npm - @matter/protocol - Versions diffs - 0.14.1-alpha.0-20250605-9fc134af0 → 0.14.1-alpha.0-20250606-a9bcd03f9 - Mend

@matter/protocol 0.14.1-alpha.0-20250605-9fc134af0 → 0.14.1-alpha.0-20250606-a9bcd03f9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (312) hide show

package/dist/cjs/action/server/AccessControl.d.ts +5 -7
package/dist/cjs/action/server/AccessControl.d.ts.map +1 -1
package/dist/cjs/action/server/AccessControl.js.map +1 -1
package/dist/cjs/action/server/AttributeWriteResponse.d.ts.map +1 -1
package/dist/cjs/action/server/AttributeWriteResponse.js +23 -0
package/dist/cjs/action/server/AttributeWriteResponse.js.map +1 -1
package/dist/cjs/action/server/CommandInvokeResponse.d.ts.map +1 -1
package/dist/cjs/action/server/CommandInvokeResponse.js +24 -1
package/dist/cjs/action/server/CommandInvokeResponse.js.map +1 -1
package/dist/cjs/action/server/DataResponse.d.ts +1 -1
package/dist/cjs/action/server/DataResponse.d.ts.map +1 -1
package/dist/cjs/action/server/Subject.d.ts +25 -0
package/dist/cjs/action/server/Subject.d.ts.map +1 -0
package/dist/cjs/action/server/Subject.js +54 -0
package/dist/cjs/action/server/Subject.js.map +6 -0
package/dist/cjs/action/server/index.d.ts +1 -0
package/dist/cjs/action/server/index.d.ts.map +1 -1
package/dist/cjs/action/server/index.js +1 -0
package/dist/cjs/action/server/index.js.map +1 -1
package/dist/cjs/certificate/DeviceCertification.d.ts +2 -2
package/dist/cjs/certificate/DeviceCertification.d.ts.map +1 -1
package/dist/cjs/certificate/DeviceCertification.js.map +1 -1
package/dist/cjs/cluster/client/AttributeClient.d.ts +3 -3
package/dist/cjs/cluster/client/AttributeClient.d.ts.map +1 -1
package/dist/cjs/cluster/client/AttributeClient.js +14 -2
package/dist/cjs/cluster/client/AttributeClient.js.map +1 -1
package/dist/cjs/cluster/client/ClusterClient.d.ts +3 -2
package/dist/cjs/cluster/client/ClusterClient.d.ts.map +1 -1
package/dist/cjs/cluster/client/ClusterClient.js +60 -1
package/dist/cjs/cluster/client/ClusterClient.js.map +1 -1
package/dist/cjs/cluster/client/ClusterClientTypes.d.ts +33 -8
package/dist/cjs/cluster/client/ClusterClientTypes.d.ts.map +1 -1
package/dist/cjs/cluster/client/EventClient.d.ts +3 -3
package/dist/cjs/cluster/client/EventClient.d.ts.map +1 -1
package/dist/cjs/cluster/client/EventClient.js +7 -0
package/dist/cjs/cluster/client/EventClient.js.map +1 -1
package/dist/cjs/codec/MessageCodec.d.ts.map +1 -1
package/dist/cjs/codec/MessageCodec.js +31 -6
package/dist/cjs/codec/MessageCodec.js.map +1 -1
package/dist/cjs/fabric/Fabric.d.ts +20 -30
package/dist/cjs/fabric/Fabric.d.ts.map +1 -1
package/dist/cjs/fabric/Fabric.js +38 -62
package/dist/cjs/fabric/Fabric.js.map +2 -2
package/dist/cjs/fabric/FabricManager.d.ts.map +1 -1
package/dist/cjs/fabric/FabricManager.js +10 -4
package/dist/cjs/fabric/FabricManager.js.map +1 -1
package/dist/cjs/groups/FabricGroupsManager.d.ts +46 -0
package/dist/cjs/groups/FabricGroupsManager.d.ts.map +1 -0
package/dist/cjs/groups/FabricGroupsManager.js +155 -0
package/dist/cjs/groups/FabricGroupsManager.js.map +6 -0
package/dist/cjs/groups/Groups.d.ts +34 -0
package/dist/cjs/groups/Groups.d.ts.map +1 -0
package/dist/cjs/groups/Groups.js +89 -0
package/dist/cjs/groups/Groups.js.map +6 -0
package/dist/cjs/groups/KeySets.d.ts +64 -0
package/dist/cjs/groups/KeySets.d.ts.map +1 -0
package/dist/cjs/groups/KeySets.js +179 -0
package/dist/cjs/groups/KeySets.js.map +6 -0
package/dist/cjs/groups/MessagingState.d.ts +24 -0
package/dist/cjs/groups/MessagingState.d.ts.map +1 -0
package/dist/cjs/groups/MessagingState.js +91 -0
package/dist/cjs/groups/MessagingState.js.map +6 -0
package/dist/cjs/groups/index.d.ts +8 -0
package/dist/cjs/groups/index.d.ts.map +1 -0
package/dist/cjs/groups/index.js +25 -0
package/dist/cjs/groups/index.js.map +6 -0
package/dist/cjs/index.d.ts +1 -0
package/dist/cjs/index.d.ts.map +1 -1
package/dist/cjs/index.js +1 -0
package/dist/cjs/index.js.map +1 -1
package/dist/cjs/interaction/AccessControlManager.d.ts +4 -13
package/dist/cjs/interaction/AccessControlManager.d.ts.map +1 -1
package/dist/cjs/interaction/AccessControlManager.js +38 -47
package/dist/cjs/interaction/AccessControlManager.js.map +1 -1
package/dist/cjs/interaction/InteractionClient.d.ts +5 -4
package/dist/cjs/interaction/InteractionClient.d.ts.map +1 -1
package/dist/cjs/interaction/InteractionClient.js +53 -3
package/dist/cjs/interaction/InteractionClient.js.map +1 -1
package/dist/cjs/interaction/InteractionMessenger.d.ts.map +1 -1
package/dist/cjs/interaction/InteractionMessenger.js +15 -0
package/dist/cjs/interaction/InteractionMessenger.js.map +1 -1
package/dist/cjs/interaction/Subscription.d.ts +3 -3
package/dist/cjs/interaction/Subscription.d.ts.map +1 -1
package/dist/cjs/interaction/Subscription.js.map +1 -1
package/dist/cjs/peer/PeerAddress.d.ts +1 -0
package/dist/cjs/peer/PeerAddress.d.ts.map +1 -1
package/dist/cjs/peer/PeerAddress.js +5 -0
package/dist/cjs/peer/PeerAddress.js.map +1 -1
package/dist/cjs/peer/PeerSet.d.ts.map +1 -1
package/dist/cjs/peer/PeerSet.js +31 -2
package/dist/cjs/peer/PeerSet.js.map +1 -1
package/dist/cjs/protocol/ChannelManager.d.ts.map +1 -1
package/dist/cjs/protocol/ChannelManager.js +7 -8
package/dist/cjs/protocol/ChannelManager.js.map +1 -1
package/dist/cjs/protocol/ExchangeManager.d.ts.map +1 -1
package/dist/cjs/protocol/ExchangeManager.js +39 -25
package/dist/cjs/protocol/ExchangeManager.js.map +1 -1
package/dist/cjs/protocol/MessageExchange.d.ts +1 -1
