ksef-client-ts 0.6.2 → 0.7.0

package/dist/cli.js

@@ -43,6 +43,9 @@ var init_ksef_api_error = __esm({
         const message = details?.length ? details.map((d) => d.exceptionDescription ?? "").filter(Boolean).join("; ") || `KSeF API error: HTTP ${statusCode}` : `KSeF API error: HTTP ${statusCode}`;
         return new _KSeFApiError(message, statusCode, body);
       }
+      toProblemFields() {
+        return { detail: this.message };
+      }
     };
   }
 });
@@ -54,17 +57,20 @@ var init_ksef_rate_limit_error = __esm({
     "use strict";
     init_ksef_api_error();
     KSeFRateLimitError = class _KSeFRateLimitError extends KSeFApiError {
+      statusCode = 429;
       retryAfterSeconds;
       retryAfterDate;
       recommendedDelay;
-      constructor(message, statusCode, errorResponse, retryAfterSeconds, retryAfterDate) {
+      problem;
+      constructor(message, statusCode, errorResponse, retryAfterSeconds, retryAfterDate, problem) {
         super(message, statusCode, errorResponse);
         this.name = "KSeFRateLimitError";
         this.retryAfterSeconds = retryAfterSeconds;
         this.retryAfterDate = retryAfterDate;
         this.recommendedDelay = retryAfterSeconds ?? 60;
+        this.problem = problem;
       }
-      static fromRetryAfterHeader(statusCode, retryAfterHeader, body) {
+      static fromRetryAfterHeader(statusCode, retryAfterHeader, body, problem) {
         let retryAfterSeconds;
         let retryAfterDate;
         if (retryAfterHeader) {
@@ -79,8 +85,16 @@ var init_ksef_rate_limit_error = __esm({
             }
           }
         }
-        const message = retryAfterSeconds != null ? `Rate limited. Retry after ${retryAfterSeconds}s` : "Rate limited by KSeF API";
-        return new _KSeFRateLimitError(message, statusCode, body, retryAfterSeconds, retryAfterDate);
+        const message = retryAfterSeconds != null ? `Rate limited. Retry after ${retryAfterSeconds}s` : problem?.detail ?? "Rate limited by KSeF API";
+        return new _KSeFRateLimitError(message, statusCode, body, retryAfterSeconds, retryAfterDate, problem);
+      }
+      toProblemFields() {
+        return {
+          detail: this.problem?.detail,
+          traceId: this.problem?.traceId,
+          instance: this.problem?.instance,
+          timestamp: this.problem?.timestamp
+        };
       }
     };
   }
@@ -91,21 +105,29 @@ var KSeFUnauthorizedError;
 var init_ksef_unauthorized_error = __esm({
   "src/errors/ksef-unauthorized-error.ts"() {
     "use strict";
-    init_ksef_error();
-    KSeFUnauthorizedError = class extends KSeFError {
+    init_ksef_api_error();
+    KSeFUnauthorizedError = class extends KSeFApiError {
       statusCode = 401;
       detail;
       traceId;
       instance;
       timestamp;
       constructor(problemDetails) {
-        super(problemDetails.detail || "Unauthorized");
+        super(problemDetails.detail || "Unauthorized", 401);
         this.name = "KSeFUnauthorizedError";
         this.detail = problemDetails.detail;
         this.traceId = problemDetails.traceId;
         this.instance = problemDetails.instance;
         this.timestamp = problemDetails.timestamp;
       }
+      toProblemFields() {
+        return {
+          detail: this.detail,
+          traceId: this.traceId,
+          instance: this.instance,
+          timestamp: this.timestamp
+        };
+      }
     };
   }
 });
@@ -115,8 +137,8 @@ var KSeFForbiddenError;
 var init_ksef_forbidden_error = __esm({
   "src/errors/ksef-forbidden-error.ts"() {
     "use strict";
-    init_ksef_error();
-    KSeFForbiddenError = class extends KSeFError {
+    init_ksef_api_error();
+    KSeFForbiddenError = class extends KSeFApiError {
       statusCode = 403;
       detail;
       reasonCode;
@@ -125,7 +147,7 @@ var init_ksef_forbidden_error = __esm({
       traceId;
       timestamp;
       constructor(problemDetails) {
-        super(problemDetails.detail || "Forbidden");
+        super(problemDetails.detail || "Forbidden", 403);
         this.name = "KSeFForbiddenError";
         this.detail = problemDetails.detail;
         this.reasonCode = problemDetails.reasonCode;
@@ -134,10 +156,103 @@ var init_ksef_forbidden_error = __esm({
         this.traceId = problemDetails.traceId;
         this.timestamp = problemDetails.timestamp;
       }
+      toProblemFields() {
+        return {
+          detail: this.detail,
+          reasonCode: this.reasonCode,
+          security: this.security,
+          traceId: this.traceId,
+          instance: this.instance,
+          timestamp: this.timestamp
+        };
+      }
+    };
+  }
+});
+
+// src/errors/ksef-gone-error.ts
+var KSeFGoneError;
+var init_ksef_gone_error = __esm({
+  "src/errors/ksef-gone-error.ts"() {
+    "use strict";
+    init_ksef_api_error();
+    KSeFGoneError = class extends KSeFApiError {
+      statusCode = 410;
+      detail;
+      instance;
+      traceId;
+      timestamp;
+      constructor(problemDetails) {
+        super(problemDetails.detail || "Operation status no longer available (retention expired)", 410);
+        this.name = "KSeFGoneError";
+        this.detail = problemDetails.detail;
+        this.instance = problemDetails.instance;
+        this.traceId = problemDetails.traceId;
+        this.timestamp = problemDetails.timestamp;
+      }
+      toProblemFields() {
+        return {
+          detail: this.detail,
+          traceId: this.traceId,
+          instance: this.instance,
+          timestamp: this.timestamp
+        };
+      }
+    };
+  }
+});
+
+// src/errors/ksef-bad-request-error.ts
+var KSeFBadRequestError;
+var init_ksef_bad_request_error = __esm({
+  "src/errors/ksef-bad-request-error.ts"() {
+    "use strict";
+    init_ksef_api_error();
+    KSeFBadRequestError = class extends KSeFApiError {
+      statusCode = 400;
+      detail;
+      instance;
+      errors;
+      traceId;
+      timestamp;
+      constructor(problemDetails) {
+        super(problemDetails.detail || problemDetails.title || "Bad Request", 400);
+        this.name = "KSeFBadRequestError";
+        this.detail = problemDetails.detail;
+        this.instance = problemDetails.instance;
+        this.errors = problemDetails.errors ?? [];
+        this.traceId = problemDetails.traceId;
+        this.timestamp = problemDetails.timestamp;
+      }
+      toProblemFields() {
+        return {
+          detail: this.detail,
+          errors: this.errors.length ? this.errors : void 0,
+          traceId: this.traceId,
+          instance: this.instance,
+          timestamp: this.timestamp
+        };
+      }
     };
   }
 });
 
+// src/errors/ksef-auth-status-error.ts
+var init_ksef_auth_status_error = __esm({
+  "src/errors/ksef-auth-status-error.ts"() {
+    "use strict";
+    init_ksef_error();
+  }
+});
+
+// src/errors/ksef-session-expired-error.ts
+var init_ksef_session_expired_error = __esm({
+  "src/errors/ksef-session-expired-error.ts"() {
+    "use strict";
+    init_ksef_error();
+  }
+});
+
 // src/errors/ksef-validation-error.ts
 var ksef_validation_error_exports = {};
 __export(ksef_validation_error_exports, {
@@ -166,6 +281,72 @@ var init_ksef_validation_error = __esm({
   }
 });
 
