@riddix/hamh 2.1.0-alpha.493 → 2.1.0-alpha.495

package/dist/backend/cli.js

@@ -9825,12 +9825,12 @@ var init_StandardCrypto = __esm({
       implementationName = "JS";
       #crypto;
       #subtle;
-      constructor(crypto7 = globalThis.crypto) {
-        const { subtle } = crypto7;
-        assertInterface("crypto", crypto7, requiredCryptoMethods);
+      constructor(crypto8 = globalThis.crypto) {
+        const { subtle } = crypto8;
+        assertInterface("crypto", crypto8, requiredCryptoMethods);
         assertInterface("crypto.subtle", subtle, requiredSubtleMethods);
         super();
-        this.#crypto = crypto7;
+        this.#crypto = crypto8;
         this.#subtle = subtle;
       }
       get subtle() {
@@ -10013,9 +10013,9 @@ var init_StandardCrypto = __esm({
       }
     };
     if ("crypto" in globalThis && globalThis.crypto?.subtle) {
-      const crypto7 = new StandardCrypto();
-      Environment.default.set(Entropy, crypto7);
-      Environment.default.set(Crypto, crypto7);
+      const crypto8 = new StandardCrypto();
+      Environment.default.set(Entropy, crypto8);
+      Environment.default.set(Crypto, crypto8);
     }
   }
 });
@@ -10025,9 +10025,9 @@ function MockCrypto(index = 128, implementation = StandardCrypto) {
   if (index < 0 || index > 255) {
     throw new ImplementationError(`Index for stable crypto must be 0-255`);
   }
-  const crypto7 = new implementation();
-  const { randomBytes: randomBytes2, createKeyPair } = crypto7;
-  Object.defineProperties(crypto7, {
+  const crypto8 = new implementation();
+  const { randomBytes: randomBytes2, createKeyPair } = crypto8;
+  Object.defineProperties(crypto8, {
     index: {
       get() {
         return index;
@@ -10038,12 +10038,12 @@ function MockCrypto(index = 128, implementation = StandardCrypto) {
     },
     entropic: {
       get() {
-        return crypto7.randomBytes === randomBytes2;
+        return crypto8.randomBytes === randomBytes2;
       },
       set(entropic) {
         if (entropic) {
-          crypto7.randomBytes = randomBytes2;
-          crypto7.createKeyPair = createKeyPair;
+          crypto8.randomBytes = randomBytes2;
+          crypto8.createKeyPair = createKeyPair;
         } else {
           disableEntropy();
         }
@@ -10051,15 +10051,15 @@ function MockCrypto(index = 128, implementation = StandardCrypto) {
     }
   });
   disableEntropy();
-  return crypto7;
+  return crypto8;
   function disableEntropy() {
-    crypto7.randomBytes = function getRandomDataNONENTROPIC(length) {
+    crypto8.randomBytes = function getRandomDataNONENTROPIC(length) {
       const result = new Uint8Array(length);
       result.fill(index);
       return result;
     };
-    crypto7.createKeyPair = function getRandomDataNONENTROPIC() {
-      const privateBits = ec.mapHashToField(Bytes.of(crypto7.randomBytes(48)), ec.p256.Point.CURVE().n);
+    crypto8.createKeyPair = function getRandomDataNONENTROPIC() {
+      const privateBits = ec.mapHashToField(Bytes.of(crypto8.randomBytes(48)), ec.p256.Point.CURVE().n);
       return Key({
         kty: KeyType.EC,
         crv: CurveType.p256,
@@ -10092,9 +10092,9 @@ var init_NodeJsStyleCrypto = __esm({
     NodeJsStyleCrypto = class extends Crypto {
       implementationName = "Node.js";
       #crypto;
-      constructor(crypto7) {
+      constructor(crypto8) {
         super();
-        this.#crypto = crypto7;
+        this.#crypto = crypto8;
       }
       encrypt(key, data, nonce, aad) {
         const cipher = this.#crypto.createCipheriv(CRYPTO_ENCRYPT_ALGORITHM, Bytes.of(key), Bytes.of(nonce), {
@@ -10368,29 +10368,29 @@ var init_Spake2p = __esm({
       #context;
       #random;
       #w0;
-      static async computeW0W1(crypto7, { iterations, salt }, pin) {
+      static async computeW0W1(crypto8, { iterations, salt }, pin) {
         const pinWriter = new DataWriter(Endian.Little);
         pinWriter.writeUInt32(pin);
         const ws2 = Bytes.of(
-          await crypto7.createPbkdf2Key(pinWriter.toByteArray(), salt, iterations, CRYPTO_W_SIZE_BYTES * 2)
+          await crypto8.createPbkdf2Key(pinWriter.toByteArray(), salt, iterations, CRYPTO_W_SIZE_BYTES * 2)
         );
         const curve = Point2.CURVE();
         const w0 = mod2(bytesToNumberBE(ws2.slice(0, 40)), curve.n);
         const w1 = mod2(bytesToNumberBE(ws2.slice(40, 80)), curve.n);
         return { w0, w1 };
       }
-      static async computeW0L(crypto7, pbkdfParameters, pin) {
-        const { w0, w1 } = await this.computeW0W1(crypto7, pbkdfParameters, pin);
+      static async computeW0L(crypto8, pbkdfParameters, pin) {
+        const { w0, w1 } = await this.computeW0W1(crypto8, pbkdfParameters, pin);
         const L = Point2.BASE.multiply(w1).toBytes(false);
         return { w0, L };
       }
-      static create(crypto7, context, w0) {
+      static create(crypto8, context, w0) {
         const curve = Point2.CURVE();
-        const random = crypto7.randomBigInt(32, curve.p);
-        return new _Spake2p(crypto7, context, random, w0);
+        const random = crypto8.randomBigInt(32, curve.p);
+        return new _Spake2p(crypto8, context, random, w0);
       }
-      constructor(crypto7, context, random, w0) {
-        this.#crypto = crypto7;
+      constructor(crypto8, context, random, w0) {
+        this.#crypto = crypto8;
         this.#context = context;
         this.#random = random;
         this.#w0 = w0;
@@ -10521,10 +10521,10 @@ var init_X509 = __esm({
     init_Pem();
     init_X962();
     ((X5092) => {
-      async function sign(crypto7, key, cert) {
+      async function sign(crypto8, key, cert) {
         return {
           ...cert,
-          signature: (await crypto7.signEcdsa(key, certificateToDer(cert))).der
+          signature: (await crypto8.signEcdsa(key, certificateToDer(cert))).der
         };
       }
       X5092.sign = sign;
@@ -46460,9 +46460,9 @@ var init_NodeId = __esm({
         return hex.fixed(nodeId3, 16);
       }
       NodeId2.strOf = strOf;
-      NodeId2.randomOperationalNodeId = (crypto7) => {
+      NodeId2.randomOperationalNodeId = (crypto8) => {
         while (true) {
-          const randomBigInt = crypto7.randomBigInt(8);
+          const randomBigInt = crypto8.randomBigInt(8);
           if (randomBigInt >= OPERATIONAL_NODE_MIN && randomBigInt <= OPERATIONAL_NODE_MAX) {
             return NodeId2(randomBigInt);
           }
@@ -88338,11 +88338,11 @@ var init_GlobalFabricId = __esm({
         return hex.fixed(id, 16);
       }
       GlobalFabricId2.strOf = strOf;
-      async function compute(crypto7, id, caKey) {
+      async function compute(crypto8, id, caKey) {
         const saltWriter = new DataWriter();
         saltWriter.writeUInt64(id);
         return GlobalFabricId2(
-          await crypto7.createHkdfKey(
+          await crypto8.createHkdfKey(
             Bytes.of(caKey).slice(1),
             saltWriter.toByteArray(),
             COMPRESSED_FABRIC_ID_INFO,
@@ -90621,8 +90621,8 @@ var init_Certificate = __esm({
        * Sign the certificate using the provided crypto and key.
        * It throws a CertificateError if the certificate is already signed.
        */
-      async sign(crypto7, key) {
-        this.signature = await crypto7.signEcdsa(key, this.asUnsignedDer());
+      async sign(crypto8, key) {
+        this.signature = await crypto8.signEcdsa(key, this.asUnsignedDer());
       }
       /**
        * Serialize as signed DER.
