@matter/protocol 0.17.2 → 0.17.3-alpha.0-20260617-ea3690abc

package/src/action/server/CommandInvokeResponse.ts

@@ -11,7 +11,7 @@ import { InvokeResult } from "#action/response/InvokeResult.js";
 import { AccessControl, hasRemoteActor } from "#action/server/AccessControl.js";
 import { DataResponse, FallbackLimits } from "#action/server/DataResponse.js";
 import { Diagnostic, InternalError, Logger } from "@matter/general";
-import { CommandModel, DataModelPath, ElementTag, FabricIndex as FabricIndexField } from "@matter/model";
+import { AccessLevel, CommandModel, DataModelPath, ElementTag, FabricIndex as FabricIndexField } from "@matter/model";
 import {
     CommandPath,
     EndpointNumber,
@@ -214,9 +214,10 @@ export class CommandInvokeResponse<
             limits = command.limits;
         }
 
-        // Validate access.  Order here prescribed by 1.4 core spec 8.4.3.2
+        // Order prescribed by core spec 8.8.3.2: an Operate-privilege pass gates element-existence disclosure,
+        // existence checks follow, then the actual-privilege pass gates the invoke.
         // We need some fallback location if cluster is not defined
-        const location = {
+        const location: AccessControl.Location = {
             ...(cluster?.location ?? {
                 path: DataModelPath.none,
                 endpoint: endpointId,
@@ -225,20 +226,13 @@ export class CommandInvokeResponse<
             owningFabric: this.session.fabric,
         };
 
+        let access: { session: AccessControl.RemoteActorSession; location: AccessControl.Location } | undefined;
         if (hasRemoteActor(this.session)) {
-            const permission = this.session.authorityAt(limits.writeLevel, location);
-            switch (permission) {
-                case AccessControl.Authority.Granted:
-                    break;
+            access = { session: this.session, location };
 
-                case AccessControl.Authority.Unauthorized:
-                    return this.#addStatus(path, commandRef, Status.UnsupportedAccess);
-
-                case AccessControl.Authority.Restricted:
-                    return this.#addStatus(path, commandRef, Status.AccessRestricted);
-
-                default:
-                    throw new InternalError(`Unsupported authorization state ${permission}`);
+            const denial = this.#authorize(access.session, AccessLevel.Operate, location);
+            if (denial !== undefined) {
+                return this.#addStatus(path, commandRef, denial);
             }
         }
 
@@ -252,6 +246,13 @@ export class CommandInvokeResponse<
             return this.#addStatus(path, commandRef, Status.UnsupportedCommand);
         }
 
+        if (access !== undefined) {
+            const denial = this.#authorize(access.session, limits.writeLevel, access.location);
+            if (denial !== undefined) {
+                return this.#addStatus(path, commandRef, denial);
+            }
+        }
+
         if (hasRemoteActor(this.session)) {
             if (limits.largeMessage && !this.session.largeMessage) {
                 this.#errorCount++;
@@ -369,6 +370,26 @@ export class CommandInvokeResponse<
         }
     }
 
+    /**
+     * Validate access at {@link level}.  Returns undefined if granted; otherwise the status to report.
+     */
+    #authorize(session: AccessControl.RemoteActorSession, level: AccessLevel, location: AccessControl.Location) {
+        const permission = session.authorityAt(level, location);
+        switch (permission) {
+            case AccessControl.Authority.Granted:
+                return undefined;
+
+            case AccessControl.Authority.Unauthorized:
+                return Status.UnsupportedAccess;
+
+            case AccessControl.Authority.Restricted:
+                return Status.AccessRestricted;
+
+            default:
+                throw new InternalError(`Unsupported authorization state ${permission}`);
+        }
+    }
+
     #addResponse(chunk: InvokeResult.Data) {
         if (this.#chunk) {
             this.#chunk.push(chunk);

package/src/action/server/EventReadResponse.ts

@@ -12,7 +12,7 @@ import { AccessControl, hasRemoteActor } from "#action/server/AccessControl.js";
 import { DataResponse, FallbackLimits } from "#action/server/DataResponse.js";
 import { NumberedOccurrence } from "#events/Occurrence.js";
 import { InternalError, isObject, Logger } from "@matter/general";
-import { DataModelPath, ElementTag, EventModel } from "@matter/model";
+import { AccessLevel, DataModelPath, ElementTag, EventModel } from "@matter/model";
 import {
     EventNumber,
     EventPath,
@@ -185,10 +185,12 @@ export class EventReadResponse<
             limits = event.limits;
         }
 
