@matter/node 0.16.0-alpha.0-20250906-463912bd0 → 0.16.0-alpha.0-20250912-0d12bf718

package/src/behavior/Behavior.ts

@@ -9,14 +9,12 @@ import {
     AsyncObservable,
     EventEmitter,
     GeneratedClass,
-    ImplementationError,
     MaybePromise,
     NotImplementedError,
     Observable,
     Transaction,
 } from "#general";
 import { Schema } from "#model";
-import { SecureSession } from "#protocol";
 import type { ClusterType } from "#types";
 import { Reactor } from "./Reactor.js";
 import type { BehaviorBacking } from "./internal/BehaviorBacking.js";
@@ -106,45 +104,6 @@ export abstract class Behavior {
         return this.endpoint.env;
     }
 
-    /**
-     * The session in which the behavior has been invoked.
-     */
-    get session() {
-        const session = this.#agent.context.session;
-        if (session === undefined) {
-            throw new ImplementationError(`Illegal operation outside session context`);
-        }
-
-        // TODO - would a behavior ever need access to an insecure session?
-        SecureSession.assert(session);
-
-        return session;
-    }
-
-    /**
-     * Execute logic with elevated privileges.
-     *
-     * The provided function executes with privileges escalated to offline mode.  This is not commonly necessary.
-     *
-     * Elevated logic effectively ignores ACLs so should be used with care.
-     *
-     * Note that interactions with the behavior will remain elevated until the synchronous completion of this call.
-     * You should only elevate privileges for synchronous logic.
-     *
-     * @param fn the elevated logic
-     */
-    asAdmin(fn: () => void) {
-        const context = this.context;
-
-        const offline = context.offline;
-        try {
-            context.offline = true;
-            fn();
-        } finally {
-            context.offline = offline;
-        }
-    }
-
     /**
      * Access the behavior's state.
      */

package/src/behavior/Transitions.ts

@@ -23,7 +23,7 @@ import {
 } from "#general";
 import { Behavior } from "./Behavior.js";
 import { ClusterEvents } from "./cluster/ClusterEvents.js";
-import { OfflineContext } from "./context/server/OfflineContext.js";
+import { LocalActorContext } from "./context/server/LocalActorContext.js";
 import { Events } from "./Events.js";
 import { BehaviorBacking } from "./internal/BehaviorBacking.js";
 
@@ -227,7 +227,7 @@ export class Transitions<B extends Behavior> {
 
         const previousRemainingTime = this.#prevPublishedRemainingTime;
         this.#prevPublishedRemainingTime = newRemainingTime;
-        this.#config.remainingTimeEvent?.emit(newRemainingTime, previousRemainingTime, OfflineContext.ReadOnly);
+        this.#config.remainingTimeEvent?.emit(newRemainingTime, previousRemainingTime, LocalActorContext.ReadOnly);
     }
 
     /**

package/src/behavior/context/ActionContext.ts

@@ -7,13 +7,8 @@
 import type { Agent } from "#endpoint/Agent.js";
 import type { Endpoint } from "#endpoint/Endpoint.js";
 import type { AccessLevel } from "#model";
-import type { Message, SecureSession } from "#protocol";
-import { MessageExchange } from "#protocol";
-import { Priority } from "#types";
-import type { ValueSupervisor } from "../supervision/ValueSupervisor.js";
-import { NodeActivity } from "./NodeActivity.js";
-import type { OfflineContext } from "./server/OfflineContext.js";
-import type { OnlineContext } from "./server/OnlineContext.js";
+import type { LocalActorContext } from "./server/LocalActorContext.js";
+import type { RemoteActorContext } from "./server/RemoteActorContext.js";
 