+// src/errors/error-codes.ts
+function hasErrorCode(body, code) {
+  return !!body?.exception?.exceptionDetailList?.some((d) => d.exceptionCode === code);
+}
+var KSeFErrorCode;
+var init_error_codes = __esm({
+  "src/errors/error-codes.ts"() {
+    "use strict";
+    KSeFErrorCode = {
+      BatchTimeout: 21208,
+      DuplicateInvoice: 440
+    };
+  }
+});
+
+// src/errors/ksef-batch-timeout-error.ts
+var KSeFBatchTimeoutError;
+var init_ksef_batch_timeout_error = __esm({
+  "src/errors/ksef-batch-timeout-error.ts"() {
+    "use strict";
+    init_ksef_api_error();
+    init_error_codes();
+    KSeFBatchTimeoutError = class _KSeFBatchTimeoutError extends KSeFApiError {
+      errorCode = KSeFErrorCode.BatchTimeout;
+      constructor(message, statusCode, errorResponse) {
+        super(message, statusCode, errorResponse);
+        this.name = "KSeFBatchTimeoutError";
+      }
+      static fromResponse(statusCode, body) {
+        const detail = body?.exception?.exceptionDetailList?.find(
+          (d) => d.exceptionCode === KSeFErrorCode.BatchTimeout
+        );
+        const message = detail?.exceptionDescription?.trim() || "Batch session timed out before the server completed processing (KSeF 21208).";
+        return new _KSeFBatchTimeoutError(message, statusCode, body);
+      }
+    };
+  }
+});
+
+// src/errors/assert-never.ts
+var init_assert_never = __esm({
+  "src/errors/assert-never.ts"() {
+    "use strict";
+  }
+});
+
+// src/errors/index.ts
+var init_errors = __esm({
+  "src/errors/index.ts"() {
+    "use strict";
+    init_ksef_error();
+    init_ksef_api_error();
+    init_ksef_rate_limit_error();
+    init_ksef_unauthorized_error();
+    init_ksef_forbidden_error();
+    init_ksef_gone_error();
+    init_ksef_bad_request_error();
+    init_ksef_auth_status_error();
+    init_ksef_session_expired_error();
+    init_ksef_validation_error();
+    init_ksef_batch_timeout_error();
+    init_error_codes();
+    init_assert_never();
+  }
+});
+
 // src/config/environments.ts
 var Environment;
 var init_environments = __esm({
@@ -201,7 +382,8 @@ function resolveOptions(options = {}) {
     apiVersion: options.apiVersion ?? DEFAULT_API_VERSION,
     timeout: options.timeout ?? DEFAULT_TIMEOUT,
     customHeaders: options.customHeaders ?? {},
-    environmentName: options.environment ?? (options.baseUrl ? void 0 : "TEST")
+    environmentName: options.environment ?? (options.baseUrl ? void 0 : "TEST"),
+    errorFormat: options.errorFormat ?? "problem-details"
   };
 }
 var DEFAULT_API_VERSION, DEFAULT_TIMEOUT;
@@ -223,69 +405,6 @@ var init_config = __esm({
   }
 });
 
-// src/errors/ksef-gone-error.ts
-var KSeFGoneError;
-var init_ksef_gone_error = __esm({
-  "src/errors/ksef-gone-error.ts"() {
-    "use strict";
-    init_ksef_error();
-    KSeFGoneError = class extends KSeFError {
-      statusCode = 410;
-      detail;
-      instance;
-      traceId;
-      timestamp;
-      constructor(problemDetails) {
-        super(problemDetails.detail || "Operation status no longer available (retention expired)");
-        this.name = "KSeFGoneError";
-        this.detail = problemDetails.detail;
-        this.instance = problemDetails.instance;
-        this.traceId = problemDetails.traceId;
-        this.timestamp = problemDetails.timestamp;
-      }
-    };
-  }
-});
-
-// src/errors/error-codes.ts
-function hasErrorCode(body, code) {
-  return !!body?.exception?.exceptionDetailList?.some((d) => d.exceptionCode === code);
-}
-var KSeFErrorCode;
-var init_error_codes = __esm({
-  "src/errors/error-codes.ts"() {
-    "use strict";
-    KSeFErrorCode = {
-      BatchTimeout: 21208,
-      DuplicateInvoice: 440
-    };
-  }
-});
-
-// src/errors/ksef-batch-timeout-error.ts
-var KSeFBatchTimeoutError;
-var init_ksef_batch_timeout_error = __esm({
-  "src/errors/ksef-batch-timeout-error.ts"() {
-    "use strict";
-    init_ksef_api_error();
-    init_error_codes();
-    KSeFBatchTimeoutError = class _KSeFBatchTimeoutError extends KSeFApiError {
-      errorCode = KSeFErrorCode.BatchTimeout;
-      constructor(message, statusCode, errorResponse) {
-        super(message, statusCode, errorResponse);
-        this.name = "KSeFBatchTimeoutError";
-      }
-      static fromResponse(statusCode, body) {
-        const detail = body?.exception?.exceptionDetailList?.find(
-          (d) => d.exceptionCode === KSeFErrorCode.BatchTimeout
-        );
-        const message = detail?.exceptionDescription?.trim() || "Batch session timed out before the server completed processing (KSeF 21208).";
-        return new _KSeFBatchTimeoutError(message, statusCode, body);
-      }
-    };
-  }
-});
-
 // src/http/route-builder.ts
 var RouteBuilder;
 var init_route_builder = __esm({
@@ -455,6 +574,27 @@ var init_presigned_url_policy = __esm({
 
 // src/http/rest-client.ts
 import { consola as consola3 } from "consola";
+function isBadRequestProblem(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const v = value;
+  if (typeof v.title !== "string") return false;
+  if (v.status !== void 0 && typeof v.status !== "number") return false;
+  if (v.errors !== void 0) {
+    if (!Array.isArray(v.errors)) return false;
+    for (const item of v.errors) {
+      if (typeof item !== "object" || item === null) return false;
+      const detail = item;
+      if (typeof detail.code !== "number") return false;
+      if (typeof detail.description !== "string") return false;
+    }
+  }
+  return true;
+}
+function isTooManyRequestsProblem(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const v = value;
+  return typeof v.title === "string" && (v.status === void 0 || typeof v.status === "number") && (v.detail === void 0 || typeof v.detail === "string") && (v.instance === void 0 || typeof v.instance === "string") && (v.traceId === void 0 || typeof v.traceId === "string") && (v.timestamp === void 0 || typeof v.timestamp === "string");
+}
 var RestClient;
 var init_rest_client = __esm({
   "src/http/rest-client.ts"() {
@@ -464,6 +604,7 @@ var init_rest_client = __esm({
     init_ksef_unauthorized_error();
     init_ksef_forbidden_error();
     init_ksef_gone_error();
+    init_ksef_bad_request_error();
     init_ksef_batch_timeout_error();
     init_error_codes();
     init_route_builder();
@@ -552,6 +693,10 @@ var init_rest_client = __esm({
           ...this.options.customHeaders,
           ...request.getHeaders()
         };
+        const hasHeader = (name) => Object.keys(headers).some((header) => header.toLowerCase() === name.toLowerCase());
+        if (this.options.errorFormat !== "legacy" && !hasHeader("x-error-format")) {
+          headers["X-Error-Format"] = "problem-details";
+        }
         if (!headers["Authorization"] && this.authManager) {
           const token = overrideToken ?? this.authManager.getAccessToken();
           if (token) {
@@ -590,19 +735,40 @@ var init_rest_client = __esm({
       async ensureSuccess(response) {
         if (response.ok) return;
         const text = await response.text().catch(() => "");
+        let jsonCache = null;
         const parseJson = () => {
-          try {
-            return JSON.parse(text);
-          } catch {
-            return void 0;
+          if (jsonCache === null) {
+            try {
+              jsonCache = { value: JSON.parse(text) };
+            } catch {
+              jsonCache = { value: void 0 };
+            }
           }
+          return jsonCache.value;
         };
-        if (response.status === 429) {
+        const tryParseProblem = (guard) => {
           const parsed = parseJson();
+          return parsed !== void 0 && guard(parsed) ? parsed : void 0;
+        };
+        if (response.status === 400) {
+          const problem = tryParseProblem(isBadRequestProblem);
+          if (problem) {
+            throw new KSeFBadRequestError(problem);
+          }
+          const legacy = parseJson();
+          if (hasErrorCode(legacy, KSeFErrorCode.BatchTimeout)) {
+            throw KSeFBatchTimeoutError.fromResponse(400, legacy);
+          }
+          throw KSeFApiError.fromResponse(400, legacy);
+        }
+        if (response.status === 429) {
+          const problem = tryParseProblem(isTooManyRequestsProblem);
+          const legacy = problem ? void 0 : parseJson();
           throw KSeFRateLimitError.fromRetryAfterHeader(
             response.status,
             response.headers.get("Retry-After"),
-            parsed
+            legacy,
+            problem
           );
         }
         if (response.status === 401) {
@@ -1336,9 +1502,10 @@ var PermissionsService;
 var init_permissions = __esm({
   "src/services/permissions.ts"() {
     "use strict";
+    init_ksef_validation_error();
     init_rest_request();
     init_routes();
-    PermissionsService = class {
+    PermissionsService = class _PermissionsService {
       restClient;
       constructor(restClient) {
         this.restClient = restClient;
@@ -1396,6 +1563,7 @@ var init_permissions = __esm({
       }
       // Search methods
       async queryPersonalGrants(options, pageOffset, pageSize) {
+        _PermissionsService.validateContextIdentifier(options?.contextIdentifier);
         const req = RestRequest.post(Routes.Permissions.Query.personalGrants).body(options ?? {});
         if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
         if (pageSize !== void 0) req.query("pageSize", String(pageSize));
@@ -1424,6 +1592,7 @@ var init_permissions = __esm({
         return response.body;
       }
       async queryEntitiesGrants(options, pageOffset, pageSize) {
+        _PermissionsService.validateContextIdentifier(options?.contextIdentifier);
         const req = RestRequest.post(Routes.Permissions.Query.entitiesGrants).body(options ?? {});
         if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
         if (pageSize !== void 0) req.query("pageSize", String(pageSize));
@@ -1462,17 +1631,90 @@ var init_permissions = __esm({
         const response = await this.restClient.execute(req);
         return response.body;
       }
+      static validateContextIdentifier(ctx) {
+        if (!ctx) return;
+        if (ctx.type === "InternalId") {
+          const len = ctx.value.length;
+          if (len < 10 || len > 16) {
+            throw KSeFValidationError.fromField(
+              "contextIdentifier.value",
+              `InternalId must be 10-16 characters, got ${len}`
+            );
+          }
+        }
+      }
     };
   }
 });
 