-        // Validate access.  Order here prescribed by 1.4 core spec 8.4.3.2
-        // We need some fallback location if cluster is not defined
+        // Order prescribed by core spec 8.4.3.2: a View-privilege pass gates element-existence disclosure,
+        // existence checks follow, then the actual-privilege pass gates the data.
+        let access: { session: AccessControl.RemoteActorSession; location: AccessControl.Location } | undefined;
         if (hasRemoteActor(this.session)) {
-            const location = {
+            // We need some fallback location if cluster is not defined
+            const location: AccessControl.Location = {
                 ...(cluster?.location ?? {
                     path: DataModelPath.none,
                     endpoint: endpointId,
@@ -196,19 +198,11 @@ export class EventReadResponse<
                 }),
                 owningFabric: this.session.fabric,
             };
-            const permission = this.session.authorityAt(limits.readLevel, location);
-            switch (permission) {
-                case AccessControl.Authority.Granted:
-                    break;
-
-                case AccessControl.Authority.Unauthorized:
-                    return this.#asStatus(path, Status.UnsupportedAccess);
-
-                case AccessControl.Authority.Restricted:
-                    return this.#asStatus(path, Status.AccessRestricted);
+            access = { session: this.session, location };
 
-                default:
-                    throw new InternalError(`Unsupported authorization state ${permission}`);
+            const denied = this.#authorize(access.session, path, AccessLevel.View, location);
+            if (denied !== undefined) {
+                return denied;
             }
         }
 
@@ -222,6 +216,13 @@ export class EventReadResponse<
             return this.#asStatus(path, Status.UnsupportedEvent);
         }
 
+        if (access !== undefined) {
+            const denied = this.#authorize(access.session, path, limits.readLevel, access.location);
+            if (denied !== undefined) {
+                return denied;
+            }
+        }
+
         if (this.#currentEndpoint !== endpoint) {
             this.#currentEndpoint = endpoint;
             this.#currentCluster = cluster;
@@ -354,6 +355,31 @@ export class EventReadResponse<
         }
     }
 
+    /**
+     * Validate access at {@link level}.  Returns undefined if granted; otherwise a status report to return.
+     */
+    #authorize(
+        session: AccessControl.RemoteActorSession,
+        path: ReadResult.ConcreteEventPath,
+        level: AccessLevel,
+        location: AccessControl.Location,
+    ) {
+        const permission = session.authorityAt(level, location);
+        switch (permission) {
+            case AccessControl.Authority.Granted:
+                return undefined;
+
+            case AccessControl.Authority.Unauthorized:
+                return this.#asStatus(path, Status.UnsupportedAccess);
+
+            case AccessControl.Authority.Restricted:
+                return this.#asStatus(path, Status.AccessRestricted);
+
+            default:
+                throw new InternalError(`Unsupported authorization state ${permission}`);
+        }
+    }
+
     /**
      * Add a status value.
      */

package/src/certificate/DeviceAttestationValidator.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { Bytes, Crypto, EcdsaSignature, MaybePromise, PublicKey } from "@matter/general";
+import { Bytes, Crypto, Diagnostic, EcdsaSignature, MaybePromise, PublicKey } from "@matter/general";
 import { MATTER_EPOCH_OFFSET_S, VendorId } from "@matter/types";
 import { TlvAttestation } from "../common/OperationalCredentialsTypes.js";
 import { DclCertificateService } from "../dcl/DclCertificateService.js";
@@ -59,6 +59,10 @@ export class DeviceAttestationError extends CommissioningError {
     }
 }
 
