npm - ksef-client-ts - Versions diffs - 0.7.0 → 0.7.2-alpha.0 - Mend

ksef-client-ts 0.7.0 → 0.7.2-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/README.md +2 -1
package/dist/cli.js +1717 -333
package/dist/cli.js.map +1 -1
package/dist/index.cjs +733 -85
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +77 -2
package/dist/index.d.ts +77 -2
package/dist/index.js +711 -75
package/dist/index.js.map +1 -1
package/docs/schemas/FA/bazowe/ElementarneTypyDanych_v10-0E.xsd +1 -0
package/docs/schemas/FA/bazowe/KodyKrajow_v10-0E.xsd +1283 -0
package/docs/schemas/FA/bazowe/StrukturyDanych_v10-0E.xsd +1 -0
package/docs/schemas/FA/schemat_FA(2)_v1-0E.xsd +3661 -0
package/docs/schemas/FA/schemat_FA(3)_v1-0E.xsd +3950 -0
package/docs/schemas/PEF/Schemat_PEF(3)_v2-1.xsd +977 -0
package/docs/schemas/PEF/Schemat_PEF_KOR(3)_v2-1.xsd +926 -0
package/docs/schemas/PEF/bazowe/20241206_PEFPL-CommonAggregateComponents-2.1-v1.4.34.xsd +428 -0
package/docs/schemas/PEF/bazowe/20241206_PEFPL-CommonBasicComponents-2.1-v1.4.34.xsd +65 -0
package/docs/schemas/PEF/bazowe/CCTS_CCT_SchemaModule-2.1.xsd +731 -0
package/docs/schemas/PEF/bazowe/UBL-CommonAggregateComponents-2.1.xsd +39799 -0
package/docs/schemas/PEF/bazowe/UBL-CommonBasicComponents-2.1.xsd +5389 -0
package/docs/schemas/PEF/bazowe/UBL-CommonExtensionComponents-2.1.xsd +223 -0
package/docs/schemas/PEF/bazowe/UBL-CommonSignatureComponents-2.1.xsd +101 -0
package/docs/schemas/PEF/bazowe/UBL-ExtensionContentDataType-2.1.xsd +89 -0
package/docs/schemas/PEF/bazowe/UBL-QualifiedDataTypes-2.1.xsd +69 -0
package/docs/schemas/PEF/bazowe/UBL-SignatureAggregateComponents-2.1.xsd +138 -0
package/docs/schemas/PEF/bazowe/UBL-SignatureBasicComponents-2.1.xsd +78 -0
package/docs/schemas/PEF/bazowe/UBL-UnqualifiedDataTypes-2.1.xsd +553 -0
package/docs/schemas/PEF/bazowe/UBL-XAdESv132-2.1.xsd +476 -0
package/docs/schemas/PEF/bazowe/UBL-XAdESv141-2.1.xsd +25 -0
package/docs/schemas/PEF/bazowe/UBL-xmldsig-core-schema-2.1.xsd +323 -0
package/docs/schemas/PEF/bazowe/commontypes.xsd +735 -0
package/docs/schemas/PEF/bazowe/isotypes.xsd +3158 -0
package/docs/schemas/RR/schemat_FA_RR(1)_v1-1E.xsd +2188 -0
package/docs/schemas/RR/schemat_RR(1)_v1-0E.xsd +2188 -0
package/docs/schemas/RR/schemat_RR(1)_v1-1E.xsd +2188 -0
package/package.json +12 -2

package/dist/index.js CHANGED Viewed

@@ -8,11 +8,19 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
+// node_modules/tsup/assets/esm_shims.js
+var init_esm_shims = __esm({
+  "node_modules/tsup/assets/esm_shims.js"() {
+    "use strict";
+  }
+});
 // src/config/environments.ts
 var Environment;
 var init_environments = __esm({
   "src/config/environments.ts"() {
     "use strict";
+    init_esm_shims();
     Environment = {
       TEST: {
         apiUrl: "https://api-test.ksef.mf.gov.pl",
@@ -51,6 +59,7 @@ var DEFAULT_API_VERSION, DEFAULT_TIMEOUT;
 var init_options = __esm({
   "src/config/options.ts"() {
     "use strict";
+    init_esm_shims();
     init_environments();
     DEFAULT_API_VERSION = "v2";
     DEFAULT_TIMEOUT = 3e4;
@@ -61,6 +70,7 @@ var init_options = __esm({
 var init_config = __esm({
   "src/config/index.ts"() {
     "use strict";
+    init_esm_shims();
     init_environments();
     init_options();
   }
@@ -71,6 +81,7 @@ var KSeFError;
 var init_ksef_error = __esm({
   "src/errors/ksef-error.ts"() {
     "use strict";
+    init_esm_shims();
     KSeFError = class extends Error {
       constructor(message) {
         super(message);
@@ -85,6 +96,7 @@ var KSeFApiError;
 var init_ksef_api_error = __esm({
   "src/errors/ksef-api-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_error();
     KSeFApiError = class _KSeFApiError extends KSeFError {
       statusCode;
@@ -112,6 +124,7 @@ var KSeFRateLimitError;
 var init_ksef_rate_limit_error = __esm({
   "src/errors/ksef-rate-limit-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_api_error();
     KSeFRateLimitError = class _KSeFRateLimitError extends KSeFApiError {
       statusCode = 429;
@@ -162,6 +175,7 @@ var KSeFUnauthorizedError;
 var init_ksef_unauthorized_error = __esm({
   "src/errors/ksef-unauthorized-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_api_error();
     KSeFUnauthorizedError = class extends KSeFApiError {
       statusCode = 401;
@@ -194,6 +208,7 @@ var KSeFForbiddenError;
 var init_ksef_forbidden_error = __esm({
   "src/errors/ksef-forbidden-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_api_error();
     KSeFForbiddenError = class extends KSeFApiError {
       statusCode = 403;
@@ -232,6 +247,7 @@ var KSeFGoneError;
 var init_ksef_gone_error = __esm({
   "src/errors/ksef-gone-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_api_error();
     KSeFGoneError = class extends KSeFApiError {
       statusCode = 410;
@@ -264,6 +280,7 @@ var KSeFBadRequestError;
 var init_ksef_bad_request_error = __esm({
   "src/errors/ksef-bad-request-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_api_error();
     KSeFBadRequestError = class extends KSeFApiError {
       statusCode = 400;
@@ -299,6 +316,7 @@ var KSeFAuthStatusError;
 var init_ksef_auth_status_error = __esm({
   "src/errors/ksef-auth-status-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_error();
     KSeFAuthStatusError = class extends KSeFError {
       referenceNumber;
@@ -318,6 +336,7 @@ var KSeFSessionExpiredError;
 var init_ksef_session_expired_error = __esm({
   "src/errors/ksef-session-expired-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_error();
     KSeFSessionExpiredError = class extends KSeFError {
       constructor(message = "KSeF session has expired") {
@@ -337,6 +356,7 @@ var KSeFValidationError;
 var init_ksef_validation_error = __esm({
   "src/errors/ksef-validation-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_error();
     KSeFValidationError = class _KSeFValidationError extends KSeFError {
       details;
@@ -364,6 +384,7 @@ var KSeFErrorCode;
 var init_error_codes = __esm({
   "src/errors/error-codes.ts"() {
     "use strict";
+    init_esm_shims();
     KSeFErrorCode = {
       BatchTimeout: 21208,
       DuplicateInvoice: 440
@@ -376,6 +397,7 @@ var KSeFBatchTimeoutError;
 var init_ksef_batch_timeout_error = __esm({
   "src/errors/ksef-batch-timeout-error.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_api_error();
     init_error_codes();
     KSeFBatchTimeoutError = class _KSeFBatchTimeoutError extends KSeFApiError {
@@ -395,6 +417,52 @@ var init_ksef_batch_timeout_error = __esm({
   }
 });
+// src/errors/ksef-circuit-open-error.ts
+var KSeFCircuitOpenError;
+var init_ksef_circuit_open_error = __esm({
+  "src/errors/ksef-circuit-open-error.ts"() {
+    "use strict";
+    init_esm_shims();
+    init_ksef_error();
+    KSeFCircuitOpenError = class extends KSeFError {
+      endpoint;
+      openedAt;
+      retryAfterMs;
+      constructor(endpoint, openedAt, retryAfterMs) {
+        super(
+          `Circuit breaker is open for '${endpoint}'. Retry after ${Math.round(retryAfterMs)}ms.`
+        );
+        this.name = "KSeFCircuitOpenError";
+        this.endpoint = endpoint;
+        this.openedAt = openedAt;
+        this.retryAfterMs = retryAfterMs;
+      }
+    };
+  }
+});
+// src/errors/ksef-xsd-validation-error.ts
+var KSeFXsdValidationError;
+var init_ksef_xsd_validation_error = __esm({
+  "src/errors/ksef-xsd-validation-error.ts"() {
+    "use strict";
+    init_esm_shims();
+    init_ksef_error();
+    KSeFXsdValidationError = class extends KSeFError {
+      schemaFile;
+      errors;
+      constructor(schemaFile, errors) {
+        const preview = errors.slice(0, 3).join("; ");
+        const extra = errors.length > 3 ? ` (+${errors.length - 3} more)` : "";
+        super(`XSD validation failed against ${schemaFile}: ${preview}${extra}`);
+        this.name = "KSeFXsdValidationError";
+        this.schemaFile = schemaFile;
+        this.errors = errors;
+      }
+    };
+  }
+});
 // src/errors/assert-never.ts
 function assertNever(value) {
   throw new Error(`Unexpected value: ${String(value)}`);
@@ -402,6 +470,7 @@ function assertNever(value) {
 var init_assert_never = __esm({
   "src/errors/assert-never.ts"() {
     "use strict";
+    init_esm_shims();
   }
 });
@@ -409,6 +478,7 @@ var init_assert_never = __esm({
 var init_errors = __esm({
   "src/errors/index.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_error();
     init_ksef_api_error();
     init_ksef_rate_limit_error();
@@ -420,6 +490,8 @@ var init_errors = __esm({
     init_ksef_session_expired_error();
     init_ksef_validation_error();
     init_ksef_batch_timeout_error();
+    init_ksef_circuit_open_error();
+    init_ksef_xsd_validation_error();
     init_error_codes();
     init_assert_never();
   }
@@ -430,6 +502,7 @@ var RouteBuilder;
 var init_route_builder = __esm({
   "src/http/route-builder.ts"() {
     "use strict";
+    init_esm_shims();
     RouteBuilder = class {
       apiVersion;
       constructor(apiVersion) {
@@ -448,6 +521,7 @@ var RestRequest;