@@ -90684,7 +90684,7 @@ var init_Certificate = __esm({
       }
     };
     ((Certificate2) => {
-      async function createCertificateSigningRequest(crypto7, key) {
+      async function createCertificateSigningRequest(crypto8, key) {
         const request = {
           version: 0,
           subject: { organization: X520.OrganisationName("CSR") },
@@ -90694,7 +90694,7 @@ var init_Certificate = __esm({
         return DerCodec.encode({
           request,
           signAlgorithm: X962.EcdsaWithSHA256,
-          signature: DerBitString((await crypto7.signEcdsa(key, DerCodec.encode(request))).der)
+          signature: DerBitString((await crypto8.signEcdsa(key, DerCodec.encode(request))).der)
         });
       }
       Certificate2.createCertificateSigningRequest = createCertificateSigningRequest;
@@ -90973,7 +90973,7 @@ var init_Certificate = __esm({
         };
       }
       Certificate2.parseAsn1Certificate = parseAsn1Certificate;
-      async function getPublicKeyFromCsr(crypto7, encodedCsr) {
+      async function getPublicKeyFromCsr(crypto8, encodedCsr) {
         const { _elements: rootElements } = DerCodec.decode(encodedCsr);
         if (rootElements?.length !== 3) {
           throw new CertificateError("Invalid CSR data");
@@ -91011,7 +91011,7 @@ var init_Certificate = __esm({
         if (signatureAlgorithmBytes === void 0 || !Bytes.areEqual(X962.EcdsaWithSHA256._objectId._bytes, signatureAlgorithmBytes)) {
           throw new CertificateError("Unsupported signature algorithm in CSR");
         }
-        await crypto7.verifyEcdsa(
+        await crypto8.verifyEcdsa(
           PublicKey(publicKey),
           DerCodec.encode(requestNode),
           new EcdsaSignature(signatureNode._bytes, "der")
@@ -91240,7 +91240,7 @@ var init_Icac = __esm({
        * Verify requirements a Matter Intermediate CA certificate must fulfill.
        * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
        */
-      async verify(crypto7, root) {
+      async verify(crypto8, root) {
         this.generalVerify();
         const {
           subject,
@@ -91316,7 +91316,7 @@ var init_Icac = __esm({
             `Ica certificate authorityKeyIdentifier must be equal to root cert subjectKeyIdentifier.`
           );
         }
-        await crypto7.verifyEcdsa(PublicKey(root.cert.ellipticCurvePublicKey), this.asUnsignedDer(), this.signature);
+        await crypto8.verifyEcdsa(PublicKey(root.cert.ellipticCurvePublicKey), this.asUnsignedDer(), this.signature);
       }
     };
   }
@@ -91367,7 +91367,7 @@ var init_Noc = __esm({
        * Verify requirements a Matter Node Operational certificate must fulfill.
        * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
        */
-      async verify(crypto7, root, ica) {
+      async verify(crypto8, root, ica) {
         this.generalVerify();
         const {
           subject,
@@ -91452,7 +91452,7 @@ var init_Noc = __esm({
             `Noc certificate authorityKeyIdentifier must be equal to Root/Ica subjectKeyIdentifier.`
           );
         }
-        await crypto7.verifyEcdsa(PublicKey(issuer.cert.ellipticCurvePublicKey), this.asUnsignedDer(), this.signature);
+        await crypto8.verifyEcdsa(PublicKey(issuer.cert.ellipticCurvePublicKey), this.asUnsignedDer(), this.signature);
       }
     };
   }
@@ -93037,10 +93037,10 @@ var init_MessageCounter = __esm({
        * counter is not allowed to rollover and the callback is called before a rollover would happen. Optionally provide
        * a number of messages before the rollover callback is called (Default 1000).
        */
-      constructor(crypto7, onRollover, rolloverInfoDifference = ROLLOVER_INFO_DIFFERENCE) {
+      constructor(crypto8, onRollover, rolloverInfoDifference = ROLLOVER_INFO_DIFFERENCE) {
         this.onRollover = onRollover;
         this.rolloverInfoDifference = rolloverInfoDifference;
-        this.messageCounter = (crypto7.randomUint32 >>> 4) + 1;
+        this.messageCounter = (crypto8.randomUint32 >>> 4) + 1;
       }
       messageCounter;
       async getIncrementedCounter() {
@@ -93058,8 +93058,8 @@ var init_MessageCounter = __esm({
       }
     };
     PersistedMessageCounter = class _PersistedMessageCounter extends MessageCounter {
-      constructor(crypto7, storageContext, storageKey, aboutToRolloverCallback, rolloverInfoDifference = ROLLOVER_INFO_DIFFERENCE) {
-        super(crypto7, aboutToRolloverCallback, rolloverInfoDifference);
+      constructor(crypto8, storageContext, storageKey, aboutToRolloverCallback, rolloverInfoDifference = ROLLOVER_INFO_DIFFERENCE) {
+        super(crypto8, aboutToRolloverCallback, rolloverInfoDifference);
         this.storageContext = storageContext;
         this.storageKey = storageKey;
         this.#construction = Construction(this, async () => {
@@ -93078,10 +93078,10 @@ var init_MessageCounter = __esm({
       get construction() {
         return this.#construction;
       }
-      static async create(crypto7, storageContext, storageKey, aboutToRolloverCallback, rolloverInfoDifference = ROLLOVER_INFO_DIFFERENCE) {
+      static async create(crypto8, storageContext, storageKey, aboutToRolloverCallback, rolloverInfoDifference = ROLLOVER_INFO_DIFFERENCE) {
         return asyncNew(
           _PersistedMessageCounter,
-          crypto7,
+          crypto8,
           storageContext,
           storageKey,
           aboutToRolloverCallback,
@@ -93994,7 +93994,7 @@ var init_NodeSession = __esm({
       }
       constructor(config10) {
         const {
-          crypto: crypto7,
+          crypto: crypto8,
           manager,
           id,
           fabric,
@@ -94012,14 +94012,14 @@ var init_NodeSession = __esm({
           setActiveTimestamp: true,
           // We always set the active timestamp for Secure sessions
           // Can be changed to a PersistedMessageCounter if we implement session storage
-          messageCounter: new MessageCounter(crypto7, async () => {
+          messageCounter: new MessageCounter(crypto8, async () => {
             await this.initiateClose(async () => {
               await this.closeSubscriptions(true);
             });
           }),
           messageReceptionState: new MessageReceptionStateEncryptedWithoutRollover(0)
         });
-        this.#crypto = crypto7;
+        this.#crypto = crypto8;
         this.#id = id;
         this.#fabric = fabric;
         this.#peerNodeId = peerNodeId;
@@ -94468,22 +94468,22 @@ var init_CaseClient = __esm({
         }
       }
       async #doPair(messenger, exchange, fabric, peerNodeId, caseAuthenticatedTags) {
-        const { crypto: crypto7 } = fabric;
-        const initiatorRandom = crypto7.randomBytes(32);
+        const { crypto: crypto8 } = fabric;
+        const initiatorRandom = crypto8.randomBytes(32);
         const initiatorSessionId = await this.#sessions.getNextAvailableSessionId();
         const { operationalIdentityProtectionKey, operationalCert: localNoc, intermediateCACert: localIcac } = fabric;
-        const localKey = await crypto7.createKeyPair();
+        const localKey = await crypto8.createKeyPair();
         let sigma1Bytes;
         let resumed = false;
         let resumptionRecord = this.#sessions.findResumptionRecordByAddress(fabric.addressOf(peerNodeId));
         if (resumptionRecord !== void 0) {
