ksef-client-ts 0.7.0 → 0.7.2-alpha.0

package/dist/index.cjs

@@ -30,11 +30,22 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// node_modules/tsup/assets/cjs_shims.js
+var getImportMetaUrl, importMetaUrl;
+var init_cjs_shims = __esm({
+  "node_modules/tsup/assets/cjs_shims.js"() {
+    "use strict";
+    getImportMetaUrl = () => typeof document === "undefined" ? new URL(`file:${__filename}`).href : document.currentScript && document.currentScript.tagName.toUpperCase() === "SCRIPT" ? document.currentScript.src : new URL("main.js", document.baseURI).href;
+    importMetaUrl = /* @__PURE__ */ getImportMetaUrl();
+  }
+});
+
 // src/config/environments.ts
 var Environment;
 var init_environments = __esm({
   "src/config/environments.ts"() {
     "use strict";
+    init_cjs_shims();
     Environment = {
       TEST: {
         apiUrl: "https://api-test.ksef.mf.gov.pl",
@@ -73,6 +84,7 @@ var DEFAULT_API_VERSION, DEFAULT_TIMEOUT;
 var init_options = __esm({
   "src/config/options.ts"() {
     "use strict";
+    init_cjs_shims();
     init_environments();
     DEFAULT_API_VERSION = "v2";
     DEFAULT_TIMEOUT = 3e4;
@@ -83,6 +95,7 @@ var init_options = __esm({
 var init_config = __esm({
   "src/config/index.ts"() {
     "use strict";
+    init_cjs_shims();
     init_environments();
     init_options();
   }
@@ -93,6 +106,7 @@ var KSeFError;
 var init_ksef_error = __esm({
   "src/errors/ksef-error.ts"() {
     "use strict";
+    init_cjs_shims();
     KSeFError = class extends Error {
       constructor(message) {
         super(message);
@@ -107,6 +121,7 @@ var KSeFApiError;
 var init_ksef_api_error = __esm({
   "src/errors/ksef-api-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_error();
     KSeFApiError = class _KSeFApiError extends KSeFError {
       statusCode;
@@ -134,6 +149,7 @@ var KSeFRateLimitError;
 var init_ksef_rate_limit_error = __esm({
   "src/errors/ksef-rate-limit-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_api_error();
     KSeFRateLimitError = class _KSeFRateLimitError extends KSeFApiError {
       statusCode = 429;
@@ -184,6 +200,7 @@ var KSeFUnauthorizedError;
 var init_ksef_unauthorized_error = __esm({
   "src/errors/ksef-unauthorized-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_api_error();
     KSeFUnauthorizedError = class extends KSeFApiError {
       statusCode = 401;
@@ -216,6 +233,7 @@ var KSeFForbiddenError;
 var init_ksef_forbidden_error = __esm({
   "src/errors/ksef-forbidden-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_api_error();
     KSeFForbiddenError = class extends KSeFApiError {
       statusCode = 403;
@@ -254,6 +272,7 @@ var KSeFGoneError;
 var init_ksef_gone_error = __esm({
   "src/errors/ksef-gone-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_api_error();
     KSeFGoneError = class extends KSeFApiError {
       statusCode = 410;
@@ -286,6 +305,7 @@ var KSeFBadRequestError;
 var init_ksef_bad_request_error = __esm({
   "src/errors/ksef-bad-request-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_api_error();
     KSeFBadRequestError = class extends KSeFApiError {
       statusCode = 400;
@@ -321,6 +341,7 @@ var KSeFAuthStatusError;
 var init_ksef_auth_status_error = __esm({
   "src/errors/ksef-auth-status-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_error();
     KSeFAuthStatusError = class extends KSeFError {
       referenceNumber;
@@ -340,6 +361,7 @@ var KSeFSessionExpiredError;
 var init_ksef_session_expired_error = __esm({
   "src/errors/ksef-session-expired-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_error();
     KSeFSessionExpiredError = class extends KSeFError {
       constructor(message = "KSeF session has expired") {
@@ -359,6 +381,7 @@ var KSeFValidationError;
 var init_ksef_validation_error = __esm({
   "src/errors/ksef-validation-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_error();
     KSeFValidationError = class _KSeFValidationError extends KSeFError {
       details;
@@ -386,6 +409,7 @@ var KSeFErrorCode;
 var init_error_codes = __esm({
   "src/errors/error-codes.ts"() {
     "use strict";
+    init_cjs_shims();
     KSeFErrorCode = {
       BatchTimeout: 21208,
       DuplicateInvoice: 440
@@ -398,6 +422,7 @@ var KSeFBatchTimeoutError;
 var init_ksef_batch_timeout_error = __esm({
   "src/errors/ksef-batch-timeout-error.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_api_error();
     init_error_codes();
     KSeFBatchTimeoutError = class _KSeFBatchTimeoutError extends KSeFApiError {
@@ -417,6 +442,52 @@ var init_ksef_batch_timeout_error = __esm({
   }
 });
 
+// src/errors/ksef-circuit-open-error.ts
+var KSeFCircuitOpenError;
+var init_ksef_circuit_open_error = __esm({
+  "src/errors/ksef-circuit-open-error.ts"() {
+    "use strict";
+    init_cjs_shims();
+    init_ksef_error();
+    KSeFCircuitOpenError = class extends KSeFError {
+      endpoint;
+      openedAt;
+      retryAfterMs;
+      constructor(endpoint, openedAt, retryAfterMs) {
+        super(
+          `Circuit breaker is open for '${endpoint}'. Retry after ${Math.round(retryAfterMs)}ms.`
+        );
+        this.name = "KSeFCircuitOpenError";
+        this.endpoint = endpoint;
+        this.openedAt = openedAt;
+        this.retryAfterMs = retryAfterMs;
+      }
+    };
+  }
+});
+
+// src/errors/ksef-xsd-validation-error.ts
+var KSeFXsdValidationError;
+var init_ksef_xsd_validation_error = __esm({
+  "src/errors/ksef-xsd-validation-error.ts"() {
+    "use strict";
+    init_cjs_shims();
+    init_ksef_error();
+    KSeFXsdValidationError = class extends KSeFError {
+      schemaFile;
+      errors;
+      constructor(schemaFile, errors) {
+        const preview = errors.slice(0, 3).join("; ");
+        const extra = errors.length > 3 ? ` (+${errors.length - 3} more)` : "";
+        super(`XSD validation failed against ${schemaFile}: ${preview}${extra}`);
+        this.name = "KSeFXsdValidationError";
+        this.schemaFile = schemaFile;
+        this.errors = errors;
+      }
+    };
+  }
+});
+
 // src/errors/assert-never.ts
 function assertNever(value) {
   throw new Error(`Unexpected value: ${String(value)}`);
@@ -424,6 +495,7 @@ function assertNever(value) {
 var init_assert_never = __esm({
   "src/errors/assert-never.ts"() {
     "use strict";
+    init_cjs_shims();
   }
 });
 
