ksef-client-ts 0.8.0 → 0.9.0

package/dist/cli.js

@@ -291,7 +291,9 @@ var init_error_codes = __esm({
     "use strict";
     KSeFErrorCode = {
       BatchTimeout: 21208,
-      DuplicateInvoice: 440
+      DuplicateInvoice: 440,
+      /** The supplied public key identifier is unknown or points to a revoked key (KSeF API v2.5.0). */
+      UnknownPublicKeyId: 21470
     };
   }
 });
@@ -320,6 +322,37 @@ var init_ksef_batch_timeout_error = __esm({
   }
 });
 
+// src/errors/ksef-unknown-public-key-error.ts
+function messageOf(description) {
+  return description?.trim() || "The supplied public key identifier is unknown or revoked (KSeF 21470).";
+}
+var KSeFUnknownPublicKeyError;
+var init_ksef_unknown_public_key_error = __esm({
+  "src/errors/ksef-unknown-public-key-error.ts"() {
+    "use strict";
+    init_ksef_api_error();
+    init_error_codes();
+    KSeFUnknownPublicKeyError = class _KSeFUnknownPublicKeyError extends KSeFApiError {
+      statusCode = 400;
+      errorCode = KSeFErrorCode.UnknownPublicKeyId;
+      constructor(message, errorResponse) {
+        super(message, 400, errorResponse);
+        this.name = "KSeFUnknownPublicKeyError";
+      }
+      static fromLegacy(body) {
+        const detail = body?.exception?.exceptionDetailList?.find(
+          (d) => d.exceptionCode === KSeFErrorCode.UnknownPublicKeyId
+        );
+        return new _KSeFUnknownPublicKeyError(messageOf(detail?.exceptionDescription), body);
+      }
+      static fromProblem(problem) {
+        const detail = problem.errors?.find((e) => e.code === KSeFErrorCode.UnknownPublicKeyId);
+        return new _KSeFUnknownPublicKeyError(messageOf(detail?.description || problem.detail));
+      }
+    };
+  }
+});
+
 // src/errors/ksef-circuit-open-error.ts
 var KSeFCircuitOpenError;
 var init_ksef_circuit_open_error = __esm({
@@ -386,6 +419,7 @@ var init_errors = __esm({
     init_ksef_session_expired_error();
     init_ksef_validation_error();
     init_ksef_batch_timeout_error();
+    init_ksef_unknown_public_key_error();
     init_ksef_circuit_open_error();
     init_ksef_xsd_validation_error();
     init_error_codes();
@@ -652,6 +686,7 @@ var init_rest_client = __esm({
     init_ksef_gone_error();
     init_ksef_bad_request_error();
     init_ksef_batch_timeout_error();
+    init_ksef_unknown_public_key_error();
     init_error_codes();
     init_route_builder();
     init_transport();
@@ -666,6 +701,7 @@ var init_rest_client = __esm({
       circuitBreakerPolicy;
       authManager;
       presignedUrlPolicy;
+      onSystemWarning;
       constructor(options, config) {
         this.options = options;
         this.routeBuilder = new RouteBuilder(options.apiVersion);
@@ -675,23 +711,41 @@ var init_rest_client = __esm({
         this.circuitBreakerPolicy = config?.circuitBreakerPolicy ?? null;
         this.authManager = config?.authManager;
         this.presignedUrlPolicy = config?.presignedUrlPolicy;
+        this.onSystemWarning = config?.onSystemWarning;
       }
       async execute(request) {
         const response = await this.sendRequest(request);
         await this.ensureSuccess(response);
+        this.handleSystemWarning(response);
         const body = await response.json();
         return { body, headers: response.headers, statusCode: response.status };
       }
       async executeVoid(request) {
         const response = await this.sendRequest(request);
         await this.ensureSuccess(response);
+        this.handleSystemWarning(response);
       }
       async executeRaw(request) {
         const response = await this.sendRequest(request);
         await this.ensureSuccess(response);
+        this.handleSystemWarning(response);
         const body = await response.arrayBuffer();
         return { body, headers: response.headers, statusCode: response.status };
       }
+      /** Surface the optional `X-System-Warning` response header (KSeF API v2.6.0). */
+      handleSystemWarning(response) {
+        const warning = response.headers.get("x-system-warning");
+        if (!warning) return;
+        if (this.onSystemWarning) {
+          try {
+            this.onSystemWarning(warning);
+          } catch (error) {
+            consola3.warn("onSystemWarning callback threw an exception (ignored):", error);
+          }
+        } else {
+          consola3.warn(`KSeF system warning: ${warning}`);
+        }
+      }
       async sendRequest(request) {
         const url2 = this.buildUrl(request);
         if (request.isPresigned() && this.presignedUrlPolicy) {
@@ -833,9 +887,15 @@ var init_rest_client = __esm({
         if (response.status === 400) {
           const problem = tryParseProblem(isBadRequestProblem);
           if (problem) {
+            if (problem.errors?.some((e) => e.code === KSeFErrorCode.UnknownPublicKeyId)) {
+              throw KSeFUnknownPublicKeyError.fromProblem(problem);
+            }
             throw new KSeFBadRequestError(problem);
           }
           const legacy = parseJson();
+          if (hasErrorCode(legacy, KSeFErrorCode.UnknownPublicKeyId)) {
+            throw KSeFUnknownPublicKeyError.fromLegacy(legacy);
+          }
           if (hasErrorCode(legacy, KSeFErrorCode.BatchTimeout)) {
             throw KSeFBatchTimeoutError.fromResponse(400, legacy);
           }
@@ -2311,8 +2371,8 @@ var init_certificate_fetcher = __esm({
     init_routes();
     CertificateFetcher = class {
       restClient;
-      symmetricKeyPem;
-      ksefTokenPem;
+      symmetricKey;
+      ksefToken;
       initialized = false;
       constructor(restClient) {
         this.restClient = restClient;
@@ -2325,17 +2385,38 @@ var init_certificate_fetcher = __esm({
         this.initialized = false;
         await this.fetchCertificates();
       }
+      /**
+       * Immutable snapshot ({@link SelectedCertificate}) of the selected
+       * SymmetricKeyEncryption certificate. The stored object is replaced wholesale
+       * by {@link refresh}, never mutated, so holding the returned reference yields a
+       * consistent pem + publicKeyId pair even if a concurrent refresh swaps the cache.
+       */
+      getSymmetricKeyEncryption() {
+        return { ...this.requireSelected(this.symmetricKey) };
+      }
+      /** Immutable snapshot of the selected KsefTokenEncryption certificate. See {@link getSymmetricKeyEncryption}. */
+      getKsefTokenEncryption() {
+        return { ...this.requireSelected(this.ksefToken) };
+      }
       getSymmetricKeyEncryptionPem() {
-        if (!this.symmetricKeyPem) {
-          throw new Error("CertificateFetcher not initialized. Call init() first.");
-        }
-        return this.symmetricKeyPem;
+        return this.requireSelected(this.symmetricKey).pem;
       }
       getKsefTokenEncryptionPem() {
-        if (!this.ksefTokenPem) {
+        return this.requireSelected(this.ksefToken).pem;
+      }
+      /** Public key identifier of the selected SymmetricKeyEncryption certificate (KSeF API v2.5.0). */
+      getSymmetricKeyPublicKeyId() {
+        return this.requireSelected(this.symmetricKey).publicKeyId;
+      }
+      /** Public key identifier of the selected KsefTokenEncryption certificate (KSeF API v2.5.0). */
+      getKsefTokenPublicKeyId() {
+        return this.requireSelected(this.ksefToken).publicKeyId;
+      }
+      requireSelected(selected) {
+        if (!selected) {
           throw new Error("CertificateFetcher not initialized. Call init() first.");
         }
-        return this.ksefTokenPem;
+        return selected;
       }
       async fetchCertificates() {
         const request = RestRequest.get(Routes.Security.publicKeyCertificates);
@@ -2344,19 +2425,27 @@ var init_certificate_fetcher = __esm({
         if (!certs || certs.length === 0) {
           throw new Error("No public key certificates returned from KSeF API.");
         }
-        const symmetricCert = certs.find((c) => c.usage.includes("SymmetricKeyEncryption"));
-        if (!symmetricCert) {
-          throw new Error("No SymmetricKeyEncryption certificate found.");
-        }
-        this.symmetricKeyPem = this.derBase64ToPem(symmetricCert.certificate);
-        const tokenCerts = certs.filter((c) => c.usage.includes("KsefTokenEncryption")).sort((a, b) => a.validFrom.localeCompare(b.validFrom));
-        const tokenCert = tokenCerts[0];
-        if (!tokenCert) {
-          throw new Error("No KsefTokenEncryption certificate found.");
-        }
-        this.ksefTokenPem = this.derBase64ToPem(tokenCert.certificate);
+        this.symmetricKey = this.select(certs, "SymmetricKeyEncryption");
+        this.ksefToken = this.select(certs, "KsefTokenEncryption");
         this.initialized = true;
       }
+      /**
+       * Select the certificate to use for a given usage under key rotation:
+       * filter to currently-valid certificates (validFrom ≤ now < validTo) and pick
+       * the newest by validFrom. If none are currently valid, fall back to the newest
+       * overall so the server can reject it with a clear error rather than sending nothing.