 var init_rest_request = __esm({
   "src/http/rest-request.ts"() {
     "use strict";
+    init_esm_shims();
     RestRequest = class _RestRequest {
       method;
       path;
@@ -456,21 +530,21 @@ var init_rest_request = __esm({
       _query = [];
       _presigned = false;
       _skipAuthRetry = false;
-      constructor(method, path2) {
+      constructor(method, path3) {
         this.method = method;
-        this.path = path2;
+        this.path = path3;
       }
-      static get(path2) {
-        return new _RestRequest("GET", path2);
+      static get(path3) {
+        return new _RestRequest("GET", path3);
       }
-      static post(path2) {
-        return new _RestRequest("POST", path2);
+      static post(path3) {
+        return new _RestRequest("POST", path3);
       }
-      static put(path2) {
-        return new _RestRequest("PUT", path2);
+      static put(path3) {
+        return new _RestRequest("PUT", path3);
       }
-      static delete(path2) {
-        return new _RestRequest("DELETE", path2);
+      static delete(path3) {
+        return new _RestRequest("DELETE", path3);
       }
       body(data) {
         this._body = data;
@@ -524,6 +598,7 @@ var defaultTransport;
 var init_transport = __esm({
   "src/http/transport.ts"() {
     "use strict";
+    init_esm_shims();
     defaultTransport = (url, init) => fetch(url, init);
   }
 });
@@ -573,6 +648,7 @@ var RETRYABLE_ERROR_CODES;
 var init_retry_policy = __esm({
   "src/http/retry-policy.ts"() {
     "use strict";
+    init_esm_shims();
     RETRYABLE_ERROR_CODES = /* @__PURE__ */ new Set([
       "ECONNRESET",
       "ECONNREFUSED",
@@ -663,6 +739,7 @@ var BLOCKED_PARAMS;
 var init_presigned_url_policy = __esm({
   "src/http/presigned-url-policy.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_validation_error();
     BLOCKED_PARAMS = ["redirect", "callback", "return_url", "next"];
   }
@@ -695,6 +772,7 @@ var RestClient;
 var init_rest_client = __esm({
   "src/http/rest-client.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_api_error();
     init_ksef_rate_limit_error();
     init_ksef_unauthorized_error();
@@ -713,6 +791,7 @@ var init_rest_client = __esm({
       transport;
       retryPolicy;
       rateLimitPolicy;
+      circuitBreakerPolicy;
       authManager;
       presignedUrlPolicy;
       constructor(options, config) {
@@ -721,6 +800,7 @@ var init_rest_client = __esm({
         this.transport = config?.transport ?? defaultTransport;
         this.retryPolicy = config?.retryPolicy ?? defaultRetryPolicy();
         this.rateLimitPolicy = config?.rateLimitPolicy ?? null;
+        this.circuitBreakerPolicy = config?.circuitBreakerPolicy ?? null;
         this.authManager = config?.authManager;
         this.presignedUrlPolicy = config?.presignedUrlPolicy;
       }
@@ -745,18 +825,32 @@ var init_rest_client = __esm({
         if (request.isPresigned() && this.presignedUrlPolicy) {
           validatePresignedUrl(url, this.presignedUrlPolicy);
         }
+        let ownsProbeSlot = false;
+        if (this.circuitBreakerPolicy) {
+          const claimed = this.circuitBreakerPolicy.ensureClosed(request.path);
+          if (claimed) ownsProbeSlot = true;
+        }
         if (this.rateLimitPolicy) {
-          await this.rateLimitPolicy.acquire(request.path);
+          try {
+            await this.rateLimitPolicy.acquire(request.path);
+          } catch (error) {
+            if (ownsProbeSlot) this.circuitBreakerPolicy?.releaseProbe(request.path);
+            throw error;
+          }
         }
         let lastError;
         for (let attempt = 0; attempt <= this.retryPolicy.maxRetries; attempt++) {
+          if (this.circuitBreakerPolicy) {
+            const claimed = this.circuitBreakerPolicy.ensureClosed(request.path, ownsProbeSlot);
+            if (claimed) ownsProbeSlot = true;
+          }
           try {
-            const response = await this.doRequest(request, url);
+            let response = await this.doRequest(request, url);
             if (response.status === 401 && this.authManager && attempt === 0 && !request.isSkipAuthRetry()) {
               const newToken = await this.authManager.onUnauthorized();
               if (newToken) {
                 consola.debug("Auth token refreshed, retrying request");
-                return this.doRequest(request, url, newToken);
+                response = await this.doRequest(request, url, newToken);
               }
             }
             if (isRetryableStatus(response.status, this.retryPolicy) && attempt < this.retryPolicy.maxRetries) {
@@ -766,10 +860,17 @@ var init_rest_client = __esm({
               consola.debug(`Retryable ${response.status}, attempt ${attempt + 1}/${this.retryPolicy.maxRetries}, waiting ${Math.round(delayMs)}ms`);
               await sleep(delayMs);
               if (is429 && this.rateLimitPolicy) {
-                await this.rateLimitPolicy.acquire(request.path);
+                try {
+                  await this.rateLimitPolicy.acquire(request.path);
+                } catch (error) {
+                  this.recordCircuitOutcome(request.path, 429);
+                  ownsProbeSlot = false;
+                  throw error;
+                }
               }
               continue;
             }
+            this.recordCircuitOutcome(request.path, response.status);
             return response;
           } catch (error) {
             lastError = error;
@@ -779,11 +880,22 @@ var init_rest_client = __esm({
               await sleep(delayMs);
               continue;
             }
+            if (isRetryableError(error, this.retryPolicy) || ownsProbeSlot) {
+              this.circuitBreakerPolicy?.recordFailure(request.path);
+            }
             throw error;
           }
         }
         throw lastError;
       }
+      recordCircuitOutcome(path3, status) {
+        if (!this.circuitBreakerPolicy) return;
+        if (status >= 500) {
+          this.circuitBreakerPolicy.recordFailure(path3);
+          return;
+        }
+        this.circuitBreakerPolicy.recordSuccess(path3);
+      }
       async doRequest(request, url, overrideToken) {
         const headers = {
           ...this.options.customHeaders,
@@ -819,9 +931,9 @@ var init_rest_client = __esm({
         return response;
       }
       buildUrl(request) {
-        const path2 = this.routeBuilder.build(request.path);
+        const path3 = this.routeBuilder.build(request.path);
         const base = this.options.baseUrl;
-        const url = new URL(`${base}${path2}`);
+        const url = new URL(`${base}${path3}`);
         const query = request.getQuery();
         for (const [key, value] of query) {
           url.searchParams.append(key, value);
@@ -905,6 +1017,7 @@ var Routes;
 var init_routes = __esm({
   "src/http/routes.ts"() {
     "use strict";
+    init_esm_shims();
     Routes = {
       TestData: {
         createSubject: "testdata/subject",
@@ -1037,6 +1150,7 @@ var TokenBucket, RateLimitPolicy;
 var init_rate_limit_policy = __esm({
   "src/http/rate-limit-policy.ts"() {
     "use strict";
+    init_esm_shims();
     TokenBucket = class {
       tokens;
       maxTokens;
@@ -1097,11 +1211,151 @@ var init_rate_limit_policy = __esm({
   }
 });
+// src/http/circuit-breaker-policy.ts
+import { consola as consola2 } from "consola";
+function defaultCircuitBreakerPolicy() {
+  return new CircuitBreakerPolicy();
+}
+var GLOBAL_KEY, CircuitBreakerPolicy;
+var init_circuit_breaker_policy = __esm({
+  "src/http/circuit-breaker-policy.ts"() {
+    "use strict";
+    init_esm_shims();
+    init_ksef_circuit_open_error();
+    GLOBAL_KEY = "__global__";
+    CircuitBreakerPolicy = class _CircuitBreakerPolicy {
+      failureThreshold;
+      openMs;
+      scope;
+      states = /* @__PURE__ */ new Map();
+      constructor(config = {}) {
+        const failureThreshold = config.failureThreshold ?? 5;
+        const openMs = config.openMs ?? 3e4;
+        if (!Number.isInteger(failureThreshold) || failureThreshold <= 0) {
+          throw new RangeError("CircuitBreakerPolicy: failureThreshold must be a positive integer");
+        }
+        if (!Number.isFinite(openMs) || openMs <= 0) {
+          throw new RangeError("CircuitBreakerPolicy: openMs must be > 0");
+        }
+        const scope = config.scope ?? "global";
+        if (scope !== "global" && scope !== "endpoint") {
+          throw new RangeError(
+            "CircuitBreakerPolicy: scope must be 'global' or 'endpoint'"
+          );
+        }
+        this.failureThreshold = failureThreshold;
+        this.openMs = openMs;
+        this.scope = scope;
+      }
+      // Returns true iff this call just claimed the single probe slot for the
+      // caller. The caller MUST pass `alreadyOwnsProbe=true` on subsequent
+      // re-checks for the same logical request (e.g. a retry loop) so the probe
+      // owner cannot deadlock itself on its own in-flight slot.