+function idHex(id?: number) {
+    return id === undefined ? "undefined" : `0x${Diagnostic.hex(id, 4).toUpperCase()}`;
+}
+
 export namespace DeviceAttestationValidator {
     export interface Context {
         crypto: Crypto;
@@ -131,7 +135,7 @@ export namespace DeviceAttestationValidator {
         if (dac.cert.subject.vendorId !== pai.cert.subject.vendorId) {
             throw new DeviceAttestationError(
                 DeviceAttestationCheck.VendorIdMismatch,
-                `DAC vendorId ${dac.cert.subject.vendorId} does not match PAI vendorId ${pai.cert.subject.vendorId}`,
+                `DAC vendorId ${idHex(dac.cert.subject.vendorId)} does not match PAI vendorId ${idHex(pai.cert.subject.vendorId)}`,
             );
         }
 
@@ -270,7 +274,7 @@ export namespace DeviceAttestationValidator {
             if (paaVendorId !== undefined && paaVendorId !== pai.cert.subject.vendorId) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.VendorIdMismatch,
-                    `PAA vendorId ${paaVendorId} does not match PAI vendorId ${pai.cert.subject.vendorId}`,
+                    `PAA vendorId ${idHex(paaVendorId)} does not match PAI vendorId ${idHex(pai.cert.subject.vendorId)}`,
                 );
             }
 
@@ -356,7 +360,7 @@ export namespace DeviceAttestationValidator {
         if (cdContent.vendorId !== data.vendorId) {
             throw new DeviceAttestationError(
                 DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                `CD vendor_id ${cdContent.vendorId} does not match BasicInformation VendorID ${data.vendorId}`,
+                `CD vendor_id ${idHex(cdContent.vendorId)} does not match BasicInformation VendorID ${idHex(data.vendorId)}`,
             );
         }
 
@@ -364,7 +368,7 @@ export namespace DeviceAttestationValidator {
         if (!cdContent.produceIdArray.includes(data.productId)) {
             throw new DeviceAttestationError(
                 DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                `CD product_id_array does not contain BasicInformation ProductID ${data.productId}`,
+                `CD product_id_array [${cdContent.produceIdArray.map(idHex).join(", ")}] does not contain BasicInformation ProductID ${idHex(data.productId)}`,
             );
         }
 
@@ -383,27 +387,27 @@ export namespace DeviceAttestationValidator {
             if (dac.cert.subject.vendorId !== cdContent.dacOriginVendorId) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                    "DAC vendorId does not match CD dac_origin_vendor_id",
+                    `DAC vendorId ${idHex(dac.cert.subject.vendorId)} does not match CD dac_origin_vendor_id ${idHex(cdContent.dacOriginVendorId)}`,
                 );
             }
             if (pai.cert.subject.vendorId !== cdContent.dacOriginVendorId) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                    "PAI vendorId does not match CD dac_origin_vendor_id",
+                    `PAI vendorId ${idHex(pai.cert.subject.vendorId)} does not match CD dac_origin_vendor_id ${idHex(cdContent.dacOriginVendorId)}`,
                 );
             }
             const dacProductId = dac.cert.subject.productId;
             if (dacProductId !== undefined && dacProductId !== cdContent.dacOriginProductId) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                    "DAC productId does not match CD dac_origin_product_id",
+                    `DAC productId ${idHex(dacProductId)} does not match CD dac_origin_product_id ${idHex(cdContent.dacOriginProductId)}`,
                 );
             }
             const paiProductId = pai.cert.subject.productId;
             if (paiProductId !== undefined && paiProductId !== cdContent.dacOriginProductId) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                    "PAI productId does not match CD dac_origin_product_id",
+                    `PAI productId ${idHex(paiProductId)} does not match CD dac_origin_product_id ${idHex(cdContent.dacOriginProductId)}`,
                 );
             }
         } else {
@@ -411,27 +415,27 @@ export namespace DeviceAttestationValidator {
             if (dac.cert.subject.vendorId !== cdContent.vendorId) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                    "DAC vendorId does not match CD vendor_id",
+                    `DAC vendorId ${idHex(dac.cert.subject.vendorId)} does not match CD vendor_id ${idHex(cdContent.vendorId)}`,
                 );
             }
             if (pai.cert.subject.vendorId !== cdContent.vendorId) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                    "PAI vendorId does not match CD vendor_id",
+                    `PAI vendorId ${idHex(pai.cert.subject.vendorId)} does not match CD vendor_id ${idHex(cdContent.vendorId)}`,
                 );
             }
             const dacProductId = dac.cert.subject.productId;
             if (dacProductId !== undefined && !cdContent.produceIdArray.includes(dacProductId)) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                    "DAC productId not found in CD product_id_array",
+                    `DAC productId ${idHex(dacProductId)} not found in CD product_id_array [${cdContent.produceIdArray.map(idHex).join(", ")}]`,
                 );
             }
             const paiProductId = pai.cert.subject.productId;
             if (paiProductId !== undefined && !cdContent.produceIdArray.includes(paiProductId)) {
                 throw new DeviceAttestationError(
                     DeviceAttestationCheck.CertificationDeclarationFieldMismatch,
-                    "PAI productId not found in CD product_id_array",
+                    `PAI productId ${idHex(paiProductId)} not found in CD product_id_array [${cdContent.produceIdArray.map(idHex).join(", ")}]`,
                 );
             }
         }