+// src/utils/jwt.ts
+function decodeJwtPayload(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const payload = parts[1];
+    const json = Buffer.from(payload, "base64url").toString("utf-8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+function tryParseJson(value) {
+  if (typeof value !== "string") return void 0;
+  try {
+    return JSON.parse(value);
+  } catch {
+    return void 0;
+  }
+}
+function tryParseJsonArray(value) {
+  if (typeof value !== "string") return void 0;
+  try {
+    const parsed = JSON.parse(value);
+    return Array.isArray(parsed) && parsed.every((item) => typeof item === "string") ? parsed : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function parseKSeFTokenContext(token) {
+  const raw = decodeJwtPayload(token);
+  if (!raw) return null;
+  return {
+    type: typeof raw["typ"] === "string" ? raw["typ"] : void 0,
+    contextIdentifierType: typeof raw["cit"] === "string" ? raw["cit"] : void 0,
+    contextIdentifierValue: typeof raw["civ"] === "string" ? raw["civ"] : void 0,
+    authMethod: typeof raw["aum"] === "string" ? raw["aum"] : void 0,
+    permissions: tryParseJsonArray(raw["per"]),
+    subjectDetails: tryParseJson(raw["sud"]),
+    authorSubjectIdentifier: tryParseJson(raw["asi"]),
+    issuedAt: typeof raw["iat"] === "number" ? raw["iat"] : void 0,
+    expiresAt: typeof raw["exp"] === "number" ? raw["exp"] : void 0
+  };
+}
+var init_jwt = __esm({
+  "src/utils/jwt.ts"() {
+    "use strict";
+  }
+});
+
 // src/services/tokens.ts
-var TokenService;
+function toTokenAuthorIdentifierType(value) {
+  return TOKEN_AUTHOR_IDENTIFIER_TYPES.has(value) ? value : void 0;
+}
+var TOKEN_AUTHOR_IDENTIFIER_TYPES, TokenService;
 var init_tokens = __esm({
   "src/services/tokens.ts"() {
     "use strict";
     init_rest_request();
     init_routes();
+    init_jwt();
+    init_ksef_api_error();
+    init_ksef_error();
+    TOKEN_AUTHOR_IDENTIFIER_TYPES = /* @__PURE__ */ new Set([
+      "Nip",
+      "Pesel",
+      "Fingerprint"
+    ]);
     TokenService = class {
       restClient;
       constructor(restClient) {
@@ -1507,6 +1749,73 @@ var init_tokens = __esm({
         const req = RestRequest.delete(Routes.Tokens.byReference(ref));
         await this.restClient.executeVoid(req);
       }
+      /**
+       * Resolves the reference number of the token currently in use for authentication.
+       * The only JWT payload field treated as authoritative is the KSeF-specific `trn`
+       * (token reference number). Standard RFC 7519 claims such as `jti` are NOT a safe
+       * fallback — a `jti` that differs from the KSeF reference would cause a DELETE to
+       * hit a non-existent path, which `revokeSelf` treats as already-revoked, falsely
+       * reporting success while leaving the token active on the server. When `trn` is
+       * absent, we fall back to `GET /tokens` filtered by author and context; requires
+       * exactly one active match and returns undefined when ambiguous.
+       */
+      async findSelfReferenceNumber(accessToken) {
+        if (!accessToken) return void 0;
+        const payload = decodeJwtPayload(accessToken);
+        if (payload && typeof payload["trn"] === "string" && payload["trn"].length > 0) {
+          return payload["trn"];
+        }
+        const ctx = parseKSeFTokenContext(accessToken);
+        const author = ctx?.authorSubjectIdentifier;
+        if (!author?.type || !author.value) return void 0;
+        if (!ctx?.contextIdentifierType || !ctx?.contextIdentifierValue) return void 0;
+        const authorType = toTokenAuthorIdentifierType(author.type);
+        if (!authorType) return void 0;
+        let continuationToken;
+        let match;
+        do {
+          const list5 = await this.queryTokens({
+            status: ["Active"],
+            authorIdentifier: author.value,
+            authorIdentifierType: authorType,
+            pageSize: 50,
+            continuationToken
+          });
+          for (const t of list5.tokens) {
+            if (t.status === "Active" && t.contextIdentifier?.value === ctx.contextIdentifierValue && t.contextIdentifier?.type === ctx.contextIdentifierType) {
+              if (match) return void 0;
+              match = t.referenceNumber;
+            }
+          }
+          continuationToken = list5.continuationToken ?? void 0;
+        } while (continuationToken);
+        return match;
+      }
+      /**
+       * Revokes the token currently used for authentication.
+       * Treats 404/409/410 on DELETE as "already revoked" and returns successfully with
+       * `alreadyRevoked: true` so callers can still clear local state.
+       */
+      async revokeSelf(opts = {}) {
+        let ref = opts.referenceNumber;
+        if (!ref && opts.accessToken) {
+          ref = await this.findSelfReferenceNumber(opts.accessToken);
+        }
+        if (!ref) {
+          throw new KSeFError(
+            "Could not determine the current token reference number: no cache, JWT lacks the field, and the active-token list had 0 or 2+ matches in the current context."
+          );
+        }
+        try {
+          await this.revokeToken(ref);
+          return { referenceNumber: ref, alreadyRevoked: false };
+        } catch (err) {
+          if (err instanceof KSeFApiError && (err.statusCode === 404 || err.statusCode === 409 || err.statusCode === 410)) {
+            return { referenceNumber: ref, alreadyRevoked: true };
+          }
+          throw err;
+        }
+      }
     };
   }
 });
@@ -1563,40 +1872,6 @@ var init_certificates = __esm({
   }
 });
 