package/dist/cjs/protocol/MessageExchange.d.ts.map +1 -1
package/dist/cjs/protocol/MessageExchange.js +32 -4
package/dist/cjs/protocol/MessageExchange.js.map +1 -1
package/dist/cjs/protocol/MessageReceptionState.d.ts +1 -1
package/dist/cjs/securechannel/SecureChannelProtocol.js +1 -1
package/dist/cjs/securechannel/SecureChannelProtocol.js.map +1 -1
package/dist/cjs/session/GroupSession.d.ts +56 -0
package/dist/cjs/session/GroupSession.d.ts.map +1 -0
package/dist/cjs/session/GroupSession.js +188 -0
package/dist/cjs/session/GroupSession.js.map +6 -0
package/dist/cjs/session/InsecureSession.d.ts +2 -1
package/dist/cjs/session/InsecureSession.d.ts.map +1 -1
package/dist/cjs/session/InsecureSession.js +3 -2
package/dist/cjs/session/InsecureSession.js.map +1 -1
package/dist/cjs/session/NodeSession.d.ts +88 -0
package/dist/cjs/session/NodeSession.d.ts.map +1 -0
package/dist/cjs/session/NodeSession.js +318 -0
package/dist/cjs/session/NodeSession.js.map +6 -0
package/dist/cjs/session/SecureSession.d.ts +10 -75
package/dist/cjs/session/SecureSession.d.ts.map +1 -1
package/dist/cjs/session/SecureSession.js +9 -280
package/dist/cjs/session/SecureSession.js.map +2 -2
package/dist/cjs/session/Session.d.ts +6 -5
package/dist/cjs/session/Session.d.ts.map +1 -1
package/dist/cjs/session/Session.js +11 -1
package/dist/cjs/session/Session.js.map +1 -1
package/dist/cjs/session/SessionManager.d.ts +27 -9
package/dist/cjs/session/SessionManager.d.ts.map +1 -1
package/dist/cjs/session/SessionManager.js +83 -5
package/dist/cjs/session/SessionManager.js.map +2 -2
package/dist/cjs/session/case/CaseClient.d.ts +1 -1
package/dist/cjs/session/case/CaseClient.js +2 -2
package/dist/cjs/session/case/CaseClient.js.map +1 -1
package/dist/cjs/session/index.d.ts +2 -0
package/dist/cjs/session/index.d.ts.map +1 -1
package/dist/cjs/session/index.js +2 -0
package/dist/cjs/session/index.js.map +1 -1
package/dist/cjs/session/pase/PaseClient.d.ts +1 -1
package/dist/esm/action/server/AccessControl.d.ts +5 -7
package/dist/esm/action/server/AccessControl.d.ts.map +1 -1
package/dist/esm/action/server/AccessControl.js.map +1 -1
package/dist/esm/action/server/AttributeWriteResponse.d.ts.map +1 -1
package/dist/esm/action/server/AttributeWriteResponse.js +23 -0
package/dist/esm/action/server/AttributeWriteResponse.js.map +1 -1
package/dist/esm/action/server/CommandInvokeResponse.d.ts.map +1 -1
package/dist/esm/action/server/CommandInvokeResponse.js +24 -1
package/dist/esm/action/server/CommandInvokeResponse.js.map +1 -1
package/dist/esm/action/server/DataResponse.d.ts +1 -1
package/dist/esm/action/server/DataResponse.d.ts.map +1 -1
package/dist/esm/action/server/Subject.d.ts +25 -0
package/dist/esm/action/server/Subject.d.ts.map +1 -0
package/dist/esm/action/server/Subject.js +34 -0
package/dist/esm/action/server/Subject.js.map +6 -0
package/dist/esm/action/server/index.d.ts +1 -0
package/dist/esm/action/server/index.d.ts.map +1 -1
package/dist/esm/action/server/index.js +1 -0
package/dist/esm/action/server/index.js.map +1 -1
package/dist/esm/certificate/DeviceCertification.d.ts +2 -2
package/dist/esm/certificate/DeviceCertification.d.ts.map +1 -1
package/dist/esm/certificate/DeviceCertification.js.map +1 -1
package/dist/esm/cluster/client/AttributeClient.d.ts +3 -3
package/dist/esm/cluster/client/AttributeClient.d.ts.map +1 -1
package/dist/esm/cluster/client/AttributeClient.js +13 -1
package/dist/esm/cluster/client/AttributeClient.js.map +1 -1
package/dist/esm/cluster/client/ClusterClient.d.ts +3 -2
package/dist/esm/cluster/client/ClusterClient.d.ts.map +1 -1
package/dist/esm/cluster/client/ClusterClient.js +61 -2
package/dist/esm/cluster/client/ClusterClient.js.map +1 -1
package/dist/esm/cluster/client/ClusterClientTypes.d.ts +33 -8
package/dist/esm/cluster/client/ClusterClientTypes.d.ts.map +1 -1
package/dist/esm/cluster/client/EventClient.d.ts +3 -3
package/dist/esm/cluster/client/EventClient.d.ts.map +1 -1
package/dist/esm/cluster/client/EventClient.js +7 -0
package/dist/esm/cluster/client/EventClient.js.map +1 -1
package/dist/esm/codec/MessageCodec.d.ts.map +1 -1
package/dist/esm/codec/MessageCodec.js +41 -7
package/dist/esm/codec/MessageCodec.js.map +1 -1
package/dist/esm/fabric/Fabric.d.ts +20 -30
package/dist/esm/fabric/Fabric.d.ts.map +1 -1
package/dist/esm/fabric/Fabric.js +38 -62
package/dist/esm/fabric/Fabric.js.map +2 -2
package/dist/esm/fabric/FabricManager.d.ts.map +1 -1
package/dist/esm/fabric/FabricManager.js +10 -4
package/dist/esm/fabric/FabricManager.js.map +1 -1
package/dist/esm/groups/FabricGroupsManager.d.ts +46 -0
package/dist/esm/groups/FabricGroupsManager.d.ts.map +1 -0
package/dist/esm/groups/FabricGroupsManager.js +135 -0
package/dist/esm/groups/FabricGroupsManager.js.map +6 -0
package/dist/esm/groups/Groups.d.ts +34 -0
package/dist/esm/groups/Groups.d.ts.map +1 -0
package/dist/esm/groups/Groups.js +69 -0
package/dist/esm/groups/Groups.js.map +6 -0
package/dist/esm/groups/KeySets.d.ts +64 -0
package/dist/esm/groups/KeySets.d.ts.map +1 -0
package/dist/esm/groups/KeySets.js +159 -0
package/dist/esm/groups/KeySets.js.map +6 -0
package/dist/esm/groups/MessagingState.d.ts +24 -0
package/dist/esm/groups/MessagingState.d.ts.map +1 -0
package/dist/esm/groups/MessagingState.js +71 -0
package/dist/esm/groups/MessagingState.js.map +6 -0
package/dist/esm/groups/index.d.ts +8 -0
package/dist/esm/groups/index.d.ts.map +1 -0
package/dist/esm/groups/index.js +8 -0
