@matter/node 0.16.0-alpha.0-20250902-38a7cc156 → 0.16.0-alpha.0-20250909-aecad94f3

package/src/behavior/state/managed/Datasource.ts

@@ -16,9 +16,8 @@ import {
     Observable,
     Transaction,
 } from "#general";
-import { AccessLevel } from "#model";
 import type { Val } from "#protocol";
-import { AccessControl, ExpiredReferenceError } from "#protocol";
+import { AccessControl, ExpiredReferenceError, hasRemoteActor } from "#protocol";
 import { RootSupervisor } from "../../supervision/RootSupervisor.js";
 import { ValueSupervisor } from "../../supervision/ValueSupervisor.js";
 import { StateType } from "../StateType.js";
@@ -125,12 +124,6 @@ export function Datasource<const T extends StateType = StateType>(options: Datas
         get view() {
             if (!readOnlyView) {
                 const session: ValueSupervisor.Session = {
-                    offline: true,
-                    authorityAt(desiredAccessLevel: AccessLevel) {
-                        return desiredAccessLevel === AccessLevel.View
-                            ? AccessControl.Authority.Granted
-                            : AccessControl.Authority.Unauthorized;
-                    },
                     transaction: viewTx,
                 };
                 readOnlyView = createReference(this, internals, session).managed as InstanceType<T>;
@@ -281,7 +274,7 @@ interface Internals extends Datasource.Options {
     primaryKey: "name" | "id";
     sessions?: Map<ValueSupervisor.Session, SessionContext>;
     featuresKey?: string;
-    interactionObserver(session?: AccessControl.Session): MaybePromise<void>;
+    interactionObserver(session?: ValueSupervisor.Session): MaybePromise<void>;
     events: Datasource.InternalEvents;
     changedEventFor(key: string): undefined | Datasource.Events[any];
     persistentFields: Set<string>;
@@ -635,6 +628,7 @@ function createReference(resource: Transaction.Resource, internals: Internals, s
         transaction.beginSync();
 
         if (
+            hasRemoteActor(session) &&
             !session.interactionStarted &&
             session.interactionComplete &&
             !session.interactionComplete.isObservedBy(internals.interactionObserver)

package/src/behavior/state/managed/values/ListManager.ts

@@ -7,7 +7,16 @@
 import { isObject, serialize } from "#general";
 import type { Schema } from "#model";
 import { Access, DataModelPath, ValueModel } from "#model";
-import { AccessControl, ExpiredReferenceError, ReadError, SchemaImplementationError, Val, WriteError } from "#protocol";
+import {
+    AccessControl,
+    ExpiredReferenceError,
+    hasLocalActor,
+    hasRemoteActor,
+    ReadError,
+    SchemaImplementationError,
+    Val,
+    WriteError,
+} from "#protocol";
 import { StatusCode } from "#types";
 import type { RootSupervisor } from "../../../supervision/RootSupervisor.js";
 import type { ValueSupervisor } from "../../../supervision/ValueSupervisor.js";
@@ -206,7 +215,7 @@ function createProxy(config: ListConfig, reference: Val.Reference<Val.List>, ses
                 }
 
                 // If there's no fabric index or it's a match, consider "in scope"
-                if (session.offline || !entry.fabricIndex || entry.fabricIndex === session.fabric) {
+                if (hasLocalActor(session) || !entry.fabricIndex || entry.fabricIndex === session.fabric) {
                     if (nextPos === index) {
                         // Found our target
                         return i;
@@ -229,7 +238,7 @@ function createProxy(config: ListConfig, reference: Val.Reference<Val.List>, ses
             throw new WriteError(reference.location, `Index ${index} would leave gaps in fabric-filtered list`);
         }
 