-// src/errors/ksef-auth-status-error.ts
-var init_ksef_auth_status_error = __esm({
-  "src/errors/ksef-auth-status-error.ts"() {
-    "use strict";
-    init_ksef_error();
-  }
-});
-
-// src/errors/ksef-session-expired-error.ts
-var init_ksef_session_expired_error = __esm({
-  "src/errors/ksef-session-expired-error.ts"() {
-    "use strict";
-    init_ksef_error();
-  }
-});
-
-// src/errors/index.ts
-var init_errors = __esm({
-  "src/errors/index.ts"() {
-    "use strict";
-    init_ksef_error();
-    init_ksef_api_error();
-    init_ksef_rate_limit_error();
-    init_ksef_unauthorized_error();
-    init_ksef_forbidden_error();
-    init_ksef_gone_error();
-    init_ksef_auth_status_error();
-    init_ksef_session_expired_error();
-    init_ksef_validation_error();
-    init_ksef_batch_timeout_error();
-    init_error_codes();
-  }
-});
-
 // src/services/lighthouse.ts
 var LighthouseService;
 var init_lighthouse = __esm({
@@ -2761,8 +3036,8 @@ function computeRootDigest(doc) {
   return crypto4.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
-  const parser = new DOMParser();
-  const qpDoc = parser.parseFromString(qualifyingPropertiesXml, "text/xml");
+  const parser2 = new DOMParser();
+  const qpDoc = parser2.parseFromString(qualifyingPropertiesXml, "text/xml");
   const signedProps = findElementByLocalName(qpDoc.documentElement, "SignedProperties");
   if (!signedProps) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
@@ -2914,8 +3189,8 @@ var init_signature_service = __esm({
         const isEc = privateKey.asymmetricKeyType === "ec";
         const signatureAlgorithm = isEc ? ECDSA_SHA256_SIGNATURE : RSA_SHA256_SIGNATURE;
         const signingTime = new Date(Date.now() + CLOCK_SKEW_BUFFER_MS).toISOString();
-        const parser = new DOMParser();
-        const doc = parser.parseFromString(xml, "text/xml");
+        const parser2 = new DOMParser();
+        const doc = parser2.parseFromString(xml, "text/xml");
         const root = doc.documentElement;
         if (!root) {
           throw new Error("XML document has no root element");
@@ -2935,7 +3210,7 @@ var init_signature_service = __esm({
           rootDigest,
           signedPropertiesDigest
         );
-        const signedInfoDoc = parser.parseFromString(signedInfoXml, "text/xml");
+        const signedInfoDoc = parser2.parseFromString(signedInfoXml, "text/xml");
         const canonicalSignedInfo = canonicalize(signedInfoDoc.documentElement);
         const signatureValue = computeSignatureValue(
           canonicalSignedInfo,
@@ -2948,7 +3223,7 @@ var init_signature_service = __esm({
           certBase64,
           qualifyingPropertiesXml
         );
-        const signatureDoc = parser.parseFromString(signatureXml, "text/xml");
+        const signatureDoc = parser2.parseFromString(signatureXml, "text/xml");
         const importedNode = doc.importNode(signatureDoc.documentElement, true);
         root.appendChild(importedNode);
         return new XMLSerializer().serializeToString(doc);
@@ -3378,12 +3653,84 @@ var init_invoice_field_extractor = __esm({
   }
 });
 
+// src/xml/xml-engine.ts
+import { XMLBuilder, XMLParser as XMLParser3 } from "fast-xml-parser";
+var parser, builder;
+var init_xml_engine = __esm({
+  "src/xml/xml-engine.ts"() {
+    "use strict";
+    parser = new XMLParser3({
+      ignoreAttributes: false,
+      preserveOrder: true,
+      attributeNamePrefix: "@_",
+      textNodeName: "#text",
+      allowBooleanAttributes: true,
+      // Preserve leading zeros and keep everything as strings — KSeF fields like
+      // KRS (`\d{10}`) and NIP (`\d{10}`) would otherwise be lossy through parse.
+      parseTagValue: false,
+      parseAttributeValue: false,
+      trimValues: false
+    });
+    builder = new XMLBuilder({
+      ignoreAttributes: false,
+      preserveOrder: true,
+      attributeNamePrefix: "@_",
+      textNodeName: "#text",
+      format: false,
+      suppressBooleanAttributes: false,
+      suppressEmptyNode: false,
+      processEntities: true
+    });
+  }
+});
+
+// src/xml/order-map.ts
+var init_order_map = __esm({
+  "src/xml/order-map.ts"() {
+    "use strict";
+  }
+});
+
+// src/xml/faktura-builder.ts
+var init_faktura_builder = __esm({
+  "src/xml/faktura-builder.ts"() {
+    "use strict";
+    init_xml_engine();
+    init_order_map();
+  }
+});
+
+// src/xml/pef-builder.ts
+var init_pef_builder = __esm({
+  "src/xml/pef-builder.ts"() {
+    "use strict";
+    init_ksef_validation_error();
+    init_xml_engine();
+  }
+});
+
+// src/xml/invoice-serializer.ts
+var init_invoice_serializer = __esm({
+  "src/xml/invoice-serializer.ts"() {
+    "use strict";
+    init_ksef_validation_error();
+    init_faktura_builder();
+    init_pef_builder();
+    init_xml_engine();
+  }
+});
+
 // src/xml/index.ts
 var init_xml = __esm({
   "src/xml/index.ts"() {
     "use strict";
     init_upo_parser();
     init_invoice_field_extractor();
+    init_xml_engine();
+    init_order_map();
+    init_faktura_builder();
+    init_pef_builder();
+    init_invoice_serializer();
   }
 });
 
@@ -5034,6 +5381,115 @@ var init_schema_registry = __esm({
   }
 });
 
+// src/validation/char-validity.ts
+function validateCharValidity(xml) {
+  return [...findProcessingInstructions(xml), ...findDiscouragedUnicode(xml)];
+}
+function findProcessingInstructionTokens(xml) {
+  const tokens = [];
+  for (let i = 0; i < xml.length; ) {
+    if (xml.startsWith("<!--", i)) {
+      const end = xml.indexOf("-->", i + 4);
+      i = end === -1 ? xml.length : end + 3;
+      continue;
+    }
+    if (xml.startsWith("<![CDATA[", i)) {
+      const end = xml.indexOf("]]>", i + 9);
+      i = end === -1 ? xml.length : end + 3;
+      continue;
+    }
+    if (xml.startsWith("<?", i)) {
+      const end = xml.indexOf("?>", i + 2);
+      if (end === -1) break;
+      tokens.push({ token: xml.slice(i, end + 2), index: i });
+      i = end + 2;
+      continue;
+    }
+    i += 1;
+  }
+  return tokens;
+}
+function findProcessingInstructions(xml) {
+  const errors = [];
+  const matches = findProcessingInstructionTokens(xml);
+  if (matches.length === 0) return errors;
+  const firstMatch = matches[0];
+  const firstTarget = firstMatch.token.match(PI_TARGET_RE)?.[1];
+  const hasBom = xml.charCodeAt(0) === 65279;
+  const prologPosition = hasBom ? 1 : 0;
+  const firstIsProlog = firstMatch.index === prologPosition && firstTarget === "xml";
+  for (let i = 0; i < matches.length; i++) {
+    if (i === 0 && firstIsProlog) continue;
+    const m = matches[i];
+    const target = m.token.match(PI_TARGET_RE)?.[1] ?? "?";
+    errors.push({
+      code: "XML_PROCESSING_INSTRUCTION",
+      message: `Processing instruction <?${target}?> at offset ${m.index} is not allowed (only <?xml ... ?> prolog is permitted)`,
+      path: `offset:${m.index}`
+    });
+  }
+  return errors;
+}
+function findDiscouragedUnicode(xml) {
+  const errors = [];
+  const seenRanges = /* @__PURE__ */ new Set();
+  let utf16Offset = 0;
+  for (const ch of xml) {
+    const cp = ch.codePointAt(0);
+    const idx = rangeIndex(cp);
+    if (idx >= 0 && !seenRanges.has(idx)) {
+      seenRanges.add(idx);
+      errors.push({
+        code: "XML_DISCOURAGED_UNICODE",
+        message: `Discouraged Unicode character U+${cp.toString(16).toUpperCase().padStart(4, "0")} found at offset ${utf16Offset} (W3C XML 1.0 \xA72.2 rejects this range)`,
+        path: `offset:${utf16Offset}`
+      });
+    }
+    utf16Offset += ch.length;
+  }
+  return errors;
+}
+function rangeIndex(cp) {
+  let lo = 0;
+  let hi = DISCOURAGED_UNICODE_RANGES.length - 1;
+  while (lo <= hi) {
+    const mid = lo + hi >> 1;
+    const [start, end] = DISCOURAGED_UNICODE_RANGES[mid];
+    if (cp < start) hi = mid - 1;
+    else if (cp > end) lo = mid + 1;
+    else return mid;
+  }
+  return -1;
+}
+var DISCOURAGED_UNICODE_RANGES, PI_TARGET_RE;
+var init_char_validity = __esm({
+  "src/validation/char-validity.ts"() {
+    "use strict";
+    DISCOURAGED_UNICODE_RANGES = [
+      [127, 132],
+      [134, 159],
+      [64976, 65007],
+      [131070, 131071],
+      [196606, 196607],
+      [262142, 262143],
+      [327678, 327679],
+      [393214, 393215],
+      [458750, 458751],
+      [524286, 524287],
+      [589822, 589823],
+      [655358, 655359],
+      [720894, 720895],
+      [786430, 786431],
+      [851966, 851967],
+      [917502, 917503],
+      [983038, 983039],
+      [1048574, 1048575],
+      [1114110, 1114111]
+    ];
+    PI_TARGET_RE = /^<\?(\S+)/;
+  }
+});
+
 // src/validation/patterns.ts
 function isValidNip(value) {
   if (!Nip.test(value)) return false;
@@ -5220,6 +5676,12 @@ function collectDateErrors(obj, rootElement, errors) {
   }
 }
 async function validate(xml, options) {
+  if (!options?.skipCharValidity) {
+    const l1aErrors = validateCharValidity(xml);
+    if (l1aErrors.length > 0) {
+      return { valid: false, schemaType: null, errors: l1aErrors };
+    }
+  }
   const parsed = xml && xml.trim() ? xmlToObject(xml) : void 0;
   const l1 = validateWellFormedness(xml, parsed);
   if (!l1.valid) return l1;
@@ -5246,6 +5708,7 @@ var init_invoice_validator = __esm({
     "use strict";
     init_xml_to_object();
     init_schema_registry();
+    init_char_validity();
     init_patterns();
   }
 });
@@ -5730,67 +6193,119 @@ function clearOnlineSessionRef() {
   }
 }
 