package/dist/esm/groups/index.js.map +6 -0
package/dist/esm/index.d.ts +1 -0
package/dist/esm/index.d.ts.map +1 -1
package/dist/esm/index.js +1 -0
package/dist/esm/index.js.map +1 -1
package/dist/esm/interaction/AccessControlManager.d.ts +4 -13
package/dist/esm/interaction/AccessControlManager.d.ts.map +1 -1
package/dist/esm/interaction/AccessControlManager.js +39 -48
package/dist/esm/interaction/AccessControlManager.js.map +1 -1
package/dist/esm/interaction/InteractionClient.d.ts +5 -4
package/dist/esm/interaction/InteractionClient.d.ts.map +1 -1
package/dist/esm/interaction/InteractionClient.js +54 -4
package/dist/esm/interaction/InteractionClient.js.map +1 -1
package/dist/esm/interaction/InteractionMessenger.d.ts.map +1 -1
package/dist/esm/interaction/InteractionMessenger.js +15 -0
package/dist/esm/interaction/InteractionMessenger.js.map +1 -1
package/dist/esm/interaction/Subscription.d.ts +3 -3
package/dist/esm/interaction/Subscription.d.ts.map +1 -1
package/dist/esm/interaction/Subscription.js.map +1 -1
package/dist/esm/peer/PeerAddress.d.ts +1 -0
package/dist/esm/peer/PeerAddress.d.ts.map +1 -1
package/dist/esm/peer/PeerAddress.js +5 -0
package/dist/esm/peer/PeerAddress.js.map +1 -1
package/dist/esm/peer/PeerSet.d.ts.map +1 -1
package/dist/esm/peer/PeerSet.js +33 -3
package/dist/esm/peer/PeerSet.js.map +1 -1
package/dist/esm/protocol/ChannelManager.d.ts.map +1 -1
package/dist/esm/protocol/ChannelManager.js +7 -8
package/dist/esm/protocol/ChannelManager.js.map +1 -1
package/dist/esm/protocol/ExchangeManager.d.ts.map +1 -1
package/dist/esm/protocol/ExchangeManager.js +41 -27
package/dist/esm/protocol/ExchangeManager.js.map +1 -1
package/dist/esm/protocol/MessageExchange.d.ts +1 -1
package/dist/esm/protocol/MessageExchange.d.ts.map +1 -1
package/dist/esm/protocol/MessageExchange.js +39 -5
package/dist/esm/protocol/MessageExchange.js.map +1 -1
package/dist/esm/protocol/MessageReceptionState.d.ts +1 -1
package/dist/esm/securechannel/SecureChannelProtocol.js +2 -2
package/dist/esm/securechannel/SecureChannelProtocol.js.map +1 -1
package/dist/esm/session/GroupSession.d.ts +56 -0
package/dist/esm/session/GroupSession.d.ts.map +1 -0
package/dist/esm/session/GroupSession.js +177 -0
package/dist/esm/session/GroupSession.js.map +6 -0
package/dist/esm/session/InsecureSession.d.ts +2 -1
package/dist/esm/session/InsecureSession.d.ts.map +1 -1
package/dist/esm/session/InsecureSession.js +3 -2
package/dist/esm/session/InsecureSession.js.map +1 -1
package/dist/esm/session/NodeSession.d.ts +88 -0
package/dist/esm/session/NodeSession.d.ts.map +1 -0
package/dist/esm/session/NodeSession.js +298 -0
package/dist/esm/session/NodeSession.js.map +6 -0
package/dist/esm/session/SecureSession.d.ts +10 -75
package/dist/esm/session/SecureSession.d.ts.map +1 -1
package/dist/esm/session/SecureSession.js +10 -291
package/dist/esm/session/SecureSession.js.map +2 -2
package/dist/esm/session/Session.d.ts +6 -5
package/dist/esm/session/Session.d.ts.map +1 -1
package/dist/esm/session/Session.js +12 -2
package/dist/esm/session/Session.js.map +1 -1
package/dist/esm/session/SessionManager.d.ts +27 -9
package/dist/esm/session/SessionManager.d.ts.map +1 -1
package/dist/esm/session/SessionManager.js +84 -6
package/dist/esm/session/SessionManager.js.map +1 -1
package/dist/esm/session/case/CaseClient.d.ts +1 -1
package/dist/esm/session/case/CaseClient.js +2 -2
package/dist/esm/session/case/CaseClient.js.map +1 -1
package/dist/esm/session/index.d.ts +2 -0
package/dist/esm/session/index.d.ts.map +1 -1
package/dist/esm/session/index.js +2 -0
package/dist/esm/session/index.js.map +1 -1
package/dist/esm/session/pase/PaseClient.d.ts +1 -1
package/package.json +6 -6
package/src/action/server/AccessControl.ts +4 -7
package/src/action/server/AttributeWriteResponse.ts +29 -7
package/src/action/server/CommandInvokeResponse.ts +28 -7
package/src/action/server/DataResponse.ts +1 -1
package/src/action/server/Subject.ts +45 -0
package/src/action/server/index.ts +1 -0
package/src/certificate/DeviceCertification.ts +2 -2
package/src/cluster/client/AttributeClient.ts +15 -3
package/src/cluster/client/ClusterClient.ts +90 -4
package/src/cluster/client/ClusterClientTypes.ts +38 -9
package/src/cluster/client/EventClient.ts +9 -2
package/src/codec/MessageCodec.ts +49 -8
package/src/fabric/Fabric.ts +51 -85
package/src/fabric/FabricManager.ts +11 -4
package/src/groups/FabricGroupsManager.ts +164 -0
package/src/groups/Groups.ts +81 -0
package/src/groups/KeySets.ts +194 -0
package/src/groups/MessagingState.ts +76 -0
package/src/groups/index.ts +8 -0
package/src/index.ts +1 -0
package/src/interaction/AccessControlManager.ts +49 -81
package/src/interaction/InteractionClient.ts +66 -6
package/src/interaction/InteractionMessenger.ts +15 -0
package/src/interaction/Subscription.ts +3 -3
package/src/peer/PeerAddress.ts +4 -0
package/src/peer/PeerSet.ts +39 -4
package/src/protocol/ChannelManager.ts +7 -9
package/src/protocol/ExchangeManager.ts +51 -35
package/src/protocol/MessageExchange.ts +42 -7
package/src/protocol/MessageReceptionState.ts +2 -2
package/src/securechannel/SecureChannelProtocol.ts +2 -2
package/src/session/GroupSession.ts +223 -0
package/src/session/InsecureSession.ts +3 -2
package/src/session/NodeSession.ts +367 -0
package/src/session/SecureSession.ts +14 -363
package/src/session/Session.ts +17 -6
package/src/session/SessionManager.ts +94 -14
package/src/session/case/CaseClient.ts +2 -2
package/src/session/index.ts +2 -3