           const { sharedSecret, resumptionId } = resumptionRecord;
-          const resumeKey = await crypto7.createHkdfKey(
+          const resumeKey = await crypto8.createHkdfKey(
             sharedSecret,
             Bytes.concat(initiatorRandom, resumptionId),
             KDFSR1_KEY_INFO
           );
-          const initiatorResumeMic = crypto7.encrypt(resumeKey, new Uint8Array(0), RESUME1_MIC_NONCE);
+          const initiatorResumeMic = crypto8.encrypt(resumeKey, new Uint8Array(0), RESUME1_MIC_NONCE);
           sigma1Bytes = await messenger.sendSigma1({
             initiatorSessionId,
             destinationId: await fabric.currentDestinationIdFor(peerNodeId, initiatorRandom),
@@ -94518,8 +94518,8 @@ var init_CaseClient = __esm({
             ...resumptionSessionParams ?? {}
           };
           const resumeSalt = Bytes.concat(initiatorRandom, resumptionId);
-          const resumeKey = await crypto7.createHkdfKey(sharedSecret, resumeSalt, KDFSR2_KEY_INFO);
-          crypto7.decrypt(resumeKey, resumeMic, RESUME2_MIC_NONCE);
+          const resumeKey = await crypto8.createHkdfKey(sharedSecret, resumeSalt, KDFSR2_KEY_INFO);
+          crypto8.decrypt(resumeKey, resumeMic, RESUME2_MIC_NONCE);
           const secureSessionSalt = Bytes.concat(initiatorRandom, resumptionRecord.resumptionId);
           secureSession = await this.#sessions.createSecureSession({
             channel: exchange.channel.channel,
@@ -94563,15 +94563,15 @@ var init_CaseClient = __esm({
             ...exchange.session.parameters,
             ...responderSessionParams ?? {}
           };
-          const sharedSecret = await crypto7.generateDhSecret(localKey, PublicKey(peerKey));
+          const sharedSecret = await crypto8.generateDhSecret(localKey, PublicKey(peerKey));
           const sigma2Salt = Bytes.concat(
             operationalIdentityProtectionKey,
             responderRandom,
             peerKey,
-            await crypto7.computeHash(sigma1Bytes)
+            await crypto8.computeHash(sigma1Bytes)
           );
-          const sigma2Key = await crypto7.createHkdfKey(sharedSecret, sigma2Salt, KDFSR2_INFO);
-          const peerEncryptedData = crypto7.decrypt(sigma2Key, peerEncrypted, TBE_DATA2_NONCE);
+          const sigma2Key = await crypto8.createHkdfKey(sharedSecret, sigma2Salt, KDFSR2_INFO);
+          const peerEncryptedData = crypto8.decrypt(sigma2Key, peerEncrypted, TBE_DATA2_NONCE);
           const {
             responderNoc: peerNoc,
             responderIcac: peerIcac,
@@ -94588,7 +94588,7 @@ var init_CaseClient = __esm({
             ellipticCurvePublicKey: peerPublicKey,
             subject: { fabricId: peerFabricIdNOCert, nodeId: peerNodeIdNOCert }
           } = Noc.fromTlv(peerNoc).cert;
-          await crypto7.verifyEcdsa(PublicKey(peerPublicKey), peerSignatureData, new EcdsaSignature(peerSignature));
+          await crypto8.verifyEcdsa(PublicKey(peerPublicKey), peerSignatureData, new EcdsaSignature(peerSignature));
           if (peerNodeIdNOCert !== peerNodeId) {
             throw new UnexpectedDataError(
               `The node ID in the peer certificate ${peerNodeIdNOCert} doesn't match the expected peer node ID ${peerNodeId}`
@@ -94612,9 +94612,9 @@ var init_CaseClient = __esm({
           await fabric.verifyCredentials(peerNoc, peerIcac);
           const sigma3Salt = Bytes.concat(
             operationalIdentityProtectionKey,
-            await crypto7.computeHash([sigma1Bytes, sigma2Bytes])
+            await crypto8.computeHash([sigma1Bytes, sigma2Bytes])
           );
-          const sigma3Key = await crypto7.createHkdfKey(sharedSecret, sigma3Salt, KDFSR3_INFO);
+          const sigma3Key = await crypto8.createHkdfKey(sharedSecret, sigma3Salt, KDFSR3_INFO);
           const signatureData = TlvSignedData.encode({
             responderNoc: localNoc,
             responderIcac: localIcac,
@@ -94627,13 +94627,13 @@ var init_CaseClient = __esm({
             responderIcac: localIcac,
             signature: signature.bytes
           });
-          const encrypted = crypto7.encrypt(sigma3Key, encryptedData, TBE_DATA3_NONCE);
+          const encrypted = crypto8.encrypt(sigma3Key, encryptedData, TBE_DATA3_NONCE);
           const sigma3Bytes = await messenger.sendSigma3({ encrypted });
           await messenger.waitForSuccess("Sigma3-Success");
           const sessionCaseAuthenticatedTags = caseAuthenticatedTags ?? resumptionRecord?.caseAuthenticatedTags;
           const secureSessionSalt = Bytes.concat(
             operationalIdentityProtectionKey,
-            await crypto7.computeHash([sigma1Bytes, sigma2Bytes, sigma3Bytes])
+            await crypto8.computeHash([sigma1Bytes, sigma2Bytes, sigma3Bytes])
           );
           secureSession = await this.#sessions.createSecureSession({
             channel: exchange.channel.channel,
@@ -94711,7 +94711,7 @@ var init_Rcac = __esm({
        * Verify requirements a Matter Root certificate must fulfill.
        * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
        */
-      async verify(crypto7) {
+      async verify(crypto8) {
         this.generalVerify();
         const { subject, extensions } = this.cert;
         const { fabricId: fabricId3, rcacId } = subject;
@@ -94768,7 +94768,7 @@ var init_Rcac = __esm({
             `Root certificate authorityKeyIdentifier must be equal to subjectKeyIdentifier.`
           );
         }
-        await crypto7.verifyEcdsa(PublicKey(this.cert.ellipticCurvePublicKey), this.asUnsignedDer(), this.signature);
+        await crypto8.verifyEcdsa(PublicKey(this.cert.ellipticCurvePublicKey), this.asUnsignedDer(), this.signature);
       }
     };
   }
@@ -94903,8 +94903,8 @@ var init_KeySets = __esm({
         };
       }
       /** Calculates a group session id based on the operational group key. */
-      async sessionIdFromKey(crypto7, operationalGroupKey) {
-        const groupKeyHash = await crypto7.createHkdfKey(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
+      async sessionIdFromKey(crypto8, operationalGroupKey) {
+        const groupKeyHash = await crypto8.createHkdfKey(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
         return new DataReader(groupKeyHash).readUInt16();
       }
       /**
@@ -94957,8 +94957,8 @@ var init_MessagingState = __esm({
       #messageDataReceptionState = /* @__PURE__ */ new Map();
       #crypto;
       #storage;
-      constructor(crypto7, storage2) {
-        this.#crypto = crypto7;
+      constructor(crypto8, storage2) {
+        this.#crypto = crypto8;
         if (storage2 !== void 0) {
           this.#storage = storage2;
         }
@@ -95491,8 +95491,8 @@ var init_Fabric = __esm({
        * Certain derived fields that require async crypto operations to compute must be supplied here.  Use {@link create}
        * to populate these fields automatically.
        */
-      constructor(crypto7, config10) {
-        this.#crypto = crypto7;
+      constructor(crypto8, config10) {
+        this.#crypto = crypto8;
         this.fabricIndex = config10.fabricIndex;
         this.fabricId = config10.fabricId;
         this.nodeId = config10.nodeId;
@@ -95521,20 +95521,20 @@ var init_Fabric = __esm({
        *
        * This async creation path populates derived fields that require async crypto operations to compute.
