ksef-client-ts 0.7.0 → 0.7.2-alpha.0

package/dist/cli.js

@@ -320,6 +320,50 @@ var init_ksef_batch_timeout_error = __esm({
   }
 });
 
+// src/errors/ksef-circuit-open-error.ts
+var KSeFCircuitOpenError;
+var init_ksef_circuit_open_error = __esm({
+  "src/errors/ksef-circuit-open-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFCircuitOpenError = class extends KSeFError {
+      endpoint;
+      openedAt;
+      retryAfterMs;
+      constructor(endpoint, openedAt, retryAfterMs) {
+        super(
+          `Circuit breaker is open for '${endpoint}'. Retry after ${Math.round(retryAfterMs)}ms.`
+        );
+        this.name = "KSeFCircuitOpenError";
+        this.endpoint = endpoint;
+        this.openedAt = openedAt;
+        this.retryAfterMs = retryAfterMs;
+      }
+    };
+  }
+});
+
+// src/errors/ksef-xsd-validation-error.ts
+var KSeFXsdValidationError;
+var init_ksef_xsd_validation_error = __esm({
+  "src/errors/ksef-xsd-validation-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFXsdValidationError = class extends KSeFError {
+      schemaFile;
+      errors;
+      constructor(schemaFile, errors) {
+        const preview = errors.slice(0, 3).join("; ");
+        const extra = errors.length > 3 ? ` (+${errors.length - 3} more)` : "";
+        super(`XSD validation failed against ${schemaFile}: ${preview}${extra}`);
+        this.name = "KSeFXsdValidationError";
+        this.schemaFile = schemaFile;
+        this.errors = errors;
+      }
+    };
+  }
+});
+
 // src/errors/assert-never.ts
 var init_assert_never = __esm({
   "src/errors/assert-never.ts"() {
@@ -342,6 +386,8 @@ var init_errors = __esm({
     init_ksef_session_expired_error();
     init_ksef_validation_error();
     init_ksef_batch_timeout_error();
+    init_ksef_circuit_open_error();
+    init_ksef_xsd_validation_error();
     init_error_codes();
     init_assert_never();
   }
@@ -617,6 +663,7 @@ var init_rest_client = __esm({
       transport;
       retryPolicy;
       rateLimitPolicy;
+      circuitBreakerPolicy;
       authManager;
       presignedUrlPolicy;
       constructor(options, config) {
@@ -625,6 +672,7 @@ var init_rest_client = __esm({
         this.transport = config?.transport ?? defaultTransport;
         this.retryPolicy = config?.retryPolicy ?? defaultRetryPolicy();
         this.rateLimitPolicy = config?.rateLimitPolicy ?? null;
+        this.circuitBreakerPolicy = config?.circuitBreakerPolicy ?? null;
         this.authManager = config?.authManager;
         this.presignedUrlPolicy = config?.presignedUrlPolicy;
       }
@@ -649,18 +697,32 @@ var init_rest_client = __esm({
         if (request.isPresigned() && this.presignedUrlPolicy) {
           validatePresignedUrl(url2, this.presignedUrlPolicy);
         }
+        let ownsProbeSlot = false;
+        if (this.circuitBreakerPolicy) {
+          const claimed = this.circuitBreakerPolicy.ensureClosed(request.path);
+          if (claimed) ownsProbeSlot = true;
+        }
         if (this.rateLimitPolicy) {
-          await this.rateLimitPolicy.acquire(request.path);
+          try {
+            await this.rateLimitPolicy.acquire(request.path);
+          } catch (error) {
+            if (ownsProbeSlot) this.circuitBreakerPolicy?.releaseProbe(request.path);
+            throw error;
+          }
         }
         let lastError;
         for (let attempt = 0; attempt <= this.retryPolicy.maxRetries; attempt++) {
+          if (this.circuitBreakerPolicy) {
+            const claimed = this.circuitBreakerPolicy.ensureClosed(request.path, ownsProbeSlot);
+            if (claimed) ownsProbeSlot = true;
+          }
           try {
-            const response = await this.doRequest(request, url2);
+            let response = await this.doRequest(request, url2);
             if (response.status === 401 && this.authManager && attempt === 0 && !request.isSkipAuthRetry()) {
               const newToken = await this.authManager.onUnauthorized();
               if (newToken) {
                 consola3.debug("Auth token refreshed, retrying request");
-                return this.doRequest(request, url2, newToken);
+                response = await this.doRequest(request, url2, newToken);
               }
             }
             if (isRetryableStatus(response.status, this.retryPolicy) && attempt < this.retryPolicy.maxRetries) {
@@ -670,10 +732,17 @@ var init_rest_client = __esm({
               consola3.debug(`Retryable ${response.status}, attempt ${attempt + 1}/${this.retryPolicy.maxRetries}, waiting ${Math.round(delayMs)}ms`);
               await sleep(delayMs);
               if (is429 && this.rateLimitPolicy) {
-                await this.rateLimitPolicy.acquire(request.path);
+                try {
+                  await this.rateLimitPolicy.acquire(request.path);
+                } catch (error) {
+                  this.recordCircuitOutcome(request.path, 429);
+                  ownsProbeSlot = false;
+                  throw error;
+                }
               }
               continue;
             }
+            this.recordCircuitOutcome(request.path, response.status);
             return response;
           } catch (error) {
             lastError = error;
@@ -683,11 +752,22 @@ var init_rest_client = __esm({
               await sleep(delayMs);
               continue;
             }
+            if (isRetryableError(error, this.retryPolicy) || ownsProbeSlot) {
+              this.circuitBreakerPolicy?.recordFailure(request.path);
+            }
             throw error;
           }
         }
         throw lastError;
       }
+      recordCircuitOutcome(path12, status7) {
+        if (!this.circuitBreakerPolicy) return;
+        if (status7 >= 500) {
+          this.circuitBreakerPolicy.recordFailure(path12);
+          return;
+        }
+        this.circuitBreakerPolicy.recordSuccess(path12);
+      }
       async doRequest(request, url2, overrideToken) {
         const headers = {
           ...this.options.customHeaders,
@@ -723,9 +803,9 @@ var init_rest_client = __esm({
         return response;
       }
       buildUrl(request) {
-        const path10 = this.routeBuilder.build(request.path);
+        const path12 = this.routeBuilder.build(request.path);
         const base = this.options.baseUrl;
-        const url2 = new URL(`${base}${path10}`);
+        const url2 = new URL(`${base}${path12}`);
         const query2 = request.getQuery();
         for (const [key, value] of query2) {
           url2.searchParams.append(key, value);
@@ -869,6 +949,141 @@ var init_rate_limit_policy = __esm({
   }
 });
 
+// src/http/circuit-breaker-policy.ts
+import { consola as consola4 } from "consola";
+var GLOBAL_KEY, CircuitBreakerPolicy;
+var init_circuit_breaker_policy = __esm({
+  "src/http/circuit-breaker-policy.ts"() {
+    "use strict";
+    init_ksef_circuit_open_error();
+    GLOBAL_KEY = "__global__";
+    CircuitBreakerPolicy = class _CircuitBreakerPolicy {
+      failureThreshold;
+      openMs;
+      scope;
+      states = /* @__PURE__ */ new Map();
+      constructor(config = {}) {
+        const failureThreshold = config.failureThreshold ?? 5;
+        const openMs = config.openMs ?? 3e4;
+        if (!Number.isInteger(failureThreshold) || failureThreshold <= 0) {
+          throw new RangeError("CircuitBreakerPolicy: failureThreshold must be a positive integer");
+        }
+        if (!Number.isFinite(openMs) || openMs <= 0) {
+          throw new RangeError("CircuitBreakerPolicy: openMs must be > 0");
+        }
+        const scope = config.scope ?? "global";
+        if (scope !== "global" && scope !== "endpoint") {
+          throw new RangeError(
+            "CircuitBreakerPolicy: scope must be 'global' or 'endpoint'"
+          );
+        }
+        this.failureThreshold = failureThreshold;
+        this.openMs = openMs;
+        this.scope = scope;
+      }
+      // Returns true iff this call just claimed the single probe slot for the
+      // caller. The caller MUST pass `alreadyOwnsProbe=true` on subsequent
+      // re-checks for the same logical request (e.g. a retry loop) so the probe
+      // owner cannot deadlock itself on its own in-flight slot.
+      ensureClosed(endpoint, alreadyOwnsProbe = false) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state || state.openedAt === null) return false;
+        const now = performance.now();
+        const elapsed = now - state.openedAt;
+        if (elapsed >= this.openMs) {
+          if (alreadyOwnsProbe) return false;
+          if (state.probeInFlight) {
+            throw new KSeFCircuitOpenError(endpoint, state.openedAt, 0);
+          }
+          state.probeInFlight = true;
+          consola4.debug(`Circuit breaker: probe after cooldown for '${key}'`);
+          return true;
+        }
+        const retryAfterMs = Math.max(0, this.openMs - elapsed);
+        throw new KSeFCircuitOpenError(endpoint, state.openedAt, retryAfterMs);
+      }
+      recordSuccess(endpoint) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state) return;
+        if (state.openedAt !== null || state.failures > 0) {
+          consola4.debug(`Circuit breaker: reset for '${key}'`);
+        }
+        this.states.delete(key);
+      }
+      // Release a claimed probe slot WITHOUT observing an outcome. Use this when
+      // the probe attempt was aborted before reaching upstream (e.g. rate-limit
+      // acquire rejected, client cancellation). We have no new information about
+      // upstream health, so the breaker must stay OPEN — but we do restart the
+      // cooldown clock so the next probe attempt waits a fresh `openMs`,
+      // preventing a tight loop of aborted probes from spamming the limiter.
+      releaseProbe(endpoint) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state || !state.probeInFlight) return;
+        state.probeInFlight = false;
+        if (state.openedAt !== null) {
+          state.openedAt = performance.now();
+        }
+        consola4.debug(`Circuit breaker: probe aborted (not observed) for '${key}', cooldown restarted`);
+      }
+      recordFailure(endpoint) {
+        const key = this.keyFor(endpoint);
+        const now = performance.now();
+        let state = this.states.get(key);
+        if (!state) {
+          state = { failures: 0, openedAt: null, lastFailureAt: null, probeInFlight: false };
+          this.states.set(key, state);
+        }
+        if (state.openedAt !== null && state.probeInFlight) {
+          state.openedAt = now;
+          state.failures = this.failureThreshold;
+          state.lastFailureAt = now;
+          state.probeInFlight = false;
+          consola4.debug(`Circuit breaker: probe failed, re-opened for '${key}'`);
+          this.maybeSweepStaleClosed(now, key);
+          return;
+        }
+        const slidingStale = state.lastFailureAt !== null && now - state.lastFailureAt > this.openMs;
+        state.failures = slidingStale ? 1 : state.failures + 1;
+        state.lastFailureAt = now;
+        if (state.openedAt === null && state.failures >= this.failureThreshold) {
+          state.openedAt = now;
+          consola4.debug(
+            `Circuit breaker: opened for '${key}' after ${state.failures} failures (cooldown ${this.openMs}ms)`
+          );
+        }
+        this.maybeSweepStaleClosed(now, key);
+      }
+      keyFor(endpoint) {
+        return this.scope === "global" ? GLOBAL_KEY : endpoint;
+      }
+      // Prevent unbounded map growth under `scope: 'endpoint'` when callers hit
+      // many distinct parameterized paths (e.g. `auth/sessions/{ref}`) that each
+      // fail once and are never revisited. Global scope is always a single entry.
+      //
+      // Runs amortized O(n) — gated on a size threshold so small workloads pay
+      // nothing. Only evicts states that are genuinely settled: closed, no probe
+      // in flight, and with the last failure older than two cooldowns.
+      maybeSweepStaleClosed(now, keepKey) {
+        if (this.scope !== "endpoint") return;
+        if (this.states.size <= _CircuitBreakerPolicy.sweepThreshold) return;
+        const staleBefore = now - 2 * this.openMs;
+        for (const [key, state] of this.states) {
+          if (key === keepKey) continue;
+          if (state.openedAt !== null) continue;
+          if (state.probeInFlight) continue;
+          if (state.lastFailureAt !== null && state.lastFailureAt < staleBefore) {
+            this.states.delete(key);
+          }
+        }
+      }
+      static sweepThreshold = 64;
+    };
+  }
+});
+
 // src/http/auth-manager.ts
 var DefaultAuthManager;
 var init_auth_manager = __esm({
@@ -932,21 +1147,21 @@ var init_rest_request = __esm({
       _query = [];
       _presigned = false;
       _skipAuthRetry = false;
-      constructor(method, path10) {
+      constructor(method, path12) {
         this.method = method;
-        this.path = path10;
+        this.path = path12;
       }
-      static get(path10) {
-        return new _RestRequest("GET", path10);
+      static get(path12) {
+        return new _RestRequest("GET", path12);
       }
-      static post(path10) {
-        return new _RestRequest("POST", path10);
+      static post(path12) {
+        return new _RestRequest("POST", path12);
       }
-      static put(path10) {
-        return new _RestRequest("PUT", path10);
+      static put(path12) {
+        return new _RestRequest("PUT", path12);
       }
-      static delete(path10) {
-        return new _RestRequest("DELETE", path10);
+      static delete(path12) {
+        return new _RestRequest("DELETE", path12);
       }
       body(data) {
         this._body = data;
@@ -1885,20 +2100,20 @@ var init_lighthouse = __esm({
         this.lighthouseUrl = options.lighthouseUrl;
         this.timeout = options.timeout;
       }
-      async fetchJson(path10) {
+      async fetchJson(path12) {
         if (!this.lighthouseUrl) {
           throw new KSeFError(
             "Lighthouse API is not available for the DEMO environment. Use TEST or PROD instead."
           );
         }
-        const response = await fetch(`${this.lighthouseUrl}${path10}`, {
+        const response = await fetch(`${this.lighthouseUrl}${path12}`, {
           headers: { Accept: "application/json" },
           signal: AbortSignal.timeout(this.timeout)
         });
         if (!response.ok) {
           const body = await response.text();
           throw new KSeFError(
-            `Lighthouse ${path10} failed: HTTP ${response.status} \u2014 ${body}`
+            `Lighthouse ${path12} failed: HTTP ${response.status} \u2014 ${body}`
           );
         }
         return await response.json();
@@ -2156,7 +2371,7 @@ ${lines.join("\n")}
 });
 
 // src/crypto/cryptography-service.ts
-import * as crypto from "crypto";
+import * as crypto from "node:crypto";
 import * as x509 from "@peculiar/x509";
 function setCryptoProvider() {
   x509.cryptoProvider.set(crypto.webcrypto);
@@ -2244,7 +2459,7 @@ var init_cryptography_service = __esm({
         const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
         const encryptedKey = crypto.publicEncrypt(
           {
-            key: certPem,
+            key: this.extractSpkiPem(certPem),
             oaepHash: "sha256",
             padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
           },
@@ -2374,12 +2589,22 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       // Private helpers
       // ---------------------------------------------------------------------------
+      /**
+       * Extract a public-key SPKI PEM (`-----BEGIN PUBLIC KEY-----`) from a full
+       * CERTIFICATE PEM. Node's `publicEncrypt` accepts either form, but Deno's
+       * Node compatibility layer only accepts SPKI PEM, so we normalize upfront
+       * to keep the library portable across runtimes.
+       */
+      extractSpkiPem(certPem) {
+        const publicKey = new crypto.X509Certificate(certPem).publicKey;
+        return publicKey.export({ type: "spki", format: "pem" });
+      }
       /** RSA-OAEP SHA-256 encryption. */
       encryptRsaOaep(certPem, plaintext) {
         return new Uint8Array(
           crypto.publicEncrypt(
             {
-              key: certPem,
+              key: this.extractSpkiPem(certPem),
               oaepHash: "sha256",
               padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
             },
@@ -2417,7 +2642,7 @@ var init_cryptography_service = __esm({
 });
 
 // src/qr/verification-link-service.ts
-import crypto2 from "crypto";
+import crypto2 from "node:crypto";
 var VerificationLinkService;
 var init_verification_link_service = __esm({
   "src/qr/verification-link-service.ts"() {
@@ -2443,11 +2668,11 @@ var init_verification_link_service = __esm({
        * Build certificate verification URL (Code II).
        * Format: {baseQrUrl}/certificate/{contextType}/{contextId}/{sellerNip}/{certSerial}/{hash_base64url}/{signature_base64url}
        */
-      buildCertificateVerificationUrl(contextType, contextId, sellerNip, certSerial, invoiceHashBase64, privateKeyPem) {
+      buildCertificateVerificationUrl(contextType, contextId, sellerNip, certSerial, invoiceHashBase64, privateKeyPem, privateKeyPassword) {
         const hashBase64Url = this.base64ToBase64Url(invoiceHashBase64);
         const pathWithoutSignature = `${this.baseQrUrl}/certificate/${contextType}/${contextId}/${sellerNip}/${certSerial}/${hashBase64Url}`;
         const dataToSign = pathWithoutSignature.replace(/^https?:\/\//, "");
-        const key = crypto2.createPrivateKey(privateKeyPem);
+        const key = privateKeyPassword !== void 0 ? crypto2.createPrivateKey({ key: privateKeyPem, format: "pem", passphrase: privateKeyPassword }) : crypto2.createPrivateKey(privateKeyPem);
         let signature;
         if (key.asymmetricKeyType === "rsa") {
           signature = crypto2.sign("sha256", Buffer.from(dataToSign), {
@@ -2723,7 +2948,7 @@ var init_document_structures = __esm({
 });
 