@@ -431,6 +503,7 @@ var init_assert_never = __esm({
 var init_errors = __esm({
   "src/errors/index.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_error();
     init_ksef_api_error();
     init_ksef_rate_limit_error();
@@ -442,6 +515,8 @@ var init_errors = __esm({
     init_ksef_session_expired_error();
     init_ksef_validation_error();
     init_ksef_batch_timeout_error();
+    init_ksef_circuit_open_error();
+    init_ksef_xsd_validation_error();
     init_error_codes();
     init_assert_never();
   }
@@ -452,6 +527,7 @@ var RouteBuilder;
 var init_route_builder = __esm({
   "src/http/route-builder.ts"() {
     "use strict";
+    init_cjs_shims();
     RouteBuilder = class {
       apiVersion;
       constructor(apiVersion) {
@@ -470,6 +546,7 @@ var RestRequest;
 var init_rest_request = __esm({
   "src/http/rest-request.ts"() {
     "use strict";
+    init_cjs_shims();
     RestRequest = class _RestRequest {
       method;
       path;
@@ -478,21 +555,21 @@ var init_rest_request = __esm({
       _query = [];
       _presigned = false;
       _skipAuthRetry = false;
-      constructor(method, path2) {
+      constructor(method, path3) {
         this.method = method;
-        this.path = path2;
+        this.path = path3;
       }
-      static get(path2) {
-        return new _RestRequest("GET", path2);
+      static get(path3) {
+        return new _RestRequest("GET", path3);
       }
-      static post(path2) {
-        return new _RestRequest("POST", path2);
+      static post(path3) {
+        return new _RestRequest("POST", path3);
       }
-      static put(path2) {
-        return new _RestRequest("PUT", path2);
+      static put(path3) {
+        return new _RestRequest("PUT", path3);
       }
-      static delete(path2) {
-        return new _RestRequest("DELETE", path2);
+      static delete(path3) {
+        return new _RestRequest("DELETE", path3);
       }
       body(data) {
         this._body = data;
@@ -546,6 +623,7 @@ var defaultTransport;
 var init_transport = __esm({
   "src/http/transport.ts"() {
     "use strict";
+    init_cjs_shims();
     defaultTransport = (url, init) => fetch(url, init);
   }
 });
@@ -595,6 +673,7 @@ var RETRYABLE_ERROR_CODES;
 var init_retry_policy = __esm({
   "src/http/retry-policy.ts"() {
     "use strict";
+    init_cjs_shims();
     RETRYABLE_ERROR_CODES = /* @__PURE__ */ new Set([
       "ECONNRESET",
       "ECONNREFUSED",
@@ -685,6 +764,7 @@ var BLOCKED_PARAMS;
 var init_presigned_url_policy = __esm({
   "src/http/presigned-url-policy.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_validation_error();
     BLOCKED_PARAMS = ["redirect", "callback", "return_url", "next"];
   }
@@ -716,6 +796,7 @@ var import_consola, RestClient;
 var init_rest_client = __esm({
   "src/http/rest-client.ts"() {
     "use strict";
+    init_cjs_shims();
     import_consola = require("consola");
     init_ksef_api_error();
     init_ksef_rate_limit_error();
@@ -735,6 +816,7 @@ var init_rest_client = __esm({
       transport;
       retryPolicy;
       rateLimitPolicy;
+      circuitBreakerPolicy;
       authManager;
       presignedUrlPolicy;
       constructor(options, config) {
@@ -743,6 +825,7 @@ var init_rest_client = __esm({
         this.transport = config?.transport ?? defaultTransport;
         this.retryPolicy = config?.retryPolicy ?? defaultRetryPolicy();
         this.rateLimitPolicy = config?.rateLimitPolicy ?? null;
+        this.circuitBreakerPolicy = config?.circuitBreakerPolicy ?? null;
         this.authManager = config?.authManager;
         this.presignedUrlPolicy = config?.presignedUrlPolicy;
       }
@@ -767,18 +850,32 @@ var init_rest_client = __esm({
         if (request.isPresigned() && this.presignedUrlPolicy) {
           validatePresignedUrl(url, this.presignedUrlPolicy);
         }
+        let ownsProbeSlot = false;
+        if (this.circuitBreakerPolicy) {
+          const claimed = this.circuitBreakerPolicy.ensureClosed(request.path);
+          if (claimed) ownsProbeSlot = true;
+        }
         if (this.rateLimitPolicy) {
-          await this.rateLimitPolicy.acquire(request.path);
+          try {
+            await this.rateLimitPolicy.acquire(request.path);
+          } catch (error) {
+            if (ownsProbeSlot) this.circuitBreakerPolicy?.releaseProbe(request.path);
+            throw error;
+          }
         }
         let lastError;
         for (let attempt = 0; attempt <= this.retryPolicy.maxRetries; attempt++) {
+          if (this.circuitBreakerPolicy) {
+            const claimed = this.circuitBreakerPolicy.ensureClosed(request.path, ownsProbeSlot);
+            if (claimed) ownsProbeSlot = true;
+          }
           try {
-            const response = await this.doRequest(request, url);
+            let response = await this.doRequest(request, url);
             if (response.status === 401 && this.authManager && attempt === 0 && !request.isSkipAuthRetry()) {
               const newToken = await this.authManager.onUnauthorized();
               if (newToken) {
                 import_consola.consola.debug("Auth token refreshed, retrying request");
-                return this.doRequest(request, url, newToken);
+                response = await this.doRequest(request, url, newToken);
               }
             }
             if (isRetryableStatus(response.status, this.retryPolicy) && attempt < this.retryPolicy.maxRetries) {
@@ -788,10 +885,17 @@ var init_rest_client = __esm({
               import_consola.consola.debug(`Retryable ${response.status}, attempt ${attempt + 1}/${this.retryPolicy.maxRetries}, waiting ${Math.round(delayMs)}ms`);
               await sleep(delayMs);
               if (is429 && this.rateLimitPolicy) {
-                await this.rateLimitPolicy.acquire(request.path);
+                try {
+                  await this.rateLimitPolicy.acquire(request.path);
+                } catch (error) {
+                  this.recordCircuitOutcome(request.path, 429);
+                  ownsProbeSlot = false;
+                  throw error;
+                }
               }
               continue;
             }
+            this.recordCircuitOutcome(request.path, response.status);
             return response;
           } catch (error) {
             lastError = error;
@@ -801,11 +905,22 @@ var init_rest_client = __esm({
               await sleep(delayMs);
               continue;
             }
+            if (isRetryableError(error, this.retryPolicy) || ownsProbeSlot) {
+              this.circuitBreakerPolicy?.recordFailure(request.path);
+            }
             throw error;
           }
         }
         throw lastError;
       }
+      recordCircuitOutcome(path3, status) {
+        if (!this.circuitBreakerPolicy) return;
+        if (status >= 500) {
+          this.circuitBreakerPolicy.recordFailure(path3);
+          return;
+        }
+        this.circuitBreakerPolicy.recordSuccess(path3);
+      }
       async doRequest(request, url, overrideToken) {
         const headers = {
           ...this.options.customHeaders,
@@ -841,9 +956,9 @@ var init_rest_client = __esm({
         return response;
       }
       buildUrl(request) {
-        const path2 = this.routeBuilder.build(request.path);
+        const path3 = this.routeBuilder.build(request.path);
         const base = this.options.baseUrl;
-        const url = new URL(`${base}${path2}`);
+        const url = new URL(`${base}${path3}`);
         const query = request.getQuery();
         for (const [key, value] of query) {
           url.searchParams.append(key, value);
@@ -927,6 +1042,7 @@ var Routes;
 var init_routes = __esm({
   "src/http/routes.ts"() {
     "use strict";
+    init_cjs_shims();
     Routes = {
       TestData: {
         createSubject: "testdata/subject",
@@ -1059,6 +1175,7 @@ var TokenBucket, RateLimitPolicy;
 var init_rate_limit_policy = __esm({
   "src/http/rate-limit-policy.ts"() {
     "use strict";
+    init_cjs_shims();
     TokenBucket = class {
       tokens;
       maxTokens;
@@ -1119,11 +1236,151 @@ var init_rate_limit_policy = __esm({
   }
 });
 