+      ensureClosed(endpoint, alreadyOwnsProbe = false) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state || state.openedAt === null) return false;
+        const now = performance.now();
+        const elapsed = now - state.openedAt;
+        if (elapsed >= this.openMs) {
+          if (alreadyOwnsProbe) return false;
+          if (state.probeInFlight) {
+            throw new KSeFCircuitOpenError(endpoint, state.openedAt, 0);
+          }
+          state.probeInFlight = true;
+          consola2.debug(`Circuit breaker: probe after cooldown for '${key}'`);
+          return true;
+        }
+        const retryAfterMs = Math.max(0, this.openMs - elapsed);
+        throw new KSeFCircuitOpenError(endpoint, state.openedAt, retryAfterMs);
+      }
+      recordSuccess(endpoint) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state) return;
+        if (state.openedAt !== null || state.failures > 0) {
+          consola2.debug(`Circuit breaker: reset for '${key}'`);
+        }
+        this.states.delete(key);
+      }
+      // Release a claimed probe slot WITHOUT observing an outcome. Use this when
+      // the probe attempt was aborted before reaching upstream (e.g. rate-limit
+      // acquire rejected, client cancellation). We have no new information about
+      // upstream health, so the breaker must stay OPEN — but we do restart the
+      // cooldown clock so the next probe attempt waits a fresh `openMs`,
+      // preventing a tight loop of aborted probes from spamming the limiter.
+      releaseProbe(endpoint) {
+        const key = this.keyFor(endpoint);
+        const state = this.states.get(key);
+        if (!state || !state.probeInFlight) return;
+        state.probeInFlight = false;
+        if (state.openedAt !== null) {
+          state.openedAt = performance.now();
+        }
+        consola2.debug(`Circuit breaker: probe aborted (not observed) for '${key}', cooldown restarted`);
+      }
+      recordFailure(endpoint) {
+        const key = this.keyFor(endpoint);
+        const now = performance.now();
+        let state = this.states.get(key);
+        if (!state) {
+          state = { failures: 0, openedAt: null, lastFailureAt: null, probeInFlight: false };
+          this.states.set(key, state);
+        }
+        if (state.openedAt !== null && state.probeInFlight) {
+          state.openedAt = now;
+          state.failures = this.failureThreshold;
+          state.lastFailureAt = now;
+          state.probeInFlight = false;
+          consola2.debug(`Circuit breaker: probe failed, re-opened for '${key}'`);
+          this.maybeSweepStaleClosed(now, key);
+          return;
+        }
+        const slidingStale = state.lastFailureAt !== null && now - state.lastFailureAt > this.openMs;
+        state.failures = slidingStale ? 1 : state.failures + 1;
+        state.lastFailureAt = now;
+        if (state.openedAt === null && state.failures >= this.failureThreshold) {
+          state.openedAt = now;
+          consola2.debug(
+            `Circuit breaker: opened for '${key}' after ${state.failures} failures (cooldown ${this.openMs}ms)`
+          );
+        }
+        this.maybeSweepStaleClosed(now, key);
+      }
+      keyFor(endpoint) {
+        return this.scope === "global" ? GLOBAL_KEY : endpoint;
+      }
+      // Prevent unbounded map growth under `scope: 'endpoint'` when callers hit
+      // many distinct parameterized paths (e.g. `auth/sessions/{ref}`) that each
+      // fail once and are never revisited. Global scope is always a single entry.
+      //
+      // Runs amortized O(n) — gated on a size threshold so small workloads pay
+      // nothing. Only evicts states that are genuinely settled: closed, no probe
+      // in flight, and with the last failure older than two cooldowns.
+      maybeSweepStaleClosed(now, keepKey) {
+        if (this.scope !== "endpoint") return;
+        if (this.states.size <= _CircuitBreakerPolicy.sweepThreshold) return;
+        const staleBefore = now - 2 * this.openMs;
+        for (const [key, state] of this.states) {
+          if (key === keepKey) continue;
+          if (state.openedAt !== null) continue;
+          if (state.probeInFlight) continue;
+          if (state.lastFailureAt !== null && state.lastFailureAt < staleBefore) {
+            this.states.delete(key);
+          }
+        }
+      }
+      static sweepThreshold = 64;
+    };
+  }
+});
 // src/http/auth-manager.ts
 var DefaultAuthManager;
 var init_auth_manager = __esm({
   "src/http/auth-manager.ts"() {
     "use strict";
+    init_esm_shims();
     DefaultAuthManager = class {
       token;
       refreshToken;
@@ -1142,6 +1396,7 @@ var KSEF_FEATURE_HEADER, UpoVersion, ENFORCE_XADES_COMPLIANCE;
 var init_ksef_feature = __esm({
   "src/http/ksef-feature.ts"() {
     "use strict";
+    init_esm_shims();
     KSEF_FEATURE_HEADER = "X-KSeF-Feature";
     UpoVersion = {
       /** UPO v4-2 format (default before 2026-01-05). */
@@ -1241,6 +1496,7 @@ var NIP_PATTERN_CORE, VAT_UE_PATTERN_CORE, Nip, VatUe, NipVatUe, InternalId, Pep
 var init_patterns = __esm({
   "src/validation/patterns.ts"() {
     "use strict";
+    init_esm_shims();
     NIP_PATTERN_CORE = "[1-9]((\\d[1-9])|([1-9]\\d))\\d{7}";
     VAT_UE_PATTERN_CORE = "(ATU\\d{8}|BE[01]{1}\\d{9}|BG\\d{9,10}|CY\\d{8}[A-Z]|CZ\\d{8,10}|DE\\d{9}|DK\\d{8}|EE\\d{9}|EL\\d{9}|ES([A-Z]\\d{8}|\\d{8}[A-Z]|[A-Z]\\d{7}[A-Z])|FI\\d{8}|FR[A-Z0-9]{2}\\d{9}|HR\\d{11}|HU\\d{8}|IE(\\d{7}[A-Z]{2}|\\d[A-Z0-9+*]\\d{5}[A-Z])|IT\\d{11}|LT(\\d{9}|\\d{12})|LU\\d{8}|LV\\d{11}|MT\\d{8}|NL[A-Z0-9+*]{12}|PT\\d{9}|RO\\d{2,10}|SE\\d{12}|SI\\d{8}|SK\\d{10}|XI((\\d{9}|\\d{12})|(GD|HA)\\d{3}))";
     Nip = new RegExp(`^${NIP_PATTERN_CORE}$`);
@@ -1357,6 +1613,7 @@ function getTextContent(el) {
 var init_xml_to_object = __esm({
   "src/validation/xml-to-object.ts"() {
     "use strict";
+    init_esm_shims();
   }
 });
@@ -1370,6 +1627,7 @@ var TKodFormularza, TDataCzas, TZnakowy, TNaglowek, TKodyKrajowUE, TNrNIP, TZnak
 var init_fa3 = __esm({
   "src/validation/schemas/fa3.ts"() {
     "use strict";
+    init_esm_shims();
     TKodFormularza = z.literal("FA");
     TDataCzas = z.string();
     TZnakowy = z.string().min(1).max(256);
@@ -1780,6 +2038,7 @@ var TKodFormularza2, TDataCzas2, TZnakowy3, TNaglowek2, TKodyKrajowUE2, TNrNIP2,
 var init_fa2 = __esm({
   "src/validation/schemas/fa2.ts"() {
     "use strict";
+    init_esm_shims();
     TKodFormularza2 = z2.literal("FA");
     TDataCzas2 = z2.string();
     TZnakowy3 = z2.string().min(1).max(256);
@@ -2174,6 +2433,7 @@ var TKodFormularza3, TDataCzas3, TZnakowy4, TNaglowek3, TNrNIP3, TZnakowy5123, T
 var init_rr1_v11e = __esm({
   "src/validation/schemas/rr1-v11e.ts"() {
     "use strict";
+    init_esm_shims();
     TKodFormularza3 = z3.literal("FA_RR");
     TDataCzas3 = z3.string();
     TZnakowy4 = z3.string().min(1).max(256);
@@ -2379,6 +2639,7 @@ var TKodFormularza4, TDataCzas4, TZnakowy5, TNaglowek4, TNrNIP4, TZnakowy5124, T
 var init_rr1_v10e = __esm({
   "src/validation/schemas/rr1-v10e.ts"() {
     "use strict";
+    init_esm_shims();
     TKodFormularza4 = z4.literal("FA_RR");
     TDataCzas4 = z4.string();
     TZnakowy5 = z4.string().min(1).max(256);
@@ -2584,6 +2845,7 @@ var InvoiceType, PEF3Schema;
 var init_pef3 = __esm({
   "src/validation/schemas/pef3.ts"() {
     "use strict";
+    init_esm_shims();
     InvoiceType = z5.object({
       "UBLExtensions": z5.any().optional(),
       "UBLVersionID": z5.any().optional(),
@@ -2654,6 +2916,7 @@ var CreditNoteType, PEF_KOR3Schema;
 var init_pef_kor3 = __esm({
   "src/validation/schemas/pef-kor3.ts"() {
     "use strict";
+    init_esm_shims();
     CreditNoteType = z6.object({
       "UBLExtensions": z6.any().optional(),
       "UBLVersionID": z6.any().optional(),
@@ -2716,6 +2979,7 @@ var NAMESPACE_MAP;
 var init_schemas = __esm({
   "src/validation/schemas/index.ts"() {
     "use strict";
+    init_esm_shims();
     init_fa3();
     init_fa2();
     init_rr1_v11e();
@@ -2772,6 +3036,7 @@ var ROOT_ELEMENT_MAP, schemaCache, SchemaRegistry;
 var init_schema_registry = __esm({
   "src/validation/schema-registry.ts"() {
     "use strict";
+    init_esm_shims();
     init_schemas();
     ROOT_ELEMENT_MAP = {
       Invoice: "PEF3",