 // src/workflows/offline-invoice-workflow.ts
-import crypto3 from "crypto";
+import crypto3 from "node:crypto";
 var OfflineInvoiceWorkflow;
 var init_offline_invoice_workflow = __esm({
   "src/workflows/offline-invoice-workflow.ts"() {
@@ -2761,7 +2986,8 @@ var init_offline_invoice_workflow = __esm({
             input.sellerNip,
             options.certificate.certificateSerial,
             invoiceHashBase64,
-            options.certificate.privateKeyPem
+            options.certificate.privateKeyPem,
+            options.certificate.password
           );
         }
         const submitBy = options?.customDeadline ? typeof options.customDeadline === "string" ? options.customDeadline : options.customDeadline.toISOString() : calculateOfflineDeadline(mode, input.invoiceDate, options?.maintenanceWindow).toISOString();
@@ -2951,7 +3177,8 @@ var init_offline_invoice_workflow = __esm({
               original.sellerNip,
               options.certificate.certificateSerial,
               correctedHashBase64,
-              options.certificate.privateKeyPem
+              options.certificate.privateKeyPem,
+              options.certificate.password
             );
           }
           const correctionMetadata = {
@@ -3013,9 +3240,43 @@ var signature_service_exports = {};
 __export(signature_service_exports, {
   SignatureService: () => SignatureService
 });
-import * as crypto4 from "crypto";
+import * as crypto4 from "node:crypto";
 import { ExclusiveCanonicalization } from "xml-crypto";
 import { DOMParser, XMLSerializer } from "@xmldom/xmldom";
+function pickRsaAlgo() {
+  return {
+    nodeHashName: "sha256",
+    signatureUri: RSA_SHA256_SIGNATURE_URI,
+    digestUri: DIGEST_URI.sha256
+  };
+}
+function pickEcdsaAlgo(privateKey) {
+  const curve = privateKey.asymmetricKeyDetails?.namedCurve;
+  switch (curve) {
+    case "prime256v1":
+      return {
+        nodeHashName: "sha256",
+        signatureUri: ECDSA_SIGNATURE_URI.sha256,
+        digestUri: DIGEST_URI.sha256
+      };
+    case "secp384r1":
+      return {
+        nodeHashName: "sha384",
+        signatureUri: ECDSA_SIGNATURE_URI.sha384,
+        digestUri: DIGEST_URI.sha384
+      };
+    case "secp521r1":
+      return {
+        nodeHashName: "sha512",
+        signatureUri: ECDSA_SIGNATURE_URI.sha512,
+        digestUri: DIGEST_URI.sha512
+      };
+    default:
+      throw new KSeFError(
+        `Unsupported ECDSA curve: ${curve ?? "unknown"}. Supported: P-256 (prime256v1), P-384 (secp384r1), P-521 (secp521r1).`
+      );
+  }
+}
 function extractDerFromPem(pem) {
   const base64 = pem.replace(/-----BEGIN [A-Z\s]+-----/g, "").replace(/-----END [A-Z\s]+-----/g, "").replace(/\s+/g, "");
   return Buffer.from(base64, "base64");
@@ -3030,12 +3291,12 @@ function canonicalize(elem) {
   const c14n = new ExclusiveCanonicalization();
   return c14n.process(elem, {});
 }
-function computeRootDigest(doc) {
+function computeRootDigest(doc, hashName) {
   const root = doc.documentElement;
   const canonical = canonicalize(root);
-  return crypto4.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto4.createHash(hashName).update(canonical, "utf-8").digest("base64");
 }
-function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
+function computeSignedPropertiesDigest(qualifyingPropertiesXml, hashName) {
   const parser2 = new DOMParser();
   const qpDoc = parser2.parseFromString(qualifyingPropertiesXml, "text/xml");
   const signedProps = findElementByLocalName(qpDoc.documentElement, "SignedProperties");
@@ -3043,9 +3304,9 @@ function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
   }
   const canonical = canonicalize(signedProps);
-  return crypto4.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto4.createHash(hashName).update(canonical, "utf-8").digest("base64");
 }
-function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest) {
+function buildSignedInfo(signatureAlgorithm, digestAlgorithm, rootDigest, signedPropertiesDigest) {
   return [
     `<ds:SignedInfo xmlns:ds="${DS_NS}">`,
     `<ds:CanonicalizationMethod Algorithm="${EXC_C14N_ALGORITHM}"/>`,
@@ -3056,7 +3317,7 @@ function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest)
     `<ds:Transform Algorithm="${ENVELOPED_SIGNATURE_TRANSFORM}"/>`,
     `<ds:Transform Algorithm="${EXC_C14N_ALGORITHM}"/>`,
     `</ds:Transforms>`,
-    `<ds:DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<ds:DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<ds:DigestValue>${rootDigest}</ds:DigestValue>`,
     `</ds:Reference>`,
     // Reference 2: SignedProperties
@@ -3064,22 +3325,22 @@ function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest)
     `<ds:Transforms>`,
     `<ds:Transform Algorithm="${EXC_C14N_ALGORITHM}"/>`,
     `</ds:Transforms>`,
-    `<ds:DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<ds:DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<ds:DigestValue>${signedPropertiesDigest}</ds:DigestValue>`,
     `</ds:Reference>`,
     `</ds:SignedInfo>`
   ].join("");
 }
-function computeSignatureValue(canonicalSignedInfo, privateKey, isEc) {
+function computeSignatureValue(canonicalSignedInfo, privateKey, isEc, hashName) {
   const data = Buffer.from(canonicalSignedInfo, "utf-8");
   let signature;
   if (isEc) {
-    signature = crypto4.sign("sha256", data, {
+    signature = crypto4.sign(hashName, data, {
       key: privateKey,
       dsaEncoding: "ieee-p1363"
     });
   } else {
-    signature = crypto4.sign("sha256", data, privateKey);
+    signature = crypto4.sign(hashName, data, privateKey);
   }
   return signature.toString("base64");
 }
@@ -3100,7 +3361,7 @@ function buildSignatureElement(signedInfoXml, signatureValue, certBase64, qualif
     `</ds:Signature>`
   ].join("");
 }
-function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest, issuerName, serialNumber, signingTime) {
+function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest, issuerName, serialNumber, signingTime, digestAlgorithm) {
   return [
     `<xades:QualifyingProperties`,
     ` Target="#${signatureId}"`,
@@ -3112,7 +3373,7 @@ function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest,
     `<xades:SigningCertificate>`,
     `<xades:Cert>`,
     `<xades:CertDigest>`,
-    `<DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<DigestValue>${certDigest}</DigestValue>`,
     `</xades:CertDigest>`,
     `<xades:IssuerSerial>`,
@@ -3148,18 +3409,27 @@ function wrapBase64(base64) {
   }
   return lines.join("\n");
 }
-var XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, SHA256_DIGEST_METHOD, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, RSA_SHA256_SIGNATURE, ECDSA_SHA256_SIGNATURE, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
+var XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, DIGEST_URI, ECDSA_SIGNATURE_URI, RSA_SHA256_SIGNATURE_URI, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
 var init_signature_service = __esm({
   "src/crypto/signature-service.ts"() {
     "use strict";
+    init_ksef_error();
     XADES_NS = "http://uri.etsi.org/01903/v1.3.2#";
     DS_NS = "http://www.w3.org/2000/09/xmldsig#";
     SIGNED_PROPERTIES_TYPE = "http://uri.etsi.org/01903#SignedProperties";
-    SHA256_DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256";
     EXC_C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";
     ENVELOPED_SIGNATURE_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
-    RSA_SHA256_SIGNATURE = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
-    ECDSA_SHA256_SIGNATURE = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
+    DIGEST_URI = {
+      sha256: "http://www.w3.org/2001/04/xmlenc#sha256",
+      sha384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+      sha512: "http://www.w3.org/2001/04/xmlenc#sha512"
+    };
+    ECDSA_SIGNATURE_URI = {
+      sha256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+      sha384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+      sha512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+    };
+    RSA_SHA256_SIGNATURE_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     CLOCK_SKEW_BUFFER_MS = -6e4;
     SIGNATURE_ID = "Signature";
     SIGNED_PROPERTIES_ID = "SignedProperties";
@@ -3179,15 +3449,21 @@ var init_signature_service = __esm({
         }
         const certDer = extractDerFromPem(certPem);
         const certBase64 = certDer.toString("base64");
-        const certDigest = crypto4.createHash("sha256").update(certDer).digest("base64");
         const x5093 = new crypto4.X509Certificate(certPem);
         const issuerName = normalizeIssuerDn(x5093.issuer);
         const serialNumber = hexSerialToDecimal(x5093.serialNumber);
         const privateKey = crypto4.createPrivateKey(
           passphrase ? { key: privateKeyPem, format: "pem", passphrase } : privateKeyPem
         );
-        const isEc = privateKey.asymmetricKeyType === "ec";
-        const signatureAlgorithm = isEc ? ECDSA_SHA256_SIGNATURE : RSA_SHA256_SIGNATURE;
+        const keyType = privateKey.asymmetricKeyType;
+        if (keyType !== "ec" && keyType !== "rsa") {
+          throw new KSeFError(
+            `Unsupported private key type: ${keyType ?? "unknown"}. Supported: RSA and ECDSA.`
+          );
+        }
+        const isEc = keyType === "ec";
+        const algo = isEc ? pickEcdsaAlgo(privateKey) : pickRsaAlgo();
+        const certDigest = crypto4.createHash(algo.nodeHashName).update(certDer).digest("base64");
         const signingTime = new Date(Date.now() + CLOCK_SKEW_BUFFER_MS).toISOString();
         const parser2 = new DOMParser();
         const doc = parser2.parseFromString(xml, "text/xml");
@@ -3201,12 +3477,17 @@ var init_signature_service = __esm({
           certDigest,
           issuerName,
           serialNumber,
-          signingTime
+          signingTime,
+          algo.digestUri
+        );
+        const rootDigest = computeRootDigest(doc, algo.nodeHashName);
+        const signedPropertiesDigest = computeSignedPropertiesDigest(
+          qualifyingPropertiesXml,
+          algo.nodeHashName
         );
-        const rootDigest = computeRootDigest(doc);
-        const signedPropertiesDigest = computeSignedPropertiesDigest(qualifyingPropertiesXml);
         const signedInfoXml = buildSignedInfo(
-          signatureAlgorithm,
+          algo.signatureUri,
+          algo.digestUri,
           rootDigest,
           signedPropertiesDigest
         );
@@ -3215,7 +3496,8 @@ var init_signature_service = __esm({
         const signatureValue = computeSignatureValue(
           canonicalSignedInfo,
           privateKey,
-          isEc
+          isEc,
+          algo.nodeHashName
         );
         const signatureXml = buildSignatureElement(
           signedInfoXml,
@@ -3312,6 +3594,11 @@ function buildRestClientConfig(options, authManager) {
       endpointLimits: options.rateLimit.endpointLimits
     });
   }
+  if (options?.circuitBreaker === null) {
+    config.circuitBreakerPolicy = null;
+  } else if (options?.circuitBreaker) {
+    config.circuitBreakerPolicy = new CircuitBreakerPolicy(options.circuitBreaker);
+  }
   if (options?.presignedUrlHosts) {
     const base = defaultPresignedUrlPolicy();
     config.presignedUrlPolicy = {
@@ -3329,6 +3616,7 @@ var init_client = __esm({
     init_rest_client();
     init_retry_policy();
     init_rate_limit_policy();
+    init_circuit_breaker_policy();
     init_presigned_url_policy();
     init_auth_manager();
     init_auth();
@@ -3655,10 +3943,35 @@ var init_invoice_field_extractor = __esm({
 
 // src/xml/xml-engine.ts
 import { XMLBuilder, XMLParser as XMLParser3 } from "fast-xml-parser";
-var parser, builder;
+function createObjectBuilder(pretty = false) {
+  return new XMLBuilder({
+    ignoreAttributes: false,
+    preserveOrder: false,
+    attributeNamePrefix: "@_",
+    textNodeName: "#text",
+    format: pretty,
+    suppressBooleanAttributes: false,
+    suppressEmptyNode: false,
+    processEntities: true
+  });
+}
+function prependDeclaration(xml) {
+  return xml.startsWith("<?xml") ? xml : `${XML_DECLARATION}${xml}`;
+}
+function buildXml(document) {
+  return prependDeclaration(builder.build(document));
+}
+function buildXmlFromObject(document, options) {
+  return prependDeclaration(createObjectBuilder(options?.pretty).build(document));
+}
+function stripBom(input) {
+  return input.charCodeAt(0) === 65279 ? input.slice(1) : input;
+}
+var XML_DECLARATION, parser, builder;
 var init_xml_engine = __esm({
   "src/xml/xml-engine.ts"() {
     "use strict";
+    XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n';
     parser = new XMLParser3({
       ignoreAttributes: false,
       preserveOrder: true,
@@ -3685,31 +3998,485 @@ var init_xml_engine = __esm({
 });
 
 // src/xml/order-map.ts
+function comparePKey(a, b) {
+  const normalize = (value) => value.replace(/^P_/, "").split("_").map((part) => Number.isNaN(Number(part)) ? part : Number(part));
+  const aParts = normalize(a);
+  const bParts = normalize(b);
+  const max = Math.max(aParts.length, bParts.length);
+  for (let i = 0; i < max; i += 1) {
+    const left = aParts[i];
+    const right = bParts[i];
+    if (left === void 0) return -1;
+    if (right === void 0) return 1;
+    if (typeof left === "number" && typeof right === "number") {
+      if (left !== right) return left - right;
+      continue;
+    }
+    const leftStr = String(left);
+    const rightStr = String(right);
+    if (leftStr !== rightStr) return leftStr < rightStr ? -1 : 1;
+  }
+  return 0;
+}
+function isObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function normalizeValueForKey(key, value) {
+  if (Array.isArray(value)) {
+    return value.map(
+      (item) => isObject(item) ? orderXmlObject(item, key) : normalizeValue(item)
+    );
+  }
+  if (isObject(value)) return orderXmlObject(value, key);
+  return value;
+}
+function normalizeValue(value) {
+  if (Array.isArray(value)) return value.map((item) => normalizeValue(item));
+  if (isObject(value)) return orderXmlObject(value);
+  return value;
+}
+function orderXmlObject(value, contextKey) {
+  const order = contextKey ? ORDER_MAP[contextKey] : void 0;
+  const keys = Object.keys(value);
+  const used = /* @__PURE__ */ new Set();
+  const ordered = {};
+  if (order) {
+    for (const key of order) {
+      if (Object.prototype.hasOwnProperty.call(value, key)) {
+        const item = value[key];
+        if (item !== void 0) ordered[key] = normalizeValueForKey(key, item);
+        used.add(key);
+      }
+    }
+  }
+  const pKeys = keys.filter((key) => !used.has(key) && key.startsWith("P_")).sort(comparePKey);
+  for (const key of pKeys) {
+    const item = value[key];
+    if (item !== void 0) ordered[key] = normalizeValueForKey(key, item);
+    used.add(key);
+  }
+  for (const key of keys) {
+    if (used.has(key)) continue;
+    const item = value[key];
+    if (item !== void 0) ordered[key] = normalizeValueForKey(key, item);
+  }
+  return ordered;
+}
+var ORDER_MAP;
 var init_order_map = __esm({
   "src/xml/order-map.ts"() {
     "use strict";
+    ORDER_MAP = {
+      Faktura: ["Naglowek", "Podmiot1", "Podmiot2", "Podmiot3", "Fa", "Stopka"],
+      Naglowek: ["KodFormularza", "WariantFormularza", "DataWytworzeniaFa", "SystemInfo"],
+      Podmiot1: [
+        "PrefiksPodatnika",
+        "NrEORI",
+        "DaneIdentyfikacyjne",
+        "Adres",
+        "AdresKoresp",
+        "DaneKontaktowe",
+        "StatusInfoPodatnika"
+      ],
+      Podmiot2: [
+        "NrEORI",
+        "DaneIdentyfikacyjne",
+        "Adres",
+        "AdresKoresp",
+        "DaneKontaktowe",
+        "NrKlienta",
+        "IDNabywcy",
+        "JST",
+        "GV"
+      ],
+      Podmiot3: [
+        "IDNabywcy",
+        "NrEORI",
+        "DaneIdentyfikacyjne",
+        "Adres",
+        "AdresKoresp",
+        "DaneKontaktowe",
+        "Rola",
+        "Udzial"
+      ],
+      DaneIdentyfikacyjne: [
+        "NIP",
+        "IDWew",
+        "KodUE",
+        "NrVatUE",
+        "KodKraju",
+        "NrID",
+        "BrakID",
+        "Nazwa",
+        "Identyfikator",
+        "KRS"
+      ],
+      Adres: ["KodKraju", "AdresL1", "AdresL2", "AdresL3"],
+      DaneKontaktowe: ["Email", "Telefon"],
+      Fa: [
+        "KodWaluty",
+        "P_1",
+        "P_1M",
+        "P_2",
+        "WZ",
+        "P_6",
+        "OkresFa",
+        // Multi-rate interleave per VAT group — DO NOT flatten into P_13_* block then P_14_* block.
+        // See smekcio TS d1ec8fe and the "multi-rate interleave" regression test.
+        "P_13_1",
+        "P_14_1",
+        "P_14_1W",
+        "P_13_2",
+        "P_14_2",
+        "P_14_2W",
+        "P_13_3",
+        "P_14_3",
+        "P_14_3W",
+        "P_13_4",
+        "P_14_4",
+        "P_14_4W",
+        "P_13_5",
+        "P_14_5",
+        "P_13_6_1",
+        "P_13_6_2",
+        "P_13_6_3",
+        "P_13_7",
+        "P_13_8",
+        "P_13_9",
+        "P_13_10",
+        "P_13_11",
+        "P_15",
+        "KursWalutyZ",
+        "Adnotacje",
+        "RodzajFaktury",
+        "PrzyczynaKorekty",
+        "TypKorekty",
+        "DaneFaKorygowanej",
+        "OkresFaKorygowanej",
+        "NrFaKorygowany",
+        "Podmiot1K",
+        "Podmiot2K",
+        "Podmiot3K",
+        "ZaliczkaCzesciowa",
+        "FP",
+        "TP",
+        "DodatkowyOpis",
+        "FakturaZaliczkowa",
+        "ZwrotAkcyzy",
+        "FaWiersz",
+        "FaWiersze",
+        "Rozliczenie",
+        "Platnosc"
+      ],
+      Adnotacje: ["P_16", "P_17", "P_18", "P_18A", "Zwolnienie", "NoweSrodkiTransportu", "P_23", "PMarzy"],
+      OkresFa: ["P_6_Od", "P_6_Do"],
+      FaWiersz: [
+        "NrWierszaFa",
+        "UU_ID",
+        "P_6A",
+        "P_7",
+        "Indeks",
+        "GTIN",
+        "PKWiU",
+        "CN",
+        "PKOB",
+        "P_8A",
+        "P_8B",
+        "P_9A",
+        "P_9B",
+        "P_10",
+        "P_11",
+        "P_11A",
+        "P_11Vat",
+        "P_12",
+        "P_12_XII",
+        "P_12_Zal_15",
+        "KwotaAkcyzy",
+        "GTU",
+        "Procedura",
+        "KursWaluty",
+        "StanPrzed"
+      ]
+    };
   }
 });
 