+// src/http/circuit-breaker-policy.ts
+function defaultCircuitBreakerPolicy() {
+  return new CircuitBreakerPolicy();
+}
+var import_consola2, GLOBAL_KEY, CircuitBreakerPolicy;
+var init_circuit_breaker_policy = __esm({
+  "src/http/circuit-breaker-policy.ts"() {
+    "use strict";
+    init_cjs_shims();
+    import_consola2 = require("consola");
+    init_ksef_circuit_open_error();
+    GLOBAL_KEY = "__global__";
+    CircuitBreakerPolicy = class _CircuitBreakerPolicy {
+      failureThreshold;
+      openMs;
+      scope;
+      states = /* @__PURE__ */ new Map();
+      constructor(config = {}) {
+        const failureThreshold = config.failureThreshold ?? 5;
+        const openMs = config.openMs ?? 3e4;
+        if (!Number.isInteger(failureThreshold) || failureThreshold <= 0) {
+          throw new RangeError("CircuitBreakerPolicy: failureThreshold must be a positive integer");
+        }
+        if (!Number.isFinite(openMs) || openMs <= 0) {
+          throw new RangeError("CircuitBreakerPolicy: openMs must be > 0");
+        }
+        const scope = config.scope ?? "global";
+        if (scope !== "global" && scope !== "endpoint") {
+          throw new RangeError(
+            "CircuitBreakerPolicy: scope must be 'global' or 'endpoint'"
+          );
+        }
+        this.failureThreshold = failureThreshold;
+        this.openMs = openMs;
+        this.scope = scope;
+      }
+      // Returns true iff this call just claimed the single probe slot for the
+      // caller. The caller MUST pass `alreadyOwnsProbe=true` on subsequent
+      // re-checks for the same logical request (e.g. a retry loop) so the probe
+      // owner cannot deadlock itself on its own in-flight slot.
+      ensureClosed(endpoint, alreadyOwnsProbe = false) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state || state.openedAt === null) return false;
+        const now = performance.now();
+        const elapsed = now - state.openedAt;
+        if (elapsed >= this.openMs) {
+          if (alreadyOwnsProbe) return false;
+          if (state.probeInFlight) {
+            throw new KSeFCircuitOpenError(endpoint, state.openedAt, 0);
+          }
+          state.probeInFlight = true;
+          import_consola2.consola.debug(`Circuit breaker: probe after cooldown for '${key}'`);
+          return true;
+        }
+        const retryAfterMs = Math.max(0, this.openMs - elapsed);
+        throw new KSeFCircuitOpenError(endpoint, state.openedAt, retryAfterMs);
+      }
+      recordSuccess(endpoint) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state) return;
+        if (state.openedAt !== null || state.failures > 0) {
+          import_consola2.consola.debug(`Circuit breaker: reset for '${key}'`);
+        }
+        this.states.delete(key);
+      }
+      // Release a claimed probe slot WITHOUT observing an outcome. Use this when
+      // the probe attempt was aborted before reaching upstream (e.g. rate-limit
+      // acquire rejected, client cancellation). We have no new information about
+      // upstream health, so the breaker must stay OPEN — but we do restart the
+      // cooldown clock so the next probe attempt waits a fresh `openMs`,
+      // preventing a tight loop of aborted probes from spamming the limiter.
+      releaseProbe(endpoint) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state || !state.probeInFlight) return;
+        state.probeInFlight = false;
+        if (state.openedAt !== null) {
+          state.openedAt = performance.now();
+        }
+        import_consola2.consola.debug(`Circuit breaker: probe aborted (not observed) for '${key}', cooldown restarted`);
+      }
+      recordFailure(endpoint) {
+        const key = this.keyFor(endpoint);
+        const now = performance.now();
+        let state = this.states.get(key);
+        if (!state) {
+          state = { failures: 0, openedAt: null, lastFailureAt: null, probeInFlight: false };
+          this.states.set(key, state);
+        }
+        if (state.openedAt !== null && state.probeInFlight) {
+          state.openedAt = now;
+          state.failures = this.failureThreshold;
+          state.lastFailureAt = now;
+          state.probeInFlight = false;
+          import_consola2.consola.debug(`Circuit breaker: probe failed, re-opened for '${key}'`);
+          this.maybeSweepStaleClosed(now, key);
+          return;
+        }
+        const slidingStale = state.lastFailureAt !== null && now - state.lastFailureAt > this.openMs;
+        state.failures = slidingStale ? 1 : state.failures + 1;
+        state.lastFailureAt = now;
+        if (state.openedAt === null && state.failures >= this.failureThreshold) {
+          state.openedAt = now;
+          import_consola2.consola.debug(
+            `Circuit breaker: opened for '${key}' after ${state.failures} failures (cooldown ${this.openMs}ms)`
+          );
+        }
+        this.maybeSweepStaleClosed(now, key);
+      }
+      keyFor(endpoint) {
+        return this.scope === "global" ? GLOBAL_KEY : endpoint;
+      }
+      // Prevent unbounded map growth under `scope: 'endpoint'` when callers hit
+      // many distinct parameterized paths (e.g. `auth/sessions/{ref}`) that each
+      // fail once and are never revisited. Global scope is always a single entry.
+      //
+      // Runs amortized O(n) — gated on a size threshold so small workloads pay
+      // nothing. Only evicts states that are genuinely settled: closed, no probe
+      // in flight, and with the last failure older than two cooldowns.
+      maybeSweepStaleClosed(now, keepKey) {
+        if (this.scope !== "endpoint") return;
+        if (this.states.size <= _CircuitBreakerPolicy.sweepThreshold) return;
+        const staleBefore = now - 2 * this.openMs;
+        for (const [key, state] of this.states) {
+          if (key === keepKey) continue;
+          if (state.openedAt !== null) continue;
+          if (state.probeInFlight) continue;
+          if (state.lastFailureAt !== null && state.lastFailureAt < staleBefore) {
+            this.states.delete(key);
+          }
+        }
+      }
+      static sweepThreshold = 64;
+    };
+  }
+});
+
 // src/http/auth-manager.ts
 var DefaultAuthManager;
 var init_auth_manager = __esm({
   "src/http/auth-manager.ts"() {
     "use strict";
+    init_cjs_shims();
     DefaultAuthManager = class {
       token;
       refreshToken;
@@ -1164,6 +1421,7 @@ var KSEF_FEATURE_HEADER, UpoVersion, ENFORCE_XADES_COMPLIANCE;
 var init_ksef_feature = __esm({
   "src/http/ksef-feature.ts"() {
     "use strict";
+    init_cjs_shims();
     KSEF_FEATURE_HEADER = "X-KSeF-Feature";
     UpoVersion = {
       /** UPO v4-2 format (default before 2026-01-05). */
@@ -1263,6 +1521,7 @@ var NIP_PATTERN_CORE, VAT_UE_PATTERN_CORE, Nip, VatUe, NipVatUe, InternalId, Pep
 var init_patterns = __esm({
   "src/validation/patterns.ts"() {
     "use strict";
+    init_cjs_shims();
     NIP_PATTERN_CORE = "[1-9]((\\d[1-9])|([1-9]\\d))\\d{7}";
     VAT_UE_PATTERN_CORE = "(ATU\\d{8}|BE[01]{1}\\d{9}|BG\\d{9,10}|CY\\d{8}[A-Z]|CZ\\d{8,10}|DE\\d{9}|DK\\d{8}|EE\\d{9}|EL\\d{9}|ES([A-Z]\\d{8}|\\d{8}[A-Z]|[A-Z]\\d{7}[A-Z])|FI\\d{8}|FR[A-Z0-9]{2}\\d{9}|HR\\d{11}|HU\\d{8}|IE(\\d{7}[A-Z]{2}|\\d[A-Z0-9+*]\\d{5}[A-Z])|IT\\d{11}|LT(\\d{9}|\\d{12})|LU\\d{8}|LV\\d{11}|MT\\d{8}|NL[A-Z0-9+*]{12}|PT\\d{9}|RO\\d{2,10}|SE\\d{12}|SI\\d{8}|SK\\d{10}|XI((\\d{9}|\\d{12})|(GD|HA)\\d{3}))";
     Nip = new RegExp(`^${NIP_PATTERN_CORE}$`);
@@ -1379,6 +1638,7 @@ var import_xmldom;
 var init_xml_to_object = __esm({
   "src/validation/xml-to-object.ts"() {
     "use strict";
+    init_cjs_shims();
     import_xmldom = require("@xmldom/xmldom");
   }
 });
@@ -1392,6 +1652,7 @@ var import_zod, TKodFormularza, TDataCzas, TZnakowy, TNaglowek, TKodyKrajowUE, T
 var init_fa3 = __esm({
   "src/validation/schemas/fa3.ts"() {
     "use strict";
+    init_cjs_shims();
     import_zod = require("zod");
     TKodFormularza = import_zod.z.literal("FA");
     TDataCzas = import_zod.z.string();
@@ -1802,6 +2063,7 @@ var import_zod2, TKodFormularza2, TDataCzas2, TZnakowy3, TNaglowek2, TKodyKrajow
 var init_fa2 = __esm({
   "src/validation/schemas/fa2.ts"() {
     "use strict";
+    init_cjs_shims();
     import_zod2 = require("zod");
     TKodFormularza2 = import_zod2.z.literal("FA");
     TDataCzas2 = import_zod2.z.string();
@@ -2196,6 +2458,7 @@ var import_zod3, TKodFormularza3, TDataCzas3, TZnakowy4, TNaglowek3, TNrNIP3, TZ
 var init_rr1_v11e = __esm({
   "src/validation/schemas/rr1-v11e.ts"() {
     "use strict";
+    init_cjs_shims();
     import_zod3 = require("zod");
     TKodFormularza3 = import_zod3.z.literal("FA_RR");
     TDataCzas3 = import_zod3.z.string();
@@ -2401,6 +2664,7 @@ var import_zod4, TKodFormularza4, TDataCzas4, TZnakowy5, TNaglowek4, TNrNIP4, TZ
 var init_rr1_v10e = __esm({
   "src/validation/schemas/rr1-v10e.ts"() {
     "use strict";
+    init_cjs_shims();
     import_zod4 = require("zod");
     TKodFormularza4 = import_zod4.z.literal("FA_RR");
     TDataCzas4 = import_zod4.z.string();
@@ -2606,6 +2870,7 @@ var import_zod5, InvoiceType, PEF3Schema;
 var init_pef3 = __esm({
   "src/validation/schemas/pef3.ts"() {
     "use strict";
+    init_cjs_shims();
     import_zod5 = require("zod");
     InvoiceType = import_zod5.z.object({
       "UBLExtensions": import_zod5.z.any().optional(),
@@ -2676,6 +2941,7 @@ var import_zod6, CreditNoteType, PEF_KOR3Schema;
 var init_pef_kor3 = __esm({
   "src/validation/schemas/pef-kor3.ts"() {
     "use strict";
+    init_cjs_shims();
     import_zod6 = require("zod");
     CreditNoteType = import_zod6.z.object({
       "UBLExtensions": import_zod6.z.any().optional(),
@@ -2739,6 +3005,7 @@ var NAMESPACE_MAP;
 var init_schemas = __esm({
   "src/validation/schemas/index.ts"() {
     "use strict";
+    init_cjs_shims();
     init_fa3();
     init_fa2();
     init_rr1_v11e();
@@ -2795,6 +3062,7 @@ var ROOT_ELEMENT_MAP, schemaCache, SchemaRegistry;
 var init_schema_registry = __esm({
   "src/validation/schema-registry.ts"() {
     "use strict";
+    init_cjs_shims();
     init_schemas();
     ROOT_ELEMENT_MAP = {
       Invoice: "PEF3",
@@ -2920,6 +3188,7 @@ var DISCOURAGED_UNICODE_RANGES, PI_TARGET_RE;
 var init_char_validity = __esm({
   "src/validation/char-validity.ts"() {
     "use strict";
+    init_cjs_shims();
     DISCOURAGED_UNICODE_RANGES = [
       [127, 132],
       [134, 159],
@@ -3002,11 +3271,11 @@ async function validateSchema(xml, options, _parsed) {
   const prefix = rootElement ? `/${rootElement}/` : "/";
   const validationErrors = result.error.issues.map((issue) => {
     const zodPath = issue.path.join("/");
-    const path2 = zodPath ? `${prefix}${zodPath}` : rootElement ? `/${rootElement}` : void 0;
+    const path3 = zodPath ? `${prefix}${zodPath}` : rootElement ? `/${rootElement}` : void 0;
     return {
       code: mapZodErrorCode(issue),
       message: issue.message,
-      path: path2
+      path: path3
     };
   });
   return { valid: false, schemaType, errors: validationErrors };
@@ -3046,9 +3315,9 @@ function validateBusinessRules(xml, _parsed) {
   collectDateErrors(object, rootElement, errors);
   return { valid: errors.length === 0, schemaType, errors };
 }
-function collectNipPeselErrors(obj, path2, errors) {
+function collectNipPeselErrors(obj, path3, errors) {
   for (const [key, value] of Object.entries(obj)) {
-    const currentPath = path2 ? `${path2}/${key}` : key;
+    const currentPath = path3 ? `${path3}/${key}` : key;
     if (key === "NIP" && typeof value === "string") {
       if (!isValidNip(value)) {
         errors.push({
@@ -3127,6 +3396,7 @@ function batchValidationDetails(batch) {
 var init_invoice_validator = __esm({
   "src/validation/invoice-validator.ts"() {
     "use strict";
+    init_cjs_shims();
     init_xml_to_object();
     init_schema_registry();
     init_char_validity();
@@ -3139,6 +3409,7 @@ var SystemCode, FORM_CODES, DEFAULT_FORM_CODE, INVOICE_TYPES_BY_SYSTEM_CODE, FOR
 var init_types = __esm({
   "src/models/document-structures/types.ts"() {
     "use strict";
+    init_cjs_shims();
     SystemCode = {
       FA_2: "FA (2)",
       FA_3: "FA (3)",
@@ -3191,6 +3462,7 @@ var SYSTEM_CODE_TO_FORM_CODE, ALL_FORM_CODES, BATCH_DISALLOWED_SYSTEM_CODES;
 var init_helpers = __esm({
   "src/models/document-structures/helpers.ts"() {
     "use strict";
+    init_cjs_shims();
     init_types();
     SYSTEM_CODE_TO_FORM_CODE = {
       [SystemCode.FA_2]: FORM_CODES.FA_2,
@@ -3211,6 +3483,7 @@ var init_helpers = __esm({
 var init_document_structures = __esm({
   "src/models/document-structures/index.ts"() {
     "use strict";
+    init_cjs_shims();
     init_types();
     init_helpers();
   }
@@ -3221,6 +3494,7 @@ var AuthService;
 var init_auth = __esm({
   "src/services/auth.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_feature();
     init_rest_request();
     init_routes();
@@ -3271,6 +3545,7 @@ var ActiveSessionsService;
 var init_active_sessions = __esm({
   "src/services/active-sessions.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     ActiveSessionsService = class {
@@ -3302,6 +3577,7 @@ var OnlineSessionService;
 var init_online_session = __esm({
   "src/services/online-session.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_feature();
     init_rest_request();
     init_routes();
@@ -3354,6 +3630,7 @@ async function runWithConcurrency(tasks, parallelism) {
 var init_concurrency = __esm({
   "src/utils/concurrency.ts"() {
     "use strict";
+    init_cjs_shims();
   }
 });
 
