@matter/node 0.16.0-alpha.0-20250906-463912bd0 → 0.16.0-alpha.0-20250912-0d12bf718

package/src/behavior/system/commissioning/CommissioningClient.ts

@@ -33,6 +33,7 @@ import {
     Subscribe,
 } from "#protocol";
 import {
+    CaseAuthenticatedTag,
     DeviceTypeId,
     DiscoveryCapabilitiesBitmap,
     ManualPairingCodeCodec,
@@ -56,6 +57,7 @@ export class CommissioningClient extends Behavior {
     static override readonly early = true;
 
     static override readonly id = "commissioning";
+
     override initialize(options: { descriptor?: RemoteDescriptor }) {
         const descriptor = options?.descriptor;
         if (descriptor) {
@@ -151,6 +153,7 @@ export class CommissioningClient extends Behavior {
 
         const network = this.agent.get(NetworkClient);
         network.state.startupSubscription = opts.startupSubscription;
+        network.state.caseAuthenticatedTags = opts.caseAuthenticatedTags;
 
         node.lifecycle.commissioned.emit(this.context);
 
@@ -433,6 +436,18 @@ export namespace CommissioningClient {
          * read omits them then the node will only be partially functional once initialized.
          */
         startupSubscription?: Subscribe | null;
+
+        /**
+         * Case Authenticated Tags (CATs) to use for operational CASE sessions with this node.
+         *
+         * CATs provide additional authentication context for Matter operational sessions. They are only used
+         * for operational CASE connections after commissioning is complete, not during the initial PASE
+         * commissioning process.
+         *
+         * Note: CATs only make sense when additional ACLs (Access Control Lists) are also configured on
+         * the target device to grant specific permissions based on these tags.
+         */
+        caseAuthenticatedTags?: CaseAuthenticatedTag[];
     }
 
     export interface PasscodeOptions extends BaseCommissioningOptions {

package/src/behavior/system/network/ClientNetworkRuntime.ts

@@ -51,9 +51,13 @@ export class ClientNetworkRuntime extends NetworkRuntime {
         const { env, lifecycle } = this.owner;
         const peers = env.get(PeerSet);
         const commissioningState = this.owner.stateOf(CommissioningClient);
+        const networkState = this.owner.state.network;
 
         const exchangeProvider = await peers.exchangeProviderFor(address, {
-            discoveryData: RemoteDescriptor.fromLongForm(commissioningState),
+            discoveryOptions: { discoveryData: RemoteDescriptor.fromLongForm(commissioningState) },
+            caseAuthenticatedTags: networkState.caseAuthenticatedTags
+                ? [...networkState.caseAuthenticatedTags] // needed because the tags are readonly
+                : undefined,
         });
         env.set(ExchangeProvider, exchangeProvider);
 

package/src/behavior/system/network/NetworkClient.ts

@@ -7,6 +7,7 @@
 import { DatatypeModel, FieldElement } from "#model";
 import { Node } from "#node/Node.js";
 import { DEFAULT_MIN_INTERVAL_FLOOR, Subscribe } from "#protocol";
+import { CaseAuthenticatedTag } from "#types";
 import { ClientNetworkRuntime } from "./ClientNetworkRuntime.js";
 import { NetworkBehavior } from "./NetworkBehavior.js";
 
@@ -62,6 +63,19 @@ export class NetworkClient extends NetworkBehavior {
                 type: "bool",
                 quality: "N",
             }),
+
+            FieldElement({
+                name: "caseAuthenticatedTags",
+                type: "list",
+                quality: "N",
+                conformance: "O",
+                children: [
+                    FieldElement({
+                        name: "entry",
+                        type: "uint32",
+                    }),
+                ],
+            }),
         ],
     });
 }
@@ -86,5 +100,14 @@ export namespace NetworkClient {
          * If true, the matter.js will not perform network communication with the node.
          */
         isDisabled = false;
+
+        /**
+         * Case Authenticated Tags (CATs) to use for operational CASE sessions with this node.
+         *
+         * CATs provide additional authentication context for Matter operational sessions. They are only used
+         * for operational CASE connections after commissioning is complete, not during the initial PASE
+         * commissioning process.
+         */
+        caseAuthenticatedTags?: CaseAuthenticatedTag[];
     }
 }