 // src/xml/faktura-builder.ts
+function toKodFormularza(formCode) {
+  return {
+    "@_kodSystemowy": formCode.systemCode,
+    "@_wersjaSchemy": formCode.schemaVersion,
+    "#text": formCode.value
+  };
+}
+function isFormCodeShape(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+  const candidate = value;
+  return typeof candidate.systemCode === "string" && typeof candidate.schemaVersion === "string" && typeof candidate.value === "string";
+}
+function isObject2(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function normalizeTopLevelChild(key, value) {
+  if (key === "Naglowek" && isObject2(value)) {
+    return normalizeNaglowek(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => isObject2(item) ? orderXmlObject(item, key) : item);
+  }
+  if (isObject2(value)) return orderXmlObject(value, key);
+  return value;
+}
+function normalizeNaglowek(value) {
+  const result = {};
+  for (const [key, item] of Object.entries(value)) {
+    if (item === void 0) continue;
+    if (key === "KodFormularza" && isFormCodeShape(item)) {
+      result[key] = toKodFormularza(item);
+      continue;
+    }
+    if (Array.isArray(item)) {
+      result[key] = item.map(
+        (entry) => isObject2(entry) ? orderXmlObject(entry, key) : entry
+      );
+      continue;
+    }
+    if (isObject2(item)) {
+      result[key] = orderXmlObject(item, key);
+      continue;
+    }
+    result[key] = item;
+  }
+  return result;
+}
+function normalizeTopLevel(input) {
+  const result = {};
+  for (const [key, value] of Object.entries(input)) {
+    if (value === void 0) continue;
+    result[key] = normalizeTopLevelChild(key, value);
+  }
+  return result;
+}
+function buildFakturaXml(faktura, options = {}) {
+  const schema = options.schema ?? "FA3";
+  const fakturaNamespace = options.fakturaNamespace ?? FAKTURA_NAMESPACE[schema];
+  const etdNamespace = options.etdNamespace ?? ETD_NAMESPACE[schema];
+  const normalized = normalizeTopLevel(faktura);
+  const ordered = orderXmlObject(normalized, "Faktura");
+  const document = {
+    Faktura: {
+      ...ordered,
+      "@_xmlns": fakturaNamespace,
+      "@_xmlns:etd": etdNamespace
+    }
+  };
+  return buildXmlFromObject(document, { pretty: options.pretty });
+}
+function isFakturaInput(input) {
+  if (!isObject2(input)) return false;
+  const candidate = input;
+  if (!Object.prototype.hasOwnProperty.call(candidate, "Naglowek")) return false;
+  if (!Object.prototype.hasOwnProperty.call(candidate, "Fa")) return false;
+  return isObject2(candidate.Naglowek) && isObject2(candidate.Fa);
+}
+var FAKTURA_NAMESPACE, ETD_NAMESPACE;
 var init_faktura_builder = __esm({
   "src/xml/faktura-builder.ts"() {
     "use strict";
     init_xml_engine();
     init_order_map();
+    FAKTURA_NAMESPACE = {
+      FA2: "http://crd.gov.pl/wzor/2023/06/29/12648/",
+      FA3: "http://crd.gov.pl/wzor/2025/06/25/13775/"
+    };
+    ETD_NAMESPACE = {
+      FA2: "http://crd.gov.pl/xml/schematy/2020/10/08/eDokumenty",
+      FA3: "http://crd.gov.pl/xml/schematy/dziedzinowe/mf/2022/01/05/eD/DefinicjeTypy/"
+    };
   }
 });
 
 // src/xml/pef-builder.ts
+function isPefUblDocumentInput(input) {
+  if (typeof input !== "object" || input === null || Array.isArray(input)) return false;
+  const obj = input;
+  const invoice3 = obj.Invoice;
+  const creditNote = obj.CreditNote;
+  const hasInvoice = typeof invoice3 === "object" && invoice3 !== null && !Array.isArray(invoice3);
+  const hasCreditNote = typeof creditNote === "object" && creditNote !== null && !Array.isArray(creditNote);
+  return hasInvoice !== hasCreditNote;
+}
+function inferSchema(input) {
+  return "Invoice" in input ? "PEF" : "PEF_KOR";
+}
+function isNonArrayObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function assertPefShape(input) {
+  if (!isNonArrayObject(input)) {
+    throw new KSeFValidationError("PEF input must be a non-array object.");
+  }
+  const hasInvoiceKey = "Invoice" in input;
+  const hasCreditNoteKey = "CreditNote" in input;
+  if (hasInvoiceKey && hasCreditNoteKey) {
+    throw new KSeFValidationError(
+      "PEF input must contain exactly one of `Invoice` or `CreditNote`, not both."
+    );
+  }
+  if (!hasInvoiceKey && !hasCreditNoteKey) {
+    throw new KSeFValidationError(
+      "PEF input must contain either an `Invoice` or a `CreditNote` root element."
+    );
+  }
+  const rootKey = hasInvoiceKey ? "Invoice" : "CreditNote";
+  if (!isNonArrayObject(input[rootKey])) {
+    throw new KSeFValidationError(
+      `PEF \`${rootKey}\` value must be a non-array object.`
+    );
+  }
+}
+function buildPefXml(input, options = {}) {
+  assertPefShape(input);
+  const inferred = inferSchema(input);
+  const schema = options.schema ?? input.schema ?? inferred;
+  if (schema !== inferred) {
+    throw new KSeFValidationError(
+      `PEF schema mismatch: expected ${inferred} based on root element, got ${schema}.`
+    );
+  }
+  const commonNamespaces = {
+    "@_xmlns:ext": UBL_EXT_NS,
+    "@_xmlns:cbc": UBL_CBC_NS,
+    "@_xmlns:cac": UBL_CAC_NS,
+    "@_xmlns:cbc-pl": UBL_CBC_PL_NS,
+    "@_xmlns:cac-pl": UBL_CAC_PL_NS
+  };
+  const document = "Invoice" in input ? {
+    Invoice: {
+      ...input.Invoice,
+      "@_xmlns": PEF_NAMESPACE.PEF,
+      ...commonNamespaces
+    }
+  } : {
+    CreditNote: {
+      ...input.CreditNote,
+      "@_xmlns": PEF_NAMESPACE.PEF_KOR,
+      ...commonNamespaces
+    }
+  };
+  return buildXmlFromObject(document, { pretty: options.pretty });
+}
+var PEF_NAMESPACE, UBL_EXT_NS, UBL_CBC_NS, UBL_CAC_NS, UBL_CBC_PL_NS, UBL_CAC_PL_NS;
 var init_pef_builder = __esm({
   "src/xml/pef-builder.ts"() {
     "use strict";
     init_ksef_validation_error();
     init_xml_engine();
+    PEF_NAMESPACE = {
+      PEF: "urn:oasis:names:specification:ubl:schema:xsd:Invoice-2",
+      PEF_KOR: "urn:oasis:names:specification:ubl:schema:xsd:CreditNote-2"
+    };
+    UBL_EXT_NS = "urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2";
+    UBL_CBC_NS = "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2";
+    UBL_CAC_NS = "urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2";
+    UBL_CBC_PL_NS = "urn:pl:extended:CommonBasicComponents-2";
+    UBL_CAC_PL_NS = "urn:pl:extended:CommonAggregateComponents-2";
   }
 });
 
 // src/xml/invoice-serializer.ts
+function isNonArrayObject2(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function classifyUnknownObject(input) {
+  const looksLikeFaktura = "Naglowek" in input || "Fa" in input || "Podmiot1" in input || "Podmiot2" in input;
+  const hasInvoice = "Invoice" in input;
+  const hasCreditNote = "CreditNote" in input;
+  if (hasInvoice && hasCreditNote) {
+    return new KSeFValidationError(
+      "Input must contain exactly one of `Invoice` or `CreditNote`, not both."
+    );
+  }
+  if (hasInvoice !== hasCreditNote) {
+    const rootKey = hasInvoice ? "Invoice" : "CreditNote";
+    if (!isNonArrayObject2(input[rootKey])) {
+      return KSeFValidationError.fromField(
+        rootKey,
+        `PEF \`${rootKey}\` value must be a non-array object.`
+      );
+    }
+  }
+  if (looksLikeFaktura) {
+    const missing = [];
+    if (!("Naglowek" in input)) missing.push("Naglowek");
+    if (!("Fa" in input)) missing.push("Fa");
+    if (missing.length > 0) {
+      return KSeFValidationError.fromField(
+        missing[0],
+        `Faktura input is missing required top-level key(s): ${missing.join(", ")}.`
+      );
+    }
+    for (const key of ["Naglowek", "Fa"]) {
+      if (!isNonArrayObject2(input[key])) {
+        return KSeFValidationError.fromField(
+          key,
+          `Faktura \`${key}\` value must be a non-null, non-array object.`
+        );
+      }
+    }
+    return new KSeFValidationError(
+      "Faktura-like input failed shape validation: `Naglowek` and `Fa` must be own enumerable properties on the input object."
+    );
+  }
+  return new KSeFValidationError(
+    "Unsupported invoice input shape: expected `FakturaInput` (with `Naglowek` + `Fa`) or `PefUblDocumentInput` (with `Invoice` or `CreditNote`)."
+  );
+}
+function serializeInvoiceXml(input, options) {
+  if (Buffer.isBuffer(input)) return input;
+  if (typeof input === "string") {
+    return Buffer.from(stripBom(input), "utf8");
+  }
+  if (Array.isArray(input)) {
+    return Buffer.from(stripBom(buildXml(input)), "utf8");
+  }
+  if (input && typeof input === "object") {
+    const schema = options?.schema;
+    if (isPefUblDocumentInput(input)) {
+      if (schema && !PEF_SCHEMAS.has(schema)) {
+        throw new KSeFValidationError(
+          `schema option ${schema} is not compatible with a PEF / PEF_KOR input.`
+        );
+      }
+      const pefSchema = schema === "PEF" || schema === "PEF_KOR" ? schema : void 0;
+      const xml = buildPefXml(input, {
+        schema: pefSchema,
+        pretty: options?.pretty
+      });
+      return Buffer.from(stripBom(xml), "utf8");
+    }
+    if (isFakturaInput(input)) {
+      if (schema && !FAKTURA_SCHEMAS.has(schema)) {
+        throw new KSeFValidationError(
+          `schema option ${schema} is not compatible with a Faktura input.`
+        );
+      }
+      const fakturaSchema = schema === "FA2" || schema === "FA3" ? schema : void 0;
+      const xml = buildFakturaXml(input, {
+        schema: fakturaSchema,
+        fakturaNamespace: options?.fakturaNamespace,
+        etdNamespace: options?.etdNamespace,
+        pretty: options?.pretty
+      });
+      return Buffer.from(stripBom(xml), "utf8");
+    }
+    throw classifyUnknownObject(input);
+  }
+  throw new KSeFValidationError(
+    "Unsupported invoice input type: expected Buffer, string, XmlDocument, FakturaInput, or PefUblDocumentInput."
+  );
+}
+var FAKTURA_SCHEMAS, PEF_SCHEMAS;
 var init_invoice_serializer = __esm({
   "src/xml/invoice-serializer.ts"() {
     "use strict";
@@ -3717,6 +4484,8 @@ var init_invoice_serializer = __esm({
     init_faktura_builder();
     init_pef_builder();
     init_xml_engine();
+    FAKTURA_SCHEMAS = /* @__PURE__ */ new Set(["FA2", "FA3"]);
+    PEF_SCHEMAS = /* @__PURE__ */ new Set(["PEF", "PEF_KOR"]);
   }
 });
 
@@ -5581,11 +6350,11 @@ async function validateSchema(xml, options, _parsed) {
   const prefix = rootElement ? `/${rootElement}/` : "/";
   const validationErrors = result.error.issues.map((issue) => {
     const zodPath = issue.path.join("/");
-    const path10 = zodPath ? `${prefix}${zodPath}` : rootElement ? `/${rootElement}` : void 0;
+    const path12 = zodPath ? `${prefix}${zodPath}` : rootElement ? `/${rootElement}` : void 0;
     return {
       code: mapZodErrorCode(issue),
       message: issue.message,
-      path: path10
+      path: path12
     };
   });
   return { valid: false, schemaType, errors: validationErrors };
@@ -5625,9 +6394,9 @@ function validateBusinessRules(xml, _parsed) {
   collectDateErrors(object, rootElement, errors);
   return { valid: errors.length === 0, schemaType, errors };
 }
-function collectNipPeselErrors(obj, path10, errors) {
+function collectNipPeselErrors(obj, path12, errors) {
   for (const [key, value] of Object.entries(obj)) {
-    const currentPath = path10 ? `${path10}/${key}` : key;
+    const currentPath = path12 ? `${path12}/${key}` : key;
     if (key === "NIP" && typeof value === "string") {
       if (!isValidNip(value)) {
         errors.push({
@@ -5714,7 +6483,7 @@ var init_invoice_validator = __esm({
 });
 
 // src/builders/batch-file.ts
-import * as crypto6 from "crypto";
+import * as crypto6 from "node:crypto";
 function splitBuffer(data, maxPartSize) {
   if (data.length <= maxPartSize) {
     return [data];
@@ -6043,18 +6812,18 @@ var init_batch_session_workflow = __esm({
 });
 
 // src/cli/index.ts
-import { readFileSync as readFileSync9 } from "fs";
-import { fileURLToPath } from "url";
-import { dirname as dirname2, resolve } from "path";
-import { defineCommand as defineCommand18, runMain } from "citty";
+import { readFileSync as readFileSync11 } from "node:fs";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+import { dirname as dirname3, resolve } from "node:path";
+import { defineCommand as defineCommand19, runMain } from "citty";
 
 // src/cli/commands/config.ts
 import { defineCommand } from "citty";
 
 // src/cli/config-store.ts
-import * as fs from "fs";
-import * as path from "path";
-import * as os from "os";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import * as os from "node:os";
 
 // src/cli/types.ts
 var ENV_MAP = {
@@ -6133,9 +6902,9 @@ function outputWarning(msg) {
 }
 
 // src/cli/session-store.ts
-import * as fs2 from "fs";
-import * as path2 from "path";
-import * as os2 from "os";
+import * as fs2 from "node:fs";
+import * as path2 from "node:path";
+import * as os2 from "node:os";
 var SESSION_DIR = path2.join(os2.homedir(), ".ksef");
 var SESSION_FILE = path2.join(SESSION_DIR, "session.json");
 function loadSession() {
@@ -6306,7 +7075,13 @@ async function withErrorHandler(fn, opts) {
     await fn();
   } catch (error) {
     renderCliError(error, opts);
-    process.exit(1);
+    let code = 1;
+    try {
+      code = opts?.exitCode?.(error) ?? 1;
+    } catch {
+      code = 1;
+    }
+    process.exit(code);
   }
 }
 
@@ -6384,21 +7159,21 @@ var configCommand = defineCommand({
 });
 
 // src/cli/commands/auth.ts
-import * as fs5 from "fs";
+import * as fs5 from "node:fs";
 import { defineCommand as defineCommand2 } from "citty";
-import { consola as consola6 } from "consola";
+import { consola as consola7 } from "consola";
 
 // src/cli/client-factory.ts
 init_client();
-import { consola as consola5 } from "consola";
+import { consola as consola6 } from "consola";
 
 // src/cli/session-recovery.ts
-import { consola as consola4 } from "consola";
+import { consola as consola5 } from "consola";
 
 // src/cli/credentials-store.ts
-import * as fs3 from "fs";
-import * as path3 from "path";
-import * as os3 from "os";
+import * as fs3 from "node:fs";
+import * as path3 from "node:path";
+import * as os3 from "node:os";
 var CREDENTIALS_DIR = path3.join(os3.homedir(), ".ksef");
 var CREDENTIALS_FILE = path3.join(CREDENTIALS_DIR, "credentials.json");
 function loadCredentials() {
@@ -6460,7 +7235,7 @@ async function recoverSession(globalOpts) {
   const session = loadSession();
   if (session && isSessionExpired(session) && session.refreshToken) {
     try {
-      consola4.info("Session expired, refreshing token...");
+      consola5.info("Session expired, refreshing token...");
       const opts = globalOpts.env ? globalOpts : { ...globalOpts, env: session.environment };
       const client = createClient(opts);
       client.authManager.setAccessToken(session.accessToken);
@@ -6477,7 +7252,7 @@ async function recoverSession(globalOpts) {
   const credentials = loadCredentials();
   const config = loadConfig();
   if (credentials?.token && config.nip) {
-    consola4.info("Logging in with stored credentials...");
+    consola5.info("Logging in with stored credentials...");
     const env = globalOpts.env ?? session?.environment ?? config.environment;
     const opts = { ...globalOpts, env };
     const client = createClient(opts);
@@ -6509,7 +7284,7 @@ async function recoverSession(globalOpts) {
 // src/cli/client-factory.ts
 function createClient(globalOpts) {
   if (globalOpts.verbose) {
-    consola5.level = 4;
+    consola6.level = 4;
   }
   const config = loadConfig();
   const env = globalOpts.env ?? config.environment;
@@ -6522,7 +7297,7 @@ function createClient(globalOpts) {
 }
 async function requireSession(globalOpts) {
   if (globalOpts.verbose) {
-    consola5.level = 4;
+    consola6.level = 4;
   }
   const session = loadSession();
   if (session && !isSessionExpired(session)) {
@@ -6538,9 +7313,9 @@ async function requireSession(globalOpts) {
 }
 