@@ -2897,6 +3162,7 @@ var DISCOURAGED_UNICODE_RANGES, PI_TARGET_RE;
 var init_char_validity = __esm({
   "src/validation/char-validity.ts"() {
     "use strict";
+    init_esm_shims();
     DISCOURAGED_UNICODE_RANGES = [
       [127, 132],
       [134, 159],
@@ -2979,11 +3245,11 @@ async function validateSchema(xml, options, _parsed) {
   const prefix = rootElement ? `/${rootElement}/` : "/";
   const validationErrors = result.error.issues.map((issue) => {
     const zodPath = issue.path.join("/");
-    const path2 = zodPath ? `${prefix}${zodPath}` : rootElement ? `/${rootElement}` : void 0;
+    const path3 = zodPath ? `${prefix}${zodPath}` : rootElement ? `/${rootElement}` : void 0;
     return {
       code: mapZodErrorCode(issue),
       message: issue.message,
-      path: path2
+      path: path3
     };
   });
   return { valid: false, schemaType, errors: validationErrors };
@@ -3023,9 +3289,9 @@ function validateBusinessRules(xml, _parsed) {
   collectDateErrors(object, rootElement, errors);
   return { valid: errors.length === 0, schemaType, errors };
 }
-function collectNipPeselErrors(obj, path2, errors) {
+function collectNipPeselErrors(obj, path3, errors) {
   for (const [key, value] of Object.entries(obj)) {
-    const currentPath = path2 ? `${path2}/${key}` : key;
+    const currentPath = path3 ? `${path3}/${key}` : key;
     if (key === "NIP" && typeof value === "string") {
       if (!isValidNip(value)) {
         errors.push({
@@ -3104,6 +3370,7 @@ function batchValidationDetails(batch) {
 var init_invoice_validator = __esm({
   "src/validation/invoice-validator.ts"() {
     "use strict";
+    init_esm_shims();
     init_xml_to_object();
     init_schema_registry();
     init_char_validity();
@@ -3116,6 +3383,7 @@ var SystemCode, FORM_CODES, DEFAULT_FORM_CODE, INVOICE_TYPES_BY_SYSTEM_CODE, FOR
 var init_types = __esm({
   "src/models/document-structures/types.ts"() {
     "use strict";
+    init_esm_shims();
     SystemCode = {
       FA_2: "FA (2)",
       FA_3: "FA (3)",
@@ -3168,6 +3436,7 @@ var SYSTEM_CODE_TO_FORM_CODE, ALL_FORM_CODES, BATCH_DISALLOWED_SYSTEM_CODES;
 var init_helpers = __esm({
   "src/models/document-structures/helpers.ts"() {
     "use strict";
+    init_esm_shims();
     init_types();
     SYSTEM_CODE_TO_FORM_CODE = {
       [SystemCode.FA_2]: FORM_CODES.FA_2,
@@ -3188,6 +3457,7 @@ var init_helpers = __esm({
 var init_document_structures = __esm({
   "src/models/document-structures/index.ts"() {
     "use strict";
+    init_esm_shims();
     init_types();
     init_helpers();
   }
@@ -3198,6 +3468,7 @@ var AuthService;
 var init_auth = __esm({
   "src/services/auth.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_feature();
     init_rest_request();
     init_routes();
@@ -3248,6 +3519,7 @@ var ActiveSessionsService;
 var init_active_sessions = __esm({
   "src/services/active-sessions.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     ActiveSessionsService = class {
@@ -3279,6 +3551,7 @@ var OnlineSessionService;
 var init_online_session = __esm({
   "src/services/online-session.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_feature();
     init_rest_request();
     init_routes();
@@ -3331,6 +3604,7 @@ async function runWithConcurrency(tasks, parallelism) {
 var init_concurrency = __esm({
   "src/utils/concurrency.ts"() {
     "use strict";
+    init_esm_shims();
   }
 });
@@ -3339,6 +3613,7 @@ var BatchSessionService;
 var init_batch_session = __esm({
   "src/services/batch-session.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_feature();
     init_rest_request();
     init_routes();
@@ -3443,6 +3718,7 @@ var SessionStatusService;
 var init_session_status = __esm({
   "src/services/session-status.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     SessionStatusService = class {
@@ -3529,6 +3805,7 @@ var InvoiceDownloadService;
 var init_invoice_download = __esm({
   "src/services/invoice-download.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     InvoiceDownloadService = class {
@@ -3571,6 +3848,7 @@ var PermissionsService;
 var init_permissions = __esm({
   "src/services/permissions.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_validation_error();
     init_rest_request();
     init_routes();
@@ -3763,6 +4041,7 @@ function parseKSeFTokenContext(token) {
 var init_jwt = __esm({
   "src/utils/jwt.ts"() {
     "use strict";
+    init_esm_shims();
   }
 });
@@ -3774,6 +4053,7 @@ var TOKEN_AUTHOR_IDENTIFIER_TYPES, TokenService;
 var init_tokens = __esm({
   "src/services/tokens.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     init_jwt();
@@ -3894,6 +4174,7 @@ var CertificateApiService;
 var init_certificates = __esm({
   "src/services/certificates.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     CertificateApiService = class {
@@ -3946,6 +4227,7 @@ var LighthouseService;
 var init_lighthouse = __esm({
   "src/services/lighthouse.ts"() {
     "use strict";
+    init_esm_shims();
     init_errors();
     LighthouseService = class {
       lighthouseUrl;
@@ -3954,20 +4236,20 @@ var init_lighthouse = __esm({
         this.lighthouseUrl = options.lighthouseUrl;
         this.timeout = options.timeout;
       }
-      async fetchJson(path2) {
+      async fetchJson(path3) {
         if (!this.lighthouseUrl) {
           throw new KSeFError(
             "Lighthouse API is not available for the DEMO environment. Use TEST or PROD instead."
           );
         }
-        const response = await fetch(`${this.lighthouseUrl}${path2}`, {
+        const response = await fetch(`${this.lighthouseUrl}${path3}`, {
           headers: { Accept: "application/json" },
           signal: AbortSignal.timeout(this.timeout)
         });
         if (!response.ok) {
           const body = await response.text();
           throw new KSeFError(
-            `Lighthouse ${path2} failed: HTTP ${response.status} \u2014 ${body}`
+            `Lighthouse ${path3} failed: HTTP ${response.status} \u2014 ${body}`
           );
         }
         return await response.json();
@@ -3988,6 +4270,7 @@ var LimitsService;
 var init_limits = __esm({
   "src/services/limits.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     LimitsService = class {
@@ -4019,6 +4302,7 @@ var PeppolService;
 var init_peppol = __esm({
   "src/services/peppol.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     PeppolService = class {
@@ -4042,6 +4326,7 @@ var TestDataService;
 var init_test_data = __esm({
   "src/services/test-data.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     init_ksef_error();
@@ -4161,6 +4446,7 @@ var CertificateFetcher;
 var init_certificate_fetcher = __esm({
   "src/crypto/certificate-fetcher.ts"() {
     "use strict";
+    init_esm_shims();
     init_rest_request();
     init_routes();
     CertificateFetcher = class {
@@ -4225,7 +4511,7 @@ ${lines.join("\n")}
 });
 // src/crypto/cryptography-service.ts
-import * as crypto2 from "crypto";
+import * as crypto2 from "node:crypto";
 import * as x509 from "@peculiar/x509";
 function setCryptoProvider() {
   x509.cryptoProvider.set(crypto2.webcrypto);
@@ -4256,6 +4542,7 @@ var CryptographyService;
 var init_cryptography_service = __esm({
   "src/crypto/cryptography-service.ts"() {
     "use strict";
+    init_esm_shims();
     CryptographyService = class {
       fetcher;
       constructor(fetcher) {
@@ -4313,7 +4600,7 @@ var init_cryptography_service = __esm({
         const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
         const encryptedKey = crypto2.publicEncrypt(
           {
-            key: certPem,
+            key: this.extractSpkiPem(certPem),
             oaepHash: "sha256",
             padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
           },
@@ -4443,12 +4730,22 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       // Private helpers
       // ---------------------------------------------------------------------------
+      /**
+       * Extract a public-key SPKI PEM (`-----BEGIN PUBLIC KEY-----`) from a full
+       * CERTIFICATE PEM. Node's `publicEncrypt` accepts either form, but Deno's
+       * Node compatibility layer only accepts SPKI PEM, so we normalize upfront
+       * to keep the library portable across runtimes.