-        if (session.fabricFiltered || config.fabricSensitive) {
+        if (hasRemoteActor(session) && (session.fabricFiltered || config.fabricSensitive)) {
             const nextReadEntry = readEntry;
 
             hasEntry = (index: number) => {
@@ -262,10 +271,7 @@ function createProxy(config: ListConfig, reference: Val.Reference<Val.List>, ses
                 let length = 0;
                 for (let i = 0; i < readVal().length; i++) {
                     const entry = readVal()[i] as undefined | { fabricIndex?: number };
-                    if (
-                        isObject(entry) &&
-                        (session.offline || !entry.fabricIndex || entry.fabricIndex === session.fabric)
-                    ) {
+                    if (isObject(entry) && (!entry.fabricIndex || entry.fabricIndex === session.fabric)) {
                         length++;
                     }
                 }
@@ -278,10 +284,7 @@ function createProxy(config: ListConfig, reference: Val.Reference<Val.List>, ses
                 reference.change(() => {
                     for (let i = formerLength - 1; i >= length; i--) {
                         const entry = writeVal()[mapScopedToActual(i, true)] as undefined | { fabricIndex?: number };
-                        if (
-                            isObject(entry) &&
-                            (session.offline || !entry.fabricIndex || entry.fabricIndex === session.fabric)
-                        ) {
+                        if (isObject(entry) && (!entry.fabricIndex || entry.fabricIndex === session.fabric)) {
                             writeVal().splice(mapScopedToActual(i, false), 1);
                         } else if (entry !== undefined) {
                             throw new WriteError(

package/src/behavior/supervision/ValueSupervisor.ts

@@ -4,7 +4,6 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { ActionContext } from "#behavior/context/ActionContext.js";
 import type { AsyncObservable, Transaction } from "#general";
 import { DataModelPath, Schema } from "#model";
 import type { AccessControl, Val } from "#protocol";
@@ -67,9 +66,9 @@ export interface ValueSupervisor {
 
 export namespace ValueSupervisor {
     /**
-     * Session information required for value management.
+     * {@link Session} values that control supervision.
      */
-    export interface Session extends AccessControl.Session {
+    export interface SupervisionSettings {
         /**
          * The transaction used for isolating state changes associated with this session.
          */
@@ -82,22 +81,31 @@ export namespace ValueSupervisor {
         acceptInvalid?: boolean;
 
         /**
-         * If present the session is associated with an online interaction.  Emits when the interaction ends.
+         * If true, structs initialize without named properties which are more expensive to install.  This is useful
+         * when implementing the Matter protocol where ID is the only value necessary.
          */
-        interactionComplete?: AsyncObservable<[session?: ActionContext]>;
+        protocol?: boolean;
+    }
 
+    /**
+     * {@link Session} information that enforces stricter controls based on an authenticated remote subject.
+     */
+    export interface RemoteActorSession extends AccessControl.RemoteActorSession, SupervisionSettings {
         /**
-         * Set to true when the interaction has started and the interactionBegin event was emitted for this session
+         * If present the session is associated with an online interaction.  Emits when the interaction ends.
          */
-        interactionStarted?: boolean;
+        interactionComplete?: AsyncObservable<[session?: RemoteActorSession]>;
 
         /**
-         * If true, structs initialize without named properties which are more expensive to install.  This is useful
-         * when implementing the Matter protocol where ID is the only value necessary.
+         * Set to true when the interaction has started and the interactionBegin event was emitted for this session
          */
-        protocol?: boolean;
+        interactionStarted?: boolean;
     }
 
+    export interface LocalActorSession extends AccessControl.LocalActorSession, SupervisionSettings {}
+
+    export type Session = LocalActorSession | RemoteActorSession;
+
     export type Validate = (value: Val, session: Session, location: ValidationLocation) => void;
 
     export type Manage = (reference: Val.Reference, session: Session) => Val;

package/src/behaviors/access-control/AccessControlServer.ts

@@ -15,6 +15,8 @@ import {
     AclList,
     Fabric,
     FabricManager,
+    hasLocalActor,
+    hasRemoteActor,
     IncomingSubjectDescriptor,
     MessageExchange,
     NodeSession,
@@ -91,8 +93,8 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
                     ". This should only happen once after upgrading to matter.js 0.9.1",
                 );
             }
-            fabric.acl.aclList = fabricAcls;
-            fabric.acl.extensionEntryAccessCheck = this.extensionEntryAccessCheck.bind(this);
+            fabric.accessControl.aclList = fabricAcls;
+            fabric.accessControl.extensionEntryAccessCheck = this.extensionEntryAccessCheck.bind(this);
         }
 