 // src/cli/pending-challenge-store.ts
-import * as fs4 from "fs";
-import * as path4 from "path";
-import * as os4 from "os";
+import * as fs4 from "node:fs";
+import * as path4 from "node:path";
+import * as os4 from "node:os";
 var PENDING_CHALLENGE_FILE = path4.join(os4.homedir(), ".ksef", "pending-challenge.json");
 function savePendingChallenge(data) {
   const dir = path4.dirname(PENDING_CHALLENGE_FILE);
@@ -6613,7 +7388,7 @@ var login = defineCommand2({
       const globalOpts = getGlobalOpts(args);
       const config = loadConfig();
       if (!args.env) {
-        consola6.info(`Using default environment: ${config.environment}`);
+        consola7.info(`Using default environment: ${config.environment}`);
       }
       const client = createClient(globalOpts);
       const nip = args.nip ?? config.nip;
@@ -6625,13 +7400,13 @@ var login = defineCommand2({
       if (token) {
         loginResult = await client.loginWithToken(token, nip);
       } else if (args.p12) {
-        const fs15 = await import("fs");
-        const p12Buffer = fs15.readFileSync(args.p12);
+        const fs17 = await import("node:fs");
+        const p12Buffer = fs17.readFileSync(args.p12);
         loginResult = await client.loginWithPkcs12(p12Buffer, args["p12-password"] ?? "", nip);
       } else if (args.cert && args.key) {
-        const fs15 = await import("fs");
-        const certPem = fs15.readFileSync(args.cert, "utf-8");
-        const keyPem = fs15.readFileSync(args.key, "utf-8");
+        const fs17 = await import("node:fs");
+        const certPem = fs17.readFileSync(args.cert, "utf-8");
+        const keyPem = fs17.readFileSync(args.key, "utf-8");
         loginResult = await client.loginWithCertificate(certPem, keyPem, nip, args["key-password"]);
       } else {
         throw new Error("Provide --token, --p12, or both --cert and --key for authentication.");
@@ -6664,7 +7439,7 @@ var login = defineCommand2({
       if (args.json) {
         console.log(JSON.stringify({ status: "ok", clientIp: loginResult.clientIp }, null, 2));
       } else {
-        consola6.info(`Seen client IP: ${loginResult.clientIp}`);
+        consola7.info(`Seen client IP: ${loginResult.clientIp}`);
         outputSuccess("Logged in successfully.");
       }
     }, { json: Boolean(args.json) });
@@ -6850,7 +7625,7 @@ var whoami = defineCommand2({
         }
       }
       if (restored) {
-        consola6.info("Session restored from stored credentials.");
+        consola7.info("Session restored from stored credentials.");
       }
       const context2 = parseKSeFTokenContext(session.accessToken);
       const info = {
@@ -6980,9 +7755,9 @@ var authCommand = defineCommand2({
 });
 
 // src/cli/commands/session.ts
-import * as fs6 from "fs";
+import * as fs6 from "node:fs";
 import { defineCommand as defineCommand3 } from "citty";
-import { consola as consola7 } from "consola";
+import { consola as consola8 } from "consola";
 init_document_structures();
 init_xml();
 function getGlobalOpts2(args) {
@@ -7028,7 +7803,7 @@ var open = defineCommand3({
       if (args.batch) {
         throw new Error("Batch session open is used internally by `ksef invoice send <dir>`. Use `ksef session open` for online sessions.");
       }
-      if (!args.json) consola7.start("Opening online session...");
+      if (!args.json) consola8.start("Opening online session...");
       const result = await client.onlineSession.openSession(
         { formCode, encryption: encryptionData.encryptionInfo }
       );
@@ -7065,7 +7840,7 @@ var close = defineCommand3({
       if (!ref) {
         throw new Error("No session reference. Provide a ref or run `ksef session open` first.");
       }
-      if (!args.json) consola7.start("Closing session...");
+      if (!args.json) consola8.start("Closing session...");
       await client.onlineSession.closeSession(ref);
       clearOnlineSessionRef();
       outputSuccess(`Session ${ref} closed.`);
@@ -7153,7 +7928,7 @@ var list = defineCommand3({
         { json: false }
       );
       if (result.continuationToken) {
-        consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
+        consola8.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
     }, { json: Boolean(args.json) });
   }
@@ -7204,7 +7979,7 @@ var invoices = defineCommand3({
         { json: false }
       );
       if (result.continuationToken) {
-        consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
+        consola8.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
     }, { json: Boolean(args.json) });
   }
@@ -7255,7 +8030,7 @@ var failed = defineCommand3({
         { json: false }
       );
       if (result.continuationToken) {
-        consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
+        consola8.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
     }, { json: Boolean(args.json) });
   }
@@ -7354,7 +8129,7 @@ var active = defineCommand3({
         { json: false }
       );
       if (result.continuationToken) {
-        consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
+        consola8.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
     }, { json: Boolean(args.json) });
   }
@@ -7435,21 +8210,21 @@ var sessionCommand = defineCommand3({
 });
 
 // src/cli/commands/invoice.ts
-import * as fs9 from "fs";
-import * as path6 from "path";
-import { Readable } from "stream";
-import { defineCommand as defineCommand5 } from "citty";
-import { consola as consola9 } from "consola";
+import * as fs11 from "node:fs";
+import * as path8 from "node:path";
+import { Readable } from "node:stream";
+import { defineCommand as defineCommand6 } from "citty";
+import { consola as consola11 } from "consola";
 init_document_structures();
 
 // src/cli/commands/export-incremental.ts
-import * as fs8 from "fs";
-import * as path5 from "path";
+import * as fs8 from "node:fs";
+import * as path5 from "node:path";
 import { defineCommand as defineCommand4 } from "citty";
-import { consola as consola8 } from "consola";
+import { consola as consola9 } from "consola";
 
 // src/workflows/hwm-storage.ts
-import * as fs7 from "fs/promises";
+import * as fs7 from "node:fs/promises";
 var FileHwmStore = class {
   constructor(filePath) {
     this.filePath = filePath;
@@ -7475,7 +8250,7 @@ init_zip();
 init_polling();
 
 // src/utils/hash.ts
-import crypto5 from "crypto";
+import crypto5 from "node:crypto";
 function sha256Base64(data) {
   return crypto5.createHash("sha256").update(data).digest("base64");
 }
@@ -7666,9 +8441,9 @@ var exportIncremental = defineCommand4({
         fs8.mkdirSync(outputDir, { recursive: true });
       }
       if (!isJson) {
-        consola8.start(`Incremental export: ${from} \u2192 ${to}, subject: ${subjectType}`);
-        consola8.info(`State file: ${stateFile}`);
-        consola8.info(`Output dir: ${outputDir}`);
+        consola9.start(`Incremental export: ${from} \u2192 ${to}, subject: ${subjectType}`);
+        consola9.info(`State file: ${stateFile}`);
+        consola9.info(`Output dir: ${outputDir}`);
       }
       const iterationParts = [];
       const result = await incrementalExportAndDownload(client, {
@@ -7684,7 +8459,7 @@ var exportIncremental = defineCommand4({
           iterationParts.push({ iteration, partCount: iterResult.parts.length });
           if (!isJson) {
             const hwmDate = continuationPoints[subjectType] ?? "complete";
-            consola8.info(
+            consola9.info(
               `Iteration ${iteration + 1}: ${iterResult.invoiceCount} invoices, truncated: ${iterResult.isTruncated}, HWM: ${hwmDate}`
             );
           }
@@ -7713,13 +8488,619 @@ var exportIncremental = defineCommand4({
         outputSuccess(
           `Export complete: ${result.iterationCount} iterations, ${result.decryptedParts.length} parts downloaded`
         );
-        consola8.info(`Final HWM: ${continuationPoints[subjectType] ?? "complete"}`);
-        consola8.info(`Output: ${outputDir}`);
+        consola9.info(`Final HWM: ${continuationPoints[subjectType] ?? "complete"}`);
+        consola9.info(`Output: ${outputDir}`);
       }
     }, { json: Boolean(args.json) });
   }
 });
 