@@ -3362,6 +3639,7 @@ var BatchSessionService;
 var init_batch_session = __esm({
   "src/services/batch-session.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_feature();
     init_rest_request();
     init_routes();
@@ -3466,6 +3744,7 @@ var SessionStatusService;
 var init_session_status = __esm({
   "src/services/session-status.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     SessionStatusService = class {
@@ -3552,6 +3831,7 @@ var InvoiceDownloadService;
 var init_invoice_download = __esm({
   "src/services/invoice-download.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     InvoiceDownloadService = class {
@@ -3594,6 +3874,7 @@ var PermissionsService;
 var init_permissions = __esm({
   "src/services/permissions.ts"() {
     "use strict";
+    init_cjs_shims();
     init_ksef_validation_error();
     init_rest_request();
     init_routes();
@@ -3786,6 +4067,7 @@ function parseKSeFTokenContext(token) {
 var init_jwt = __esm({
   "src/utils/jwt.ts"() {
     "use strict";
+    init_cjs_shims();
   }
 });
 
@@ -3797,6 +4079,7 @@ var TOKEN_AUTHOR_IDENTIFIER_TYPES, TokenService;
 var init_tokens = __esm({
   "src/services/tokens.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     init_jwt();
@@ -3917,6 +4200,7 @@ var CertificateApiService;
 var init_certificates = __esm({
   "src/services/certificates.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     CertificateApiService = class {
@@ -3969,6 +4253,7 @@ var LighthouseService;
 var init_lighthouse = __esm({
   "src/services/lighthouse.ts"() {
     "use strict";
+    init_cjs_shims();
     init_errors();
     LighthouseService = class {
       lighthouseUrl;
@@ -3977,20 +4262,20 @@ var init_lighthouse = __esm({
         this.lighthouseUrl = options.lighthouseUrl;
         this.timeout = options.timeout;
       }
-      async fetchJson(path2) {
+      async fetchJson(path3) {
         if (!this.lighthouseUrl) {
           throw new KSeFError(
             "Lighthouse API is not available for the DEMO environment. Use TEST or PROD instead."
           );
         }
-        const response = await fetch(`${this.lighthouseUrl}${path2}`, {
+        const response = await fetch(`${this.lighthouseUrl}${path3}`, {
           headers: { Accept: "application/json" },
           signal: AbortSignal.timeout(this.timeout)
         });
         if (!response.ok) {
           const body = await response.text();
           throw new KSeFError(
-            `Lighthouse ${path2} failed: HTTP ${response.status} \u2014 ${body}`
+            `Lighthouse ${path3} failed: HTTP ${response.status} \u2014 ${body}`
           );
         }
         return await response.json();
@@ -4011,6 +4296,7 @@ var LimitsService;
 var init_limits = __esm({
   "src/services/limits.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     LimitsService = class {
@@ -4042,6 +4328,7 @@ var PeppolService;
 var init_peppol = __esm({
   "src/services/peppol.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     PeppolService = class {
@@ -4065,6 +4352,7 @@ var TestDataService;
 var init_test_data = __esm({
   "src/services/test-data.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     init_ksef_error();
@@ -4184,6 +4472,7 @@ var CertificateFetcher;
 var init_certificate_fetcher = __esm({
   "src/crypto/certificate-fetcher.ts"() {
     "use strict";
+    init_cjs_shims();
     init_rest_request();
     init_routes();
     CertificateFetcher = class {
@@ -4277,7 +4566,8 @@ var crypto2, x509, CryptographyService;
 var init_cryptography_service = __esm({
   "src/crypto/cryptography-service.ts"() {
     "use strict";
-    crypto2 = __toESM(require("crypto"), 1);
+    init_cjs_shims();
+    crypto2 = __toESM(require("node:crypto"), 1);
     x509 = __toESM(require("@peculiar/x509"), 1);
     CryptographyService = class {
       fetcher;
@@ -4336,7 +4626,7 @@ var init_cryptography_service = __esm({
         const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
         const encryptedKey = crypto2.publicEncrypt(
           {
-            key: certPem,
+            key: this.extractSpkiPem(certPem),
             oaepHash: "sha256",
             padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
           },
@@ -4466,12 +4756,22 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       // Private helpers
       // ---------------------------------------------------------------------------
+      /**
+       * Extract a public-key SPKI PEM (`-----BEGIN PUBLIC KEY-----`) from a full
+       * CERTIFICATE PEM. Node's `publicEncrypt` accepts either form, but Deno's
+       * Node compatibility layer only accepts SPKI PEM, so we normalize upfront
+       * to keep the library portable across runtimes.
+       */
+      extractSpkiPem(certPem) {
+        const publicKey = new crypto2.X509Certificate(certPem).publicKey;
+        return publicKey.export({ type: "spki", format: "pem" });
+      }
       /** RSA-OAEP SHA-256 encryption. */
       encryptRsaOaep(certPem, plaintext) {
         return new Uint8Array(
           crypto2.publicEncrypt(
             {
-              key: certPem,
+              key: this.extractSpkiPem(certPem),
               oaepHash: "sha256",
               padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
             },
@@ -4513,6 +4813,40 @@ var signature_service_exports = {};
 __export(signature_service_exports, {
   SignatureService: () => SignatureService
 });
+function pickRsaAlgo() {
+  return {
+    nodeHashName: "sha256",
+    signatureUri: RSA_SHA256_SIGNATURE_URI,
+    digestUri: DIGEST_URI.sha256
+  };
+}
+function pickEcdsaAlgo(privateKey) {
+  const curve = privateKey.asymmetricKeyDetails?.namedCurve;
+  switch (curve) {
+    case "prime256v1":
+      return {
+        nodeHashName: "sha256",
+        signatureUri: ECDSA_SIGNATURE_URI.sha256,
+        digestUri: DIGEST_URI.sha256
+      };
+    case "secp384r1":
+      return {
+        nodeHashName: "sha384",
+        signatureUri: ECDSA_SIGNATURE_URI.sha384,
+        digestUri: DIGEST_URI.sha384
+      };
+    case "secp521r1":
+      return {
+        nodeHashName: "sha512",
+        signatureUri: ECDSA_SIGNATURE_URI.sha512,
+        digestUri: DIGEST_URI.sha512
+      };
+    default:
+      throw new KSeFError(
+        `Unsupported ECDSA curve: ${curve ?? "unknown"}. Supported: P-256 (prime256v1), P-384 (secp384r1), P-521 (secp521r1).`
+      );
+  }
+}
 function extractDerFromPem(pem) {
   const base64 = pem.replace(/-----BEGIN [A-Z\s]+-----/g, "").replace(/-----END [A-Z\s]+-----/g, "").replace(/\s+/g, "");
   return Buffer.from(base64, "base64");
@@ -4527,12 +4861,12 @@ function canonicalize(elem) {
   const c14n = new import_xml_crypto.ExclusiveCanonicalization();
   return c14n.process(elem, {});
 }
-function computeRootDigest(doc) {
+function computeRootDigest(doc, hashName) {
   const root = doc.documentElement;
   const canonical = canonicalize(root);
-  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash(hashName).update(canonical, "utf-8").digest("base64");
 }
-function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
+function computeSignedPropertiesDigest(qualifyingPropertiesXml, hashName) {
   const parser2 = new import_xmldom2.DOMParser();
   const qpDoc = parser2.parseFromString(qualifyingPropertiesXml, "text/xml");
   const signedProps = findElementByLocalName(qpDoc.documentElement, "SignedProperties");
@@ -4540,9 +4874,9 @@ function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
   }
   const canonical = canonicalize(signedProps);
-  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash(hashName).update(canonical, "utf-8").digest("base64");
 }
-function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest) {
+function buildSignedInfo(signatureAlgorithm, digestAlgorithm, rootDigest, signedPropertiesDigest) {
   return [
     `<ds:SignedInfo xmlns:ds="${DS_NS}">`,
     `<ds:CanonicalizationMethod Algorithm="${EXC_C14N_ALGORITHM}"/>`,
@@ -4553,7 +4887,7 @@ function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest)
     `<ds:Transform Algorithm="${ENVELOPED_SIGNATURE_TRANSFORM}"/>`,
     `<ds:Transform Algorithm="${EXC_C14N_ALGORITHM}"/>`,
     `</ds:Transforms>`,
-    `<ds:DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<ds:DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<ds:DigestValue>${rootDigest}</ds:DigestValue>`,
     `</ds:Reference>`,
     // Reference 2: SignedProperties
@@ -4561,22 +4895,22 @@ function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest)
     `<ds:Transforms>`,
     `<ds:Transform Algorithm="${EXC_C14N_ALGORITHM}"/>`,
     `</ds:Transforms>`,
-    `<ds:DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<ds:DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<ds:DigestValue>${signedPropertiesDigest}</ds:DigestValue>`,
     `</ds:Reference>`,
     `</ds:SignedInfo>`
   ].join("");
 }
-function computeSignatureValue(canonicalSignedInfo, privateKey, isEc) {
+function computeSignatureValue(canonicalSignedInfo, privateKey, isEc, hashName) {
   const data = Buffer.from(canonicalSignedInfo, "utf-8");
   let signature;
   if (isEc) {
-    signature = crypto3.sign("sha256", data, {
+    signature = crypto3.sign(hashName, data, {
       key: privateKey,
       dsaEncoding: "ieee-p1363"
     });
   } else {
-    signature = crypto3.sign("sha256", data, privateKey);
+    signature = crypto3.sign(hashName, data, privateKey);
   }
   return signature.toString("base64");
 }
@@ -4597,7 +4931,7 @@ function buildSignatureElement(signedInfoXml, signatureValue, certBase64, qualif
     `</ds:Signature>`
   ].join("");
 }
-function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest, issuerName, serialNumber, signingTime) {
+function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest, issuerName, serialNumber, signingTime, digestAlgorithm) {
   return [
     `<xades:QualifyingProperties`,
     ` Target="#${signatureId}"`,
@@ -4609,7 +4943,7 @@ function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest,
     `<xades:SigningCertificate>`,
     `<xades:Cert>`,
     `<xades:CertDigest>`,
-    `<DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<DigestValue>${certDigest}</DigestValue>`,
     `</xades:CertDigest>`,
     `<xades:IssuerSerial>`,
@@ -4645,21 +4979,31 @@ function wrapBase64(base64) {
   }
   return lines.join("\n");
 }
-var crypto3, import_xml_crypto, import_xmldom2, XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, SHA256_DIGEST_METHOD, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, RSA_SHA256_SIGNATURE, ECDSA_SHA256_SIGNATURE, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
+var crypto3, import_xml_crypto, import_xmldom2, XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, DIGEST_URI, ECDSA_SIGNATURE_URI, RSA_SHA256_SIGNATURE_URI, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
 var init_signature_service = __esm({
   "src/crypto/signature-service.ts"() {
     "use strict";
-    crypto3 = __toESM(require("crypto"), 1);
+    init_cjs_shims();
+    crypto3 = __toESM(require("node:crypto"), 1);
     import_xml_crypto = require("xml-crypto");
     import_xmldom2 = require("@xmldom/xmldom");
+    init_ksef_error();
     XADES_NS = "http://uri.etsi.org/01903/v1.3.2#";
     DS_NS = "http://www.w3.org/2000/09/xmldsig#";
     SIGNED_PROPERTIES_TYPE = "http://uri.etsi.org/01903#SignedProperties";
-    SHA256_DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256";
     EXC_C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";
     ENVELOPED_SIGNATURE_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
-    RSA_SHA256_SIGNATURE = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
-    ECDSA_SHA256_SIGNATURE = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
+    DIGEST_URI = {
+      sha256: "http://www.w3.org/2001/04/xmlenc#sha256",
+      sha384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+      sha512: "http://www.w3.org/2001/04/xmlenc#sha512"