package/src/behaviors/access-control/AccessControlServer.ts

@@ -15,6 +15,8 @@ import {
     AclList,
     Fabric,
     FabricManager,
+    hasLocalActor,
+    hasRemoteActor,
     IncomingSubjectDescriptor,
     MessageExchange,
     NodeSession,
@@ -91,8 +93,8 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
                     ". This should only happen once after upgrading to matter.js 0.9.1",
                 );
             }
-            fabric.acl.aclList = fabricAcls;
-            fabric.acl.extensionEntryAccessCheck = this.extensionEntryAccessCheck.bind(this);
+            fabric.accessControl.aclList = fabricAcls;
+            fabric.accessControl.extensionEntryAccessCheck = this.extensionEntryAccessCheck.bind(this);
         }
 
         // TODO handle delete fabric more generically later to remove fabric scoped data
@@ -134,11 +136,14 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
     #validateAccessControlListChanges(
         value: AccessControlTypes.AccessControlEntry[],
         _oldValue: AccessControlTypes.AccessControlEntry[],
-        context?: ActionContext,
     ) {
-        // TODO: This might be not really correct for local ACL changes because there the session fabric could be
-        //  different which would lead to missing validation of the relevant entries
-        const relevantFabricIndex = this.context.session?.associatedFabric.fabricIndex;
+        const { context } = this;
+
+        if (!hasRemoteActor(context)) {
+            return;
+        }
+
+        const relevantFabricIndex = context.session.associatedFabric.fabricIndex;
 
         if (relevantFabricIndex === undefined) {
             return;
@@ -276,7 +281,8 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         if (!this.internal.initialized) {
             return; // Too early to send events
         }
-        const { session } = this.context;
+
+        const session = hasRemoteActor(this.context) ? this.context.session : undefined;
 
         // TODO: This might be not really correct for local ACL changes because there the session fabric could be
         //  different which would lead to missing events
@@ -327,14 +333,12 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
     }
 
     #validateAccessControlExtensionChanges(value: AccessControlTypes.AccessControlExtension[]) {
-        // TODO: This might be not really correct for local ACL changes because there the session fabric could be
-        //  different which would lead to missing validation of the relevant entries
-        const relevantFabricIndex = this.context.session?.associatedFabric.fabricIndex;
-
-        if (relevantFabricIndex === undefined) {
+        if (!hasRemoteActor(this.context)) {
             return;
         }
 
+        const relevantFabricIndex = this.context.session.associatedFabric.fabricIndex;
+
         const fabricExtensions = value.filter(entry => entry.fabricIndex === relevantFabricIndex);
 
         if (fabricExtensions.length === 0) {
@@ -355,7 +359,8 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         if (!this.internal.initialized) {
             return; // Too early to send events
         }
-        const { session } = this.context;
+
+        const session = hasRemoteActor(this.context) ? this.context.session : undefined;
 
         // TODO: This might be not really correct for local ACL changes because there the session fabric could be
         //  different which would lead to missing events of the relevant entries
@@ -437,7 +442,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
     /** A fabric was added or updated, so we need to initialize the ACL for this fabric */
     #updateFabricAcls(fabric: Fabric) {
         const fabricIndex = fabric.fabricIndex;
-        fabric.acl.aclList = deepCopy(this.state.acl).filter(entry => entry.fabricIndex === fabricIndex);
+        fabric.accessControl.aclList = deepCopy(this.state.acl).filter(entry => entry.fabricIndex === fabricIndex);
     }
 