         // TODO handle delete fabric more generically later to remove fabric scoped data
@@ -134,11 +136,14 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
     #validateAccessControlListChanges(
         value: AccessControlTypes.AccessControlEntry[],
         _oldValue: AccessControlTypes.AccessControlEntry[],
-        context?: ActionContext,
     ) {
-        // TODO: This might be not really correct for local ACL changes because there the session fabric could be
-        //  different which would lead to missing validation of the relevant entries
-        const relevantFabricIndex = this.context.session?.associatedFabric.fabricIndex;
+        const { context } = this;
+
+        if (!hasRemoteActor(context)) {
+            return;
+        }
+
+        const relevantFabricIndex = context.session.associatedFabric.fabricIndex;
 
         if (relevantFabricIndex === undefined) {
             return;
@@ -276,7 +281,8 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         if (!this.internal.initialized) {
             return; // Too early to send events
         }
-        const { session } = this.context;
+
+        const session = hasRemoteActor(this.context) ? this.context.session : undefined;
 
         // TODO: This might be not really correct for local ACL changes because there the session fabric could be
         //  different which would lead to missing events
@@ -327,14 +333,12 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
     }
 
     #validateAccessControlExtensionChanges(value: AccessControlTypes.AccessControlExtension[]) {
-        // TODO: This might be not really correct for local ACL changes because there the session fabric could be
-        //  different which would lead to missing validation of the relevant entries
-        const relevantFabricIndex = this.context.session?.associatedFabric.fabricIndex;
-
-        if (relevantFabricIndex === undefined) {
+        if (!hasRemoteActor(this.context)) {
             return;
         }
 
+        const relevantFabricIndex = this.context.session.associatedFabric.fabricIndex;
+
         const fabricExtensions = value.filter(entry => entry.fabricIndex === relevantFabricIndex);
 
         if (fabricExtensions.length === 0) {
@@ -355,7 +359,8 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         if (!this.internal.initialized) {
             return; // Too early to send events
         }
-        const { session } = this.context;
+
+        const session = hasRemoteActor(this.context) ? this.context.session : undefined;
 
         // TODO: This might be not really correct for local ACL changes because there the session fabric could be
         //  different which would lead to missing events of the relevant entries
@@ -437,7 +442,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
     /** A fabric was added or updated, so we need to initialize the ACL for this fabric */
     #updateFabricAcls(fabric: Fabric) {
         const fabricIndex = fabric.fabricIndex;
-        fabric.acl.aclList = deepCopy(this.state.acl).filter(entry => entry.fabricIndex === fabricIndex);
+        fabric.accessControl.aclList = deepCopy(this.state.acl).filter(entry => entry.fabricIndex === fabricIndex);
     }
 
     /**
@@ -445,7 +450,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
      * fabric index. If ACL data are really changed later, the exchange gets added then.
      */
     #handleInteractionBegin(session?: AccessControl.Session) {
-        if (session !== undefined && !session.offline && session.fabric !== undefined) {
+        if (hasRemoteActor(session)) {
             this.#prepareAclUpdateFor(session.fabric);
         }
     }
@@ -456,7 +461,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
      * not changing the ACL.
      */
     #handleInteractionEnd(session?: AccessControl.Session) {
-        if (session !== undefined && !session.offline && session.fabric !== undefined) {
+        if (hasRemoteActor(session)) {
             if (this.internal.aclUpdateDelayed.get(session.fabric) !== undefined) {
                 this.#applyDelayedAclUpdateFor(session.fabric);
             }
@@ -469,7 +474,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         _oldAcl: AccessControlTypes.AccessControlEntry[],
         context?: ActionContext,
     ) {
-        if (context === undefined || context.offline) {
+        if (hasLocalActor(context)) {
             // local or offline ACL change, so we update all fabrics because we do not know better
             this.#updateAllFabricsAcls();
         } else {
@@ -498,7 +503,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
             // No interaction registered, so we apply directly because local/offline change
             logger.debug("ACL attribute updated, applying update to ACL manager", fabricIndex);
 
-            fabric.acl.aclList = deepCopy(acl).filter(entry => entry.fabricIndex === fabricIndex);
+            fabric.accessControl.aclList = deepCopy(acl).filter(entry => entry.fabricIndex === fabricIndex);
         }
     }
 
@@ -522,7 +527,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         const fabrics = this.env.get(FabricManager);
         for (const fabric of fabrics) {
             // Update all Fabrics and set the ACL list for each fabric, empty ACLs when none are present
-            fabric.acl.aclList = aclsForFabric.get(fabric.fabricIndex) ?? [];
+            fabric.accessControl.aclList = aclsForFabric.get(fabric.fabricIndex) ?? [];
         }
     }
 