+    };
+    ECDSA_SIGNATURE_URI = {
+      sha256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+      sha384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+      sha512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+    };
+    RSA_SHA256_SIGNATURE_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     CLOCK_SKEW_BUFFER_MS = -6e4;
     SIGNATURE_ID = "Signature";
     SIGNED_PROPERTIES_ID = "SignedProperties";
@@ -4679,15 +5023,21 @@ var init_signature_service = __esm({
         }
         const certDer = extractDerFromPem(certPem);
         const certBase64 = certDer.toString("base64");
-        const certDigest = crypto3.createHash("sha256").update(certDer).digest("base64");
         const x5093 = new crypto3.X509Certificate(certPem);
         const issuerName = normalizeIssuerDn(x5093.issuer);
         const serialNumber = hexSerialToDecimal(x5093.serialNumber);
         const privateKey = crypto3.createPrivateKey(
           passphrase ? { key: privateKeyPem, format: "pem", passphrase } : privateKeyPem
         );
-        const isEc = privateKey.asymmetricKeyType === "ec";
-        const signatureAlgorithm = isEc ? ECDSA_SHA256_SIGNATURE : RSA_SHA256_SIGNATURE;
+        const keyType = privateKey.asymmetricKeyType;
+        if (keyType !== "ec" && keyType !== "rsa") {
+          throw new KSeFError(
+            `Unsupported private key type: ${keyType ?? "unknown"}. Supported: RSA and ECDSA.`
+          );
+        }
+        const isEc = keyType === "ec";
+        const algo = isEc ? pickEcdsaAlgo(privateKey) : pickRsaAlgo();
+        const certDigest = crypto3.createHash(algo.nodeHashName).update(certDer).digest("base64");
         const signingTime = new Date(Date.now() + CLOCK_SKEW_BUFFER_MS).toISOString();
         const parser2 = new import_xmldom2.DOMParser();
         const doc = parser2.parseFromString(xml, "text/xml");
@@ -4701,12 +5051,17 @@ var init_signature_service = __esm({
           certDigest,
           issuerName,
           serialNumber,
-          signingTime
+          signingTime,
+          algo.digestUri
+        );
+        const rootDigest = computeRootDigest(doc, algo.nodeHashName);
+        const signedPropertiesDigest = computeSignedPropertiesDigest(
+          qualifyingPropertiesXml,
+          algo.nodeHashName
         );
-        const rootDigest = computeRootDigest(doc);
-        const signedPropertiesDigest = computeSignedPropertiesDigest(qualifyingPropertiesXml);
         const signedInfoXml = buildSignedInfo(
-          signatureAlgorithm,
+          algo.signatureUri,
+          algo.digestUri,
           rootDigest,
           signedPropertiesDigest
         );
@@ -4715,7 +5070,8 @@ var init_signature_service = __esm({
         const signatureValue = computeSignatureValue(
           canonicalSignedInfo,
           privateKey,
-          isEc
+          isEc,
+          algo.nodeHashName
         );
         const signatureXml = buildSignatureElement(
           signedInfoXml,
@@ -4741,6 +5097,7 @@ var import_node_forge, Pkcs12Loader;
 var init_pkcs12_loader = __esm({
   "src/crypto/pkcs12-loader.ts"() {
     "use strict";
+    init_cjs_shims();
     import_node_forge = __toESM(require("node-forge"), 1);
     Pkcs12Loader = class {
       static load(p12, password) {
@@ -4810,6 +5167,7 @@ var AUTH_TOKEN_REQUEST_NS;
 var init_auth_xml_builder = __esm({
   "src/crypto/auth-xml-builder.ts"() {
     "use strict";
+    init_cjs_shims();
     AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
   }
 });
@@ -4819,7 +5177,8 @@ var import_node_crypto, VerificationLinkService;
 var init_verification_link_service = __esm({
   "src/qr/verification-link-service.ts"() {
     "use strict";
-    import_node_crypto = __toESM(require("crypto"), 1);
+    init_cjs_shims();
+    import_node_crypto = __toESM(require("node:crypto"), 1);
     VerificationLinkService = class {
       constructor(baseQrUrl) {
         this.baseQrUrl = baseQrUrl;
@@ -4841,11 +5200,11 @@ var init_verification_link_service = __esm({
        * Build certificate verification URL (Code II).
        * Format: {baseQrUrl}/certificate/{contextType}/{contextId}/{sellerNip}/{certSerial}/{hash_base64url}/{signature_base64url}
        */
-      buildCertificateVerificationUrl(contextType, contextId, sellerNip, certSerial, invoiceHashBase64, privateKeyPem) {
+      buildCertificateVerificationUrl(contextType, contextId, sellerNip, certSerial, invoiceHashBase64, privateKeyPem, privateKeyPassword) {
         const hashBase64Url = this.base64ToBase64Url(invoiceHashBase64);
         const pathWithoutSignature = `${this.baseQrUrl}/certificate/${contextType}/${contextId}/${sellerNip}/${certSerial}/${hashBase64Url}`;
         const dataToSign = pathWithoutSignature.replace(/^https?:\/\//, "");
-        const key = import_node_crypto.default.createPrivateKey(privateKeyPem);
+        const key = privateKeyPassword !== void 0 ? import_node_crypto.default.createPrivateKey({ key: privateKeyPem, format: "pem", passphrase: privateKeyPassword }) : import_node_crypto.default.createPrivateKey(privateKeyPem);
         let signature;
         if (key.asymmetricKeyType === "rsa") {
           signature = import_node_crypto.default.sign("sha256", Buffer.from(dataToSign), {
@@ -4959,6 +5318,7 @@ var import_yazl, import_yauzl, DEFAULT_UNZIP_OPTIONS;
 var init_zip = __esm({
   "src/utils/zip.ts"() {
     "use strict";
+    init_cjs_shims();
     import_yazl = require("yazl");
     import_yauzl = require("yauzl");
     DEFAULT_UNZIP_OPTIONS = {
@@ -5032,6 +5392,7 @@ var holidayCache;
 var init_holidays = __esm({
   "src/offline/holidays.ts"() {
     "use strict";
+    init_cjs_shims();
     holidayCache = /* @__PURE__ */ new Map();
   }
 });
@@ -5131,6 +5492,7 @@ var FAR_FUTURE;
 var init_deadline = __esm({
   "src/offline/deadline.ts"() {
     "use strict";
+    init_cjs_shims();
     init_holidays();
     FAR_FUTURE = /* @__PURE__ */ new Date("9999-12-31T23:59:59Z");
   }
@@ -5141,7 +5503,8 @@ var import_node_crypto3, OfflineInvoiceWorkflow;
 var init_offline_invoice_workflow = __esm({
   "src/workflows/offline-invoice-workflow.ts"() {
     "use strict";
-    import_node_crypto3 = __toESM(require("crypto"), 1);
+    init_cjs_shims();
+    import_node_crypto3 = __toESM(require("node:crypto"), 1);
     init_ksef_api_error();
     init_deadline();
     init_document_structures();
@@ -5175,7 +5538,8 @@ var init_offline_invoice_workflow = __esm({
             input.sellerNip,
             options.certificate.certificateSerial,
             invoiceHashBase64,
-            options.certificate.privateKeyPem
+            options.certificate.privateKeyPem,
+            options.certificate.password
           );
         }
         const submitBy = options?.customDeadline ? typeof options.customDeadline === "string" ? options.customDeadline : options.customDeadline.toISOString() : calculateOfflineDeadline(mode, input.invoiceDate, options?.maintenanceWindow).toISOString();
@@ -5365,7 +5729,8 @@ var init_offline_invoice_workflow = __esm({
               original.sellerNip,
               options.certificate.certificateSerial,
               correctedHashBase64,
-              options.certificate.privateKeyPem
+              options.certificate.privateKeyPem,
+              options.certificate.password
             );
           }
           const correctionMetadata = {
@@ -5451,6 +5816,11 @@ function buildRestClientConfig(options, authManager) {
       endpointLimits: options.rateLimit.endpointLimits
     });
   }
+  if (options?.circuitBreaker === null) {
+    config.circuitBreakerPolicy = null;
+  } else if (options?.circuitBreaker) {
+    config.circuitBreakerPolicy = new CircuitBreakerPolicy(options.circuitBreaker);
+  }
   if (options?.presignedUrlHosts) {
     const base = defaultPresignedUrlPolicy();
     config.presignedUrlPolicy = {
@@ -5464,10 +5834,12 @@ var KSeFClient;
 var init_client = __esm({
   "src/client.ts"() {
     "use strict";
+    init_cjs_shims();
     init_config();
     init_rest_client();
     init_retry_policy();
     init_rate_limit_policy();
+    init_circuit_breaker_policy();
     init_presigned_url_policy();
     init_auth_manager();
     init_auth();
@@ -5621,6 +5993,7 @@ __export(index_exports, {
   CertificateFingerprint: () => CertificateFingerprint,
   CertificateName: () => CertificateName,
   CertificateService: () => CertificateService,
+  CircuitBreakerPolicy: () => CircuitBreakerPolicy,
   CryptographyService: () => CryptographyService,
   DEFAULT_FORM_CODE: () => DEFAULT_FORM_CODE,
   DISCOURAGED_UNICODE_RANGES: () => DISCOURAGED_UNICODE_RANGES,
@@ -5630,6 +6003,7 @@ __export(index_exports, {
   EntityPermissionGrantBuilder: () => EntityPermissionGrantBuilder,
   Environment: () => Environment,
   FAKTURA_NAMESPACE: () => FAKTURA_NAMESPACE,
+  FA_XSD_PATHS: () => FA_XSD_PATHS,
   FORM_CODES: () => FORM_CODES,
   FORM_CODE_KEYS: () => FORM_CODE_KEYS,
   FileHwmStore: () => FileHwmStore,
@@ -5648,6 +6022,7 @@ __export(index_exports, {
   KSeFAuthStatusError: () => KSeFAuthStatusError,
   KSeFBadRequestError: () => KSeFBadRequestError,
   KSeFBatchTimeoutError: () => KSeFBatchTimeoutError,
+  KSeFCircuitOpenError: () => KSeFCircuitOpenError,
   KSeFClient: () => KSeFClient,
   KSeFError: () => KSeFError,
   KSeFErrorCode: () => KSeFErrorCode,
@@ -5657,6 +6032,7 @@ __export(index_exports, {
   KSeFSessionExpiredError: () => KSeFSessionExpiredError,
   KSeFUnauthorizedError: () => KSeFUnauthorizedError,
   KSeFValidationError: () => KSeFValidationError,
+  KSeFXsdValidationError: () => KSeFXsdValidationError,
   KsefNumber: () => KsefNumber,
   KsefNumberV35: () => KsefNumberV35,
   KsefNumberV36: () => KsefNumberV36,
@@ -5668,6 +6044,7 @@ __export(index_exports, {
   OfflineInvoiceWorkflow: () => OfflineInvoiceWorkflow,
   OnlineSessionService: () => OnlineSessionService,
   PEF_NAMESPACE: () => PEF_NAMESPACE,
+  PEF_XSD_PATHS: () => PEF_XSD_PATHS,
   PERMISSION_DESCRIPTION_MAX_LENGTH: () => PERMISSION_DESCRIPTION_MAX_LENGTH,
   PERMISSION_DESCRIPTION_MIN_LENGTH: () => PERMISSION_DESCRIPTION_MIN_LENGTH,
   PeppolId: () => PeppolId,
@@ -5715,6 +6092,7 @@ __export(index_exports, {
   createZip: () => createZip,
   decodeJwtPayload: () => decodeJwtPayload,
   deduplicateByKsefNumber: () => deduplicateByKsefNumber,
+  defaultCircuitBreakerPolicy: () => defaultCircuitBreakerPolicy,
   defaultPresignedUrlPolicy: () => defaultPresignedUrlPolicy,
   defaultRateLimitPolicy: () => defaultRateLimitPolicy,
   defaultRetryPolicy: () => defaultRetryPolicy,
@@ -5751,6 +6129,7 @@ __export(index_exports, {
   isValidReferenceNumber: () => isValidReferenceNumber,
   isValidSha256Base64: () => isValidSha256Base64,
   isValidVatUe: () => isValidVatUe,
+  libxmljsAvailable: () => libxmljsAvailable,
   nextBusinessDay: () => nextBusinessDay,
   openOnlineSession: () => openOnlineSession,
   openSendAndClose: () => openSendAndClose,
@@ -5762,6 +6141,7 @@ __export(index_exports, {
   parseXml: () => parseXml,
   pollUntil: () => pollUntil,
   resolveOptions: () => resolveOptions,
+  resolveXsdFor: () => resolveXsdFor,
   resumeOnlineSession: () => resumeOnlineSession,
   runWithConcurrency: () => runWithConcurrency,
   serializeInvoiceXml: () => serializeInvoiceXml,
@@ -5776,6 +6156,7 @@ __export(index_exports, {
   uploadBatchStream: () => uploadBatchStream,
   uploadBatchStreamParsed: () => uploadBatchStreamParsed,
   validate: () => validate,
+  validateAgainstXsd: () => validateAgainstXsd,
   validateBatch: () => validateBatch,
   validateBusinessRules: () => validateBusinessRules,
   validateCharValidity: () => validateCharValidity,
@@ -5787,10 +6168,12 @@ __export(index_exports, {
   xmlToObject: () => xmlToObject
 });
 module.exports = __toCommonJS(index_exports);
+init_cjs_shims();
 init_config();
 init_errors();
 