 /**
  * Provides contextual information for Matter actions such as accessing attributes or invoking commands.
@@ -21,7 +16,7 @@ import type { OnlineContext } from "./server/OnlineContext.js";
  * Matter.js provides an "online" ActionContext for you when responding to network requests.  You can also use
  * "offline" agents to invoke cluster APIs {@link Endpoint} without an active user session.
  *
- * See {@link OnlineContext} and {@link OfflineContext} for details of these two types of interaction.
+ * See {@link RemoteActorContext} and {@link LocalActorContext} for details of these two types of interaction.
  *
  * Context includes:
  *
@@ -35,30 +30,4 @@ import type { OnlineContext } from "./server/OnlineContext.js";
  *
  * For the formal definition of an "action" see {@link MatterSpecification.v12.Core} § 8.2.4
  */
-export interface ActionContext extends ValueSupervisor.Session {
-    /**
-     * The Matter session in which an interaction occurs.
-     */
-    session?: SecureSession;
-
-    /**
-     * The Matter exchange in which an interaction occurs.
-     */
-    exchange?: MessageExchange;
-
-    /**
-     * The wire message that initiated invocation.
-     */
-    message?: Message;
-
-    /**
-     * Activity tracking information.  If present, activity frames are inserted at key points for diagnostic
-     * purposes.
-     */
-    activity?: NodeActivity.Activity;
-
-    /**
-     * The priority of actions in this context.
-     */
-    priority?: Priority;
-}
+export type ActionContext = LocalActorContext | RemoteActorContext;

package/src/behavior/context/server/{OfflineContext.ts → LocalActorContext.ts}

@@ -4,26 +4,29 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+import { ValueSupervisor } from "#behavior/supervision/ValueSupervisor.js";
 import type { Agent } from "#endpoint/Agent.js";
 import { Diagnostic, InternalError, MaybePromise, Transaction } from "#general";
 import { AccessLevel } from "#model";
 import { AccessControl } from "#protocol";
-import type { ActionContext } from "../ActionContext.js";
 import { Contextual } from "../Contextual.js";
 import type { NodeActivity } from "../NodeActivity.js";
-
 export let nextInternalId = 1;
 
-let ReadOnly: ActionContext | undefined;
+let ReadOnly: LocalActorContext | undefined;
+
+export interface LocalActorContext extends ValueSupervisor.LocalActorSession {}
 
 /**
- * {@link OfflineContext.act} gives you access to the {@link Agent} API outside of user interaction.
+ * The context for operations triggered locally, either for in-process node implementations or remote nodes that are
+ * peers of a local node.
  *
- * You can also use {@link OfflineContext.ReadOnly} for read-only {@link Agent} access.
+ * You can also use {@link LocalActorContext.ReadOnly} for read-only {@link Agent} access.
  */
-export const OfflineContext = {
+export const LocalActorContext = {
     /**
-     * Operate in offline context.  Interactions with private Matter.js APIs happen in an offline context.
+     * Operate on behalf of a local actor.  This is the context for operations on nodes initiated locally, without
+     * authentication.
      *
      * {@link act} provides an {@link ActionContext} you can use to access agents for a {@link Endpoint}.
      * State changes and change events occur once {@link actor} returns.
@@ -36,8 +39,8 @@ export const OfflineContext = {
      */
     act<T>(
         purpose: string,
-        actor: (context: ActionContext) => MaybePromise<T>,
-        options?: OfflineContext.Options,
+        actor: (context: LocalActorContext) => MaybePromise<T>,
+        options?: LocalActorContext.Options,
     ): MaybePromise<T> {
         const context = this.open(purpose, options);
 
@@ -57,7 +60,7 @@ export const OfflineContext = {
      * This context operates with a {@link Transaction} created via {@link Transaction.open} and the same rules
      * apply for lifecycle management using {@link Transaction.Finalization}.
      */
-    open(purpose: string, options?: OfflineContext.Options): ActionContext & Transaction.Finalization {
+    open(purpose: string, options?: LocalActorContext.Options): LocalActorContext & Transaction.Finalization {
         const id = nextInternalId;
         nextInternalId = (nextInternalId + 1) % 65535;
         const via = Diagnostic.via(`${purpose}#${id.toString(16)}`);
@@ -115,7 +118,7 @@ export const OfflineContext = {
     },
 