+       */
+      select(certs, usage) {
+        const candidates = certs.filter((c) => c.usage.includes(usage));
+        if (candidates.length === 0) {
+          throw new Error(`No ${usage} certificate found.`);
+        }
+        const now = Date.now();
+        const byNewestValidFrom = (a, b) => Date.parse(b.validFrom) - Date.parse(a.validFrom);
+        const valid = candidates.filter((c) => Date.parse(c.validFrom) <= now && now < Date.parse(c.validTo)).sort(byNewestValidFrom);
+        const chosen = valid[0] ?? [...candidates].sort(byNewestValidFrom)[0];
+        return { pem: this.derBase64ToPem(chosen.certificate), publicKeyId: chosen.publicKeyId };
+      }
       derBase64ToPem(base64Der) {
         const lines = [];
         for (let i = 0; i < base64Der.length; i += 64) {
@@ -2411,6 +2500,14 @@ var init_cryptography_service = __esm({
       async init() {
         await this.fetcher.init();
       }
+      /** Re-fetch KSeF public certificates, discarding the cached selection (used for key-rotation recovery). */
+      async refresh() {
+        await this.fetcher.refresh();
+      }
+      /** Identifier of the KsefTokenEncryption public key used by {@link encryptKsefToken} (KSeF API v2.5.0). */
+      getKsefTokenPublicKeyId() {
+        return this.fetcher.getKsefTokenPublicKeyId();
+      }
       // ---------------------------------------------------------------------------
       // AES-256-CBC
       // ---------------------------------------------------------------------------
@@ -2456,11 +2553,12 @@ var init_cryptography_service = __esm({
       async getEncryptionData() {
         const key = crypto.randomBytes(32);
         const iv = crypto.randomBytes(16);
-        const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
-        const encryptedKey = await this.rsaOaepEncrypt(certPem, new Uint8Array(key));
+        const cert = this.fetcher.getSymmetricKeyEncryption();
+        const encryptedKey = await this.rsaOaepEncrypt(cert.pem, new Uint8Array(key));
         const encryptionInfo = {
           encryptedSymmetricKey: Buffer.from(encryptedKey).toString("base64"),
-          initializationVector: iv.toString("base64")
+          initializationVector: iv.toString("base64"),
+          publicKeyId: cert.publicKeyId
         };
         return {
           cipherKey: new Uint8Array(key),
@@ -2485,9 +2583,29 @@ var init_cryptography_service = __esm({
        * `[ephemeralSPKI | nonce(12) | ciphertext+tag]`.
        */
       async encryptKsefToken(token, challengeTimestamp) {
+        return this.encryptKsefTokenWithCertPem(
+          this.fetcher.getKsefTokenEncryptionPem(),
+          token,
+          challengeTimestamp
+        );
+      }
+      /**
+       * Encrypt a KSeF token and return it together with the public key id of the
+       * exact certificate used.
+       *
+       * Both values come from a single certificate snapshot taken before any
+       * `await`, so a concurrent {@link refresh} cannot tag the ciphertext with a
+       * different key than it was encrypted under (KSeF API v2.5.0). Prefer this over
+       * pairing {@link encryptKsefToken} with a separate {@link getKsefTokenPublicKeyId}.
+       */
+      async encryptKsefTokenWithKeyId(token, challengeTimestamp) {
+        const cert = this.fetcher.getKsefTokenEncryption();
+        const encryptedToken = await this.encryptKsefTokenWithCertPem(cert.pem, token, challengeTimestamp);
+        return { encryptedToken, publicKeyId: cert.publicKeyId };
+      }
+      async encryptKsefTokenWithCertPem(certPem, token, challengeTimestamp) {
         const timestampMs = new Date(challengeTimestamp).getTime();
         const plaintext = Buffer.from(`${token}|${timestampMs}`, "utf-8");
-        const certPem = this.fetcher.getKsefTokenEncryptionPem();
         const cert = new crypto.X509Certificate(certPem);
         const publicKey = cert.publicKey;
         if (publicKey.asymmetricKeyType === "rsa") {
@@ -2646,6 +2764,25 @@ var init_cryptography_service = __esm({
   }
 });
 
+// src/crypto/with-key-rotation-retry.ts
+async function withKeyRotationRetry(crypto8, op) {
+  try {
+    return await op();
+  } catch (err) {
+    if (err instanceof KSeFUnknownPublicKeyError) {
+      await crypto8.refresh();
+      return await op();
+    }
+    throw err;
+  }
+}
+var init_with_key_rotation_retry = __esm({
+  "src/crypto/with-key-rotation-retry.ts"() {
+    "use strict";
+    init_ksef_unknown_public_key_error();
+  }
+});
+
 // src/qr/verification-link-service.ts
 import crypto2 from "node:crypto";
 var VerificationLinkService;
@@ -2729,7 +2866,7 @@ var AUTH_TOKEN_REQUEST_NS;
 var init_auth_xml_builder = __esm({
   "src/crypto/auth-xml-builder.ts"() {
     "use strict";
-    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
+    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.1";
   }
 });
 
@@ -2960,6 +3097,7 @@ var init_offline_invoice_workflow = __esm({
     "use strict";
     init_ksef_api_error();
     init_deadline();
+    init_with_key_rotation_retry();
     init_document_structures();
     OfflineInvoiceWorkflow = class {
       constructor(qrService) {
@@ -3066,11 +3204,14 @@ var init_offline_invoice_workflow = __esm({
         }
         if (pending.length === 0) return result;
         await client.crypto.init();
-        const encData = await client.crypto.getEncryptionData();
         const formCode = options.formCode ?? DEFAULT_FORM_CODE;
-        const openResp = await client.onlineSession.openSession(
-          { formCode, encryption: encData.encryptionInfo }
-        );
+        const { encData, openResp } = await withKeyRotationRetry(client.crypto, async () => {
+          const encData2 = await client.crypto.getEncryptionData();
+          const openResp2 = await client.onlineSession.openSession(
+            { formCode, encryption: encData2.encryptionInfo }
+          );
+          return { encData: encData2, openResp: openResp2 };
+        });
         const sessionRef = openResp.referenceNumber;
         try {
           for (const inv of pending) {
@@ -3155,11 +3296,14 @@ var init_offline_invoice_workflow = __esm({
         }
         const originalHash = crypto3.createHash("sha256").update(original.invoiceXml).digest("base64");
         await client.crypto.init();
-        const encData = await client.crypto.getEncryptionData();
         const formCode = options.formCode ?? DEFAULT_FORM_CODE;
-        const openResp = await client.onlineSession.openSession(
-          { formCode, encryption: encData.encryptionInfo }
-        );
+        const { encData, openResp } = await withKeyRotationRetry(client.crypto, async () => {
+          const encData2 = await client.crypto.getEncryptionData();
+          const openResp2 = await client.onlineSession.openSession(
+            { formCode, encryption: encData2.encryptionInfo }
+          );
+          return { encData: encData2, openResp: openResp2 };
+        });
         const sessionRef = openResp.referenceNumber;
         try {
           const data = new TextEncoder().encode(correctedInvoiceXml);
@@ -3611,6 +3755,9 @@ function buildRestClientConfig(options, authManager) {
       allowedHosts: [...base.allowedHosts, ...options.presignedUrlHosts]
     };
   }
+  if (options?.onSystemWarning) {
+    config.onSystemWarning = options.onSystemWarning;
+  }
   return config;
 }
 var KSeFClient;
@@ -3639,6 +3786,7 @@ var init_client = __esm({
     init_test_data();
     init_certificate_fetcher();
     init_cryptography_service();
+    init_with_key_rotation_retry();
     init_verification_link_service();
     init_auth_xml_builder();