@@ -564,7 +569,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         this.internal.delayedAclData.delete(fabricIndex);
         this.internal.aclUpdateDelayed.delete(fabricIndex);
         if (updateDelayed && delayedData !== undefined) {
-            this.env.get(FabricManager).for(fabricIndex).acl.aclList = delayedData;
+            this.env.get(FabricManager).for(fabricIndex).accessControl.aclList = delayedData;
         }
     }
 }

package/src/behaviors/administrator-commissioning/AdministratorCommissioningServer.ts

@@ -7,7 +7,14 @@
 import { AdministratorCommissioning } from "#clusters/administrator-commissioning";
 import { Duration, InternalError, Logger, Seconds, Time, Timer } from "#general";
 import { AccessLevel } from "#model";
-import { DeviceCommissioner, FailsafeContext, PaseServer, SessionManager } from "#protocol";
+import {
+    assertRemoteActor,
+    DeviceCommissioner,
+    FailsafeContext,
+    hasRemoteActor,
+    PaseServer,
+    SessionManager,
+} from "#protocol";
 import {
     Command,
     MINIMUM_COMMISSIONING_TIMEOUT,
@@ -155,16 +162,17 @@ export class AdministratorCommissioningServer extends AdministratorCommissioning
             // Should never happen, but let's make sure
             throw new InternalError("Commissioning window already initialized.");
         }
-        logger.debug(
-            `Commissioning window timer started for ${commissioningTimeout} seconds for ${this.context.session?.name}.`,
-        );
+        const actor = hasRemoteActor(this.context) ? this.context.session.name : "local actor";
+        logger.debug(`Commissioning window timer started for ${commissioningTimeout} seconds for ${actor}.`);
         this.internal.commissioningWindowTimeout = Time.getTimer(
             "Commissioning timeout",
             commissioningTimeout,
             this.callback(this.#commissioningTimeout),
         ).start();
 
-        const adminFabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+
+        const adminFabric = this.context.session.associatedFabric;
 
         this.state.windowStatus = windowStatus;
         this.state.adminFabricIndex = adminFabric.fabricIndex;
@@ -176,7 +184,7 @@ export class AdministratorCommissioningServer extends AdministratorCommissioning
             adminFabric.deleteRemoveCallback(removeCallback);
         };
 
-        this.session.associatedFabric.addRemoveCallback(removeCallback);
+        this.context.session.associatedFabric.addRemoveCallback(removeCallback);
     }
 
     /**

package/src/behaviors/general-commissioning/GeneralCommissioningServer.ts

@@ -10,7 +10,15 @@ import { AdministratorCommissioning } from "#clusters/administrator-commissionin
 import { GeneralCommissioning } from "#clusters/general-commissioning";
 import { Bytes, Diagnostic, Logger, MatterFlowError, MaybePromise, Seconds } from "#general";
 import type { ServerNode } from "#node/ServerNode.js";
-import { DeviceCommissioner, FabricManager, GroupSession, NodeSession, SecureSession, SessionManager } from "#protocol";
+import {
+    assertRemoteActor,
+    DeviceCommissioner,
+    FabricManager,
+    GroupSession,
+    NodeSession,
+    SecureSession,
+    SessionManager,
+} from "#protocol";
 import { GeneralCommissioningBehavior } from "./GeneralCommissioningBehavior.js";
 import { ServerNodeFailsafeContext } from "./ServerNodeFailsafeContext.js";
 
@@ -121,7 +129,8 @@ export class GeneralCommissioningServer extends GeneralCommissioningBehavior {
     }
 
     override armFailSafe(request: GeneralCommissioning.ArmFailSafeRequest) {
-        return this.#armFailSafe(request, this.session);
+        assertRemoteActor(this.context);
+        return this.#armFailSafe(request, this.context.session);
     }
 
     override async setRegulatoryConfig({
@@ -191,10 +200,7 @@ export class GeneralCommissioningServer extends GeneralCommissioningBehavior {
             };
         }
 
-        // Regulatory config is not fabric-writable so requires elevated privileges
-        this.asAdmin(() => {
-            this.state.regulatoryConfig = newRegulatoryConfig;
-        });
+        this.state.regulatoryConfig = newRegulatoryConfig;
 
         this.state.breadcrumb = breadcrumb;
 