        */
-      static async create(crypto7, config10) {
+      static async create(crypto8, config10) {
         let { globalId, operationalIdentityProtectionKey } = config10;
         if (globalId === void 0) {
           const caKey = config10.rootPublicKey ?? Rcac.publicKeyOfTlv(config10.rootCert);
-          globalId = await GlobalFabricId.compute(crypto7, config10.fabricId, caKey);
+          globalId = await GlobalFabricId.compute(crypto8, config10.fabricId, caKey);
         }
         if (operationalIdentityProtectionKey === void 0) {
-          operationalIdentityProtectionKey = await crypto7.createHkdfKey(
+          operationalIdentityProtectionKey = await crypto8.createHkdfKey(
             config10.identityProtectionKey,
             Bytes.fromBigInt(globalId, 8),
             GROUP_SECURITY_INFO
           );
         }
-        return new _Fabric(crypto7, {
+        return new _Fabric(crypto8, {
           ...config10,
           globalId,
           operationalIdentityProtectionKey
@@ -95791,12 +95791,12 @@ var init_Fabric = __esm({
       #vvsc;
       #fabricIndex;
       #label = "";
-      constructor(crypto7, key) {
-        this.#crypto = crypto7;
+      constructor(crypto8, key) {
+        this.#crypto = crypto8;
         this.#keyPair = key;
       }
-      static async create(crypto7) {
-        return new _FabricBuilder(crypto7, await crypto7.createKeyPair());
+      static async create(crypto8) {
+        return new _FabricBuilder(crypto8, await crypto8.createKeyPair());
       }
       get publicKey() {
         return this.#keyPair.publicKey;
@@ -95955,8 +95955,8 @@ var init_FabricManager = __esm({
         failsafeClosed: Observable()
       };
       #construction;
-      constructor(crypto7, storage2) {
-        this.#crypto = crypto7;
+      constructor(crypto8, storage2) {
+        this.#crypto = crypto8;
         this.#storage = storage2;
         let construct;
         if (this.#storage === void 0) {
@@ -95969,7 +95969,7 @@ var init_FabricManager = __esm({
             }
             const fabrics = await this.#storage.get("fabrics", []);
             for (const fabricConfig of fabrics) {
-              this.#addNewFabric(await Fabric.create(crypto7, fabricConfig));
+              this.#addNewFabric(await Fabric.create(crypto8, fabricConfig));
             }
             this.#nextFabricIndex = await this.#storage.get("nextFabricIndex", this.#nextFabricIndex);
             this.#initializationDone = true;
@@ -96265,14 +96265,14 @@ var init_CaseServer = __esm({
           return false;
         }
         const { sharedSecret, fabric, peerNodeId, caseAuthenticatedTags } = cx.resumptionRecord;
-        const { crypto: crypto7 } = this.#fabrics;
-        const peerResumeKey = await crypto7.createHkdfKey(
+        const { crypto: crypto8 } = this.#fabrics;
+        const peerResumeKey = await crypto8.createHkdfKey(
           sharedSecret,
           Bytes.concat(cx.peerRandom, cx.peerResumptionId),
           KDFSR1_KEY_INFO
         );
         try {
-          crypto7.decrypt(peerResumeKey, cx.peerResumeMic, RESUME1_MIC_NONCE);
+          crypto8.decrypt(peerResumeKey, cx.peerResumeMic, RESUME1_MIC_NONCE);
         } catch (e) {
           CryptoDecryptError.accept(e);
           cx.peerResumptionId = cx.peerResumeMic = void 0;
@@ -96296,8 +96296,8 @@ var init_CaseServer = __esm({
           // Session establishment could still fail, so add session ourselves to the manager
         });
         const resumeSalt = Bytes.concat(cx.peerRandom, cx.localResumptionId);
-        const resumeKey = await crypto7.createHkdfKey(sharedSecret, resumeSalt, KDFSR2_KEY_INFO);
-        const resumeMic = crypto7.encrypt(resumeKey, new Uint8Array(0), RESUME2_MIC_NONCE);
+        const resumeKey = await crypto8.createHkdfKey(sharedSecret, resumeSalt, KDFSR2_KEY_INFO);
+        const resumeMic = crypto8.encrypt(resumeKey, new Uint8Array(0), RESUME2_MIC_NONCE);
         try {
           const responderSessionParams = this.#sessions.sessionParameters;
           await cx.messenger.sendSigma2Resume({
@@ -96326,20 +96326,20 @@ var init_CaseServer = __esm({
         ) {
           return false;
         }
-        const { crypto: crypto7 } = this.#fabrics;
-        const responderRandom = crypto7.randomBytes(32);
+        const { crypto: crypto8 } = this.#fabrics;
+        const responderRandom = crypto8.randomBytes(32);
         const fabric = await this.#fabrics.findFabricFromDestinationId(cx.destinationId, cx.peerRandom);
         const { operationalCert: nodeOpCert, intermediateCACert, operationalIdentityProtectionKey } = fabric;
-        const key = await crypto7.createKeyPair();
+        const key = await crypto8.createKeyPair();
         const responderEcdhPublicKey = key.publicBits;
-        const sharedSecret = await crypto7.generateDhSecret(key, PublicKey(cx.peerEcdhPublicKey));
+        const sharedSecret = await crypto8.generateDhSecret(key, PublicKey(cx.peerEcdhPublicKey));
         const sigma2Salt = Bytes.concat(
           operationalIdentityProtectionKey,
           responderRandom,
           responderEcdhPublicKey,
-          await crypto7.computeHash(cx.bytes)
+          await crypto8.computeHash(cx.bytes)
         );
-        const sigma2Key = await crypto7.createHkdfKey(sharedSecret, sigma2Salt, KDFSR2_INFO);
+        const sigma2Key = await crypto8.createHkdfKey(sharedSecret, sigma2Salt, KDFSR2_INFO);
         const signatureData = TlvSignedData.encode({
           responderNoc: nodeOpCert,
           responderIcac: intermediateCACert,
@@ -96353,7 +96353,7 @@ var init_CaseServer = __esm({
           signature: signature.bytes,
           resumptionId: cx.localResumptionId
         });
-        const encrypted = crypto7.encrypt(sigma2Key, encryptedData, TBE_DATA2_NONCE);
+        const encrypted = crypto8.encrypt(sigma2Key, encryptedData, TBE_DATA2_NONCE);
         const responderSessionId = await this.#sessions.getNextAvailableSessionId();
         const sigma2Bytes = await cx.messenger.sendSigma2({
           responderRandom,
@@ -96369,10 +96369,10 @@ var init_CaseServer = __esm({
         } = await cx.messenger.readSigma3();
         const sigma3Salt = Bytes.concat(
           operationalIdentityProtectionKey,
-          await crypto7.computeHash([cx.bytes, sigma2Bytes])
+          await crypto8.computeHash([cx.bytes, sigma2Bytes])
         );
-        const sigma3Key = await crypto7.createHkdfKey(sharedSecret, sigma3Salt, KDFSR3_INFO);
-        const peerDecryptedData = crypto7.decrypt(sigma3Key, peerEncrypted, TBE_DATA3_NONCE);
+        const sigma3Key = await crypto8.createHkdfKey(sharedSecret, sigma3Salt, KDFSR3_INFO);
+        const peerDecryptedData = crypto8.decrypt(sigma3Key, peerEncrypted, TBE_DATA3_NONCE);
         const {
           responderNoc: peerNewOpCert,
           responderIcac: peerIntermediateCACert,
@@ -96392,10 +96392,10 @@ var init_CaseServer = __esm({
         if (fabric.fabricId !== peerFabricId) {
           throw new UnexpectedDataError(`Fabric ID mismatch: ${fabric.fabricId} !== ${peerFabricId}`);
         }
-        await crypto7.verifyEcdsa(PublicKey(peerPublicKey), peerSignatureData, new EcdsaSignature(peerSignature));
+        await crypto8.verifyEcdsa(PublicKey(peerPublicKey), peerSignatureData, new EcdsaSignature(peerSignature));
         const secureSessionSalt = Bytes.concat(
           operationalIdentityProtectionKey,
-          await crypto7.computeHash([cx.bytes, sigma2Bytes, sigma3Bytes])
+          await crypto8.computeHash([cx.bytes, sigma2Bytes, sigma3Bytes])
         );
         const secureSession = await this.#sessions.createSecureSession({
           channel,
@@ -96440,8 +96440,8 @@ var init_CaseServer = __esm({
       peerSessionParams;
       resumptionRecord;
       #localResumptionId;
-      constructor(crypto7, messenger, bytes, sigma1, resumptionRecord) {
-        this.crypto = crypto7;
+      constructor(crypto8, messenger, bytes, sigma1, resumptionRecord) {
+        this.crypto = crypto8;
         this.messenger = messenger;
         this.bytes = bytes;
         this.peerSessionId = sigma1.initiatorSessionId;
@@ -96937,25 +96937,25 @@ var init_PaseClient = __esm({
       constructor(sessions) {
         this.#sessions = sessions;
       }
-      static async generatePakePasscodeVerifier(crypto7, setupPinCode, pbkdfParameters) {