+       */
+      extractSpkiPem(certPem) {
+        const publicKey = new crypto2.X509Certificate(certPem).publicKey;
+        return publicKey.export({ type: "spki", format: "pem" });
+      }
       /** RSA-OAEP SHA-256 encryption. */
       encryptRsaOaep(certPem, plaintext) {
         return new Uint8Array(
           crypto2.publicEncrypt(
             {
-              key: certPem,
+              key: this.extractSpkiPem(certPem),
               oaepHash: "sha256",
               padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
             },
@@ -4490,9 +4787,43 @@ var signature_service_exports = {};
 __export(signature_service_exports, {
   SignatureService: () => SignatureService
 });
-import * as crypto3 from "crypto";
+import * as crypto3 from "node:crypto";
 import { ExclusiveCanonicalization } from "xml-crypto";
 import { DOMParser as DOMParser2, XMLSerializer } from "@xmldom/xmldom";
+function pickRsaAlgo() {
+  return {
+    nodeHashName: "sha256",
+    signatureUri: RSA_SHA256_SIGNATURE_URI,
+    digestUri: DIGEST_URI.sha256
+  };
+}
+function pickEcdsaAlgo(privateKey) {
+  const curve = privateKey.asymmetricKeyDetails?.namedCurve;
+  switch (curve) {
+    case "prime256v1":
+      return {
+        nodeHashName: "sha256",
+        signatureUri: ECDSA_SIGNATURE_URI.sha256,
+        digestUri: DIGEST_URI.sha256
+      };
+    case "secp384r1":
+      return {
+        nodeHashName: "sha384",
+        signatureUri: ECDSA_SIGNATURE_URI.sha384,
+        digestUri: DIGEST_URI.sha384
+      };
+    case "secp521r1":
+      return {
+        nodeHashName: "sha512",
+        signatureUri: ECDSA_SIGNATURE_URI.sha512,
+        digestUri: DIGEST_URI.sha512
+      };
+    default:
+      throw new KSeFError(
+        `Unsupported ECDSA curve: ${curve ?? "unknown"}. Supported: P-256 (prime256v1), P-384 (secp384r1), P-521 (secp521r1).`
+      );
+  }
+}
 function extractDerFromPem(pem) {
   const base64 = pem.replace(/-----BEGIN [A-Z\s]+-----/g, "").replace(/-----END [A-Z\s]+-----/g, "").replace(/\s+/g, "");
   return Buffer.from(base64, "base64");
@@ -4507,12 +4838,12 @@ function canonicalize(elem) {
   const c14n = new ExclusiveCanonicalization();
   return c14n.process(elem, {});
 }
-function computeRootDigest(doc) {
+function computeRootDigest(doc, hashName) {
   const root = doc.documentElement;
   const canonical = canonicalize(root);
-  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash(hashName).update(canonical, "utf-8").digest("base64");
 }
-function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
+function computeSignedPropertiesDigest(qualifyingPropertiesXml, hashName) {
   const parser2 = new DOMParser2();
   const qpDoc = parser2.parseFromString(qualifyingPropertiesXml, "text/xml");
   const signedProps = findElementByLocalName(qpDoc.documentElement, "SignedProperties");
@@ -4520,9 +4851,9 @@ function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
   }
   const canonical = canonicalize(signedProps);
-  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash(hashName).update(canonical, "utf-8").digest("base64");
 }
-function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest) {
+function buildSignedInfo(signatureAlgorithm, digestAlgorithm, rootDigest, signedPropertiesDigest) {
   return [
     `<ds:SignedInfo xmlns:ds="${DS_NS}">`,
     `<ds:CanonicalizationMethod Algorithm="${EXC_C14N_ALGORITHM}"/>`,
@@ -4533,7 +4864,7 @@ function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest)
     `<ds:Transform Algorithm="${ENVELOPED_SIGNATURE_TRANSFORM}"/>`,
     `<ds:Transform Algorithm="${EXC_C14N_ALGORITHM}"/>`,
     `</ds:Transforms>`,
-    `<ds:DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<ds:DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<ds:DigestValue>${rootDigest}</ds:DigestValue>`,
     `</ds:Reference>`,
     // Reference 2: SignedProperties
@@ -4541,22 +4872,22 @@ function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest)
     `<ds:Transforms>`,
     `<ds:Transform Algorithm="${EXC_C14N_ALGORITHM}"/>`,
     `</ds:Transforms>`,
-    `<ds:DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<ds:DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<ds:DigestValue>${signedPropertiesDigest}</ds:DigestValue>`,
     `</ds:Reference>`,
     `</ds:SignedInfo>`
   ].join("");
 }
-function computeSignatureValue(canonicalSignedInfo, privateKey, isEc) {
+function computeSignatureValue(canonicalSignedInfo, privateKey, isEc, hashName) {
   const data = Buffer.from(canonicalSignedInfo, "utf-8");
   let signature;
   if (isEc) {
-    signature = crypto3.sign("sha256", data, {
+    signature = crypto3.sign(hashName, data, {
       key: privateKey,
       dsaEncoding: "ieee-p1363"
     });
   } else {
-    signature = crypto3.sign("sha256", data, privateKey);
+    signature = crypto3.sign(hashName, data, privateKey);
   }
   return signature.toString("base64");
 }
@@ -4577,7 +4908,7 @@ function buildSignatureElement(signedInfoXml, signatureValue, certBase64, qualif
     `</ds:Signature>`
   ].join("");
 }
-function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest, issuerName, serialNumber, signingTime) {
+function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest, issuerName, serialNumber, signingTime, digestAlgorithm) {
   return [
     `<xades:QualifyingProperties`,
     ` Target="#${signatureId}"`,
@@ -4589,7 +4920,7 @@ function buildQualifyingProperties(signatureId, signedPropertiesId, certDigest,
     `<xades:SigningCertificate>`,
     `<xades:Cert>`,
     `<xades:CertDigest>`,
-    `<DigestMethod Algorithm="${SHA256_DIGEST_METHOD}"/>`,
+    `<DigestMethod Algorithm="${digestAlgorithm}"/>`,
     `<DigestValue>${certDigest}</DigestValue>`,
     `</xades:CertDigest>`,
     `<xades:IssuerSerial>`,
@@ -4625,18 +4956,28 @@ function wrapBase64(base64) {
   }
   return lines.join("\n");
 }
-var XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, SHA256_DIGEST_METHOD, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, RSA_SHA256_SIGNATURE, ECDSA_SHA256_SIGNATURE, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
+var XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, DIGEST_URI, ECDSA_SIGNATURE_URI, RSA_SHA256_SIGNATURE_URI, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
 var init_signature_service = __esm({
   "src/crypto/signature-service.ts"() {
     "use strict";
+    init_esm_shims();
+    init_ksef_error();
     XADES_NS = "http://uri.etsi.org/01903/v1.3.2#";
     DS_NS = "http://www.w3.org/2000/09/xmldsig#";
     SIGNED_PROPERTIES_TYPE = "http://uri.etsi.org/01903#SignedProperties";
-    SHA256_DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256";
     EXC_C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";
     ENVELOPED_SIGNATURE_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
-    RSA_SHA256_SIGNATURE = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
-    ECDSA_SHA256_SIGNATURE = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
+    DIGEST_URI = {
+      sha256: "http://www.w3.org/2001/04/xmlenc#sha256",
+      sha384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+      sha512: "http://www.w3.org/2001/04/xmlenc#sha512"
+    };
+    ECDSA_SIGNATURE_URI = {
+      sha256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+      sha384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+      sha512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+    };
+    RSA_SHA256_SIGNATURE_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     CLOCK_SKEW_BUFFER_MS = -6e4;
     SIGNATURE_ID = "Signature";
     SIGNED_PROPERTIES_ID = "SignedProperties";
@@ -4656,15 +4997,21 @@ var init_signature_service = __esm({
         }
         const certDer = extractDerFromPem(certPem);
         const certBase64 = certDer.toString("base64");
-        const certDigest = crypto3.createHash("sha256").update(certDer).digest("base64");
         const x5093 = new crypto3.X509Certificate(certPem);
         const issuerName = normalizeIssuerDn(x5093.issuer);
         const serialNumber = hexSerialToDecimal(x5093.serialNumber);
         const privateKey = crypto3.createPrivateKey(
           passphrase ? { key: privateKeyPem, format: "pem", passphrase } : privateKeyPem
         );
-        const isEc = privateKey.asymmetricKeyType === "ec";
-        const signatureAlgorithm = isEc ? ECDSA_SHA256_SIGNATURE : RSA_SHA256_SIGNATURE;
+        const keyType = privateKey.asymmetricKeyType;
+        if (keyType !== "ec" && keyType !== "rsa") {
+          throw new KSeFError(
+            `Unsupported private key type: ${keyType ?? "unknown"}. Supported: RSA and ECDSA.`
+          );
+        }
+        const isEc = keyType === "ec";
+        const algo = isEc ? pickEcdsaAlgo(privateKey) : pickRsaAlgo();
+        const certDigest = crypto3.createHash(algo.nodeHashName).update(certDer).digest("base64");
         const signingTime = new Date(Date.now() + CLOCK_SKEW_BUFFER_MS).toISOString();
         const parser2 = new DOMParser2();
         const doc = parser2.parseFromString(xml, "text/xml");
@@ -4678,12 +5025,17 @@ var init_signature_service = __esm({
           certDigest,
           issuerName,
           serialNumber,
-          signingTime
+          signingTime,
+          algo.digestUri
+        );
+        const rootDigest = computeRootDigest(doc, algo.nodeHashName);
+        const signedPropertiesDigest = computeSignedPropertiesDigest(
+          qualifyingPropertiesXml,
+          algo.nodeHashName
         );
-        const rootDigest = computeRootDigest(doc);
-        const signedPropertiesDigest = computeSignedPropertiesDigest(qualifyingPropertiesXml);
         const signedInfoXml = buildSignedInfo(
-          signatureAlgorithm,
+          algo.signatureUri,
+          algo.digestUri,
           rootDigest,
           signedPropertiesDigest
         );
@@ -4692,7 +5044,8 @@ var init_signature_service = __esm({
         const signatureValue = computeSignatureValue(
           canonicalSignedInfo,
           privateKey,
-          isEc
+          isEc,
+          algo.nodeHashName
         );
         const signatureXml = buildSignatureElement(
           signedInfoXml,
@@ -4719,6 +5072,7 @@ var Pkcs12Loader;
 var init_pkcs12_loader = __esm({
   "src/crypto/pkcs12-loader.ts"() {
     "use strict";
+    init_esm_shims();
     Pkcs12Loader = class {
       static load(p12, password) {
         const { pki, pkcs12, asn1 } = forge;
@@ -4787,16 +5141,18 @@ var AUTH_TOKEN_REQUEST_NS;
 var init_auth_xml_builder = __esm({
   "src/crypto/auth-xml-builder.ts"() {
     "use strict";
+    init_esm_shims();
     AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
   }
 });
 // src/qr/verification-link-service.ts
-import crypto5 from "crypto";
+import crypto5 from "node:crypto";
 var VerificationLinkService;
 var init_verification_link_service = __esm({
   "src/qr/verification-link-service.ts"() {
     "use strict";
+    init_esm_shims();
     VerificationLinkService = class {
       constructor(baseQrUrl) {
         this.baseQrUrl = baseQrUrl;
@@ -4818,11 +5174,11 @@ var init_verification_link_service = __esm({
        * Build certificate verification URL (Code II).