package/src/certificate/kinds/Certificate.ts

@@ -166,6 +166,23 @@ export abstract class Certificate<CT extends MatterCertificate> {
     }
 }
 
+/**
+ * Extract a VendorID or ProductID encoded via the "fallback method" (Matter spec 6.2.2.2): the
+ * prefix `Mvid:`/`Mpid:` followed by 4 uppercase hexadecimal characters, anywhere within a
+ * `commonName`. Returns the leftmost correctly-encoded value, or `undefined` if the prefix is
+ * absent. Throws if the prefix appears but no correctly-encoded value exists (spec 6.2.2.2.1).
+ */
+export function parseMatterFallbackVidPid(commonName: string, prefix: "Mvid:" | "Mpid:"): number | undefined {
+    const match = commonName.match(new RegExp(`${prefix}([0-9A-F]{4})`));
+    if (match !== null) {
+        return parseInt(match[1], 16);
+    }
+    if (commonName.includes(prefix)) {
+        throw new CertificateError(`commonName contains ${prefix} not followed by 4 uppercase hex digits`);
+    }
+    return undefined;
+}
+
 export namespace Certificate {
     /**
      * Create a Certificate Signing Request (CSR) in ASN.1 DER format.
@@ -285,6 +302,21 @@ export namespace Certificate {
             }
         }
 
+        // Spec 6.2.2.2: an OID VID/PID anywhere in the field disables fallback parsing for that field.
+        if (result.vendorId === undefined && result.productId === undefined) {
+            const commonName = (result.commonName ?? result.commonNamePs) as string | undefined;
+            if (commonName !== undefined) {
+                const vendorId = parseMatterFallbackVidPid(commonName, "Mvid:");
+                if (vendorId !== undefined) {
+                    result.vendorId = vendorId;
+                }
+                const productId = parseMatterFallbackVidPid(commonName, "Mpid:");
+                if (productId !== undefined) {
+                    result.productId = productId;
+                }
+            }
+        }
+
         return result;
     }
 
@@ -677,10 +709,21 @@ function matterToX509(cert: Unsigned<MatterCertificate>): X509.UnsignedCertifica
  */
 function astOfDistinguishedName(data: { [field: string]: any }) {
     const ast = {} as { [field: string]: any[] };
+
+    // Spec 6.2.2.2 forbids mixing fallback (Mvid:/Mpid: in commonName) and OID VID/PID in one field.
+    const commonName = (data.commonName ?? data.commonNamePs) as string | undefined;
+    const usesFallbackVidPid =
+        commonName !== undefined &&
+        (parseMatterFallbackVidPid(commonName, "Mvid:") !== undefined ||
+            parseMatterFallbackVidPid(commonName, "Mpid:") !== undefined);
+
     Object.entries(data).forEach(([key, value]) => {
         if (value === undefined) {
             return;
         }
+        if (usesFallbackVidPid && (key === "vendorId" || key === "productId")) {
+            return;
+        }
         switch (key) {
             case "commonName":
                 ast.commonName = X520.CommonName(value as string);

package/src/codec/MessagePrivacy.ts

@@ -8,19 +8,21 @@ import {
     Bytes,
     Crypto,
     CRYPTO_AEAD_MIC_LENGTH_BYTES,
+    CRYPTO_PRIVACY_NONCE_LENGTH_BYTES,
     CRYPTO_SYMMETRIC_KEY_LENGTH,
     CryptoInputError,
     MaybePromise,
 } from "@matter/general";
 