     init_offline_invoice_workflow();
@@ -3705,11 +3853,14 @@ var init_client = __esm({
       async loginWithToken(token, nip) {
         const challenge2 = await this.auth.getChallenge();
         await this.crypto.init();
-        const encryptedToken = await this.crypto.encryptKsefToken(token, challenge2.timestamp);
-        const submitResult = await this.auth.submitKsefTokenAuthRequest({
-          challenge: challenge2.challenge,
-          contextIdentifier: { type: "Nip", value: nip },
-          encryptedToken: Buffer.from(encryptedToken).toString("base64")
+        const submitResult = await withKeyRotationRetry(this.crypto, async () => {
+          const { encryptedToken, publicKeyId } = await this.crypto.encryptKsefTokenWithKeyId(token, challenge2.timestamp);
+          return this.auth.submitKsefTokenAuthRequest({
+            challenge: challenge2.challenge,
+            contextIdentifier: { type: "Nip", value: nip },
+            encryptedToken: Buffer.from(encryptedToken).toString("base64"),
+            publicKeyId
+          });
         });
         const authToken = submitResult.authenticationToken.token;
         await this.awaitAuthReady(submitResult.referenceNumber, authToken);
@@ -4607,6 +4758,135 @@ var init_zip = __esm({
   }
 });
 
+// src/utils/targz.ts
+var targz_exports = {};
+__export(targz_exports, {
+  createTarGz: () => createTarGz,
+  extractTarGz: () => extractTarGz
+});
+import { createGzip, createGunzip } from "node:zlib";
+import { Readable } from "node:stream";
+import { extract, pack } from "tar-stream";
+async function createTarGz(entries) {
+  const packer = pack();
+  const gzip = packer.pipe(createGzip());
+  const chunks = [];
+  return new Promise((resolve2, reject) => {
+    let settled = false;
+    const fail = (err) => {
+      if (settled) return;
+      settled = true;
+      reject(err);
+    };
+    packer.on("error", fail);
+    gzip.on("error", fail);
+    gzip.on("data", (chunk) => chunks.push(chunk));
+    gzip.on("end", () => {
+      if (settled) return;
+      settled = true;
+      resolve2(Buffer.concat(chunks));
+    });
+    try {
+      for (const entry of entries) {
+        const content = Buffer.from(entry.content);
+        packer.entry({ name: entry.fileName, size: content.length }, content);
+      }
+      packer.finalize();
+    } catch (err) {
+      fail(err instanceof Error ? err : new Error(String(err)));
+    }
+  });
+}
+async function extractTarGz(buffer, options = {}) {
+  const limits2 = { ...DEFAULT_LIMITS, ...options };
+  const ratioCeiling = limits2.maxCompressionRatio !== null && limits2.maxCompressionRatio !== void 0 && buffer.length > 0 ? buffer.length * limits2.maxCompressionRatio : null;
+  return new Promise((resolve2, reject) => {
+    const source = Readable.from(buffer);
+    const gunzip = createGunzip();
+    const extractor = extract();
+    const files = /* @__PURE__ */ new Map();
+    let extractedFileCount = 0;
+    let totalUncompressed = 0;
+    let settled = false;
+    const cleanup = () => {
+      source.destroy();
+      gunzip.destroy();
+      extractor.destroy();
+    };
+    const fail = (err) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      reject(err);
+    };
+    const succeed = () => {
+      if (settled) return;
+      settled = true;
+      resolve2(files);
+    };
+    gunzip.on("data", (chunk) => {
+      totalUncompressed += chunk.length;
+      if (limits2.maxTotalUncompressedSize > 0 && totalUncompressed > limits2.maxTotalUncompressedSize) {
+        fail(new Error("tar.gz exceeds max_total_uncompressed_size"));
+        return;
+      }
+      if (ratioCeiling !== null && totalUncompressed > ratioCeiling) {
+        fail(new Error("tar.gz exceeds max_compression_ratio"));
+      }
+    });
+    extractor.on("entry", (header, stream, next) => {
+      if (settled) {
+        stream.resume();
+        return;
+      }
+      if (header.type !== "file") {
+        stream.resume();
+        stream.on("end", next);
+        return;
+      }
+      if (limits2.maxFiles > 0 && extractedFileCount >= limits2.maxFiles) {
+        fail(new Error("tar.gz contains too many files"));
+        return;
+      }
+      const chunks = [];
+      let entrySize = 0;
+      stream.on("data", (chunk) => {
+        if (settled) return;
+        entrySize += chunk.length;
+        if (limits2.maxFileUncompressedSize > 0 && entrySize > limits2.maxFileUncompressedSize) {
+          fail(new Error("tar.gz entry exceeds max_file_uncompressed_size"));
+          return;
+        }
+        chunks.push(chunk);
+      });
+      stream.on("error", fail);
+      stream.on("end", () => {
+        if (settled) return;
+        extractedFileCount += 1;
+        files.set(header.name, Buffer.concat(chunks));
+        next();
+      });
+    });
+    extractor.on("finish", succeed);
+    extractor.on("error", fail);
+    gunzip.on("error", fail);
+    source.on("error", fail);
+    source.pipe(gunzip).pipe(extractor);
+  });
+}
+var DEFAULT_LIMITS;
+var init_targz = __esm({
+  "src/utils/targz.ts"() {
+    "use strict";
+    DEFAULT_LIMITS = {
+      maxFiles: 1e4,
+      maxTotalUncompressedSize: 2e9,
+      maxFileUncompressedSize: 5e8,
+      maxCompressionRatio: 200
+    };
+  }
+});
+
 // src/validation/xml-to-object.ts
 import { DOMParser as DOMParser2 } from "@xmldom/xmldom";
 function xmlToObject(xml) {
@@ -5505,15 +5785,15 @@ var init_fa2 = __esm({
   }
 });
 
-// src/validation/schemas/rr1-v11e.ts
-var rr1_v11e_exports = {};
-__export(rr1_v11e_exports, {
-  RR1_V11ESchema: () => RR1_V11ESchema
+// src/validation/schemas/fa-rr1.ts
+var fa_rr1_exports = {};
+__export(fa_rr1_exports, {
+  FA_RR1Schema: () => FA_RR1Schema
 });
 import { z as z3 } from "zod";
-var TKodFormularza3, TDataCzas3, TZnakowy4, TNaglowek3, TNrNIP3, TZnakowy5123, TPodmiot13, TKodKraju3, TGLN3, TAdres3, TAdresEmail3, TNumerTelefonu3, TStatusInfoPodatnika3, TZnakowy203, TNIPIdWew3, TWybor13, TPodmiot33, TRolaPodmiotu33, TKodWaluty3, TData3, TDataT3, TKwotowy4, TRodzajFaktury3, TTypKorekty3, TNumerKSeF3, TNaturalny3, TKluczWartosc3, TZnakowy503, TIlosci3, TKwotowy23, TProcentowy3, TStawkaPodatku3, TFormaPlatnosci3, TNrRB3, SWIFT_Type3, TRachunekBankowy3, TTekstowy3, TNrKRS3, TNrREGON3, RR1_V11ESchema;
-var init_rr1_v11e = __esm({
-  "src/validation/schemas/rr1-v11e.ts"() {
+var TKodFormularza3, TDataCzas3, TZnakowy4, TNaglowek3, TNrNIP3, TZnakowy5123, TPodmiot13, TKodKraju3, TGLN3, TAdres3, TAdresEmail3, TNumerTelefonu3, TStatusInfoPodatnika3, TZnakowy203, TNIPIdWew3, TWybor13, TPodmiot33, TRolaPodmiotu33, TKodWaluty3, TData3, TDataT3, TKwotowy4, TRodzajFaktury3, TTypKorekty3, TNumerKSeF3, TNaturalny3, TKluczWartosc3, TZnakowy503, TIlosci3, TKwotowy23, TProcentowy3, TStawkaPodatku3, TFormaPlatnosci3, TNrRB3, SWIFT_Type3, TRachunekBankowy3, TTekstowy3, TNrKRS3, TNrREGON3, FA_RR1Schema;
+var init_fa_rr1 = __esm({
+  "src/validation/schemas/fa-rr1.ts"() {
     "use strict";
     TKodFormularza3 = z3.literal("FA_RR");
     TDataCzas3 = z3.string();
@@ -5581,7 +5861,7 @@ var init_rr1_v11e = __esm({
     TTekstowy3 = z3.string().min(1).max(3500);
     TNrKRS3 = z3.string().regex(/^\d{10}$/);
     TNrREGON3 = z3.union([z3.string().regex(/^\d{9}$/), z3.string().regex(/^\d{14}$/)]);
-    RR1_V11ESchema = z3.object({
+    FA_RR1Schema = z3.object({
       "Naglowek": TNaglowek3,
       "Podmiot1": z3.object({
         "DaneIdentyfikacyjne": TPodmiot13,
@@ -5710,222 +5990,87 @@ var init_rr1_v11e = __esm({
   }
 });
 
-// src/validation/schemas/rr1-v10e.ts
-var rr1_v10e_exports = {};
-__export(rr1_v10e_exports, {
-  RR1_V10ESchema: () => RR1_V10ESchema