-// src/cli/error-handler.ts
-init_ksef_rate_limit_error();
-init_ksef_unauthorized_error();
-init_ksef_forbidden_error();
-init_ksef_api_error();
-init_ksef_validation_error();
+// src/cli/error-renderer.ts
+init_errors();
 import { consola as consola2 } from "consola";
-async function withErrorHandler(fn) {
-  try {
-    await fn();
-  } catch (error) {
+function renderCliError(error, opts) {
+  if (opts?.json) {
+    const payload = error instanceof Error ? serializeError(error) : { name: "UnknownError", value: safeValue(error) };
+    process.stdout.write(JSON.stringify({ error: payload }, null, 2) + "\n");
+    return;
+  }
+  if (error instanceof KSeFApiError) {
     if (error instanceof KSeFRateLimitError) {
       consola2.error("Rate limited by KSeF API.");
-      consola2.info(`Hint: Retry after ${error.recommendedDelay}s.`);
-      process.exit(1);
-    }
-    if (error instanceof KSeFUnauthorizedError) {
-      consola2.error(`KSeF API error (HTTP 401): ${error.detail}`);
-      if (error.traceId) consola2.error(`  Trace ID: ${error.traceId}`);
-      consola2.info("Hint: Your session may have expired. Run `ksef auth login` to re-authenticate.");
-      process.exit(1);
-    }
-    if (error instanceof KSeFForbiddenError) {
-      consola2.error(`KSeF API error (HTTP 403): ${error.detail}`);
-      consola2.error(`  Reason: ${error.reasonCode}`);
-      if (error.traceId) consola2.error(`  Trace ID: ${error.traceId}`);
-      consola2.info("Hint: Check your permissions for this operation.");
-      process.exit(1);
+    } else {
+      consola2.error(`KSeF API error (HTTP ${error.statusCode}): ${error.message}`);
     }
-    if (error instanceof KSeFValidationError) {
-      consola2.error(error.message);
-      for (const detail of error.details) {
-        consola2.error(`  ${detail.field ? `[${detail.field}] ` : ""}${detail.message}`);
+    renderProblemDetails(error.toProblemFields());
+    const legacyDetails = error.errorResponse?.exception?.exceptionDetailList;
+    if (legacyDetails?.length) {
+      for (const d of legacyDetails) {
+        consola2.error(`  \u2514 [${d.exceptionCode}] ${d.exceptionDescription ?? ""}`);
       }
-      process.exit(1);
     }
-    if (error instanceof KSeFApiError) {
-      consola2.error(`KSeF API error (HTTP ${error.statusCode}): ${error.message}`);
-      if (error.errorResponse?.exception?.exceptionDetailList) {
-        for (const detail of error.errorResponse.exception.exceptionDetailList) {
-          consola2.error(`  - [${detail.exceptionCode}] ${detail.exceptionDescription}`);
-        }
-      }
-      if (error.statusCode === 401 || error.statusCode === 403) {
-        consola2.info("Hint: Run `ksef auth login` to authenticate.");
-      } else if (error.statusCode === 404) {
-        consola2.info("Hint: Check if the resource reference is correct.");
-      }
-      process.exit(1);
+    const hint = hintForStatus(error);
+    if (hint) consola2.info(hint);
+    return;
+  }
+  if (error instanceof KSeFValidationError) {
+    consola2.error(error.message);
+    for (const d of error.details) {
+      consola2.error(`  \u2514 ${d.field ? `[${d.field}] ` : ""}${d.message}`);
     }
-    if (error instanceof Error) {
-      const msg = error.message;
-      if (msg.includes("fetch failed") || msg.includes("ECONNREFUSED") || msg.includes("ETIMEDOUT") || msg.includes("ENOTFOUND")) {
-        consola2.error("Cannot reach KSeF API. Check your network connection and environment.");
-        consola2.info("Hint: Run `ksef doctor` to diagnose connectivity issues.");
-        process.exit(1);
-      }
+    return;
+  }
+  if (error instanceof Error) {
+    const msg = error.message;
+    if (/fetch failed|ECONNREFUSED|ETIMEDOUT|ENOTFOUND/.test(msg)) {
+      consola2.error("Cannot reach KSeF API. Check your network connection and environment.");
+      consola2.info("Hint: Run `ksef doctor` to diagnose connectivity issues.");
+    } else {
       consola2.error(msg);
-      process.exit(1);
     }
-    consola2.error("Unknown error", error);
+    return;
+  }
+  consola2.error("Unknown error", error);
+}
+function renderProblemDetails(fields) {
+  if (fields.detail) consola2.error(`  \u2514 Detail: ${fields.detail}`);
+  if (fields.reasonCode) consola2.error(`  \u2514 Reason: ${fields.reasonCode}`);
+  const required = fields.security?.requiredAnyOfPermissions;
+  if (required?.length) {
+    consola2.error(`  \u2514 Required (any of): ${required.join(", ")}`);
+  }
+  const present = fields.security?.presentPermissions;
+  if (present?.length) {
+    consola2.error(`  \u2514 Present:           ${present.join(", ")}`);
+  }
+  if (fields.errors?.length) {
+    consola2.error(`  \u2514 Errors:`);
+    for (const err of fields.errors) {
+      consola2.error(`    \u2022 [${err.code}] ${err.description}`);
+      for (const d of err.details ?? []) {
+        consola2.error(`      \u2514 ${d}`);
+      }
+    }
+  }
+  if (fields.traceId) consola2.error(`  \u2514 Trace ID: ${fields.traceId}`);
+  if (fields.instance) consola2.error(`  \u2514 Instance: ${fields.instance}`);
+  if (fields.timestamp) consola2.error(`  \u2514 Timestamp: ${fields.timestamp}`);
+}
+function safeValue(value) {
+  try {
+    return JSON.parse(JSON.stringify(value));
+  } catch {
+    return String(value);
+  }
+}
+function serializeError(error) {
+  if (error instanceof KSeFApiError) {
+    return {
+      ...error.toProblemFields(),
+      name: error.name,
+      statusCode: error.statusCode,
+      message: error.message
+    };
+  }
+  if (error instanceof KSeFValidationError) {
+    return {
+      name: error.name,
+      message: error.message,
+      details: error.details
+    };
+  }
+  return {
+    name: error.name,
+    message: error.message
+  };
+}
+function hintForStatus(error) {
+  if (error instanceof KSeFRateLimitError) return `Hint: Retry after ${error.recommendedDelay}s.`;
+  if (error instanceof KSeFUnauthorizedError) return "Hint: Your session may have expired. Run `ksef auth login` to re-authenticate.";
+  if (error instanceof KSeFForbiddenError) return "Hint: Check your permissions for this operation.";
+  if (error instanceof KSeFBadRequestError) return "Hint: Review the error list above; fix the flagged fields and retry.";
+  if (error instanceof KSeFGoneError) return "Hint: The operation has aged out. Re-submit the request if still relevant.";
+  if (error.statusCode === 404) return "Hint: Check if the resource reference is correct.";
+  return void 0;
+}
+
+// src/cli/error-handler.ts
+async function withErrorHandler(fn, opts) {
+  try {
+    await fn();
+  } catch (error) {
+    renderCliError(error, opts);
     process.exit(1);
   }
 }
@@ -5835,7 +6350,7 @@ var set = defineCommand({
       }
       saveConfig(config);
       outputSuccess("Configuration updated.");
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var show = defineCommand({
@@ -5847,7 +6362,7 @@ var show = defineCommand({
     return withErrorHandler(async () => {
       const config = loadConfig();
       outputKeyValue(config, { json: args.json });
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var reset = defineCommand({
@@ -5903,6 +6418,12 @@ function saveCredentials(creds) {
     mode: 384
   });
 }
+function clearCredentials() {
+  try {
+    fs3.unlinkSync(CREDENTIALS_FILE);
+  } catch {
+  }
+}
 