+// src/cli/commands/invoice-build.ts
+import { defineCommand as defineCommand5 } from "citty";
+import { consola as consola10 } from "consola";
+init_xml();
+init_invoice_validator();
+
+// src/validation/xsd-validator.ts
+import { createRequire } from "node:module";
+import * as fs9 from "node:fs";
+import * as path6 from "node:path";
+import { fileURLToPath, pathToFileURL } from "node:url";
+var cachedPkgRoot = null;
+function locatePackageRoot() {
+  if (cachedPkgRoot !== null) return cachedPkgRoot;
+  let dir = path6.dirname(fileURLToPath(import.meta.url));
+  const root = path6.parse(dir).root;
+  while (dir !== root) {
+    const candidate = path6.join(dir, "docs", "schemas");
+    if (fs9.existsSync(candidate)) {
+      cachedPkgRoot = dir;
+      return dir;
+    }
+    dir = path6.dirname(dir);
+  }
+  throw new Error("Could not locate ksef-client-ts package root (docs/schemas not found).");
+}
+var XSD_RELATIVE = {
+  FA2: ["FA", "schemat_FA(2)_v1-0E.xsd"],
+  FA3: ["FA", "schemat_FA(3)_v1-0E.xsd"],
+  PEF: ["PEF", "Schemat_PEF(3)_v2-1.xsd"],
+  PEF_KOR: ["PEF", "Schemat_PEF_KOR(3)_v2-1.xsd"]
+};
+function resolveXsdFor(schema) {
+  const rel = XSD_RELATIVE[schema];
+  if (!rel) throw new Error(`Unknown invoice schema: ${String(schema)}`);
+  return path6.join(locatePackageRoot(), "docs", "schemas", ...rel);
+}
+var requireModule = createRequire(import.meta.url);
+var libxmljs = null;
+var libxmljsLoadError = null;
+try {
+  libxmljs = requireModule("libxmljs2");
+} catch (err) {
+  const code = err?.code;
+  if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") {
+    libxmljs = null;
+  } else {
+    libxmljs = null;
+    libxmljsLoadError = err instanceof Error ? err : new Error(String(err));
+  }
+}
+var MISSING_LIBXMLJS_MESSAGE_PREFIX = "libxmljs2 is not installed";
+function isMissingLibxmljsError(err) {
+  return err instanceof Error && err.message.startsWith(MISSING_LIBXMLJS_MESSAGE_PREFIX);
+}
+var EXTERNAL_STRUKTURY_DANYCH_URL = /schemaLocation="http:\/\/crd\.gov\.pl\/xml\/schematy\/dziedzinowe\/mf\/2022\/01\/05\/eD\/DefinicjeTypy\/StrukturyDanych_v10-0E\.xsd"/;
+function rewriteSchemaLocations(xsdContent) {
+  if (!EXTERNAL_STRUKTURY_DANYCH_URL.test(xsdContent)) {
+    return xsdContent;
+  }
+  const bazoweStrukturyPath = path6.join(
+    locatePackageRoot(),
+    "docs",
+    "schemas",
+    "FA",
+    "bazowe",
+    "StrukturyDanych_v10-0E.xsd"
+  );
+  const bazoweStrukturyUrl = pathToFileURL(bazoweStrukturyPath).href;
+  const rewritten = xsdContent.replace(
+    EXTERNAL_STRUKTURY_DANYCH_URL,
+    `schemaLocation="${bazoweStrukturyUrl}"`
+  );
+  if (rewritten === xsdContent) {
+    throw new Error(
+      "FA XSD schemaLocation rewrite produced no replacement despite URL being present; regex likely out of sync with docs/schemas/FA/. Re-check after `yarn sync-schemas`."
+    );
+  }
+  return rewritten;
+}
+function validateAgainstXsd(xml, xsdPath) {
+  if (!libxmljs) {
+    const loadSuffix = libxmljsLoadError ? ` (load failed: ${libxmljsLoadError.message})` : "";
+    throw new Error(
+      `${MISSING_LIBXMLJS_MESSAGE_PREFIX}${loadSuffix}; cannot run XSD validation. Install it as an optional peer dependency (e.g. \`yarn add -O libxmljs2\` or \`npm i -O libxmljs2\`).`
+    );
+  }
+  const xsdDir = path6.dirname(xsdPath);
+  const rawXsd = fs9.readFileSync(xsdPath, "utf8");
+  const rewrittenXsd = rewriteSchemaLocations(rawXsd);
+  const baseUrl = pathToFileURL(xsdDir + path6.sep).href;
+  let schemaDoc;
+  try {
+    schemaDoc = libxmljs.parseXml(rewrittenXsd, { baseUrl });
+  } catch (err) {
+    return { valid: false, errors: [`XSD parse failed: ${err.message}`] };
+  }
+  let xmlDoc;
+  try {
+    xmlDoc = libxmljs.parseXml(xml);
+  } catch (err) {
+    return { valid: false, errors: [`XML parse failed: ${err.message}`] };
+  }
+  const valid = xmlDoc.validate(schemaDoc);
+  const errors = valid ? [] : xmlDoc.validationErrors.map((err) => err.message.trim());
+  return { valid, errors };
+}
+
+// src/cli/commands/invoice-build.ts
+init_ksef_validation_error();
+init_ksef_xsd_validation_error();
+
+// src/cli/commands/invoice-build-helpers.ts
+init_ksef_validation_error();
+init_ksef_xsd_validation_error();
+import * as fs10 from "node:fs";
+import * as path7 from "node:path";
+import { parse as parseYaml, YAMLParseError } from "yaml";
+
+// src/cli/commands/invoice-build-templates/fa2.json
+var fa2_default = {
+  Naglowek: {
+    KodFormularza: { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" },
+    WariantFormularza: 2,
+    DataWytworzeniaFa: "2026-04-18T00:00:00Z",
+    SystemInfo: "ksef-client-ts"
+  },
+  Podmiot1: {
+    DaneIdentyfikacyjne: { NIP: "1111111111", Nazwa: "Sample Seller" },
+    Adres: { KodKraju: "PL", AdresL1: "ul. Przykladowa 1", AdresL2: "00-001 Warszawa" }
+  },
+  Podmiot2: {
+    DaneIdentyfikacyjne: { NIP: "2222222222", Nazwa: "Sample Buyer" },
+    Adres: { KodKraju: "PL", AdresL1: "ul. Klientowska 2", AdresL2: "00-002 Warszawa" },
+    DaneKontaktowe: { Email: "buyer@example.com" }
+  },
+  Fa: {
+    KodWaluty: "PLN",
+    P_1: "2026-04-18",
+    P_2: "FA/2026/0001",
+    P_13_1: "100.00",
+    P_14_1: "23.00",
+    P_15: "123.00",
+    Adnotacje: {
+      P_16: "2",
+      P_17: "2",
+      P_18: "2",
+      P_18A: "2",
+      Zwolnienie: { P_19N: "1" },
+      NoweSrodkiTransportu: { P_22N: "1" },
+      P_23: "2",
+      PMarzy: { P_PMarzyN: "1" }
+    },
+    RodzajFaktury: "VAT",
+    FaWiersz: [
+      {
+        NrWierszaFa: 1,
+        P_7: "Sample product",
+        P_8A: "szt.",
+        P_8B: "1.00",
+        P_9A: "100.00",
+        P_11: "100.00",
+        P_12: "23"
+      }
+    ]
+  }
+};
+
+// src/cli/commands/invoice-build-templates/fa3.json
+var fa3_default = {
+  Naglowek: {
+    KodFormularza: { systemCode: "FA (3)", schemaVersion: "1-0E", value: "FA" },
+    WariantFormularza: 3,
+    DataWytworzeniaFa: "2026-04-18T00:00:00Z",
+    SystemInfo: "ksef-client-ts"
+  },
+  Podmiot1: {
+    DaneIdentyfikacyjne: { NIP: "1111111111", Nazwa: "Sample Seller" },
+    Adres: { KodKraju: "PL", AdresL1: "ul. Przykladowa 1", AdresL2: "00-001 Warszawa" },
+    DaneKontaktowe: { Email: "seller@example.com" }
+  },
+  Podmiot2: {
+    DaneIdentyfikacyjne: { NIP: "2222222222", Nazwa: "Sample Buyer" },
+    Adres: { KodKraju: "PL", AdresL1: "ul. Klientowska 2", AdresL2: "00-002 Warszawa" },
+    DaneKontaktowe: { Email: "buyer@example.com" },
+    JST: "2",
+    GV: "2"
+  },
+  Fa: {
+    KodWaluty: "PLN",
+    P_1: "2026-04-18",
+    P_2: "FA/2026/0001",
+    P_13_1: "100.00",
+    P_14_1: "23.00",
+    P_15: "123.00",
+    Adnotacje: {
+      P_16: "2",
+      P_17: "2",
+      P_18: "2",
+      P_18A: "2",
+      Zwolnienie: { P_19N: "1" },
+      NoweSrodkiTransportu: { P_22N: "1" },
+      P_23: "2",
+      PMarzy: { P_PMarzyN: "1" }
+    },
+    RodzajFaktury: "VAT",
+    FaWiersz: [
+      {
+        NrWierszaFa: 1,
+        P_7: "Sample product",
+        P_8A: "szt.",
+        P_8B: "1.00",
+        P_9A: "100.00",
+        P_11: "100.00",
+        P_12: "23"
+      }
+    ]
+  }
+};
+
+// src/cli/commands/invoice-build-templates/pef.json
+var pef_default = {
+  Invoice: {
+    "cbc:CustomizationID": "urn:cen.eu:en16931:2017#compliant#urn:fdc:peppol.eu:2017:poacc:billing:3.0",
+    "cbc:ProfileID": "urn:fdc:peppol.eu:2017:poacc:billing:01:1.0",
+    "cbc:ID": "INV/2026/0001",
+    "cbc:IssueDate": "2026-04-18",
+    "cbc:DueDate": "2026-05-18",
+    "cbc:InvoiceTypeCode": "380",
+    "cbc:DocumentCurrencyCode": "PLN",
+    "cac:AccountingSupplierParty": {
+      "cac:Party": {
+        "cac:PartyName": { "cbc:Name": "Sample Seller" },
+        "cac:PostalAddress": {
+          "cbc:StreetName": "ul. Przykladowa 1",
+          "cbc:CityName": "Warszawa",
+          "cbc:PostalZone": "00-001",
+          "cac:Country": { "cbc:IdentificationCode": "PL" }
+        },
+        "cac:PartyTaxScheme": {
+          "cbc:CompanyID": "PL1111111111",
+          "cac:TaxScheme": { "cbc:ID": "VAT" }
+        },
+        "cac:PartyLegalEntity": {
+          "cbc:RegistrationName": "Sample Seller",
+          "cbc:CompanyID": "1111111111"
+        }
+      }
+    },
+    "cac:AccountingCustomerParty": {
+      "cac:Party": {
+        "cac:PartyName": { "cbc:Name": "Sample Buyer" },
+        "cac:PostalAddress": {
+          "cbc:StreetName": "ul. Klientowska 2",
+          "cbc:CityName": "Warszawa",
+          "cbc:PostalZone": "00-002",
+          "cac:Country": { "cbc:IdentificationCode": "PL" }
+        },
+        "cac:PartyLegalEntity": {
+          "cbc:RegistrationName": "Sample Buyer",
+          "cbc:CompanyID": "2222222222"
+        }
+      }
+    },
+    "cac:TaxTotal": [
+      { "cbc:TaxAmount": { "@_currencyID": "PLN", "#text": "23.00" } }
+    ],
+    "cac:LegalMonetaryTotal": {
+      "cbc:LineExtensionAmount": { "@_currencyID": "PLN", "#text": "100.00" },
+      "cbc:TaxExclusiveAmount": { "@_currencyID": "PLN", "#text": "100.00" },
+      "cbc:TaxInclusiveAmount": { "@_currencyID": "PLN", "#text": "123.00" },
+      "cbc:PayableAmount": { "@_currencyID": "PLN", "#text": "123.00" }
+    },
+    "cac:InvoiceLine": [
+      {
+        "cbc:ID": "1",
+        "cbc:InvoicedQuantity": { "@_unitCode": "C62", "#text": "1" },
+        "cbc:LineExtensionAmount": { "@_currencyID": "PLN", "#text": "100.00" },
+        "cac:Item": { "cbc:Name": "Sample product" },
+        "cac:Price": {
+          "cbc:PriceAmount": { "@_currencyID": "PLN", "#text": "100.00" }
+        }
+      }
+    ]
+  }
+};
+
+// src/cli/commands/invoice-build-templates/pef-kor.json
+var pef_kor_default = {
+  CreditNote: {
+    "cbc:CustomizationID": "urn:cen.eu:en16931:2017#compliant#urn:fdc:peppol.eu:2017:poacc:billing:3.0",
+    "cbc:ProfileID": "urn:fdc:peppol.eu:2017:poacc:billing:01:1.0",
+    "cbc:ID": "COR/2026/0001",
+    "cbc:IssueDate": "2026-04-18",
+    "cbc:CreditNoteTypeCode": "381",
+    "cbc:DocumentCurrencyCode": "PLN",
+    "cac:BillingReference": {
+      "cac:InvoiceDocumentReference": {
+        "cbc:ID": "INV/2026/0001",
+        "cbc:IssueDate": "2026-03-01"
+      }
+    },
+    "cac:AccountingSupplierParty": {
+      "cac:Party": {
+        "cac:PartyName": { "cbc:Name": "Sample Seller" },
+        "cac:PostalAddress": {
+          "cbc:StreetName": "ul. Przykladowa 1",
+          "cbc:CityName": "Warszawa",
+          "cbc:PostalZone": "00-001",
+          "cac:Country": { "cbc:IdentificationCode": "PL" }
+        },
+        "cac:PartyTaxScheme": {
+          "cbc:CompanyID": "PL1111111111",
+          "cac:TaxScheme": { "cbc:ID": "VAT" }
+        },
+        "cac:PartyLegalEntity": {
+          "cbc:RegistrationName": "Sample Seller",
+          "cbc:CompanyID": "1111111111"
+        }
+      }
+    },
+    "cac:AccountingCustomerParty": {
+      "cac:Party": {
+        "cac:PartyName": { "cbc:Name": "Sample Buyer" },
+        "cac:PostalAddress": {
+          "cbc:StreetName": "ul. Klientowska 2",
+          "cbc:CityName": "Warszawa",
+          "cbc:PostalZone": "00-002",
+          "cac:Country": { "cbc:IdentificationCode": "PL" }
+        },
+        "cac:PartyLegalEntity": {
+          "cbc:RegistrationName": "Sample Buyer",
+          "cbc:CompanyID": "2222222222"
+        }
+      }
+    },
+    "cac:TaxTotal": [
+      { "cbc:TaxAmount": { "@_currencyID": "PLN", "#text": "-23.00" } }
+    ],
+    "cac:LegalMonetaryTotal": {
+      "cbc:LineExtensionAmount": { "@_currencyID": "PLN", "#text": "-100.00" },
+      "cbc:TaxExclusiveAmount": { "@_currencyID": "PLN", "#text": "-100.00" },
+      "cbc:TaxInclusiveAmount": { "@_currencyID": "PLN", "#text": "-123.00" },
+      "cbc:PayableAmount": { "@_currencyID": "PLN", "#text": "-123.00" }
+    },
+    "cac:CreditNoteLine": [
+      {
+        "cbc:ID": "1",
+        "cbc:CreditedQuantity": { "@_unitCode": "C62", "#text": "1" },
+        "cbc:LineExtensionAmount": { "@_currencyID": "PLN", "#text": "-100.00" },
+        "cac:Item": { "cbc:Name": "Sample product (corrected)" },
+        "cac:Price": {
+          "cbc:PriceAmount": { "@_currencyID": "PLN", "#text": "100.00" }
+        }
+      }
+    ]
+  }
+};
+
+// src/cli/commands/invoice-build-helpers.ts
+var VALID_SCHEMAS = ["FA2", "FA3", "PEF", "PEF_KOR"];
+var VALID_FORMATS = ["auto", "json", "yaml"];
+var TEMPLATES = {
+  FA2: fa2_default,
+  FA3: fa3_default,
+  PEF: pef_default,
+  PEF_KOR: pef_kor_default
+};
+async function readInput(input, format) {
+  const raw = input === "-" ? await readStdin2() : fs10.readFileSync(input, "utf-8");
+  const resolvedFormat = format === "auto" ? inferFormatFromPath(input) : format;
+  return { raw, format: resolvedFormat };
+}
+async function readStdin2() {
+  const chunks = [];
+  for await (const chunk of process.stdin) chunks.push(chunk);
+  return Buffer.concat(chunks).toString("utf-8");
+}
+function inferFormatFromPath(input) {
+  if (input === "-") return "json";
+  const ext = path7.extname(input).toLowerCase();
+  if (ext === ".yml" || ext === ".yaml") return "yaml";
+  return "json";
+}
+function parseInput(raw, format) {
+  if (format === "yaml") return parseYaml(raw);
+  return JSON.parse(raw);
+}
+function inferSchema2(parsed) {
+  if (typeof parsed !== "object" || parsed === null) return "FA3";
+  const obj = parsed;
+  if ("Invoice" in obj) return "PEF";
+  if ("CreditNote" in obj) return "PEF_KOR";
+  const naglowek = obj.Naglowek;
+  if (typeof naglowek === "object" && naglowek !== null) {
+    const formCode = naglowek.KodFormularza;
+    if (typeof formCode === "object" && formCode !== null) {
+      const systemCode = formCode.systemCode;
+      if (systemCode === "FA (2)") return "FA2";
+    }
+  }
+  return "FA3";
+}
+function writeOutput(xml, output) {
+  if (!output || output === "-") {
+    process.stdout.write(xml);
+    return;
+  }
+  fs10.writeFileSync(output, xml);
+}
+function emitTemplate(schema) {
+  const id = schema.toUpperCase();
+  const template = TEMPLATES[id];
+  if (!template) {
+    throw KSeFValidationError.fromField(
+      "template",
+      `Template must be one of: ${VALID_SCHEMAS.join(", ")}.`
+    );
+  }
+  process.stdout.write(JSON.stringify(template, null, 2) + "\n");
+}
+function buildDrySummary(parsed, schema) {
+  if (typeof parsed !== "object" || parsed === null) {
+    return { schema, sections: [] };
+  }
+  const obj = parsed;
+  const sections = Object.keys(obj);
+  const summary = { schema, sections };
+  if (schema === "FA2" || schema === "FA3") {
+    const fa = obj.Fa;
+    if (typeof fa === "object" && fa !== null) {
+      const p2 = fa.P_2;
+      if (typeof p2 === "string" || typeof p2 === "number") {
+        summary.invoiceNumber = String(p2);
+      }
+      const wiersz = fa.FaWiersz;
+      if (Array.isArray(wiersz)) summary.lineCount = wiersz.length;
+      else if (typeof wiersz === "object" && wiersz !== null) summary.lineCount = 1;
+    }
+  } else {
+    const root = schema === "PEF" ? obj.Invoice : obj.CreditNote;
+    if (root) {
+      const id = root["cbc:ID"];
+      if (typeof id === "string" || typeof id === "number") {
+        summary.invoiceNumber = String(id);
+      }
+      const lines = schema === "PEF" ? root["cac:InvoiceLine"] : root["cac:CreditNoteLine"];
+      if (Array.isArray(lines)) summary.lineCount = lines.length;
+      else if (typeof lines === "object" && lines !== null) summary.lineCount = 1;
+    }
+  }
+  return summary;
+}
+function mapBuildExitCode(error) {
+  if (error instanceof SyntaxError) return 2;
+  if (error instanceof YAMLParseError) return 2;
+  if (error instanceof KSeFXsdValidationError) return 4;
+  if (isMissingLibxmljsError(error)) return 4;
+  if (error instanceof KSeFValidationError) return 3;
+  if (typeof error === "object" && error !== null && "code" in error) {
+    const code = error.code;
+    if (typeof code === "string" && IO_ERRNO_CODES.has(code)) {
+      return 5;
+    }
+  }
+  return void 0;
+}
+var IO_ERRNO_CODES = /* @__PURE__ */ new Set([
+  "ENOENT",
+  "EACCES",
+  "EPERM",
+  "EISDIR",
+  "ENOTDIR",
+  "ENOSPC",
+  "EROFS",
+  "EMFILE",
+  "ENFILE",
+  "EIO",
+  "EDQUOT",
+  "EBADF",
+  "EEXIST",
+  "ENAMETOOLONG",
+  "ELOOP",
+  "ETXTBSY"
+]);
+
+// src/cli/commands/invoice-build.ts
+var invoiceBuild = defineCommand5({
+  meta: {
+    name: "build",
+    description: "Build invoice XML from structured JSON/YAML input"
+  },
+  args: {
+    input: {
+      type: "positional",
+      required: false,
+      description: 'Input file path, or "-" to read from stdin'
+    },
+    schema: {
+      type: "string",
+      description: "Explicit schema: FA2|FA3|PEF|PEF_KOR (default: inferred from input)"
+    },
+    output: {
+      type: "string",
+      alias: "o",
+      description: 'Output file path; omit or "-" for stdout'
+    },
+    pretty: {
+      type: "boolean",
+      description: "Pretty-print XML with 2-space indentation"
+    },
+    validate: {
+      type: "boolean",
+      description: "Run schema validation on the serialized XML"
+    },
+    "validate-xsd": {
+      type: "boolean",
+      description: "Run XSD validation on the serialized XML (requires libxmljs2)"
+    },
+    "dry-run": {
+      type: "boolean",
+      description: "Parse and summarise input; do not emit XML"
+    },
+    format: {
+      type: "string",
+      description: "Input format: json|yaml (default: infer from file extension)"
+    },
+    template: {
+      type: "string",
+      description: "Print a skeleton JSON for FA2|FA3|PEF|PEF_KOR and exit"
+    },
+    json: {
+      type: "boolean",
+      description: "Machine-readable output (for --dry-run / error messages)"
+    }
+  },
+  async run({ args }) {
+    await withErrorHandler(
+      async () => {
+        if (args.template) {
+          emitTemplate(args.template);
+          return;
+        }
+        if (!args.input) {
+          throw new Error(
+            'Input file required. Provide a path or use "-" to read from stdin.'
+          );
+        }
+        const formatRaw = args.format;
+        if (formatRaw && !VALID_FORMATS.includes(formatRaw)) {
+          throw KSeFValidationError.fromField(
+            "format",
+            `Format must be one of: ${VALID_FORMATS.join(", ")}.`
+          );
+        }
+        const formatOption = formatRaw ?? "auto";
+        const { raw, format } = await readInput(args.input, formatOption);
+        const parsed = parseInput(raw, format);
+        const explicitSchemaRaw = args.schema;
+        if (explicitSchemaRaw && !VALID_SCHEMAS.includes(explicitSchemaRaw)) {
+          throw KSeFValidationError.fromField(
+            "schema",
+            `Schema must be one of: ${VALID_SCHEMAS.join(", ")}.`
+          );
+        }
+        const explicitSchema = explicitSchemaRaw;
+        const schema = explicitSchema ?? inferSchema2(parsed);
+        if (args["dry-run"]) {
+          const summary = buildDrySummary(parsed, schema);
+          if (args.json) {
+            outputResult(summary, { json: true });
+          } else {
+            consola10.info(`Schema:      ${summary.schema}${explicitSchema ? "" : " (inferred)"}`);
+            consola10.info(`Invoice #:   ${summary.invoiceNumber ?? "(not set)"}`);
+            consola10.info(`Sections:    ${summary.sections.join(", ")}`);
+            if (summary.lineCount !== void 0) {
+              consola10.info(`Line count:  ${summary.lineCount}`);
+            }
+          }
+          return;
+        }
+        const xml = serializeInvoiceXml(parsed, {
+          schema,
+          pretty: Boolean(args.pretty)
+        });
+        const xmlStr = args.validate || args["validate-xsd"] ? xml.toString("utf-8") : "";
+        if (args.validate) {
+          const result = await validate(xmlStr);
+          if (!result.valid) {
+            throw KSeFValidationError.fromMessages(result.errors.map((e) => e.message));
+          }
+        }
+        if (args["validate-xsd"]) {
+          const xsdPath = resolveXsdFor(schema);
+          const xsdResult = validateAgainstXsd(xmlStr, xsdPath);
+          if (!xsdResult.valid) {
+            throw new KSeFXsdValidationError(xsdPath, xsdResult.errors);
+          }
+        }
+        writeOutput(xml, args.output);
+      },
+      { json: Boolean(args.json), exitCode: mapBuildExitCode }
+    );
+  }
+});
+
 // src/cli/commands/invoice.ts
 init_invoice_validator();
 init_ksef_validation_error();
@@ -7777,7 +9158,7 @@ var QUERY_FILTER_ARGS = {
   amountType: { type: "string", description: "Amount type: Brutto|Netto|Vat (default: Brutto)" },
   currency: { type: "string", description: "Currency code (e.g. PLN, EUR)" }
 };
-var send = defineCommand5({
+var send = defineCommand6({
   meta: { name: "send", description: "Send invoice(s) \u2014 single XML file or directory for batch" },
   args: {
     path: { type: "positional", description: "Path to XML file, directory of XMLs, or ZIP for batch", required: true },
@@ -7812,13 +9193,13 @@ var send = defineCommand5({
         }
         formCode = resolved;
       }
-      if (!fs9.existsSync(filePath)) {
+      if (!fs11.existsSync(filePath)) {
         throw new Error(`Path not found: ${filePath}`);
       }
-      const stat = fs9.statSync(filePath);
+      const stat = fs11.statSync(filePath);
       if (args.stream) {
         if (args.validate) {
-          consola9.warn("--validate is not supported in stream mode. Run `ksef invoice validate <path>` before sending, or remove --stream.");
+          consola11.warn("--validate is not supported in stream mode. Run `ksef invoice validate <path>` before sending, or remove --stream.");
         }
         if (!filePath.endsWith(".zip") || stat.isDirectory()) {
           throw new Error("--stream requires a .zip file path.");
@@ -7831,8 +9212,8 @@ var send = defineCommand5({
         }
         const { uploadBatchStream: uploadBatchStream2 } = await Promise.resolve().then(() => (init_batch_session_workflow(), batch_session_workflow_exports));
         const zipSize = stat.size;
-        const zipStreamFactory = () => Readable.toWeb(fs9.createReadStream(filePath));
-        if (!args.json) consola9.start(`Sending batch via stream (${(zipSize / 1e6).toFixed(1)} MB)...`);
+        const zipStreamFactory = () => Readable.toWeb(fs11.createReadStream(filePath));
+        if (!args.json) consola11.start(`Sending batch via stream (${(zipSize / 1e6).toFixed(1)} MB)...`);
         const result = await uploadBatchStream2(client, zipStreamFactory, zipSize, {
           formCode,
           pollOptions: { intervalMs: 3e3 },
@@ -7846,7 +9227,7 @@ var send = defineCommand5({
         return;
       }
       if (stat.isDirectory()) {
-        const xmlFiles = fs9.readdirSync(filePath).filter((f) => f.endsWith(".xml")).map((f) => path6.join(filePath, f));
+        const xmlFiles = fs11.readdirSync(filePath).filter((f) => f.endsWith(".xml")).map((f) => path8.join(filePath, f));
         if (xmlFiles.length === 0) {
           throw new Error(`No XML files found in ${filePath}`);
         }
@@ -7856,14 +9237,14 @@ var send = defineCommand5({
         if (!validateFormCodeForSession(formCode, "batch")) {
           throw new Error(`Document type "${formCode.systemCode}" is not supported in batch sessions. PEF/PEF_KOR require online sessions.`);
         }
-        const fileBuffers = xmlFiles.map((file) => ({ file, content: fs9.readFileSync(file) }));
+        const fileBuffers = xmlFiles.map((file) => ({ file, content: fs11.readFileSync(file) }));
         if (args.validate) {
           const { validateBatch: validateBatch2, batchValidationDetails: batchValidationDetails2 } = await Promise.resolve().then(() => (init_invoice_validator(), invoice_validator_exports));
           const invoicesToValidate = fileBuffers.map(({ file, content }) => ({
-            fileName: path6.basename(file),
+            fileName: path8.basename(file),
             xml: content.toString("utf-8")
           }));
-          if (!args.json) consola9.start(`Validating ${invoicesToValidate.length} invoices...`);
+          if (!args.json) consola11.start(`Validating ${invoicesToValidate.length} invoices...`);
           const batchResult = await validateBatch2(invoicesToValidate);
           if (!batchResult.valid) {
             const invalidCount = batchResult.results.filter((r) => !r.result.valid).length;
@@ -7872,9 +9253,9 @@ var send = defineCommand5({
               batchValidationDetails2(batchResult)
             );
           }
-          if (!args.json) consola9.success(`All ${xmlFiles.length} invoices valid.`);
+          if (!args.json) consola11.success(`All ${xmlFiles.length} invoices valid.`);
         }
-        if (!args.json) consola9.start(`Sending ${xmlFiles.length} invoices via batch session...`);
+        if (!args.json) consola11.start(`Sending ${xmlFiles.length} invoices via batch session...`);
         await client.crypto.init();
         const encryptionData = client.crypto.getEncryptionData();
         const parts = fileBuffers.map(({ content }, i) => {
@@ -7913,7 +9294,7 @@ var send = defineCommand5({
         if (!ref) {
           throw new Error("No active online session. Run `ksef session open` or provide --session-ref.");
         }
-        const xmlContent = fs9.readFileSync(filePath);
+        const xmlContent = fs11.readFileSync(filePath);
         if (args.validate) {
           const xmlStr = xmlContent.toString("utf-8");
           const validationResult = await validate(xmlStr);
@@ -7923,9 +9304,9 @@ var send = defineCommand5({
               validationResult.errors.map((e) => ({ field: e.path, message: e.message }))
             );
           }
-          if (!args.json) consola9.success("Validation passed.");
+          if (!args.json) consola11.success("Validation passed.");
         }
-        if (!args.json) consola9.start("Sending invoice...");
+        if (!args.json) consola11.start("Sending invoice...");
         await client.crypto.init();
         const storedEnc = loadEncryptionData();
         if (!storedEnc) {
@@ -7951,7 +9332,7 @@ var send = defineCommand5({
     }, { json: Boolean(args.json) });
   }
 });
-var get = defineCommand5({
+var get = defineCommand6({
   meta: { name: "get", description: "Download invoice by KSeF number" },
   args: {
     ksefNumber: { type: "positional", description: "KSeF invoice number", required: true },
@@ -7971,7 +9352,7 @@ var get = defineCommand5({
         return;
       }
       if (args.o) {
-        fs9.writeFileSync(args.o, xml, "utf-8");
+        fs11.writeFileSync(args.o, xml, "utf-8");
         outputSuccess(`Invoice saved to ${args.o}`);
       } else {
         console.log(xml);
@@ -7979,7 +9360,7 @@ var get = defineCommand5({
     }, { json: Boolean(args.json) });
   }
 });
-var query = defineCommand5({
+var query = defineCommand6({
   meta: { name: "query", description: "Query invoice metadata" },
   args: {
     ...QUERY_FILTER_ARGS,
@@ -8008,7 +9389,7 @@ var query = defineCommand5({
         return;
       }
       if (result.invoices.length === 0) {
-        consola9.info("No invoices found matching the criteria.");
+        consola11.info("No invoices found matching the criteria.");
         return;
       }
       outputTable(
@@ -8031,12 +9412,12 @@ var query = defineCommand5({
         { json: false }
       );
       if (result.hasMore) {
-        consola9.info("More results available. Use --page to fetch the next page.");
+        consola11.info("More results available. Use --page to fetch the next page.");
       }
     }, { json: Boolean(args.json) });
   }
 });
-var exportCmd = defineCommand5({
+var exportCmd = defineCommand6({
   meta: { name: "export", description: "Start invoice export" },
   args: {
     ...QUERY_FILTER_ARGS,
@@ -8051,7 +9432,7 @@ var exportCmd = defineCommand5({
     return withErrorHandler(async () => {
       const globalOpts = getGlobalOpts4(args);
       const { client } = await requireSession(globalOpts);
-      if (!args.json) consola9.start("Starting invoice export...");
+      if (!args.json) consola11.start("Starting invoice export...");
       await client.crypto.init();
       const encryptionData = client.crypto.getEncryptionData();
       const filters = buildQueryFilters(args);
@@ -8062,12 +9443,12 @@ var exportCmd = defineCommand5({
         outputResult(result, { json: true });
       } else {
         outputSuccess(`Export started. Ref: ${result.referenceNumber}`);
-        consola9.info("Check status with: ksef invoice export-status " + result.referenceNumber);
+        consola11.info("Check status with: ksef invoice export-status " + result.referenceNumber);
       }
     }, { json: Boolean(args.json) });
   }
 });
-var exportStatus = defineCommand5({
+var exportStatus = defineCommand6({
   meta: { name: "export-status", description: "Check invoice export status" },
   args: {
     ref: { type: "positional", description: "Export reference number", required: true },
@@ -8085,15 +9466,15 @@ var exportStatus = defineCommand5({
         outputResult(result, { json: true });
         return;
       }
-      consola9.info(`Status: ${result.status.code} \u2014 ${result.status.description}`);
+      consola11.info(`Status: ${result.status.code} \u2014 ${result.status.description}`);
       if (result.completedDate) {
-        consola9.info(`Completed: ${result.completedDate}`);
+        consola11.info(`Completed: ${result.completedDate}`);
       }
       if (result.packageExpirationDate) {
-        consola9.info(`Package expires: ${result.packageExpirationDate}`);
+        consola11.info(`Package expires: ${result.packageExpirationDate}`);
       }
       if (result.package) {
-        consola9.info(`Invoices: ${result.package.invoiceCount}, Size: ${result.package.size} bytes`);
+        consola11.info(`Invoices: ${result.package.invoiceCount}, Size: ${result.package.size} bytes`);
         if (result.package.parts.length > 0) {
           outputTable(
             result.package.parts.map((p) => ({
@@ -8118,7 +9499,7 @@ var exportStatus = defineCommand5({
   }
 });
 var VALID_SCHEMA_TYPES = SCHEMA_TYPES;
-var validateCmd = defineCommand5({
+var validateCmd = defineCommand6({
   meta: { name: "validate", description: "Validate invoice XML against KSeF schema" },
   args: {
     files: { type: "positional", description: "XML file(s) or directory to validate", required: true },
@@ -8133,13 +9514,13 @@ var validateCmd = defineCommand5({
       }
       const inputPath = args.files;
       const filePaths = [];
-      if (fs9.existsSync(inputPath) && fs9.statSync(inputPath).isDirectory()) {
-        const xmlFiles = fs9.readdirSync(inputPath).filter((f) => f.endsWith(".xml")).sort().map((f) => path6.join(inputPath, f));
+      if (fs11.existsSync(inputPath) && fs11.statSync(inputPath).isDirectory()) {
+        const xmlFiles = fs11.readdirSync(inputPath).filter((f) => f.endsWith(".xml")).sort().map((f) => path8.join(inputPath, f));
         if (xmlFiles.length === 0) {
           throw new Error(`No XML files found in ${inputPath}`);
         }
         filePaths.push(...xmlFiles);
-      } else if (fs9.existsSync(inputPath)) {
+      } else if (fs11.existsSync(inputPath)) {
         filePaths.push(inputPath);
       } else {
         throw new Error(`File not found: ${inputPath}`);
@@ -8148,28 +9529,28 @@ var validateCmd = defineCommand5({
       let invalidCount = 0;
       const allResults = [];
       for (const file of filePaths) {
-        const xml = fs9.readFileSync(file, "utf-8");
+        const xml = fs11.readFileSync(file, "utf-8");
         const result = await validate(xml, schemaOverride ? { schema: schemaOverride } : void 0);
         if (result.valid) {
           validCount++;
           if (!args.json) {
-            consola9.success(`${path6.basename(file)}: valid (${result.schemaType})`);
+            consola11.success(`${path8.basename(file)}: valid (${result.schemaType})`);
             if (result.schemaType === "PEF3" || result.schemaType === "PEF_KOR3") {
-              consola9.warn("PEF validation covers wrapper structure only \u2014 UBL content is not validated.");
+              consola11.warn("PEF validation covers wrapper structure only \u2014 UBL content is not validated.");
             }
           }
         } else {
           invalidCount++;
           if (!args.json) {
-            consola9.error(`${path6.basename(file)}: INVALID (${result.schemaType ?? "unknown schema"})`);
+            consola11.error(`${path8.basename(file)}: INVALID (${result.schemaType ?? "unknown schema"})`);
             for (const err of result.errors) {
               const loc = err.path ? ` at ${err.path}` : "";
-              consola9.log(`  [${err.code}]${loc}: ${err.message}`);
+              consola11.log(`  [${err.code}]${loc}: ${err.message}`);
             }
           }
         }
         allResults.push({
-          file: path6.basename(file),
+          file: path8.basename(file),
           valid: result.valid,
           schemaType: result.schemaType,
           errors: result.errors
@@ -8178,8 +9559,8 @@ var validateCmd = defineCommand5({
       if (args.json) {
         outputResult({ files: allResults, summary: { total: filePaths.length, valid: validCount, invalid: invalidCount } }, { json: true });
       } else if (filePaths.length > 1) {
-        consola9.log("");
-        consola9.info(`Summary: ${validCount} valid, ${invalidCount} invalid, ${filePaths.length} total`);
+        consola11.log("");
+        consola11.info(`Summary: ${validCount} valid, ${invalidCount} invalid, ${filePaths.length} total`);
       }
       if (invalidCount > 0) {
         process.exitCode = 1;
@@ -8187,13 +9568,13 @@ var validateCmd = defineCommand5({
     }, { json: Boolean(args.json) });
   }
 });
-var invoiceCommand = defineCommand5({
+var invoiceCommand = defineCommand6({
   meta: { name: "invoice", description: "Invoice commands" },
-  subCommands: { send, get, query, validate: validateCmd, export: exportCmd, "export-status": exportStatus, "export-incremental": exportIncremental }
+  subCommands: { send, build: invoiceBuild, get, query, validate: validateCmd, export: exportCmd, "export-status": exportStatus, "export-incremental": exportIncremental }
 });
 