-/** HKDF info string for deriving a privacy key from an encryption key (Matter spec §4.8.2). */
+/** HKDF info string for deriving a privacy key from an encryption key (Matter spec §4.9.1). */
 const PRIVACY_KEY_INFO = Bytes.fromString("PrivacyKey");
 
-const NONCE_MIC_OFFSET = CRYPTO_AEAD_MIC_LENGTH_BYTES - 11;
-const NONCE_MIC_LENGTH = 11;
+const NONCE_SESSION_ID_LENGTH = 2;
+const NONCE_MIC_LENGTH = CRYPTO_PRIVACY_NONCE_LENGTH_BYTES - NONCE_SESSION_ID_LENGTH;
+const NONCE_MIC_OFFSET = CRYPTO_AEAD_MIC_LENGTH_BYTES - NONCE_MIC_LENGTH;
 
 /**
- * Matter message privacy (spec §4.8): obfuscation of the packet header for privacy-enhanced messages.
+ * Matter message privacy (spec §4.9): obfuscation of the packet header for privacy-enhanced messages.
  */
 export namespace MessagePrivacy {
     /** Derive a privacy key from an encryption key: HKDF(key, salt=[], info="PrivacyKey", 16). */

package/src/events/OccurrenceManager.ts

@@ -18,11 +18,11 @@ import {
 } from "@matter/general";
 import {
     EventNumber,
+    EventPath,
     FabricIndex,
     Priority,
     resolveEventName,
     TlvEventFilter,
-    TlvEventPath,
     TypeFromSchema,
 } from "@matter/types";
 import { EventStore, OccurrenceSummary } from "./EventStore.js";
@@ -151,7 +151,7 @@ export class OccurrenceManager {
      * @deprecated
      */
     query(
-        eventPath: TypeFromSchema<typeof TlvEventPath>,
+        eventPath: EventPath,
         filters?: TypeFromSchema<typeof TlvEventFilter>[],
         filterForFabricIndex?: FabricIndex,
     ): MaybePromise<NumberedOccurrence[]> {

package/src/interaction/AttributeDataEncoder.ts

@@ -7,10 +7,10 @@ import { Diagnostic, MatterFlowError } from "@matter/general";
 import {
     ArraySchema,
     AttributeId,
+    AttributePath,
     ClusterId,
     EndpointNumber,
     NodeId,
-    TlvAttributePath,
     TlvAttributeReport,
     TlvAttributeReportData,
     TlvDataReport,
@@ -245,10 +245,10 @@ export function compressAttributeDataReportTags(data: AttributeReportPayload[])
 
 /** Helper method to compress one path and preserve the state for the next path. */
 function compressPath(
-    path: TypeFromSchema<typeof TlvAttributePath>,
+    path: AttributePath,
     dataVersion: number | undefined,
     lastFullPath: FullAttributePath | undefined,
-): { path: TypeFromSchema<typeof TlvAttributePath>; lastFullPath?: FullAttributePath } {
+): { path: AttributePath; lastFullPath?: FullAttributePath } {
     const { nodeId, endpointId, clusterId, attributeId } = path;
 
     // Should never happen but typing likes it better that way

package/src/peer/Peer.ts

@@ -579,6 +579,7 @@ export class Peer {
 
             done: PeerConnection(this, this.#context, {
                 network: options?.network,
+                additionalMrpDelay: options?.additionalMrpDelay,
                 timing: options?.timing,
                 requiredTransport: options?.requiredTransport,
                 preferredTransport: options?.preferredTransport,
@@ -621,6 +622,12 @@ export namespace Peer {
          */
         network?: string;
 