+// src/validation/schemas/pef3.ts
+var pef3_exports = {};
+__export(pef3_exports, {
+  PEF3Schema: () => PEF3Schema
 });
 import { z as z4 } from "zod";
-var TKodFormularza4, TDataCzas4, TZnakowy5, TNaglowek4, TNrNIP4, TZnakowy5124, TPodmiot14, TKodKraju4, TGLN4, TAdres4, TAdresEmail4, TNumerTelefonu4, TStatusInfoPodatnika4, TZnakowy204, TNIPIdWew4, TWybor14, TPodmiot34, TRolaPodmiotu34, TKodWaluty4, TData4, TDataT4, TKwotowy5, TRodzajFaktury4, TTypKorekty4, TNumerKSeF4, TNaturalny4, TKluczWartosc4, TZnakowy504, TIlosci4, TKwotowy24, TProcentowy4, TStawkaPodatku4, TFormaPlatnosci4, TNrRB4, SWIFT_Type4, TRachunekBankowy4, TTekstowy4, TNrKRS4, TNrREGON4, RR1_V10ESchema;
-var init_rr1_v10e = __esm({
-  "src/validation/schemas/rr1-v10e.ts"() {
+var InvoiceType, PEF3Schema;
+var init_pef3 = __esm({
+  "src/validation/schemas/pef3.ts"() {
     "use strict";
-    TKodFormularza4 = z4.literal("FA_RR");
-    TDataCzas4 = z4.string();
-    TZnakowy5 = z4.string().min(1).max(256);
-    TNaglowek4 = z4.object({
-      "KodFormularza": z4.object({ "#text": TKodFormularza4, "@kodSystemowy": z4.literal("FA_RR(1)"), "@wersjaSchemy": z4.literal("1-0E") }).strict(),
-      "WariantFormularza": z4.literal("1"),
-      "DataWytworzeniaFa": z4.string(),
-      "SystemInfo": TZnakowy5.optional()
-    }).strict();
-    TNrNIP4 = z4.string().regex(/^[1-9]((\d[1-9])|([1-9]\d))\d{7}$/);
-    TZnakowy5124 = z4.string().min(1).max(512);
-    TPodmiot14 = z4.object({
-      "NIP": TNrNIP4,
-      "Nazwa": TZnakowy5124
-    }).strict();
-    TKodKraju4 = z4.enum(["AF", "AX", "AL", "DZ", "AD", "AO", "AI", "AQ", "AG", "AN", "SA", "AR", "AM", "AW", "AU", "AT", "AZ", "BS", "BH", "BD", "BB", "BE", "BZ", "BJ", "BM", "BT", "BY", "BO", "BQ", "BA", "BW", "BR", "BN", "IO", "BG", "BF", "BI", "XC", "CL", "CN", "HR", "CW", "CY", "TD", "ME", "DK", "DM", "DO", "DJ", "EG", "EC", "ER", "EE", "ET", "FK", "FJ", "PH", "FI", "FR", "TF", "GA", "GM", "GH", "GI", "GR", "GD", "GL", "GE", "GU", "GG", "GY", "GF", "GP", "GT", "GN", "GQ", "GW", "HT", "ES", "HN", "HK", "IN", "ID", "IQ", "IR", "IE", "IS", "IL", "JM", "JP", "YE", "JE", "JO", "KY", "KH", "CM", "CA", "QA", "KZ", "KE", "KG", "KI", "CO", "KM", "CG", "CD", "KP", "XK", "CR", "CU", "KW", "LA", "LS", "LB", "LR", "LY", "LI", "LT", "LV", "LU", "MK", "MG", "YT", "MO", "MW", "MV", "MY", "ML", "MT", "MP", "MA", "MQ", "MR", "MU", "MX", "XL", "FM", "UM", "MD", "MC", "MN", "MS", "MZ", "MM", "NA", "NR", "NP", "NL", "DE", "NE", "NG", "NI", "NU", "NF", "NO", "NC", "NZ", "PS", "OM", "PK", "PW", "PA", "PG", "PY", "PE", "PN", "PF", "PL", "GS", "PT", "PR", "CF", "CZ", "KR", "ZA", "RE", "RU", "RO", "RW", "EH", "BL", "KN", "LC", "MF", "VC", "SV", "WS", "AS", "SM", "SN", "RS", "SC", "SL", "SG", "SK", "SI", "SO", "LK", "PM", "US", "SZ", "SD", "SS", "SR", "SJ", "SH", "SY", "CH", "SE", "TJ", "TH", "TW", "TZ", "TG", "TK", "TO", "TT", "TN", "TR", "TM", "TV", "UG", "UA", "UY", "UZ", "VU", "WF", "VA", "HU", "VE", "GB", "VN", "IT", "TL", "CI", "BV", "CX", "IM", "SX", "CK", "VI", "VG", "HM", "CC", "MH", "FO", "SB", "ST", "TC", "ZM", "CV", "ZW", "AE", "XI"]);
-    TGLN4 = z4.string().min(1).max(13);
-    TAdres4 = z4.object({
-      "KodKraju": TKodKraju4,
-      "AdresL1": TZnakowy5124,
-      "AdresL2": TZnakowy5124.optional(),
-      "GLN": TGLN4.optional()
-    }).strict();
-    TAdresEmail4 = z4.string().min(3).max(255).regex(/^(.)+@(.)+$/);
-    TNumerTelefonu4 = z4.string().min(1).max(16);
-    TStatusInfoPodatnika4 = z4.enum(["1", "2", "3", "4"]);
-    TZnakowy204 = z4.string().min(1).max(20);
-    TNIPIdWew4 = z4.string().min(1).max(20).regex(/^[1-9]((\d[1-9])|([1-9]\d))\d{7}-\d{5}$/);
-    TWybor14 = z4.literal("1");
-    TPodmiot34 = z4.object({
-      "NIP": TNrNIP4.optional(),
-      "IDWew": TNIPIdWew4.optional(),
-      "BrakID": TWybor14.optional(),
-      "Nazwa": TZnakowy5124
-    }).strict();
-    TRolaPodmiotu34 = z4.enum(["1", "2", "3", "5", "6", "7", "8", "9", "10", "11"]);
-    TKodWaluty4 = z4.enum(["AED", "AFN", "ALL", "AMD", "ANG", "AOA", "ARS", "AUD", "AWG", "AZN", "BAM", "BBD", "BDT", "BGN", "BHD", "BIF", "BMD", "BND", "BOB", "BOV", "BRL", "BSD", "BTN", "BWP", "BYN", "BZD", "CAD", "CDF", "CHE", "CHF", "CHW", "CLF", "CLP", "CNY", "COP", "COU", "CRC", "CUC", "CUP", "CVE", "CZK", "DJF", "DKK", "DOP", "DZD", "EGP", "ERN", "ETB", "EUR", "FJD", "FKP", "GBP", "GEL", "GGP", "GHS", "GIP", "GMD", "GNF", "GTQ", "GYD", "HKD", "HNL", "HRK", "HTG", "HUF", "IDR", "ILS", "IMP", "INR", "IQD", "IRR", "ISK", "JEP", "JMD", "JOD", "JPY", "KES", "KGS", "KHR", "KMF", "KPW", "KRW", "KWD", "KYD", "KZT", "LAK", "LBP", "LKR", "LRD", "LSL", "LYD", "MAD", "MDL", "MGA", "MKD", "MMK", "MNT", "MOP", "MRU", "MUR", "MVR", "MWK", "MXN", "MXV", "MYR", "MZN", "NAD", "NGN", "NIO", "NOK", "NPR", "NZD", "OMR", "PAB", "PEN", "PGK", "PHP", "PKR", "PLN", "PYG", "QAR", "RON", "RSD", "RUB", "RWF", "SAR", "SBD", "SCR", "SDG", "SEK", "SGD", "SHP", "SLL", "SOS", "SRD", "SSP", "STN", "SVC", "SYP", "SZL", "THB", "TJS", "TMT", "TND", "TOP", "TRY", "TTD", "TWD", "TZS", "UAH", "UGX", "USD", "USN", "UYI", "UYU", "UYW", "UZS", "VES", "VND", "VUV", "WST", "XAF", "XAG", "XAU", "XBA", "XBB", "XBC", "XBD", "XCD", "XCG", "XDR", "XOF", "XPD", "XPF", "XPT", "XSU", "XUA", "XXX", "YER", "ZAR", "ZMW", "ZWL"]);
-    TData4 = z4.string();
-    TDataT4 = z4.string();
-    TKwotowy5 = z4.string().regex(/^-?([1-9]\d{0,15}|0)(\.\d{1,2})?$/);
-    TRodzajFaktury4 = z4.enum(["VAT_RR", "KOR_VAT_RR"]);
-    TTypKorekty4 = z4.enum(["1", "2", "3", "4"]);
-    TNumerKSeF4 = z4.string().regex(/^([1-9]((\d[1-9])|([1-9]\d))\d{7}|M\d{9}|[A-Z]{3}\d{7})-(20[2-9][0-9]|2[1-9][0-9]{2}|[3-9][0-9]{3})(0[1-9]|1[0-2])(0[1-9]|[1-2][0-9]|3[0-1])-([0-9A-F]{6})-?([0-9A-F]{6})-([0-9A-F]{2})$/);
-    TNaturalny4 = z4.string();
-    TKluczWartosc4 = z4.object({
-      "NrWiersza": TNaturalny4.optional(),
-      "Klucz": TZnakowy5,
-      "Wartosc": TZnakowy5
-    }).strict();
-    TZnakowy504 = z4.string().min(1).max(50);
-    TIlosci4 = z4.string().regex(/^-?([1-9]\d{0,15}|0)(\.\d{1,6})?$/);
-    TKwotowy24 = z4.string().regex(/^-?([1-9]\d{0,13}|0)(\.\d{1,8})?$/);
-    TProcentowy4 = z4.coerce.number().min(0).max(100);
-    TStawkaPodatku4 = z4.enum(["6.5", "7"]);
-    TFormaPlatnosci4 = z4.literal("1");
-    TNrRB4 = z4.string().min(10).max(34);
-    SWIFT_Type4 = z4.string().regex(/^[A-Z]{6}[A-Z0-9]{2}([A-Z0-9]{3}){0,1}$/);
-    TRachunekBankowy4 = z4.object({
-      "NrRB": TNrRB4,
-      "SWIFT": SWIFT_Type4.optional(),
-      "NazwaBanku": TZnakowy5.optional(),
-      "OpisRachunku": TZnakowy5.optional()
-    }).strict();
-    TTekstowy4 = z4.string().min(1).max(3500);
-    TNrKRS4 = z4.string().regex(/^\d{10}$/);
-    TNrREGON4 = z4.union([z4.string().regex(/^\d{9}$/), z4.string().regex(/^\d{14}$/)]);
-    RR1_V10ESchema = z4.object({
-      "Naglowek": TNaglowek4,
-      "Podmiot1": z4.object({
-        "DaneIdentyfikacyjne": TPodmiot14,
-        "Adres": TAdres4,
-        "AdresKoresp": TAdres4.optional(),
-        "DaneKontaktowe": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-          "Email": TAdresEmail4.optional(),
-          "Telefon": TNumerTelefonu4.optional()
-        }).strict()).min(0).max(3)).optional(),
-        "NrKontrahenta": TZnakowy5.optional()
-      }).strict(),
-      "Podmiot2": z4.object({
-        "DaneIdentyfikacyjne": TPodmiot14,
-        "Adres": TAdres4,
-        "AdresKoresp": TAdres4.optional(),
-        "DaneKontaktowe": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-          "Email": TAdresEmail4.optional(),
-          "Telefon": TNumerTelefonu4.optional()
-        }).strict()).min(0).max(3)).optional(),
-        "StatusInfoPodatnika": TStatusInfoPodatnika4.optional()