     /**
@@ -445,7 +450,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
      * fabric index. If ACL data are really changed later, the exchange gets added then.
      */
     #handleInteractionBegin(session?: AccessControl.Session) {
-        if (session !== undefined && !session.offline && session.fabric !== undefined) {
+        if (hasRemoteActor(session)) {
             this.#prepareAclUpdateFor(session.fabric);
         }
     }
@@ -456,7 +461,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
      * not changing the ACL.
      */
     #handleInteractionEnd(session?: AccessControl.Session) {
-        if (session !== undefined && !session.offline && session.fabric !== undefined) {
+        if (hasRemoteActor(session)) {
             if (this.internal.aclUpdateDelayed.get(session.fabric) !== undefined) {
                 this.#applyDelayedAclUpdateFor(session.fabric);
             }
@@ -469,7 +474,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         _oldAcl: AccessControlTypes.AccessControlEntry[],
         context?: ActionContext,
     ) {
-        if (context === undefined || context.offline) {
+        if (hasLocalActor(context)) {
             // local or offline ACL change, so we update all fabrics because we do not know better
             this.#updateAllFabricsAcls();
         } else {
@@ -498,7 +503,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
             // No interaction registered, so we apply directly because local/offline change
             logger.debug("ACL attribute updated, applying update to ACL manager", fabricIndex);
 
-            fabric.acl.aclList = deepCopy(acl).filter(entry => entry.fabricIndex === fabricIndex);
+            fabric.accessControl.aclList = deepCopy(acl).filter(entry => entry.fabricIndex === fabricIndex);
         }
     }
 
@@ -522,7 +527,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         const fabrics = this.env.get(FabricManager);
         for (const fabric of fabrics) {
             // Update all Fabrics and set the ACL list for each fabric, empty ACLs when none are present
-            fabric.acl.aclList = aclsForFabric.get(fabric.fabricIndex) ?? [];
+            fabric.accessControl.aclList = aclsForFabric.get(fabric.fabricIndex) ?? [];
         }
     }
 
@@ -564,7 +569,7 @@ export class AccessControlServer extends AccessControlBehavior.with("Extension")
         this.internal.delayedAclData.delete(fabricIndex);
         this.internal.aclUpdateDelayed.delete(fabricIndex);
         if (updateDelayed && delayedData !== undefined) {
-            this.env.get(FabricManager).for(fabricIndex).acl.aclList = delayedData;
+            this.env.get(FabricManager).for(fabricIndex).accessControl.aclList = delayedData;
         }
     }
 }

package/src/behaviors/administrator-commissioning/AdministratorCommissioningServer.ts

@@ -7,7 +7,14 @@
 import { AdministratorCommissioning } from "#clusters/administrator-commissioning";
 import { Duration, InternalError, Logger, Seconds, Time, Timer } from "#general";
 import { AccessLevel } from "#model";
-import { DeviceCommissioner, FailsafeContext, PaseServer, SessionManager } from "#protocol";
+import {
+    assertRemoteActor,
+    DeviceCommissioner,
+    FailsafeContext,
+    hasRemoteActor,
+    PaseServer,
+    SessionManager,
+} from "#protocol";
 import {
     Command,
     MINIMUM_COMMISSIONING_TIMEOUT,
@@ -155,16 +162,17 @@ export class AdministratorCommissioningServer extends AdministratorCommissioning
             // Should never happen, but let's make sure
             throw new InternalError("Commissioning window already initialized.");
         }
-        logger.debug(
-            `Commissioning window timer started for ${commissioningTimeout} seconds for ${this.context.session?.name}.`,
-        );
+        const actor = hasRemoteActor(this.context) ? this.context.session.name : "local actor";
+        logger.debug(`Commissioning window timer started for ${commissioningTimeout} seconds for ${actor}.`);
         this.internal.commissioningWindowTimeout = Time.getTimer(
             "Commissioning timeout",
             commissioningTimeout,
             this.callback(this.#commissioningTimeout),
         ).start();
 
-        const adminFabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+
+        const adminFabric = this.context.session.associatedFabric;
 
         this.state.windowStatus = windowStatus;
         this.state.adminFabricIndex = adminFabric.fabricIndex;
@@ -176,7 +184,7 @@ export class AdministratorCommissioningServer extends AdministratorCommissioning
             adminFabric.deleteRemoveCallback(removeCallback);
         };
 