 // src/workflows/auth-workflow.ts
 init_polling();
@@ -6038,53 +6559,7 @@ function clearPendingChallenge() {
 
 // src/cli/commands/auth.ts
 init_polling();
-
-// src/utils/jwt.ts
-function decodeJwtPayload(token) {
-  const parts = token.split(".");
-  if (parts.length !== 3) return null;
-  try {
-    const payload = parts[1];
-    const json = Buffer.from(payload, "base64url").toString("utf-8");
-    return JSON.parse(json);
-  } catch {
-    return null;
-  }
-}
-function tryParseJson(value) {
-  if (typeof value !== "string") return void 0;
-  try {
-    return JSON.parse(value);
-  } catch {
-    return void 0;
-  }
-}
-function tryParseJsonArray(value) {
-  if (typeof value !== "string") return void 0;
-  try {
-    const parsed = JSON.parse(value);
-    return Array.isArray(parsed) && parsed.every((item) => typeof item === "string") ? parsed : void 0;
-  } catch {
-    return void 0;
-  }
-}
-function parseKSeFTokenContext(token) {
-  const raw = decodeJwtPayload(token);
-  if (!raw) return null;
-  return {
-    type: typeof raw["typ"] === "string" ? raw["typ"] : void 0,
-    contextIdentifierType: typeof raw["cit"] === "string" ? raw["cit"] : void 0,
-    contextIdentifierValue: typeof raw["civ"] === "string" ? raw["civ"] : void 0,
-    authMethod: typeof raw["aum"] === "string" ? raw["aum"] : void 0,
-    permissions: tryParseJsonArray(raw["per"]),
-    subjectDetails: tryParseJson(raw["sud"]),
-    authorSubjectIdentifier: tryParseJson(raw["asi"]),
-    issuedAt: typeof raw["iat"] === "number" ? raw["iat"] : void 0,
-    expiresAt: typeof raw["exp"] === "number" ? raw["exp"] : void 0
-  };
-}
-
-// src/cli/commands/auth.ts
+init_jwt();
 async function readStdin(stream = process.stdin) {
   const chunks = [];
   for await (const chunk of stream) {
@@ -6115,7 +6590,7 @@ var challenge = defineCommand2({
       const client = createClient(globalOpts);
       const result = await client.auth.getChallenge();
       outputResult(result, { json: args.json });
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var login = defineCommand2({
@@ -6172,13 +6647,27 @@ var login = defineCommand2({
       if (args.env && args.env !== config.environment) {
         saveConfig({ ...config, environment: session.environment });
       }
+      if (args.token) {
+        const prev = { ...loadCredentials() ?? {} };
+        delete prev.tokenReferenceNumber;
+        let ref;
+        try {
+          ref = await client.tokens.findSelfReferenceNumber(session.accessToken);
+        } catch {
+        }
+        saveCredentials({
+          ...prev,
+          token: args.token,
+          ...ref ? { tokenReferenceNumber: ref } : {}
+        });
+      }
       if (args.json) {
         console.log(JSON.stringify({ status: "ok", clientIp: loginResult.clientIp }, null, 2));
       } else {
         consola6.info(`Seen client IP: ${loginResult.clientIp}`);
         outputSuccess("Logged in successfully.");
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var status = defineCommand2({
@@ -6196,7 +6685,7 @@ var status = defineCommand2({
       const { client, session } = await requireSession(globalOpts);
       const result = await client.auth.getAuthStatus(args.ref, session.accessToken);
       outputResult(result, { json: args.json });
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var logout = defineCommand2({
@@ -6208,6 +6697,102 @@ var logout = defineCommand2({
     });
   }
 });
+var revokeSelfToken = defineCommand2({
+  meta: {
+    name: "revoke-self-token",
+    description: "Revoke the token currently used for authentication. Reference number is resolved via discovery first (JWT payload, then a filtered active-token list), falling back to local cache only if discovery fails; revocation is idempotent (404/409/410 treated as already-revoked)."
+  },
+  args: {
+    "keep-local": { type: "boolean", description: "Revoke server-side but keep local session" },
+    "dry-run": { type: "boolean", description: "Print what would happen without revoking the token (discovery may still query the API)" },
+    env: { type: "string", description: "Environment (test/demo/prod)" },
+    json: { type: "boolean", description: "Output as JSON" },
+    verbose: { type: "boolean", description: "Show HTTP request/response details" },
+    timeout: { type: "string", description: "Request timeout (ms)" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const globalOpts = getGlobalOpts(args);
+      const { client, session } = await requireSession(globalOpts);
+      if (args.env && args.env !== session.environment) {
+        throw new Error(
+          `Current session is '${session.environment}', but --env='${args.env}'. Refusing to revoke a token from a different environment.`
+        );
+      }
+      let discoveredRef;
+      try {
+        discoveredRef = await client.tokens.findSelfReferenceNumber(session.accessToken);
+      } catch {
+        discoveredRef = void 0;
+      }
+      const cachedRef = discoveredRef ? void 0 : loadCredentials()?.tokenReferenceNumber;
+      const ref = discoveredRef ?? cachedRef;
+      const source = discoveredRef ? "discovery" : cachedRef ? "cache-fallback" : "none";
+      if (args["dry-run"]) {
+        if (args.json) {
+          outputResult(
+            {
+              status: "dry-run",
+              referenceNumber: ref ?? null,
+              source,
+              wouldClearLocal: !args["keep-local"]
+            },
+            { json: true }
+          );
+          return;
+        }
+        if (source === "cache-fallback") {
+          outputWarning(
+            "Using cached reference (discovery failed). Verify this is the token you intend to revoke."
+          );
+        }
+        outputKeyValue(
+          {
+            "Would revoke": ref ?? "(unknown \u2014 discovery failed)",
+            Source: source,
+            "Would clear local": args["keep-local"] ? "no" : "yes"
+          },
+          { json: false }
+        );
+        return;
+      }
+      if (source === "cache-fallback" && !args.json) {
+        outputWarning(
+          "Using cached reference (discovery failed). Verify this is the token you intend to revoke."
+        );
+      }
+      const { referenceNumber, alreadyRevoked } = await client.tokens.revokeSelf({
+        referenceNumber: ref,
+        accessToken: session.accessToken
+      });
+      const localCleared = !args["keep-local"];
+      if (localCleared) {
+        clearSession();
+        clearCredentials();
+      }
+      if (args.json) {
+        outputResult(
+          {
+            status: alreadyRevoked ? "already-revoked" : "revoked",
+            referenceNumber,
+            source,
+            localCleared
+          },
+          { json: true }
+        );
+      } else {
+        if (alreadyRevoked) {
+          outputWarning(`Token ${referenceNumber} was already revoked on the server.`);
+        } else {
+          outputSuccess(`Token ${referenceNumber} revoked.`);
+        }
+        if (localCleared) {
+          outputSuccess("Local session and credentials cleared.");
+        }
+      }
+    }, { json: Boolean(args.json) });
+  }
+});
 var refresh = defineCommand2({
   meta: { name: "refresh", description: "Refresh the access token" },
   args: {
@@ -6232,7 +6817,7 @@ var refresh = defineCommand2({
       session.expiresAt = result.accessToken.validUntil;
       saveSession(session);
       outputSuccess("Token refreshed successfully.");
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var whoami = defineCommand2({
@@ -6283,7 +6868,7 @@ var whoami = defineCommand2({
         info.context = context2;
       }
       outputKeyValue(info, { json: args.json });
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var loginExternal = defineCommand2({
@@ -6377,12 +6962,21 @@ var loginExternal = defineCommand2({
         clearPendingChallenge();
         outputSuccess("Logged in successfully via external signature.");
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var authCommand = defineCommand2({
   meta: { name: "auth", description: "Authentication commands" },
-  subCommands: { challenge, login, "login-external": loginExternal, status, logout, refresh, whoami }
+  subCommands: {
+    challenge,
+    login,
+    "login-external": loginExternal,
+    status,
+    logout,
+    "revoke-self-token": revokeSelfToken,
+    refresh,
+    whoami
+  }
 });
 