 // src/http/index.ts
+init_cjs_shims();
 init_route_builder();
 init_rest_request();
 init_rest_client();
@@ -5798,14 +6181,17 @@ init_routes();
 init_transport();
 init_retry_policy();
 init_rate_limit_policy();
+init_circuit_breaker_policy();
 init_auth_manager();
 init_presigned_url_policy();
 init_ksef_feature();
 
 // src/validation/index.ts
+init_cjs_shims();
 init_patterns();
 
 // src/validation/constraints.ts
+init_cjs_shims();
 var REQUIRED_CHALLENGE_LENGTH = 36;
 var CERTIFICATE_NAME_MIN_LENGTH = 5;
 var CERTIFICATE_NAME_MAX_LENGTH = 100;
@@ -5820,10 +6206,218 @@ init_schema_registry();
 init_invoice_validator();
 init_char_validity();
 
+// src/validation/xsd-validator.ts
+init_cjs_shims();
+var import_node_module = require("node:module");
+var fs = __toESM(require("node:fs"), 1);
+var path = __toESM(require("node:path"), 1);
+var import_node_url = require("node:url");
+var cachedPkgRoot = null;
+function locatePackageRoot() {
+  if (cachedPkgRoot !== null) return cachedPkgRoot;
+  let dir = path.dirname((0, import_node_url.fileURLToPath)(importMetaUrl));
+  const root = path.parse(dir).root;
+  while (dir !== root) {
+    const candidate = path.join(dir, "docs", "schemas");
+    if (fs.existsSync(candidate)) {
+      cachedPkgRoot = dir;
+      return dir;
+    }
+    dir = path.dirname(dir);
+  }
+  throw new Error("Could not locate ksef-client-ts package root (docs/schemas not found).");
+}
+var XSD_RELATIVE = {
+  FA2: ["FA", "schemat_FA(2)_v1-0E.xsd"],
+  FA3: ["FA", "schemat_FA(3)_v1-0E.xsd"],
+  PEF: ["PEF", "Schemat_PEF(3)_v2-1.xsd"],
+  PEF_KOR: ["PEF", "Schemat_PEF_KOR(3)_v2-1.xsd"]
+};
+var FA_XSD_PATHS = {
+  get FA2() {
+    return resolveXsdFor("FA2");
+  },
+  get FA3() {
+    return resolveXsdFor("FA3");
+  }
+};
+var PEF_XSD_PATHS = {
+  get PEF() {
+    return resolveXsdFor("PEF");
+  },
+  get PEF_KOR() {
+    return resolveXsdFor("PEF_KOR");
+  }
+};
+function resolveXsdFor(schema) {
+  const rel = XSD_RELATIVE[schema];
+  if (!rel) throw new Error(`Unknown invoice schema: ${String(schema)}`);
+  return path.join(locatePackageRoot(), "docs", "schemas", ...rel);
+}
+var requireModule = (0, import_node_module.createRequire)(importMetaUrl);
+var libxmljs = null;
+var libxmljsLoadError = null;
+try {
+  libxmljs = requireModule("libxmljs2");
+} catch (err) {
+  const code = err?.code;
+  if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") {
+    libxmljs = null;
+  } else {
+    libxmljs = null;
+    libxmljsLoadError = err instanceof Error ? err : new Error(String(err));
+  }
+}
+var libxmljsAvailable = libxmljs !== null;
+var MISSING_LIBXMLJS_MESSAGE_PREFIX = "libxmljs2 is not installed";
+var EXTERNAL_STRUKTURY_DANYCH_URL = /schemaLocation="http:\/\/crd\.gov\.pl\/xml\/schematy\/dziedzinowe\/mf\/2022\/01\/05\/eD\/DefinicjeTypy\/StrukturyDanych_v10-0E\.xsd"/;
+function rewriteSchemaLocations(xsdContent) {
+  if (!EXTERNAL_STRUKTURY_DANYCH_URL.test(xsdContent)) {
+    return xsdContent;
+  }
+  const bazoweStrukturyPath = path.join(
+    locatePackageRoot(),
+    "docs",
+    "schemas",
+    "FA",
+    "bazowe",
+    "StrukturyDanych_v10-0E.xsd"
+  );
+  const bazoweStrukturyUrl = (0, import_node_url.pathToFileURL)(bazoweStrukturyPath).href;
+  const rewritten = xsdContent.replace(
+    EXTERNAL_STRUKTURY_DANYCH_URL,
+    `schemaLocation="${bazoweStrukturyUrl}"`
+  );
+  if (rewritten === xsdContent) {
+    throw new Error(
+      "FA XSD schemaLocation rewrite produced no replacement despite URL being present; regex likely out of sync with docs/schemas/FA/. Re-check after `yarn sync-schemas`."
+    );
+  }
+  return rewritten;
+}
+function validateAgainstXsd(xml, xsdPath) {
+  if (!libxmljs) {
+    const loadSuffix = libxmljsLoadError ? ` (load failed: ${libxmljsLoadError.message})` : "";
+    throw new Error(
+      `${MISSING_LIBXMLJS_MESSAGE_PREFIX}${loadSuffix}; cannot run XSD validation. Install it as an optional peer dependency (e.g. \`yarn add -O libxmljs2\` or \`npm i -O libxmljs2\`).`
+    );
+  }
+  const xsdDir = path.dirname(xsdPath);
+  const rawXsd = fs.readFileSync(xsdPath, "utf8");
+  const rewrittenXsd = rewriteSchemaLocations(rawXsd);
+  const baseUrl = (0, import_node_url.pathToFileURL)(xsdDir + path.sep).href;
+  let schemaDoc;
+  try {
+    schemaDoc = libxmljs.parseXml(rewrittenXsd, { baseUrl });
+  } catch (err) {
+    return { valid: false, errors: [`XSD parse failed: ${err.message}`] };
+  }
+  let xmlDoc;
+  try {
+    xmlDoc = libxmljs.parseXml(xml);
+  } catch (err) {
+    return { valid: false, errors: [`XML parse failed: ${err.message}`] };
+  }
+  const valid = xmlDoc.validate(schemaDoc);
+  const errors = valid ? [] : xmlDoc.validationErrors.map((err) => err.message.trim());
+  return { valid, errors };
+}
+
+// src/models/index.ts
+init_cjs_shims();
+
+// src/models/common.ts
+init_cjs_shims();
+
+// src/models/auth/index.ts
+init_cjs_shims();
+
+// src/models/auth/types.ts
+init_cjs_shims();
+
+// src/models/auth/active-sessions-types.ts
+init_cjs_shims();
+
+// src/models/sessions/index.ts
+init_cjs_shims();
+
+// src/models/sessions/online-types.ts
+init_cjs_shims();
+
+// src/models/sessions/batch-types.ts
+init_cjs_shims();
+
+// src/models/sessions/status-types.ts
+init_cjs_shims();
+
+// src/models/sessions/session-state.ts
+init_cjs_shims();
+
+// src/models/invoices/index.ts
+init_cjs_shims();
+
+// src/models/invoices/types.ts
+init_cjs_shims();
+
+// src/models/permissions/index.ts
+init_cjs_shims();
+
+// src/models/permissions/types.ts
+init_cjs_shims();
+
+// src/models/tokens/index.ts
+init_cjs_shims();
+
+// src/models/tokens/types.ts
+init_cjs_shims();
+
+// src/models/certificates/index.ts
+init_cjs_shims();
+
+// src/models/certificates/types.ts
+init_cjs_shims();
+
+// src/models/lighthouse/index.ts
+init_cjs_shims();
+
+// src/models/lighthouse/types.ts
+init_cjs_shims();
+
+// src/models/limits/index.ts
+init_cjs_shims();
+
+// src/models/limits/types.ts
+init_cjs_shims();
+
+// src/models/peppol/index.ts
+init_cjs_shims();
+
+// src/models/peppol/types.ts
+init_cjs_shims();
+
+// src/models/test-data/index.ts
+init_cjs_shims();
+
+// src/models/test-data/types.ts
+init_cjs_shims();
+
+// src/models/crypto/index.ts
+init_cjs_shims();
+
+// src/models/crypto/types.ts
+init_cjs_shims();
+
+// src/models/qrcode/index.ts
+init_cjs_shims();
+
+// src/models/qrcode/types.ts
+init_cjs_shims();
+
 // src/models/index.ts
 init_document_structures();
 