-      }).strict(),
-      "Podmiot3": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-        "DaneIdentyfikacyjne": TPodmiot34,
-        "Adres": TAdres4.optional(),
-        "AdresKoresp": TAdres4.optional(),
-        "DaneKontaktowe": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-          "Email": TAdresEmail4.optional(),
-          "Telefon": TNumerTelefonu4.optional()
-        }).strict()).min(0).max(3)).optional(),
-        "Rola": TRolaPodmiotu34.optional(),
-        "RolaInna": TWybor14.optional(),
-        "OpisRoli": TZnakowy5.optional()
-      }).strict()).min(0).max(100)).optional(),
-      "FakturaRR": z4.object({
-        "KodWaluty": TKodWaluty4,
-        "P_1M": TZnakowy5.optional(),
-        "P_4A": TDataT4.optional(),
-        "P_4B": TDataT4,
-        "P_4C": TZnakowy5,
-        "P_11_1": TKwotowy5,
-        "P_11_1W": TKwotowy5.optional(),
-        "P_11_2": TKwotowy5,
-        "P_11_2W": TKwotowy5.optional(),
-        "P_12_1": TKwotowy5,
-        "P_12_1W": TKwotowy5.optional(),
-        "P_12_2": TZnakowy5,
-        "RodzajFaktury": TRodzajFaktury4,
-        "PrzyczynaKorekty": TZnakowy5.optional(),
-        "TypKorekty": TTypKorekty4.optional(),
-        "DaneFaKorygowanej": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-          "DataWystFaKorygowanej": TDataT4,
-          "NrFaKorygowanej": TZnakowy5,
-          "NrKSeF": TWybor14.optional(),
-          "NrKSeFFaKorygowanej": TNumerKSeF4.optional(),
-          "NrKSeFN": TWybor14.optional()
-        }).strict()).min(1).max(5e4)).optional(),
-        "NrFaKorygowany": TZnakowy5.optional(),
-        "Podmiot1K": z4.object({
-          "DaneIdentyfikacyjne": TPodmiot14,
-          "Adres": TAdres4
-        }).strict().optional(),
-        "Podmiot2K": z4.object({
-          "DaneIdentyfikacyjne": TPodmiot14,
-          "Adres": TAdres4
-        }).strict().optional(),
-        "DokumentZaplaty": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-          "NrDokumentu": TZnakowy5,
-          "DataDokumentu": TData4.optional()
-        }).strict()).min(0).max(50)).optional(),
-        "DodatkowyOpis": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(TKluczWartosc4).min(0).max(1e4)).optional(),
-        "FakturaRRWiersz": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-          "NrWierszaFa": TNaturalny4,
-          "UU_ID": TZnakowy504.optional(),
-          "P_4AA": TDataT4.optional(),
-          "P_5": TZnakowy5,
-          "GTIN": TZnakowy204.optional(),
-          "PKWiU": TZnakowy504.optional(),
-          "CN": TZnakowy504.optional(),
-          "P_6A": TZnakowy5,
-          "P_6B": TIlosci4,
-          "P_6C": TZnakowy5,
-          "P_7": TKwotowy24,
-          "P_8": TKwotowy5,
-          "P_9": TStawkaPodatku4,
-          "P_10": TKwotowy5,
-          "P_11": TKwotowy5,
-          "StanPrzed": TWybor14.optional(),
-          "KursWaluty": TIlosci4.optional()
-        }).strict()).min(0).max(1e4)).optional(),
-        "Rozliczenie": z4.object({
-          "Obciazenia": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-            "Kwota": TKwotowy5,
-            "Powod": TZnakowy5
-          }).strict()).min(0).max(100)).optional(),
-          "SumaObciazen": TKwotowy5.optional(),
-          "Odliczenia": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-            "Kwota": TKwotowy5,
-            "Powod": TZnakowy5
-          }).strict()).min(0).max(100)).optional(),
-          "SumaOdliczen": TKwotowy5.optional(),
-          "DoZaplaty": TKwotowy5.optional(),
-          "DoRozliczenia": TKwotowy5.optional()
-        }).strict().optional(),
-        "Platnosc": z4.object({
-          "FormaPlatnosci": TFormaPlatnosci4.optional(),
-          "PlatnoscInna": TWybor14.optional(),
-          "OpisPlatnosci": TZnakowy5.optional(),
-          "RachunekBankowy1": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(TRachunekBankowy4).min(0).max(3)).optional(),
-          "RachunekBankowy2": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(TRachunekBankowy4).min(0).max(3)).optional(),
-          "IPKSeF": z4.string().min(1).max(13).regex(/^[0-9]{3}[a-zA-Z0-9]{10}$/).optional(),
-          "LinkDoPlatnosci": z4.string().min(1).max(512).regex(/^(https?):\/\/([a-zA-Z0-9][a-zA-Z0-9-]*\.)+[a-zA-Z]{2,}(:[0-9]{1,5})?(\/[^\s?#]*)?\?([^#\s]*&)?IPKSeF=[0-9]{3}[a-zA-Z0-9]{10}(&[^#\s]*)?(#.*)?$/).optional()
-        }).strict().optional()
-      }).strict(),
-      "Stopka": z4.object({
-        "Informacje": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-          "StopkaFaktury": TTekstowy4.optional()
-        }).strict()).min(0).max(3)).optional(),
-        "Rejestry": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.object({
-          "PelnaNazwa": TZnakowy5.optional(),
-          "KRS": TNrKRS4.optional(),
-          "REGON": TNrREGON4.optional(),
-          "BDO": z4.string().min(1).max(9).optional()
-        }).strict()).min(0).max(100)).optional()
-      }).strict().optional()
+    InvoiceType = z4.object({
+      "UBLExtensions": z4.any().optional(),
+      "UBLVersionID": z4.any().optional(),
+      "CustomizationID": z4.any().optional(),
+      "ProfileID": z4.any().optional(),
+      "ProfileExecutionID": z4.any().optional(),
+      "ID": z4.any(),
+      "CopyIndicator": z4.any().optional(),
+      "UUID": z4.any().optional(),
+      "IssueDate": z4.any(),
+      "IssueTime": z4.any().optional(),
+      "DueDate": z4.any().optional(),
+      "InvoiceTypeCode": z4.any().optional(),
+      "Note": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "TaxPointDate": z4.any().optional(),
+      "DocumentCurrencyCode": z4.any().optional(),
+      "TaxCurrencyCode": z4.any().optional(),
+      "PricingCurrencyCode": z4.any().optional(),
+      "PaymentCurrencyCode": z4.any().optional(),
+      "PaymentAlternativeCurrencyCode": z4.any().optional(),
+      "AccountingCostCode": z4.any().optional(),
+      "AccountingCost": z4.any().optional(),
+      "LineCountNumeric": z4.any().optional(),
+      "BuyerReference": z4.any().optional(),
+      "InvoicePeriod": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "OrderReference": z4.any().optional(),
+      "BillingReference": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "DespatchDocumentReference": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "ReceiptDocumentReference": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "StatementDocumentReference": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "OriginatorDocumentReference": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "ContractDocumentReference": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "AdditionalDocumentReference": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "ProjectReference": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "Signature": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "AccountingSupplierParty": z4.any(),
+      "AccountingCustomerParty": z4.any(),
+      "PayeeParty": z4.any().optional(),
+      "BuyerCustomerParty": z4.any().optional(),
+      "SellerSupplierParty": z4.any().optional(),
+      "TaxRepresentativeParty": z4.any().optional(),
+      "Delivery": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "DeliveryTerms": z4.any().optional(),
+      "PaymentMeans": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "PaymentTerms": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "PrepaidPayment": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "AllowanceCharge": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "TaxExchangeRate": z4.any().optional(),
+      "PricingExchangeRate": z4.any().optional(),