-        this.session.associatedFabric.addRemoveCallback(removeCallback);
+        this.context.session.associatedFabric.addRemoveCallback(removeCallback);
     }
 
     /**

package/src/behaviors/general-commissioning/GeneralCommissioningServer.ts

@@ -10,7 +10,15 @@ import { AdministratorCommissioning } from "#clusters/administrator-commissionin
 import { GeneralCommissioning } from "#clusters/general-commissioning";
 import { Bytes, Diagnostic, Logger, MatterFlowError, MaybePromise, Seconds } from "#general";
 import type { ServerNode } from "#node/ServerNode.js";
-import { DeviceCommissioner, FabricManager, GroupSession, NodeSession, SecureSession, SessionManager } from "#protocol";
+import {
+    assertRemoteActor,
+    DeviceCommissioner,
+    FabricManager,
+    GroupSession,
+    NodeSession,
+    SecureSession,
+    SessionManager,
+} from "#protocol";
 import { GeneralCommissioningBehavior } from "./GeneralCommissioningBehavior.js";
 import { ServerNodeFailsafeContext } from "./ServerNodeFailsafeContext.js";
 
@@ -121,7 +129,8 @@ export class GeneralCommissioningServer extends GeneralCommissioningBehavior {
     }
 
     override armFailSafe(request: GeneralCommissioning.ArmFailSafeRequest) {
-        return this.#armFailSafe(request, this.session);
+        assertRemoteActor(this.context);
+        return this.#armFailSafe(request, this.context.session);
     }
 
     override async setRegulatoryConfig({
@@ -191,10 +200,7 @@ export class GeneralCommissioningServer extends GeneralCommissioningBehavior {
             };
         }
 
-        // Regulatory config is not fabric-writable so requires elevated privileges
-        this.asAdmin(() => {
-            this.state.regulatoryConfig = newRegulatoryConfig;
-        });
+        this.state.regulatoryConfig = newRegulatoryConfig;
 
         this.state.breadcrumb = breadcrumb;
 
@@ -202,7 +208,8 @@ export class GeneralCommissioningServer extends GeneralCommissioningBehavior {
     }
 
     override async commissioningComplete() {
-        const session = this.session;
+        assertRemoteActor(this.context);
+        const { session } = this.context;
         if ((NodeSession.is(session) && session.isPase) || GroupSession.is(session)) {
             return {
                 errorCode: GeneralCommissioning.CommissioningError.InvalidAuthentication,
@@ -210,7 +217,7 @@ export class GeneralCommissioningServer extends GeneralCommissioningBehavior {
             };
         }
 
-        const fabric = this.session.associatedFabric;
+        const fabric = session.associatedFabric;
 
         const commissioner = this.env.get(DeviceCommissioner);
 

package/src/behaviors/general-diagnostics/GeneralDiagnosticsServer.ts

@@ -28,7 +28,7 @@ import {
 } from "#general";
 import { FieldElement, Specification } from "#model";
 import type { NodeLifecycle } from "#node/NodeLifecycle.js";
-import { MdnsService, Val } from "#protocol";
+import { assertRemoteActor, MdnsService, Val } from "#protocol";
 import { CommandId, StatusCode, StatusResponseError, TlvInvokeResponse } from "#types";
 import { GeneralDiagnosticsBehavior } from "./GeneralDiagnosticsBehavior.js";
 
@@ -173,10 +173,8 @@ export class GeneralDiagnosticsServer extends Base {
             ],
         }).byteLength;
 