 // src/cli/commands/session.ts
@@ -6451,7 +7045,7 @@ var open = defineCommand3({
           "Valid Until": result.validUntil
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var close = defineCommand3({
@@ -6475,7 +7069,7 @@ var close = defineCommand3({
       await client.onlineSession.closeSession(ref);
       clearOnlineSessionRef();
       outputSuccess(`Session ${ref} closed.`);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var status2 = defineCommand3({
@@ -6509,7 +7103,7 @@ var status2 = defineCommand3({
           "Failed": result.failedInvoiceCount ?? 0
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var list = defineCommand3({
@@ -6561,7 +7155,7 @@ var list = defineCommand3({
       if (result.continuationToken) {
         consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var invoices = defineCommand3({
@@ -6612,7 +7206,7 @@ var invoices = defineCommand3({
       if (result.continuationToken) {
         consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var failed = defineCommand3({
@@ -6663,7 +7257,7 @@ var failed = defineCommand3({
       if (result.continuationToken) {
         consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var upo = defineCommand3({
@@ -6716,7 +7310,7 @@ var upo = defineCommand3({
       } else {
         console.log(result.upo);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var active = defineCommand3({
@@ -6762,7 +7356,7 @@ var active = defineCommand3({
       if (result.continuationToken) {
         consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var revoke = defineCommand3({
@@ -6796,7 +7390,7 @@ var revoke = defineCommand3({
       } else {
         throw new Error("Provide a session reference or use --current to revoke the current session.");
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var invoice = defineCommand3({
@@ -6832,7 +7426,7 @@ var invoice = defineCommand3({
           "Invoicing Mode": result.invoicingMode ?? "N/A"
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var sessionCommand = defineCommand3({
@@ -7122,7 +7716,7 @@ var exportIncremental = defineCommand4({
         consola8.info(`Final HWM: ${continuationPoints[subjectType] ?? "complete"}`);
         consola8.info(`Output: ${outputDir}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 
@@ -7354,7 +7948,7 @@ var send = defineCommand5({
           outputSuccess(`Invoice sent. Ref: ${result.referenceNumber}`);
         }
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var get = defineCommand5({
@@ -7382,7 +7976,7 @@ var get = defineCommand5({
       } else {
         console.log(xml);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var query = defineCommand5({
@@ -7439,7 +8033,7 @@ var query = defineCommand5({
       if (result.hasMore) {
         consola9.info("More results available. Use --page to fetch the next page.");
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var exportCmd = defineCommand5({
@@ -7470,7 +8064,7 @@ var exportCmd = defineCommand5({
         outputSuccess(`Export started. Ref: ${result.referenceNumber}`);
         consola9.info("Check status with: ksef invoice export-status " + result.referenceNumber);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var exportStatus = defineCommand5({
@@ -7520,7 +8114,7 @@ var exportStatus = defineCommand5({
           );
         }
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var VALID_SCHEMA_TYPES = SCHEMA_TYPES;
@@ -7590,7 +8184,7 @@ var validateCmd = defineCommand5({
       if (invalidCount > 0) {
         process.exitCode = 1;
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var invoiceCommand = defineCommand5({
@@ -7600,6 +8194,7 @@ var invoiceCommand = defineCommand5({
 