+        /**
+         * Per-call override for the peer-medium MRP retransmission margin.  When omitted the margin derives from
+         * the peer's network medium, independent of any {@link network} throttle override.
+         */
+        additionalMrpDelay?: Duration;
+
         /**
          * A timeout relative to beginning of connection process.
          *

package/src/peer/PeerConnection.ts

@@ -109,6 +109,9 @@ export async function PeerConnection(
 
     // Reserve network communication slot
     let network = context.networks.select(peer, options?.network);
+    const mediumProfile = context.networks.forPeer(peer);
+    const peerAdditionalMrpDelay =
+        options?.additionalMrpDelay ?? mediumProfile.connect?.additionalMrpDelay ?? mediumProfile.additionalMrpDelay;
     if (network.connect) {
         network = network.connect;
     }
@@ -303,8 +306,7 @@ export async function PeerConnection(
             return;
         }
         const variants = expandAddresses(fallback);
-        // The interned first variant is the fallback marker; reference equality
-        // must match what comes back out of pendingAddresses.
+        // Intern so attempts/pendingAddresses key on one canonical object; fallback identity is matched by value.
         attemptingFallback = addresses.add(variants[0]);
         for (const variant of variants) {
             pendingAddresses.add(variant);
@@ -406,7 +408,7 @@ export async function PeerConnection(
 
         // If this is not the fallback address but we're still attempting to connect to the fallback, it means that
         // we've discovered addresses that do not include the fallback; terminate the fallback attempt
-        if (attemptingFallback && address !== attemptingFallback) {
+        if (attemptingFallback && !ServerAddress.isEqual(address, attemptingFallback)) {
             deleteAddress(
                 attemptingFallback,
                 "Aborting attempt to last known address because device reports address change",
@@ -456,7 +458,13 @@ export async function PeerConnection(
                 isInitiator: true,
             });
 
-            await using exchange = PeerConnection.createExchange(peer, context.exchanges, unsecuredSession, network);
+            await using exchange = PeerConnection.createExchange(
+                peer,
+                context.exchanges,
+                unsecuredSession,
+                network,
+                peerAdditionalMrpDelay,
+            );
 
             info(
                 Diagnostic.via(`${peer.address.toString()}${exchange.via}`),
@@ -470,7 +478,7 @@ export async function PeerConnection(
                 }),
                 Diagnostic.asFlags({
                     [network.id]: true,
-                    fallback: address === attemptingFallback,
+                    fallback: attemptingFallback !== undefined && ServerAddress.isEqual(address, attemptingFallback),
                 }),
             );
 
@@ -492,6 +500,11 @@ export async function PeerConnection(
                         return;
                     }
 
+                    if (exchange.retransmissionRestartSaving < context.timing.kickMinRestartSaving) {
+                        debug(via, address, `Suppressing "${origin}" kick, restart would save too little time`);
+                        return;
+                    }
+
                     const threshold =
                         origin === "discover"
                             ? context.timing.kickRestartCooldown.addressChange
@@ -691,6 +704,13 @@ export namespace PeerConnection {
     export interface Options {
         abort?: AbortSignal;
         network?: string;
+
+        /**
+         * Per-call override for the peer-medium MRP retransmission margin.  When omitted the margin derives from
+         * the peer's network medium, independent of any {@link network} throttle override.
+         */
+        additionalMrpDelay?: Duration;
+
         kicker?: Observable<[KickOrigin]>;
 
         /** See {@link Peer.ConnectOptions.requiredTransport}. */
@@ -718,10 +738,17 @@ export namespace PeerConnection {
         exchanges: ExchangeManager,
         session: Session,
         network: NetworkProfile,
+        peerAdditionalMrpDelay?: Duration,
         protocol = SECURE_CHANNEL_PROTOCOL_ID,
         addressOverride?: ServerAddressUdp,
     ) {
-        return exchanges.initiateExchangeForSession(session, protocol, { onSend, onReceive, network, addressOverride });
+        return exchanges.initiateExchangeForSession(session, protocol, {
+            onSend,
+            onReceive,
+            network,
+            peerAdditionalMrpDelay,
+            addressOverride,
+        });
 