-        const exchange = this.context.exchange;
-        if (exchange === undefined) {
-            throw new ImplementationError(`Illegal operation outside exchange context`);
-        }
+        assertRemoteActor(this.context);
+        const { exchange } = this.context;
 
         if (responseSize > exchange.maxPayloadSize) {
             throw new StatusResponseError("Response too large", StatusCode.ResourceExhausted);

package/src/behaviors/group-key-management/GroupKeyManagementServer.ts

@@ -9,7 +9,7 @@ import { GroupKeyManagement } from "#clusters/group-key-management";
 import { deepCopy, ImplementationError, Logger, MaybePromise } from "#general";
 import { DatatypeModel, FieldElement } from "#model";
 import { NodeLifecycle } from "#node/NodeLifecycle.js";
-import { Fabric, FabricManager, SecureSession } from "#protocol";
+import { assertRemoteActor, Fabric, FabricManager, hasRemoteActor } from "#protocol";
 import { EndpointNumber, FabricIndex, GroupId, StatusCode, StatusResponseError } from "#types";
 import { GroupKeyManagementBehavior } from "./GroupKeyManagementBehavior.js";
 
@@ -217,7 +217,7 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
         _oldMap?: GroupKeyManagement.GroupKeyMap[],
         context?: ActionContext,
     ) {
-        if (context !== undefined && !context?.offline) {
+        if (context !== undefined && hasRemoteActor(context)) {
             const fabric = context.session?.associatedFabric;
             const fabricIndex = fabric?.fabricIndex;
 
@@ -252,7 +252,7 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
     }
 
     override async keySetWrite({ groupKeySet }: GroupKeyManagement.KeySetWriteRequest) {
-        SecureSession.assert(this.session);
+        assertRemoteActor(this.context);
 
         const {
             groupKeySetId,
@@ -324,7 +324,7 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
             throw new StatusResponseError("GroupKeyMulticastPolicy must be PerGroupId", StatusCode.InvalidCommand);
         }
 
-        const fabric = this.session.associatedFabric;
+        const fabric = this.context.session.associatedFabric;
         const fabricIndex = fabric.fabricIndex;
 
         // Replace or add the group key set to the internal persisted state
@@ -356,7 +356,9 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
     override keySetRead({
         groupKeySetId,
     }: GroupKeyManagement.KeySetReadRequest): GroupKeyManagement.KeySetReadResponse {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+
+        const fabric = this.context.session.associatedFabric;
 
         // We use the fabric group manager to retrieve the group key set because he also has the id 0 and is synced anyway
         const groupKeySet = fabric.groups.keySets.asGroupKeySet(groupKeySetId);
@@ -379,7 +381,9 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
             throw new StatusResponseError(`GroupKeySet ${groupKeySetId} cannot be removed`, StatusCode.InvalidCommand);
         }
 
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+
+        const fabric = this.context.session.associatedFabric;
         const fabricIndex = fabric.fabricIndex;
 
         // Replace or add the group key set to the internal persisted state
@@ -402,7 +406,9 @@ export class GroupKeyManagementServer extends GroupKeyManagementBehavior {
     }
 
     override keySetReadAllIndices(): GroupKeyManagement.KeySetReadAllIndicesResponse {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+
+        const fabric = this.context.session.associatedFabric;
         const fabricIndex = fabric.fabricIndex;
 
         const groupKeySetIDs = this.state.groupKeySets

package/src/behaviors/groups/GroupsServer.ts

@@ -11,6 +11,7 @@ import { Endpoint } from "#endpoint/Endpoint.js";
 import { RootEndpoint } from "#endpoints/root";
 import { InternalError, Logger } from "#general";
 import { AccessLevel } from "#model";
+import { assertRemoteActor, Fabric } from "#protocol";
 import {
     Command,
     StatusCode,
@@ -75,16 +76,20 @@ export class GroupsServer extends GroupsBase {
         return rootEndpoint;
     }
 