     /**
-     * Normally you need to use {@link OfflineContext.act} to work with behaviors, and you can only interact with the
+     * Normally you need to use {@link LocalActorContext.act} to work with behaviors, and you can only interact with the
      * behaviors in the actor function.  This {@link ActionContext} allows you to create offline agents that remain
      * functional for the lifespan of the node.
      *
@@ -123,7 +126,7 @@ export const OfflineContext = {
      */
     get ReadOnly() {
         if (ReadOnly === undefined) {
-            ReadOnly = OfflineContext.open("read-only", { isolation: "ro" });
+            ReadOnly = LocalActorContext.open("read-only", { isolation: "ro" });
         }
         return ReadOnly;
     },
@@ -131,9 +134,9 @@ export const OfflineContext = {
     [Symbol.toStringTag]: "OfflineContext",
 };
 
-export namespace OfflineContext {
+export namespace LocalActorContext {
     /**
-     * {@link OfflineContext} configuration options.
+     * {@link LocalActorContext} configuration options.
      */
     export interface Options {
         command?: boolean;

package/src/behavior/context/server/{OnlineContext.ts → RemoteActorContext.ts}

@@ -4,57 +4,73 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { AsyncObservable, Diagnostic, ImplementationError, InternalError, MaybePromise, Transaction } from "#general";
+import { ValueSupervisor } from "#behavior/supervision/ValueSupervisor.js";
+import { AsyncObservable, Diagnostic, InternalError, MaybePromise, Transaction } from "#general";
 import { AccessLevel } from "#model";
 import type { Node } from "#node/Node.js";
 import type { Message, NodeProtocol } from "#protocol";
-import {
-    AccessControl,
-    AclEndpointContext,
-    FabricAccessControl,
-    MessageExchange,
-    SecureSession,
-    Subject,
-} from "#protocol";
-import { FabricIndex, NodeId } from "#types";
-import { ActionContext } from "../ActionContext.js";
+import { AccessControl, AclEndpointContext, FabricAccessControl, MessageExchange, SecureSession } from "#protocol";
+import { FabricIndex, Priority } from "#types";
 import { Contextual } from "../Contextual.js";
 import { NodeActivity } from "../NodeActivity.js";
 
+export interface RemoteActorContext extends ValueSupervisor.RemoteActorSession {
+    /**
+     * Override for {@link ValueSupervisor.RemoteActorSession} to specialize the context.
+     */
+    interactionComplete?: AsyncObservable<[context?: RemoteActorContext]>;
+
+    /**
+     * The Matter session in which an interaction occurs.
+     */
+    session: SecureSession;
+
+    /**
+     * The Matter exchange in which an interaction occurs.
+     */
+    exchange: MessageExchange;
+
+    /**
+     * The wire message that initiated invocation.
+     */
+    message?: Message;
+
+    /**
+     * Activity tracking information.  If present, activity frames are inserted at key points for diagnostic
+     * purposes.
+     */
+    activity?: NodeActivity.Activity;
+
+    /**
+     * The priority of actions in this context.
+     */
+    priority?: Priority;
+}
+
 /**
  * Caches completion events per exchange. Uses if multiple OnlineContext instances are created for an exchange.
  * Entries will be cleaned up when the exchange is closed.
  */
-const exchangeCompleteEvents = new WeakMap<MessageExchange, AsyncObservable<[session?: ActionContext | undefined]>>();
+const exchangeCompleteEvents = new WeakMap<
+    MessageExchange,
+    AsyncObservable<[session?: RemoteActorContext | undefined]>
+>();
 