@@ -202,7 +208,8 @@ export class GeneralCommissioningServer extends GeneralCommissioningBehavior {
     }
 
     override async commissioningComplete() {
-        const session = this.session;
+        assertRemoteActor(this.context);
+        const { session } = this.context;
         if ((NodeSession.is(session) && session.isPase) || GroupSession.is(session)) {
             return {
                 errorCode: GeneralCommissioning.CommissioningError.InvalidAuthentication,
@@ -210,7 +217,7 @@ export class GeneralCommissioningServer extends GeneralCommissioningBehavior {
             };
         }
 
-        const fabric = this.session.associatedFabric;
+        const fabric = session.associatedFabric;
 
         const commissioner = this.env.get(DeviceCommissioner);
 

package/src/behaviors/general-diagnostics/GeneralDiagnosticsServer.ts

@@ -28,7 +28,7 @@ import {
 } from "#general";
 import { FieldElement, Specification } from "#model";
 import type { NodeLifecycle } from "#node/NodeLifecycle.js";
-import { MdnsService, Val } from "#protocol";
+import { assertRemoteActor, MdnsService, Val } from "#protocol";
 import { CommandId, StatusCode, StatusResponseError, TlvInvokeResponse } from "#types";
 import { GeneralDiagnosticsBehavior } from "./GeneralDiagnosticsBehavior.js";
 
@@ -173,10 +173,8 @@ export class GeneralDiagnosticsServer extends Base {
             ],
         }).byteLength;
 
-        const exchange = this.context.exchange;
-        if (exchange === undefined) {
-            throw new ImplementationError(`Illegal operation outside exchange context`);
-        }
+        assertRemoteActor(this.context);
+        const { exchange } = this.context;
 
         if (responseSize > exchange.maxPayloadSize) {
             throw new StatusResponseError("Response too large", StatusCode.ResourceExhausted);

package/src/behaviors/group-key-management/GroupKeyManagementServer.ts

@@ -9,7 +9,7 @@ import { GroupKeyManagement } from "#clusters/group-key-management";
 import { deepCopy, ImplementationError, Logger, MaybePromise } from "#general";
 import { DatatypeModel, FieldElement } from "#model";
 import { NodeLifecycle } from "#node/NodeLifecycle.js";
-import { Fabric, FabricManager, SecureSession } from "#protocol";
+import { assertRemoteActor, Fabric, FabricManager, hasRemoteActor } from "#protocol";
 import { EndpointNumber, FabricIndex, GroupId, StatusCode, StatusResponseError } from "#types";
 import { GroupKeyManagementBehavior } from "./GroupKeyManagementBehavior.js";
 
@@ -217,7 +217,7 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
         _oldMap?: GroupKeyManagement.GroupKeyMap[],
         context?: ActionContext,
     ) {
-        if (context !== undefined && !context?.offline) {
+        if (context !== undefined && hasRemoteActor(context)) {
             const fabric = context.session?.associatedFabric;
             const fabricIndex = fabric?.fabricIndex;
 
@@ -252,7 +252,7 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
     }
 
     override async keySetWrite({ groupKeySet }: GroupKeyManagement.KeySetWriteRequest) {
-        SecureSession.assert(this.session);
+        assertRemoteActor(this.context);
 
         const {
             groupKeySetId,
@@ -324,7 +324,7 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
             throw new StatusResponseError("GroupKeyMulticastPolicy must be PerGroupId", StatusCode.InvalidCommand);
         }
 
-        const fabric = this.session.associatedFabric;
+        const fabric = this.context.session.associatedFabric;
         const fabricIndex = fabric.fabricIndex;
 
         // Replace or add the group key set to the internal persisted state
@@ -356,7 +356,9 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
     override keySetRead({
         groupKeySetId,
     }: GroupKeyManagement.KeySetReadRequest): GroupKeyManagement.KeySetReadResponse {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+
+        const fabric = this.context.session.associatedFabric;
 
         // We use the fabric group manager to retrieve the group key set because he also has the id 0 and is synced anyway
         const groupKeySet = fabric.groups.keySets.asGroupKeySet(groupKeySetId);
@@ -379,7 +381,9 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
             throw new StatusResponseError(`GroupKeySet ${groupKeySetId} cannot be removed`, StatusCode.InvalidCommand);
         }
 