 // src/cli/commands/permission.ts
-import { defineCommand as defineCommand6 } from "citty";
+import { defineCommand as defineCommand7 } from "citty";
 init_ksef_validation_error();
 function getGlobalOpts5(args) {
   return {
@@ -8204,7 +9585,7 @@ function getGlobalOpts5(args) {
     nip: args.nip
   };
 }
-var grant = defineCommand6({
+var grant = defineCommand7({
   meta: { name: "grant", description: "Grant permissions to a subject" },
   args: {
     type: { type: "string", description: "Grant type: person, entity, authorization, indirect, subunit, eu-entity-admin, eu-entity-representative", required: true },
@@ -8386,7 +9767,7 @@ var grant = defineCommand6({
     }, { json: Boolean(args.json) });
   }
 });
-var revoke2 = defineCommand6({
+var revoke2 = defineCommand7({
   meta: { name: "revoke", description: "Revoke a permission grant" },
   args: {
     grantId: { type: "positional", description: "Grant ID to revoke", required: true },
@@ -8415,7 +9796,7 @@ var revoke2 = defineCommand6({
     }, { json: Boolean(args.json) });
   }
 });
-var search = defineCommand6({
+var search = defineCommand7({
   meta: { name: "search", description: "Search permissions" },
   args: {
     type: { type: "string", description: "Search type: personal, persons, subunits, entities, entities-grants, subordinate-entities, authorizations, eu-entities", required: true },
@@ -8681,7 +10062,7 @@ var search = defineCommand6({
     }, { json: Boolean(args.json) });
   }
 });
-var status3 = defineCommand6({
+var status3 = defineCommand7({
   meta: { name: "status", description: "Check permission operation status" },
   args: {
     ref: { type: "positional", description: "Operation reference number", required: true },
@@ -8707,7 +10088,7 @@ var status3 = defineCommand6({
     }, { json: Boolean(args.json) });
   }
 });
-var attachmentStatus = defineCommand6({
+var attachmentStatus = defineCommand7({
   meta: { name: "attachment-status", description: "Check if attachment permissions are allowed" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -8731,14 +10112,14 @@ var attachmentStatus = defineCommand6({
     }, { json: Boolean(args.json) });
   }
 });
-var permissionCommand = defineCommand6({
+var permissionCommand = defineCommand7({
   meta: { name: "permission", description: "Permission management commands" },
   subCommands: { grant, revoke: revoke2, search, status: status3, "attachment-status": attachmentStatus }
 });
 
 // src/cli/commands/token.ts
-import { defineCommand as defineCommand7 } from "citty";
-import { consola as consola10 } from "consola";
+import { defineCommand as defineCommand8 } from "citty";
+import { consola as consola12 } from "consola";
 function getGlobalOpts6(args) {
   return {
     env: args.env,
@@ -8748,7 +10129,7 @@ function getGlobalOpts6(args) {
     nip: args.nip
   };
 }
-var generate = defineCommand7({
+var generate = defineCommand8({
   meta: { name: "generate", description: "Generate a new KSeF token" },
   args: {
     permissions: { type: "string", description: "Comma-separated permissions (e.g. InvoiceRead,InvoiceWrite)", required: true },
@@ -8784,7 +10165,7 @@ var generate = defineCommand7({
     }, { json: Boolean(args.json) });
   }
 });
-var list2 = defineCommand7({
+var list2 = defineCommand8({
   meta: { name: "list", description: "List KSeF tokens" },
   args: {
     status: { type: "string", description: "Comma-separated statuses (e.g. Active,Pending)" },
@@ -8838,12 +10219,12 @@ var list2 = defineCommand7({
         { json: false }
       );
       if (result.continuationToken) {
-        consola10.info(`More results available. Continuation token: ${result.continuationToken}`);
+        consola12.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
     }, { json: Boolean(args.json) });
   }
 });
-var get2 = defineCommand7({
+var get2 = defineCommand8({
   meta: { name: "get", description: "Get token details" },
   args: {
     ref: { type: "positional", description: "Token reference number", required: true },
@@ -8876,7 +10257,7 @@ var get2 = defineCommand7({
     }, { json: Boolean(args.json) });
   }
 });
-var revoke3 = defineCommand7({
+var revoke3 = defineCommand8({
   meta: { name: "revoke", description: "Revoke a KSeF token" },
   args: {
     ref: { type: "positional", description: "Token reference number", required: true },
@@ -8900,19 +10281,19 @@ var revoke3 = defineCommand7({
     }, { json: Boolean(args.json) });
   }
 });
-var tokenCommand = defineCommand7({
+var tokenCommand = defineCommand8({
   meta: { name: "token", description: "Token management commands" },
   subCommands: { generate, list: list2, get: get2, revoke: revoke3 }
 });
 
 // src/cli/commands/cert.ts
-import { defineCommand as defineCommand8 } from "citty";
-import { consola as consola11 } from "consola";
-import fs10 from "fs";
-import path7 from "path";
+import { defineCommand as defineCommand9 } from "citty";
+import { consola as consola13 } from "consola";
+import fs12 from "node:fs";
+import path9 from "node:path";
 
 // src/crypto/certificate-service.ts
-import * as crypto7 from "crypto";
+import * as crypto7 from "node:crypto";
 import * as x5092 from "@peculiar/x509";
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
@@ -9002,7 +10383,7 @@ function getGlobalOpts7(args) {
     nip: args.nip
   };
 }
-var generate2 = defineCommand8({
+var generate2 = defineCommand9({
   meta: { name: "generate", description: "Generate a self-signed certificate locally" },
   args: {
     type: { type: "string", description: "Certificate type: personal or company-seal", required: true },
@@ -9027,21 +10408,21 @@ var generate2 = defineCommand8({
       const certType = args.type;
       const cn = args.cn;
       const method = args.method || "RSA";
-      const outDir = path7.resolve(args.out || ".");
+      const outDir = path9.resolve(args.out || ".");
       if (certType !== "personal" && certType !== "company-seal") {
         throw new Error('--type must be "personal" or "company-seal".');
       }
       if (method !== "RSA" && method !== "ECDSA") {
         throw new Error('--method must be "RSA" or "ECDSA".');
       }
-      fs10.mkdirSync(outDir, { recursive: true });
-      const certPath = path7.join(outDir, "cert.pem");
-      const keyPath = path7.join(outDir, "key.pem");
+      fs12.mkdirSync(outDir, { recursive: true });
+      const certPath = path9.join(outDir, "cert.pem");
+      const keyPath = path9.join(outDir, "key.pem");
       if (!args.force) {
-        if (fs10.existsSync(certPath)) {
+        if (fs12.existsSync(certPath)) {
           throw new Error(`File already exists: ${certPath}. Use --force to overwrite.`);
         }
-        if (fs10.existsSync(keyPath)) {
+        if (fs12.existsSync(keyPath)) {
           throw new Error(`File already exists: ${keyPath}. Use --force to overwrite.`);
         }
       }
@@ -9068,8 +10449,8 @@ var generate2 = defineCommand8({
           method
         );
       }
-      fs10.writeFileSync(certPath, result.certificatePem, "utf-8");
-      fs10.writeFileSync(keyPath, result.privateKeyPem, "utf-8");
+      fs12.writeFileSync(certPath, result.certificatePem, "utf-8");
+      fs12.writeFileSync(keyPath, result.privateKeyPem, "utf-8");
       if (args.json) {
         outputResult({ certPath, keyPath, fingerprint: result.fingerprint }, { json: true });
       } else {
@@ -9083,7 +10464,7 @@ var generate2 = defineCommand8({
     }, { json: Boolean(args.json) });
   }
 });
-var enroll = defineCommand8({
+var enroll = defineCommand9({
   meta: { name: "enroll", description: "Submit certificate enrollment" },
   args: {
     cert: { type: "string", description: "Path to certificate PEM file", required: true },
@@ -9100,7 +10481,7 @@ var enroll = defineCommand8({
     return withErrorHandler(async () => {
       const globalOpts = getGlobalOpts7(args);
       const { client } = await requireSession(globalOpts);
-      const certPem = fs10.readFileSync(args.cert, "utf-8");
+      const certPem = fs12.readFileSync(args.cert, "utf-8");
       await client.crypto.init();
       const request = {
         certificateName: args.name,
@@ -9121,7 +10502,7 @@ var enroll = defineCommand8({
     }, { json: Boolean(args.json) });
   }
 });
-var status4 = defineCommand8({
+var status4 = defineCommand9({
   meta: { name: "status", description: "Check certificate enrollment status" },
   args: {
     ref: { type: "positional", description: "Enrollment reference number", required: true },
@@ -9153,7 +10534,7 @@ var status4 = defineCommand8({
     }, { json: Boolean(args.json) });
   }
 });
-var list3 = defineCommand8({
+var list3 = defineCommand9({
   meta: { name: "list", description: "Query certificates" },
   args: {
     serial: { type: "string", description: "Filter by serial number" },
@@ -9211,12 +10592,12 @@ var list3 = defineCommand8({
         { json: false }
       );
       if (result.hasMore) {
-        consola11.info("More results available. Use --page to paginate.");
+        consola13.info("More results available. Use --page to paginate.");
       }
     }, { json: Boolean(args.json) });
   }
 });
-var revoke4 = defineCommand8({
+var revoke4 = defineCommand9({
   meta: { name: "revoke", description: "Revoke a certificate" },
   args: {
     serial: { type: "positional", description: "Certificate serial number", required: true },
@@ -9243,7 +10624,7 @@ var revoke4 = defineCommand8({
     }, { json: Boolean(args.json) });
   }
 });
-var limits = defineCommand8({
+var limits = defineCommand9({
   meta: { name: "limits", description: "View certificate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9271,7 +10652,7 @@ var limits = defineCommand8({
     }, { json: Boolean(args.json) });
   }
 });
-var enrollmentData = defineCommand8({
+var enrollmentData = defineCommand9({
   meta: { name: "enrollment-data", description: "Get enrollment data template from KSeF" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9302,7 +10683,7 @@ var enrollmentData = defineCommand8({
     }, { json: Boolean(args.json) });
   }
 });
-var retrieve = defineCommand8({
+var retrieve = defineCommand9({
   meta: { name: "retrieve", description: "Retrieve certificates by serial numbers" },
   args: {
     serial: { type: "string", description: "Comma-separated certificate serial numbers", required: true },
@@ -9345,14 +10726,14 @@ var retrieve = defineCommand8({
     }, { json: Boolean(args.json) });
   }
 });
-var certCommand = defineCommand8({
+var certCommand = defineCommand9({
   meta: { name: "cert", description: "Certificate management commands" },
   subCommands: { generate: generate2, enroll, status: status4, list: list3, revoke: revoke4, limits, "enrollment-data": enrollmentData, retrieve }
 });
 