 /**
- * Operate in online context.  Public Matter API interactions happen in online context.
+ * The context for operations triggered by an authenticated peer.  Public Matter interactions use this context.
  */
-export function OnlineContext(options: OnlineContext.Options) {
-    let fabric: FabricIndex | undefined;
-    let subject: Subject;
+export function RemoteActorContext(options: RemoteActorContext.Options) {
     let nodeProtocol: NodeProtocol | undefined;
     let accessLevelCache: Map<AccessControl.Location, number[]> | undefined;
-    let aclManager: FabricAccessControl;
 
     const { exchange, message } = options;
-    const session = exchange?.session;
-
-    if (session) {
-        SecureSession.assert(session);
-        fabric = session.fabric?.fabricIndex;
-        subject = session.subjectFor(message);
-        // Without a fabric, we assume default PASE based access controls and use a fresh FabricAccessControlManager instance
-        aclManager = session?.fabric?.acl ?? new FabricAccessControl();
-    } else {
-        fabric = options.fabric;
-        if (options.subject !== undefined) {
-            subject = Subject.Node({ id: options.subject });
-        } else {
-            throw new ImplementationError("OnlineContext requires an authorized subject");
-        }
-        aclManager = options.aclManager ?? new FabricAccessControl();
-    }
+    const session = exchange.session;
+
+    SecureSession.assert(session);
+    const fabric = session.fabric;
+    const subject = session.subjectFor(message);
+    // Without a fabric, we assume default PASE based access controls and use a fresh FabricAccessControlManager instance
+    const accessControl = fabric?.accessControl ?? new FabricAccessControl();
 
     // If we have subjects, the first is the main one, used for diagnostics
     const via = Diagnostic.via(
@@ -63,11 +79,11 @@ export function OnlineContext(options: OnlineContext.Options) {
 
     return {
         /**
-         * Run an actor with a read/write context.
+         * Operate on behalf of a remote actor.
          *
          * If the actor changes state, this may return a promise even if {@link actor} does not return a promise.
          */
-        act<T>(actor: (context: ActionContext) => MaybePromise<T>): MaybePromise<T> {
+        act<T>(actor: (context: RemoteActorContext) => MaybePromise<T>): MaybePromise<T> {
             const context = this.open();
 
             let result;
@@ -86,7 +102,7 @@ export function OnlineContext(options: OnlineContext.Options) {
          * This context operates with a {@link Transaction} created via {@link Transaction.open} and the same rules
          * apply for lifecycle management using {@link Transaction.Finalization}.
          */
-        open(): ActionContext & Transaction.Finalization {
+        open(): RemoteActorContext & Transaction.Finalization {
             let close;
             let tx;
             try {
@@ -101,7 +117,7 @@ export function OnlineContext(options: OnlineContext.Options) {
             return createContext(tx, {
                 resolve: tx.resolve.bind(tx),
                 reject: tx.reject.bind(tx),
-            }) as ActionContext & Transaction.Finalization;
+            });
         },
 
         /**
@@ -115,7 +131,7 @@ export function OnlineContext(options: OnlineContext.Options) {
 
             return createContext(Transaction.open(via, "snapshot"), {
                 [Symbol.dispose]: close,
-            }) as OnlineContext.ReadOnly;
+            }) as RemoteActorContext.ReadOnly;
         },
 
         [Symbol.toStringTag]: "OnlineContext",
@@ -142,11 +158,11 @@ export function OnlineContext(options: OnlineContext.Options) {
     /**
      * Initialization stage two - create context object after obtaining transaction
      */
-    function createContext(transaction: Transaction, methods: {}) {
+    function createContext<T extends {}>(transaction: Transaction, methods: T) {
         if (session) {
             SecureSession.assert(session);
         }
-        let interactionComplete: AsyncObservable<[session?: ActionContext | undefined]> | undefined;
+        let interactionComplete: AsyncObservable<[session?: RemoteActorContext | undefined]> | undefined;
         if (exchange !== undefined) {
             interactionComplete = exchangeCompleteEvents.get(exchange);
             if (interactionComplete === undefined) {
@@ -163,13 +179,13 @@ export function OnlineContext(options: OnlineContext.Options) {
             };
             exchange.closing.on(notifyInteractionComplete);
         }
-        const context: ActionContext = {
+        const context: RemoteActorContext & T = {
             ...options,
             session,
             exchange,
             subject,
 