+      "PaymentExchangeRate": z4.any().optional(),
+      "PaymentAlternativeExchangeRate": z4.any().optional(),
+      "TaxTotal": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "WithholdingTaxTotal": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(0)).optional(),
+      "LegalMonetaryTotal": z4.any(),
+      "InvoiceLine": z4.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z4.array(z4.any()).min(1))
     }).strict();
+    PEF3Schema = InvoiceType;
   }
 });
 
-// src/validation/schemas/pef3.ts
-var pef3_exports = {};
-__export(pef3_exports, {
-  PEF3Schema: () => PEF3Schema
+// src/validation/schemas/pef-kor3.ts
+var pef_kor3_exports = {};
+__export(pef_kor3_exports, {
+  PEF_KOR3Schema: () => PEF_KOR3Schema
 });
 import { z as z5 } from "zod";
-var InvoiceType, PEF3Schema;
-var init_pef3 = __esm({
-  "src/validation/schemas/pef3.ts"() {
+var CreditNoteType, PEF_KOR3Schema;
+var init_pef_kor3 = __esm({
+  "src/validation/schemas/pef-kor3.ts"() {
     "use strict";
-    InvoiceType = z5.object({
+    CreditNoteType = z5.object({
       "UBLExtensions": z5.any().optional(),
       "UBLVersionID": z5.any().optional(),
       "CustomizationID": z5.any().optional(),
@@ -5936,10 +6081,9 @@ var init_pef3 = __esm({
       "UUID": z5.any().optional(),
       "IssueDate": z5.any(),
       "IssueTime": z5.any().optional(),
-      "DueDate": z5.any().optional(),
-      "InvoiceTypeCode": z5.any().optional(),
-      "Note": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "TaxPointDate": z5.any().optional(),
+      "CreditNoteTypeCode": z5.any().optional(),
+      "Note": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "DocumentCurrencyCode": z5.any().optional(),
       "TaxCurrencyCode": z5.any().optional(),
       "PricingCurrencyCode": z5.any().optional(),
@@ -5950,15 +6094,15 @@ var init_pef3 = __esm({
       "LineCountNumeric": z5.any().optional(),
       "BuyerReference": z5.any().optional(),
       "InvoicePeriod": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
+      "DiscrepancyResponse": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "OrderReference": z5.any().optional(),
       "BillingReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "DespatchDocumentReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "ReceiptDocumentReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
-      "StatementDocumentReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
-      "OriginatorDocumentReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "ContractDocumentReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "AdditionalDocumentReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
-      "ProjectReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
+      "StatementDocumentReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
+      "OriginatorDocumentReference": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "Signature": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "AccountingSupplierParty": z5.any(),
       "AccountingCustomerParty": z5.any(),
@@ -5967,86 +6111,17 @@ var init_pef3 = __esm({
       "SellerSupplierParty": z5.any().optional(),
       "TaxRepresentativeParty": z5.any().optional(),
       "Delivery": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
-      "DeliveryTerms": z5.any().optional(),
+      "DeliveryTerms": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "PaymentMeans": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "PaymentTerms": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
-      "PrepaidPayment": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
-      "AllowanceCharge": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "TaxExchangeRate": z5.any().optional(),
       "PricingExchangeRate": z5.any().optional(),
       "PaymentExchangeRate": z5.any().optional(),
       "PaymentAlternativeExchangeRate": z5.any().optional(),
+      "AllowanceCharge": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "TaxTotal": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
-      "WithholdingTaxTotal": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(0)).optional(),
       "LegalMonetaryTotal": z5.any(),
-      "InvoiceLine": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(1))
-    }).strict();
-    PEF3Schema = InvoiceType;
-  }
-});
-
-// src/validation/schemas/pef-kor3.ts
-var pef_kor3_exports = {};
-__export(pef_kor3_exports, {
-  PEF_KOR3Schema: () => PEF_KOR3Schema
-});
-import { z as z6 } from "zod";
-var CreditNoteType, PEF_KOR3Schema;
-var init_pef_kor3 = __esm({
-  "src/validation/schemas/pef-kor3.ts"() {
-    "use strict";
-    CreditNoteType = z6.object({
-      "UBLExtensions": z6.any().optional(),
-      "UBLVersionID": z6.any().optional(),
-      "CustomizationID": z6.any().optional(),
-      "ProfileID": z6.any().optional(),
-      "ProfileExecutionID": z6.any().optional(),
-      "ID": z6.any(),
-      "CopyIndicator": z6.any().optional(),
-      "UUID": z6.any().optional(),
-      "IssueDate": z6.any(),
-      "IssueTime": z6.any().optional(),
-      "TaxPointDate": z6.any().optional(),
-      "CreditNoteTypeCode": z6.any().optional(),
-      "Note": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "DocumentCurrencyCode": z6.any().optional(),
-      "TaxCurrencyCode": z6.any().optional(),
-      "PricingCurrencyCode": z6.any().optional(),
-      "PaymentCurrencyCode": z6.any().optional(),
-      "PaymentAlternativeCurrencyCode": z6.any().optional(),
-      "AccountingCostCode": z6.any().optional(),
-      "AccountingCost": z6.any().optional(),
-      "LineCountNumeric": z6.any().optional(),
-      "BuyerReference": z6.any().optional(),
-      "InvoicePeriod": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "DiscrepancyResponse": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "OrderReference": z6.any().optional(),
-      "BillingReference": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "DespatchDocumentReference": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "ReceiptDocumentReference": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "ContractDocumentReference": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "AdditionalDocumentReference": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "StatementDocumentReference": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "OriginatorDocumentReference": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "Signature": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "AccountingSupplierParty": z6.any(),
-      "AccountingCustomerParty": z6.any(),
-      "PayeeParty": z6.any().optional(),
-      "BuyerCustomerParty": z6.any().optional(),
-      "SellerSupplierParty": z6.any().optional(),
-      "TaxRepresentativeParty": z6.any().optional(),
-      "Delivery": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "DeliveryTerms": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "PaymentMeans": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "PaymentTerms": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "TaxExchangeRate": z6.any().optional(),
-      "PricingExchangeRate": z6.any().optional(),
-      "PaymentExchangeRate": z6.any().optional(),
-      "PaymentAlternativeExchangeRate": z6.any().optional(),
-      "AllowanceCharge": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "TaxTotal": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(0)).optional(),
-      "LegalMonetaryTotal": z6.any(),
-      "CreditNoteLine": z6.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z6.array(z6.any()).min(1))
+      "CreditNoteLine": z5.preprocess((v) => Array.isArray(v) ? v : v == null ? [] : [v], z5.array(z5.any()).min(1))