-    async #actOnGroupKeyManagement<T>(act: (groupKeyManagement: GroupKeyManagementServer) => T): Promise<T> {
+    async #actOnGroupKeyManagement<T>(
+        act: (fabric: Fabric, groupKeyManagement: GroupKeyManagementServer) => T,
+    ): Promise<T> {
+        assertRemoteActor(this.context);
         const agent = this.#rootEndpoint.agentFor(this.context);
         const gkm = agent.get(GroupKeyManagementServer);
         await agent.context.transaction.addResources(gkm);
         await agent.context.transaction.begin();
-        return act(gkm);
+        return act(this.context.session.associatedFabric, gkm);
     }
 
     override async addGroup({ groupId, groupName }: Groups.AddGroupRequest): Promise<Groups.AddGroupResponse> {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+        const fabric = this.context.session.associatedFabric;
 
         if (groupId < 1) {
             return { status: StatusCode.ConstraintError, groupId };
@@ -100,7 +105,7 @@ export class GroupsServer extends GroupsBase {
         const endpointNumber = this.endpoint.number;
 
         try {
-            await this.#actOnGroupKeyManagement(gkm =>
+            await this.#actOnGroupKeyManagement((fabric, gkm) =>
                 gkm.addEndpointForGroup(fabric, groupId, endpointNumber, groupName),
             );
         } catch (error) {
@@ -113,7 +118,8 @@ export class GroupsServer extends GroupsBase {
     }
 
     override viewGroup({ groupId }: Groups.ViewGroupRequest): Groups.ViewGroupResponse {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+        const fabric = this.context.session.associatedFabric;
 
         if (groupId < 1) {
             return { status: StatusCode.ConstraintError, groupId, groupName: "" };
@@ -133,7 +139,8 @@ export class GroupsServer extends GroupsBase {
     override async getGroupMembership({
         groupList,
     }: Groups.GetGroupMembershipRequest): Promise<Groups.GetGroupMembershipResponse> {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+        const fabric = this.context.session.associatedFabric;
         const fabricIndex = fabric.fabricIndex;
         const endpointNumber = this.endpoint.number;
 
@@ -158,8 +165,8 @@ export class GroupsServer extends GroupsBase {
 
         try {
             if (
-                await this.#actOnGroupKeyManagement(gkm =>
-                    gkm.removeEndpoint(this.session.associatedFabric, this.endpoint.number, groupId),
+                await this.#actOnGroupKeyManagement((fabric, gkm) =>
+                    gkm.removeEndpoint(fabric, this.endpoint.number, groupId),
                 )
             ) {
                 return { status: StatusCode.Success, groupId };
@@ -174,9 +181,7 @@ export class GroupsServer extends GroupsBase {
     // TODO ScenesManagement cluster is also affected by this command
     override async removeAllGroups() {
         try {
-            await this.#actOnGroupKeyManagement(gkm =>
-                gkm.removeEndpoint(this.session.associatedFabric, this.endpoint.number),
-            );
+            await this.#actOnGroupKeyManagement((fabric, gkm) => gkm.removeEndpoint(fabric, this.endpoint.number));
         } catch (error) {
             StatusResponseError.accept(error);
             throw error;

package/src/behaviors/operational-credentials/OperationalCredentialsServer.ts

@@ -14,6 +14,7 @@ import { Crypto, CryptoVerifyError, Logger, MatterFlowError, MaybePromise, Unexp
 import { AccessLevel } from "#model";
 import type { Node } from "#node/Node.js";
 import {
+    assertRemoteActor,
     CertificateError,
     DeviceCertification,
     DeviceCommissioner,
@@ -94,13 +95,15 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
     }
 
     override async attestationRequest({ attestationNonce }: OperationalCredentials.AttestationRequest) {
+        assertRemoteActor(this.context);
+
         if (attestationNonce.byteLength !== 32) {
             throw new StatusResponseError("Invalid attestation nonce length", StatusCode.InvalidCommand);
         }
 
         const certification = await this.getCertification();
 
-        const session = this.session;
+        const session = this.context.session;
         NodeSession.assert(session);
 
         const attestationElements = TlvAttestation.encode({
@@ -115,11 +118,13 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
     }
 
     override async csrRequest({ csrNonce, isForUpdateNoc }: OperationalCredentials.CsrRequest) {
+        assertRemoteActor(this.context);
+
         if (csrNonce.byteLength !== 32) {
             throw new StatusResponseError("Invalid csr nonce length", StatusCode.InvalidCommand);
         }
 