-            fabric,
+            fabric: fabric?.fabricIndex ?? FabricIndex.NO_FABRIC,
             transaction,
 
             interactionComplete,
@@ -194,7 +210,7 @@ export function OnlineContext(options: OnlineContext.Options) {
                     throw new InternalError("OnlineContext initialized without node");
                 }
 
-                const accessLevels = aclManager.accessLevelsFor(context, location, aclEndpointContextFor(location));
+                const accessLevels = accessControl.accessLevelsFor(context, location, aclEndpointContextFor(location));
 
                 if (accessLevelCache === undefined) {
                     accessLevelCache = new Map();
@@ -206,7 +222,7 @@ export function OnlineContext(options: OnlineContext.Options) {
                     : AccessControl.Authority.Unauthorized;
             },
 
-            get [Contextual.context](): ActionContext {
+            get [Contextual.context](): RemoteActorContext {
                 return this;
             },
         };
@@ -247,21 +263,18 @@ export function OnlineContext(options: OnlineContext.Options) {
     }
 }
 
-export namespace OnlineContext {
+export namespace RemoteActorContext {
     export type Options = {
         node: Node;
+        exchange: MessageExchange;
         activity?: NodeActivity.Activity;
         command?: boolean;
         timed?: boolean;
         fabricFiltered?: boolean;
         message?: Message;
-        aclManager?: FabricAccessControl;
-    } & (
-        | { exchange: MessageExchange; fabric?: undefined; subject?: undefined }
-        | { exchange?: undefined; fabric: FabricIndex; subject: NodeId }
-    );
+    };
 
-    export interface ReadOnly extends ActionContext {
+    export interface ReadOnly extends RemoteActorContext {
         [Symbol.dispose](): void;
     }
 }

package/src/behavior/context/server/index.ts

@@ -4,5 +4,5 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-export * from "./OfflineContext.js";
-export * from "./OnlineContext.js";
+export * from "./LocalActorContext.js";
+export * from "./RemoteActorContext.js";

package/src/behavior/internal/Reactors.ts

@@ -7,11 +7,12 @@
 import type { Endpoint } from "#endpoint/Endpoint.js";
 import type { Observable, Observer, Transaction } from "#general";
 import { asError, ImplementationError, InternalError, Logger, MatterAggregateError, MaybePromise } from "#general";
+import { hasRemoteActor } from "#protocol";
 import type { Reactor } from "../Reactor.js";
-import type { ActionContext } from "../context/ActionContext.js";
+import { ActionContext } from "../context/ActionContext.js";
 import { Contextual } from "../context/Contextual.js";
 import { NodeActivity } from "../context/NodeActivity.js";
-import { OfflineContext } from "../context/server/OfflineContext.js";
+import { LocalActorContext } from "../context/server/LocalActorContext.js";
 import type { BehaviorBacking } from "./BehaviorBacking.js";
 
 const logger = Logger.get("Reactors");
@@ -301,7 +302,7 @@ class ReactorBacking<T extends any[], R> {
         }
 