     }).strict();
     PEF_KOR3Schema = CreditNoteType;
   }
@@ -6059,16 +6134,14 @@ var init_schemas = __esm({
     "use strict";
     init_fa3();
     init_fa2();
-    init_rr1_v11e();
-    init_rr1_v10e();
+    init_fa_rr1();
     init_pef3();
     init_pef_kor3();
-    SCHEMA_TYPES = ["FA3", "FA2", "RR1_V11E", "RR1_V10E", "PEF3", "PEF_KOR3"];
+    SCHEMA_TYPES = ["FA3", "FA2", "FA_RR1", "PEF3", "PEF_KOR3"];
     NAMESPACE_MAP = {
       "http://crd.gov.pl/wzor/2025/06/25/13775/": "FA3",
       "http://crd.gov.pl/wzor/2023/06/29/12648/": "FA2",
-      "http://crd.gov.pl/wzor/2026/03/06/14189/": "RR1_V11E",
-      "http://crd.gov.pl/wzor/2026/02/17/14164/": "RR1_V10E",
+      "http://crd.gov.pl/wzor/2026/03/06/14189/": "FA_RR1",
       "urn:oasis:names:specification:ubl:schema:xsd:Invoice-2": "PEF3",
       "urn:oasis:names:specification:ubl:schema:xsd:CreditNote-2": "PEF_KOR3"
     };
@@ -6087,11 +6160,8 @@ async function loadSchema(type) {
     case "FA2":
       mod = await Promise.resolve().then(() => (init_fa2(), fa2_exports));
       break;
-    case "RR1_V11E":
-      mod = await Promise.resolve().then(() => (init_rr1_v11e(), rr1_v11e_exports));
-      break;
-    case "RR1_V10E":
-      mod = await Promise.resolve().then(() => (init_rr1_v10e(), rr1_v10e_exports));
+    case "FA_RR1":
+      mod = await Promise.resolve().then(() => (init_fa_rr1(), fa_rr1_exports));
       break;
     case "PEF3":
       mod = await Promise.resolve().then(() => (init_pef3(), pef3_exports));
@@ -6131,7 +6201,7 @@ var init_schema_registry = __esm({
        * List all available schema types.
        */
       availableSchemas() {
-        return ["FA3", "FA2", "RR1_V11E", "RR1_V10E", "PEF3", "PEF_KOR3"];
+        return ["FA3", "FA2", "FA_RR1", "PEF3", "PEF_KOR3"];
       },
       /**
        * Detect schema type from XML namespace URI and/or root element name.
@@ -6552,6 +6622,7 @@ var init_batch_file = __esm({
           batchFile: {
             fileSize: zipBytes.length,
             fileHash: zipHash,
+            ...options?.compressionType && { compressionType: options.compressionType },
             fileParts
           },
           encryptedParts
@@ -6654,6 +6725,7 @@ var init_batch_file = __esm({
           batchFile: {
             fileSize: zipSize,
             fileHash: zipMeta.hashSHA,
+            ...options?.compressionType && { compressionType: options.compressionType },
             fileParts
           },
           streamParts
@@ -6677,11 +6749,10 @@ async function uploadBatch(client, zipData, options) {
   }
   await client.crypto.init();
   if (options?.validate) {
-    const { unzip: unzip2 } = await Promise.resolve().then(() => (init_zip(), zip_exports));
     const { validateBatch: validateBatch2, batchValidationDetails: batchValidationDetails2 } = await Promise.resolve().then(() => (init_invoice_validator(), invoice_validator_exports));
     const { KSeFValidationError: KSeFValidationError2 } = await Promise.resolve().then(() => (init_ksef_validation_error(), ksef_validation_error_exports));
     const zipBuf = Buffer.isBuffer(zipData) ? zipData : Buffer.from(zipData.buffer, zipData.byteOffset, zipData.byteLength);
-    const files = await unzip2(zipBuf);
+    const files = options?.compressionType === "TarGz" ? await (await Promise.resolve().then(() => (init_targz(), targz_exports))).extractTarGz(zipBuf) : await (await Promise.resolve().then(() => (init_zip(), zip_exports))).unzip(zipBuf);
     const invoices2 = [...files.entries()].filter(([name]) => name.endsWith(".xml")).map(([name, data]) => ({ fileName: name, xml: data.toString("utf-8") }));
     if (invoices2.length > 0) {
       const result2 = await validateBatch2(invoices2);
@@ -6694,21 +6765,25 @@ async function uploadBatch(client, zipData, options) {
       }
     }
   }
-  const encData = await client.crypto.getEncryptionData();
   const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
-  const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
-  const { batchFile, encryptedParts } = BatchFileBuilder.build(zipData, encryptFn, {
-    maxPartSize: options?.maxPartSize
+  const { batchFile, encryptedParts, openResp } = await withKeyRotationRetry(client.crypto, async () => {
+    const encData = await client.crypto.getEncryptionData();
+    const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
+    const { batchFile: batchFile2, encryptedParts: encryptedParts2 } = BatchFileBuilder.build(zipData, encryptFn, {
+      maxPartSize: options?.maxPartSize,
+      compressionType: options?.compressionType
+    });
+    const openResp2 = await client.batchSession.openSession(
+      {
+        formCode,
+        encryption: encData.encryptionInfo,
+        batchFile: batchFile2,
+        offlineMode: options?.offlineMode
+      },
+      options?.upoVersion
+    );
+    return { batchFile: batchFile2, encryptedParts: encryptedParts2, openResp: openResp2 };
   });
-  const openResp = await client.batchSession.openSession(
-    {
-      formCode,
-      encryption: encData.encryptionInfo,
-      batchFile,
-      offlineMode: options?.offlineMode
-    },
-    options?.upoVersion
-  );
   const sendingParts = encryptedParts.map((part, i) => ({
     data: part.buffer.slice(part.byteOffset, part.byteOffset + part.byteLength),
     metadata: {
@@ -6742,26 +6817,29 @@ async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
     throw new Error("parallelism must be a positive integer");
   }
   await client.crypto.init();
-  const encData = await client.crypto.getEncryptionData();
   const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
-  const encryptStreamFn = (stream) => client.crypto.encryptAES256Stream(stream, encData.cipherKey, encData.cipherIv);
-  const hashStreamFn = (stream) => client.crypto.getFileMetadataFromStream(stream);
-  const { batchFile, streamParts } = await BatchFileBuilder.buildFromStream(
-    zipStreamFactory,
-    zipSize,
-    encryptStreamFn,
-    hashStreamFn,
-    { maxPartSize: options?.maxPartSize }
-  );
-  const openResp = await client.batchSession.openSession(
-    {
-      formCode,
-      encryption: encData.encryptionInfo,
-      batchFile,
-      offlineMode: options?.offlineMode
-    },
-    options?.upoVersion
-  );
+  const { streamParts, openResp } = await withKeyRotationRetry(client.crypto, async () => {
+    const encData = await client.crypto.getEncryptionData();
+    const encryptStreamFn = (stream) => client.crypto.encryptAES256Stream(stream, encData.cipherKey, encData.cipherIv);
+    const hashStreamFn = (stream) => client.crypto.getFileMetadataFromStream(stream);
+    const { batchFile, streamParts: streamParts2 } = await BatchFileBuilder.buildFromStream(
+      zipStreamFactory,
+      zipSize,
+      encryptStreamFn,
+      hashStreamFn,
+      { maxPartSize: options?.maxPartSize, compressionType: options?.compressionType }
+    );
+    const openResp2 = await client.batchSession.openSession(
+      {
+        formCode,
+        encryption: encData.encryptionInfo,
+        batchFile,
+        offlineMode: options?.offlineMode
+      },
+      options?.upoVersion
+    );
+    return { streamParts: streamParts2, openResp: openResp2 };
+  });
   await client.batchSession.sendPartsWithStream(openResp, streamParts, options?.parallelism);
   await client.batchSession.closeSession(openResp.referenceNumber);
   const result = await pollUntil(
@@ -6812,6 +6890,7 @@ var init_batch_session_workflow = __esm({
     init_document_structures();
     init_batch_file();
     init_polling();
+    init_with_key_rotation_retry();
     init_xml();
   }
 });