package/src/interaction/AccessControlManager.ts CHANGED Viewed

@@ -3,8 +3,9 @@
  * Copyright 2022-2023 Project CHIP Authors
  * SPDX-License-Identifier: Apache-2.0
  */
+import { Subject } from "#action/server/Subject.js";
 import { AccessControl } from "#clusters/access-control";
-import { Logger, MatterFlowError, toHex } from "#general";
+import { MatterFlowError } from "#general";
 import { AccessLevel } from "#model";
 import {
     CaseAuthenticatedTag,
@@ -15,11 +16,9 @@ import {
     NodeId,
     StatusCode,
     StatusResponseError,
+    SubjectId,
 } from "#types";
-import { Fabric } from "../fabric/Fabric.js";
-import { SecureSession } from "../session/SecureSession.js";
-const logger = Logger.get("AccessControlManager");
+import { AccessControl as AccessControlContext } from "../action/server/AccessControl.js";
 export type AclEntry = Omit<AccessControl.AccessControlEntry, "privilege"> & {
     privilege: AccessLevel;
@@ -49,7 +48,7 @@ enum AuthModeNone {
 export type IncomingSubjectDescriptor = {
     isCommissioning: boolean;
     authMode: AccessControl.AccessControlEntryAuthMode | AuthModeNone;
-    subjects: NodeId[];
+    subjects: SubjectId[];
     fabricIndex: FabricIndex;
 };
@@ -98,22 +97,24 @@ export class AccessControlManager {
     /**
      * Get the Access Control List for a given fabric.
      */
-    #getAccessControlEntriesForFabric(fabric: Fabric): AclList {
-        return this.#aclList.filter(entry => entry.fabricIndex === fabric.fabricIndex);
+    #getAccessControlEntriesForFabric(fabricIndex: FabricIndex): AclList {
+        return this.#aclList.filter(entry => entry.fabricIndex === fabricIndex);
     }
     /**
      * Subjects must match exactly, or both are CAT with matching CAT ID and acceptable CAT version
      */
-    #subjectMatches(aclSubject: NodeId, isdSubject: NodeId): boolean {
-        if (aclSubject === isdSubject) {
+    #subjectMatches(aclSubject: SubjectId, isdSubject: SubjectId): boolean {
+        if (BigInt(aclSubject) === BigInt(isdSubject)) {
             return true;
         }
-        if (!NodeId.isCaseAuthenticatedTag(aclSubject) || !NodeId.isCaseAuthenticatedTag(isdSubject)) {
+        const aclNode = NodeId(aclSubject);
+        const isdNode = NodeId(isdSubject);
+        if (!NodeId.isCaseAuthenticatedTag(aclNode) || !NodeId.isCaseAuthenticatedTag(isdNode)) {
             return false;
         }
-        const aclSubjectCat = NodeId.extractAsCaseAuthenticatedTag(aclSubject);
-        const isdSubjectCat = NodeId.extractAsCaseAuthenticatedTag(isdSubject);
+        const aclSubjectCat = NodeId.extractAsCaseAuthenticatedTag(aclNode);
+        const isdSubjectCat = NodeId.extractAsCaseAuthenticatedTag(isdNode);
         return (
             CaseAuthenticatedTag.getIdentifyValue(aclSubjectCat) ===
                 CaseAuthenticatedTag.getIdentifyValue(isdSubjectCat) &&
@@ -149,40 +150,16 @@ export class AccessControlManager {
     }
     /**
-     * Check if the given ACL entry is allowed to be used for the given subject descriptor, endpoint, and cluster ID.
+     * Determines the granted privileges for the given session, endpoint, and cluster ID and returns them.
      */
-    allowsPrivilege(
-        session: SecureSession,
+    getGrantedPrivileges(
+        context: AccessControlContext.Session,
         endpoint: AclEndpointContext,
         clusterId: ClusterId,
-        privilege: AccessLevel,
-    ): boolean {
-        const grantedPrivileges = this.getGrantedPrivileges(session, endpoint, clusterId);
-        if (grantedPrivileges.includes(privilege)) {
-            return true;
-        }
-        logger.notice(
-            `Failed access control check for ${endpoint.id}/0x${toHex(clusterId)} and fabricIndex ${session.associatedFabric.fabricIndex}, acl=`,
-            this.#getAccessControlEntriesForFabric(session.associatedFabric),
-            "with ISD=",
-            this.#getIsdFromMessage(session),
-            "granted privileges=",
-            grantedPrivileges,
-            "not contains",
-            privilege,
-        );
-        return false;
-    }
-    /**
-     * Determines the granted privileges for the given session, endpoint, and cluster ID and returns them.
-     */
-    getGrantedPrivileges(session: SecureSession, endpoint: AclEndpointContext, clusterId: ClusterId): AccessLevel[] {
+    ): AccessLevel[] {
         const endpointId = endpoint.id;
-        const fabric = session.fabric;
-        const subjectDesc = this.#getIsdFromMessage(session);
+        const fabric = context.fabric;
+        const subjectDesc = this.#getIsdFromMessage(context);
         const acl = fabric ? this.#getAccessControlEntriesForFabric(fabric) : [ImplicitDefaultPaseAclEntry];
         // Granted privileges set is initially empty
@@ -203,17 +180,11 @@ export class AccessControlManager {