        * Format: {baseQrUrl}/certificate/{contextType}/{contextId}/{sellerNip}/{certSerial}/{hash_base64url}/{signature_base64url}
        */
-      buildCertificateVerificationUrl(contextType, contextId, sellerNip, certSerial, invoiceHashBase64, privateKeyPem) {
+      buildCertificateVerificationUrl(contextType, contextId, sellerNip, certSerial, invoiceHashBase64, privateKeyPem, privateKeyPassword) {
         const hashBase64Url = this.base64ToBase64Url(invoiceHashBase64);
         const pathWithoutSignature = `${this.baseQrUrl}/certificate/${contextType}/${contextId}/${sellerNip}/${certSerial}/${hashBase64Url}`;
         const dataToSign = pathWithoutSignature.replace(/^https?:\/\//, "");
-        const key = crypto5.createPrivateKey(privateKeyPem);
+        const key = privateKeyPassword !== void 0 ? crypto5.createPrivateKey({ key: privateKeyPem, format: "pem", passphrase: privateKeyPassword }) : crypto5.createPrivateKey(privateKeyPem);
         let signature;
         if (key.asymmetricKeyType === "rsa") {
           signature = crypto5.sign("sha256", Buffer.from(dataToSign), {
@@ -4938,6 +5294,7 @@ var DEFAULT_UNZIP_OPTIONS;
 var init_zip = __esm({
   "src/utils/zip.ts"() {
     "use strict";
+    init_esm_shims();
     DEFAULT_UNZIP_OPTIONS = {
       maxFiles: 1e4,
       maxTotalUncompressedSize: 2e9,
@@ -5009,6 +5366,7 @@ var holidayCache;
 var init_holidays = __esm({
   "src/offline/holidays.ts"() {
     "use strict";
+    init_esm_shims();
     holidayCache = /* @__PURE__ */ new Map();
   }
 });
@@ -5108,17 +5466,19 @@ var FAR_FUTURE;
 var init_deadline = __esm({
   "src/offline/deadline.ts"() {
     "use strict";
+    init_esm_shims();
     init_holidays();
     FAR_FUTURE = /* @__PURE__ */ new Date("9999-12-31T23:59:59Z");
   }
 });
 // src/workflows/offline-invoice-workflow.ts
-import crypto7 from "crypto";
+import crypto7 from "node:crypto";
 var OfflineInvoiceWorkflow;
 var init_offline_invoice_workflow = __esm({
   "src/workflows/offline-invoice-workflow.ts"() {
     "use strict";
+    init_esm_shims();
     init_ksef_api_error();
     init_deadline();
     init_document_structures();
@@ -5152,7 +5512,8 @@ var init_offline_invoice_workflow = __esm({
             input.sellerNip,
             options.certificate.certificateSerial,
             invoiceHashBase64,
-            options.certificate.privateKeyPem
+            options.certificate.privateKeyPem,
+            options.certificate.password
           );
         }
         const submitBy = options?.customDeadline ? typeof options.customDeadline === "string" ? options.customDeadline : options.customDeadline.toISOString() : calculateOfflineDeadline(mode, input.invoiceDate, options?.maintenanceWindow).toISOString();
@@ -5342,7 +5703,8 @@ var init_offline_invoice_workflow = __esm({
               original.sellerNip,
               options.certificate.certificateSerial,
               correctedHashBase64,
-              options.certificate.privateKeyPem
+              options.certificate.privateKeyPem,
+              options.certificate.password
             );
           }
           const correctionMetadata = {
@@ -5428,6 +5790,11 @@ function buildRestClientConfig(options, authManager) {
       endpointLimits: options.rateLimit.endpointLimits
     });
   }
+  if (options?.circuitBreaker === null) {
+    config.circuitBreakerPolicy = null;
+  } else if (options?.circuitBreaker) {
+    config.circuitBreakerPolicy = new CircuitBreakerPolicy(options.circuitBreaker);
+  }
   if (options?.presignedUrlHosts) {
     const base = defaultPresignedUrlPolicy();
     config.presignedUrlPolicy = {
@@ -5441,10 +5808,12 @@ var KSeFClient;
 var init_client = __esm({
   "src/client.ts"() {
     "use strict";
+    init_esm_shims();
     init_config();
     init_rest_client();
     init_retry_policy();
     init_rate_limit_policy();
+    init_circuit_breaker_policy();
     init_presigned_url_policy();
     init_auth_manager();
     init_auth();
@@ -5578,10 +5947,12 @@ var init_client = __esm({
 });
 // src/index.ts
+init_esm_shims();
 init_config();
 init_errors();
 // src/http/index.ts
+init_esm_shims();
 init_route_builder();
 init_rest_request();
 init_rest_client();
@@ -5589,14 +5960,17 @@ init_routes();
 init_transport();
 init_retry_policy();
 init_rate_limit_policy();
+init_circuit_breaker_policy();
 init_auth_manager();
 init_presigned_url_policy();
 init_ksef_feature();
 // src/validation/index.ts
+init_esm_shims();
 init_patterns();
 // src/validation/constraints.ts
+init_esm_shims();
 var REQUIRED_CHALLENGE_LENGTH = 36;
 var CERTIFICATE_NAME_MIN_LENGTH = 5;
 var CERTIFICATE_NAME_MAX_LENGTH = 100;
@@ -5611,10 +5985,218 @@ init_schema_registry();
 init_invoice_validator();
 init_char_validity();
+// src/validation/xsd-validator.ts
+init_esm_shims();
+import { createRequire } from "node:module";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { fileURLToPath, pathToFileURL } from "node:url";
+var cachedPkgRoot = null;
+function locatePackageRoot() {
+  if (cachedPkgRoot !== null) return cachedPkgRoot;
+  let dir = path.dirname(fileURLToPath(import.meta.url));
+  const root = path.parse(dir).root;
+  while (dir !== root) {
+    const candidate = path.join(dir, "docs", "schemas");
+    if (fs.existsSync(candidate)) {
+      cachedPkgRoot = dir;
+      return dir;
+    }
+    dir = path.dirname(dir);
+  }
+  throw new Error("Could not locate ksef-client-ts package root (docs/schemas not found).");
+}
+var XSD_RELATIVE = {
+  FA2: ["FA", "schemat_FA(2)_v1-0E.xsd"],
+  FA3: ["FA", "schemat_FA(3)_v1-0E.xsd"],
+  PEF: ["PEF", "Schemat_PEF(3)_v2-1.xsd"],
+  PEF_KOR: ["PEF", "Schemat_PEF_KOR(3)_v2-1.xsd"]
+};
+var FA_XSD_PATHS = {
+  get FA2() {
+    return resolveXsdFor("FA2");
+  },
+  get FA3() {
+    return resolveXsdFor("FA3");
+  }
+};
+var PEF_XSD_PATHS = {
+  get PEF() {
+    return resolveXsdFor("PEF");
+  },
+  get PEF_KOR() {
+    return resolveXsdFor("PEF_KOR");
+  }
+};
+function resolveXsdFor(schema) {
+  const rel = XSD_RELATIVE[schema];
+  if (!rel) throw new Error(`Unknown invoice schema: ${String(schema)}`);
+  return path.join(locatePackageRoot(), "docs", "schemas", ...rel);
+}
+var requireModule = createRequire(import.meta.url);
+var libxmljs = null;
+var libxmljsLoadError = null;
+try {
+  libxmljs = requireModule("libxmljs2");
+} catch (err) {
+  const code = err?.code;
+  if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") {
+    libxmljs = null;
+  } else {
+    libxmljs = null;
+    libxmljsLoadError = err instanceof Error ? err : new Error(String(err));
+  }
+}
+var libxmljsAvailable = libxmljs !== null;
+var MISSING_LIBXMLJS_MESSAGE_PREFIX = "libxmljs2 is not installed";
+var EXTERNAL_STRUKTURY_DANYCH_URL = /schemaLocation="http:\/\/crd\.gov\.pl\/xml\/schematy\/dziedzinowe\/mf\/2022\/01\/05\/eD\/DefinicjeTypy\/StrukturyDanych_v10-0E\.xsd"/;
+function rewriteSchemaLocations(xsdContent) {
+  if (!EXTERNAL_STRUKTURY_DANYCH_URL.test(xsdContent)) {
+    return xsdContent;
+  }
+  const bazoweStrukturyPath = path.join(
+    locatePackageRoot(),
+    "docs",
+    "schemas",
+    "FA",
+    "bazowe",
+    "StrukturyDanych_v10-0E.xsd"
+  );
+  const bazoweStrukturyUrl = pathToFileURL(bazoweStrukturyPath).href;
+  const rewritten = xsdContent.replace(
+    EXTERNAL_STRUKTURY_DANYCH_URL,
+    `schemaLocation="${bazoweStrukturyUrl}"`
+  );
+  if (rewritten === xsdContent) {
+    throw new Error(
+      "FA XSD schemaLocation rewrite produced no replacement despite URL being present; regex likely out of sync with docs/schemas/FA/. Re-check after `yarn sync-schemas`."