         function onSend(_message: Message, retransmission: number) {
             if (retransmission) {

package/src/peer/PeerExchangeProvider.ts

@@ -51,6 +51,7 @@ export class PeerExchangeProvider extends ExchangeProvider {
         await this.#peer.connect({
             abort: options?.abort,
             network: options?.network,
+            additionalMrpDelay: options?.additionalMrpDelay,
             connectionTimeout: options?.connectionTimeout,
             requiredTransport: options?.requiredTransport,
             preferredTransport: options?.preferredTransport,
@@ -72,6 +73,8 @@ export class PeerExchangeProvider extends ExchangeProvider {
             }
 
             const network = this.#context.networks.select(this.#peer, options?.network);
+            const peerAdditionalMrpDelay =
+                options?.additionalMrpDelay ?? this.#context.networks.forPeer(this.#peer).additionalMrpDelay;
             const slot = await network.semaphore.obtainSlot(abort);
 
             try {
@@ -112,6 +115,7 @@ export class PeerExchangeProvider extends ExchangeProvider {
                     this.#context.exchanges,
                     session,
                     network,
+                    peerAdditionalMrpDelay,
                     options?.protocol ?? INTERACTION_PROTOCOL_ID,
                     options?.addressOverride,
                 );

package/src/peer/PeerTimingParameters.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { Duration, merge as mergeObjects, Minutes, Seconds } from "@matter/general";
+import { Duration, merge as mergeObjects, Millis, Minutes, Seconds } from "@matter/general";
 
 /**
  * Parameters that control network timing for Matter sessions controlled by matter.js.
@@ -72,6 +72,16 @@ export interface PeerTimingParameters {
      */
     kickMinRetransmissions: number;
 
+    /**
+     * Minimum time a kick-initiated restart must shave off the next retransmission to be worthwhile.
+     *
+     * Restarting resets MRP backoff to its base interval, so it only helps once backoff has grown well
+     * beyond that base.  A kick whose restart would save less than this is suppressed — for an idle/sleepy
+     * peer the base interval is already large, so a restart gains nothing and needlessly tears down the
+     * in-flight exchange.
+     */
+    kickMinRestartSaving: Duration;
+
     /**
      * Per-trigger cooldowns for kick-initiated CASE exchange restarts.
      *
@@ -151,10 +161,12 @@ export namespace PeerTimingParameters {
         return result;
     }
 
+    const maxInitialContactRetryInterval = Minutes(2);
+
     // TODO - tune these
     export const defaults: PeerTimingParameters = {
         defaultConnectionTimeout: Seconds(90),
-        maxDelayBetweenInitialContactRetries: Minutes(2),
+        maxDelayBetweenInitialContactRetries: maxInitialContactRetryInterval,
 
         // We assume 30s processing time on peer for single Sigma actions, so give one IP a bit of time
         // to have a chance before potentially adding a load with a second try
@@ -164,6 +176,7 @@ export namespace PeerTimingParameters {
         delayAfterUnhandledError: Minutes(2),
         kickThrottleInterval: Seconds(3),
         kickMinRetransmissions: 2,
+        kickMinRestartSaving: Millis(maxInitialContactRetryInterval / 2),
         kickRestartCooldown: {
             addressChange: Minutes(30),
             connect: Minutes(10),

package/src/protocol/DeviceCommissioner.ts

@@ -12,6 +12,7 @@ import { SecureChannelProtocol } from "#securechannel/SecureChannelProtocol.js";
 import { PaseServer } from "#session/pase/PaseServer.js";
 import { SessionManager } from "#session/SessionManager.js";
 import {
+    CRYPTO_PBKDF_ITERATIONS_MIN,
     Environment,
     Environmental,
     InternalError,
@@ -117,7 +118,7 @@ export class DeviceCommissioner {
 
         this.#context.secureChannelProtocol.setPaseCommissioner(
             await PaseServer.fromPin(this.#context.sessions, this.#context.commissioningConfig.values.passcode, {
-                iterations: 1000,
+                iterations: CRYPTO_PBKDF_ITERATIONS_MIN,
                 salt: this.#context.fabrics.crypto.randomBytes(32),
             }),
         );