             // other than the implicit PASE entry, which we will not see explicitly in the
             // access control list
             if (aclEntry.fabricIndex === FabricIndex.NO_FABRIC || aclEntry.fabricIndex !== subjectDesc.fabricIndex) {
-                logger.debug(
-                    "Skipping ACL entry with mismatched fabric index",
-                    aclEntry.fabricIndex,
-                    subjectDesc.fabricIndex,
-                );
                 continue;
             }
             // Auth mode must match
             if (aclEntry.authMode !== subjectDesc.authMode) {
-                logger.debug("Skipping ACL entry with mismatched auth mode", aclEntry.authMode, subjectDesc.authMode);
                 continue;
             }
@@ -304,50 +275,47 @@ export class AccessControlManager {
     /**
      * Determines the Incoming Subject Descriptor (ISD) from the given session.
      */
-    #getIsdFromMessage(session: SecureSession) {
-        const fabric = session.fabric;
+    #getIsdFromMessage(session: AccessControlContext.Session) {
+        const fabricIndex = session.fabric;
         const isd: IncomingSubjectDescriptor = {
             isCommissioning: false,
             authMode: AuthModeNone.None,
-            subjects: new Array<NodeId>(),
+            subjects: new Array<SubjectId>(),
             fabricIndex: FabricIndex.NO_FABRIC,
         };
-        if (session.isPase) {
+        const { subject } = session;
+        if (subject === undefined) {
+            throw new MatterFlowError("ACL error: ACL checks require an authorized subject");
+        }
+        if (subject.id === NodeId.UNSPECIFIED_NODE_ID) {
+            // Pase Session
             isd.authMode = AccessControl.AccessControlEntryAuthMode.Pase;
             isd.isCommissioning = true; // Or how "commissioning channel" is defined?
-            isd.subjects.push(NodeId(0)); // Default Commissioning Passcode ID
-            if (fabric) {
-                isd.fabricIndex = fabric.fabricIndex;
+            isd.subjects.push(NodeId.UNSPECIFIED_NODE_ID); // Default Commissioning Passcode ID
+            if (fabricIndex !== undefined && fabricIndex !== FabricIndex.NO_FABRIC) {
+                isd.fabricIndex = fabricIndex;
             }
-        } else {
-            // TODO Add Group session handling when implementing groups
-            // if (session instanceof SecureGroupSession) {
-            //   Groups
-            //   # Message is assumed to have been decrypted and matched properly prior to
-            //       # this procedure occurring.
-            //       group_id = message.get_dst_group_id()
-            //       group_key_id = sessions_metadata.get_group_key_id(message)
-            //       # Group membership must be verified against Group Key Management Cluster
-            //       if group_key_management_cluster.group_key_map_has_mapping(group_id, group_key_id):
-            //         isd.AuthMode = AuthModeEnum.Group
-            //         isd.Subjects.append(group_id)
-            //         isd.FabricIndex = sessions_metadata.get_fabric_index(message)
-            //         assert(isd.FabricIndex != 0) # cannot be zero
-            //
-            //     isd.authMode = AccessControl.AccessControlEntryAuthMode.Group;
-            // } else {
+        } else if (Subject.isGroup(subject)) {
+            if (fabricIndex === undefined || fabricIndex === FabricIndex.NO_FABRIC) {
+                throw new MatterFlowError("ACL error: fabric needs to be associated for group sessions");
+            }
+            if (subject.hasValidMapping) {
+                isd.authMode = AccessControl.AccessControlEntryAuthMode.Group;
+                isd.subjects.push(subject.id);
+                isd.fabricIndex = fabricIndex;
+            }
+        } else if (Subject.isNode(subject)) {
             // CASE session
+            if (fabricIndex === undefined || fabricIndex === FabricIndex.NO_FABRIC) {
+                throw new MatterFlowError("ACL error: Case session must be associated with a fabric");
+            }
             isd.authMode = AccessControl.AccessControlEntryAuthMode.Case;
-            isd.subjects.push(session.peerNodeId);
-            // Append CASE session CATs which also serve as subjects
-            session.caseAuthenticatedTags.forEach(cat => isd.subjects.push(NodeId.fromCaseAuthenticatedTag(cat)));
-            // }
-            if (fabric === undefined) {
-                throw new MatterFlowError("ACL error: fabric is undefined");
+            isd.subjects.push(subject.id);
+            if (subject.catSubjects !== undefined) {
+                isd.subjects.push(...subject.catSubjects);
             }
-            isd.fabricIndex = fabric.fabricIndex;
+            isd.fabricIndex = fabricIndex;
         }
         return isd;