-        const { w0, L } = await Spake2p.computeW0L(crypto7, pbkdfParameters, setupPinCode);
+      static async generatePakePasscodeVerifier(crypto8, setupPinCode, pbkdfParameters) {
+        const { w0, L } = await Spake2p.computeW0L(crypto8, pbkdfParameters, setupPinCode);
         return Bytes.concat(numberToBytesBE3(w0, 32), L);
       }
-      static generateRandomPasscode(crypto7) {
+      static generateRandomPasscode(crypto8) {
         let passcode;
-        passcode = crypto7.randomUint32 % 99999998 + 1;
+        passcode = crypto8.randomUint32 % 99999998 + 1;
         if (CommissioningOptions.FORBIDDEN_PASSCODES.includes(passcode)) {
           passcode += 1;
         }
         return passcode;
       }
-      static generateRandomDiscriminator(crypto7) {
-        return crypto7.randomUint16 % 4096;
+      static generateRandomDiscriminator(crypto8) {
+        return crypto8.randomUint16 % 4096;
       }
       async pair(initiatorSessionParams, exchange, channel, setupPin) {
         const messenger = new PaseClientMessenger(exchange);
-        const { crypto: crypto7 } = this.#sessions;
-        const initiatorRandom = crypto7.randomBytes(32);
+        const { crypto: crypto8 } = this.#sessions;
+        const initiatorRandom = crypto8.randomBytes(32);
         const initiatorSessionId = await this.#sessions.getNextAvailableSessionId();
         const requestPayload = await messenger.sendPbkdfParamRequest({
           initiatorRandom,
@@ -96979,10 +96979,10 @@ var init_PaseClient = __esm({
           ...exchange.session.parameters,
           ...responderSessionParams ?? {}
         };
-        const { w0, w1 } = await Spake2p.computeW0W1(crypto7, pbkdfParameters, setupPin);
+        const { w0, w1 } = await Spake2p.computeW0W1(crypto8, pbkdfParameters, setupPin);
         const spake2p = Spake2p.create(
-          crypto7,
-          await crypto7.computeHash([SPAKE_CONTEXT, requestPayload, responsePayload]),
+          crypto8,
+          await crypto8.computeHash([SPAKE_CONTEXT, requestPayload, responsePayload]),
           w0
         );
         const X = spake2p.computeX();
@@ -97093,7 +97093,7 @@ var init_PaseServer = __esm({
           }
         }
       }
-      async handlePairingRequest(crypto7, channel) {
+      async handlePairingRequest(crypto8, channel) {
         const messenger = this.#pairingMessenger;
         logger40.info("Received pairing request", Mark.INBOUND, Diagnostic.via(messenger.channelName));
         this.#pairingTimer = Time.getTimer(
@@ -97115,7 +97115,7 @@ var init_PaseServer = __esm({
           throw new UnexpectedDataError(`Unsupported passcode ID ${passcodeId}.`);
         }
         const responderSessionId = await this.sessions.getNextAvailableSessionId();
-        const responderRandom = crypto7.randomBytes(32);
+        const responderRandom = crypto8.randomBytes(32);
         const responderSessionParams = this.sessions.sessionParameters;
         if (initiatorSessionParams !== void 0) {
           messenger.channel.session.timingParameters = initiatorSessionParams;
@@ -97128,8 +97128,8 @@ var init_PaseServer = __esm({
           responderSessionParams
         });
         const spake2p = Spake2p.create(
-          crypto7,
-          await crypto7.computeHash([SPAKE_CONTEXT, requestPayload, responsePayload]),
+          crypto8,
+          await crypto8.computeHash([SPAKE_CONTEXT, requestPayload, responsePayload]),
           this.w0
         );
         const { x: X } = await messenger.readPasePake1();
@@ -97197,14 +97197,14 @@ var init_UnsecuredSession = __esm({
       supportsMRP = true;
       type = SessionType.Unicast;
       constructor(config10) {
-        const { crypto: crypto7, initiatorNodeId, isInitiator } = config10;
+        const { crypto: crypto8, initiatorNodeId, isInitiator } = config10;
         super({
           ...config10,
           setActiveTimestamp: !isInitiator,
           // When we are the initiator we assume the node is in idle mode
           messageReceptionState: new MessageReceptionStateUnencryptedWithRollover()
         });
-        this.#initiatorNodeId = initiatorNodeId ?? NodeId.randomOperationalNodeId(crypto7);
+        this.#initiatorNodeId = initiatorNodeId ?? NodeId.randomOperationalNodeId(crypto8);
       }
       get isSecure() {
         return false;
@@ -97291,11 +97291,11 @@ var init_SessionManager = __esm({
       constructor(context) {
         this.#context = context;
         const {
-          fabrics: { crypto: crypto7 }
+          fabrics: { crypto: crypto8 }
         } = context;
         this.#sessionParameters = SessionParameters({ ...SessionParameters.defaults, ...context.parameters });
-        this.#nextSessionId = crypto7.randomUint16;
-        this.#globalUnencryptedMessageCounter = new MessageCounter(crypto7);
+        this.#nextSessionId = crypto8.randomUint16;
+        this.#globalUnencryptedMessageCounter = new MessageCounter(crypto8);
         this.#observers.on(context.fabrics.events.deleting, async (fabric) => {
           await this.deleteResumptionRecordsForFabric(fabric);
         });
@@ -100871,18 +100871,18 @@ var init_ProtocolMocks = __esm({
     init_MessageExchange();
     ((ProtocolMocks2) => {
       class Fabric2 extends Fabric {
-        constructor(config10, crypto7) {
-          if (!crypto7) {
-            crypto7 = Environment.default.maybeGet(Crypto);
-            if (!(crypto7 instanceof MockCrypto)) {
-              crypto7 = MockCrypto();
+        constructor(config10, crypto8) {
+          if (!crypto8) {
+            crypto8 = Environment.default.maybeGet(Crypto);
+            if (!(crypto8 instanceof MockCrypto)) {
+              crypto8 = MockCrypto();
             }
           }
-          const keyPair = config10?.keyPair ?? crypto7.createKeyPair();
+          const keyPair = config10?.keyPair ?? crypto8.createKeyPair();
           if (MaybePromise.is(keyPair)) {
             throw new ImplementationError("Must provide key pair with async crypto");
           }
-          super(crypto7, {
+          super(crypto8, {
             ...Fabric2.defaults,
             ...config10,
             keyPair
@@ -100912,7 +100912,7 @@ var init_ProtocolMocks = __esm({
         constructor(config10) {
           const index = config10?.index ?? 1;
           const fabricIndex = config10?.fabricIndex ?? 1;
-          const crypto7 = config10?.crypto ?? Environment.default.get(Crypto);
+          const crypto8 = config10?.crypto ?? Environment.default.get(Crypto);
           const fabric = config10 && "fabric" in config10 ? config10.fabric : new Fabric2({ fabricIndex });
           const maxPayloadSize = config10?.maxPayloadSize;
           let channel;
@@ -100931,7 +100931,7 @@ var init_ProtocolMocks = __esm({
             encryptKey: Bytes.empty,
             isInitiator: true,
             ...config10,
-            crypto: crypto7,
+            crypto: crypto8,
             fabric
           };
           delete fullConfig.channel;
@@ -100940,11 +100940,11 @@ var init_ProtocolMocks = __esm({
           this.lifetime = Lifetime.mock;
         }
         static async create(config10) {
-          const crypto7 = config10?.crypto ?? config10?.manager?.crypto ?? Environment.default.get(Crypto);
+          const crypto8 = config10?.crypto ?? config10?.manager?.crypto ?? Environment.default.get(Crypto);
           const index = config10?.index ?? 1;
           return NodeSession.create.call(this, {
             id: index,
-            crypto: crypto7,
+            crypto: crypto8,
             peerNodeId: NodeId(0),
             peerSessionId: index,
             sharedSecret: Bytes.empty,
@@ -106671,9 +106671,9 @@ var init_MdnsAdvertiser = __esm({
     init_CommissionerMdnsAdvertisement();
     init_OperationalMdnsAdvertisement();
     MdnsAdvertiser = class _MdnsAdvertiser extends Advertiser {
-      constructor(crypto7, server, options) {
+      constructor(crypto8, server, options) {
         super(options?.lifetime);
-        this.crypto = crypto7;
+        this.crypto = crypto8;
         this.server = server;
         this.port = options?.port ?? STANDARD_MATTER_PORT;
         this.omitPrivateDetails = options?.omitPrivateDetails ?? false;
@@ -108118,8 +108118,8 @@ var init_AttestationCertificates = __esm({
        * Sign the certificate using the provided crypto and key.
        * If the certificate is already signed, it throws a CertificateError.