 // src/cli/commands/qr.ts
-import * as fs11 from "fs";
-import { defineCommand as defineCommand9 } from "citty";
+import * as fs13 from "node:fs";
+import { defineCommand as defineCommand10 } from "citty";
 
 // src/qr/qrcode-service.ts
 import * as QRCode from "qrcode";
@@ -9423,7 +10804,7 @@ function getGlobalOpts8(args) {
     nip: args.nip
   };
 }
-var invoice2 = defineCommand9({
+var invoice2 = defineCommand10({
   meta: { name: "invoice", description: "Generate invoice QR code" },
   args: {
     nip: { type: "string", description: "NIP number", required: true },
@@ -9455,7 +10836,7 @@ var invoice2 = defineCommand9({
         const effectiveLabel = args.offline ? "OFFLINE" : args.label;
         const svg = effectiveLabel ? await QrCodeService.generateQrCodeSvgWithLabel(url2, effectiveLabel, { width: size }) : await QrCodeService.generateQrCodeSvg(url2, { width: size });
         if (args.o) {
-          fs11.writeFileSync(args.o, svg);
+          fs13.writeFileSync(args.o, svg);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9464,7 +10845,7 @@ URL: ${url2}`);
       } else {
         const buffer = await QrCodeService.generateQrCode(url2, { width: size });
         if (args.o) {
-          fs11.writeFileSync(args.o, buffer);
+          fs13.writeFileSync(args.o, buffer);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9474,7 +10855,7 @@ URL: ${url2}`);
     }, { json: Boolean(args.json) });
   }
 });
-var certificate = defineCommand9({
+var certificate = defineCommand10({
   meta: { name: "certificate", description: "Generate certificate QR code" },
   args: {
     "context-type": { type: "string", description: "Context identifier type", required: true },
@@ -9483,6 +10864,7 @@ var certificate = defineCommand9({
     "cert-serial": { type: "string", description: "Certificate serial number", required: true },
     hash: { type: "string", description: "Certificate hash (base64)", required: true },
     key: { type: "string", description: "Path to PEM private key file", required: true },
+    "key-password": { type: "string", description: "Password for encrypted PEM private key" },
     format: { type: "string", description: "Output format: png or svg (default: png)" },
     size: { type: "string", description: "QR code size in pixels (default: 300)" },
     label: { type: "string", description: "Label text (SVG only)" },
@@ -9499,14 +10881,16 @@ var certificate = defineCommand9({
       const client = createClient(globalOpts);
       const size = args.size ? parseInt(args.size, 10) : 300;
       const format = args.format ?? "png";
-      const privateKeyPem = fs11.readFileSync(args.key, "utf-8");
+      const privateKeyPem = fs13.readFileSync(args.key, "utf-8");
+      const keyPassword = args["key-password"];
       const url2 = client.qr.buildCertificateVerificationUrl(
         args["context-type"],
         args["context-id"],
         args["seller-nip"],
         args["cert-serial"],
         args.hash,
-        privateKeyPem
+        privateKeyPem,
+        keyPassword
       );
       if (args.json) {
         const result = await QrCodeService.generateResult(url2, { width: size });
@@ -9516,7 +10900,7 @@ var certificate = defineCommand9({
       if (format === "svg") {
         const svg = args.label ? await QrCodeService.generateQrCodeSvgWithLabel(url2, args.label, { width: size }) : await QrCodeService.generateQrCodeSvg(url2, { width: size });
         if (args.o) {
-          fs11.writeFileSync(args.o, svg);
+          fs13.writeFileSync(args.o, svg);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9525,7 +10909,7 @@ URL: ${url2}`);
       } else {
         const buffer = await QrCodeService.generateQrCode(url2, { width: size });
         if (args.o) {
-          fs11.writeFileSync(args.o, buffer);
+          fs13.writeFileSync(args.o, buffer);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9535,7 +10919,7 @@ URL: ${url2}`);
     }, { json: Boolean(args.json) });
   }
 });
-var url = defineCommand9({
+var url = defineCommand10({
   meta: { name: "url", description: "Print invoice verification URL (no QR image)" },
   args: {
     nip: { type: "string", description: "NIP number", required: true },
@@ -9559,13 +10943,13 @@ var url = defineCommand9({
     }, { json: Boolean(args.json) });
   }
 });
-var qrCommand = defineCommand9({
+var qrCommand = defineCommand10({
   meta: { name: "qr", description: "QR code generation commands" },
   subCommands: { invoice: invoice2, certificate, url }
 });
 
 // src/cli/commands/lighthouse.ts
-import { defineCommand as defineCommand10 } from "citty";
+import { defineCommand as defineCommand11 } from "citty";
 function getGlobalOpts9(args) {
   return {
     env: args.env ?? "prod",
@@ -9575,7 +10959,7 @@ function getGlobalOpts9(args) {
     nip: args.nip
   };
 }
-var status5 = defineCommand10({
+var status5 = defineCommand11({
   meta: { name: "status", description: "Check KSeF system status" },
   args: {
     env: { type: "string", description: "Environment (test/prod, default: prod)" },
@@ -9603,7 +10987,7 @@ var status5 = defineCommand10({
     }, { json: Boolean(args.json) });
   }
 });
-var messages = defineCommand10({
+var messages = defineCommand11({
   meta: { name: "messages", description: "View KSeF system messages" },
   args: {
     env: { type: "string", description: "Environment (test/prod, default: prod)" },
@@ -9645,13 +11029,13 @@ var messages = defineCommand10({
     }, { json: Boolean(args.json) });
   }
 });
-var lighthouseCommand = defineCommand10({
+var lighthouseCommand = defineCommand11({
   meta: { name: "lighthouse", description: "KSeF system status commands" },
   subCommands: { status: status5, messages }
 });
 
 // src/cli/commands/test-data.ts
-import { defineCommand as defineCommand11 } from "citty";
+import { defineCommand as defineCommand12 } from "citty";
 function getGlobalOpts10(args) {
   return {
     env: args.env,
@@ -9674,7 +11058,7 @@ function outputDone(json) {
     outputSuccess("Done.");
   }
 }
-var createSubject = defineCommand11({
+var createSubject = defineCommand12({
   meta: { name: "create-subject", description: "Create a test subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9701,7 +11085,7 @@ var createSubject = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var removeSubject = defineCommand11({
+var removeSubject = defineCommand12({
   meta: { name: "remove-subject", description: "Remove a test subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9720,7 +11104,7 @@ var removeSubject = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var createPerson = defineCommand11({
+var createPerson = defineCommand12({
   meta: { name: "create-person", description: "Create a test person" },
   args: {
     nip: { type: "string", description: "Person NIP", required: true },
@@ -9751,7 +11135,7 @@ var createPerson = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var removePerson = defineCommand11({
+var removePerson = defineCommand12({
   meta: { name: "remove-person", description: "Remove a test person" },
   args: {
     nip: { type: "string", description: "Person NIP", required: true },
@@ -9770,7 +11154,7 @@ var removePerson = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var grantPermissions = defineCommand11({
+var grantPermissions = defineCommand12({
   meta: { name: "grant-permissions", description: "Grant test data permissions" },
   args: {
     "context-nip": { type: "string", description: "Context NIP", required: true },
@@ -9801,7 +11185,7 @@ var grantPermissions = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var revokePermissions = defineCommand11({
+var revokePermissions = defineCommand12({
   meta: { name: "revoke-permissions", description: "Revoke test data permissions" },
   args: {
     "context-nip": { type: "string", description: "Context NIP", required: true },
@@ -9829,7 +11213,7 @@ var revokePermissions = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var enableAttachment = defineCommand11({
+var enableAttachment = defineCommand12({
   meta: { name: "enable-attachment", description: "Enable attachment permission for a subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9848,7 +11232,7 @@ var enableAttachment = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var disableAttachment = defineCommand11({
+var disableAttachment = defineCommand12({
   meta: { name: "disable-attachment", description: "Disable attachment permission for a subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9871,7 +11255,7 @@ var disableAttachment = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var changeSessionLimits = defineCommand11({
+var changeSessionLimits = defineCommand12({
   meta: { name: "change-session-limits", description: "Change session limits in current context" },
   args: {
     "online-max-size": { type: "string", description: "Online session: max invoice size in MB (0-5)", required: true },
@@ -9908,7 +11292,7 @@ var changeSessionLimits = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var restoreSessionLimits = defineCommand11({
+var restoreSessionLimits = defineCommand12({
   meta: { name: "restore-session-limits", description: "Restore default session limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9927,7 +11311,7 @@ var restoreSessionLimits = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var changeCertLimits = defineCommand11({
+var changeCertLimits = defineCommand12({
   meta: { name: "change-cert-limits", description: "Change subject limits (enrollment/certificate) in current subject" },
   args: {
     "identifier-type": { type: "string", description: "Subject identifier type (Nip/Pesel/Fingerprint)" },
@@ -9954,7 +11338,7 @@ var changeCertLimits = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var restoreCertLimits = defineCommand11({
+var restoreCertLimits = defineCommand12({
   meta: { name: "restore-cert-limits", description: "Restore default certificates limit" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9973,7 +11357,7 @@ var restoreCertLimits = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var setRateLimits = defineCommand11({
+var setRateLimits = defineCommand12({
   meta: { name: "set-rate-limits", description: "Set effective API rate limits" },
   args: {
     limits: { type: "string", description: "Rate limits as JSON string (ApiRateLimitsOverride)", required: true },
@@ -9996,7 +11380,7 @@ var setRateLimits = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var restoreRateLimits = defineCommand11({
+var restoreRateLimits = defineCommand12({
   meta: { name: "restore-rate-limits", description: "Restore default API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -10015,7 +11399,7 @@ var restoreRateLimits = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var setProductionRateLimits = defineCommand11({
+var setProductionRateLimits = defineCommand12({
   meta: { name: "set-production-rate-limits", description: "Set production API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -10034,7 +11418,7 @@ var setProductionRateLimits = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var blockContext = defineCommand11({
+var blockContext = defineCommand12({
   meta: { name: "block-context", description: "Block a context" },
   args: {
     "context-value": { type: "string", description: "Context identifier value", required: true },
@@ -10061,7 +11445,7 @@ var blockContext = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var unblockContext = defineCommand11({
+var unblockContext = defineCommand12({
   meta: { name: "unblock-context", description: "Unblock a context" },
   args: {
     "context-value": { type: "string", description: "Context identifier value", required: true },
@@ -10088,7 +11472,7 @@ var unblockContext = defineCommand11({
     }, { json: Boolean(args.json) });
   }
 });
-var testDataCommand = defineCommand11({
+var testDataCommand = defineCommand12({
   meta: { name: "test-data", description: "Test environment data management (test/demo only)" },
   subCommands: {
     "create-subject": createSubject,
@@ -10112,7 +11496,7 @@ var testDataCommand = defineCommand11({
 });
 
 // src/cli/commands/limits.ts
-import { defineCommand as defineCommand12 } from "citty";
+import { defineCommand as defineCommand13 } from "citty";
 function getGlobalOpts11(args) {
   return {
     env: args.env,
@@ -10122,7 +11506,7 @@ function getGlobalOpts11(args) {
     nip: args.nip
   };
 }
-var context = defineCommand12({
+var context = defineCommand13({
   meta: { name: "context", description: "View effective context limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -10150,7 +11534,7 @@ var context = defineCommand12({
     }, { json: Boolean(args.json) });
   }
 });
-var subject = defineCommand12({
+var subject = defineCommand13({
   meta: { name: "subject", description: "View effective subject limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -10174,7 +11558,7 @@ var subject = defineCommand12({
     }, { json: Boolean(args.json) });
   }
 });
-var rate = defineCommand12({
+var rate = defineCommand13({
   meta: { name: "rate", description: "View effective API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -10210,14 +11594,14 @@ var rate = defineCommand12({
     }, { json: Boolean(args.json) });
   }
 });
-var limitsCommand = defineCommand12({
+var limitsCommand = defineCommand13({
   meta: { name: "limits", description: "View KSeF API limits" },
   subCommands: { context, subject, rate }
 });
 
 // src/cli/commands/peppol.ts
-import { defineCommand as defineCommand13 } from "citty";
-import { consola as consola12 } from "consola";
+import { defineCommand as defineCommand14 } from "citty";
+import { consola as consola14 } from "consola";
 function getGlobalOpts12(args) {
   return {
     env: args.env,
@@ -10227,7 +11611,7 @@ function getGlobalOpts12(args) {
     nip: args.nip
   };
 }
-var providers = defineCommand13({
+var providers = defineCommand14({
   meta: { name: "providers", description: "Query Peppol providers" },
   args: {
     page: { type: "string", description: "Page offset" },
@@ -10266,19 +11650,19 @@ var providers = defineCommand13({
         { json: false }
       );
       if (result.hasMore) {
-        consola12.info("More results available. Use --page to paginate.");
+        consola14.info("More results available. Use --page to paginate.");
       }
     }, { json: Boolean(args.json) });
   }
 });
-var peppolCommand = defineCommand13({
+var peppolCommand = defineCommand14({
   meta: { name: "peppol", description: "Peppol integration commands" },
   subCommands: { providers }
 });
 
 // src/cli/commands/doctor.ts
-import { defineCommand as defineCommand14 } from "citty";
-import { consola as consola13 } from "consola";
+import { defineCommand as defineCommand15 } from "citty";
+import { consola as consola15 } from "consola";
 function getGlobalOpts13(args) {
   return {
     env: args.env,
@@ -10288,7 +11672,7 @@ function getGlobalOpts13(args) {
     verbose: args.verbose
   };
 }
-var doctorCommand = defineCommand14({
+var doctorCommand = defineCommand15({
   meta: { name: "doctor", description: "Check CLI configuration and connectivity" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -10369,14 +11753,14 @@ var doctorCommand = defineCommand14({
       }
       for (const check of checks) {
         const icon = check.status === "pass" ? "\u2713" : check.status === "warn" ? "\u26A0" : "\u2717";
-        const log = check.status === "pass" ? consola13.success : check.status === "warn" ? consola13.warn : consola13.error;
+        const log = check.status === "pass" ? consola15.success : check.status === "warn" ? consola15.warn : consola15.error;
         log(`${icon} ${check.message}`);
       }
       if (passed === total) {
-        consola13.success(`
+        consola15.success(`
 ${passed}/${total} checks passed.`);
       } else {
-        consola13.warn(`
+        consola15.warn(`
 ${passed}/${total} checks passed.`);
       }
     }, { json: Boolean(args.json) });
@@ -10384,7 +11768,7 @@ ${passed}/${total} checks passed.`);
 });
 
 // src/cli/commands/completion.ts
-import { defineCommand as defineCommand15 } from "citty";
+import { defineCommand as defineCommand16 } from "citty";
 var COMMAND_TREE = {
   config: ["set", "show", "reset"],
   auth: ["challenge", "login", "status", "logout", "refresh", "whoami"],
@@ -10476,41 +11860,41 @@ function generateFish() {
   }
   return lines.join("\n") + "\n";
 }
-var bash = defineCommand15({
+var bash = defineCommand16({
   meta: { name: "bash", description: "Generate bash completion script" },
   run() {
     console.log(generateBash());
   }
 });
-var zsh = defineCommand15({
+var zsh = defineCommand16({
   meta: { name: "zsh", description: "Generate zsh completion script" },
   run() {
     console.log(generateZsh());
   }
 });
-var fish = defineCommand15({
+var fish = defineCommand16({
   meta: { name: "fish", description: "Generate fish completion script" },
   run() {
     console.log(generateFish());
   }
 });
-var completionCommand = defineCommand15({
+var completionCommand = defineCommand16({
   meta: { name: "completion", description: "Generate shell completion scripts" },
   subCommands: { bash, zsh, fish }
 });
 
 // src/cli/commands/setup.ts
-import * as fs12 from "fs";
-import * as path8 from "path";
-import * as os5 from "os";
-import { defineCommand as defineCommand16 } from "citty";
-import { consola as consola14 } from "consola";
+import * as fs14 from "node:fs";
+import * as path10 from "node:path";
+import * as os5 from "node:os";
+import { defineCommand as defineCommand17 } from "citty";
+import { consola as consola16 } from "consola";
 init_patterns();
 init_auth_xml_builder();
 init_polling();
 
 // src/cli/utils/open-folder.ts
-import { execFile } from "child_process";
+import { execFile } from "node:child_process";
 function openFolder(folderPath) {
   return new Promise((resolve2) => {
     const platform = process.platform;
@@ -10533,8 +11917,8 @@ function openFolder(folderPath) {
 }
 