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+
+        const fabric = this.context.session.associatedFabric;
         const fabricIndex = fabric.fabricIndex;
 
         // Replace or add the group key set to the internal persisted state
@@ -402,7 +406,9 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
     }
 
     override keySetReadAllIndices(): GroupKeyManagement.KeySetReadAllIndicesResponse {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+
+        const fabric = this.context.session.associatedFabric;
         const fabricIndex = fabric.fabricIndex;
 
         const groupKeySetIDs = this.state.groupKeySets

package/src/behaviors/groups/GroupsServer.ts

@@ -11,6 +11,7 @@ import { Endpoint } from "#endpoint/Endpoint.js";
 import { RootEndpoint } from "#endpoints/root";
 import { InternalError, Logger } from "#general";
 import { AccessLevel } from "#model";
+import { assertRemoteActor, Fabric } from "#protocol";
 import {
     Command,
     StatusCode,
@@ -75,16 +76,20 @@ export class GroupsServer extends GroupsBase {
         return rootEndpoint;
     }
 
-    async #actOnGroupKeyManagement<T>(act: (groupKeyManagement: GroupKeyManagementServer) => T): Promise<T> {
+    async #actOnGroupKeyManagement<T>(
+        act: (fabric: Fabric, groupKeyManagement: GroupKeyManagementServer) => T,
+    ): Promise<T> {
+        assertRemoteActor(this.context);
         const agent = this.#rootEndpoint.agentFor(this.context);
         const gkm = agent.get(GroupKeyManagementServer);
         await agent.context.transaction.addResources(gkm);
         await agent.context.transaction.begin();
-        return act(gkm);
+        return act(this.context.session.associatedFabric, gkm);
     }
 
     override async addGroup({ groupId, groupName }: Groups.AddGroupRequest): Promise<Groups.AddGroupResponse> {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+        const fabric = this.context.session.associatedFabric;
 
         if (groupId < 1) {
             return { status: StatusCode.ConstraintError, groupId };
@@ -100,7 +105,7 @@ export class GroupsServer extends GroupsBase {
         const endpointNumber = this.endpoint.number;
 
         try {
-            await this.#actOnGroupKeyManagement(gkm =>
+            await this.#actOnGroupKeyManagement((fabric, gkm) =>
                 gkm.addEndpointForGroup(fabric, groupId, endpointNumber, groupName),
             );
         } catch (error) {
@@ -113,7 +118,8 @@ export class GroupsServer extends GroupsBase {
     }
 
     override viewGroup({ groupId }: Groups.ViewGroupRequest): Groups.ViewGroupResponse {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+        const fabric = this.context.session.associatedFabric;
 
         if (groupId < 1) {
             return { status: StatusCode.ConstraintError, groupId, groupName: "" };
@@ -133,7 +139,8 @@ export class GroupsServer extends GroupsBase {
     override async getGroupMembership({
         groupList,
     }: Groups.GetGroupMembershipRequest): Promise<Groups.GetGroupMembershipResponse> {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+        const fabric = this.context.session.associatedFabric;
         const fabricIndex = fabric.fabricIndex;
         const endpointNumber = this.endpoint.number;
 
@@ -158,8 +165,8 @@ export class GroupsServer extends GroupsBase {
 
         try {
             if (
-                await this.#actOnGroupKeyManagement(gkm =>
-                    gkm.removeEndpoint(this.session.associatedFabric, this.endpoint.number, groupId),
+                await this.#actOnGroupKeyManagement((fabric, gkm) =>
+                    gkm.removeEndpoint(fabric, this.endpoint.number, groupId),
                 )
             ) {
                 return { status: StatusCode.Success, groupId };
@@ -174,9 +181,7 @@ export class GroupsServer extends GroupsBase {
     // TODO ScenesManagement cluster is also affected by this command
     override async removeAllGroups() {
         try {
-            await this.#actOnGroupKeyManagement(gkm =>
-                gkm.removeEndpoint(this.session.associatedFabric, this.endpoint.number),
-            );
+            await this.#actOnGroupKeyManagement((fabric, gkm) => gkm.removeEndpoint(fabric, this.endpoint.number));
         } catch (error) {
             StatusResponseError.accept(error);
             throw error;