        */
-      async sign(crypto7, key) {
-        this.signature = await crypto7.signEcdsa(key, this.asUnsignedDer());
+      async sign(crypto8, key) {
+        this.signature = await crypto8.signEcdsa(key, this.asUnsignedDer());
       }
     };
     Paa = class _Paa extends AttestationBaseCertificate {
@@ -108168,17 +108168,17 @@ var init_AttestationCertificateManager = __esm({
       #paiCertId = BigInt(1);
       #paiCertBytes;
       #nextCertificateId = 2;
-      constructor(crypto7, vendorId3, paiKeyPair, paiKeyIdentifier) {
-        this.#crypto = crypto7;
+      constructor(crypto8, vendorId3, paiKeyPair, paiKeyIdentifier) {
+        this.#crypto = crypto8;
         this.#vendorId = vendorId3;
         this.#paiKeyPair = paiKeyPair;
         this.#paiKeyIdentifier = paiKeyIdentifier;
         this.#paiCertBytes = this.generatePAICert(vendorId3);
       }
-      static async create(crypto7, vendorId3) {
-        const key = await crypto7.createKeyPair();
-        const identifier = Bytes.of(await crypto7.computeHash(key.publicKey));
-        return new _AttestationCertificateManager(crypto7, vendorId3, key, identifier.slice(0, 20));
+      static async create(crypto8, vendorId3) {
+        const key = await crypto8.createKeyPair();
+        const identifier = Bytes.of(await crypto8.computeHash(key.publicKey));
+        return new _AttestationCertificateManager(crypto8, vendorId3, key, identifier.slice(0, 20));
       }
       getPAICert() {
         return this.#paiCertBytes;
@@ -108324,11 +108324,11 @@ var init_CertificateAuthority = __esm({
       get construction() {
         return this.#construction;
       }
-      static async create(crypto7, options, generateIntermediateCert) {
-        return asyncNew(_CertificateAuthority, crypto7, options, generateIntermediateCert);
+      static async create(crypto8, options, generateIntermediateCert) {
+        return asyncNew(_CertificateAuthority, crypto8, options, generateIntermediateCert);
       }
-      constructor(crypto7, options, generateIntermediateCert) {
-        this.#crypto = crypto7;
+      constructor(crypto8, options, generateIntermediateCert) {
+        this.#crypto = crypto8;
         this.#construction = Construction(this, async () => {
           if (typeof options === "boolean") {
             generateIntermediateCert = options;
@@ -108610,7 +108610,7 @@ var init_CertificationDeclaration = __esm({
        * Generator which is the main usage for the class from outside.
        * It constructs the class with the relevant details and returns a signed ASN.1 DER version of the CD.
        */
-      static generate(crypto7, vendorId3, productId, provisional = false) {
+      static generate(crypto8, vendorId3, productId, provisional = false) {
         const cd = new _CertificationDeclaration(
           {
             formatVersion: 1,
@@ -108626,7 +108626,7 @@ var init_CertificationDeclaration = __esm({
           },
           TestCMS_SignerSubjectKeyIdentifier
         );
-        return cd.asSignedAsn1(crypto7, PrivateKey(TestCMS_SignerPrivateKey));
+        return cd.asSignedAsn1(crypto8, PrivateKey(TestCMS_SignerPrivateKey));
       }
       constructor(content, subjectKeyIdentifier) {
         this.#eContent = CertificationDeclaration.TlvDc.encode(content);
@@ -108635,7 +108635,7 @@ var init_CertificationDeclaration = __esm({
       /**
        * Returns the signed certificate in ASN.1 DER format.
        */
-      async asSignedAsn1(crypto7, privateKey) {
+      async asSignedAsn1(crypto8, privateKey) {
         const cert = {
           version: 3,
           digestAlgorithm: [Shs.SHA256_CMS],
@@ -108646,7 +108646,7 @@ var init_CertificationDeclaration = __esm({
               subjectKeyIdentifier: ContextTaggedBytes(0, this.#subjectKeyIdentifier),
               digestAlgorithm: Shs.SHA256_CMS,
               signatureAlgorithm: X962.EcdsaWithSHA256,
-              signature: (await crypto7.signEcdsa(privateKey, this.#eContent)).der
+              signature: (await crypto8.signEcdsa(privateKey, this.#eContent)).der
             }
           ]
         };
@@ -108684,8 +108684,8 @@ var init_DeviceCertification = __esm({
       get declaration() {
         return this.#assertInitialized().declaration;
       }
-      constructor(crypto7, config10, product) {
-        this.#crypto = crypto7;
+      constructor(crypto8, config10, product) {
+        this.#crypto = crypto8;
         let configProvider;
         if (typeof config10 === "function") {
           configProvider = config10;
@@ -108696,13 +108696,13 @@ var init_DeviceCertification = __esm({
             if (product === void 0) {
               throw new ImplementationError(`Cannot generate device certification without product information`);
             }
-            const paa = await AttestationCertificateManager.create(crypto7, product.vendorId);
+            const paa = await AttestationCertificateManager.create(crypto8, product.vendorId);
             const { keyPair: dacKeyPair, dac } = await paa.getDACert(product.productId);
             return {
               privateKey: PrivateKey(dacKeyPair.privateKey),
               certificate: dac,
               intermediateCertificate: await paa.getPAICert(),
-              declaration: await CertificationDeclaration2.generate(crypto7, product.vendorId, product.productId)
+              declaration: await CertificationDeclaration2.generate(crypto8, product.vendorId, product.productId)
             };
           };
         }
@@ -109493,8 +109493,8 @@ var init_OtaImageReader = __esm({
         return reader.#headerData;
       }
       /** Read and validate the full OTA image file from the stream and returns the header data on success. */
-      static async file(streamReader, crypto7, expectedTotalSize, options) {
-        const reader = new _OtaImageReader(streamReader, crypto7);
+      static async file(streamReader, crypto8, expectedTotalSize, options) {
+        const reader = new _OtaImageReader(streamReader, crypto8);
         if (options?.checksumType !== void 0) {
           reader.#fullFileChecksumType = options.checksumType;
         }
@@ -109528,8 +109528,8 @@ var init_OtaImageReader = __esm({
        * Read and validate OTA file, extracting payload to a writable stream.
        * Returns the header information after successful validation and extraction.