package/src/interaction/InteractionClient.ts CHANGED Viewed

@@ -134,7 +134,8 @@ export class InteractionClientProvider {
             return client;
         }
-        const nodeStore = this.#peers.get(address)?.dataStore;
+        const isGroupAddress = PeerAddress.isGroup(address);
+        const nodeStore = isGroupAddress ? undefined : this.#peers.get(address)?.dataStore;
         await nodeStore?.construction; // Lazy initialize the data if not already done
         const exchangeProvider = await this.#peers.exchangeProviderFor(address, discoveryOptions);
@@ -167,6 +168,7 @@ export class InteractionClient {
     readonly #subscriptionClient: SubscriptionClient;
     readonly #queue?: PromiseQueue;
     readonly #address?: PeerAddress;
+    readonly isGroupAddress: boolean;
     constructor(
         exchangeProvider: ExchangeProvider,
@@ -180,6 +182,7 @@ export class InteractionClient {
         this.#subscriptionClient = subscriptionClient;
         this.#queue = queue;
         this.#address = address;
+        this.isGroupAddress = address !== undefined ? PeerAddress.isGroup(address) : false;
     }
     get address() {
@@ -321,6 +324,10 @@ export class InteractionClient {
             executeQueued?: boolean;
         } = {},
     ): Promise<DecodedDataReport> {
+        if (this.isGroupAddress) {
+            throw new ImplementationError("Reading data from group addresses is not supported.");
+        }
         const {
             attributes: attributeRequests,
             dataVersionFilters,
@@ -411,6 +418,10 @@ export class InteractionClient {
         clusterId: ClusterId;
         attribute: A;
     }): { value: AttributeJsType<A>; version: number } | undefined {
+        if (this.isGroupAddress) {
+            throw new ImplementationError("Reading data from group addresses is not supported.");
+        }
         const { endpointId, clusterId, attribute } = options;
         const { id: attributeId } = attribute;
         if (this.#nodeStore !== undefined) {
@@ -430,6 +441,10 @@ export class InteractionClient {
         requestFromRemote?: boolean;
         executeQueued?: boolean;
     }): Promise<{ value: AttributeJsType<A>; version: number } | undefined> {
+        if (this.isGroupAddress) {
+            throw new ImplementationError("Reading data from group addresses is not supported.");
+        }
         const { endpointId, clusterId, attribute, requestFromRemote, isFabricFiltered, executeQueued } = options;
         const { id: attributeId } = attribute;
         if (this.#nodeStore !== undefined) {
@@ -516,7 +531,7 @@ export class InteractionClient {
     async setAttribute<T>(options: {
         attributeData: {
-            endpointId: EndpointNumber;
+            endpointId?: EndpointNumber;
             clusterId: ClusterId;
             attribute: Attribute<T, any>;
             value: T;
@@ -557,7 +572,7 @@ export class InteractionClient {
     async setMultipleAttributes(options: {
         attributes: {
-            endpointId: EndpointNumber;
+            endpointId?: EndpointNumber;
             clusterId: ClusterId;
             attribute: Attribute<any, any>;
             value: any;
@@ -575,9 +590,22 @@ export class InteractionClient {
             attributes,
             asTimedRequest,
             timedRequestTimeoutMs = DEFAULT_TIMED_REQUEST_TIMEOUT_MS,
-            suppressResponse = false, // TODO needs to be TRUE for Group writes
+            suppressResponse = this.isGroupAddress,
             chunkLists = true, // Should be true currently to stay in sync with chip sdk
         } = options;
+        if (this.isGroupAddress) {
+            if (!suppressResponse) {
+                throw new ImplementationError("Writing attributes on a group address can not return a response.");
+            }
+            if (
+                attributes.some(
+                    ({ endpointId, clusterId, attribute }) =>
+                        endpointId !== undefined || clusterId === undefined || attribute.id === undefined,
+                )
+            ) {
+                throw new ImplementationError("Not all attribute write paths are valid for group address writes.");
+            }
+        }
         logger.debug(
             `Sending write request: ${attributes
                 .map(
@@ -621,6 +649,9 @@ export class InteractionClient {
             attributes.some(({ attribute: { timed } }) => timed) ||
             asTimedRequest === true ||
             options.timedRequestTimeoutMs !== undefined;
+        if (this.isGroupAddress && timedRequest) {
+            throw new ImplementationError("Timed requests are not supported for group address writes.");
+        }
         const response = await this.withMessenger<TypeFromSchema<typeof TlvWriteResponse> | undefined>(
             async messenger => {
@@ -671,6 +702,9 @@ export class InteractionClient {
     }): Promise<{
         maxInterval: number;
     }> {
+        if (this.isGroupAddress) {
+            throw new ImplementationError("Subscribing to attributes on a group address is not supported.");
+        }
         const {
             endpointId,
             clusterId,
@@ -792,6 +826,9 @@ export class InteractionClient {
     }): Promise<{
         maxInterval: number;
     }> {
+        if (this.isGroupAddress) {
+            throw new ImplementationError("Subscribing to events on a group address is not supported.");
+        }
         const {
             endpointId,
             clusterId,
@@ -923,6 +960,9 @@ export class InteractionClient {
         eventReports?: DecodedEventReportValue<any>[];
         maxInterval: number;
     }> {
+        if (this.isGroupAddress) {
+            throw new ImplementationError("Subscribing to attributes or events on a group address is not supported.");
+        }
         const {
             attributes: attributeRequests = [],
             events: eventRequests = [],
@@ -1097,7 +1137,7 @@ export class InteractionClient {
     }
     async invoke<C extends Command<any, any, any>>(options: {
-        endpointId: EndpointNumber;
+        endpointId?: EndpointNumber;
         clusterId: ClusterId;
         request: RequestType<C>;
         command: C;
@@ -1132,6 +1172,15 @@ export class InteractionClient {
         const timedRequest =
             (timed && !skipValidation) || asTimedRequest === true || options.timedRequestTimeoutMs !== undefined;
+        if (this.isGroupAddress) {
+            if (endpointId !== undefined) {
+                throw new ImplementationError("Invoking a concrete command on a group address is not supported.");
+            }
+            if (timedRequest) {
+                throw new ImplementationError("Timed requests are not supported for group address invokes.");
+            }
+        }
         if (requestSchema instanceof ObjectSchema) {
             if (request === undefined) {
                 // If developer did not provide a request object, create an empty one if it needs to be an object
@@ -1228,8 +1277,9 @@ export class InteractionClient {
     }
     // TODO Add to ClusterClient when needed/when Group communication is implemented
+    // TODO Additionally support it without endpoint
     async invokeWithSuppressedResponse<C extends Command<any, any, any>>(options: {
-        endpointId: EndpointNumber;
+        endpointId?: EndpointNumber;
         clusterId: ClusterId;
         request: RequestType<C>;
         command: C;
@@ -1248,6 +1298,16 @@ export class InteractionClient {
             timedRequestTimeoutMs = DEFAULT_TIMED_REQUEST_TIMEOUT_MS,
         } = options;
         const timedRequest = timed || asTimedRequest === true || options.timedRequestTimeoutMs !== undefined;
+        if (this.isGroupAddress) {
+            if (timed) {
+                throw new ImplementationError("Timed requests are not supported for group address invokes.");
+            }
+            if (endpointId !== undefined) {
+                throw new ImplementationError("Invoking a concrete command on a group address is not supported.");
+            }
+        }
         logger.debug(
             `Invoking command with suppressedResponse: ${resolveCommandName({
                 endpointId,