 // src/services/index.ts
+init_cjs_shims();
 init_auth();
 init_active_sessions();
 init_online_session();
@@ -5838,7 +6432,11 @@ init_limits();
 init_peppol();
 init_test_data();
 
+// src/builders/index.ts
+init_cjs_shims();
+
 // src/builders/auth-token-request.ts
+init_cjs_shims();
 init_ksef_validation_error();
 var AuthTokenRequestBuilder = class {
   challenge;
@@ -5893,6 +6491,7 @@ var AuthTokenRequestBuilder = class {
 };
 
 // src/builders/auth-ksef-token-request.ts
+init_cjs_shims();
 init_ksef_validation_error();
 var AuthKsefTokenRequestBuilder = class {
   challenge;
@@ -5947,6 +6546,7 @@ var AuthKsefTokenRequestBuilder = class {
 };
 
 // src/builders/invoice-query-filter.ts
+init_cjs_shims();
 init_ksef_validation_error();
 var InvoiceQueryFilterBuilder = class {
   subjectType;
@@ -6043,7 +6643,11 @@ var InvoiceQueryFilterBuilder = class {
   }
 };
 
+// src/builders/permissions/index.ts
+init_cjs_shims();
+
 // src/builders/permissions/person-permission.ts
+init_cjs_shims();
 init_ksef_validation_error();
 var PersonPermissionGrantBuilder = class {
   subjectIdentifier;
@@ -6093,6 +6697,7 @@ var PersonPermissionGrantBuilder = class {
 };
 
 // src/builders/permissions/entity-permission.ts
+init_cjs_shims();
 init_ksef_validation_error();
 var EntityPermissionGrantBuilder = class {
   nip;
@@ -6142,6 +6747,7 @@ var EntityPermissionGrantBuilder = class {
 };
 
 // src/builders/permissions/authorization-permission.ts
+init_cjs_shims();
 init_ksef_validation_error();
 var AuthorizationPermissionGrantBuilder = class {
   _subjectIdentifier;
@@ -6187,7 +6793,8 @@ var AuthorizationPermissionGrantBuilder = class {
 };
 
 // src/builders/batch-file.ts
-var crypto = __toESM(require("crypto"), 1);
+init_cjs_shims();
+var crypto = __toESM(require("node:crypto"), 1);
 init_ksef_validation_error();
 var BATCH_MAX_PART_SIZE = 1e8;
 var BATCH_MAX_TOTAL_SIZE = 5e9;
@@ -6357,12 +6964,14 @@ function sha256Base64(data) {
 }
 
 // src/crypto/index.ts
+init_cjs_shims();
 init_certificate_fetcher();
 init_cryptography_service();
 init_signature_service();
 
 // src/crypto/certificate-service.ts
-var crypto4 = __toESM(require("crypto"), 1);
+init_cjs_shims();
+var crypto4 = __toESM(require("node:crypto"), 1);
 var x5092 = __toESM(require("@peculiar/x509"), 1);
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
@@ -6447,9 +7056,11 @@ init_pkcs12_loader();
 init_auth_xml_builder();
 
 // src/qr/index.ts
+init_cjs_shims();
 init_verification_link_service();
 
 // src/qr/qrcode-service.ts
+init_cjs_shims();
 var QRCode = __toESM(require("qrcode"), 1);
 var QrCodeService = class _QrCodeService {
   static async generateQrCode(url, options) {
@@ -6509,11 +7120,13 @@ function escapeXml2(str) {
 }
 
 // src/utils/index.ts
+init_cjs_shims();
 init_zip();
 init_jwt();
 
 // src/utils/hash.ts
-var import_node_crypto2 = __toESM(require("crypto"), 1);
+init_cjs_shims();
+var import_node_crypto2 = __toESM(require("node:crypto"), 1);
 function sha256Base642(data) {
   return import_node_crypto2.default.createHash("sha256").update(data).digest("base64");
 }
@@ -6524,7 +7137,11 @@ function verifyHash(data, expectedHash) {
 // src/utils/index.ts
 init_concurrency();
 
+// src/workflows/index.ts
+init_cjs_shims();
+
 // src/workflows/polling.ts
+init_cjs_shims();
 async function pollUntil(action, condition, options) {
   const intervalMs = options?.intervalMs ?? 2e3;
   const maxAttempts = options?.maxAttempts ?? 60;
@@ -6542,13 +7159,18 @@ async function pollUntil(action, condition, options) {
 }
 
 // src/workflows/online-session-workflow.ts
+init_cjs_shims();
 init_ksef_session_expired_error();
 init_auth_manager();
 init_online_session();
 init_session_status();
 init_document_structures();
 
+// src/xml/index.ts
+init_cjs_shims();
+
 // src/xml/upo-parser.ts
+init_cjs_shims();
 var import_fast_xml_parser = require("fast-xml-parser");
 init_ksef_validation_error();
 function isRecord(value) {
@@ -6667,6 +7289,7 @@ function parseUpoXml(xml) {
 }
 
 // src/xml/invoice-field-extractor.ts
+init_cjs_shims();
 var import_fast_xml_parser2 = require("fast-xml-parser");
 var invoiceParser = new import_fast_xml_parser2.XMLParser({
   ignoreAttributes: false,
@@ -6707,6 +7330,7 @@ function nonEmptyString(value) {
 }
 
 // src/xml/xml-engine.ts
+init_cjs_shims();
 var import_fast_xml_parser3 = require("fast-xml-parser");
 var XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n';
 var parser = new import_fast_xml_parser3.XMLParser({
@@ -6749,17 +7373,18 @@ function prependDeclaration(xml) {
 function parseXml(xml) {
   return parser.parse(xml);
 }
-function buildXml(document) {
-  return prependDeclaration(builder.build(document));
+function buildXml(document2) {
+  return prependDeclaration(builder.build(document2));
 }
-function buildXmlFromObject(document, options) {
-  return prependDeclaration(createObjectBuilder(options?.pretty).build(document));
+function buildXmlFromObject(document2, options) {
+  return prependDeclaration(createObjectBuilder(options?.pretty).build(document2));
 }
 function stripBom(input) {
   return input.charCodeAt(0) === 65279 ? input.slice(1) : input;
 }
 
 // src/xml/order-map.ts
+init_cjs_shims();
 var ORDER_MAP = {
   Faktura: ["Naglowek", "Podmiot1", "Podmiot2", "Podmiot3", "Fa", "Stopka"],
   Naglowek: ["KodFormularza", "WariantFormularza", "DataWytworzeniaFa", "SystemInfo"],
@@ -6958,6 +7583,7 @@ function orderXmlObject(value, contextKey) {
 }
 
 // src/xml/faktura-builder.ts
+init_cjs_shims();
 var FAKTURA_NAMESPACE = {
   FA2: "http://crd.gov.pl/wzor/2023/06/29/12648/",
   FA3: "http://crd.gov.pl/wzor/2025/06/25/13775/"
@@ -7027,14 +7653,14 @@ function buildFakturaXml(faktura, options = {}) {
   const etdNamespace = options.etdNamespace ?? ETD_NAMESPACE[schema];
   const normalized = normalizeTopLevel(faktura);
   const ordered = orderXmlObject(normalized, "Faktura");
-  const document = {
+  const document2 = {
     Faktura: {
       ...ordered,
       "@_xmlns": fakturaNamespace,
       "@_xmlns:etd": etdNamespace
     }
   };
-  return buildXmlFromObject(document, { pretty: options.pretty });
+  return buildXmlFromObject(document2, { pretty: options.pretty });
 }
 function isFakturaInput(input) {
   if (!isObject2(input)) return false;
@@ -7045,6 +7671,7 @@ function isFakturaInput(input) {
 }
 