-        const session = this.session;
+        const session = this.context.session;
         NodeSession.assert(session);
         if (isForUpdateNoc && session.isPase) {
             throw new StatusResponseError(
@@ -139,9 +144,10 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
 
         const certification = await this.getCertification();
 
+        assertRemoteActor(this.context);
         const certSigningRequest = await failsafeContext.createCertificateSigningRequest(
             isForUpdateNoc ?? false,
-            this.session.id,
+            this.context.session.id,
         );
         const nocsrElements = TlvCertSigningRequest.encode({ certSigningRequest, csrNonce });
         return { nocsrElements, attestationSignature: await certification.sign(session, nocsrElements) };
@@ -205,6 +211,8 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
         caseAdminSubject,
         adminVendorId,
     }: OperationalCredentials.AddNocRequest) {
+        assertRemoteActor(this.context);
+
         const failsafeContext = this.#failsafeContext;
 
         if (failsafeContext.fabricIndex !== undefined) {
@@ -221,7 +229,7 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
             };
         }
 
-        if (failsafeContext.csrSessionId !== this.session.id) {
+        if (failsafeContext.csrSessionId !== this.context.session.id) {
             return {
                 statusCode: OperationalCredentials.NodeOperationalCertStatus.MissingCsr,
                 debugText: "CSR not found in failsafe context",
@@ -261,7 +269,7 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
         // subsequent Administer access to an Administrator member of the new Fabric.
         await this.endpoint.act(agent => agent.get(AccessControlServer).addDefaultCaseAcl(fabric, [caseAdminSubject]));
 
-        const session = this.session;
+        const session = this.context.session;
         NodeSession.assert(session);
 
         await failsafeContext.addFabric(fabric);
@@ -302,7 +310,8 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
     }
 
     override async updateNoc({ nocValue, icacValue }: OperationalCredentials.UpdateNocRequest) {
-        NodeSession.assert(this.session);
+        assertRemoteActor(this.context);
+        NodeSession.assert(this.context.session);
 
         const timedOp = this.#failsafeContext;
 
@@ -338,7 +347,7 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
             };
         }
 
-        if (this.session.associatedFabric.fabricIndex !== timedOp.associatedFabric?.fabricIndex) {
+        if (this.context.session.associatedFabric.fabricIndex !== timedOp.associatedFabric?.fabricIndex) {
             throw new StatusResponseError(
                 "Fabric of this session and the failsafe context do not match",
                 StatusCode.ConstraintError,
@@ -363,7 +372,8 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
     }
 
     override async updateFabricLabel({ label }: OperationalCredentials.UpdateFabricLabelRequest) {
-        const fabric = this.session.associatedFabric;
+        assertRemoteActor(this.context);
+        const fabric = this.context.session.associatedFabric;
 
         const currentFabricIndex = fabric.fabricIndex;
         const fabrics = this.env.get(FabricManager);
@@ -381,6 +391,8 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
     }
 
     override async removeFabric({ fabricIndex }: OperationalCredentials.RemoveFabricRequest) {
+        assertRemoteActor(this.context);
+
         const fabric = this.env.get(FabricManager).findByIndex(fabricIndex);
 
         if (fabric === undefined) {
@@ -390,7 +402,7 @@ export class OperationalCredentialsServer extends OperationalCredentialsBehavior
             };
         }
 
-        await fabric.remove(this.session.id);
+        await fabric.remove(this.context.session.id);
         // The state is updated on removal via commissionedFabricChanged event, see constructor
 
         return {

package/src/behaviors/window-covering/WindowCoveringServer.ts

@@ -187,7 +187,7 @@ export class WindowCoveringBaseServer extends WindowCoveringBase {
             !mode.maintenanceMode || (mode.calibrationMode && !this.internal.supportsCalibration);
         configStatus.liftMovementReversed = !!mode.motorDirectionReversed;
         if (isDeepEqual(configStatus, this.state.configStatus)) {
-            this.asAdmin(() => {
+            this.agent.asLocalActor(() => {
                 this.state.configStatus = configStatus;
             });
         }