        */
-      static async extractPayload(streamReader, payloadWriter, crypto7, expectedTotalSize) {
-        const reader = new _OtaImageReader(streamReader, crypto7);
+      static async extractPayload(streamReader, payloadWriter, crypto8, expectedTotalSize) {
+        const reader = new _OtaImageReader(streamReader, crypto8);
         const { remainingData } = await reader.#processHeader(false);
         if (reader.#headerData === void 0) {
           throw new InternalError("OTA header not read");
@@ -109545,9 +109545,9 @@ var init_OtaImageReader = __esm({
         }
         return reader.#headerData;
       }
-      constructor(streamReader, crypto7) {
+      constructor(streamReader, crypto8) {
         this.#streamReader = streamReader;
-        this.#crypto = crypto7;
+        this.#crypto = crypto8;
       }
       get totalSize() {
         return this.#totalSize;
@@ -125833,8 +125833,8 @@ var init_VendorIdVerification = __esm({
       }
       VendorIdVerification2.dataToSign = dataToSign;
       async function verify(node, options) {
-        const crypto7 = node.env.get(Crypto);
-        const clientChallenge = crypto7.randomBytes(32);
+        const crypto8 = node.env.get(Crypto);
+        const clientChallenge = crypto8.randomBytes(32);
         const {
           fabric: { fabricIndex }
         } = options;
@@ -125857,7 +125857,7 @@ var init_VendorIdVerification = __esm({
           return void 0;
         }
         const { noc, rcac, fabric } = options;
-        return await verifyData(crypto7, {
+        return await verifyData(crypto8, {
           clientChallenge,
           attChallenge: session.attestationChallengeKey,
           signVerificationResponse,
@@ -125867,7 +125867,7 @@ var init_VendorIdVerification = __esm({
         });
       }
       VendorIdVerification2.verify = verify;
-      async function verifyData(crypto7, options) {
+      async function verifyData(crypto8, options) {
         const {
           clientChallenge,
           attChallenge,
@@ -125893,14 +125893,14 @@ var init_VendorIdVerification = __esm({
           }
         }).signatureData;
         try {
-          await crypto7.verifyEcdsa(PublicKey(rootPublicKey), tbs, new EcdsaSignature(signature));
+          await crypto8.verifyEcdsa(PublicKey(rootPublicKey), tbs, new EcdsaSignature(signature));
           const rootCert = Rcac.fromTlv(rcac);
           const nocCert = Noc.fromTlv(noc);
           const icaCert = icac ? Icac.fromTlv(icac) : void 0;
           if (icaCert !== void 0) {
-            await icaCert.verify(crypto7, rootCert);
+            await icaCert.verify(crypto8, rootCert);
           }
-          await nocCert.verify(crypto7, rootCert, icaCert);
+          await nocCert.verify(crypto8, rootCert, icaCert);
         } catch (error) {
           CryptoError.accept(error);
           logger103.error("Could not verify VendorId", error);
@@ -125930,13 +125930,13 @@ var init_VendorIdVerification = __esm({
               `VVSC SubjectKeyIdentifier does not match signerSkid in VID Verification Statement`
             );
           }
-          await vvscCert.verify(crypto7);
+          await vvscCert.verify(crypto8);
           const ourStatement = createStatementBytes({
             version: vidStatementVersion,
             fabricBindingMessage: tbs,
             signerSkid
           });
-          await crypto7.verifyEcdsa(
+          await crypto8.verifyEcdsa(
             PublicKey(ellipticCurvePublicKey),
             ourStatement,
             new EcdsaSignature(vidStatementSignature)
@@ -130205,8 +130205,8 @@ var init_OtaSoftwareUpdateProviderServer = __esm({
             // the usual bdx session timeout is 5 minutes, so let's use this
           };
         }
-        const crypto7 = this.env.get(Crypto);
-        const updateToken = crypto7.randomBytes(OTA_UPDATE_TOKEN_LENGTH_BYTES);
+        const crypto8 = this.env.get(Crypto);
+        const updateToken = crypto8.randomBytes(OTA_UPDATE_TOKEN_LENGTH_BYTES);
         if (consentRequired && !request.requestorCanConsent) {
           this.#updateInProgressDetails(peerAddress, updateToken, OtaUpdateStatus.WaitForConsent, newSoftwareVersion);
           const { consentState, delayTime = Seconds(120) } = await this.requestUserConsentForUpdate(
@@ -132681,8 +132681,8 @@ var init_OtaSoftwareUpdateRequestorServer = __esm({
         try {
           const blob = await this.downloadLocation.openBlob();
           totalSize = blob.size;
-          const crypto7 = this.env.get(Crypto);
-          const header = await OtaImageReader.file(blob.stream().getReader(), crypto7);
+          const crypto8 = this.env.get(Crypto);
+          const header = await OtaImageReader.file(blob.stream().getReader(), crypto8);
           const { softwareVersion: otaFileSoftwareVersion } = header;
           if (newSoftwareVersion === void 0) {
             const { softwareVersion: currentSoftwareVersion } = this.#basicInformationState();
@@ -141853,9 +141853,9 @@ var init_ServerNetworkRuntime = __esm({
             lifetime: this.construction,
             ...this.owner.state.commissioning.mdns
           };
-          const crypto7 = this.owner.env.get(Crypto);
+          const crypto8 = this.owner.env.get(Crypto);
           const { server } = this.#services.get(MdnsService);
-          this.#mdnsAdvertiser = new MdnsAdvertiser(crypto7, server, { ...options, port });
+          this.#mdnsAdvertiser = new MdnsAdvertiser(crypto8, server, { ...options, port });
         }
         return this.#mdnsAdvertiser;
       }
@@ -145421,14 +145421,14 @@ function rootDirOf(env) {
 function configureCrypto(env) {
   Boot.init(() => {
     if (env.vars.boolean("nodejs.crypto")) {
-      let crypto7;
+      let crypto8;
       if (!isBunjs()) {
-        crypto7 = new NodeJsCrypto();
+        crypto8 = new NodeJsCrypto();
       } else {
-        crypto7 = new StandardCrypto(global.crypto);
+        crypto8 = new StandardCrypto(global.crypto);
       }
-      env.set(Entropy, crypto7);
-      env.set(Crypto, crypto7);
+      env.set(Entropy, crypto8);
+      env.set(Crypto, crypto8);
       return;
     }
     if (Environment.default.has(Entropy)) {
@@ -159417,6 +159417,7 @@ var DimmablePlugInUnitDeviceDefinition = MutableEndpoint({
   )
 });
 Object.freeze(DimmablePlugInUnitDeviceDefinition);
+var DimmablePlugInUnitDevice = DimmablePlugInUnitDeviceDefinition;
 
 // ../../node_modules/.pnpm/@matter+node@0.16.10/node_modules/@matter/node/dist/esm/devices/dimmer-switch.js
 init_IdentifyServer();
@@ -164696,10 +164697,6 @@ import * as path12 from "node:path";
 // src/plugins/plugin-device-factory.ts
 init_esm();
 
-// src/matter/behaviors/basic-information-server.ts
-init_esm7();
-import crypto4 from "node:crypto";
-
 // ../../node_modules/.pnpm/@matter+main@0.16.10/node_modules/@matter/main/dist/esm/behaviors.js
 init_nodejs();
 
@@ -165657,6 +165654,65 @@ init_window_covering();
 init_ClientBehavior();
 var WindowCoveringClientConstructor = ClientBehavior(WindowCovering3.Complete);
 
+// src/matter/behaviors/identify-server.ts
+var IdentifyServer2 = class extends IdentifyServer {
+};
+
+// src/matter/endpoints/validate-endpoint-type.ts
+init_esm();
+init_esm7();
+var logger158 = Logger.get("EndpointValidation");
+function toCamelCase(name) {
+  return name.charAt(0).toLowerCase() + name.slice(1);
+}
+function validateEndpointType(endpointType, entityId) {
+  const deviceTypeModel = Matter.deviceTypes.find(
+    (dt) => dt.id === endpointType.deviceType
+  );
+  if (!deviceTypeModel) {
+    return void 0;
+  }
+  const serverClusterReqs = deviceTypeModel.requirements.filter(
+    (r) => r.element === "serverCluster"
+  );
+  const behaviorKeys = new Set(Object.keys(endpointType.behaviors));
+  const missingMandatory = [];
+  const availableOptional = [];
+  const presentClusters = [];
+  for (const req of serverClusterReqs) {
+    const key = toCamelCase(req.name);
+    if (behaviorKeys.has(key)) {
+      presentClusters.push(req.name);
+    } else if (req.isMandatory) {
+      missingMandatory.push(req.name);
+    } else {
+      availableOptional.push(req.name);
+    }
+  }
+  const prefix = entityId ? `[${entityId}] ` : "";
+  if (missingMandatory.length > 0) {
+    logger158.warn(
+      `${prefix}${deviceTypeModel.name} (0x${endpointType.deviceType.toString(16)}): missing mandatory clusters: ${missingMandatory.join(", ")}`
+    );
+  }
+  if (availableOptional.length > 0) {
+    logger158.debug(
+      `${prefix}${deviceTypeModel.name} (0x${endpointType.deviceType.toString(16)}): optional clusters not used: ${availableOptional.join(", ")}`
+    );
+  }
+  return {
+    deviceTypeName: deviceTypeModel.name,
+    deviceTypeId: endpointType.deviceType,
+    missingMandatory,
+    availableOptional,
+    presentClusters
+  };
+}
+
+// src/plugins/plugin-basic-information-server.ts
+init_esm7();
+import crypto4 from "node:crypto";
+
 // src/services/bridges/bridge-data-provider.ts
 init_service();
 import { values as values2 } from "lodash-es";
@@ -165745,7 +165801,7 @@ var BridgeDataProvider = class extends Service {
 
 // src/utils/apply-patch-state.ts