+    );
+  }
+  return rewritten;
+}
+function validateAgainstXsd(xml, xsdPath) {
+  if (!libxmljs) {
+    const loadSuffix = libxmljsLoadError ? ` (load failed: ${libxmljsLoadError.message})` : "";
+    throw new Error(
+      `${MISSING_LIBXMLJS_MESSAGE_PREFIX}${loadSuffix}; cannot run XSD validation. Install it as an optional peer dependency (e.g. \`yarn add -O libxmljs2\` or \`npm i -O libxmljs2\`).`
+    );
+  }
+  const xsdDir = path.dirname(xsdPath);
+  const rawXsd = fs.readFileSync(xsdPath, "utf8");
+  const rewrittenXsd = rewriteSchemaLocations(rawXsd);
+  const baseUrl = pathToFileURL(xsdDir + path.sep).href;
+  let schemaDoc;
+  try {
+    schemaDoc = libxmljs.parseXml(rewrittenXsd, { baseUrl });
+  } catch (err) {
+    return { valid: false, errors: [`XSD parse failed: ${err.message}`] };
+  }
+  let xmlDoc;
+  try {
+    xmlDoc = libxmljs.parseXml(xml);
+  } catch (err) {
+    return { valid: false, errors: [`XML parse failed: ${err.message}`] };
+  }
+  const valid = xmlDoc.validate(schemaDoc);
+  const errors = valid ? [] : xmlDoc.validationErrors.map((err) => err.message.trim());
+  return { valid, errors };
+}
+// src/models/index.ts
+init_esm_shims();
+// src/models/common.ts
+init_esm_shims();
+// src/models/auth/index.ts
+init_esm_shims();
+// src/models/auth/types.ts
+init_esm_shims();
+// src/models/auth/active-sessions-types.ts
+init_esm_shims();
+// src/models/sessions/index.ts
+init_esm_shims();
+// src/models/sessions/online-types.ts
+init_esm_shims();
+// src/models/sessions/batch-types.ts
+init_esm_shims();
+// src/models/sessions/status-types.ts
+init_esm_shims();
+// src/models/sessions/session-state.ts
+init_esm_shims();
+// src/models/invoices/index.ts
+init_esm_shims();
+// src/models/invoices/types.ts
+init_esm_shims();
+// src/models/permissions/index.ts
+init_esm_shims();
+// src/models/permissions/types.ts
+init_esm_shims();
+// src/models/tokens/index.ts
+init_esm_shims();
+// src/models/tokens/types.ts
+init_esm_shims();
+// src/models/certificates/index.ts
+init_esm_shims();
+// src/models/certificates/types.ts
+init_esm_shims();
+// src/models/lighthouse/index.ts
+init_esm_shims();
+// src/models/lighthouse/types.ts
+init_esm_shims();
+// src/models/limits/index.ts
+init_esm_shims();
+// src/models/limits/types.ts
+init_esm_shims();
+// src/models/peppol/index.ts
+init_esm_shims();
+// src/models/peppol/types.ts
+init_esm_shims();
+// src/models/test-data/index.ts
+init_esm_shims();
+// src/models/test-data/types.ts
+init_esm_shims();
+// src/models/crypto/index.ts
+init_esm_shims();
+// src/models/crypto/types.ts
+init_esm_shims();
+// src/models/qrcode/index.ts
+init_esm_shims();
+// src/models/qrcode/types.ts
+init_esm_shims();
 // src/models/index.ts
 init_document_structures();
 // src/services/index.ts
+init_esm_shims();
 init_auth();
 init_active_sessions();
 init_online_session();
@@ -5629,7 +6211,11 @@ init_limits();
 init_peppol();
 init_test_data();
+// src/builders/index.ts
+init_esm_shims();
 // src/builders/auth-token-request.ts
+init_esm_shims();
 init_ksef_validation_error();
 var AuthTokenRequestBuilder = class {
   challenge;
@@ -5684,6 +6270,7 @@ var AuthTokenRequestBuilder = class {
 };
 // src/builders/auth-ksef-token-request.ts
+init_esm_shims();
 init_ksef_validation_error();
 var AuthKsefTokenRequestBuilder = class {
   challenge;
@@ -5738,6 +6325,7 @@ var AuthKsefTokenRequestBuilder = class {
 };
 // src/builders/invoice-query-filter.ts
+init_esm_shims();
 init_ksef_validation_error();
 var InvoiceQueryFilterBuilder = class {
   subjectType;
@@ -5834,7 +6422,11 @@ var InvoiceQueryFilterBuilder = class {
   }
 };
+// src/builders/permissions/index.ts
+init_esm_shims();
 // src/builders/permissions/person-permission.ts
+init_esm_shims();
 init_ksef_validation_error();
 var PersonPermissionGrantBuilder = class {
   subjectIdentifier;
@@ -5884,6 +6476,7 @@ var PersonPermissionGrantBuilder = class {
 };
 // src/builders/permissions/entity-permission.ts
+init_esm_shims();
 init_ksef_validation_error();
 var EntityPermissionGrantBuilder = class {
   nip;
@@ -5933,6 +6526,7 @@ var EntityPermissionGrantBuilder = class {
 };
 // src/builders/permissions/authorization-permission.ts
+init_esm_shims();
 init_ksef_validation_error();
 var AuthorizationPermissionGrantBuilder = class {
   _subjectIdentifier;
@@ -5978,8 +6572,9 @@ var AuthorizationPermissionGrantBuilder = class {
 };
 // src/builders/batch-file.ts
+init_esm_shims();
 init_ksef_validation_error();
-import * as crypto from "crypto";
+import * as crypto from "node:crypto";
 var BATCH_MAX_PART_SIZE = 1e8;
 var BATCH_MAX_TOTAL_SIZE = 5e9;
 var BATCH_MAX_PARTS = 50;
@@ -6148,12 +6743,14 @@ function sha256Base64(data) {
 }
 // src/crypto/index.ts
+init_esm_shims();
 init_certificate_fetcher();
 init_cryptography_service();
 init_signature_service();
 // src/crypto/certificate-service.ts
-import * as crypto4 from "crypto";
+init_esm_shims();
+import * as crypto4 from "node:crypto";
 import * as x5092 from "@peculiar/x509";
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
@@ -6238,9 +6835,11 @@ init_pkcs12_loader();
 init_auth_xml_builder();
 // src/qr/index.ts
+init_esm_shims();
 init_verification_link_service();
 // src/qr/qrcode-service.ts
+init_esm_shims();
 import * as QRCode from "qrcode";
 var QrCodeService = class _QrCodeService {
   static async generateQrCode(url, options) {
@@ -6300,11 +6899,13 @@ function escapeXml2(str) {
 }
 // src/utils/index.ts
+init_esm_shims();
 init_zip();
 init_jwt();
 // src/utils/hash.ts
-import crypto6 from "crypto";
+init_esm_shims();
+import crypto6 from "node:crypto";
 function sha256Base642(data) {
   return crypto6.createHash("sha256").update(data).digest("base64");
 }
@@ -6315,7 +6916,11 @@ function verifyHash(data, expectedHash) {
 // src/utils/index.ts
 init_concurrency();
+// src/workflows/index.ts
+init_esm_shims();
 // src/workflows/polling.ts
+init_esm_shims();
 async function pollUntil(action, condition, options) {
   const intervalMs = options?.intervalMs ?? 2e3;
   const maxAttempts = options?.maxAttempts ?? 60;
@@ -6333,13 +6938,18 @@ async function pollUntil(action, condition, options) {
 }
 // src/workflows/online-session-workflow.ts
+init_esm_shims();
 init_ksef_session_expired_error();
 init_auth_manager();
 init_online_session();
 init_session_status();
 init_document_structures();
+// src/xml/index.ts
+init_esm_shims();
 // src/xml/upo-parser.ts
+init_esm_shims();
 init_ksef_validation_error();
 import { XMLParser } from "fast-xml-parser";
 function isRecord(value) {
@@ -6458,6 +7068,7 @@ function parseUpoXml(xml) {
 }
 // src/xml/invoice-field-extractor.ts
+init_esm_shims();
 import { XMLParser as XMLParser2 } from "fast-xml-parser";
 var invoiceParser = new XMLParser2({
   ignoreAttributes: false,
@@ -6498,6 +7109,7 @@ function nonEmptyString(value) {
 }
 // src/xml/xml-engine.ts
+init_esm_shims();
 import { XMLBuilder, XMLParser as XMLParser3 } from "fast-xml-parser";
 var XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n';
 var parser = new XMLParser3({
@@ -6551,6 +7163,7 @@ function stripBom(input) {
 }
 // src/xml/order-map.ts
+init_esm_shims();
 var ORDER_MAP = {
   Faktura: ["Naglowek", "Podmiot1", "Podmiot2", "Podmiot3", "Fa", "Stopka"],
   Naglowek: ["KodFormularza", "WariantFormularza", "DataWytworzeniaFa", "SystemInfo"],