         // Otherwise run in independent context and errors do not interfere with emitter
-        const command = originalContext?.command;
+        const command = hasRemoteActor(originalContext) && originalContext.command;
         try {
             const reactor = (context: ActionContext) => {
                 return this.#reactWithContext(context, this.#owner.backing, args);
@@ -311,7 +312,7 @@ class ReactorBacking<T extends any[], R> {
             // construction and destruction
             //
             // Also, do not inject activity here.  No reason to have both the reactor and the context registered
-            let result: MaybePromise<Awaited<R> | undefined> = OfflineContext.act(this.toString(), reactor, {
+            let result: MaybePromise<Awaited<R> | undefined> = LocalActorContext.act(this.toString(), reactor, {
                 command,
             });
 

package/src/behavior/state/managed/Datasource.ts

@@ -16,9 +16,8 @@ import {
     Observable,
     Transaction,
 } from "#general";
-import { AccessLevel } from "#model";
 import type { Val } from "#protocol";
-import { AccessControl, ExpiredReferenceError } from "#protocol";
+import { AccessControl, ExpiredReferenceError, hasRemoteActor } from "#protocol";
 import { RootSupervisor } from "../../supervision/RootSupervisor.js";
 import { ValueSupervisor } from "../../supervision/ValueSupervisor.js";
 import { StateType } from "../StateType.js";
@@ -125,12 +124,6 @@ export function Datasource<const T extends StateType = StateType>(options: Datas
         get view() {
             if (!readOnlyView) {
                 const session: ValueSupervisor.Session = {
-                    offline: true,
-                    authorityAt(desiredAccessLevel: AccessLevel) {
-                        return desiredAccessLevel === AccessLevel.View
-                            ? AccessControl.Authority.Granted
-                            : AccessControl.Authority.Unauthorized;
-                    },
                     transaction: viewTx,
                 };
                 readOnlyView = createReference(this, internals, session).managed as InstanceType<T>;
@@ -281,7 +274,7 @@ interface Internals extends Datasource.Options {
     primaryKey: "name" | "id";
     sessions?: Map<ValueSupervisor.Session, SessionContext>;
     featuresKey?: string;
-    interactionObserver(session?: AccessControl.Session): MaybePromise<void>;
+    interactionObserver(session?: ValueSupervisor.Session): MaybePromise<void>;
     events: Datasource.InternalEvents;
     changedEventFor(key: string): undefined | Datasource.Events[any];
     persistentFields: Set<string>;
@@ -635,6 +628,7 @@ function createReference(resource: Transaction.Resource, internals: Internals, s
         transaction.beginSync();
 
         if (
+            hasRemoteActor(session) &&
             !session.interactionStarted &&
             session.interactionComplete &&
             !session.interactionComplete.isObservedBy(internals.interactionObserver)

package/src/behavior/state/managed/values/ListManager.ts

@@ -7,7 +7,16 @@
 import { isObject, serialize } from "#general";
 import type { Schema } from "#model";
 import { Access, DataModelPath, ValueModel } from "#model";
-import { AccessControl, ExpiredReferenceError, ReadError, SchemaImplementationError, Val, WriteError } from "#protocol";
+import {
+    AccessControl,
+    ExpiredReferenceError,
+    hasLocalActor,
+    hasRemoteActor,
+    ReadError,
+    SchemaImplementationError,
+    Val,
+    WriteError,
+} from "#protocol";
 import { StatusCode } from "#types";
 import type { RootSupervisor } from "../../../supervision/RootSupervisor.js";
 import type { ValueSupervisor } from "../../../supervision/ValueSupervisor.js";
@@ -206,7 +215,7 @@ function createProxy(config: ListConfig, reference: Val.Reference<Val.List>, ses
                 }
 
                 // If there's no fabric index or it's a match, consider "in scope"
-                if (session.offline || !entry.fabricIndex || entry.fabricIndex === session.fabric) {
+                if (hasLocalActor(session) || !entry.fabricIndex || entry.fabricIndex === session.fabric) {
                     if (nextPos === index) {
                         // Found our target
                         return i;
@@ -229,7 +238,7 @@ function createProxy(config: ListConfig, reference: Val.Reference<Val.List>, ses
             throw new WriteError(reference.location, `Index ${index} would leave gaps in fabric-filtered list`);
         }
 