package/src/interaction/InteractionMessenger.ts CHANGED Viewed

@@ -262,6 +262,12 @@ export class InteractionServerMessenger extends InteractionMessenger {
                         break;
                     }
                     case MessageType.SubscribeRequest: {
+                        if (isGroupSession) {
+                            throw new StatusResponseError(
+                                `SubscribeRequest is not supported in group sessions`,
+                                Status.InvalidAction,
+                            );
+                        }
                         const subscribeRequest = TlvSubscribeRequest.decode(message.payload);
                         await recipient.handleSubscribeRequest(this.exchange, subscribeRequest, this, message);
                         // response is sent by handler
@@ -274,6 +280,12 @@ export class InteractionServerMessenger extends InteractionMessenger {
                         break;
                     }
                     case MessageType.TimedRequest: {
+                        if (isGroupSession) {
+                            throw new StatusResponseError(
+                                `TimedRequest is not supported in group sessions`,
+                                Status.InvalidAction,
+                            );
+                        }
                         const timedRequest = TlvTimedRequest.decode(message.payload);
                         recipient.handleTimedRequest(this.exchange, timedRequest, message);
                         await this.sendStatus(StatusCode.Success, {
@@ -288,6 +300,9 @@ export class InteractionServerMessenger extends InteractionMessenger {
                             Status.InvalidAction,
                         );
                 }
+                if (isGroupSession) {
+                    break; // We do not support multiple messages in group sessions
+                }
             }
         } catch (error: any) {
             let errorStatusCode = StatusCode.Failure;

package/src/interaction/Subscription.ts CHANGED Viewed

@@ -5,7 +5,7 @@
  */
 import { AsyncObservable, InternalError, Logger } from "#general";
-import { type SecureSession } from "#session/SecureSession.js";
+import { NodeSession } from "#session/NodeSession.js";
 import { TlvAttributePath, TlvDataVersionFilter, TlvEventFilter, TlvEventPath, TypeFromSchema } from "#types";
 const logger = Logger.get("Subscription");
@@ -24,7 +24,7 @@ export interface SubscriptionCriteria {
  * A single active subscription.
  */
 export abstract class Subscription {
-    #session: SecureSession;
+    #session: NodeSession;
     #id: SubscriptionId;
     #isClosed?: boolean;
     #isCanceledByPeer?: boolean;
@@ -32,7 +32,7 @@ export abstract class Subscription {
     #cancelled = AsyncObservable<[subscription: Subscription]>();
     #maxIntervalMs?: number;
-    constructor(session: SecureSession, id: SubscriptionId, criteria: SubscriptionCriteria) {
+    constructor(session: NodeSession, id: SubscriptionId, criteria: SubscriptionCriteria) {
         this.#session = session;
         this.#id = id;
         this.#criteria = criteria;

package/src/peer/PeerAddress.ts CHANGED Viewed

@@ -64,6 +64,10 @@ export namespace PeerAddress {
         return addr1.fabricIndex === addr2.fabricIndex && addr1.nodeId === addr2.nodeId;
     }
+    export function isGroup(address: PeerAddress): boolean {
+        return NodeId.isGroupNodeId(address.nodeId);
+    }
 }
 /**