@@ -7208,15 +7287,19 @@ function clearCredentials() {
 // src/workflows/auth-workflow.ts
 init_polling();
 init_auth_xml_builder();
+init_with_key_rotation_retry();
 async function authenticateWithToken(client, options) {
   const challenge2 = await client.auth.getChallenge();
   await client.crypto.init();
-  const encryptedToken = await client.crypto.encryptKsefToken(options.token, challenge2.timestamp);
-  const submitResult = await client.auth.submitKsefTokenAuthRequest({
-    challenge: challenge2.challenge,
-    contextIdentifier: { type: "Nip", value: options.nip },
-    encryptedToken: Buffer.from(encryptedToken).toString("base64"),
-    authorizationPolicy: options.authorizationPolicy
+  const submitResult = await withKeyRotationRetry(client.crypto, async () => {
+    const { encryptedToken, publicKeyId } = await client.crypto.encryptKsefTokenWithKeyId(options.token, challenge2.timestamp);
+    return client.auth.submitKsefTokenAuthRequest({
+      challenge: challenge2.challenge,
+      contextIdentifier: { type: "Nip", value: options.nip },
+      encryptedToken: Buffer.from(encryptedToken).toString("base64"),
+      publicKeyId,
+      authorizationPolicy: options.authorizationPolicy
+    });
   });
   const authToken = submitResult.authenticationToken.token;
   await pollUntil(
@@ -7765,6 +7848,7 @@ import { defineCommand as defineCommand3 } from "citty";
 import { consola as consola8 } from "consola";
 init_document_structures();
 init_xml();
+init_with_key_rotation_retry();
 function getGlobalOpts2(args) {
   return {
     env: args.env,
@@ -7795,7 +7879,6 @@ var open = defineCommand3({
         throw new Error("NIP is required. Provide --nip or set it via `ksef config set --nip <nip>`.");
       }
       await client.crypto.init();
-      const encryptionData = await client.crypto.getEncryptionData();
       const formCodeKey = args.formCode;
       let formCode = DEFAULT_FORM_CODE;
       if (formCodeKey) {
@@ -7809,9 +7892,13 @@ var open = defineCommand3({
         throw new Error("Batch session open is used internally by `ksef invoice send <dir>`. Use `ksef session open` for online sessions.");
       }
       if (!args.json) consola8.start("Opening online session...");
-      const result = await client.onlineSession.openSession(
-        { formCode, encryption: encryptionData.encryptionInfo }
-      );
+      const { encryptionData, result } = await withKeyRotationRetry(client.crypto, async () => {
+        const encryptionData2 = await client.crypto.getEncryptionData();
+        const result2 = await client.onlineSession.openSession(
+          { formCode, encryption: encryptionData2.encryptionInfo }
+        );
+        return { encryptionData: encryptionData2, result: result2 };
+      });
       saveOnlineSessionRef(result.referenceNumber, {
         cipherKey: Buffer.from(encryptionData.cipherKey).toString("base64"),
         cipherIv: Buffer.from(encryptionData.cipherIv).toString("base64")
@@ -8217,7 +8304,7 @@ var sessionCommand = defineCommand3({
 // src/cli/commands/invoice.ts
 import * as fs11 from "node:fs";
 import * as path8 from "node:path";
-import { Readable } from "node:stream";
+import { Readable as Readable2 } from "node:stream";
 import { defineCommand as defineCommand6 } from "citty";
 import { consola as consola11 } from "consola";
 init_document_structures();
@@ -8252,7 +8339,9 @@ var FileHwmStore = class {
 
 // src/workflows/invoice-export-workflow.ts
 init_zip();
+init_targz();
 init_polling();
+init_with_key_rotation_retry();
 
 // src/utils/hash.ts
 import crypto5 from "node:crypto";
@@ -8266,11 +8355,15 @@ function verifyHash(data, expectedHash) {
 // src/workflows/invoice-export-workflow.ts
 async function doExport(client, filters, options) {
   await client.crypto.init();
-  const encData = await client.crypto.getEncryptionData();
-  const opResp = await client.invoices.exportInvoices({
-    encryption: encData.encryptionInfo,
-    filters,
-    onlyMetadata: options?.onlyMetadata
+  const { encData, opResp } = await withKeyRotationRetry(client.crypto, async () => {
+    const encData2 = await client.crypto.getEncryptionData();
+    const opResp2 = await client.invoices.exportInvoices({
+      encryption: encData2.encryptionInfo,
+      filters,
+      onlyMetadata: options?.onlyMetadata,
+      ...options?.compressionType && { compressionType: options.compressionType }
+    });
+    return { encData: encData2, opResp: opResp2 };
   });
   const result = await pollUntil(
     () => client.invoices.getInvoiceExportStatus(opResp.referenceNumber),
@@ -9110,6 +9203,7 @@ var invoiceBuild = defineCommand5({
 init_invoice_validator();
 init_ksef_validation_error();
 init_schemas();
+init_with_key_rotation_retry();
 function getGlobalOpts4(args) {
   return {
     env: args.env,
@@ -9217,7 +9311,7 @@ var send = defineCommand6({
         }
         const { uploadBatchStream: uploadBatchStream2 } = await Promise.resolve().then(() => (init_batch_session_workflow(), batch_session_workflow_exports));
         const zipSize = stat.size;
-        const zipStreamFactory = () => Readable.toWeb(fs11.createReadStream(filePath));
+        const zipStreamFactory = () => Readable2.toWeb(fs11.createReadStream(filePath));
         if (!args.json) consola11.start(`Sending batch via stream (${(zipSize / 1e6).toFixed(1)} MB)...`);
         const result = await uploadBatchStream2(client, zipStreamFactory, zipSize, {
           formCode,
@@ -9262,7 +9356,6 @@ var send = defineCommand6({
         }
         if (!args.json) consola11.start(`Sending ${xmlFiles.length} invoices via batch session...`);
         await client.crypto.init();
-        const encryptionData = await client.crypto.getEncryptionData();
         const parts = fileBuffers.map(({ content }, i) => {
           const metadata = client.crypto.getFileMetadata(new Uint8Array(content));
           return {
@@ -9282,9 +9375,12 @@ var send = defineCommand6({
             fileHash: p.metadata.hashSHA
           }))
         };
-        const openResult = await client.batchSession.openSession(
-          { formCode, batchFile: batchFileInfo, encryption: encryptionData.encryptionInfo }
-        );
+        const openResult = await withKeyRotationRetry(client.crypto, async () => {
+          const encryptionData = await client.crypto.getEncryptionData();
+          return client.batchSession.openSession(
+            { formCode, batchFile: batchFileInfo, encryption: encryptionData.encryptionInfo }
+          );
+        });
         saveOnlineSessionRef(openResult.referenceNumber);
         await client.batchSession.sendParts(openResult, parts, parallelism);
         await client.batchSession.closeSession(openResult.referenceNumber);
@@ -9439,11 +9535,13 @@ var exportCmd = defineCommand6({
       const { client } = await requireSession(globalOpts);
       if (!args.json) consola11.start("Starting invoice export...");
       await client.crypto.init();
-      const encryptionData = await client.crypto.getEncryptionData();
       const filters = buildQueryFilters(args);
-      const result = await client.invoices.exportInvoices(
-        { encryption: encryptionData.encryptionInfo, filters, onlyMetadata: args.onlyMetadata }
-      );
+      const result = await withKeyRotationRetry(client.crypto, async () => {
+        const encryptionData = await client.crypto.getEncryptionData();
+        return client.invoices.exportInvoices(
+          { encryption: encryptionData.encryptionInfo, filters, onlyMetadata: args.onlyMetadata }
+        );
+      });
       if (args.json) {
         outputResult(result, { json: true });
       } else {