-        if (session.fabricFiltered || config.fabricSensitive) {
+        if (hasRemoteActor(session) && (session.fabricFiltered || config.fabricSensitive)) {
             const nextReadEntry = readEntry;
 
             hasEntry = (index: number) => {
@@ -262,10 +271,7 @@ function createProxy(config: ListConfig, reference: Val.Reference<Val.List>, ses
                 let length = 0;
                 for (let i = 0; i < readVal().length; i++) {
                     const entry = readVal()[i] as undefined | { fabricIndex?: number };
-                    if (
-                        isObject(entry) &&
-                        (session.offline || !entry.fabricIndex || entry.fabricIndex === session.fabric)
-                    ) {
+                    if (isObject(entry) && (!entry.fabricIndex || entry.fabricIndex === session.fabric)) {
                         length++;
                     }
                 }
@@ -278,10 +284,7 @@ function createProxy(config: ListConfig, reference: Val.Reference<Val.List>, ses
                 reference.change(() => {
                     for (let i = formerLength - 1; i >= length; i--) {
                         const entry = writeVal()[mapScopedToActual(i, true)] as undefined | { fabricIndex?: number };
-                        if (
-                            isObject(entry) &&
-                            (session.offline || !entry.fabricIndex || entry.fabricIndex === session.fabric)
-                        ) {
+                        if (isObject(entry) && (!entry.fabricIndex || entry.fabricIndex === session.fabric)) {
                             writeVal().splice(mapScopedToActual(i, false), 1);
                         } else if (entry !== undefined) {
                             throw new WriteError(

package/src/behavior/supervision/ValueSupervisor.ts

@@ -4,7 +4,6 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { ActionContext } from "#behavior/context/ActionContext.js";
 import type { AsyncObservable, Transaction } from "#general";
 import { DataModelPath, Schema } from "#model";
 import type { AccessControl, Val } from "#protocol";
@@ -67,9 +66,9 @@ export interface ValueSupervisor {
 
 export namespace ValueSupervisor {
     /**
-     * Session information required for value management.
+     * {@link Session} values that control supervision.
      */
-    export interface Session extends AccessControl.Session {
+    export interface SupervisionSettings {
         /**
          * The transaction used for isolating state changes associated with this session.
          */
@@ -82,22 +81,31 @@ export namespace ValueSupervisor {
         acceptInvalid?: boolean;
 
         /**
-         * If present the session is associated with an online interaction.  Emits when the interaction ends.
+         * If true, structs initialize without named properties which are more expensive to install.  This is useful
+         * when implementing the Matter protocol where ID is the only value necessary.
          */
-        interactionComplete?: AsyncObservable<[session?: ActionContext]>;
+        protocol?: boolean;
+    }
 
+    /**
+     * {@link Session} information that enforces stricter controls based on an authenticated remote subject.
+     */
+    export interface RemoteActorSession extends AccessControl.RemoteActorSession, SupervisionSettings {
         /**
-         * Set to true when the interaction has started and the interactionBegin event was emitted for this session
+         * If present the session is associated with an online interaction.  Emits when the interaction ends.
          */
-        interactionStarted?: boolean;
+        interactionComplete?: AsyncObservable<[session?: RemoteActorSession]>;
 
         /**
-         * If true, structs initialize without named properties which are more expensive to install.  This is useful
-         * when implementing the Matter protocol where ID is the only value necessary.
+         * Set to true when the interaction has started and the interactionBegin event was emitted for this session
          */
-        protocol?: boolean;
+        interactionStarted?: boolean;
     }
 
+    export interface LocalActorSession extends AccessControl.LocalActorSession, SupervisionSettings {}
+
+    export type Session = LocalActorSession | RemoteActorSession;
+
     export type Validate = (value: Val, session: Session, location: ValidationLocation) => void;
 
     export type Manage = (reference: Val.Reference, session: Session) => Val;