package/src/peer/PeerSet.ts CHANGED Viewed

@@ -25,6 +25,7 @@ import {
     ObservableSet,
     ServerAddressIp,
     serverAddressToString,
+    STANDARD_MATTER_PORT,
     Time,
     Timer,
 } from "#general";
@@ -34,7 +35,7 @@ import { PeerAddress, PeerAddressMap } from "#peer/PeerAddress.js";
 import { ChannelStatusResponseError } from "#securechannel/index.js";
 import { CaseClient, SecureSession, Session } from "#session/index.js";
 import { SessionManager } from "#session/SessionManager.js";
-import { NodeId, ProtocolStatusCode, SECURE_CHANNEL_PROTOCOL_ID } from "#types";
+import { GroupId, NodeId, ProtocolStatusCode, SECURE_CHANNEL_PROTOCOL_ID } from "#types";
 import { ChannelManager } from "../protocol/ChannelManager.js";
 import { ChannelNotConnectedError, ExchangeManager, MessageChannel } from "../protocol/ExchangeManager.js";
 import { DedicatedChannelExchangeProvider, ReconnectableExchangeProvider } from "../protocol/ExchangeProvider.js";
@@ -240,14 +241,20 @@ export class PeerSet implements ImmutableSet<OperationalPeer>, ObservableSet<Ope
             operationalAddress?: ServerAddressIp;
         },
     ) {
+        address = PeerAddress(address);
+        const isGroupNode = PeerAddress.isGroup(address);
         const { discoveryOptions, allowUnknownPeer, operationalAddress } = options;
-        if (!this.#peersByAddress.has(address) && !allowUnknownPeer) {
+        if (!this.#peersByAddress.has(address) && !allowUnknownPeer && !isGroupNode) {
             throw new UnknownNodeError(`Cannot connect to unknown device ${PeerAddress(address)}`);
         }
-        address = PeerAddress(address);
         if (!this.#channels.hasChannel(address)) {
+            if (isGroupNode) {
+                await this.#createGroupChannel(address);
+                return;
+            }
             const { promise: existingReconnectPromise } = this.#runningPeerReconnections.get(address) ?? {};
             if (existingReconnectPromise !== undefined) {
                 return existingReconnectPromise;
@@ -278,6 +285,13 @@ export class PeerSet implements ImmutableSet<OperationalPeer>, ObservableSet<Ope
             return new DedicatedChannelExchangeProvider(this.#exchanges, addressOrChannel);
         }
         const address: PeerAddress = addressOrChannel;
+        if (PeerAddress.isGroup(address)) {
+            if (!this.#channels.hasChannel(address)) {
+                // Ensure that we have a group channel
+                await this.#createGroupChannel(address);
+            }
+            return new DedicatedChannelExchangeProvider(this.#exchanges, this.#channels.getChannel(address));
+        }
         let initiallyConnected = this.#channels.hasChannel(address);
         return new ReconnectableExchangeProvider(this.#exchanges, this.#channels, address, async () => {
             if (!initiallyConnected && !this.#channels.hasChannel(address)) {
@@ -620,6 +634,27 @@ export class PeerSet implements ImmutableSet<OperationalPeer>, ObservableSet<Ope
         }
     }
+    async #createGroupChannel(address: PeerAddress) {
+        const groupId = GroupId.fromNodeId(address.nodeId);
+        GroupId.assertGroupId(groupId);
+        const multicastAddress = this.#sessions.fabricFor(address).groups.multicastAddressFor(groupId);
+        const operationalInterface = this.#netInterfaces.interfaceFor(ChannelType.UDP, multicastAddress);
+        if (operationalInterface === undefined) {
+            throw new PairRetransmissionLimitReachedError(`IPv6 interface not initialized`);
+        }
+        const operationalChannel = await operationalInterface.openChannel({
+            type: ChannelType.UDP,
+            ip: multicastAddress,
+            port: STANDARD_MATTER_PORT,
+        });
+        const session = this.#sessions.groupSessionForAddress(address);
+        const channel = new MessageChannel(operationalChannel, session);
+        await this.#channels.setChannel(address, channel);
+        return channel;
+    }
     /** Pair with an operational device (already commissioned) and establish a CASE session. */
     async #pair(
         address: PeerAddress,

package/src/protocol/ChannelManager.ts CHANGED Viewed

@@ -6,7 +6,7 @@
 import { AsyncObservable, Channel, Environment, Environmental, Logger, MatterError } from "#general";
 import { PeerAddress, PeerAddressMap } from "#peer/PeerAddress.js";
-import { SecureSession } from "../session/SecureSession.js";
+import { NodeSession } from "../session/NodeSession.js";
 import { Session } from "../session/Session.js";
 import { MessageChannel } from "./ExchangeManager.js";
@@ -91,10 +91,9 @@ export class ChannelManager {
      * Returns the last established session for a Fabric and Node
      */
     getChannelForSession(session: Session) {
-        if (session.isSecure && !session.isPase) {
-            const secureSession = session as SecureSession;
-            const fabric = secureSession.fabric;
-            const nodeId = secureSession.peerNodeId;
+        if (NodeSession.is(session) && !session.isPase) {
+            const fabric = session.fabric;
+            const nodeId = session.peerNodeId;
             if (fabric === undefined) {
                 return this.#paseChannels.get(session);
             }
@@ -142,12 +141,11 @@ export class ChannelManager {
     }
     async getOrCreateChannel(byteArrayChannel: Channel<Uint8Array>, session: Session) {
-        if (!session.isSecure) {
+        if (!NodeSession.is(session)) {
             return this.getOrCreateAsPaseChannel(byteArrayChannel, session);
         }
-        const secureSession = session as SecureSession;
-        const fabric = secureSession.fabric;
-        const nodeId = secureSession.peerNodeId;
+        const fabric = session.fabric;
+        const nodeId = session.peerNodeId;
         if (fabric === undefined) {
             return this.getOrCreateAsPaseChannel(byteArrayChannel, session);
         }