@project-chip/matter.js 0.9.2 → 0.9.4
- package/dist/cjs/CommissioningServer.d.ts.map +1 -1
- package/dist/cjs/CommissioningServer.js +0 -1
- package/dist/cjs/CommissioningServer.js.map +2 -2
- package/dist/cjs/MatterDevice.d.ts +3 -0
- package/dist/cjs/MatterDevice.d.ts.map +1 -1
- package/dist/cjs/MatterDevice.js +21 -7
- package/dist/cjs/MatterDevice.js.map +2 -2
- package/dist/cjs/behavior/AccessControl.js +2 -2
- package/dist/cjs/behavior/AccessControl.js.map +2 -2
- package/dist/cjs/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.d.ts +1 -0
- package/dist/cjs/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.d.ts.map +1 -1
- package/dist/cjs/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.js +14 -0
- package/dist/cjs/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.js.map +2 -2
- package/dist/cjs/behavior/definitions/operational-credentials/OperationalCredentialsServer.d.ts.map +1 -1
- package/dist/cjs/behavior/definitions/operational-credentials/OperationalCredentialsServer.js +11 -2
- package/dist/cjs/behavior/definitions/operational-credentials/OperationalCredentialsServer.js.map +2 -2
- package/dist/cjs/behavior/state/transaction/Transaction.d.ts +18 -18
- package/dist/cjs/certificate/CertificateManager.d.ts.map +1 -1
- package/dist/cjs/certificate/CertificateManager.js +1 -0
- package/dist/cjs/certificate/CertificateManager.js.map +2 -2
- package/dist/cjs/certificate/CertificationDeclarationManager.d.ts +1 -1
- package/dist/cjs/certificate/CertificationDeclarationManager.d.ts.map +1 -1
- package/dist/cjs/certificate/CertificationDeclarationManager.js +3 -2
- package/dist/cjs/certificate/CertificationDeclarationManager.js.map +2 -2
- package/dist/cjs/cluster/server/AccessControlServer.js.map +1 -1
- package/dist/cjs/cluster/server/AttributeServer.d.ts +9 -0
- package/dist/cjs/cluster/server/AttributeServer.d.ts.map +1 -1
- package/dist/cjs/cluster/server/AttributeServer.js +62 -0
- package/dist/cjs/cluster/server/AttributeServer.js.map +3 -3
- package/dist/cjs/cluster/server/ClusterServer.d.ts.map +1 -1
- package/dist/cjs/cluster/server/ClusterServer.js +8 -1
- package/dist/cjs/cluster/server/ClusterServer.js.map +2 -2
- package/dist/cjs/cluster/server/ClusterServerTypes.d.ts +3 -3
- package/dist/cjs/cluster/server/ClusterServerTypes.d.ts.map +1 -1
- package/dist/cjs/cluster/server/ClusterServerTypes.js.map +1 -1
- package/dist/cjs/cluster/server/EventServer.d.ts +8 -2
- package/dist/cjs/cluster/server/EventServer.d.ts.map +1 -1
- package/dist/cjs/cluster/server/EventServer.js +33 -7
- package/dist/cjs/cluster/server/EventServer.js.map +2 -2
- package/dist/cjs/cluster/server/OperationalCredentialsServer.d.ts.map +1 -1
- package/dist/cjs/cluster/server/OperationalCredentialsServer.js +31 -8
- package/dist/cjs/cluster/server/OperationalCredentialsServer.js.map +2 -2
- package/dist/cjs/common/FailsafeContext.d.ts +1 -0
- package/dist/cjs/common/FailsafeContext.d.ts.map +1 -1
- package/dist/cjs/common/FailsafeContext.js +16 -2
- package/dist/cjs/common/FailsafeContext.js.map +2 -2
- package/dist/cjs/crypto/Crypto.d.ts +1 -1
- package/dist/cjs/crypto/Crypto.d.ts.map +1 -1
- package/dist/cjs/crypto/Crypto.js +2 -2
- package/dist/cjs/crypto/Crypto.js.map +2 -2
- package/dist/cjs/device/LegacyInteractionServer.d.ts +2 -2
- package/dist/cjs/device/LegacyInteractionServer.d.ts.map +1 -1
- package/dist/cjs/device/LegacyInteractionServer.js +13 -1
- package/dist/cjs/device/LegacyInteractionServer.js.map +2 -2
- package/dist/cjs/fabric/Fabric.d.ts +1 -0
- package/dist/cjs/fabric/Fabric.d.ts.map +1 -1
- package/dist/cjs/fabric/Fabric.js +5 -0
- package/dist/cjs/fabric/Fabric.js.map +2 -2
- package/dist/cjs/fabric/FabricManager.d.ts +1 -0
- package/dist/cjs/fabric/FabricManager.d.ts.map +1 -1
- package/dist/cjs/fabric/FabricManager.js +2 -1
- package/dist/cjs/fabric/FabricManager.js.map +2 -2
- package/dist/cjs/model/models/EventModel.d.ts +1 -0
- package/dist/cjs/model/models/EventModel.d.ts.map +1 -1
- package/dist/cjs/model/models/EventModel.js +3 -0
- package/dist/cjs/model/models/EventModel.js.map +2 -2
- package/dist/cjs/model/models/FieldModel.d.ts +1 -0
- package/dist/cjs/model/models/FieldModel.d.ts.map +1 -1
- package/dist/cjs/model/models/FieldModel.js +3 -0
- package/dist/cjs/model/models/FieldModel.js.map +2 -2
- package/dist/cjs/node/server/TransactionalInteractionServer.d.ts +2 -2
- package/dist/cjs/node/server/TransactionalInteractionServer.d.ts.map +1 -1
- package/dist/cjs/node/server/TransactionalInteractionServer.js +0 -2
- package/dist/cjs/node/server/TransactionalInteractionServer.js.map +2 -2
- package/dist/cjs/protocol/interaction/AttributeDataEncoder.d.ts +6 -3
- package/dist/cjs/protocol/interaction/AttributeDataEncoder.d.ts.map +1 -1
- package/dist/cjs/protocol/interaction/AttributeDataEncoder.js +14 -8
- package/dist/cjs/protocol/interaction/AttributeDataEncoder.js.map +2 -2
- package/dist/cjs/protocol/interaction/EventHandler.d.ts.map +1 -1
- package/dist/cjs/protocol/interaction/EventHandler.js +1 -3
- package/dist/cjs/protocol/interaction/EventHandler.js.map +2 -2
- package/dist/cjs/protocol/interaction/InteractionClient.js +1 -1
- package/dist/cjs/protocol/interaction/InteractionClient.js.map +2 -2
- package/dist/cjs/protocol/interaction/InteractionEndpointStructure.d.ts +3 -3
- package/dist/cjs/protocol/interaction/InteractionEndpointStructure.d.ts.map +1 -1
- package/dist/cjs/protocol/interaction/InteractionEndpointStructure.js +1 -0
- package/dist/cjs/protocol/interaction/InteractionEndpointStructure.js.map +2 -2
- package/dist/cjs/protocol/interaction/InteractionMessenger.d.ts +1 -1
- package/dist/cjs/protocol/interaction/InteractionMessenger.d.ts.map +1 -1
- package/dist/cjs/protocol/interaction/InteractionMessenger.js +11 -4
- package/dist/cjs/protocol/interaction/InteractionMessenger.js.map +2 -2
- package/dist/cjs/protocol/interaction/InteractionServer.d.ts +5 -6
- package/dist/cjs/protocol/interaction/InteractionServer.d.ts.map +1 -1
- package/dist/cjs/protocol/interaction/InteractionServer.js +44 -37
- package/dist/cjs/protocol/interaction/InteractionServer.js.map +2 -2
- package/dist/cjs/protocol/interaction/SubscriptionHandler.d.ts +31 -12
- package/dist/cjs/protocol/interaction/SubscriptionHandler.d.ts.map +1 -1
- package/dist/cjs/protocol/interaction/SubscriptionHandler.js +161 -69
- package/dist/cjs/protocol/interaction/SubscriptionHandler.js.map +3 -3
- package/dist/cjs/session/SecureSession.d.ts.map +1 -1
- package/dist/cjs/session/SecureSession.js +2 -1
- package/dist/cjs/session/SecureSession.js.map +2 -2
- package/dist/cjs/session/SessionManager.d.ts +2 -0
- package/dist/cjs/session/SessionManager.d.ts.map +1 -1
- package/dist/cjs/session/SessionManager.js +7 -0
- package/dist/cjs/session/SessionManager.js.map +2 -2
- package/dist/cjs/tlv/TlvArray.d.ts +2 -2
- package/dist/cjs/tlv/TlvArray.d.ts.map +1 -1
- package/dist/cjs/tlv/TlvArray.js +2 -2
- package/dist/cjs/tlv/TlvArray.js.map +2 -2
- package/dist/cjs/tlv/TlvNullable.d.ts +2 -2
- package/dist/cjs/tlv/TlvNullable.d.ts.map +1 -1
- package/dist/cjs/tlv/TlvNullable.js +2 -2
- package/dist/cjs/tlv/TlvNullable.js.map +2 -2
- package/dist/cjs/tlv/TlvObject.d.ts +2 -2
- package/dist/cjs/tlv/TlvObject.d.ts.map +1 -1
- package/dist/cjs/tlv/TlvObject.js +18 -12
- package/dist/cjs/tlv/TlvObject.js.map +2 -2
- package/dist/cjs/tlv/TlvSchema.d.ts +14 -2
- package/dist/cjs/tlv/TlvSchema.d.ts.map +1 -1
- package/dist/cjs/tlv/TlvSchema.js +2 -2
- package/dist/cjs/tlv/TlvSchema.js.map +2 -2
- package/dist/cjs/tlv/TlvWrapper.d.ts +2 -2
- package/dist/cjs/tlv/TlvWrapper.d.ts.map +1 -1
- package/dist/cjs/tlv/TlvWrapper.js +2 -2
- package/dist/cjs/tlv/TlvWrapper.js.map +2 -2
- package/dist/esm/CommissioningServer.d.ts.map +1 -1
- package/dist/esm/CommissioningServer.js +0 -1
- package/dist/esm/CommissioningServer.js.map +2 -2
- package/dist/esm/MatterDevice.d.ts +3 -0
- package/dist/esm/MatterDevice.d.ts.map +1 -1
- package/dist/esm/MatterDevice.js +21 -7
- package/dist/esm/MatterDevice.js.map +2 -2
- package/dist/esm/behavior/AccessControl.js +2 -2
- package/dist/esm/behavior/AccessControl.js.map +2 -2
- package/dist/esm/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.d.ts +1 -0
- package/dist/esm/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.d.ts.map +1 -1
- package/dist/esm/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.js +15 -1
- package/dist/esm/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.js.map +2 -2
- package/dist/esm/behavior/definitions/operational-credentials/OperationalCredentialsServer.d.ts.map +1 -1
- package/dist/esm/behavior/definitions/operational-credentials/OperationalCredentialsServer.js +11 -2
- package/dist/esm/behavior/definitions/operational-credentials/OperationalCredentialsServer.js.map +2 -2
- package/dist/esm/behavior/state/transaction/Transaction.d.ts +18 -18
- package/dist/esm/certificate/CertificateManager.d.ts.map +1 -1
- package/dist/esm/certificate/CertificateManager.js +1 -0
- package/dist/esm/certificate/CertificateManager.js.map +2 -2
- package/dist/esm/certificate/CertificationDeclarationManager.d.ts +1 -1
- package/dist/esm/certificate/CertificationDeclarationManager.d.ts.map +1 -1
- package/dist/esm/certificate/CertificationDeclarationManager.js +3 -2
- package/dist/esm/certificate/CertificationDeclarationManager.js.map +2 -2
- package/dist/esm/cluster/server/AccessControlServer.js.map +1 -1
- package/dist/esm/cluster/server/AttributeServer.d.ts +9 -0
- package/dist/esm/cluster/server/AttributeServer.d.ts.map +1 -1
- package/dist/esm/cluster/server/AttributeServer.js +69 -1
- package/dist/esm/cluster/server/AttributeServer.js.map +2 -2
- package/dist/esm/cluster/server/ClusterServer.d.ts.map +1 -1
- package/dist/esm/cluster/server/ClusterServer.js +9 -2
- package/dist/esm/cluster/server/ClusterServer.js.map +2 -2
- package/dist/esm/cluster/server/ClusterServerTypes.d.ts +3 -3
- package/dist/esm/cluster/server/ClusterServerTypes.d.ts.map +1 -1
- package/dist/esm/cluster/server/ClusterServerTypes.js.map +1 -1
- package/dist/esm/cluster/server/EventServer.d.ts +8 -2
- package/dist/esm/cluster/server/EventServer.d.ts.map +1 -1
- package/dist/esm/cluster/server/EventServer.js +33 -7
- package/dist/esm/cluster/server/EventServer.js.map +2 -2
- package/dist/esm/cluster/server/OperationalCredentialsServer.d.ts.map +1 -1
- package/dist/esm/cluster/server/OperationalCredentialsServer.js +31 -8
- package/dist/esm/cluster/server/OperationalCredentialsServer.js.map +2 -2
- package/dist/esm/common/FailsafeContext.d.ts +1 -0
- package/dist/esm/common/FailsafeContext.d.ts.map +1 -1
- package/dist/esm/common/FailsafeContext.js +17 -3
- package/dist/esm/common/FailsafeContext.js.map +2 -2
- package/dist/esm/crypto/Crypto.d.ts +1 -1
- package/dist/esm/crypto/Crypto.d.ts.map +1 -1
- package/dist/esm/crypto/Crypto.js +2 -2
- package/dist/esm/crypto/Crypto.js.map +2 -2
- package/dist/esm/device/LegacyInteractionServer.d.ts +2 -2
- package/dist/esm/device/LegacyInteractionServer.d.ts.map +1 -1
- package/dist/esm/device/LegacyInteractionServer.js +13 -1
- package/dist/esm/device/LegacyInteractionServer.js.map +2 -2
- package/dist/esm/fabric/Fabric.d.ts +1 -0
- package/dist/esm/fabric/Fabric.d.ts.map +1 -1
- package/dist/esm/fabric/Fabric.js +5 -0
- package/dist/esm/fabric/Fabric.js.map +2 -2
- package/dist/esm/fabric/FabricManager.d.ts +1 -0
- package/dist/esm/fabric/FabricManager.d.ts.map +1 -1
- package/dist/esm/fabric/FabricManager.js +2 -1
- package/dist/esm/fabric/FabricManager.js.map +2 -2
- package/dist/esm/model/models/EventModel.d.ts +1 -0
- package/dist/esm/model/models/EventModel.d.ts.map +1 -1
- package/dist/esm/model/models/EventModel.js +3 -0
- package/dist/esm/model/models/EventModel.js.map +2 -2
- package/dist/esm/model/models/FieldModel.d.ts +1 -0
- package/dist/esm/model/models/FieldModel.d.ts.map +1 -1
- package/dist/esm/model/models/FieldModel.js +3 -0
- package/dist/esm/model/models/FieldModel.js.map +2 -2
- package/dist/esm/node/server/TransactionalInteractionServer.d.ts +2 -2
- package/dist/esm/node/server/TransactionalInteractionServer.d.ts.map +1 -1
- package/dist/esm/node/server/TransactionalInteractionServer.js +0 -2
- package/dist/esm/node/server/TransactionalInteractionServer.js.map +2 -2
- package/dist/esm/protocol/interaction/AttributeDataEncoder.d.ts +6 -3
- package/dist/esm/protocol/interaction/AttributeDataEncoder.d.ts.map +1 -1
- package/dist/esm/protocol/interaction/AttributeDataEncoder.js +14 -8
- package/dist/esm/protocol/interaction/AttributeDataEncoder.js.map +2 -2
- package/dist/esm/protocol/interaction/EventHandler.d.ts.map +1 -1
- package/dist/esm/protocol/interaction/EventHandler.js +1 -3
- package/dist/esm/protocol/interaction/EventHandler.js.map +2 -2
- package/dist/esm/protocol/interaction/InteractionClient.js +1 -1
- package/dist/esm/protocol/interaction/InteractionClient.js.map +2 -2
- package/dist/esm/protocol/interaction/InteractionEndpointStructure.d.ts +3 -3
- package/dist/esm/protocol/interaction/InteractionEndpointStructure.d.ts.map +1 -1
- package/dist/esm/protocol/interaction/InteractionEndpointStructure.js +1 -0
- package/dist/esm/protocol/interaction/InteractionEndpointStructure.js.map +2 -2
- package/dist/esm/protocol/interaction/InteractionMessenger.d.ts +1 -1
- package/dist/esm/protocol/interaction/InteractionMessenger.d.ts.map +1 -1
- package/dist/esm/protocol/interaction/InteractionMessenger.js +11 -4
- package/dist/esm/protocol/interaction/InteractionMessenger.js.map +2 -2
- package/dist/esm/protocol/interaction/InteractionServer.d.ts +5 -6
- package/dist/esm/protocol/interaction/InteractionServer.d.ts.map +1 -1
- package/dist/esm/protocol/interaction/InteractionServer.js +44 -37
- package/dist/esm/protocol/interaction/InteractionServer.js.map +2 -2
- package/dist/esm/protocol/interaction/SubscriptionHandler.d.ts +31 -12
- package/dist/esm/protocol/interaction/SubscriptionHandler.d.ts.map +1 -1
- package/dist/esm/protocol/interaction/SubscriptionHandler.js +161 -69
- package/dist/esm/protocol/interaction/SubscriptionHandler.js.map +3 -3
- package/dist/esm/session/SecureSession.d.ts.map +1 -1
- package/dist/esm/session/SecureSession.js +2 -1
- package/dist/esm/session/SecureSession.js.map +2 -2
- package/dist/esm/session/SessionManager.d.ts +2 -0
- package/dist/esm/session/SessionManager.d.ts.map +1 -1
- package/dist/esm/session/SessionManager.js +7 -0
- package/dist/esm/session/SessionManager.js.map +2 -2
- package/dist/esm/tlv/TlvArray.d.ts +2 -2
- package/dist/esm/tlv/TlvArray.d.ts.map +1 -1
- package/dist/esm/tlv/TlvArray.js +2 -2
- package/dist/esm/tlv/TlvArray.js.map +2 -2
- package/dist/esm/tlv/TlvNullable.d.ts +2 -2
- package/dist/esm/tlv/TlvNullable.d.ts.map +1 -1
- package/dist/esm/tlv/TlvNullable.js +2 -2
- package/dist/esm/tlv/TlvNullable.js.map +2 -2
- package/dist/esm/tlv/TlvObject.d.ts +2 -2
- package/dist/esm/tlv/TlvObject.d.ts.map +1 -1
- package/dist/esm/tlv/TlvObject.js +19 -13
- package/dist/esm/tlv/TlvObject.js.map +2 -2
- package/dist/esm/tlv/TlvSchema.d.ts +14 -2
- package/dist/esm/tlv/TlvSchema.d.ts.map +1 -1
- package/dist/esm/tlv/TlvSchema.js +2 -2
- package/dist/esm/tlv/TlvSchema.js.map +2 -2
- package/dist/esm/tlv/TlvWrapper.d.ts +2 -2
- package/dist/esm/tlv/TlvWrapper.d.ts.map +1 -1
- package/dist/esm/tlv/TlvWrapper.js +2 -2
- package/dist/esm/tlv/TlvWrapper.js.map +2 -2
- package/package.json +3 -3
- package/src/CommissioningServer.ts +0 -1
- package/src/MatterDevice.ts +34 -7
- package/src/behavior/AccessControl.ts +2 -2
- package/src/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.ts +21 -1
- package/src/behavior/definitions/operational-credentials/OperationalCredentialsServer.ts +13 -0
- package/src/certificate/CertificateManager.ts +1 -2
- package/src/certificate/CertificationDeclarationManager.ts +2 -2
- package/src/cluster/server/AccessControlServer.ts +3 -3
- package/src/cluster/server/AttributeServer.ts +79 -1
- package/src/cluster/server/ClusterServer.ts +9 -2
- package/src/cluster/server/ClusterServerTypes.ts +3 -3
- package/src/cluster/server/EventServer.ts +57 -10
- package/src/cluster/server/OperationalCredentialsServer.ts +35 -5
- package/src/common/FailsafeContext.ts +19 -7
- package/src/crypto/Crypto.ts +1 -1
- package/src/device/LegacyInteractionServer.ts +15 -4
- package/src/fabric/Fabric.ts +6 -0
- package/src/fabric/FabricManager.ts +1 -0
- package/src/model/models/EventModel.ts +4 -0
- package/src/model/models/FieldModel.ts +4 -0
- package/src/node/server/TransactionalInteractionServer.ts +2 -4
- package/src/protocol/interaction/AttributeDataEncoder.ts +20 -9
- package/src/protocol/interaction/EventHandler.ts +1 -3
- package/src/protocol/interaction/InteractionClient.ts +1 -1
- package/src/protocol/interaction/InteractionEndpointStructure.ts +4 -4
- package/src/protocol/interaction/InteractionMessenger.ts +12 -3
- package/src/protocol/interaction/InteractionServer.ts +53 -52
- package/src/protocol/interaction/SubscriptionHandler.ts +215 -92
- package/src/session/SecureSession.ts +2 -1
- package/src/session/SessionManager.ts +9 -0
- package/src/tlv/TlvArray.ts +3 -3
- package/src/tlv/TlvNullable.ts +3 -3
- package/src/tlv/TlvObject.ts +20 -14
- package/src/tlv/TlvSchema.ts +17 -3
- package/src/tlv/TlvWrapper.ts +3 -3
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"version": 3,
|
|
3
3
|
"sources": ["../../../src/behavior/AccessControl.ts"],
|
|
4
|
-
"sourcesContent": ["/**\n * @license\n * Copyright 2022-2024 Matter.js Authors\n * SPDX-License-Identifier: Apache-2.0\n */\n\nimport { AccessLevel } from \"../cluster/Cluster.js\";\nimport { ClusterId } from \"../datatype/ClusterId.js\";\nimport { FabricIndex } from \"../datatype/FabricIndex.js\";\nimport { SubjectId } from \"../datatype/SubjectId.js\";\nimport { DataModelPath } from \"../endpoint/DataModelPath.js\";\nimport { Access } from \"../model/aspects/index.js\";\nimport { ElementTag } from \"../model/index.js\";\nimport { ValueModel } from \"../model/models/index.js\";\nimport { StatusCode } from \"../protocol/interaction/StatusCode.js\";\nimport { InvokeError, ReadError, SchemaImplementationError, WriteError } from \"./errors.js\";\nimport { Schema } from \"./supervision/Schema.js\";\n\nconst cache = new WeakMap<Schema, AccessControl>();\n\n/**\n * Enforces access control for a specific schema.\n */\nexport interface AccessControl {\n /**\n * Operational access control metadata.\n */\n limits: AccessControl.Limits;\n\n /**\n * Assert read is authorized.\n */\n authorizeRead: AccessControl.Assertion;\n\n /**\n * Determine if read is authorized.\n */\n mayRead: AccessControl.Verification;\n\n /**\n * Assert write is authorized.\n */\n authorizeWrite: AccessControl.Assertion;\n\n /**\n * Determine if write is authorized.\n */\n mayWrite: AccessControl.Verification;\n\n /**\n * Assert invoke is authorized.\n */\n authorizeInvoke: AccessControl.Assertion;\n\n /**\n * Determine if invoke is authorized.\n */\n mayInvoke: AccessControl.Verification;\n}\n\n/**\n * Obtain an enforcer for specific schema.\n *\n * This is central to security. 
Implementation is explicit, all objects are involved are frozen and cache is stored as\n * module-private.\n *\n * Pure function; returned value is cached.\n */\nexport function AccessControl(schema: Schema) {\n let enforcer = cache.get(schema);\n if (enforcer === undefined) {\n enforcer = enforcerFor(schema);\n }\n return enforcer;\n}\n\nexport namespace AccessControl {\n /**\n * Operational access control metadata for a schema.\n */\n export interface Limits {\n readonly readable: boolean;\n readonly readLevel: AccessLevel;\n\n readonly writable: boolean;\n readonly writeLevel: AccessLevel;\n\n readonly fabricScoped: boolean;\n readonly fabricSensitive: boolean;\n\n readonly timed: boolean;\n }\n\n /**\n * A function that asserts access control requirements are met.\n */\n export type Assertion = (session: Session, location: Location) => void;\n\n /**\n * A function that returns true if access control requirements are met.\n */\n export type Verification = (session: Session, location: Location) => boolean;\n\n /**\n * Metadata that varies with position in the data model.\n */\n export interface Location {\n /**\n * The diagnostic path to the location.\n */\n path: DataModelPath;\n\n /**\n * The owning behavior.\n */\n cluster?: ClusterId;\n\n /**\n * The fabric that owns the data subtree. Undefined or {@link FabricIndex.NO_FABRIC} disables fabric\n * enforcement.\n */\n owningFabric?: FabricIndex;\n\n /**\n * The access levels already retrieved for this location. 
With this subtree elements can access the same\n * access levels without re-evaluating.\n */\n accessLevels?: AccessLevel[];\n }\n\n /**\n * Authorization metadata that varies with session.\n */\n export interface Session {\n /**\n * Checks if the authorized client has a certain Access Privilege granted.\n */\n authorizedFor(desiredAccessLevel: AccessLevel, location?: Location): boolean;\n\n /**\n * The fabric of the authorized client.\n */\n readonly fabric?: FabricIndex;\n\n /**\n * The authenticated {@link SubjectId} for online sessions.\n */\n readonly subject?: SubjectId;\n\n /**\n * If this is true, fabric-scoped lists are filtered to the accessing\n * fabric.\n */\n readonly fabricFiltered?: boolean;\n\n /**\n * If this is true a timed transaction is in effect.\n */\n readonly timed?: boolean;\n\n /**\n * If this is true then data access levels are not enforced. Datatypes and command-related access controls are\n * active.\n */\n readonly command?: boolean;\n\n /**\n * If this is true then access levels are not enforced and all values are read/write. 
Datatypes are still\n * enforced.\n *\n * Tracks \"offline\" rather than \"online\" because this makes the safer mode (full enforcement) the default.\n */\n offline?: boolean;\n }\n}\n\nObject.freeze(AccessControl);\n\nfunction enforcerFor(schema: Schema): AccessControl {\n if (schema.tag === ElementTag.Command) {\n return commandEnforcerFor(schema);\n }\n return dataEnforcerFor(schema);\n}\n\nfunction dataEnforcerFor(schema: Schema): AccessControl {\n const limits = limitsFor(schema);\n\n let mayRead: AccessControl.Verification = (session, location) => {\n if (session.offline || session.command) {\n return true;\n }\n\n return session.authorizedFor(limits.readLevel, location);\n };\n\n let mayWrite: AccessControl.Verification = (session, location) => {\n if (session.offline || session.command) {\n return true;\n }\n\n return session.authorizedFor(limits.writeLevel, location);\n };\n\n let authorizeRead: AccessControl.Assertion = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n if (session.authorizedFor(limits.readLevel, location)) {\n return;\n }\n\n throw new ReadError(location, \"Permission denied\", StatusCode.UnsupportedAccess);\n };\n\n let authorizeWrite: AccessControl.Assertion = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n if (session.authorizedFor(limits.writeLevel, location)) {\n return;\n }\n\n throw new WriteError(location, \"Permission denied\", StatusCode.UnsupportedAccess);\n };\n\n if (limits.timed) {\n const wrappedAuthorizeWrite = authorizeWrite;\n const wrappedMayWrite = mayWrite;\n\n authorizeWrite = (session, location) => {\n if (!session.offline && !session.timed) {\n throw new WriteError(\n location,\n \"Permission denied because interaction is not timed\",\n StatusCode.NeedsTimedInteraction,\n );\n }\n wrappedAuthorizeWrite?.(session, location);\n };\n\n mayWrite = (session, location) => {\n if (!session.offline && !session.timed) {\n return false;\n }\n\n 
return wrappedMayWrite(session, location);\n };\n }\n\n if (limits.fabricSensitive) {\n const wrappedAuthorizeRead = authorizeRead;\n const wrappedMayRead = mayRead;\n const wrappedAuthorizeWrite = authorizeWrite;\n const wrappedMayWrite = mayWrite;\n\n authorizeRead = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n if (session.fabricFiltered) {\n if (session.fabric === undefined) {\n throw new ReadError(\n location,\n \"Permission denied: No accessing fabric\",\n StatusCode.UnsupportedAccess,\n );\n }\n\n if (location?.owningFabric && location.owningFabric !== session.fabric) {\n throw new WriteError(\n location,\n \"Permission denied: Owning/accessing fabric mismatch\",\n StatusCode.UnsupportedAccess,\n );\n }\n }\n\n wrappedAuthorizeRead(session, location);\n };\n\n mayRead = (session, location) => {\n if (session.offline || session.command) {\n return true;\n }\n\n if (session.fabric === undefined) {\n return false;\n }\n\n if (session.fabricFiltered && location?.owningFabric && location.owningFabric !== session.fabric) {\n return false;\n }\n\n return wrappedMayRead(session, location);\n };\n\n authorizeWrite = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n if (session.fabric === undefined) {\n throw new WriteError(location, \"Permission denied: No accessing fabric\", StatusCode.UnsupportedAccess);\n }\n\n if (location?.owningFabric && location.owningFabric !== session.fabric) {\n throw new WriteError(location, \"Permission denied: Owning/accessing fabric mismatch\");\n }\n\n wrappedAuthorizeWrite(session, location);\n };\n\n mayWrite = (session, location) => {\n if (session.offline || session.command) {\n return true;\n }\n\n if (session.fabric === undefined) {\n return false;\n }\n\n if (location?.owningFabric && location.owningFabric !== session.fabric) {\n return false;\n }\n\n return wrappedMayWrite(session, location);\n };\n }\n\n if (!limits.readable) {\n authorizeRead = 
(session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n throw new ReadError(location, \"Permission defined: Value is write-only\");\n };\n\n mayRead = session => {\n return !!session.offline || !!session.command;\n };\n }\n\n if (!limits.writable) {\n authorizeWrite = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n throw new WriteError(location, \"Permission denied: Value is read-only\");\n };\n\n mayWrite = session => {\n return !!session.offline || !!session.command;\n };\n }\n\n return Object.freeze({\n limits,\n authorizeRead,\n mayRead,\n authorizeWrite,\n mayWrite,\n\n authorizeInvoke(_session: AccessControl.Session, location: AccessControl.Location) {\n throw new SchemaImplementationError(location, \"Permission denied: Invoke request but non-command schema\");\n },\n\n mayInvoke() {\n return false;\n },\n } satisfies AccessControl);\n}\n\nfunction commandEnforcerFor(schema: Schema): AccessControl {\n const limits = limitsFor(schema);\n const timed = schema.effectiveAccess.timed;\n const fabric = schema.effectiveAccess.fabric;\n\n return {\n limits,\n\n authorizeRead(_session, location) {\n throw new SchemaImplementationError(location, \"Permission denied: Read request but command schema\");\n },\n\n mayRead() {\n return false;\n },\n\n authorizeWrite(_session, location) {\n throw new SchemaImplementationError(location, \"Permission denied: Write request but command schema\");\n },\n\n mayWrite() {\n return false;\n },\n\n authorizeInvoke(session, location) {\n if (session.offline) {\n return;\n }\n\n if (!session.command) {\n throw new InvokeError(location, \"Invoke attempt without command context\");\n }\n\n if (timed && !session.timed) {\n throw new InvokeError(\n location,\n \"Invoke attempt without required timed context\",\n StatusCode.TimedRequestMismatch,\n );\n }\n\n if (fabric && session.fabric === undefined) {\n throw new WriteError(location, \"Permission denied: No accessing 
fabric\", StatusCode.UnsupportedAccess);\n }\n\n if (session.authorizedFor(limits.writeLevel, location)) {\n return;\n }\n\n throw new InvokeError(location, \"Permission denied\", StatusCode.UnsupportedAccess);\n },\n\n mayInvoke(session, location) {\n if (session.offline) {\n return true;\n }\n\n if (!session.command) {\n return false;\n }\n\n if (timed && !session.timed) {\n return false;\n }\n\n if (fabric && session.fabric === undefined) {\n return false;\n }\n\n return session.authorizedFor(limits.writeLevel, location);\n },\n };\n}\n\nfunction limitsFor(schema: Schema) {\n const access = schema.effectiveAccess;\n const quality = schema instanceof ValueModel ? schema.effectiveQuality : undefined;\n\n // Special handling for fixed values - we treat any property owned by a fixed value as also read-only\n let fixed = quality?.fixed;\n for (let s = schema.parent; !fixed && s instanceof ValueModel; s = s.parent) {\n if (s.effectiveQuality.fixed) {\n fixed = true;\n }\n }\n\n const limits: AccessControl.Limits = Object.freeze({\n readable: access.readable,\n writable: access.writable && !fixed,\n fabricScoped: access.fabric === Access.Fabric.Scoped || access.fabric === Access.Fabric.Sensitive,\n fabricSensitive: access.fabric === Access.Fabric.Sensitive,\n timed: access.timed === true,\n\n // Official Matter defaults are View for read and Operate for write. However, the schema's effective access\n // should already have these defaults. Here we just adopt minimum needed rights as a safe fallback access level.\n readLevel: access.readPriv === undefined ? AccessLevel.View : Access.PrivilegeLevel[access.readPriv],\n writeLevel: access.writePriv === undefined ? AccessLevel.Operate : Access.PrivilegeLevel[access.writePriv],\n });\n\n return limits;\n}\n"],
|
|
5
|
-
"mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,mBAAmB;AAK5B,SAAS,cAAc;AACvB,SAAS,kBAAkB;AAC3B,SAAS,kBAAkB;AAC3B,SAAS,kBAAkB;AAC3B,SAAS,aAAa,WAAW,2BAA2B,kBAAkB;AAG9E,MAAM,QAAQ,oBAAI,QAA+B;AAkD1C,SAAS,cAAc,QAAgB;AAC1C,MAAI,WAAW,MAAM,IAAI,MAAM;AAC/B,MAAI,aAAa,QAAW;AACxB,eAAW,YAAY,MAAM;AAAA,EACjC;AACA,SAAO;AACX;AAsGA,OAAO,OAAO,aAAa;AAE3B,SAAS,YAAY,QAA+B;AAChD,MAAI,OAAO,QAAQ,WAAW,SAAS;AACnC,WAAO,mBAAmB,MAAM;AAAA,EACpC;AACA,SAAO,gBAAgB,MAAM;AACjC;AAEA,SAAS,gBAAgB,QAA+B;AACpD,QAAM,SAAS,UAAU,MAAM;AAE/B,MAAI,UAAsC,CAAC,SAAS,aAAa;AAC7D,QAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC,aAAO;AAAA,IACX;AAEA,WAAO,QAAQ,cAAc,OAAO,WAAW,QAAQ;AAAA,EAC3D;AAEA,MAAI,WAAuC,CAAC,SAAS,aAAa;AAC9D,QAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC,aAAO;AAAA,IACX;AAEA,WAAO,QAAQ,cAAc,OAAO,YAAY,QAAQ;AAAA,EAC5D;AAEA,MAAI,gBAAyC,CAAC,SAAS,aAAa;AAChE,QAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,IACJ;AAEA,QAAI,QAAQ,cAAc,OAAO,WAAW,QAAQ,GAAG;AACnD;AAAA,IACJ;AAEA,UAAM,IAAI,UAAU,UAAU,qBAAqB,WAAW,iBAAiB;AAAA,EACnF;AAEA,MAAI,iBAA0C,CAAC,SAAS,aAAa;AACjE,QAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,IACJ;AAEA,QAAI,QAAQ,cAAc,OAAO,YAAY,QAAQ,GAAG;AACpD;AAAA,IACJ;AAEA,UAAM,IAAI,WAAW,UAAU,qBAAqB,WAAW,iBAAiB;AAAA,EACpF;AAEA,MAAI,OAAO,OAAO;AACd,UAAM,wBAAwB;AAC9B,UAAM,kBAAkB;AAExB,qBAAiB,CAAC,SAAS,aAAa;AACpC,UAAI,CAAC,QAAQ,WAAW,CAAC,QAAQ,OAAO;AACpC,cAAM,IAAI;AAAA,UACN;AAAA,UACA;AAAA,UACA,WAAW;AAAA,QACf;AAAA,MACJ;AACA,8BAAwB,SAAS,QAAQ;AAAA,IAC7C;AAEA,eAAW,CAAC,SAAS,aAAa;AAC9B,UAAI,CAAC,QAAQ,WAAW,CAAC,QAAQ,OAAO;AACpC,eAAO;AAAA,MACX;AAEA,aAAO,gBAAgB,SAAS,QAAQ;AAAA,IAC5C;AAAA,EACJ;AAEA,MAAI,OAAO,iBAAiB;AACxB,UAAM,uBAAuB;AAC7B,UAAM,iBAAiB;AACvB,UAAM,wBAAwB;AAC9B,UAAM,kBAAkB;AAExB,oBAAgB,CAAC,SAAS,aAAa;AACnC,UAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,MACJ;AAEA,UAAI,QAAQ,gBAAgB;AACxB,YAAI,QAAQ,WAAW,QAAW;AAC9B,gBAAM,IAAI;AAAA,YACN;AAAA,YACA;AAAA,YACA,WAAW;AAAA,UACf;AAAA,QACJ;AAEA,YAAI,UAAU,gBAAgB,SAAS,iBAAiB,QAAQ,QAAQ;AACpE,gBAAM,IAAI;AAAA,YACN;AAAA,YACA;AAAA,YACA,WAAW;AAAA,UACf;AAAA,QACJ;AAAA,MACJ;AAEA,2BAAqB,SAAS,QAAQ;AAAA,IAC1C;AAEA,cAAU,CAAC,SAAS,aAAa;AAC7B,UAAI,QAAQ,WAAW,QAAQ,SAAS
;AACpC,eAAO;AAAA,MACX;AAEA,UAAI,QAAQ,WAAW,QAAW;AAC9B,eAAO;AAAA,MACX;AAEA,UAAI,
|
|
4
|
+
"sourcesContent": ["/**\n * @license\n * Copyright 2022-2024 Matter.js Authors\n * SPDX-License-Identifier: Apache-2.0\n */\n\nimport { AccessLevel } from \"../cluster/Cluster.js\";\nimport { ClusterId } from \"../datatype/ClusterId.js\";\nimport { FabricIndex } from \"../datatype/FabricIndex.js\";\nimport { SubjectId } from \"../datatype/SubjectId.js\";\nimport { DataModelPath } from \"../endpoint/DataModelPath.js\";\nimport { Access } from \"../model/aspects/index.js\";\nimport { ElementTag } from \"../model/index.js\";\nimport { ValueModel } from \"../model/models/index.js\";\nimport { StatusCode } from \"../protocol/interaction/StatusCode.js\";\nimport { InvokeError, ReadError, SchemaImplementationError, WriteError } from \"./errors.js\";\nimport { Schema } from \"./supervision/Schema.js\";\n\nconst cache = new WeakMap<Schema, AccessControl>();\n\n/**\n * Enforces access control for a specific schema.\n */\nexport interface AccessControl {\n /**\n * Operational access control metadata.\n */\n limits: AccessControl.Limits;\n\n /**\n * Assert read is authorized.\n */\n authorizeRead: AccessControl.Assertion;\n\n /**\n * Determine if read is authorized.\n */\n mayRead: AccessControl.Verification;\n\n /**\n * Assert write is authorized.\n */\n authorizeWrite: AccessControl.Assertion;\n\n /**\n * Determine if write is authorized.\n */\n mayWrite: AccessControl.Verification;\n\n /**\n * Assert invoke is authorized.\n */\n authorizeInvoke: AccessControl.Assertion;\n\n /**\n * Determine if invoke is authorized.\n */\n mayInvoke: AccessControl.Verification;\n}\n\n/**\n * Obtain an enforcer for specific schema.\n *\n * This is central to security. 
Implementation is explicit, all objects are involved are frozen and cache is stored as\n * module-private.\n *\n * Pure function; returned value is cached.\n */\nexport function AccessControl(schema: Schema) {\n let enforcer = cache.get(schema);\n if (enforcer === undefined) {\n enforcer = enforcerFor(schema);\n }\n return enforcer;\n}\n\nexport namespace AccessControl {\n /**\n * Operational access control metadata for a schema.\n */\n export interface Limits {\n readonly readable: boolean;\n readonly readLevel: AccessLevel;\n\n readonly writable: boolean;\n readonly writeLevel: AccessLevel;\n\n readonly fabricScoped: boolean;\n readonly fabricSensitive: boolean;\n\n readonly timed: boolean;\n }\n\n /**\n * A function that asserts access control requirements are met.\n */\n export type Assertion = (session: Session, location: Location) => void;\n\n /**\n * A function that returns true if access control requirements are met.\n */\n export type Verification = (session: Session, location: Location) => boolean;\n\n /**\n * Metadata that varies with position in the data model.\n */\n export interface Location {\n /**\n * The diagnostic path to the location.\n */\n path: DataModelPath;\n\n /**\n * The owning behavior.\n */\n cluster?: ClusterId;\n\n /**\n * The fabric that owns the data subtree. Undefined or {@link FabricIndex.NO_FABRIC} disables fabric\n * enforcement.\n */\n owningFabric?: FabricIndex;\n\n /**\n * The access levels already retrieved for this location. 
With this subtree elements can access the same\n * access levels without re-evaluating.\n */\n accessLevels?: AccessLevel[];\n }\n\n /**\n * Authorization metadata that varies with session.\n */\n export interface Session {\n /**\n * Checks if the authorized client has a certain Access Privilege granted.\n */\n authorizedFor(desiredAccessLevel: AccessLevel, location?: Location): boolean;\n\n /**\n * The fabric of the authorized client.\n */\n readonly fabric?: FabricIndex;\n\n /**\n * The authenticated {@link SubjectId} for online sessions.\n */\n readonly subject?: SubjectId;\n\n /**\n * If this is true, fabric-scoped lists are filtered to the accessing\n * fabric.\n */\n readonly fabricFiltered?: boolean;\n\n /**\n * If this is true a timed transaction is in effect.\n */\n readonly timed?: boolean;\n\n /**\n * If this is true then data access levels are not enforced. Datatypes and command-related access controls are\n * active.\n */\n readonly command?: boolean;\n\n /**\n * If this is true then access levels are not enforced and all values are read/write. 
Datatypes are still\n * enforced.\n *\n * Tracks \"offline\" rather than \"online\" because this makes the safer mode (full enforcement) the default.\n */\n offline?: boolean;\n }\n}\n\nObject.freeze(AccessControl);\n\nfunction enforcerFor(schema: Schema): AccessControl {\n if (schema.tag === ElementTag.Command) {\n return commandEnforcerFor(schema);\n }\n return dataEnforcerFor(schema);\n}\n\nfunction dataEnforcerFor(schema: Schema): AccessControl {\n const limits = limitsFor(schema);\n\n let mayRead: AccessControl.Verification = (session, location) => {\n if (session.offline || session.command) {\n return true;\n }\n\n return session.authorizedFor(limits.readLevel, location);\n };\n\n let mayWrite: AccessControl.Verification = (session, location) => {\n if (session.offline || session.command) {\n return true;\n }\n\n return session.authorizedFor(limits.writeLevel, location);\n };\n\n let authorizeRead: AccessControl.Assertion = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n if (session.authorizedFor(limits.readLevel, location)) {\n return;\n }\n\n throw new ReadError(location, \"Permission denied\", StatusCode.UnsupportedAccess);\n };\n\n let authorizeWrite: AccessControl.Assertion = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n if (session.authorizedFor(limits.writeLevel, location)) {\n return;\n }\n\n throw new WriteError(location, \"Permission denied\", StatusCode.UnsupportedAccess);\n };\n\n if (limits.timed) {\n const wrappedAuthorizeWrite = authorizeWrite;\n const wrappedMayWrite = mayWrite;\n\n authorizeWrite = (session, location) => {\n if (!session.offline && !session.timed) {\n throw new WriteError(\n location,\n \"Permission denied because interaction is not timed\",\n StatusCode.NeedsTimedInteraction,\n );\n }\n wrappedAuthorizeWrite?.(session, location);\n };\n\n mayWrite = (session, location) => {\n if (!session.offline && !session.timed) {\n return false;\n }\n\n 
return wrappedMayWrite(session, location);\n };\n }\n\n if (limits.fabricSensitive) {\n const wrappedAuthorizeRead = authorizeRead;\n const wrappedMayRead = mayRead;\n const wrappedAuthorizeWrite = authorizeWrite;\n const wrappedMayWrite = mayWrite;\n\n authorizeRead = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n if (session.fabricFiltered) {\n if (session.fabric === undefined) {\n throw new ReadError(\n location,\n \"Permission denied: No accessing fabric\",\n StatusCode.UnsupportedAccess,\n );\n }\n\n if (location?.owningFabric && location.owningFabric !== session.fabric) {\n throw new ReadError(\n location,\n \"Permission denied: Owning/accessing fabric mismatch\",\n StatusCode.UnsupportedAccess,\n );\n }\n }\n\n wrappedAuthorizeRead(session, location);\n };\n\n mayRead = (session, location) => {\n if (session.offline || session.command) {\n return true;\n }\n\n if (session.fabric === undefined) {\n return false;\n }\n\n if (location?.owningFabric && location.owningFabric !== session.fabric) {\n return false;\n }\n\n return wrappedMayRead(session, location);\n };\n\n authorizeWrite = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n\n if (session.fabric === undefined) {\n throw new WriteError(location, \"Permission denied: No accessing fabric\", StatusCode.UnsupportedAccess);\n }\n\n if (location?.owningFabric && location.owningFabric !== session.fabric) {\n throw new WriteError(location, \"Permission denied: Owning/accessing fabric mismatch\");\n }\n\n wrappedAuthorizeWrite(session, location);\n };\n\n mayWrite = (session, location) => {\n if (session.offline || session.command) {\n return true;\n }\n\n if (session.fabric === undefined) {\n return false;\n }\n\n if (location?.owningFabric && location.owningFabric !== session.fabric) {\n return false;\n }\n\n return wrappedMayWrite(session, location);\n };\n }\n\n if (!limits.readable) {\n authorizeRead = (session, location) => {\n if 
(session.offline || session.command) {\n return;\n }\n\n throw new ReadError(location, \"Permission defined: Value is write-only\");\n };\n\n mayRead = session => {\n return !!session.offline || !!session.command;\n };\n }\n\n if (!limits.writable) {\n authorizeWrite = (session, location) => {\n if (session.offline || session.command) {\n return;\n }\n throw new WriteError(location, \"Permission denied: Value is read-only\");\n };\n\n mayWrite = session => {\n return !!session.offline || !!session.command;\n };\n }\n\n return Object.freeze({\n limits,\n authorizeRead,\n mayRead,\n authorizeWrite,\n mayWrite,\n\n authorizeInvoke(_session: AccessControl.Session, location: AccessControl.Location) {\n throw new SchemaImplementationError(location, \"Permission denied: Invoke request but non-command schema\");\n },\n\n mayInvoke() {\n return false;\n },\n } satisfies AccessControl);\n}\n\nfunction commandEnforcerFor(schema: Schema): AccessControl {\n const limits = limitsFor(schema);\n const timed = schema.effectiveAccess.timed;\n const fabric = schema.effectiveAccess.fabric;\n\n return {\n limits,\n\n authorizeRead(_session, location) {\n throw new SchemaImplementationError(location, \"Permission denied: Read request but command schema\");\n },\n\n mayRead() {\n return false;\n },\n\n authorizeWrite(_session, location) {\n throw new SchemaImplementationError(location, \"Permission denied: Write request but command schema\");\n },\n\n mayWrite() {\n return false;\n },\n\n authorizeInvoke(session, location) {\n if (session.offline) {\n return;\n }\n\n if (!session.command) {\n throw new InvokeError(location, \"Invoke attempt without command context\");\n }\n\n if (timed && !session.timed) {\n throw new InvokeError(\n location,\n \"Invoke attempt without required timed context\",\n StatusCode.TimedRequestMismatch,\n );\n }\n\n if (fabric && session.fabric === undefined) {\n throw new WriteError(location, \"Permission denied: No accessing fabric\", 
StatusCode.UnsupportedAccess);\n }\n\n if (session.authorizedFor(limits.writeLevel, location)) {\n return;\n }\n\n throw new InvokeError(location, \"Permission denied\", StatusCode.UnsupportedAccess);\n },\n\n mayInvoke(session, location) {\n if (session.offline) {\n return true;\n }\n\n if (!session.command) {\n return false;\n }\n\n if (timed && !session.timed) {\n return false;\n }\n\n if (fabric && session.fabric === undefined) {\n return false;\n }\n\n return session.authorizedFor(limits.writeLevel, location);\n },\n };\n}\n\nfunction limitsFor(schema: Schema) {\n const access = schema.effectiveAccess;\n const quality = schema instanceof ValueModel ? schema.effectiveQuality : undefined;\n\n // Special handling for fixed values - we treat any property owned by a fixed value as also read-only\n let fixed = quality?.fixed;\n for (let s = schema.parent; !fixed && s instanceof ValueModel; s = s.parent) {\n if (s.effectiveQuality.fixed) {\n fixed = true;\n }\n }\n\n const limits: AccessControl.Limits = Object.freeze({\n readable: access.readable,\n writable: access.writable && !fixed,\n fabricScoped: access.fabric === Access.Fabric.Scoped || access.fabric === Access.Fabric.Sensitive,\n fabricSensitive: access.fabric === Access.Fabric.Sensitive,\n timed: access.timed === true,\n\n // Official Matter defaults are View for read and Operate for write. However, the schema's effective access\n // should already have these defaults. Here we just adopt minimum needed rights as a safe fallback access level.\n readLevel: access.readPriv === undefined ? AccessLevel.View : Access.PrivilegeLevel[access.readPriv],\n writeLevel: access.writePriv === undefined ? AccessLevel.Operate : Access.PrivilegeLevel[access.writePriv],\n });\n\n return limits;\n}\n"],
|
|
5
|
+
"mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,mBAAmB;AAK5B,SAAS,cAAc;AACvB,SAAS,kBAAkB;AAC3B,SAAS,kBAAkB;AAC3B,SAAS,kBAAkB;AAC3B,SAAS,aAAa,WAAW,2BAA2B,kBAAkB;AAG9E,MAAM,QAAQ,oBAAI,QAA+B;AAkD1C,SAAS,cAAc,QAAgB;AAC1C,MAAI,WAAW,MAAM,IAAI,MAAM;AAC/B,MAAI,aAAa,QAAW;AACxB,eAAW,YAAY,MAAM;AAAA,EACjC;AACA,SAAO;AACX;AAsGA,OAAO,OAAO,aAAa;AAE3B,SAAS,YAAY,QAA+B;AAChD,MAAI,OAAO,QAAQ,WAAW,SAAS;AACnC,WAAO,mBAAmB,MAAM;AAAA,EACpC;AACA,SAAO,gBAAgB,MAAM;AACjC;AAEA,SAAS,gBAAgB,QAA+B;AACpD,QAAM,SAAS,UAAU,MAAM;AAE/B,MAAI,UAAsC,CAAC,SAAS,aAAa;AAC7D,QAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC,aAAO;AAAA,IACX;AAEA,WAAO,QAAQ,cAAc,OAAO,WAAW,QAAQ;AAAA,EAC3D;AAEA,MAAI,WAAuC,CAAC,SAAS,aAAa;AAC9D,QAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC,aAAO;AAAA,IACX;AAEA,WAAO,QAAQ,cAAc,OAAO,YAAY,QAAQ;AAAA,EAC5D;AAEA,MAAI,gBAAyC,CAAC,SAAS,aAAa;AAChE,QAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,IACJ;AAEA,QAAI,QAAQ,cAAc,OAAO,WAAW,QAAQ,GAAG;AACnD;AAAA,IACJ;AAEA,UAAM,IAAI,UAAU,UAAU,qBAAqB,WAAW,iBAAiB;AAAA,EACnF;AAEA,MAAI,iBAA0C,CAAC,SAAS,aAAa;AACjE,QAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,IACJ;AAEA,QAAI,QAAQ,cAAc,OAAO,YAAY,QAAQ,GAAG;AACpD;AAAA,IACJ;AAEA,UAAM,IAAI,WAAW,UAAU,qBAAqB,WAAW,iBAAiB;AAAA,EACpF;AAEA,MAAI,OAAO,OAAO;AACd,UAAM,wBAAwB;AAC9B,UAAM,kBAAkB;AAExB,qBAAiB,CAAC,SAAS,aAAa;AACpC,UAAI,CAAC,QAAQ,WAAW,CAAC,QAAQ,OAAO;AACpC,cAAM,IAAI;AAAA,UACN;AAAA,UACA;AAAA,UACA,WAAW;AAAA,QACf;AAAA,MACJ;AACA,8BAAwB,SAAS,QAAQ;AAAA,IAC7C;AAEA,eAAW,CAAC,SAAS,aAAa;AAC9B,UAAI,CAAC,QAAQ,WAAW,CAAC,QAAQ,OAAO;AACpC,eAAO;AAAA,MACX;AAEA,aAAO,gBAAgB,SAAS,QAAQ;AAAA,IAC5C;AAAA,EACJ;AAEA,MAAI,OAAO,iBAAiB;AACxB,UAAM,uBAAuB;AAC7B,UAAM,iBAAiB;AACvB,UAAM,wBAAwB;AAC9B,UAAM,kBAAkB;AAExB,oBAAgB,CAAC,SAAS,aAAa;AACnC,UAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,MACJ;AAEA,UAAI,QAAQ,gBAAgB;AACxB,YAAI,QAAQ,WAAW,QAAW;AAC9B,gBAAM,IAAI;AAAA,YACN;AAAA,YACA;AAAA,YACA,WAAW;AAAA,UACf;AAAA,QACJ;AAEA,YAAI,UAAU,gBAAgB,SAAS,iBAAiB,QAAQ,QAAQ;AACpE,gBAAM,IAAI;AAAA,YACN;AAAA,YACA;AAAA,YACA,WAAW;AAAA,UACf;AAAA,QACJ;AAAA,MACJ;AAEA,2BAAqB,SAAS,QAAQ;AAAA,IAC1C;AAEA,cAAU,CAAC,SAAS,aAAa;AAC7B,UAAI,QAAQ,WAAW,QAAQ,SAAS
;AACpC,eAAO;AAAA,MACX;AAEA,UAAI,QAAQ,WAAW,QAAW;AAC9B,eAAO;AAAA,MACX;AAEA,UAAI,UAAU,gBAAgB,SAAS,iBAAiB,QAAQ,QAAQ;AACpE,eAAO;AAAA,MACX;AAEA,aAAO,eAAe,SAAS,QAAQ;AAAA,IAC3C;AAEA,qBAAiB,CAAC,SAAS,aAAa;AACpC,UAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,MACJ;AAEA,UAAI,QAAQ,WAAW,QAAW;AAC9B,cAAM,IAAI,WAAW,UAAU,0CAA0C,WAAW,iBAAiB;AAAA,MACzG;AAEA,UAAI,UAAU,gBAAgB,SAAS,iBAAiB,QAAQ,QAAQ;AACpE,cAAM,IAAI,WAAW,UAAU,qDAAqD;AAAA,MACxF;AAEA,4BAAsB,SAAS,QAAQ;AAAA,IAC3C;AAEA,eAAW,CAAC,SAAS,aAAa;AAC9B,UAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC,eAAO;AAAA,MACX;AAEA,UAAI,QAAQ,WAAW,QAAW;AAC9B,eAAO;AAAA,MACX;AAEA,UAAI,UAAU,gBAAgB,SAAS,iBAAiB,QAAQ,QAAQ;AACpE,eAAO;AAAA,MACX;AAEA,aAAO,gBAAgB,SAAS,QAAQ;AAAA,IAC5C;AAAA,EACJ;AAEA,MAAI,CAAC,OAAO,UAAU;AAClB,oBAAgB,CAAC,SAAS,aAAa;AACnC,UAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,MACJ;AAEA,YAAM,IAAI,UAAU,UAAU,yCAAyC;AAAA,IAC3E;AAEA,cAAU,aAAW;AACjB,aAAO,CAAC,CAAC,QAAQ,WAAW,CAAC,CAAC,QAAQ;AAAA,IAC1C;AAAA,EACJ;AAEA,MAAI,CAAC,OAAO,UAAU;AAClB,qBAAiB,CAAC,SAAS,aAAa;AACpC,UAAI,QAAQ,WAAW,QAAQ,SAAS;AACpC;AAAA,MACJ;AACA,YAAM,IAAI,WAAW,UAAU,uCAAuC;AAAA,IAC1E;AAEA,eAAW,aAAW;AAClB,aAAO,CAAC,CAAC,QAAQ,WAAW,CAAC,CAAC,QAAQ;AAAA,IAC1C;AAAA,EACJ;AAEA,SAAO,OAAO,OAAO;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IAEA,gBAAgB,UAAiC,UAAkC;AAC/E,YAAM,IAAI,0BAA0B,UAAU,0DAA0D;AAAA,IAC5G;AAAA,IAEA,YAAY;AACR,aAAO;AAAA,IACX;AAAA,EACJ,CAAyB;AAC7B;AAEA,SAAS,mBAAmB,QAA+B;AACvD,QAAM,SAAS,UAAU,MAAM;AAC/B,QAAM,QAAQ,OAAO,gBAAgB;AACrC,QAAM,SAAS,OAAO,gBAAgB;AAEtC,SAAO;AAAA,IACH;AAAA,IAEA,cAAc,UAAU,UAAU;AAC9B,YAAM,IAAI,0BAA0B,UAAU,oDAAoD;AAAA,IACtG;AAAA,IAEA,UAAU;AACN,aAAO;AAAA,IACX;AAAA,IAEA,eAAe,UAAU,UAAU;AAC/B,YAAM,IAAI,0BAA0B,UAAU,qDAAqD;AAAA,IACvG;AAAA,IAEA,WAAW;AACP,aAAO;AAAA,IACX;AAAA,IAEA,gBAAgB,SAAS,UAAU;AAC/B,UAAI,QAAQ,SAAS;AACjB;AAAA,MACJ;AAEA,UAAI,CAAC,QAAQ,SAAS;AAClB,cAAM,IAAI,YAAY,UAAU,wCAAwC;AAAA,MAC5E;AAEA,UAAI,SAAS,CAAC,QAAQ,OAAO;AACzB,cAAM,IAAI;AAAA,UACN;AAAA,UACA;AAAA,UACA,WAAW;AAAA,QACf;AAAA,MACJ;AAEA,UAAI,UAAU,QAAQ,WAAW,QAAW;AACxC,cAAM,IAAI,WAAW,UAAU,0CAA0C,WAAW,iBAAiB;AAAA,MACzG;AAEA,UAA
I,QAAQ,cAAc,OAAO,YAAY,QAAQ,GAAG;AACpD;AAAA,MACJ;AAEA,YAAM,IAAI,YAAY,UAAU,qBAAqB,WAAW,iBAAiB;AAAA,IACrF;AAAA,IAEA,UAAU,SAAS,UAAU;AACzB,UAAI,QAAQ,SAAS;AACjB,eAAO;AAAA,MACX;AAEA,UAAI,CAAC,QAAQ,SAAS;AAClB,eAAO;AAAA,MACX;AAEA,UAAI,SAAS,CAAC,QAAQ,OAAO;AACzB,eAAO;AAAA,MACX;AAEA,UAAI,UAAU,QAAQ,WAAW,QAAW;AACxC,eAAO;AAAA,MACX;AAEA,aAAO,QAAQ,cAAc,OAAO,YAAY,QAAQ;AAAA,IAC5D;AAAA,EACJ;AACJ;AAEA,SAAS,UAAU,QAAgB;AAC/B,QAAM,SAAS,OAAO;AACtB,QAAM,UAAU,kBAAkB,aAAa,OAAO,mBAAmB;AAGzE,MAAI,QAAQ,SAAS;AACrB,WAAS,IAAI,OAAO,QAAQ,CAAC,SAAS,aAAa,YAAY,IAAI,EAAE,QAAQ;AACzE,QAAI,EAAE,iBAAiB,OAAO;AAC1B,cAAQ;AAAA,IACZ;AAAA,EACJ;AAEA,QAAM,SAA+B,OAAO,OAAO;AAAA,IAC/C,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO,YAAY,CAAC;AAAA,IAC9B,cAAc,OAAO,WAAW,OAAO,OAAO,UAAU,OAAO,WAAW,OAAO,OAAO;AAAA,IACxF,iBAAiB,OAAO,WAAW,OAAO,OAAO;AAAA,IACjD,OAAO,OAAO,UAAU;AAAA;AAAA;AAAA,IAIxB,WAAW,OAAO,aAAa,SAAY,YAAY,OAAO,OAAO,eAAe,OAAO,QAAQ;AAAA,IACnG,YAAY,OAAO,cAAc,SAAY,YAAY,UAAU,OAAO,eAAe,OAAO,SAAS;AAAA,EAC7G,CAAC;AAED,SAAO;AACX;",
|
|
6
6
|
"names": []
|
|
7
7
|
}
|
|
@@ -27,5 +27,6 @@ export declare class ServerNodeFailsafeContext extends FailsafeContext {
|
|
|
27
27
|
restoreNetworkState(): Promise<void>;
|
|
28
28
|
revokeFabric(fabric: Fabric): Promise<void>;
|
|
29
29
|
restoreBreadcrumb(): Promise<void>;
|
|
30
|
+
rollback(): Promise<void>;
|
|
30
31
|
}
|
|
31
32
|
//# sourceMappingURL=ServerNodeFailsafeContext.d.ts.map
|
package/dist/esm/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ServerNodeFailsafeContext.d.ts","sourceRoot":"","sources":["../../../../../src/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAGrE,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;
|
|
1
|
+
{"version":3,"file":"ServerNodeFailsafeContext.d.ts","sourceRoot":"","sources":["../../../../../src/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAGrE,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAEnD,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC;AAI7C;;GAEG;AACH,qBAAa,yBAA0B,SAAQ,eAAe;;gBAiB9C,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,CAAC,OAAO;IAWxD;;;;;;;;;;OAUG;IACY,kBAAkB;IAsBlB,mBAAmB;IAanB,YAAY,CAAC,MAAM,EAAE,MAAM;IAM3B,iBAAiB;IAMjB,QAAQ;CA4C1B"}
|
|
@@ -4,7 +4,8 @@
|
|
|
4
4
|
* SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
*/
|
|
6
6
|
import { FailsafeContext } from "../../../common/FailsafeContext.js";
|
|
7
|
-
import { Lifecycle } from "../../../common/Lifecycle.js";
|
|
7
|
+
import { Lifecycle, UnsupportedDependencyError } from "../../../common/Lifecycle.js";
|
|
8
|
+
import { FabricManager } from "../../../fabric/FabricManager.js";
|
|
8
9
|
import { NetworkCommissioningBehavior } from "../network-commissioning/NetworkCommissioningBehavior.js";
|
|
9
10
|
class ServerNodeFailsafeContext extends FailsafeContext {
|
|
10
11
|
#node;
|
|
@@ -67,6 +68,19 @@ class ServerNodeFailsafeContext extends FailsafeContext {
|
|
|
67
68
|
agent.generalCommissioning.state.breadcrumb = 0;
|
|
68
69
|
});
|
|
69
70
|
}
|
|
71
|
+
async rollback() {
|
|
72
|
+
if (!this.fabricIndex && this.hasRootCert) {
|
|
73
|
+
try {
|
|
74
|
+
const fabricManager = this.#node.env.get(FabricManager);
|
|
75
|
+
fabricManager.events.failsafeClosed.emit();
|
|
76
|
+
} catch (error) {
|
|
77
|
+
if (!(error instanceof UnsupportedDependencyError)) {
|
|
78
|
+
throw error;
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
return super.rollback();
|
|
83
|
+
}
|
|
70
84
|
/*
|
|
71
85
|
override async restoreFabric() {
|
|
72
86
|
await super.restoreFabric();
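Review bot: In `rollback()`, the `try` covers both the `this.#node.env.get(FabricManager)` lookup and `fabricManager.events.failsafeClosed.emit()`, so an `UnsupportedDependencyError` raised inside an event listener would be swallowed along with the lookup failure that the catch appears to target. Any other exception from either call is rethrown before `return super.rollback()`, which would skip the base failsafe rollback. Whether `emit()` can throw synchronously depends on the event implementation, which is not visible here. Narrowing the `try` to the lookup keeps listener failures visible and makes the ignored case explicit. `rollback()` is complete within the hunk; the class body continues outside it.

```javascript
async rollback() {
    let fabricManager;
    if (!this.fabricIndex && this.hasRootCert) {
        try {
            // Only the dependency lookup is expected to fail while the node is closing.
            fabricManager = this.#node.env.get(FabricManager);
        } catch (error) {
            if (!(error instanceof UnsupportedDependencyError)) {
                throw error;
            }
        }
    }
    fabricManager?.events.failsafeClosed.emit();
    return super.rollback();
}
```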
|
package/dist/esm/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.js.map
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"version": 3,
|
|
3
3
|
"sources": ["../../../../../src/behavior/definitions/general-commissioning/ServerNodeFailsafeContext.ts"],
|
|
4
|
-
"sourcesContent": ["/**\n * @license\n * Copyright 2022-2024 Matter.js Authors\n * SPDX-License-Identifier: Apache-2.0\n */\n\nimport { FailsafeContext } from \"../../../common/FailsafeContext.js\";\nimport { Lifecycle } from \"../../../common/Lifecycle.js\";\nimport { Endpoint } from \"../../../endpoint/Endpoint.js\";\nimport { Fabric } from \"../../../fabric/Fabric.js\";\nimport { Node } from \"../../../node/Node.js\";\nimport { Immutable } from \"../../../util/Type.js\";\nimport { NetworkCommissioningBehavior } from \"../network-commissioning/NetworkCommissioningBehavior.js\";\n\n/**\n * {@link FailsafeContext} for {@link Node} API.\n */\nexport class ServerNodeFailsafeContext extends FailsafeContext {\n #node: Node;\n #storedState?: {\n networks: Map<Endpoint, Immutable<NetworkCommissioningBehavior.State[\"networks\"]>>;\n /*\n\n When Fabrics are no longer managed centrally in FabricManager we need this. Maybe we change to this later,\n but now it is just here for reference because these changes are realized by events that are triggered by Fabric\n object changes. See also other commented out sections in this class.\n\n nocs: OperationalCredentialsBehavior.State[\"nocs\"];\n fabrics: OperationalCredentialsBehavior.State[\"fabrics\"];\n trustedRootCertificates: OperationalCredentialsBehavior.State[\"trustedRootCertificates\"];\n\n */\n };\n\n constructor(node: Node, options: FailsafeContext.Options) {\n super(options);\n this.#node = node;\n this.#node.env.set(FailsafeContext, this);\n this.construction.change.on(status => {\n if (status === Lifecycle.Status.Destroyed) {\n this.#node.env.delete(FailsafeContext, this);\n }\n });\n }\n\n /**\n * Persist endpoint credentials and network configurations for restoration if commissioning does not complete.\n *\n * The Matter 1.2 specification makes it pretty clear that Matter supports configuration of multiple network\n * interfaces (e.g. 
@see {@link MatterSpecification.v11.Core} \u00A7 11.8.8 and \u00A7 2.3.2).\n * {@link NetworkCommissioningCluster} of the primary interface is on the root endpoint. However it's not clear\n * where {@link NetworkCommissioningCluster} instances for secondary interfaces reside. To be on the safe side\n * we just assume any endpoint may support {@link NetworkCommissioningCluster}.\n *\n * TODO - it's recommended to reset all state if commissioning bails; currently we perform mandatory restore\n */\n override async storeEndpointState() {\n // const opcreds = this.#node.state.operationalCredentials;\n this.#storedState = {\n networks: new Map(),\n /*\n nocs: opcreds.nocs.map(noc => ({ ...noc })),\n fabrics: opcreds.fabrics.map(fabric => ({ ...fabric })),\n trustedRootCertificates: [...opcreds.trustedRootCertificates],\n */\n };\n\n if (!this.#node.behaviors.has(NetworkCommissioningBehavior)) {\n return;\n }\n\n this.#node.visit(endpoint => {\n if (endpoint.behaviors.has(NetworkCommissioningBehavior)) {\n this.#storedState?.networks.set(endpoint, endpoint.stateOf(NetworkCommissioningBehavior).networks);\n }\n });\n }\n\n override async restoreNetworkState() {\n await this.#node.act(async agent => {\n const context = agent.context;\n\n await this.#node.visit(async endpoint => {\n const networks = this.#storedState?.networks.get(endpoint);\n if (networks) {\n context.agentFor(endpoint).get(NetworkCommissioningBehavior).state.networks = [...networks];\n }\n });\n });\n }\n\n override async revokeFabric(fabric: Fabric) {\n await fabric.remove();\n\n // await this.#restoreOperationalCredentials();\n }\n\n override async restoreBreadcrumb() {\n await this.#node.act(agent => {\n agent.generalCommissioning.state.breadcrumb = 0;\n });\n }\n\n /*\n override async restoreFabric() {\n await super.restoreFabric();\n await this.#restoreOperationalCredentials();\n }\n\n async #restoreOperationalCredentials() {\n if (this.#operationalCredentialsRestored) {\n return;\n }\n\n const state 
= this.#storedState;\n if (state) {\n await this.#node.act(agent => {\n const opcreds = agent.operationalCredentials.state;\n opcreds.nocs = state.nocs;\n opcreds.fabrics = state.fabrics;\n opcreds.commissionedFabrics = opcreds.fabrics.length;\n opcreds.trustedRootCertificates = state.trustedRootCertificates;\n });\n }\n\n this.#operationalCredentialsRestored = true;\n }\n */\n}\n"],
|
|
5
|
-
"mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,uBAAuB;AAChC,SAAS,
|
|
4
|
+
"sourcesContent": ["/**\n * @license\n * Copyright 2022-2024 Matter.js Authors\n * SPDX-License-Identifier: Apache-2.0\n */\n\nimport { FailsafeContext } from \"../../../common/FailsafeContext.js\";\nimport { Lifecycle, UnsupportedDependencyError } from \"../../../common/Lifecycle.js\";\nimport { Endpoint } from \"../../../endpoint/Endpoint.js\";\nimport { Fabric } from \"../../../fabric/Fabric.js\";\nimport { FabricManager } from \"../../../fabric/FabricManager.js\";\nimport { Node } from \"../../../node/Node.js\";\nimport { Immutable } from \"../../../util/Type.js\";\nimport { NetworkCommissioningBehavior } from \"../network-commissioning/NetworkCommissioningBehavior.js\";\n\n/**\n * {@link FailsafeContext} for {@link Node} API.\n */\nexport class ServerNodeFailsafeContext extends FailsafeContext {\n #node: Node;\n #storedState?: {\n networks: Map<Endpoint, Immutable<NetworkCommissioningBehavior.State[\"networks\"]>>;\n /*\n\n When Fabrics are no longer managed centrally in FabricManager we need this. Maybe we change to this later,\n but now it is just here for reference because these changes are realized by events that are triggered by Fabric\n object changes. 
See also other commented out sections in this class.\n\n nocs: OperationalCredentialsBehavior.State[\"nocs\"];\n fabrics: OperationalCredentialsBehavior.State[\"fabrics\"];\n trustedRootCertificates: OperationalCredentialsBehavior.State[\"trustedRootCertificates\"];\n\n */\n };\n\n constructor(node: Node, options: FailsafeContext.Options) {\n super(options);\n this.#node = node;\n this.#node.env.set(FailsafeContext, this);\n this.construction.change.on(status => {\n if (status === Lifecycle.Status.Destroyed) {\n this.#node.env.delete(FailsafeContext, this);\n }\n });\n }\n\n /**\n * Persist endpoint credentials and network configurations for restoration if commissioning does not complete.\n *\n * The Matter 1.2 specification makes it pretty clear that Matter supports configuration of multiple network\n * interfaces (e.g. @see {@link MatterSpecification.v11.Core} \u00A7 11.8.8 and \u00A7 2.3.2).\n * {@link NetworkCommissioningCluster} of the primary interface is on the root endpoint. However it's not clear\n * where {@link NetworkCommissioningCluster} instances for secondary interfaces reside. 
To be on the safe side\n * we just assume any endpoint may support {@link NetworkCommissioningCluster}.\n *\n * TODO - it's recommended to reset all state if commissioning bails; currently we perform mandatory restore\n */\n override async storeEndpointState() {\n // const opcreds = this.#node.state.operationalCredentials;\n this.#storedState = {\n networks: new Map(),\n /*\n nocs: opcreds.nocs.map(noc => ({ ...noc })),\n fabrics: opcreds.fabrics.map(fabric => ({ ...fabric })),\n trustedRootCertificates: [...opcreds.trustedRootCertificates],\n */\n };\n\n if (!this.#node.behaviors.has(NetworkCommissioningBehavior)) {\n return;\n }\n\n this.#node.visit(endpoint => {\n if (endpoint.behaviors.has(NetworkCommissioningBehavior)) {\n this.#storedState?.networks.set(endpoint, endpoint.stateOf(NetworkCommissioningBehavior).networks);\n }\n });\n }\n\n override async restoreNetworkState() {\n await this.#node.act(async agent => {\n const context = agent.context;\n\n await this.#node.visit(async endpoint => {\n const networks = this.#storedState?.networks.get(endpoint);\n if (networks) {\n context.agentFor(endpoint).get(NetworkCommissioningBehavior).state.networks = [...networks];\n }\n });\n });\n }\n\n override async revokeFabric(fabric: Fabric) {\n await fabric.remove();\n\n // await this.#restoreOperationalCredentials();\n }\n\n override async restoreBreadcrumb() {\n await this.#node.act(agent => {\n agent.generalCommissioning.state.breadcrumb = 0;\n });\n }\n\n override async rollback() {\n if (!this.fabricIndex && this.hasRootCert) {\n // Update the fabric details if needed (like Trusted Root certificates)\n // Only if fabric was not added because else all data gets updated anyway\n try {\n const fabricManager = this.#node.env.get(FabricManager);\n fabricManager.events.failsafeClosed.emit();\n } catch (error) {\n // UnsupportedDependencyError can happen when the node closes.\n // Then data are refreshed on next start anyway, so ignore this case\n if (!(error instanceof 
UnsupportedDependencyError)) {\n throw error;\n }\n }\n }\n\n return super.rollback();\n }\n\n /*\n override async restoreFabric() {\n await super.restoreFabric();\n await this.#restoreOperationalCredentials();\n }\n\n async #restoreOperationalCredentials() {\n if (this.#operationalCredentialsRestored) {\n return;\n }\n\n const state = this.#storedState;\n if (state) {\n await this.#node.act(agent => {\n const opcreds = agent.operationalCredentials.state;\n opcreds.nocs = state.nocs;\n opcreds.fabrics = state.fabrics;\n opcreds.commissionedFabrics = opcreds.fabrics.length;\n opcreds.trustedRootCertificates = state.trustedRootCertificates;\n });\n }\n\n this.#operationalCredentialsRestored = true;\n }\n */\n}\n"],
|
|
5
|
+
"mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,uBAAuB;AAChC,SAAS,WAAW,kCAAkC;AAGtD,SAAS,qBAAqB;AAG9B,SAAS,oCAAoC;AAKtC,MAAM,kCAAkC,gBAAgB;AAAA,EAC3D;AAAA,EACA;AAAA,EAeA,YAAY,MAAY,SAAkC;AACtD,UAAM,OAAO;AACb,SAAK,QAAQ;AACb,SAAK,MAAM,IAAI,IAAI,iBAAiB,IAAI;AACxC,SAAK,aAAa,OAAO,GAAG,YAAU;AAClC,UAAI,WAAW,UAAU,OAAO,WAAW;AACvC,aAAK,MAAM,IAAI,OAAO,iBAAiB,IAAI;AAAA,MAC/C;AAAA,IACJ,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAe,qBAAqB;AAEhC,SAAK,eAAe;AAAA,MAChB,UAAU,oBAAI,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMtB;AAEA,QAAI,CAAC,KAAK,MAAM,UAAU,IAAI,4BAA4B,GAAG;AACzD;AAAA,IACJ;AAEA,SAAK,MAAM,MAAM,cAAY;AACzB,UAAI,SAAS,UAAU,IAAI,4BAA4B,GAAG;AACtD,aAAK,cAAc,SAAS,IAAI,UAAU,SAAS,QAAQ,4BAA4B,EAAE,QAAQ;AAAA,MACrG;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,MAAe,sBAAsB;AACjC,UAAM,KAAK,MAAM,IAAI,OAAM,UAAS;AAChC,YAAM,UAAU,MAAM;AAEtB,YAAM,KAAK,MAAM,MAAM,OAAM,aAAY;AACrC,cAAM,WAAW,KAAK,cAAc,SAAS,IAAI,QAAQ;AACzD,YAAI,UAAU;AACV,kBAAQ,SAAS,QAAQ,EAAE,IAAI,4BAA4B,EAAE,MAAM,WAAW,CAAC,GAAG,QAAQ;AAAA,QAC9F;AAAA,MACJ,CAAC;AAAA,IACL,CAAC;AAAA,EACL;AAAA,EAEA,MAAe,aAAa,QAAgB;AACxC,UAAM,OAAO,OAAO;AAAA,EAGxB;AAAA,EAEA,MAAe,oBAAoB;AAC/B,UAAM,KAAK,MAAM,IAAI,WAAS;AAC1B,YAAM,qBAAqB,MAAM,aAAa;AAAA,IAClD,CAAC;AAAA,EACL;AAAA,EAEA,MAAe,WAAW;AACtB,QAAI,CAAC,KAAK,eAAe,KAAK,aAAa;AAGvC,UAAI;AACA,cAAM,gBAAgB,KAAK,MAAM,IAAI,IAAI,aAAa;AACtD,sBAAc,OAAO,eAAe,KAAK;AAAA,MAC7C,SAAS,OAAO;AAGZ,YAAI,EAAE,iBAAiB,6BAA6B;AAChD,gBAAM;AAAA,QACV;AAAA,MACJ;AAAA,IACJ;AAEA,WAAO,MAAM,SAAS;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA2BJ;",
|
|
6
6
|
"names": []
|
|
7
7
|
}
|
package/dist/esm/behavior/definitions/operational-credentials/OperationalCredentialsServer.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OperationalCredentialsServer.d.ts","sourceRoot":"","sources":["../../../../../src/behavior/definitions/operational-credentials/OperationalCredentialsServer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,EAAE,sBAAsB,EAAE,MAAM,+DAA+D,CAAC;
|
|
1
|
+
{"version":3,"file":"OperationalCredentialsServer.d.ts","sourceRoot":"","sources":["../../../../../src/behavior/definitions/operational-credentials/OperationalCredentialsServer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,EAAE,sBAAsB,EAAE,MAAM,+DAA+D,CAAC;AAMvG,OAAO,EAAE,WAAW,EAAE,MAAM,kCAAkC,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,+BAA+B,CAAC;AAUzD,OAAO,EAAE,GAAG,EAAE,MAAM,oBAAoB,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AAIvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AACrF,OAAO,EACH,aAAa,EACb,gCAAgC,EAChC,kBAAkB,EAClB,uBAAuB,EACvB,UAAU,EAEV,mBAAmB,EACnB,wBAAwB,EACxB,gBAAgB,EACnB,MAAM,sCAAsC,CAAC;AA+B9C;;;;;;;GAOG;AACH,qBAAa,4BAA6B,SAAQ,8BAA8B;;IACpE,QAAQ,EAAE,4BAA4B,CAAC,QAAQ,CAAC;IAChD,KAAK,EAAE,4BAA4B,CAAC,KAAK,CAAC;IAEzC,UAAU;IAUJ,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,EAAE,kBAAkB;;;;IAkB3D,UAAU,CAAC,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,UAAU;;;;IA8BnD,uBAAuB,CAAC,EAAE,eAAe,EAAE,EAAE,uBAAuB;;;IAmDpE,MAAM,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,gBAAgB,EAAE,aAAa,EAAE,EAAE,aAAa;;;;;IAqGxF,SAAS,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,gBAAgB;;;;;IAwDnD,iBAAiB,CAAC,EAAE,KAAK,EAAE,EAAE,wBAAwB;;;;;;;;;IAoBrD,YAAY,CAAC,EAAE,WAAW,EAAE,EAAE,mBAAmB;;;;;;;;;IAqBvD,yBAAyB,CAAC,EAAE,iBAAiB,EAAE,EAAE,gCAAgC;IA8DpF,gBAAgB;CAyCzB;AAED,yBAAiB,4BAA4B,CAAC;IAC1C,MAAa,QAAQ;QACjB,aAAa,CAAC,EAAE,mBAAmB,CAAC;QACpC,kBAAkB,CAAC,EAAE,WAAW,CAAC;KACpC;IAED,MAAa,KAAM,SAAQ,8BAA8B,CAAC,KAAK;QAC3D;;;;;;;;WAQG;QACH,aAAa,CAAC,EAAE,mBAAmB,CAAC,UAAU,CAAa;QAE3D,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,CAAC,OAAO;;;KAOzE;CACJ"}
|
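--- a/package/dist/esm/behavior/definitions/operational-credentials/OperationalCredentialsServer.js
+++ b/package/dist/esm/behavior/definitions/operational-credentials/OperationalCredentialsServer.js
@@ -11,6 +11,7 @@ import { MatterFabricInvalidAdminSubjectError } from "../../../common/FailsafeCo
 import { MatterFabricConflictError } from "../../../common/FailsafeTimer.js";
 import { MatterFlowError, UnexpectedDataError } from "../../../common/MatterError.js";
 import { ValidationError } from "../../../common/ValidationError.js";
+import { CryptoVerifyError } from "../../../crypto/Crypto.js";
 import { FabricIndex } from "../../../datatype/FabricIndex.js";
 import { PublicKeyError } from "../../../fabric/Fabric.js";
 import { FabricAction, FabricManager, FabricTableFullError } from "../../../fabric/FabricManager.js";
@@ -121,7 +122,7 @@ class OperationalCredentialsServer extends OperationalCredentialsBehavior {
 statusCode: OperationalCredentials.NodeOperationalCertStatus.TableFull,
 debugText: error.message
 };
-} else if (error instanceof CertificateError || error instanceof ValidationError || error instanceof UnexpectedDataError) {
+} else if (error instanceof CryptoVerifyError || error instanceof CertificateError || error instanceof ValidationError || error instanceof UnexpectedDataError) {
 return {
 statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidNoc,
 debugText: error.message
@@ -307,11 +308,15 @@ class OperationalCredentialsServer extends OperationalCredentialsBehavior {
 failsafeContext.setRootCert(rootCaCertificate);
 } catch (error) {
 logger.info("setting root certificate failed", error);
-if (error instanceof CertificateError || error instanceof ValidationError || error instanceof UnexpectedDataError) {
+if (error instanceof CryptoVerifyError || error instanceof CertificateError || error instanceof ValidationError || error instanceof UnexpectedDataError) {
 throw new StatusResponseError(error.message, StatusCode.InvalidCommand);
 }
 throw error;
 }
+const fabrics = this.endpoint.env.get(FabricManager).getFabrics();
+const trustedRootCertificates = fabrics.map((fabric) => fabric.rootCert);
+trustedRootCertificates.push(rootCaCertificate);
+this.state.trustedRootCertificates = trustedRootCertificates;
 }
 async #updateFabrics() {
 const fabrics = this.endpoint.env.get(FabricManager).getFabrics();
@@ -354,11 +359,15 @@ class OperationalCredentialsServer extends OperationalCredentialsBehavior {
 await this.#updateFabrics();
 this.agent.get(CommissioningBehavior).handleFabricChange(fabricIndex, FabricAction.Removed);
 }
+async #handleFailsafeClosed() {
+await this.#updateFabrics();
+}
 async #nodeOnline() {
 const fabricManager = this.endpoint.env.get(FabricManager);
 this.reactTo(fabricManager.events.added, this.#handleAddedFabric);
 this.reactTo(fabricManager.events.updated, this.#handleUpdatedFabric);
 this.reactTo(fabricManager.events.deleted, this.#handleRemovedFabric);
+this.reactTo(fabricManager.events.failsafeClosed, this.#handleFailsafeClosed, { lock: true });
 await this.#updateFabrics();
 }
 }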
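Review bot: The root certificate appended to `this.state.trustedRootCertificates` at the end of the third hunk is provisional, since no fabric exists for it yet, and nothing in the code says so. The only visible path that drops it again is the new `#handleFailsafeClosed` calling `#updateFabrics()`, which presumably rebuilds the list from committed fabrics (its body continues outside the hunk). I would document that coupling where the list is assigned, for example `// provisional entry: visible while the failsafe is armed, rebuilt from committed fabrics on failsafeClosed`. The `push` is also unconditional, so a root that is byte-identical to an existing fabric's `rootCert` would be listed twice; it is worth confirming that this is intended. Because this file is build output, both changes belong in the TypeScript source.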
package/dist/esm/behavior/definitions/operational-credentials/OperationalCredentialsServer.js.map
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"version": 3,
|
|
3
3
|
"sources": ["../../../../../src/behavior/definitions/operational-credentials/OperationalCredentialsServer.ts"],
|
|
4
|
-
"sourcesContent": ["/**\n * @license\n * Copyright 2022-2024 Matter.js Authors\n * SPDX-License-Identifier: Apache-2.0\n */\n\nimport { CertificateError } from \"../../../certificate/CertificateManager.js\";\nimport { AccessLevel, Command } from \"../../../cluster/Cluster.js\";\nimport { AccessControl } from \"../../../cluster/definitions/AccessControlCluster.js\";\nimport { OperationalCredentials } from \"../../../cluster/definitions/OperationalCredentialsCluster.js\";\nimport { MatterFabricInvalidAdminSubjectError } from \"../../../common/FailsafeContext.js\";\nimport { MatterFabricConflictError } from \"../../../common/FailsafeTimer.js\";\nimport { MatterFlowError, UnexpectedDataError } from \"../../../common/MatterError.js\";\nimport { ValidationError } from \"../../../common/ValidationError.js\";\nimport { FabricIndex } from \"../../../datatype/FabricIndex.js\";\nimport { Endpoint } from \"../../../endpoint/Endpoint.js\";\nimport { Fabric, PublicKeyError } from \"../../../fabric/Fabric.js\";\nimport { FabricAction, FabricManager, FabricTableFullError } from \"../../../fabric/FabricManager.js\";\nimport { Logger } from \"../../../log/Logger.js\";\nimport type { Node } from \"../../../node/Node.js\";\nimport { StatusCode, StatusResponseError } from \"../../../protocol/interaction/StatusCode.js\";\nimport { assertSecureSession } from \"../../../session/SecureSession.js\";\nimport { TlvBoolean } from \"../../../tlv/TlvBoolean.js\";\nimport { TlvField, TlvObject, TlvOptionalField } from \"../../../tlv/TlvObject.js\";\nimport { TlvByteString } from \"../../../tlv/TlvString.js\";\nimport { Val } from \"../../state/Val.js\";\nimport { ValueSupervisor } from \"../../supervision/ValueSupervisor.js\";\nimport { CommissioningBehavior } from \"../../system/commissioning/CommissioningBehavior.js\";\nimport { ProductDescriptionServer } from \"../../system/product-description/ProductDescriptionServer.js\";\nimport { AccessControlServer } from 
\"../access-control/AccessControlServer.js\";\nimport { DeviceCertification } from \"./DeviceCertification.js\";\nimport { OperationalCredentialsBehavior } from \"./OperationalCredentialsBehavior.js\";\nimport {\n AddNocRequest,\n AddTrustedRootCertificateRequest,\n AttestationRequest,\n CertificateChainRequest,\n CsrRequest,\n NocResponse,\n RemoveFabricRequest,\n UpdateFabricLabelRequest,\n UpdateNocRequest,\n} from \"./OperationalCredentialsInterface.js\";\nimport { TlvAttestation, TlvCertSigningRequest } from \"./OperationalCredentialsTypes.js\";\n\nconst logger = Logger.get(\"OperationalCredentials\");\n\n/**\n * Monkey patching Tlv Structure of attestationRequest and csrRequest commands to prevent data validation of the nonce\n * fields to be handled as ConstraintError because we need to return a special error.\n * We do this to leave the model in fact for other validations and only apply the change for our Schema-aware Tlv parsing.\n */\nOperationalCredentials.Cluster.commands = {\n ...OperationalCredentials.Cluster.commands,\n attestationRequest: Command(\n 0x0,\n TlvObject({ attestationNonce: TlvField(0, TlvByteString) }),\n 0x1,\n OperationalCredentials.TlvAttestationResponse,\n { invokeAcl: AccessLevel.Administer },\n ),\n csrRequest: Command(\n 0x4,\n TlvObject({\n csrNonce: TlvField(0, TlvByteString),\n isForUpdateNoc: TlvOptionalField(1, TlvBoolean),\n }),\n 0x5,\n OperationalCredentials.TlvCsrResponse,\n { invokeAcl: AccessLevel.Administer },\n ),\n};\n\n/**\n * This is the default server implementation of OperationalCredentialsBehavior.\n *\n * TODO - currently \"source of truth\" for fabric data is persisted by FabricManager. If we remove some legacy code\n * paths we can move source of truth to here. Right now we just sync fabrics with MatterDevice. This sync is only as\n * comprehensive as required by current use cases. 
If fabrics are mutated directly on MatterDevice then this code will\n * require update.\n */\nexport class OperationalCredentialsServer extends OperationalCredentialsBehavior {\n declare internal: OperationalCredentialsServer.Internal;\n declare state: OperationalCredentialsServer.State;\n\n override initialize() {\n // maximum number of fabrics. Also FabricBuilder uses 254 as max!\n if (this.state.supportedFabrics === undefined) {\n this.state.supportedFabrics = 254;\n }\n this.state.commissionedFabrics = this.state.fabrics.length;\n\n this.reactTo((this.endpoint as Node).lifecycle.online, this.#nodeOnline);\n }\n\n override async attestationRequest({ attestationNonce }: AttestationRequest) {\n if (attestationNonce.length !== 32) {\n throw new StatusResponseError(\"Invalid attestation nonce length\", StatusCode.InvalidCommand);\n }\n\n const certification = await this.getCertification();\n\n const elements = TlvAttestation.encode({\n declaration: certification.declaration,\n attestationNonce: attestationNonce,\n timestamp: 0,\n });\n return {\n attestationElements: elements,\n attestationSignature: certification.sign(this.session, elements),\n };\n }\n\n override async csrRequest({ csrNonce, isForUpdateNoc }: CsrRequest) {\n if (csrNonce.length !== 32) {\n throw new StatusResponseError(\"Invalid csr nonce length\", StatusCode.InvalidCommand);\n }\n\n if (isForUpdateNoc && this.session.isPase) {\n throw new StatusResponseError(\n \"csrRequest for UpdateNoc received on a PASE session.\",\n StatusCode.InvalidCommand,\n );\n }\n\n const failsafeContext = this.session.context.failsafeContext;\n if (failsafeContext.fabricIndex !== undefined) {\n throw new StatusResponseError(\n `csrRequest received after ${failsafeContext.forUpdateNoc ? 
\"UpdateNOC\" : \"AddNOC\"} already invoked.`,\n StatusCode.ConstraintError,\n );\n }\n\n const certification = await this.getCertification();\n\n const certSigningRequest = failsafeContext.createCertificateSigningRequest(\n isForUpdateNoc ?? false,\n this.session.id,\n );\n const nocsrElements = TlvCertSigningRequest.encode({ certSigningRequest, csrNonce });\n return { nocsrElements, attestationSignature: certification.sign(this.session, nocsrElements) };\n }\n\n override async certificateChainRequest({ certificateType }: CertificateChainRequest) {\n const certification = await this.getCertification();\n\n switch (certificateType) {\n case OperationalCredentials.CertificateChainType.DacCertificate:\n return { certificate: certification.certificate };\n case OperationalCredentials.CertificateChainType.PaiCertificate:\n return { certificate: certification.intermediateCertificate };\n default:\n throw new StatusResponseError(\n `Unsupported certificate type: ${certificateType}`,\n StatusCode.InvalidCommand,\n );\n }\n }\n\n #mapNocErrors(error: unknown): NocResponse {\n if (error instanceof MatterFabricConflictError) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.FabricConflict,\n debugText: error.message,\n };\n } else if (error instanceof FabricTableFullError) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.TableFull,\n debugText: error.message,\n };\n } else if (\n error instanceof CertificateError ||\n error instanceof ValidationError ||\n error instanceof UnexpectedDataError\n ) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidNoc,\n debugText: error.message,\n };\n } else if (error instanceof PublicKeyError) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidPublicKey,\n debugText: error.message,\n };\n } else if (error instanceof MatterFabricInvalidAdminSubjectError) {\n return {\n statusCode: 
OperationalCredentials.NodeOperationalCertStatus.InvalidAdminSubject,\n debugText: error.message,\n };\n }\n throw error;\n }\n\n override async addNoc({ nocValue, icacValue, ipkValue, caseAdminSubject, adminVendorId }: AddNocRequest) {\n const failsafeContext = this.session.context.failsafeContext;\n\n if (failsafeContext.fabricIndex !== undefined) {\n throw new StatusResponseError(\n `addNoc received after ${failsafeContext.forUpdateNoc ? \"UpdateNOC\" : \"AddNOC\"} already invoked.`,\n StatusCode.ConstraintError,\n );\n }\n\n if (!failsafeContext.hasRootCert) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidNoc,\n debugText: \"Root certificate not found.\",\n };\n }\n\n if (failsafeContext.csrSessionId !== this.session.id) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.MissingCsr,\n debugText: \"CSR not found in failsafe context.\",\n };\n }\n\n if (failsafeContext.forUpdateNoc) {\n throw new StatusResponseError(\n `addNoc received after csr request was invoked for UpdateNOC.`,\n StatusCode.ConstraintError,\n );\n }\n\n const state = this.state;\n if (state.commissionedFabrics >= state.supportedFabrics) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.TableFull,\n debugText: `No more fabrics can be added because limit ${state.supportedFabrics} reached.`,\n };\n }\n\n let fabric: Fabric;\n try {\n fabric = await failsafeContext.buildFabric({\n nocValue,\n icacValue,\n adminVendorId,\n ipkValue,\n caseAdminSubject,\n });\n } catch (error) {\n logger.info(\"Building fabric for addNoc failed\", error);\n return this.#mapNocErrors(error);\n }\n\n // The receiver SHALL create and add a new Access Control Entry using the CaseAdminSubject field to grant\n // subsequent Administer access to an Administrator member of the new Fabric.\n const aclCluster = this.agent.get(AccessControlServer);\n aclCluster.state.acl.push({\n fabricIndex: fabric.fabricIndex,\n privilege: 
AccessControl.AccessControlEntryPrivilege.Administer,\n authMode: AccessControl.AccessControlEntryAuthMode.Case,\n subjects: [caseAdminSubject],\n targets: null, // entire node\n });\n\n await failsafeContext.addFabric(fabric);\n\n try {\n if (this.session.isPase) {\n logger.debug(`Add Fabric ${fabric.fabricIndex} to PASE session ${this.session.name}.`);\n this.session.addAssociatedFabric(fabric);\n }\n\n // Update attributes\n const existingFabricIndex = this.state.fabrics.findIndex(f => f.fabricIndex === fabric.fabricIndex);\n const existingNocIndex = this.state.nocs.findIndex(n => n.fabricIndex === fabric.fabricIndex);\n if (existingFabricIndex !== -1 || existingNocIndex !== -1) {\n throw new MatterFlowError(\n `FabricIndex ${fabric.fabricIndex} already exists in state. This should not happen.`,\n );\n }\n } catch (e) {\n // Fabric insertion into MatterDevice is not currently transactional so we need to remove manually\n await fabric.remove(this.session.id);\n throw e;\n }\n\n // TODO The incoming IPKValue SHALL be stored in the Fabric-scoped slot within the Group Key Management cluster\n // (see KeySetWrite), for subsequent use during CASE.\n\n // TODO If the current secure session was established with PASE, the receiver SHALL: a. Augment the secure\n // session context with the FabricIndex generated above, such that subsequent interactions have the proper\n // accessing fabric.\n\n logger.info(`addNoc success, adminVendorId ${adminVendorId}, caseAdminSubject ${caseAdminSubject}`);\n\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.Ok,\n fabricIndex: fabric.fabricIndex,\n };\n }\n\n override async updateNoc({ nocValue, icacValue }: UpdateNocRequest) {\n assertSecureSession(this.session);\n\n const device = this.session.context;\n\n const timedOp = device.failsafeContext;\n\n if (timedOp.fabricIndex !== undefined) {\n throw new StatusResponseError(\n `updateNoc received after ${timedOp.forUpdateNoc ? 
\"UpdateNOC\" : \"AddNOC\"} already invoked.`,\n StatusCode.ConstraintError,\n );\n }\n\n if (timedOp.forUpdateNoc) {\n throw new StatusResponseError(\n `addNoc received after csr request was invoked for UpdateNOC.`,\n StatusCode.ConstraintError,\n );\n }\n\n if (timedOp.hasRootCert) {\n throw new StatusResponseError(\n \"Trusted root certificate added in this session which is now allowed for UpdateNOC.\",\n StatusCode.ConstraintError,\n );\n }\n\n if (!timedOp.forUpdateNoc) {\n throw new StatusResponseError(\"csrRequest not invoked for UpdateNOC.\", StatusCode.ConstraintError);\n }\n\n if (this.session.associatedFabric.fabricIndex !== timedOp.associatedFabric?.fabricIndex) {\n throw new StatusResponseError(\n \"Fabric of this session and the failsafe context do not match.\",\n StatusCode.ConstraintError,\n );\n }\n\n // Build a new Fabric with the updated NOC and ICAC\n try {\n const updateFabric = await timedOp.buildUpdatedFabric(nocValue, icacValue);\n\n // update FabricManager and Resumption records but leave current session intact\n await timedOp.updateFabric(updateFabric);\n\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.Ok,\n fabricIndex: updateFabric.fabricIndex,\n };\n } catch (error) {\n logger.info(\"Building fabric for updateNoc failed\", error);\n return this.#mapNocErrors(error);\n }\n }\n\n override async updateFabricLabel({ label }: UpdateFabricLabelRequest) {\n const fabric = this.session.associatedFabric;\n\n const currentFabricIndex = fabric.fabricIndex;\n const device = this.session.context;\n const conflictingLabelFabric = device\n .getFabrics()\n .find(f => f.label === label && f.fabricIndex !== currentFabricIndex);\n if (conflictingLabelFabric !== undefined) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.LabelConflict,\n debugText: `Label ${label} already used by fabric ${conflictingLabelFabric.fabricIndex}`,\n };\n }\n\n await fabric.setLabel(label);\n\n return { statusCode: 
OperationalCredentials.NodeOperationalCertStatus.Ok, fabricIndex: fabric.fabricIndex };\n }\n\n override async removeFabric({ fabricIndex }: RemoveFabricRequest) {\n const device = this.session.context;\n\n const fabric = device.getFabricByIndex(fabricIndex);\n\n if (fabric === undefined) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidFabricIndex,\n debugText: `Fabric ${fabricIndex} not found`,\n };\n }\n\n await fabric.remove(this.session.id);\n // The state is updated on removal via commissionedFabricChanged event, see constructor\n\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.Ok,\n fabricIndex,\n };\n }\n\n override addTrustedRootCertificate({ rootCaCertificate }: AddTrustedRootCertificateRequest) {\n const failsafeContext = this.session.context.failsafeContext;\n\n if (failsafeContext.hasRootCert) {\n throw new StatusResponseError(\n \"Trusted root certificate already added in this FailSafe context.\",\n StatusCode.ConstraintError,\n );\n }\n\n if (failsafeContext.fabricIndex !== undefined) {\n throw new StatusResponseError(\n `Can not add trusted root certificates after ${failsafeContext.forUpdateNoc ? 
\"UpdateNOC\" : \"AddNOC\"}.`,\n StatusCode.ConstraintError,\n );\n }\n\n try {\n failsafeContext.setRootCert(rootCaCertificate);\n } catch (error) {\n logger.info(\"setting root certificate failed\", error);\n if (\n error instanceof CertificateError ||\n error instanceof ValidationError ||\n error instanceof UnexpectedDataError\n ) {\n throw new StatusResponseError(error.message, StatusCode.InvalidCommand);\n }\n throw error;\n }\n }\n\n async #updateFabrics() {\n const fabrics = this.endpoint.env.get(FabricManager).getFabrics();\n this.state.fabrics = fabrics.map(fabric => ({\n fabricId: fabric.fabricId,\n label: fabric.label,\n nodeId: fabric.nodeId,\n rootPublicKey: fabric.rootPublicKey,\n vendorId: fabric.rootVendorId,\n fabricIndex: fabric.fabricIndex,\n }));\n\n this.state.nocs = fabrics.map(fabric => ({\n noc: fabric.operationalCert,\n icac: fabric.intermediateCACert ?? null,\n fabricIndex: fabric.fabricIndex,\n }));\n\n this.state.trustedRootCertificates = fabrics.map(fabric => fabric.rootCert);\n\n this.state.commissionedFabrics = fabrics.length;\n\n await this.context.transaction.commit();\n }\n\n async getCertification() {\n const certification =\n this.internal.certification ??\n (this.internal.certification = new DeviceCertification(\n this.state.certification,\n this.agent.get(ProductDescriptionServer).state,\n ));\n\n if (!certification.construction.ready) {\n await certification.construction;\n }\n return certification;\n }\n\n async #handleAddedFabric({ fabricIndex }: Fabric) {\n await this.#updateFabrics();\n this.agent.get(CommissioningBehavior).handleFabricChange(fabricIndex, FabricAction.Added);\n }\n\n async #handleUpdatedFabric({ fabricIndex }: Fabric) {\n await this.#updateFabrics();\n this.agent.get(CommissioningBehavior).handleFabricChange(fabricIndex, FabricAction.Updated);\n }\n\n async #handleRemovedFabric({ fabricIndex }: Fabric) {\n await this.#updateFabrics();\n this.agent.get(CommissioningBehavior).handleFabricChange(fabricIndex, 
FabricAction.Removed);\n }\n\n async #nodeOnline() {\n const fabricManager = this.endpoint.env.get(FabricManager);\n this.reactTo(fabricManager.events.added, this.#handleAddedFabric);\n this.reactTo(fabricManager.events.updated, this.#handleUpdatedFabric);\n this.reactTo(fabricManager.events.deleted, this.#handleRemovedFabric);\n await this.#updateFabrics();\n }\n}\n\nexport namespace OperationalCredentialsServer {\n export class Internal {\n certification?: DeviceCertification;\n commissionedFabric?: FabricIndex;\n }\n\n export class State extends OperationalCredentialsBehavior.State {\n /**\n * Device certification information.\n *\n * Device certification provides a cryptographic certificate that asserts the official status of a device.\n * Production consumer-facing devices are certified by the CSA.\n *\n * Development devices and those intended for personal use may use a development certificate. This is the\n * default if you do not provide an official certification in {@link ServerOptions.certification}.\n */\n certification?: DeviceCertification.Definition = undefined;\n\n [Val.properties](_endpoint: Endpoint, session: ValueSupervisor.Session) {\n return {\n get currentFabricIndex() {\n return session.fabric ?? FabricIndex.NO_FABRIC;\n },\n };\n }\n }\n}\n"],
|
|
5
|
-
"mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,wBAAwB;AACjC,SAAS,aAAa,eAAe;AACrC,SAAS,qBAAqB;AAC9B,SAAS,8BAA8B;AACvC,SAAS,4CAA4C;AACrD,SAAS,iCAAiC;AAC1C,SAAS,iBAAiB,2BAA2B;AACrD,SAAS,uBAAuB;AAChC,SAAS,mBAAmB;AAE5B,SAAiB,sBAAsB;AACvC,SAAS,cAAc,eAAe,4BAA4B;AAClE,SAAS,cAAc;AAEvB,SAAS,YAAY,2BAA2B;AAChD,SAAS,2BAA2B;AACpC,SAAS,kBAAkB;AAC3B,SAAS,UAAU,WAAW,wBAAwB;AACtD,SAAS,qBAAqB;AAC9B,SAAS,WAAW;AAEpB,SAAS,6BAA6B;AACtC,SAAS,gCAAgC;AACzC,SAAS,2BAA2B;AACpC,SAAS,2BAA2B;AACpC,SAAS,sCAAsC;AAY/C,SAAS,gBAAgB,6BAA6B;AAEtD,MAAM,SAAS,OAAO,IAAI,wBAAwB;AAOlD,uBAAuB,QAAQ,WAAW;AAAA,EACtC,GAAG,uBAAuB,QAAQ;AAAA,EAClC,oBAAoB;AAAA,IAChB;AAAA,IACA,UAAU,EAAE,kBAAkB,SAAS,GAAG,aAAa,EAAE,CAAC;AAAA,IAC1D;AAAA,IACA,uBAAuB;AAAA,IACvB,EAAE,WAAW,YAAY,WAAW;AAAA,EACxC;AAAA,EACA,YAAY;AAAA,IACR;AAAA,IACA,UAAU;AAAA,MACN,UAAU,SAAS,GAAG,aAAa;AAAA,MACnC,gBAAgB,iBAAiB,GAAG,UAAU;AAAA,IAClD,CAAC;AAAA,IACD;AAAA,IACA,uBAAuB;AAAA,IACvB,EAAE,WAAW,YAAY,WAAW;AAAA,EACxC;AACJ;AAUO,MAAM,qCAAqC,+BAA+B;AAAA,EAIpE,aAAa;AAElB,QAAI,KAAK,MAAM,qBAAqB,QAAW;AAC3C,WAAK,MAAM,mBAAmB;AAAA,IAClC;AACA,SAAK,MAAM,sBAAsB,KAAK,MAAM,QAAQ;AAEpD,SAAK,QAAS,KAAK,SAAkB,UAAU,QAAQ,KAAK,WAAW;AAAA,EAC3E;AAAA,EAEA,MAAe,mBAAmB,EAAE,iBAAiB,GAAuB;AACxE,QAAI,iBAAiB,WAAW,IAAI;AAChC,YAAM,IAAI,oBAAoB,oCAAoC,WAAW,cAAc;AAAA,IAC/F;AAEA,UAAM,gBAAgB,MAAM,KAAK,iBAAiB;AAElD,UAAM,WAAW,eAAe,OAAO;AAAA,MACnC,aAAa,cAAc;AAAA,MAC3B;AAAA,MACA,WAAW;AAAA,IACf,CAAC;AACD,WAAO;AAAA,MACH,qBAAqB;AAAA,MACrB,sBAAsB,cAAc,KAAK,KAAK,SAAS,QAAQ;AAAA,IACnE;AAAA,EACJ;AAAA,EAEA,MAAe,WAAW,EAAE,UAAU,eAAe,GAAe;AAChE,QAAI,SAAS,WAAW,IAAI;AACxB,YAAM,IAAI,oBAAoB,4BAA4B,WAAW,cAAc;AAAA,IACvF;AAEA,QAAI,kBAAkB,KAAK,QAAQ,QAAQ;AACvC,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,UAAM,kBAAkB,KAAK,QAAQ,QAAQ;AAC7C,QAAI,gBAAgB,gBAAgB,QAAW;AAC3C,YAAM,IAAI;AAAA,QACN,6BAA6B,gBAAgB,eAAe,cAAc,QAAQ;AAAA,QAClF,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,UAAM,gBAAgB,MAAM,KAAK,iBAAiB;AAElD,UAAM,qBAAqB,gBAAgB;AAAA,MACvC,kBAAkB;AAAA,MAClB,KAAK,QAAQ;AAAA,IACjB;AACA,UAAM,gBAAgB,sBAAsB,OAAO,EAAE,oBAAoB,SAAS,CAAC;AACnF
,WAAO,EAAE,eAAe,sBAAsB,cAAc,KAAK,KAAK,SAAS,aAAa,EAAE;AAAA,EAClG;AAAA,EAEA,MAAe,wBAAwB,EAAE,gBAAgB,GAA4B;AACjF,UAAM,gBAAgB,MAAM,KAAK,iBAAiB;AAElD,YAAQ,iBAAiB;AAAA,MACrB,KAAK,uBAAuB,qBAAqB;AAC7C,eAAO,EAAE,aAAa,cAAc,YAAY;AAAA,MACpD,KAAK,uBAAuB,qBAAqB;AAC7C,eAAO,EAAE,aAAa,cAAc,wBAAwB;AAAA,MAChE;AACI,cAAM,IAAI;AAAA,UACN,iCAAiC,eAAe;AAAA,UAChD,WAAW;AAAA,QACf;AAAA,IACR;AAAA,EACJ;AAAA,EAEA,cAAc,OAA6B;AACvC,QAAI,iBAAiB,2BAA2B;AAC5C,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ,WAAW,iBAAiB,sBAAsB;AAC9C,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ,WACI,iBAAiB,oBACjB,iBAAiB,mBACjB,iBAAiB,qBACnB;AACE,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ,WAAW,iBAAiB,gBAAgB;AACxC,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ,WAAW,iBAAiB,sCAAsC;AAC9D,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ;AACA,UAAM;AAAA,EACV;AAAA,EAEA,MAAe,OAAO,EAAE,UAAU,WAAW,UAAU,kBAAkB,cAAc,GAAkB;AACrG,UAAM,kBAAkB,KAAK,QAAQ,QAAQ;AAE7C,QAAI,gBAAgB,gBAAgB,QAAW;AAC3C,YAAM,IAAI;AAAA,QACN,yBAAyB,gBAAgB,eAAe,cAAc,QAAQ;AAAA,QAC9E,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,CAAC,gBAAgB,aAAa;AAC9B,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,gBAAgB,iBAAiB,KAAK,QAAQ,IAAI;AAClD,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,gBAAgB,cAAc;AAC9B,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,UAAM,QAAQ,KAAK;AACnB,QAAI,MAAM,uBAAuB,MAAM,kBAAkB;AACrD,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,8CAA8C,MAAM,gBAAgB;AAAA,MACnF;AAAA,IACJ;AAEA,QAAI;AACJ,QAAI;AACA,eAAS,MAAM,gBAAgB,YAAY;AAAA,QACvC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACJ,CAAC;AAAA,IACL,SAAS,OAAO;AACZ,aAAO,KAAK,qCAAqC,KAAK;AACtD,aAAO,KAAK,cAAc,KAAK;AAAA,IACnC;AAIA,UAAM,aAAa,KAAK,MAAM,IAAI,mBAAmB;AACrD,eAAW,MAAM,IAAI,KAAK;AAAA,MACtB,aAAa,OAAO;AAAA,MACpB,WAAW,cAAc,4BAA4B;AAAA,MACrD,UAAU,cAAc,2BAA2B;AAAA,MACnD,UAAU,CAAC,gBAAgB;AAAA,MAC3B,SAAS;A
AAA;AAAA,IACb,CAAC;AAED,UAAM,gBAAgB,UAAU,MAAM;AAEtC,QAAI;AACA,UAAI,KAAK,QAAQ,QAAQ;AACrB,eAAO,MAAM,cAAc,OAAO,WAAW,oBAAoB,KAAK,QAAQ,IAAI,GAAG;AACrF,aAAK,QAAQ,oBAAoB,MAAM;AAAA,MAC3C;AAGA,YAAM,sBAAsB,KAAK,MAAM,QAAQ,UAAU,OAAK,EAAE,gBAAgB,OAAO,WAAW;AAClG,YAAM,mBAAmB,KAAK,MAAM,KAAK,UAAU,OAAK,EAAE,gBAAgB,OAAO,WAAW;AAC5F,UAAI,wBAAwB,MAAM,qBAAqB,IAAI;AACvD,cAAM,IAAI;AAAA,UACN,eAAe,OAAO,WAAW;AAAA,QACrC;AAAA,MACJ;AAAA,IACJ,SAAS,GAAG;AAER,YAAM,OAAO,OAAO,KAAK,QAAQ,EAAE;AACnC,YAAM;AAAA,IACV;AASA,WAAO,KAAK,iCAAiC,aAAa,sBAAsB,gBAAgB,EAAE;AAElG,WAAO;AAAA,MACH,YAAY,uBAAuB,0BAA0B;AAAA,MAC7D,aAAa,OAAO;AAAA,IACxB;AAAA,EACJ;AAAA,EAEA,MAAe,UAAU,EAAE,UAAU,UAAU,GAAqB;AAChE,wBAAoB,KAAK,OAAO;AAEhC,UAAM,SAAS,KAAK,QAAQ;AAE5B,UAAM,UAAU,OAAO;AAEvB,QAAI,QAAQ,gBAAgB,QAAW;AACnC,YAAM,IAAI;AAAA,QACN,4BAA4B,QAAQ,eAAe,cAAc,QAAQ;AAAA,QACzE,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,QAAQ,cAAc;AACtB,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,QAAQ,aAAa;AACrB,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,CAAC,QAAQ,cAAc;AACvB,YAAM,IAAI,oBAAoB,yCAAyC,WAAW,eAAe;AAAA,IACrG;AAEA,QAAI,KAAK,QAAQ,iBAAiB,gBAAgB,QAAQ,kBAAkB,aAAa;AACrF,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAGA,QAAI;AACA,YAAM,eAAe,MAAM,QAAQ,mBAAmB,UAAU,SAAS;AAGzE,YAAM,QAAQ,aAAa,YAAY;AAEvC,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,aAAa,aAAa;AAAA,MAC9B;AAAA,IACJ,SAAS,OAAO;AACZ,aAAO,KAAK,wCAAwC,KAAK;AACzD,aAAO,KAAK,cAAc,KAAK;AAAA,IACnC;AAAA,EACJ;AAAA,EAEA,MAAe,kBAAkB,EAAE,MAAM,GAA6B;AAClE,UAAM,SAAS,KAAK,QAAQ;AAE5B,UAAM,qBAAqB,OAAO;AAClC,UAAM,SAAS,KAAK,QAAQ;AAC5B,UAAM,yBAAyB,OAC1B,WAAW,EACX,KAAK,OAAK,EAAE,UAAU,SAAS,EAAE,gBAAgB,kBAAkB;AACxE,QAAI,2BAA2B,QAAW;AACtC,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,SAAS,KAAK,2BAA2B,uBAAuB,WAAW;AAAA,MAC1F;AAAA,IACJ;AAEA,UAAM,OAAO,SAAS,KAAK;AAE3B,WAAO,EAAE,YAAY,uBAAuB,0BAA0B,IAAI,aAAa,OAAO,YAAY;AAAA,EAC9G;AAAA,EAEA,MAAe,aAAa,EAAE,YAAY,GAAwB;AAC9D,UAAM,SAAS,KAAK,QAAQ;AAE5B,UAAM,SAAS,OAAO,iBAAiB,WAAW;AAElD,QAAI,WAAW,QAAW;AACtB,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AA
AA,QAC7D,WAAW,UAAU,WAAW;AAAA,MACpC;AAAA,IACJ;AAEA,UAAM,OAAO,OAAO,KAAK,QAAQ,EAAE;AAGnC,WAAO;AAAA,MACH,YAAY,uBAAuB,0BAA0B;AAAA,MAC7D;AAAA,IACJ;AAAA,EACJ;AAAA,EAES,0BAA0B,EAAE,kBAAkB,GAAqC;AACxF,UAAM,kBAAkB,KAAK,QAAQ,QAAQ;AAE7C,QAAI,gBAAgB,aAAa;AAC7B,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,gBAAgB,gBAAgB,QAAW;AAC3C,YAAM,IAAI;AAAA,QACN,+CAA+C,gBAAgB,eAAe,cAAc,QAAQ;AAAA,QACpG,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI;AACA,sBAAgB,YAAY,iBAAiB;AAAA,IACjD,SAAS,OAAO;AACZ,aAAO,KAAK,mCAAmC,KAAK;AACpD,UACI,iBAAiB,oBACjB,iBAAiB,mBACjB,iBAAiB,qBACnB;AACE,cAAM,IAAI,oBAAoB,MAAM,SAAS,WAAW,cAAc;AAAA,MAC1E;AACA,YAAM;AAAA,IACV;AAAA,
|
|
4
|
+
"sourcesContent": ["/**\n * @license\n * Copyright 2022-2024 Matter.js Authors\n * SPDX-License-Identifier: Apache-2.0\n */\n\nimport { CertificateError } from \"../../../certificate/CertificateManager.js\";\nimport { AccessLevel, Command } from \"../../../cluster/Cluster.js\";\nimport { AccessControl } from \"../../../cluster/definitions/AccessControlCluster.js\";\nimport { OperationalCredentials } from \"../../../cluster/definitions/OperationalCredentialsCluster.js\";\nimport { MatterFabricInvalidAdminSubjectError } from \"../../../common/FailsafeContext.js\";\nimport { MatterFabricConflictError } from \"../../../common/FailsafeTimer.js\";\nimport { MatterFlowError, UnexpectedDataError } from \"../../../common/MatterError.js\";\nimport { ValidationError } from \"../../../common/ValidationError.js\";\nimport { CryptoVerifyError } from \"../../../crypto/Crypto.js\";\nimport { FabricIndex } from \"../../../datatype/FabricIndex.js\";\nimport { Endpoint } from \"../../../endpoint/Endpoint.js\";\nimport { Fabric, PublicKeyError } from \"../../../fabric/Fabric.js\";\nimport { FabricAction, FabricManager, FabricTableFullError } from \"../../../fabric/FabricManager.js\";\nimport { Logger } from \"../../../log/Logger.js\";\nimport type { Node } from \"../../../node/Node.js\";\nimport { StatusCode, StatusResponseError } from \"../../../protocol/interaction/StatusCode.js\";\nimport { assertSecureSession } from \"../../../session/SecureSession.js\";\nimport { TlvBoolean } from \"../../../tlv/TlvBoolean.js\";\nimport { TlvField, TlvObject, TlvOptionalField } from \"../../../tlv/TlvObject.js\";\nimport { TlvByteString } from \"../../../tlv/TlvString.js\";\nimport { Val } from \"../../state/Val.js\";\nimport { ValueSupervisor } from \"../../supervision/ValueSupervisor.js\";\nimport { CommissioningBehavior } from \"../../system/commissioning/CommissioningBehavior.js\";\nimport { ProductDescriptionServer } from 
\"../../system/product-description/ProductDescriptionServer.js\";\nimport { AccessControlServer } from \"../access-control/AccessControlServer.js\";\nimport { DeviceCertification } from \"./DeviceCertification.js\";\nimport { OperationalCredentialsBehavior } from \"./OperationalCredentialsBehavior.js\";\nimport {\n AddNocRequest,\n AddTrustedRootCertificateRequest,\n AttestationRequest,\n CertificateChainRequest,\n CsrRequest,\n NocResponse,\n RemoveFabricRequest,\n UpdateFabricLabelRequest,\n UpdateNocRequest,\n} from \"./OperationalCredentialsInterface.js\";\nimport { TlvAttestation, TlvCertSigningRequest } from \"./OperationalCredentialsTypes.js\";\n\nconst logger = Logger.get(\"OperationalCredentials\");\n\n/**\n * Monkey patching Tlv Structure of attestationRequest and csrRequest commands to prevent data validation of the nonce\n * fields to be handled as ConstraintError because we need to return a special error.\n * We do this to leave the model in fact for other validations and only apply the change for our Schema-aware Tlv parsing.\n */\nOperationalCredentials.Cluster.commands = {\n ...OperationalCredentials.Cluster.commands,\n attestationRequest: Command(\n 0x0,\n TlvObject({ attestationNonce: TlvField(0, TlvByteString) }),\n 0x1,\n OperationalCredentials.TlvAttestationResponse,\n { invokeAcl: AccessLevel.Administer },\n ),\n csrRequest: Command(\n 0x4,\n TlvObject({\n csrNonce: TlvField(0, TlvByteString),\n isForUpdateNoc: TlvOptionalField(1, TlvBoolean),\n }),\n 0x5,\n OperationalCredentials.TlvCsrResponse,\n { invokeAcl: AccessLevel.Administer },\n ),\n};\n\n/**\n * This is the default server implementation of OperationalCredentialsBehavior.\n *\n * TODO - currently \"source of truth\" for fabric data is persisted by FabricManager. If we remove some legacy code\n * paths we can move source of truth to here. Right now we just sync fabrics with MatterDevice. This sync is only as\n * comprehensive as required by current use cases. 
If fabrics are mutated directly on MatterDevice then this code will\n * require update.\n */\nexport class OperationalCredentialsServer extends OperationalCredentialsBehavior {\n declare internal: OperationalCredentialsServer.Internal;\n declare state: OperationalCredentialsServer.State;\n\n override initialize() {\n // maximum number of fabrics. Also FabricBuilder uses 254 as max!\n if (this.state.supportedFabrics === undefined) {\n this.state.supportedFabrics = 254;\n }\n this.state.commissionedFabrics = this.state.fabrics.length;\n\n this.reactTo((this.endpoint as Node).lifecycle.online, this.#nodeOnline);\n }\n\n override async attestationRequest({ attestationNonce }: AttestationRequest) {\n if (attestationNonce.length !== 32) {\n throw new StatusResponseError(\"Invalid attestation nonce length\", StatusCode.InvalidCommand);\n }\n\n const certification = await this.getCertification();\n\n const elements = TlvAttestation.encode({\n declaration: certification.declaration,\n attestationNonce: attestationNonce,\n timestamp: 0,\n });\n return {\n attestationElements: elements,\n attestationSignature: certification.sign(this.session, elements),\n };\n }\n\n override async csrRequest({ csrNonce, isForUpdateNoc }: CsrRequest) {\n if (csrNonce.length !== 32) {\n throw new StatusResponseError(\"Invalid csr nonce length\", StatusCode.InvalidCommand);\n }\n\n if (isForUpdateNoc && this.session.isPase) {\n throw new StatusResponseError(\n \"csrRequest for UpdateNoc received on a PASE session.\",\n StatusCode.InvalidCommand,\n );\n }\n\n const failsafeContext = this.session.context.failsafeContext;\n if (failsafeContext.fabricIndex !== undefined) {\n throw new StatusResponseError(\n `csrRequest received after ${failsafeContext.forUpdateNoc ? 
\"UpdateNOC\" : \"AddNOC\"} already invoked.`,\n StatusCode.ConstraintError,\n );\n }\n\n const certification = await this.getCertification();\n\n const certSigningRequest = failsafeContext.createCertificateSigningRequest(\n isForUpdateNoc ?? false,\n this.session.id,\n );\n const nocsrElements = TlvCertSigningRequest.encode({ certSigningRequest, csrNonce });\n return { nocsrElements, attestationSignature: certification.sign(this.session, nocsrElements) };\n }\n\n override async certificateChainRequest({ certificateType }: CertificateChainRequest) {\n const certification = await this.getCertification();\n\n switch (certificateType) {\n case OperationalCredentials.CertificateChainType.DacCertificate:\n return { certificate: certification.certificate };\n case OperationalCredentials.CertificateChainType.PaiCertificate:\n return { certificate: certification.intermediateCertificate };\n default:\n throw new StatusResponseError(\n `Unsupported certificate type: ${certificateType}`,\n StatusCode.InvalidCommand,\n );\n }\n }\n\n #mapNocErrors(error: unknown): NocResponse {\n if (error instanceof MatterFabricConflictError) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.FabricConflict,\n debugText: error.message,\n };\n } else if (error instanceof FabricTableFullError) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.TableFull,\n debugText: error.message,\n };\n } else if (\n error instanceof CryptoVerifyError ||\n error instanceof CertificateError ||\n error instanceof ValidationError ||\n error instanceof UnexpectedDataError\n ) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidNoc,\n debugText: error.message,\n };\n } else if (error instanceof PublicKeyError) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidPublicKey,\n debugText: error.message,\n };\n } else if (error instanceof MatterFabricInvalidAdminSubjectError) {\n return {\n statusCode: 
OperationalCredentials.NodeOperationalCertStatus.InvalidAdminSubject,\n debugText: error.message,\n };\n }\n throw error;\n }\n\n override async addNoc({ nocValue, icacValue, ipkValue, caseAdminSubject, adminVendorId }: AddNocRequest) {\n const failsafeContext = this.session.context.failsafeContext;\n\n if (failsafeContext.fabricIndex !== undefined) {\n throw new StatusResponseError(\n `addNoc received after ${failsafeContext.forUpdateNoc ? \"UpdateNOC\" : \"AddNOC\"} already invoked.`,\n StatusCode.ConstraintError,\n );\n }\n\n if (!failsafeContext.hasRootCert) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidNoc,\n debugText: \"Root certificate not found.\",\n };\n }\n\n if (failsafeContext.csrSessionId !== this.session.id) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.MissingCsr,\n debugText: \"CSR not found in failsafe context.\",\n };\n }\n\n if (failsafeContext.forUpdateNoc) {\n throw new StatusResponseError(\n `addNoc received after csr request was invoked for UpdateNOC.`,\n StatusCode.ConstraintError,\n );\n }\n\n const state = this.state;\n if (state.commissionedFabrics >= state.supportedFabrics) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.TableFull,\n debugText: `No more fabrics can be added because limit ${state.supportedFabrics} reached.`,\n };\n }\n\n let fabric: Fabric;\n try {\n fabric = await failsafeContext.buildFabric({\n nocValue,\n icacValue,\n adminVendorId,\n ipkValue,\n caseAdminSubject,\n });\n } catch (error) {\n logger.info(\"Building fabric for addNoc failed\", error);\n return this.#mapNocErrors(error);\n }\n\n // The receiver SHALL create and add a new Access Control Entry using the CaseAdminSubject field to grant\n // subsequent Administer access to an Administrator member of the new Fabric.\n const aclCluster = this.agent.get(AccessControlServer);\n aclCluster.state.acl.push({\n fabricIndex: fabric.fabricIndex,\n privilege: 
AccessControl.AccessControlEntryPrivilege.Administer,\n authMode: AccessControl.AccessControlEntryAuthMode.Case,\n subjects: [caseAdminSubject],\n targets: null, // entire node\n });\n\n await failsafeContext.addFabric(fabric);\n\n try {\n if (this.session.isPase) {\n logger.debug(`Add Fabric ${fabric.fabricIndex} to PASE session ${this.session.name}.`);\n this.session.addAssociatedFabric(fabric);\n }\n\n // Update attributes\n const existingFabricIndex = this.state.fabrics.findIndex(f => f.fabricIndex === fabric.fabricIndex);\n const existingNocIndex = this.state.nocs.findIndex(n => n.fabricIndex === fabric.fabricIndex);\n if (existingFabricIndex !== -1 || existingNocIndex !== -1) {\n throw new MatterFlowError(\n `FabricIndex ${fabric.fabricIndex} already exists in state. This should not happen.`,\n );\n }\n } catch (e) {\n // Fabric insertion into MatterDevice is not currently transactional so we need to remove manually\n await fabric.remove(this.session.id);\n throw e;\n }\n\n // TODO The incoming IPKValue SHALL be stored in the Fabric-scoped slot within the Group Key Management cluster\n // (see KeySetWrite), for subsequent use during CASE.\n\n // TODO If the current secure session was established with PASE, the receiver SHALL: a. Augment the secure\n // session context with the FabricIndex generated above, such that subsequent interactions have the proper\n // accessing fabric.\n\n logger.info(`addNoc success, adminVendorId ${adminVendorId}, caseAdminSubject ${caseAdminSubject}`);\n\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.Ok,\n fabricIndex: fabric.fabricIndex,\n };\n }\n\n override async updateNoc({ nocValue, icacValue }: UpdateNocRequest) {\n assertSecureSession(this.session);\n\n const device = this.session.context;\n\n const timedOp = device.failsafeContext;\n\n if (timedOp.fabricIndex !== undefined) {\n throw new StatusResponseError(\n `updateNoc received after ${timedOp.forUpdateNoc ? 
\"UpdateNOC\" : \"AddNOC\"} already invoked.`,\n StatusCode.ConstraintError,\n );\n }\n\n if (timedOp.forUpdateNoc) {\n throw new StatusResponseError(\n `addNoc received after csr request was invoked for UpdateNOC.`,\n StatusCode.ConstraintError,\n );\n }\n\n if (timedOp.hasRootCert) {\n throw new StatusResponseError(\n \"Trusted root certificate added in this session which is now allowed for UpdateNOC.\",\n StatusCode.ConstraintError,\n );\n }\n\n if (!timedOp.forUpdateNoc) {\n throw new StatusResponseError(\"csrRequest not invoked for UpdateNOC.\", StatusCode.ConstraintError);\n }\n\n if (this.session.associatedFabric.fabricIndex !== timedOp.associatedFabric?.fabricIndex) {\n throw new StatusResponseError(\n \"Fabric of this session and the failsafe context do not match.\",\n StatusCode.ConstraintError,\n );\n }\n\n // Build a new Fabric with the updated NOC and ICAC\n try {\n const updateFabric = await timedOp.buildUpdatedFabric(nocValue, icacValue);\n\n // update FabricManager and Resumption records but leave current session intact\n await timedOp.updateFabric(updateFabric);\n\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.Ok,\n fabricIndex: updateFabric.fabricIndex,\n };\n } catch (error) {\n logger.info(\"Building fabric for updateNoc failed\", error);\n return this.#mapNocErrors(error);\n }\n }\n\n override async updateFabricLabel({ label }: UpdateFabricLabelRequest) {\n const fabric = this.session.associatedFabric;\n\n const currentFabricIndex = fabric.fabricIndex;\n const device = this.session.context;\n const conflictingLabelFabric = device\n .getFabrics()\n .find(f => f.label === label && f.fabricIndex !== currentFabricIndex);\n if (conflictingLabelFabric !== undefined) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.LabelConflict,\n debugText: `Label ${label} already used by fabric ${conflictingLabelFabric.fabricIndex}`,\n };\n }\n\n await fabric.setLabel(label);\n\n return { statusCode: 
OperationalCredentials.NodeOperationalCertStatus.Ok, fabricIndex: fabric.fabricIndex };\n }\n\n override async removeFabric({ fabricIndex }: RemoveFabricRequest) {\n const device = this.session.context;\n\n const fabric = device.getFabricByIndex(fabricIndex);\n\n if (fabric === undefined) {\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.InvalidFabricIndex,\n debugText: `Fabric ${fabricIndex} not found`,\n };\n }\n\n await fabric.remove(this.session.id);\n // The state is updated on removal via commissionedFabricChanged event, see constructor\n\n return {\n statusCode: OperationalCredentials.NodeOperationalCertStatus.Ok,\n fabricIndex,\n };\n }\n\n override addTrustedRootCertificate({ rootCaCertificate }: AddTrustedRootCertificateRequest) {\n const failsafeContext = this.session.context.failsafeContext;\n\n if (failsafeContext.hasRootCert) {\n throw new StatusResponseError(\n \"Trusted root certificate already added in this FailSafe context.\",\n StatusCode.ConstraintError,\n );\n }\n\n if (failsafeContext.fabricIndex !== undefined) {\n throw new StatusResponseError(\n `Can not add trusted root certificates after ${failsafeContext.forUpdateNoc ? 
\"UpdateNOC\" : \"AddNOC\"}.`,\n StatusCode.ConstraintError,\n );\n }\n\n try {\n failsafeContext.setRootCert(rootCaCertificate);\n } catch (error) {\n logger.info(\"setting root certificate failed\", error);\n if (\n error instanceof CryptoVerifyError ||\n error instanceof CertificateError ||\n error instanceof ValidationError ||\n error instanceof UnexpectedDataError\n ) {\n throw new StatusResponseError(error.message, StatusCode.InvalidCommand);\n }\n throw error;\n }\n\n const fabrics = this.endpoint.env.get(FabricManager).getFabrics();\n const trustedRootCertificates = fabrics.map(fabric => fabric.rootCert);\n trustedRootCertificates.push(rootCaCertificate);\n this.state.trustedRootCertificates = trustedRootCertificates;\n }\n\n async #updateFabrics() {\n const fabrics = this.endpoint.env.get(FabricManager).getFabrics();\n this.state.fabrics = fabrics.map(fabric => ({\n fabricId: fabric.fabricId,\n label: fabric.label,\n nodeId: fabric.nodeId,\n rootPublicKey: fabric.rootPublicKey,\n vendorId: fabric.rootVendorId,\n fabricIndex: fabric.fabricIndex,\n }));\n\n this.state.nocs = fabrics.map(fabric => ({\n noc: fabric.operationalCert,\n icac: fabric.intermediateCACert ?? 
null,\n fabricIndex: fabric.fabricIndex,\n }));\n\n this.state.trustedRootCertificates = fabrics.map(fabric => fabric.rootCert);\n\n this.state.commissionedFabrics = fabrics.length;\n\n await this.context.transaction.commit();\n }\n\n async getCertification() {\n const certification =\n this.internal.certification ??\n (this.internal.certification = new DeviceCertification(\n this.state.certification,\n this.agent.get(ProductDescriptionServer).state,\n ));\n\n if (!certification.construction.ready) {\n await certification.construction;\n }\n return certification;\n }\n\n async #handleAddedFabric({ fabricIndex }: Fabric) {\n await this.#updateFabrics();\n this.agent.get(CommissioningBehavior).handleFabricChange(fabricIndex, FabricAction.Added);\n }\n\n async #handleUpdatedFabric({ fabricIndex }: Fabric) {\n await this.#updateFabrics();\n this.agent.get(CommissioningBehavior).handleFabricChange(fabricIndex, FabricAction.Updated);\n }\n\n async #handleRemovedFabric({ fabricIndex }: Fabric) {\n await this.#updateFabrics();\n this.agent.get(CommissioningBehavior).handleFabricChange(fabricIndex, FabricAction.Removed);\n }\n\n async #handleFailsafeClosed() {\n await this.#updateFabrics();\n }\n\n async #nodeOnline() {\n const fabricManager = this.endpoint.env.get(FabricManager);\n this.reactTo(fabricManager.events.added, this.#handleAddedFabric);\n this.reactTo(fabricManager.events.updated, this.#handleUpdatedFabric);\n this.reactTo(fabricManager.events.deleted, this.#handleRemovedFabric);\n this.reactTo(fabricManager.events.failsafeClosed, this.#handleFailsafeClosed, { lock: true });\n await this.#updateFabrics();\n }\n}\n\nexport namespace OperationalCredentialsServer {\n export class Internal {\n certification?: DeviceCertification;\n commissionedFabric?: FabricIndex;\n }\n\n export class State extends OperationalCredentialsBehavior.State {\n /**\n * Device certification information.\n *\n * Device certification provides a cryptographic certificate that asserts the 
official status of a device.\n * Production consumer-facing devices are certified by the CSA.\n *\n * Development devices and those intended for personal use may use a development certificate. This is the\n * default if you do not provide an official certification in {@link ServerOptions.certification}.\n */\n certification?: DeviceCertification.Definition = undefined;\n\n [Val.properties](_endpoint: Endpoint, session: ValueSupervisor.Session) {\n return {\n get currentFabricIndex() {\n return session.fabric ?? FabricIndex.NO_FABRIC;\n },\n };\n }\n }\n}\n"],
|
|
5
|
+
"mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,wBAAwB;AACjC,SAAS,aAAa,eAAe;AACrC,SAAS,qBAAqB;AAC9B,SAAS,8BAA8B;AACvC,SAAS,4CAA4C;AACrD,SAAS,iCAAiC;AAC1C,SAAS,iBAAiB,2BAA2B;AACrD,SAAS,uBAAuB;AAChC,SAAS,yBAAyB;AAClC,SAAS,mBAAmB;AAE5B,SAAiB,sBAAsB;AACvC,SAAS,cAAc,eAAe,4BAA4B;AAClE,SAAS,cAAc;AAEvB,SAAS,YAAY,2BAA2B;AAChD,SAAS,2BAA2B;AACpC,SAAS,kBAAkB;AAC3B,SAAS,UAAU,WAAW,wBAAwB;AACtD,SAAS,qBAAqB;AAC9B,SAAS,WAAW;AAEpB,SAAS,6BAA6B;AACtC,SAAS,gCAAgC;AACzC,SAAS,2BAA2B;AACpC,SAAS,2BAA2B;AACpC,SAAS,sCAAsC;AAY/C,SAAS,gBAAgB,6BAA6B;AAEtD,MAAM,SAAS,OAAO,IAAI,wBAAwB;AAOlD,uBAAuB,QAAQ,WAAW;AAAA,EACtC,GAAG,uBAAuB,QAAQ;AAAA,EAClC,oBAAoB;AAAA,IAChB;AAAA,IACA,UAAU,EAAE,kBAAkB,SAAS,GAAG,aAAa,EAAE,CAAC;AAAA,IAC1D;AAAA,IACA,uBAAuB;AAAA,IACvB,EAAE,WAAW,YAAY,WAAW;AAAA,EACxC;AAAA,EACA,YAAY;AAAA,IACR;AAAA,IACA,UAAU;AAAA,MACN,UAAU,SAAS,GAAG,aAAa;AAAA,MACnC,gBAAgB,iBAAiB,GAAG,UAAU;AAAA,IAClD,CAAC;AAAA,IACD;AAAA,IACA,uBAAuB;AAAA,IACvB,EAAE,WAAW,YAAY,WAAW;AAAA,EACxC;AACJ;AAUO,MAAM,qCAAqC,+BAA+B;AAAA,EAIpE,aAAa;AAElB,QAAI,KAAK,MAAM,qBAAqB,QAAW;AAC3C,WAAK,MAAM,mBAAmB;AAAA,IAClC;AACA,SAAK,MAAM,sBAAsB,KAAK,MAAM,QAAQ;AAEpD,SAAK,QAAS,KAAK,SAAkB,UAAU,QAAQ,KAAK,WAAW;AAAA,EAC3E;AAAA,EAEA,MAAe,mBAAmB,EAAE,iBAAiB,GAAuB;AACxE,QAAI,iBAAiB,WAAW,IAAI;AAChC,YAAM,IAAI,oBAAoB,oCAAoC,WAAW,cAAc;AAAA,IAC/F;AAEA,UAAM,gBAAgB,MAAM,KAAK,iBAAiB;AAElD,UAAM,WAAW,eAAe,OAAO;AAAA,MACnC,aAAa,cAAc;AAAA,MAC3B;AAAA,MACA,WAAW;AAAA,IACf,CAAC;AACD,WAAO;AAAA,MACH,qBAAqB;AAAA,MACrB,sBAAsB,cAAc,KAAK,KAAK,SAAS,QAAQ;AAAA,IACnE;AAAA,EACJ;AAAA,EAEA,MAAe,WAAW,EAAE,UAAU,eAAe,GAAe;AAChE,QAAI,SAAS,WAAW,IAAI;AACxB,YAAM,IAAI,oBAAoB,4BAA4B,WAAW,cAAc;AAAA,IACvF;AAEA,QAAI,kBAAkB,KAAK,QAAQ,QAAQ;AACvC,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,UAAM,kBAAkB,KAAK,QAAQ,QAAQ;AAC7C,QAAI,gBAAgB,gBAAgB,QAAW;AAC3C,YAAM,IAAI;AAAA,QACN,6BAA6B,gBAAgB,eAAe,cAAc,QAAQ;AAAA,QAClF,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,UAAM,gBAAgB,MAAM,KAAK,iBAAiB;AAElD,UAAM,qBAAqB,gBAAgB;AAAA,MACvC,kBAAkB;AAAA,MAClB,KAAK,QAAQ;AAAA,IACjB;AACA,UAAM,gBAAgB,sBAAsB,OAAO,EAAE,oBAA
oB,SAAS,CAAC;AACnF,WAAO,EAAE,eAAe,sBAAsB,cAAc,KAAK,KAAK,SAAS,aAAa,EAAE;AAAA,EAClG;AAAA,EAEA,MAAe,wBAAwB,EAAE,gBAAgB,GAA4B;AACjF,UAAM,gBAAgB,MAAM,KAAK,iBAAiB;AAElD,YAAQ,iBAAiB;AAAA,MACrB,KAAK,uBAAuB,qBAAqB;AAC7C,eAAO,EAAE,aAAa,cAAc,YAAY;AAAA,MACpD,KAAK,uBAAuB,qBAAqB;AAC7C,eAAO,EAAE,aAAa,cAAc,wBAAwB;AAAA,MAChE;AACI,cAAM,IAAI;AAAA,UACN,iCAAiC,eAAe;AAAA,UAChD,WAAW;AAAA,QACf;AAAA,IACR;AAAA,EACJ;AAAA,EAEA,cAAc,OAA6B;AACvC,QAAI,iBAAiB,2BAA2B;AAC5C,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ,WAAW,iBAAiB,sBAAsB;AAC9C,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ,WACI,iBAAiB,qBACjB,iBAAiB,oBACjB,iBAAiB,mBACjB,iBAAiB,qBACnB;AACE,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ,WAAW,iBAAiB,gBAAgB;AACxC,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ,WAAW,iBAAiB,sCAAsC;AAC9D,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,MAAM;AAAA,MACrB;AAAA,IACJ;AACA,UAAM;AAAA,EACV;AAAA,EAEA,MAAe,OAAO,EAAE,UAAU,WAAW,UAAU,kBAAkB,cAAc,GAAkB;AACrG,UAAM,kBAAkB,KAAK,QAAQ,QAAQ;AAE7C,QAAI,gBAAgB,gBAAgB,QAAW;AAC3C,YAAM,IAAI;AAAA,QACN,yBAAyB,gBAAgB,eAAe,cAAc,QAAQ;AAAA,QAC9E,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,CAAC,gBAAgB,aAAa;AAC9B,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,gBAAgB,iBAAiB,KAAK,QAAQ,IAAI;AAClD,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,gBAAgB,cAAc;AAC9B,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,UAAM,QAAQ,KAAK;AACnB,QAAI,MAAM,uBAAuB,MAAM,kBAAkB;AACrD,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,8CAA8C,MAAM,gBAAgB;AAAA,MACnF;AAAA,IACJ;AAEA,QAAI;AACJ,QAAI;AACA,eAAS,MAAM,gBAAgB,YAAY;AAAA,QACvC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACJ,CAAC;AAAA,IACL,SAAS,OAAO;AACZ,aAAO,KAAK,qCAAqC,KAAK;AACtD,aAAO,KAAK,cAAc,KAAK;AAAA,IACnC;AAIA,UAAM,aAAa,KAAK,MAAM,IAAI,mBAAmB;AACrD,eAAW,MAAM,IAAI,KAAK;AAAA,MACtB,aAAa,OAAO;AAAA,MACpB,WAAW,cAAc,4BAA4B;AAAA,MACrD,UAAU,cAAc,2BAA2B;AAAA,MACnD,UA
AU,CAAC,gBAAgB;AAAA,MAC3B,SAAS;AAAA;AAAA,IACb,CAAC;AAED,UAAM,gBAAgB,UAAU,MAAM;AAEtC,QAAI;AACA,UAAI,KAAK,QAAQ,QAAQ;AACrB,eAAO,MAAM,cAAc,OAAO,WAAW,oBAAoB,KAAK,QAAQ,IAAI,GAAG;AACrF,aAAK,QAAQ,oBAAoB,MAAM;AAAA,MAC3C;AAGA,YAAM,sBAAsB,KAAK,MAAM,QAAQ,UAAU,OAAK,EAAE,gBAAgB,OAAO,WAAW;AAClG,YAAM,mBAAmB,KAAK,MAAM,KAAK,UAAU,OAAK,EAAE,gBAAgB,OAAO,WAAW;AAC5F,UAAI,wBAAwB,MAAM,qBAAqB,IAAI;AACvD,cAAM,IAAI;AAAA,UACN,eAAe,OAAO,WAAW;AAAA,QACrC;AAAA,MACJ;AAAA,IACJ,SAAS,GAAG;AAER,YAAM,OAAO,OAAO,KAAK,QAAQ,EAAE;AACnC,YAAM;AAAA,IACV;AASA,WAAO,KAAK,iCAAiC,aAAa,sBAAsB,gBAAgB,EAAE;AAElG,WAAO;AAAA,MACH,YAAY,uBAAuB,0BAA0B;AAAA,MAC7D,aAAa,OAAO;AAAA,IACxB;AAAA,EACJ;AAAA,EAEA,MAAe,UAAU,EAAE,UAAU,UAAU,GAAqB;AAChE,wBAAoB,KAAK,OAAO;AAEhC,UAAM,SAAS,KAAK,QAAQ;AAE5B,UAAM,UAAU,OAAO;AAEvB,QAAI,QAAQ,gBAAgB,QAAW;AACnC,YAAM,IAAI;AAAA,QACN,4BAA4B,QAAQ,eAAe,cAAc,QAAQ;AAAA,QACzE,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,QAAQ,cAAc;AACtB,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,QAAQ,aAAa;AACrB,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,CAAC,QAAQ,cAAc;AACvB,YAAM,IAAI,oBAAoB,yCAAyC,WAAW,eAAe;AAAA,IACrG;AAEA,QAAI,KAAK,QAAQ,iBAAiB,gBAAgB,QAAQ,kBAAkB,aAAa;AACrF,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAGA,QAAI;AACA,YAAM,eAAe,MAAM,QAAQ,mBAAmB,UAAU,SAAS;AAGzE,YAAM,QAAQ,aAAa,YAAY;AAEvC,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,aAAa,aAAa;AAAA,MAC9B;AAAA,IACJ,SAAS,OAAO;AACZ,aAAO,KAAK,wCAAwC,KAAK;AACzD,aAAO,KAAK,cAAc,KAAK;AAAA,IACnC;AAAA,EACJ;AAAA,EAEA,MAAe,kBAAkB,EAAE,MAAM,GAA6B;AAClE,UAAM,SAAS,KAAK,QAAQ;AAE5B,UAAM,qBAAqB,OAAO;AAClC,UAAM,SAAS,KAAK,QAAQ;AAC5B,UAAM,yBAAyB,OAC1B,WAAW,EACX,KAAK,OAAK,EAAE,UAAU,SAAS,EAAE,gBAAgB,kBAAkB;AACxE,QAAI,2BAA2B,QAAW;AACtC,aAAO;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,SAAS,KAAK,2BAA2B,uBAAuB,WAAW;AAAA,MAC1F;AAAA,IACJ;AAEA,UAAM,OAAO,SAAS,KAAK;AAE3B,WAAO,EAAE,YAAY,uBAAuB,0BAA0B,IAAI,aAAa,OAAO,YAAY;AAAA,EAC9G;AAAA,EAEA,MAAe,aAAa,EAAE,YAAY,GAAwB;AAC9D,UAAM,SAAS,KAAK,QAAQ;AAE5B,UAAM,SAAS,OAAO,iBAAiB,WAAW;AAElD,QAAI,WAAW,QAAW;AACtB,aAAO
;AAAA,QACH,YAAY,uBAAuB,0BAA0B;AAAA,QAC7D,WAAW,UAAU,WAAW;AAAA,MACpC;AAAA,IACJ;AAEA,UAAM,OAAO,OAAO,KAAK,QAAQ,EAAE;AAGnC,WAAO;AAAA,MACH,YAAY,uBAAuB,0BAA0B;AAAA,MAC7D;AAAA,IACJ;AAAA,EACJ;AAAA,EAES,0BAA0B,EAAE,kBAAkB,GAAqC;AACxF,UAAM,kBAAkB,KAAK,QAAQ,QAAQ;AAE7C,QAAI,gBAAgB,aAAa;AAC7B,YAAM,IAAI;AAAA,QACN;AAAA,QACA,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI,gBAAgB,gBAAgB,QAAW;AAC3C,YAAM,IAAI;AAAA,QACN,+CAA+C,gBAAgB,eAAe,cAAc,QAAQ;AAAA,QACpG,WAAW;AAAA,MACf;AAAA,IACJ;AAEA,QAAI;AACA,sBAAgB,YAAY,iBAAiB;AAAA,IACjD,SAAS,OAAO;AACZ,aAAO,KAAK,mCAAmC,KAAK;AACpD,UACI,iBAAiB,qBACjB,iBAAiB,oBACjB,iBAAiB,mBACjB,iBAAiB,qBACnB;AACE,cAAM,IAAI,oBAAoB,MAAM,SAAS,WAAW,cAAc;AAAA,MAC1E;AACA,YAAM;AAAA,IACV;AAEA,UAAM,UAAU,KAAK,SAAS,IAAI,IAAI,aAAa,EAAE,WAAW;AAChE,UAAM,0BAA0B,QAAQ,IAAI,YAAU,OAAO,QAAQ;AACrE,4BAAwB,KAAK,iBAAiB;AAC9C,SAAK,MAAM,0BAA0B;AAAA,EACzC;AAAA,EAEA,MAAM,iBAAiB;AACnB,UAAM,UAAU,KAAK,SAAS,IAAI,IAAI,aAAa,EAAE,WAAW;AAChE,SAAK,MAAM,UAAU,QAAQ,IAAI,aAAW;AAAA,MACxC,UAAU,OAAO;AAAA,MACjB,OAAO,OAAO;AAAA,MACd,QAAQ,OAAO;AAAA,MACf,eAAe,OAAO;AAAA,MACtB,UAAU,OAAO;AAAA,MACjB,aAAa,OAAO;AAAA,IACxB,EAAE;AAEF,SAAK,MAAM,OAAO,QAAQ,IAAI,aAAW;AAAA,MACrC,KAAK,OAAO;AAAA,MACZ,MAAM,OAAO,sBAAsB;AAAA,MACnC,aAAa,OAAO;AAAA,IACxB,EAAE;AAEF,SAAK,MAAM,0BAA0B,QAAQ,IAAI,YAAU,OAAO,QAAQ;AAE1E,SAAK,MAAM,sBAAsB,QAAQ;AAEzC,UAAM,KAAK,QAAQ,YAAY,OAAO;AAAA,EAC1C;AAAA,EAEA,MAAM,mBAAmB;AACrB,UAAM,gBACF,KAAK,SAAS,kBACb,KAAK,SAAS,gBAAgB,IAAI;AAAA,MAC/B,KAAK,MAAM;AAAA,MACX,KAAK,MAAM,IAAI,wBAAwB,EAAE;AAAA,IAC7C;AAEJ,QAAI,CAAC,cAAc,aAAa,OAAO;AACnC,YAAM,cAAc;AAAA,IACxB;AACA,WAAO;AAAA,EACX;AAAA,EAEA,MAAM,mBAAmB,EAAE,YAAY,GAAW;AAC9C,UAAM,KAAK,eAAe;AAC1B,SAAK,MAAM,IAAI,qBAAqB,EAAE,mBAAmB,aAAa,aAAa,KAAK;AAAA,EAC5F;AAAA,EAEA,MAAM,qBAAqB,EAAE,YAAY,GAAW;AAChD,UAAM,KAAK,eAAe;AAC1B,SAAK,MAAM,IAAI,qBAAqB,EAAE,mBAAmB,aAAa,aAAa,OAAO;AAAA,EAC9F;AAAA,EAEA,MAAM,qBAAqB,EAAE,YAAY,GAAW;AAChD,UAAM,KAAK,eAAe;AAC1B,SAAK,MAAM,IAAI,qBAAqB,EAAE,mBAAmB,aAAa,aAAa,OAAO;AAAA,EAC9F;AAAA,EAEA,MAAM,wBAAwB;AAC1B,UAAM,KAAK,eAAe;AAAA,EAC9B;AAAA,EAEA,MAAM,cAAc;AAChB,UAAM,gBAAg
B,KAAK,SAAS,IAAI,IAAI,aAAa;AACzD,SAAK,QAAQ,cAAc,OAAO,OAAO,KAAK,kBAAkB;AAChE,SAAK,QAAQ,cAAc,OAAO,SAAS,KAAK,oBAAoB;AACpE,SAAK,QAAQ,cAAc,OAAO,SAAS,KAAK,oBAAoB;AACpE,SAAK,QAAQ,cAAc,OAAO,gBAAgB,KAAK,uBAAuB,EAAE,MAAM,KAAK,CAAC;AAC5F,UAAM,KAAK,eAAe;AAAA,EAC9B;AACJ;AAAA,CAEO,CAAUA,kCAAV;AAAA,EACI,MAAM,SAAS;AAAA,EAGtB;AAHO,EAAAA,8BAAM;AAAA,EAKN,MAAM,cAAc,+BAA+B,MAAM;AAAA,IAAzD;AAAA;AAUH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,2BAAiD;AAAA;AAAA,IAEjD,CAAC,IAAI,UAAU,EAAE,WAAqB,SAAkC;AACpE,aAAO;AAAA,QACH,IAAI,qBAAqB;AACrB,iBAAO,QAAQ,UAAU,YAAY;AAAA,QACzC;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ;AAnBO,EAAAA,8BAAM;AAAA,GANA;",
|
|
6
6
|
"names": ["OperationalCredentialsServer"]
|
|
7
7
|
}
|
|
@@ -145,14 +145,14 @@ export declare const Transaction: {
|
|
|
145
145
|
* A read-only transaction you may use without context.
|
|
146
146
|
*/
|
|
147
147
|
ReadOnly: {
|
|
148
|
-
"__#
|
|
149
|
-
"__#
|
|
150
|
-
"__#
|
|
151
|
-
"__#
|
|
152
|
-
"__#
|
|
153
|
-
"__#
|
|
154
|
-
"__#
|
|
155
|
-
"__#
|
|
148
|
+
"__#6465@#participants": Set<Participant>;
|
|
149
|
+
"__#6465@#roles": Map<{}, Participant>;
|
|
150
|
+
"__#6465@#resources": Set<Resource>;
|
|
151
|
+
"__#6465@#status": Status;
|
|
152
|
+
"__#6465@#waitingOn"?: Iterable<Transaction> | undefined;
|
|
153
|
+
"__#6465@#via": string;
|
|
154
|
+
"__#6465@#shared"?: import("../../../util/Observable.js").Observable<[], void> | undefined;
|
|
155
|
+
"__#6465@#closed"?: import("../../../util/Observable.js").Observable<[], void> | undefined;
|
|
156
156
|
close(): void;
|
|
157
157
|
readonly via: string;
|
|
158
158
|
readonly status: Status;
|
|
@@ -171,16 +171,16 @@ export declare const Transaction: {
|
|
|
171
171
|
rollback(): Promise<void> | undefined;
|
|
172
172
|
waitFor(others: Set<Transaction>): Promise<void>;
|
|
173
173
|
toString(): string;
|
|
174
|
-
"__#
|
|
175
|
-
"__#
|
|
176
|
-
"__#
|
|
177
|
-
"__#
|
|
178
|
-
"__#
|
|
179
|
-
"__#
|
|
180
|
-
"__#
|
|
181
|
-
"__#
|
|
182
|
-
"__#
|
|
183
|
-
"__#
|
|
174
|
+
"__#6465@#finalize"(status: Status, why: string, finalizer: () => MaybePromise): Promise<void> | undefined;
|
|
175
|
+
"__#6465@#executePreCommit"(): MaybePromise<void>;
|
|
176
|
+
"__#6465@#executeCommit"(): MaybePromise;
|
|
177
|
+
"__#6465@#executeCommit1"(): MaybePromise;
|
|
178
|
+
"__#6465@#executeCommit2"(): Promise<void> | undefined;
|
|
179
|
+
"__#6465@#executePostCommit"(participants: Participant[]): MaybePromise;
|
|
180
|
+
"__#6465@#executeRollback"(): Promise<void> | undefined;
|
|
181
|
+
"__#6465@#log"(...message: unknown[]): void;
|
|
182
|
+
"__#6465@#locksChanged"(resources: Set<Resource>, how?: string): void;
|
|
183
|
+
"__#6465@#assertAvailable"(): void;
|
|
184
184
|
};
|
|
185
185
|
Status: typeof Status;
|
|
186
186
|
[Symbol.toStringTag]: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"CertificateManager.d.ts","sourceRoot":"","sources":["../../../src/certificate/CertificateManager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,OAAO,EAAE,GAAG,EAAa,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAA2B,MAAM,qCAAqC,CAAC;AACpG,OAAO,EAAE,QAAQ,EAAe,MAAM,yBAAyB,CAAC;AAChE,OAAO,EAAE,MAAM,EAAa,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAe,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AAEhE,OAAO,EAAE,OAAO,EAAgB,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAM5F,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAKjD,qBAAa,gBAAiB,SAAQ,WAAW;CAAG;AAOpD,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,QAE1C;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,SAAI,UAItD;AAoDD,uDAAuD;AACvD,eAAO,MAAM,aAAa,0BAAuC,CAAC;AAElE,mEAAmE;AACnE,eAAO,MAAM,wBAAwB,0BAAuC,CAAC;AAE7E,uDAAuD;AACvD,eAAO,MAAM,aAAa,mCAAgD,CAAC;AAE3E,uDAAuD;AACvD,eAAO,MAAM,aAAa,mCAAgD,CAAC;AAE3E,yDAAyD;AACzD,eAAO,MAAM,eAAe,4BAAyC,CAAC;AAEtE,uDAAuD;AACvD,eAAO,MAAM,aAAa,0BAAuD,CAAC;AAElF,uDAAuD;AACvD,eAAO,MAAM,eAAe,4BAA0D,CAAC;AAEvF,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,0BAAwD,CAAC;AA2DtF,QAAA,MAAM,uBAAuB;;;;;;;;;;CAU5B,CAAC;AAwDF,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM7B,CAAC;AAEH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAOpC,CAAC;AAEH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAMrC,CAAC;AAEH,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAA0B,CAAC;AAEnD,UAAU,0BAA0B;IAChC,YAAY,EAAE,SAAS,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,MAAM,EAAE,EAAE,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,EAAE,CAAC;IACZ,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uBAAuB,EAAE,MAAM,CAAC;IAChC,sBAAsB,EAAE,SAAS,CAAC;IAClC,UAAU,EAAE;QACR,gBAAgB,EAAE;YACd,IAAI,EAAE,OAAO,CAAC;YACd,OAAO,CAAC,EAAE
,MAAM,CAAC;SACpB,CAAC;QACF,QAAQ,EAAE,wBAAwB,CAAC,OAAO,uBAAuB,CAAC,CAAC;QACnE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC5B,oBAAoB,EAAE,SAAS,CAAC;QAChC,sBAAsB,EAAE,SAAS,CAAC;QAClC,eAAe,CAAC,EAAE,SAAS,EAAE,CAAC;KACjC,CAAC;IACF,SAAS,EAAE,SAAS,CAAC;CACxB;AAED,MAAM,WAAW,4BAA6B,SAAQ,0BAA0B;IAC5E,MAAM,EAAE;QACJ,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,QAAQ,CAAC;KACtB,CAAC;IACF,OAAO,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,QAAQ,CAAC;KACtB,CAAC;CACL;AAED,MAAM,WAAW,yCAA0C,SAAQ,0BAA0B;IACzF,MAAM,EAAE;QACJ,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,QAAQ,CAAC;KACvB,CAAC;IACF,OAAO,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,QAAQ,CAAC;KACtB,CAAC;CACL;AAED,MAAM,WAAW,sCAAuC,SAAQ,0BAA0B;IACtF,MAAM,EAAE;QACJ,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,QAAQ,CAAC;KACvB,CAAC;IACF,OAAO,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,QAAQ,CAAC;KACvB,CAAC;CACL;AAED,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;EAgBtC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,cAAc,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACxE,MAAM,MAAM,eAAe,GAAG,cAAc,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACxE,MAAM,MAAM,uBAAuB,GAAG,cAAc,CAAC,OAAO,0BAA0B,CAAC,CAAC;AACxF,MAAM,MAAM,sBAAsB,GAAG,cAAc,CAAC,OAAO,yBAAyB,CAAC,CAAC;AACtF,MAAM,MAAM,QAAQ,CAAC,IAAI,IAAI;KAAG,QAAQ,IAAI,MAAM,IAAI,IAAI,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;CAAE,CAAC;AAwL5G,qBAAa,kBAAkB;;IAmC3B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,QAAQ,CAAC,eAAe,CAAC;IAYrD,MAAM,CAAC,wBAAwB,CAAC,IAAI,EAAE,QAAQ,CAAC,uBAAuB,CAAC;IAYvE,MAAM,CAAC,yBAAyB,CAAC,IAAI,EAAE,QAAQ,CAAC,sBAAsB,CAAC;IAiBvE,MAAM,CAAC,2BAA2B,CAAC,IAAI,EAAE,QAAQ,CAAC,4BAA4B,CAAC,EAAE,GAAG,EAAE,GAAG;IASzF,MAAM,CAAC,wCAAwC,CAC3C,IAAI,EAAE,QAAQ,CAAC,yCAAyC,CAAC,EACzD,GAAG,EAAE,GAAG;IAUZ,MAAM,CAAC,qCAAqC,CAAC,IAAI,EAAE,QAAQ,CAAC,sCAAsC,CAAC,EAAE,GAAG,EAAE,GAAG;IAS7G,MAAM,CAAC,8BAA8B,CACjC,QAAQ,EAAE,SAAS,EACnB,oBAAoB,EAAE,SAAS,EAC/B,UAAU,EAAE,UAAU;IAoB1B;;;OAGG;IACH,MAAM,CAAC,gCAAgC,CAAC,IAAI,EAAE,eAAe,GAAG,sBAAsB,GAAG,uBAAuB;IAuChH;;;OAGG;IACH,MAAM,CAAC,qBAAqB,CAAC,QAAQ,EAAE,e
AAe;
|
|
1
|
+
{"version":3,"file":"CertificateManager.d.ts","sourceRoot":"","sources":["../../../src/certificate/CertificateManager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,OAAO,EAAE,GAAG,EAAa,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAA2B,MAAM,qCAAqC,CAAC;AACpG,OAAO,EAAE,QAAQ,EAAe,MAAM,yBAAyB,CAAC;AAChE,OAAO,EAAE,MAAM,EAAa,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAe,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AAEhE,OAAO,EAAE,OAAO,EAAgB,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAM5F,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAKjD,qBAAa,gBAAiB,SAAQ,WAAW;CAAG;AAOpD,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,QAE1C;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,SAAI,UAItD;AAoDD,uDAAuD;AACvD,eAAO,MAAM,aAAa,0BAAuC,CAAC;AAElE,mEAAmE;AACnE,eAAO,MAAM,wBAAwB,0BAAuC,CAAC;AAE7E,uDAAuD;AACvD,eAAO,MAAM,aAAa,mCAAgD,CAAC;AAE3E,uDAAuD;AACvD,eAAO,MAAM,aAAa,mCAAgD,CAAC;AAE3E,yDAAyD;AACzD,eAAO,MAAM,eAAe,4BAAyC,CAAC;AAEtE,uDAAuD;AACvD,eAAO,MAAM,aAAa,0BAAuD,CAAC;AAElF,uDAAuD;AACvD,eAAO,MAAM,eAAe,4BAA0D,CAAC;AAEvF,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,0BAAwD,CAAC;AA2DtF,QAAA,MAAM,uBAAuB;;;;;;;;;;CAU5B,CAAC;AAwDF,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM7B,CAAC;AAEH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAOpC,CAAC;AAEH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAMrC,CAAC;AAEH,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAA0B,CAAC;AAEnD,UAAU,0BAA0B;IAChC,YAAY,EAAE,SAAS,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,MAAM,EAAE,EAAE,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,EAAE,CAAC;IACZ,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uBAAuB,EAAE,MAAM,CAAC;IAChC,sBAAsB,EAAE,SAAS,CAAC;IAClC,UAAU,EAAE;QACR,gBAAgB,EAAE;YACd,IAAI,EAAE,OAAO,CAAC;YACd,OAAO,CAAC,EAAE
,MAAM,CAAC;SACpB,CAAC;QACF,QAAQ,EAAE,wBAAwB,CAAC,OAAO,uBAAuB,CAAC,CAAC;QACnE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC5B,oBAAoB,EAAE,SAAS,CAAC;QAChC,sBAAsB,EAAE,SAAS,CAAC;QAClC,eAAe,CAAC,EAAE,SAAS,EAAE,CAAC;KACjC,CAAC;IACF,SAAS,EAAE,SAAS,CAAC;CACxB;AAED,MAAM,WAAW,4BAA6B,SAAQ,0BAA0B;IAC5E,MAAM,EAAE;QACJ,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,QAAQ,CAAC;KACtB,CAAC;IACF,OAAO,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,QAAQ,CAAC;KACtB,CAAC;CACL;AAED,MAAM,WAAW,yCAA0C,SAAQ,0BAA0B;IACzF,MAAM,EAAE;QACJ,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,QAAQ,CAAC;KACvB,CAAC;IACF,OAAO,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,QAAQ,CAAC;KACtB,CAAC;CACL;AAED,MAAM,WAAW,sCAAuC,SAAQ,0BAA0B;IACtF,MAAM,EAAE;QACJ,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,QAAQ,CAAC;KACvB,CAAC;IACF,OAAO,EAAE;QACL,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,QAAQ,CAAC;KACvB,CAAC;CACL;AAED,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;EAgBtC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,cAAc,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACxE,MAAM,MAAM,eAAe,GAAG,cAAc,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACxE,MAAM,MAAM,uBAAuB,GAAG,cAAc,CAAC,OAAO,0BAA0B,CAAC,CAAC;AACxF,MAAM,MAAM,sBAAsB,GAAG,cAAc,CAAC,OAAO,yBAAyB,CAAC,CAAC;AACtF,MAAM,MAAM,QAAQ,CAAC,IAAI,IAAI;KAAG,QAAQ,IAAI,MAAM,IAAI,IAAI,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;CAAE,CAAC;AAwL5G,qBAAa,kBAAkB;;IAmC3B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,QAAQ,CAAC,eAAe,CAAC;IAYrD,MAAM,CAAC,wBAAwB,CAAC,IAAI,EAAE,QAAQ,CAAC,uBAAuB,CAAC;IAYvE,MAAM,CAAC,yBAAyB,CAAC,IAAI,EAAE,QAAQ,CAAC,sBAAsB,CAAC;IAiBvE,MAAM,CAAC,2BAA2B,CAAC,IAAI,EAAE,QAAQ,CAAC,4BAA4B,CAAC,EAAE,GAAG,EAAE,GAAG;IASzF,MAAM,CAAC,wCAAwC,CAC3C,IAAI,EAAE,QAAQ,CAAC,yCAAyC,CAAC,EACzD,GAAG,EAAE,GAAG;IAUZ,MAAM,CAAC,qCAAqC,CAAC,IAAI,EAAE,QAAQ,CAAC,sCAAsC,CAAC,EAAE,GAAG,EAAE,GAAG;IAS7G,MAAM,CAAC,8BAA8B,CACjC,QAAQ,EAAE,SAAS,EACnB,oBAAoB,EAAE,SAAS,EAC/B,UAAU,EAAE,UAAU;IAoB1B;;;OAGG;IACH,MAAM,CAAC,gCAAgC,CAAC,IAAI,EAAE,eAAe,GAAG,sBAAsB,GAAG,uBAAuB;IAuChH;;;OAGG;IACH,MAAM,CAAC,qBAAqB,CAAC,QAAQ,EAAE,e
AAe;IAkFtD;;;OAGG;IACH,MAAM,CAAC,gCAAgC,CACnC,aAAa,EAAE,eAAe,GAAG,uBAAuB,EACxD,OAAO,EAAE,sBAAsB;IA4GnC;;;OAGG;IACH,MAAM,CAAC,+BAA+B,CAAC,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,uBAAuB;IAkHlG,MAAM,CAAC,+BAA+B,CAAC,GAAG,EAAE,GAAG;IAe/C,MAAM,CAAC,mBAAmB,CAAC,GAAG,EAAE,SAAS;CA0B5C"}
|
|
@@ -589,6 +589,7 @@ class CertificateManager {
|
|
|
589
589
|
`Root certificate authorityKeyIdentifier must be equal to subjectKeyIdentifier.`
|
|
590
590
|
);
|
|
591
591
|
}
|
|
592
|
+
Crypto.verify(PublicKey(rootCert.ellipticCurvePublicKey), this.rootCertToAsn1(rootCert), rootCert.signature);
|
|
592
593
|
}
|
|
593
594
|
/**
|
|
594
595
|
* Verify requirements a Matter Node Operational certificate must fulfill.
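Review bot: The `Crypto.verify(...)` call added at new line 592 discards its result, so the self-signature check on the root certificate only works if `Crypto.verify` throws on a mismatch, which this hunk does not show. The `OperationalCredentialsServer` source embedded earlier on this page catches `CryptoVerifyError` around `setRootCert`, which suggests it does throw, but the call site should say so, e.g. `// Self-signed root: signature must verify under the certificate's own public key; Crypto.verify throws on mismatch`. The check proves only that the certificate is internally consistent, not that the root is trusted, so accepting a root remains a separate decision for the caller. A regression test that alters one byte of `rootCert.signature` and expects verification to fail would pin the behaviour. The enclosing method starts before the hunk, so the checks that precede this line are only partly visible.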
|