 // src/cli/commands/setup.ts
-var KSEF_DIR = path8.join(os5.homedir(), ".ksef");
-var AUTH_XML_FILE = path8.join(KSEF_DIR, "auth.xml");
+var KSEF_DIR = path10.join(os5.homedir(), ".ksef");
+var AUTH_XML_FILE = path10.join(KSEF_DIR, "auth.xml");
 var SIGNING_URL = "https://podpis.gov.pl/podpisz-dokument-elektronicznie/";
 var ALL_PERMISSIONS = [
   { value: "InvoiceRead", label: "InvoiceRead \u2014 Read invoices" },
@@ -10547,36 +11931,36 @@ var ALL_PERMISSIONS = [
 ];
 function expandTilde(p) {
   if (p.startsWith("~")) {
-    return path8.join(os5.homedir(), p.slice(1));
+    return path10.join(os5.homedir(), p.slice(1));
   }
   return p;
 }
 async function promptNip() {
   while (true) {
-    const nip = await consola14.prompt("Enter your NIP (10 digits):", {
+    const nip = await consola16.prompt("Enter your NIP (10 digits):", {
       type: "text",
       cancel: "reject"
     });
     if (isValidNip(nip.trim())) {
       return nip.trim();
     }
-    consola14.warn("Invalid NIP. Must be a valid 10-digit Polish tax identification number.");
+    consola16.warn("Invalid NIP. Must be a valid 10-digit Polish tax identification number.");
   }
 }
 async function promptSignedXmlPath() {
   while (true) {
-    const raw = await consola14.prompt("Path to signed XML file:", {
+    const raw = await consola16.prompt("Path to signed XML file:", {
       type: "text",
       cancel: "reject"
     });
     const resolved = expandTilde(raw.trim());
-    if (fs12.existsSync(resolved)) {
+    if (fs14.existsSync(resolved)) {
       return resolved;
     }
-    consola14.warn(`File not found: ${resolved}`);
+    consola16.warn(`File not found: ${resolved}`);
   }
 }
-var setupCommand = defineCommand16({
+var setupCommand = defineCommand17({
   meta: { name: "setup", description: "Interactive setup wizard for KSeF CLI" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" }
@@ -10588,17 +11972,17 @@ var setupCommand = defineCommand16({
           "Interactive terminal required. Use `ksef auth login-external` and `ksef token generate` for non-interactive setup."
         );
       }
-      consola14.box("KSeF CLI Setup Wizard");
+      consola16.box("KSeF CLI Setup Wizard");
       const existingSession = loadSession();
       const existingCredentials = loadCredentials();
       if (existingSession || existingCredentials?.token) {
-        const overwrite = await consola14.prompt("An existing session or token was found. Overwrite?", {
+        const overwrite = await consola16.prompt("An existing session or token was found. Overwrite?", {
           type: "confirm",
           initial: false,
           cancel: "reject"
         });
         if (!overwrite) {
-          consola14.info("Setup cancelled.");
+          consola16.info("Setup cancelled.");
           return;
         }
       }
@@ -10606,25 +11990,25 @@ var setupCommand = defineCommand16({
       const env = args.env ?? config.environment;
       const nip = await promptNip();
       saveConfig({ ...config, nip, environment: env });
-      consola14.info(`Config saved: NIP=${nip}, env=${env}`);
+      consola16.info(`Config saved: NIP=${nip}, env=${env}`);
       const client = createClient({ env });
       let useSelfSigned = false;
       if (env === "test") {
-        useSelfSigned = await consola14.prompt("Test environment detected. Use self-signed certificate for quick auth?", {
+        useSelfSigned = await consola16.prompt("Test environment detected. Use self-signed certificate for quick auth?", {
           type: "confirm",
           initial: true,
           cancel: "reject"
         });
       }
       if (useSelfSigned) {
-        consola14.info("Generating self-signed certificate...");
+        consola16.info("Generating self-signed certificate...");
         const cert = await CertificateService.generateCompanySeal(
           "CLI Setup",
           `VATPL-${nip}`,
           `CLI Setup ${nip}`,
           "RSA"
         );
-        consola14.info("Authenticating with self-signed certificate...");
+        consola16.info("Authenticating with self-signed certificate...");
         await client.loginWithCertificate(cert.certificatePem, cert.privateKeyPem, nip);
         const session = {
           accessToken: client.authManager.getAccessToken(),
@@ -10636,15 +12020,15 @@ var setupCommand = defineCommand16({
       } else {
         let authenticated = false;
         while (!authenticated) {
-          consola14.info("Requesting authorization challenge from KSeF...");
+          consola16.info("Requesting authorization challenge from KSeF...");
           const challengeResult = await client.auth.getChallenge();
           const unsignedXml = buildUnsignedAuthTokenRequestXml({
             challenge: challengeResult.challenge,
             contextIdentifier: { type: "Nip", value: nip }
           });
-          fs12.mkdirSync(KSEF_DIR, { recursive: true });
-          fs12.writeFileSync(AUTH_XML_FILE, unsignedXml, "utf-8");
-          consola14.info(`Unsigned XML saved to ${AUTH_XML_FILE}`);
+          fs14.mkdirSync(KSEF_DIR, { recursive: true });
+          fs14.writeFileSync(AUTH_XML_FILE, unsignedXml, "utf-8");
+          consola16.info(`Unsigned XML saved to ${AUTH_XML_FILE}`);
           savePendingChallenge({
             challenge: challengeResult.challenge,
             timestamp: challengeResult.timestamp,
@@ -10653,9 +12037,9 @@ var setupCommand = defineCommand16({
           });
           const opened = await openFolder(KSEF_DIR);
           if (!opened) {
-            consola14.info(`Open the folder manually: ${KSEF_DIR}`);
+            consola16.info(`Open the folder manually: ${KSEF_DIR}`);
           }
-          consola14.box([
+          consola16.box([
             "Sign the XML file using a qualified signature:",
             "",
             `  1. Open: ${SIGNING_URL}`,
@@ -10664,12 +12048,12 @@ var setupCommand = defineCommand16({
             "  4. Download the signed XML file"
           ].join("\n"));
           const signedXmlPath = await promptSignedXmlPath();
-          const signedXml = fs12.readFileSync(signedXmlPath, "utf-8");
+          const signedXml = fs14.readFileSync(signedXmlPath, "utf-8");
           try {
-            consola14.info("Submitting signed XML to KSeF...");
+            consola16.info("Submitting signed XML to KSeF...");
             const submitResult = await client.auth.submitXadesAuthRequest(signedXml);
             const authToken = submitResult.authenticationToken.token;
-            consola14.info("Waiting for authorization...");
+            consola16.info("Waiting for authorization...");
             await pollUntil(
               () => client.auth.getAuthStatus(submitResult.referenceNumber, authToken),
               (s) => s.status.code !== 100,
@@ -10688,36 +12072,36 @@ var setupCommand = defineCommand16({
             outputSuccess("Authenticated successfully via external signature.");
           } catch (error) {
             const msg = error instanceof Error ? error.message : String(error);
-            consola14.error(`Authentication failed: ${msg}`);
-            const retry = await consola14.prompt("Get a new challenge and try again?", {
+            consola16.error(`Authentication failed: ${msg}`);
+            const retry = await consola16.prompt("Get a new challenge and try again?", {
               type: "confirm",
               initial: true,
               cancel: "reject"
             });
             if (!retry) {
-              consola14.info("Setup incomplete. Your NIP and environment are saved. Run `ksef auth login-external` to authenticate later.");
+              consola16.info("Setup incomplete. Your NIP and environment are saved. Run `ksef auth login-external` to authenticate later.");
               return;
             }
           }
         }
       }
-      const generateToken = await consola14.prompt("Generate a long-lived API token?", {
+      const generateToken = await consola16.prompt("Generate a long-lived API token?", {
         type: "confirm",
         initial: true,
         cancel: "reject"
       });
       if (generateToken) {
         try {
-          const selectedPermissions = await consola14.prompt("Select token permissions:", {
+          const selectedPermissions = await consola16.prompt("Select token permissions:", {
             type: "multiselect",
             options: ALL_PERMISSIONS,
             cancel: "reject"
           });
           if (selectedPermissions.length === 0) {
-            consola14.warn("No permissions selected. Skipping token generation.");
+            consola16.warn("No permissions selected. Skipping token generation.");
           } else {
             const defaultDescription = `KSeF CLI API Token ${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}`;
-            const description = await consola14.prompt(`Token description (${defaultDescription}):`, {
+            const description = await consola16.prompt(`Token description (${defaultDescription}):`, {
               type: "text",
               default: defaultDescription,
               cancel: "reject"
@@ -10739,19 +12123,19 @@ var setupCommand = defineCommand16({
                 environment: env
               };
               saveSession(newSession);
-              consola14.info("Re-authenticated with generated token.");
+              consola16.info("Re-authenticated with generated token.");
             } catch {
-              consola14.warn("Token saved but re-login failed. Run `ksef auth login` to authenticate with the stored token.");
+              consola16.warn("Token saved but re-login failed. Run `ksef auth login` to authenticate with the stored token.");
             }
           }
         } catch (error) {
           const msg = error instanceof Error ? error.message : String(error);
-          consola14.error(`Token generation failed: ${msg}`);
-          consola14.info("Your session is still active. Run `ksef token generate` to create a token later.");
+          consola16.error(`Token generation failed: ${msg}`);
+          consola16.info("Your session is still active. Run `ksef token generate` to create a token later.");
         }
       }
       const finalCredentials = loadCredentials();
-      consola14.box([
+      consola16.box([
         "Setup complete!",
         "",
         `  Environment: ${env}`,
@@ -10769,14 +12153,14 @@ var setupCommand = defineCommand16({
 });
 
 // src/cli/commands/offline.ts
-import * as fs14 from "fs";
-import { defineCommand as defineCommand17 } from "citty";
-import { consola as consola15 } from "consola";
+import * as fs16 from "node:fs";
+import { defineCommand as defineCommand18 } from "citty";
+import { consola as consola17 } from "consola";
 
 // src/offline/file-storage.ts
-import * as fs13 from "fs/promises";
-import * as path9 from "path";
-import * as os6 from "os";
+import * as fs15 from "node:fs/promises";
+import * as path11 from "node:path";
+import * as os6 from "node:os";
 
 // src/offline/storage.ts
 function matchesFilter(invoice3, filter) {
@@ -10796,7 +12180,7 @@ function matchesFilter(invoice3, filter) {
 // src/offline/file-storage.ts
 function resolveDir(dir) {
   if (dir === "~" || dir.startsWith("~/")) {
-    return path9.join(os6.homedir(), dir.slice(1));
+    return path11.join(os6.homedir(), dir.slice(1));
   }
   return dir;
 }
@@ -10812,23 +12196,23 @@ var FileOfflineInvoiceStorage = class {
     this.dir = resolveDir(directory ?? "~/.ksef/offline");
   }
   async ensureDir() {
-    await fs13.mkdir(this.dir, { recursive: true });
+    await fs15.mkdir(this.dir, { recursive: true });
   }
   filePath(id) {
     validateId(id);
-    return path9.join(this.dir, `${id}.json`);
+    return path11.join(this.dir, `${id}.json`);
   }
   async save(invoice3) {
     await this.ensureDir();
     const file = this.filePath(invoice3.id);
     const tmp = `${file}.tmp`;
-    await fs13.writeFile(tmp, JSON.stringify(invoice3, null, 2));
-    await fs13.rename(tmp, file);
+    await fs15.writeFile(tmp, JSON.stringify(invoice3, null, 2));
+    await fs15.rename(tmp, file);
   }
   async get(id) {
     const file = this.filePath(id);
     try {
-      return JSON.parse(await fs13.readFile(file, "utf-8"));
+      return JSON.parse(await fs15.readFile(file, "utf-8"));
     } catch (err) {
       if (err instanceof Error && "code" in err && err.code === "ENOENT") {
         return null;
@@ -10840,7 +12224,7 @@ var FileOfflineInvoiceStorage = class {
   async list(filter) {
     let files;
     try {
-      files = (await fs13.readdir(this.dir)).filter((f) => f.endsWith(".json"));
+      files = (await fs15.readdir(this.dir)).filter((f) => f.endsWith(".json"));
     } catch {
       return [];
     }
@@ -10848,7 +12232,7 @@ var FileOfflineInvoiceStorage = class {
     for (const file of files) {
       try {
         const data = JSON.parse(
-          await fs13.readFile(path9.join(this.dir, file), "utf-8")
+          await fs15.readFile(path11.join(this.dir, file), "utf-8")
         );
         if (!filter || matchesFilter(data, filter)) {
           results.push(data);
@@ -10874,7 +12258,7 @@ var FileOfflineInvoiceStorage = class {
   async delete(id) {
     const file = this.filePath(id);
     try {
-      await fs13.unlink(file);
+      await fs15.unlink(file);
     } catch (e) {
       if (e instanceof Error && "code" in e && e.code !== "ENOENT") throw e;
     }
@@ -10903,7 +12287,7 @@ var globalArgs = {
   nip: { type: "string", description: "NIP number" },
   "store-dir": { type: "string", description: "Offline invoice store directory" }
 };
-var generate3 = defineCommand17({
+var generate3 = defineCommand18({
   meta: { name: "generate", description: "Generate offline invoice metadata with QR codes" },
   args: {
     ...globalArgs,
@@ -10922,10 +12306,10 @@ var generate3 = defineCommand17({
       const globalOpts = getGlobalOpts14(args);
       const config = loadConfig();
       const xmlPath = args.xml;
-      if (!fs14.existsSync(xmlPath)) {
+      if (!fs16.existsSync(xmlPath)) {
         throw new Error(`File not found: ${xmlPath}`);
       }
-      const invoiceXml = fs14.readFileSync(xmlPath, "utf-8");
+      const invoiceXml = fs16.readFileSync(xmlPath, "utf-8");
       const sellerNip = args.nip ?? config.nip;
       if (!sellerNip) {
         throw new Error("NIP is required. Use --nip or set via `ksef config set --nip`");
@@ -10938,7 +12322,7 @@ var generate3 = defineCommand17({
         throw new Error("--cert-serial is required when using --key");
       }
       const certificate2 = args.key ? {
-        privateKeyPem: fs14.readFileSync(args.key, "utf-8"),
+        privateKeyPem: fs16.readFileSync(args.key, "utf-8"),
         certificateSerial: args["cert-serial"]
       } : void 0;
       const validModes = ["offline24", "offline", "awaryjny", "awaria_calkowita"];
@@ -10964,7 +12348,7 @@ var generate3 = defineCommand17({
       );
       if (args["qr-out"]) {
         const outDir = args["qr-out"];
-        fs14.mkdirSync(outDir, { recursive: true });
+        fs16.mkdirSync(outDir, { recursive: true });
         const format = args["qr-format"] ?? "png";
         if (format !== "png" && format !== "svg") {
           throw new Error(`Invalid --qr-format "${format}". Must be one of: png, svg`);
@@ -10972,17 +12356,17 @@ var generate3 = defineCommand17({
         const shortId = metadata.id.slice(0, 8);
         if (format === "svg") {
           const svg1 = await QrCodeService.generateQrCodeSvgWithLabel(metadata.kod1Url, "OFFLINE");
-          fs14.writeFileSync(`${outDir}/${shortId}-kod1.svg`, svg1);
+          fs16.writeFileSync(`${outDir}/${shortId}-kod1.svg`, svg1);
           if (metadata.kod2Url) {
             const svg2 = await QrCodeService.generateQrCodeSvgWithLabel(metadata.kod2Url, "CERTYFIKAT");
-            fs14.writeFileSync(`${outDir}/${shortId}-kod2.svg`, svg2);
+            fs16.writeFileSync(`${outDir}/${shortId}-kod2.svg`, svg2);
           }
         } else {
           const png1 = await QrCodeService.generateQrCode(metadata.kod1Url);
-          fs14.writeFileSync(`${outDir}/${shortId}-kod1.png`, png1);
+          fs16.writeFileSync(`${outDir}/${shortId}-kod1.png`, png1);
           if (metadata.kod2Url) {
             const png2 = await QrCodeService.generateQrCode(metadata.kod2Url);
-            fs14.writeFileSync(`${outDir}/${shortId}-kod2.png`, png2);
+            fs16.writeFileSync(`${outDir}/${shortId}-kod2.png`, png2);
           }
         }
         outputSuccess(`QR codes saved to ${outDir}/`);
@@ -11005,7 +12389,7 @@ var generate3 = defineCommand17({
     }, { json: Boolean(args.json) });
   }
 });
-var list4 = defineCommand17({
+var list4 = defineCommand18({
   meta: { name: "list", description: "List stored offline invoices" },
   args: {
     ...globalArgs,
@@ -11054,7 +12438,7 @@ var list4 = defineCommand17({
     }, { json: Boolean(args.json) });
   }
 });
-var status6 = defineCommand17({
+var status6 = defineCommand18({
   meta: { name: "status", description: "Show offline invoice details" },
   args: {
     ...globalArgs,
@@ -11090,7 +12474,7 @@ var status6 = defineCommand17({
     }, { json: Boolean(args.json) });
   }
 });
-var submit = defineCommand17({
+var submit = defineCommand18({
   meta: { name: "submit", description: "Submit offline invoices to KSeF" },
   args: {
     ...globalArgs,
@@ -11146,7 +12530,7 @@ var submit = defineCommand17({
     }, { json: Boolean(args.json) });
   }
 });
-var correct = defineCommand17({
+var correct = defineCommand18({
   meta: { name: "correct", description: "Technical correction for rejected offline invoice" },
   args: {
     ...globalArgs,
@@ -11159,10 +12543,10 @@ var correct = defineCommand17({
       const { client } = await requireSession(globalOpts);
       const storage = getStorage(args);
       const xmlPath = args.xml;
-      if (!fs14.existsSync(xmlPath)) {
+      if (!fs16.existsSync(xmlPath)) {
         throw new Error(`File not found: ${xmlPath}`);
       }
-      const correctedXml = fs14.readFileSync(xmlPath, "utf-8");
+      const correctedXml = fs16.readFileSync(xmlPath, "utf-8");
       const result = await client.offline.correct(client, {
         rejectedInvoiceId: args.id,
         correctedInvoiceXml: correctedXml,
@@ -11176,7 +12560,7 @@ var correct = defineCommand17({
     }, { json: Boolean(args.json) });
   }
 });
-var del = defineCommand17({
+var del = defineCommand18({
   meta: { name: "delete", description: "Delete offline invoice from local store" },
   args: {
     ...globalArgs,
@@ -11199,12 +12583,12 @@ var del = defineCommand17({
               `${expired.length} expired invoice(s) would be deleted. Use --force to confirm in non-interactive mode.`
             );
           }
-          const confirmed = await consola15.prompt(
+          const confirmed = await consola17.prompt(
             `Delete ${expired.length} expired invoice(s)?`,
             { type: "confirm", initial: false }
           );
           if (!confirmed) {
-            consola15.info("Cancelled.");
+            consola17.info("Cancelled.");
             return;
           }
         }
@@ -11226,16 +12610,16 @@ var del = defineCommand17({
     }, { json: Boolean(args.json) });
   }
 });
-var offlineCommand = defineCommand17({
+var offlineCommand = defineCommand18({
   meta: { name: "offline", description: "Offline invoice management" },
   subCommands: { generate: generate3, list: list4, status: status6, submit, correct, delete: del }
 });
 
 // src/cli/index.ts
-var __dirname = dirname2(fileURLToPath(import.meta.url));
-var pkg = JSON.parse(readFileSync9(resolve(__dirname, "..", "package.json"), "utf-8"));
+var __dirname = dirname3(fileURLToPath2(import.meta.url));
+var pkg = JSON.parse(readFileSync11(resolve(__dirname, "..", "package.json"), "utf-8"));
 var version = pkg.version;
-var main = defineCommand18({
+var main = defineCommand19({
   meta: {
     name: "ksef",
     version,