@@ -6749,6 +7362,7 @@ function orderXmlObject(value, contextKey) {
 }
 // src/xml/faktura-builder.ts
+init_esm_shims();
 var FAKTURA_NAMESPACE = {
   FA2: "http://crd.gov.pl/wzor/2023/06/29/12648/",
   FA3: "http://crd.gov.pl/wzor/2025/06/25/13775/"
@@ -6836,6 +7450,7 @@ function isFakturaInput(input) {
 }
 // src/xml/pef-builder.ts
+init_esm_shims();
 init_ksef_validation_error();
 var PEF_NAMESPACE = {
   PEF: "urn:oasis:names:specification:ubl:schema:xsd:Invoice-2",
@@ -6917,6 +7532,7 @@ function buildPefXml(input, options = {}) {
 }
 // src/xml/invoice-serializer.ts
+init_esm_shims();
 init_ksef_validation_error();
 var FAKTURA_SCHEMAS = /* @__PURE__ */ new Set(["FA2", "FA3"]);
 var PEF_SCHEMAS = /* @__PURE__ */ new Set(["PEF", "PEF_KOR"]);
@@ -7152,6 +7768,7 @@ async function openSendAndClose(client, invoices, options) {
 }
 // src/workflows/batch-session-workflow.ts
+init_esm_shims();
 init_document_structures();
 async function uploadBatch(client, zipData, options) {
   if (options?.parallelism !== void 0 && (!Number.isInteger(options.parallelism) || options.parallelism < 1)) {
@@ -7290,6 +7907,7 @@ async function uploadBatchParsed(client, zipData, options) {
 }
 // src/workflows/invoice-export-workflow.ts
+init_esm_shims();
 init_zip();
 async function doExport(client, filters, options) {
   await client.crypto.init();
@@ -7362,7 +7980,11 @@ async function exportAndDownload(client, filters, options) {
   };
 }
+// src/workflows/incremental-export-workflow.ts
+init_esm_shims();
 // src/workflows/hwm-coordinator.ts
+init_esm_shims();
 function updateContinuationPoint(points, subjectType, pkg) {
   if (pkg.isTruncated && pkg.lastPermanentStorageDate) {
     points[subjectType] = pkg.lastPermanentStorageDate;
@@ -7460,7 +8082,8 @@ function buildDefaultFilters(subjectType, from, to) {
 }
 // src/workflows/hwm-storage.ts
-import * as fs from "fs/promises";
+init_esm_shims();
+import * as fs2 from "node:fs/promises";
 var InMemoryHwmStore = class {
   points = {};
   async load() {
@@ -7476,7 +8099,7 @@ var FileHwmStore = class {
   }
   async load() {
     try {
-      const data = await fs.readFile(this.filePath, "utf-8");
+      const data = await fs2.readFile(this.filePath, "utf-8");
       return JSON.parse(data);
     } catch (err) {
       if (err.code === "ENOENT") {
@@ -7486,11 +8109,12 @@ var FileHwmStore = class {
     }
   }
   async save(points) {
-    await fs.writeFile(this.filePath, JSON.stringify(points, null, 2), "utf-8");
+    await fs2.writeFile(this.filePath, JSON.stringify(points, null, 2), "utf-8");
   }
 };
 // src/workflows/auth-workflow.ts
+init_esm_shims();
 init_auth_xml_builder();
 async function authenticateWithToken(client, options) {
   const challenge = await client.auth.getChallenge();
@@ -7587,10 +8211,12 @@ async function authenticateWithPkcs12(client, options) {
 }
 // src/offline/index.ts
+init_esm_shims();
 init_deadline();
 init_holidays();
 // src/offline/storage.ts
+init_esm_shims();
 function matchesFilter(invoice, filter) {
   if (filter.status !== void 0) {
     const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
@@ -7629,12 +8255,13 @@ var InMemoryOfflineInvoiceStorage = class {
 };
 // src/offline/file-storage.ts
-import * as fs2 from "fs/promises";
-import * as path from "path";
-import * as os from "os";
+init_esm_shims();
+import * as fs3 from "node:fs/promises";
+import * as path2 from "node:path";
+import * as os from "node:os";
 function resolveDir(dir) {
   if (dir === "~" || dir.startsWith("~/")) {
-    return path.join(os.homedir(), dir.slice(1));
+    return path2.join(os.homedir(), dir.slice(1));
   }
   return dir;
 }
@@ -7650,23 +8277,23 @@ var FileOfflineInvoiceStorage = class {
     this.dir = resolveDir(directory ?? "~/.ksef/offline");
   }
   async ensureDir() {
-    await fs2.mkdir(this.dir, { recursive: true });
+    await fs3.mkdir(this.dir, { recursive: true });
   }
   filePath(id) {
     validateId(id);
-    return path.join(this.dir, `${id}.json`);
+    return path2.join(this.dir, `${id}.json`);
   }
   async save(invoice) {
     await this.ensureDir();
     const file = this.filePath(invoice.id);
     const tmp = `${file}.tmp`;
-    await fs2.writeFile(tmp, JSON.stringify(invoice, null, 2));
-    await fs2.rename(tmp, file);
+    await fs3.writeFile(tmp, JSON.stringify(invoice, null, 2));
+    await fs3.rename(tmp, file);
   }
   async get(id) {
     const file = this.filePath(id);
     try {
-      return JSON.parse(await fs2.readFile(file, "utf-8"));
+      return JSON.parse(await fs3.readFile(file, "utf-8"));
     } catch (err) {
       if (err instanceof Error && "code" in err && err.code === "ENOENT") {
         return null;
@@ -7678,7 +8305,7 @@ var FileOfflineInvoiceStorage = class {
   async list(filter) {
     let files;
     try {
-      files = (await fs2.readdir(this.dir)).filter((f) => f.endsWith(".json"));
+      files = (await fs3.readdir(this.dir)).filter((f) => f.endsWith(".json"));
     } catch {
       return [];
     }
@@ -7686,7 +8313,7 @@ var FileOfflineInvoiceStorage = class {
     for (const file of files) {
       try {
         const data = JSON.parse(
-          await fs2.readFile(path.join(this.dir, file), "utf-8")
+          await fs3.readFile(path2.join(this.dir, file), "utf-8")
         );
         if (!filter || matchesFilter(data, filter)) {
           results.push(data);
@@ -7712,7 +8339,7 @@ var FileOfflineInvoiceStorage = class {
   async delete(id) {
     const file = this.filePath(id);
     try {
-      await fs2.unlink(file);
+      await fs3.unlink(file);
     } catch (e) {
       if (e instanceof Error && "code" in e && e.code !== "ENOENT") throw e;
     }
@@ -7741,6 +8368,7 @@ export {
   CertificateFingerprint,
   CertificateName,
   CertificateService,
+  CircuitBreakerPolicy,
   CryptographyService,
   DEFAULT_FORM_CODE,
   DISCOURAGED_UNICODE_RANGES,
@@ -7750,6 +8378,7 @@ export {
   EntityPermissionGrantBuilder,
   Environment,
   FAKTURA_NAMESPACE,
+  FA_XSD_PATHS,
   FORM_CODES,
   FORM_CODE_KEYS,
   FileHwmStore,
@@ -7768,6 +8397,7 @@ export {
   KSeFAuthStatusError,
   KSeFBadRequestError,
   KSeFBatchTimeoutError,
+  KSeFCircuitOpenError,
   KSeFClient,
   KSeFError,
   KSeFErrorCode,
@@ -7777,6 +8407,7 @@ export {
   KSeFSessionExpiredError,
   KSeFUnauthorizedError,
   KSeFValidationError,
+  KSeFXsdValidationError,
   KsefNumber,
   KsefNumberV35,
   KsefNumberV36,
@@ -7788,6 +8419,7 @@ export {
   OfflineInvoiceWorkflow,
   OnlineSessionService,
   PEF_NAMESPACE,
+  PEF_XSD_PATHS,
   PERMISSION_DESCRIPTION_MAX_LENGTH,
   PERMISSION_DESCRIPTION_MIN_LENGTH,
   PeppolId,
@@ -7835,6 +8467,7 @@ export {
   createZip,
   decodeJwtPayload,
   deduplicateByKsefNumber,
+  defaultCircuitBreakerPolicy,
   defaultPresignedUrlPolicy,
   defaultRateLimitPolicy,
   defaultRetryPolicy,
@@ -7871,6 +8504,7 @@ export {
   isValidReferenceNumber,
   isValidSha256Base64,
   isValidVatUe,
+  libxmljsAvailable,
   nextBusinessDay,
   openOnlineSession,
   openSendAndClose,
@@ -7882,6 +8516,7 @@ export {
   parseXml,
   pollUntil,
   resolveOptions,
+  resolveXsdFor,
   resumeOnlineSession,
   runWithConcurrency,
   serializeInvoiceXml,
@@ -7896,6 +8531,7 @@ export {
   uploadBatchStream,
   uploadBatchStreamParsed,
   validate,
+  validateAgainstXsd,
   validateBatch,
   validateBusinessRules,
   validateCharValidity,