 // src/xml/pef-builder.ts
+init_cjs_shims();
 init_ksef_validation_error();
 var PEF_NAMESPACE = {
   PEF: "urn:oasis:names:specification:ubl:schema:xsd:Invoice-2",
@@ -7109,7 +7736,7 @@ function buildPefXml(input, options = {}) {
     "@_xmlns:cbc-pl": UBL_CBC_PL_NS,
     "@_xmlns:cac-pl": UBL_CAC_PL_NS
   };
-  const document = "Invoice" in input ? {
+  const document2 = "Invoice" in input ? {
     Invoice: {
       ...input.Invoice,
       "@_xmlns": PEF_NAMESPACE.PEF,
@@ -7122,10 +7749,11 @@ function buildPefXml(input, options = {}) {
       ...commonNamespaces
     }
   };
-  return buildXmlFromObject(document, { pretty: options.pretty });
+  return buildXmlFromObject(document2, { pretty: options.pretty });
 }
 
 // src/xml/invoice-serializer.ts
+init_cjs_shims();
 init_ksef_validation_error();
 var FAKTURA_SCHEMAS = /* @__PURE__ */ new Set(["FA2", "FA3"]);
 var PEF_SCHEMAS = /* @__PURE__ */ new Set(["PEF", "PEF_KOR"]);
@@ -7220,8 +7848,8 @@ function serializeInvoiceXml(input, options) {
     "Unsupported invoice input type: expected Buffer, string, XmlDocument, FakturaInput, or PefUblDocumentInput."
   );
 }
-function buildRawXmlString(document, options) {
-  return buildXmlFromObject(document, options);
+function buildRawXmlString(document2, options) {
+  return buildXmlFromObject(document2, options);
 }
 
 // src/workflows/online-session-workflow.ts
@@ -7361,6 +7989,7 @@ async function openSendAndClose(client, invoices, options) {
 }
 
 // src/workflows/batch-session-workflow.ts
+init_cjs_shims();
 init_document_structures();
 async function uploadBatch(client, zipData, options) {
   if (options?.parallelism !== void 0 && (!Number.isInteger(options.parallelism) || options.parallelism < 1)) {
@@ -7499,6 +8128,7 @@ async function uploadBatchParsed(client, zipData, options) {
 }
 
 // src/workflows/invoice-export-workflow.ts
+init_cjs_shims();
 init_zip();
 async function doExport(client, filters, options) {
   await client.crypto.init();
@@ -7571,7 +8201,11 @@ async function exportAndDownload(client, filters, options) {
   };
 }
 
+// src/workflows/incremental-export-workflow.ts
+init_cjs_shims();
+
 // src/workflows/hwm-coordinator.ts
+init_cjs_shims();
 function updateContinuationPoint(points, subjectType, pkg) {
   if (pkg.isTruncated && pkg.lastPermanentStorageDate) {
     points[subjectType] = pkg.lastPermanentStorageDate;
@@ -7669,7 +8303,8 @@ function buildDefaultFilters(subjectType, from, to) {
 }
 
 // src/workflows/hwm-storage.ts
-var fs = __toESM(require("fs/promises"), 1);
+init_cjs_shims();
+var fs2 = __toESM(require("node:fs/promises"), 1);
 var InMemoryHwmStore = class {
   points = {};
   async load() {
@@ -7685,7 +8320,7 @@ var FileHwmStore = class {
   }
   async load() {
     try {
-      const data = await fs.readFile(this.filePath, "utf-8");
+      const data = await fs2.readFile(this.filePath, "utf-8");
       return JSON.parse(data);
     } catch (err) {
       if (err.code === "ENOENT") {
@@ -7695,11 +8330,12 @@ var FileHwmStore = class {
     }
   }
   async save(points) {
-    await fs.writeFile(this.filePath, JSON.stringify(points, null, 2), "utf-8");
+    await fs2.writeFile(this.filePath, JSON.stringify(points, null, 2), "utf-8");
   }
 };
 
 // src/workflows/auth-workflow.ts
+init_cjs_shims();
 init_auth_xml_builder();
 async function authenticateWithToken(client, options) {
   const challenge = await client.auth.getChallenge();
@@ -7796,10 +8432,12 @@ async function authenticateWithPkcs12(client, options) {
 }
 
 // src/offline/index.ts
+init_cjs_shims();
 init_deadline();
 init_holidays();
 
 // src/offline/storage.ts
+init_cjs_shims();
 function matchesFilter(invoice, filter) {
   if (filter.status !== void 0) {
     const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
@@ -7838,12 +8476,13 @@ var InMemoryOfflineInvoiceStorage = class {
 };
 
 // src/offline/file-storage.ts
-var fs2 = __toESM(require("fs/promises"), 1);
-var path = __toESM(require("path"), 1);
-var os = __toESM(require("os"), 1);
+init_cjs_shims();
+var fs3 = __toESM(require("node:fs/promises"), 1);
+var path2 = __toESM(require("node:path"), 1);
+var os = __toESM(require("node:os"), 1);
 function resolveDir(dir) {
   if (dir === "~" || dir.startsWith("~/")) {
-    return path.join(os.homedir(), dir.slice(1));
+    return path2.join(os.homedir(), dir.slice(1));
   }
   return dir;
 }
@@ -7859,23 +8498,23 @@ var FileOfflineInvoiceStorage = class {
     this.dir = resolveDir(directory ?? "~/.ksef/offline");
   }
   async ensureDir() {
-    await fs2.mkdir(this.dir, { recursive: true });
+    await fs3.mkdir(this.dir, { recursive: true });
   }
   filePath(id) {
     validateId(id);
-    return path.join(this.dir, `${id}.json`);
+    return path2.join(this.dir, `${id}.json`);
   }
   async save(invoice) {
     await this.ensureDir();
     const file = this.filePath(invoice.id);
     const tmp = `${file}.tmp`;
-    await fs2.writeFile(tmp, JSON.stringify(invoice, null, 2));
-    await fs2.rename(tmp, file);
+    await fs3.writeFile(tmp, JSON.stringify(invoice, null, 2));
+    await fs3.rename(tmp, file);
   }
   async get(id) {
     const file = this.filePath(id);
     try {
-      return JSON.parse(await fs2.readFile(file, "utf-8"));
+      return JSON.parse(await fs3.readFile(file, "utf-8"));
     } catch (err) {
       if (err instanceof Error && "code" in err && err.code === "ENOENT") {
         return null;
@@ -7887,7 +8526,7 @@ var FileOfflineInvoiceStorage = class {
   async list(filter) {
     let files;
     try {
-      files = (await fs2.readdir(this.dir)).filter((f) => f.endsWith(".json"));
+      files = (await fs3.readdir(this.dir)).filter((f) => f.endsWith(".json"));
     } catch {
       return [];
     }
@@ -7895,7 +8534,7 @@ var FileOfflineInvoiceStorage = class {
     for (const file of files) {
       try {
         const data = JSON.parse(
-          await fs2.readFile(path.join(this.dir, file), "utf-8")
+          await fs3.readFile(path2.join(this.dir, file), "utf-8")
         );
         if (!filter || matchesFilter(data, filter)) {
           results.push(data);
@@ -7921,7 +8560,7 @@ var FileOfflineInvoiceStorage = class {
   async delete(id) {
     const file = this.filePath(id);
     try {
-      await fs2.unlink(file);
+      await fs3.unlink(file);
     } catch (e) {
       if (e instanceof Error && "code" in e && e.code !== "ENOENT") throw e;
     }
@@ -7951,6 +8590,7 @@ init_client();
   CertificateFingerprint,
   CertificateName,
   CertificateService,
+  CircuitBreakerPolicy,
   CryptographyService,
   DEFAULT_FORM_CODE,
   DISCOURAGED_UNICODE_RANGES,
@@ -7960,6 +8600,7 @@ init_client();
   EntityPermissionGrantBuilder,
   Environment,
   FAKTURA_NAMESPACE,
+  FA_XSD_PATHS,
   FORM_CODES,
   FORM_CODE_KEYS,
   FileHwmStore,
@@ -7978,6 +8619,7 @@ init_client();
   KSeFAuthStatusError,
   KSeFBadRequestError,
   KSeFBatchTimeoutError,
+  KSeFCircuitOpenError,
   KSeFClient,
   KSeFError,
   KSeFErrorCode,
@@ -7987,6 +8629,7 @@ init_client();
   KSeFSessionExpiredError,
   KSeFUnauthorizedError,
   KSeFValidationError,
+  KSeFXsdValidationError,
   KsefNumber,
   KsefNumberV35,
   KsefNumberV36,
@@ -7998,6 +8641,7 @@ init_client();
   OfflineInvoiceWorkflow,
   OnlineSessionService,
   PEF_NAMESPACE,
+  PEF_XSD_PATHS,
   PERMISSION_DESCRIPTION_MAX_LENGTH,
   PERMISSION_DESCRIPTION_MIN_LENGTH,
   PeppolId,
@@ -8045,6 +8689,7 @@ init_client();
   createZip,
   decodeJwtPayload,
   deduplicateByKsefNumber,
+  defaultCircuitBreakerPolicy,
   defaultPresignedUrlPolicy,
   defaultRateLimitPolicy,
   defaultRetryPolicy,
@@ -8081,6 +8726,7 @@ init_client();
   isValidReferenceNumber,
   isValidSha256Base64,
   isValidVatUe,
+  libxmljsAvailable,
   nextBusinessDay,
   openOnlineSession,
   openSendAndClose,
@@ -8092,6 +8738,7 @@ init_client();
   parseXml,
   pollUntil,
   resolveOptions,
+  resolveXsdFor,
   resumeOnlineSession,
   runWithConcurrency,
   serializeInvoiceXml,
@@ -8106,6 +8753,7 @@ init_client();
   uploadBatchStream,
   uploadBatchStreamParsed,
   validate,
+  validateAgainstXsd,
   validateBatch,
   validateBusinessRules,
   validateCharValidity,