 // src/cli/commands/permission.ts
 import { defineCommand as defineCommand6 } from "citty";
+init_ksef_validation_error();
 function getGlobalOpts5(args) {
   return {
     env: args.env,
@@ -7788,7 +8383,7 @@ var grant = defineCommand6({
       } else {
         outputSuccess(`Permission granted. Ref: ${result.referenceNumber}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var revoke2 = defineCommand6({
@@ -7817,7 +8412,7 @@ var revoke2 = defineCommand6({
       } else {
         outputSuccess(`Permission grant ${args.grantId} revoked. Ref: ${result.referenceNumber}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var search = defineCommand6({
@@ -7827,6 +8422,8 @@ var search = defineCommand6({
     identifier: { type: "string", description: "Subject identifier value" },
     identifierType: { type: "string", description: "Subject identifier type" },
     queryType: { type: "string", description: "Query type (e.g. PermissionsInCurrentContext, Granted)" },
+    contextType: { type: "string", description: "Context identifier type: Nip | InternalId (for --type personal and --type entities-grants)" },
+    contextValue: { type: "string", description: "Context identifier value (NIP or 10-16 char InternalId)" },
     page: { type: "string", description: "Page offset (default: 0)" },
     pageSize: { type: "string", description: "Page size" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -7841,9 +8438,33 @@ var search = defineCommand6({
       const { client } = await requireSession(globalOpts);
       const page = args.page ? parseInt(args.page, 10) : void 0;
       const pageSize = args.pageSize ? parseInt(args.pageSize, 10) : void 0;
+      const resolveContextBody = () => {
+        const hasType = Boolean(args.contextType);
+        const hasValue = Boolean(args.contextValue);
+        if (hasType !== hasValue) {
+          throw KSeFValidationError.fromField(
+            hasType ? "--context-value" : "--context-type",
+            "--context-type and --context-value must be provided together."
+          );
+        }
+        if (!hasType) return {};
+        if (args.contextType !== "Nip" && args.contextType !== "InternalId") {
+          throw KSeFValidationError.fromField(
+            "--context-type",
+            `--context-type must be "Nip" or "InternalId", got "${args.contextType}".`
+          );
+        }
+        return {
+          contextIdentifier: {
+            type: args.contextType,
+            value: args.contextValue
+          }
+        };
+      };
       switch (args.type) {
         case "personal": {
-          const response = await client.permissions.queryPersonalGrants({}, page, pageSize);
+          const body = resolveContextBody();
+          const response = await client.permissions.queryPersonalGrants(body, page, pageSize);
           if (args.json) {
             outputResult(response, { json: true });
             return;
@@ -7949,7 +8570,8 @@ var search = defineCommand6({
           break;
         }
         case "entities-grants": {
-          const response = await client.permissions.queryEntitiesGrants({}, page, pageSize);
+          const body = resolveContextBody();
+          const response = await client.permissions.queryEntitiesGrants(body, page, pageSize);
           if (args.json) {
             outputResult(response, { json: true });
             return;
@@ -8056,7 +8678,7 @@ var search = defineCommand6({
         default:
           throw new Error(`Unknown search type: ${args.type}. Use: personal, persons, subunits, entities, entities-grants, subordinate-entities, authorizations, eu-entities`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var status3 = defineCommand6({
@@ -8082,7 +8704,7 @@ var status3 = defineCommand6({
           "Status Description": result.status.description
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var attachmentStatus = defineCommand6({
@@ -8106,7 +8728,7 @@ var attachmentStatus = defineCommand6({
           "Attachments": result.isAttachmentAllowed ? "Allowed" : "Not Allowed"
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var permissionCommand = defineCommand6({
@@ -8159,7 +8781,7 @@ var generate = defineCommand7({
           "Token": result.token
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var list2 = defineCommand7({
@@ -8218,7 +8840,7 @@ var list2 = defineCommand7({
       if (result.continuationToken) {
         consola10.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var get2 = defineCommand7({
@@ -8251,7 +8873,7 @@ var get2 = defineCommand7({
           "Last Used": result.lastUseDate ?? "Never"
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var revoke3 = defineCommand7({
@@ -8275,7 +8897,7 @@ var revoke3 = defineCommand7({
       } else {
         outputSuccess(`Token ${ref} revoked.`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var tokenCommand = defineCommand7({
@@ -8458,7 +9080,7 @@ var generate2 = defineCommand8({
           "Private Key": keyPath
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var enroll = defineCommand8({
@@ -8496,7 +9118,7 @@ var enroll = defineCommand8({
           "Timestamp": result.timestamp
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var status4 = defineCommand8({
@@ -8528,7 +9150,7 @@ var status4 = defineCommand8({
         }
         outputKeyValue(kv, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var list3 = defineCommand8({
@@ -8591,7 +9213,7 @@ var list3 = defineCommand8({
       if (result.hasMore) {
         consola11.info("More results available. Use --page to paginate.");
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var revoke4 = defineCommand8({
@@ -8618,7 +9240,7 @@ var revoke4 = defineCommand8({
       } else {
         outputSuccess(`Certificate ${serial} revoked.`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var limits = defineCommand8({
@@ -8646,7 +9268,7 @@ var limits = defineCommand8({
           "Certificate Remaining": result.certificate.remaining
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var enrollmentData = defineCommand8({
@@ -8677,7 +9299,7 @@ var enrollmentData = defineCommand8({
         if (result.organizationIdentifier) kv["Organization ID"] = result.organizationIdentifier;
         outputKeyValue(kv, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var retrieve = defineCommand8({
@@ -8720,7 +9342,7 @@ var retrieve = defineCommand8({
         ],
         { json: false }
       );
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var certCommand = defineCommand8({
@@ -8849,7 +9471,7 @@ URL: ${url2}`);
           console.log(buffer.toString("base64"));
         }
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var certificate = defineCommand9({
@@ -8910,7 +9532,7 @@ URL: ${url2}`);
           console.log(buffer.toString("base64"));
         }
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var url = defineCommand9({
@@ -8934,7 +9556,7 @@ var url = defineCommand9({
       } else {
         console.log(verificationUrl);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var qrCommand = defineCommand9({
@@ -8978,7 +9600,7 @@ var status5 = defineCommand10({
           "Timestamp": result.timestamp
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var messages = defineCommand10({
@@ -9020,7 +9642,7 @@ var messages = defineCommand10({
         ],
         { json: false }
       );
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var lighthouseCommand = defineCommand10({
@@ -9076,7 +9698,7 @@ var createSubject = defineCommand11({
       };
       await createClient(globalOpts).testData.createSubject(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var removeSubject = defineCommand11({
@@ -9095,7 +9717,7 @@ var removeSubject = defineCommand11({
       const request = { subjectNip: args.nip };
       await createClient(globalOpts).testData.removeSubject(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var createPerson = defineCommand11({
@@ -9126,7 +9748,7 @@ var createPerson = defineCommand11({
       };
       await createClient(globalOpts).testData.createPerson(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var removePerson = defineCommand11({
@@ -9145,7 +9767,7 @@ var removePerson = defineCommand11({
       const request = { nip: args.nip };
       await createClient(globalOpts).testData.removePerson(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var grantPermissions = defineCommand11({
@@ -9176,7 +9798,7 @@ var grantPermissions = defineCommand11({
       };
       await createClient(globalOpts).testData.grantPermissions(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var revokePermissions = defineCommand11({
@@ -9204,7 +9826,7 @@ var revokePermissions = defineCommand11({
       };
       await createClient(globalOpts).testData.revokePermissions(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var enableAttachment = defineCommand11({
@@ -9223,7 +9845,7 @@ var enableAttachment = defineCommand11({
       const request = { nip: args.nip };
       await createClient(globalOpts).testData.enableAttachment(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var disableAttachment = defineCommand11({
@@ -9246,7 +9868,7 @@ var disableAttachment = defineCommand11({
       };
       await createClient(globalOpts).testData.disableAttachment(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var changeSessionLimits = defineCommand11({
@@ -9283,7 +9905,7 @@ var changeSessionLimits = defineCommand11({
       };
       await client.testData.changeSessionLimits(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var restoreSessionLimits = defineCommand11({
@@ -9302,7 +9924,7 @@ var restoreSessionLimits = defineCommand11({
       const { client } = await requireSession(globalOpts);
       await client.testData.restoreDefaultSessionLimits();
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var changeCertLimits = defineCommand11({
@@ -9329,7 +9951,7 @@ var changeCertLimits = defineCommand11({
       };
       await client.testData.changeCertificatesLimit(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var restoreCertLimits = defineCommand11({
@@ -9348,7 +9970,7 @@ var restoreCertLimits = defineCommand11({
       const { client } = await requireSession(globalOpts);
       await client.testData.restoreDefaultCertificatesLimit();
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var setRateLimits = defineCommand11({
@@ -9371,7 +9993,7 @@ var setRateLimits = defineCommand11({
       };
       await client.testData.setRateLimits(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var restoreRateLimits = defineCommand11({
@@ -9390,7 +10012,7 @@ var restoreRateLimits = defineCommand11({
       const { client } = await requireSession(globalOpts);
       await client.testData.restoreDefaultRateLimits();
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var setProductionRateLimits = defineCommand11({
@@ -9409,7 +10031,7 @@ var setProductionRateLimits = defineCommand11({
       const { client } = await requireSession(globalOpts);
       await client.testData.setProductionRateLimits();
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var blockContext = defineCommand11({
@@ -9436,7 +10058,7 @@ var blockContext = defineCommand11({
       };
       await client.testData.blockContext(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var unblockContext = defineCommand11({
@@ -9463,7 +10085,7 @@ var unblockContext = defineCommand11({
       };
       await client.testData.unblockContext(request);
       outputDone(args.json);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var testDataCommand = defineCommand11({
@@ -9525,7 +10147,7 @@ var context = defineCommand12({
           "Batch \u2014 Max Invoices": result.batchSession.maxInvoices
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var subject = defineCommand12({
@@ -9549,7 +10171,7 @@ var subject = defineCommand12({
           "Max Certificates": result.certificate?.maxCertificates ?? "Unlimited"
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var rate = defineCommand12({
@@ -9585,7 +10207,7 @@ var rate = defineCommand12({
         ],
         { json: false }
       );
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var limitsCommand = defineCommand12({
@@ -9646,7 +10268,7 @@ var providers = defineCommand13({
       if (result.hasMore) {
         consola12.info("More results available. Use --page to paginate.");
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var peppolCommand = defineCommand13({
@@ -9757,7 +10379,7 @@ ${passed}/${total} checks passed.`);
         consola13.warn(`
 ${passed}/${total} checks passed.`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 
@@ -10142,7 +10764,7 @@ var setupCommand = defineCommand16({
         "  ksef session open           \u2014 Open an online session",
         "  ksef auth whoami            \u2014 Check current session"
       ].join("\n"));
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 
@@ -10380,7 +11002,7 @@ var generate3 = defineCommand17({
           "KOD II": metadata.kod2Url ?? "(not generated)"
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var list4 = defineCommand17({
@@ -10429,7 +11051,7 @@ var list4 = defineCommand17({
         ],
         { json: args.json }
       );
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var status6 = defineCommand17({
@@ -10465,7 +11087,7 @@ var status6 = defineCommand17({
           Error: invoice3.error ? `${invoice3.error.code}: ${invoice3.error.message}` : "-"
         }, { json: false });
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var submit = defineCommand17({
@@ -10521,7 +11143,7 @@ var submit = defineCommand17({
           );
         }
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var correct = defineCommand17({
@@ -10551,7 +11173,7 @@ var correct = defineCommand17({
       } else {
         outputSuccess(`Correction submitted. KSeF ref: ${result.ksefReferenceNumber ?? "pending"}`);
       }
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var del = defineCommand17({
@@ -10601,7 +11223,7 @@ var del = defineCommand17({
       }
       await storage.delete(args.id);
       outputSuccess(`Deleted offline invoice ${args.id}`);
-    });
+    }, { json: Boolean(args.json) });
   }
 });
 var offlineCommand = defineCommand17({