 init_esm();
-var logger158 = Logger.get("ApplyPatchState");
+var logger159 = Logger.get("ApplyPatchState");
 function applyPatchState(state, patch, options) {
   return applyPatch(state, patch, options?.force);
 }
@@ -165772,23 +165828,23 @@ function applyPatch(state, patch, force = false) {
       if (errorMessage.includes(
         "Endpoint storage inaccessible because endpoint is not a node and is not owned by another endpoint"
       )) {
-        logger158.debug(
+        logger159.debug(
           `Suppressed endpoint storage error, patch not applied: ${JSON.stringify(actualPatch)}`
         );
         return actualPatch;
       }
       if (errorMessage.includes("synchronous-transaction-conflict")) {
-        logger158.warn(
+        logger159.warn(
           `Transaction conflict, state update DROPPED: ${JSON.stringify(actualPatch)}`
         );
         return actualPatch;
       }
       failedKeys.push(key);
-      logger158.warn(`Failed to set property '${key}': ${errorMessage}`);
+      logger159.warn(`Failed to set property '${key}': ${errorMessage}`);
     }
   }
   if (failedKeys.length > 0) {
-    logger158.warn(
+    logger159.warn(
       `${failedKeys.length} properties failed to update: [${failedKeys.join(", ")}]`
     );
   }
@@ -165811,56 +165867,6 @@ function deepEqual(a, b) {
   return a === b;
 }
 
-// src/matter/behaviors/basic-information-server.ts
-init_home_assistant_entity_behavior();
-var BasicInformationServer2 = class extends BridgedDeviceBasicInformationServer {
-  async initialize() {
-    await super.initialize();
-    const homeAssistant = await this.agent.load(HomeAssistantEntityBehavior);
-    this.update(homeAssistant.entity);
-    this.reactTo(homeAssistant.onChange, this.update);
-  }
-  update(entity) {
-    if (!entity.state) {
-      return;
-    }
-    const { basicInformation } = this.env.get(BridgeDataProvider);
-    const homeAssistant = this.agent.get(HomeAssistantEntityBehavior);
-    const device = entity.deviceRegistry;
-    applyPatchState(this.state, {
-      vendorId: VendorId(basicInformation.vendorId),
-      vendorName: ellipse(32, device?.manufacturer) ?? hash(32, basicInformation.vendorName),
-      productName: ellipse(32, device?.model_id) ?? ellipse(32, device?.model) ?? hash(32, basicInformation.productName),
-      productLabel: ellipse(64, device?.model) ?? hash(64, basicInformation.productLabel),
-      hardwareVersion: basicInformation.hardwareVersion,
-      softwareVersion: basicInformation.softwareVersion,
-      hardwareVersionString: ellipse(64, device?.hw_version),
-      softwareVersionString: ellipse(64, device?.sw_version),
-      nodeLabel: ellipse(32, homeAssistant.state.customName) ?? ellipse(32, entity.state?.attributes?.friendly_name) ?? ellipse(32, entity.entity_id),
-      reachable: entity.state?.state != null && entity.state.state !== "unavailable",
-      // The device serial number is available in `device?.serial_number`, but
-      // we're keeping it as the entity ID for now to avoid breaking existing
-      // deployments.
-      serialNumber: hash(32, entity.entity_id),
-      // UniqueId helps controllers (especially Alexa) identify devices across
-      // multiple fabric connections. Using MD5 hash of entity_id for stability.
-      uniqueId: crypto4.createHash("md5").update(entity.entity_id).digest("hex").substring(0, 32)
-    });
-  }
-};
-function ellipse(maxLength, value) {
-  return trimToLength(value, maxLength, "...");
-}
-function hash(maxLength, value) {
-  const hashLength = 4;
-  const suffix = crypto4.createHash("md5").update(value ?? "").digest("hex").substring(0, hashLength);
-  return trimToLength(value, maxLength, suffix);
-}
-
-// src/matter/behaviors/identify-server.ts
-var IdentifyServer2 = class extends IdentifyServer {
-};
-
 // src/plugins/plugin-behavior.ts
 init_esm7();
 var PluginDeviceBehavior = class extends Behavior {
@@ -165884,72 +165890,142 @@ var PluginDeviceBehavior = class extends Behavior {
   PluginDeviceBehavior2.Events = Events2;
 })(PluginDeviceBehavior || (PluginDeviceBehavior = {}));
 
+// src/plugins/plugin-basic-information-server.ts
+var PluginBasicInformationServer = class extends BridgedDeviceBasicInformationServer {
+  async initialize() {
+    await super.initialize();
+    const pluginDevice = this.agent.get(PluginDeviceBehavior);
+    const device = pluginDevice.device;
+    const { basicInformation } = this.env.get(BridgeDataProvider);
+    applyPatchState(this.state, {
+      vendorId: VendorId(basicInformation.vendorId),
+      vendorName: truncate(32, pluginDevice.pluginName),
+      productName: truncate(32, device.deviceType),
+      nodeLabel: truncate(32, device.name),
+      serialNumber: crypto4.createHash("md5").update(`plugin_${device.id}`).digest("hex").substring(0, 32),
+      uniqueId: crypto4.createHash("md5").update(`plugin_${device.id}`).digest("hex").substring(0, 32),
+      reachable: true
+    });
+  }
+};
+function truncate(maxLength, value) {
+  if (value.length <= maxLength) return value;
+  return `${value.substring(0, maxLength - 3)}...`;
+}
+
 // src/plugins/plugin-device-factory.ts
-var logger159 = Logger.get("PluginDeviceFactory");
+var logger160 = Logger.get("PluginDeviceFactory");
 var deviceTypeMap = {
   on_off_light: () => OnOffLightDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   dimmable_light: () => DimmableLightDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  color_temperature_light: () => ColorTemperatureLightDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  extended_color_light: () => ExtendedColorLightDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   on_off_plugin_unit: () => OnOffPlugInUnitDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  dimmable_plug_in_unit: () => DimmablePlugInUnitDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   temperature_sensor: () => TemperatureSensorDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   humidity_sensor: () => HumiditySensorDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  pressure_sensor: () => PressureSensorDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  flow_sensor: () => FlowSensorDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   light_sensor: () => LightSensorDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   occupancy_sensor: () => OccupancySensorDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   contact_sensor: () => ContactSensorDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  air_quality_sensor: () => AirQualitySensorDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   thermostat: () => ThermostatDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   door_lock: () => DoorLockDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   ),
   fan: () => FanDevice.with(
     IdentifyServer2,
-    BasicInformationServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  window_covering: () => WindowCoveringDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  generic_switch: () => GenericSwitchDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
+    PluginDeviceBehavior
+  ),
+  water_leak_detector: () => WaterLeakDetectorDevice.with(
+    IdentifyServer2,
+    PluginBasicInformationServer,
     PluginDeviceBehavior
   )
 };
 function createPluginEndpointType(deviceType) {
   const factory = deviceTypeMap[deviceType];
   if (!factory) {
-    logger159.warn(`Unsupported plugin device type: "${deviceType}"`);
+    logger160.warn(`Unsupported plugin device type: "${deviceType}"`);
     return void 0;
   }
-  return factory();
+  const endpoint = factory();
+  validateEndpointType(endpoint, `plugin:${deviceType}`);
+  return endpoint;
 }
 function getSupportedPluginDeviceTypes() {
   return Object.keys(deviceTypeMap);
@@ -165959,11 +166035,13 @@ function getSupportedPluginDeviceTypes() {
 init_esm();
 import * as fs10 from "node:fs";
 import * as path11 from "node:path";
-var logger160 = Logger.get("PluginStorage");
+var logger161 = Logger.get("PluginStorage");
+var SAVE_DEBOUNCE_MS = 500;
 var FilePluginStorage = class {
   data = {};
   dirty = false;
   filePath;
+  saveTimer;
   constructor(storageDir, pluginName) {
     const safePluginName = pluginName.replace(/[^a-zA-Z0-9_-]/g, "_");
     this.filePath = path11.join(storageDir, `plugin-${safePluginName}.json`);
@@ -165976,12 +166054,12 @@ var FilePluginStorage = class {
   async set(key, value) {
     this.data[key] = value;
     this.dirty = true;
-    this.save();
+    this.scheduleSave();
   }
   async delete(key) {
     delete this.data[key];
     this.dirty = true;
-    this.save();
+    this.scheduleSave();
   }
   async keys() {
     return Object.keys(this.data);
@@ -165993,12 +166071,20 @@ var FilePluginStorage = class {
         this.data = JSON.parse(raw);
       }
     } catch (e) {
-      logger160.warn(`Failed to load plugin storage from ${this.filePath}:`, e);
+      logger161.warn(`Failed to load plugin storage from ${this.filePath}:`, e);
       this.data = {};
     }
   }
+  scheduleSave() {
+    if (this.saveTimer) clearTimeout(this.saveTimer);
+    this.saveTimer = setTimeout(() => this.save(), SAVE_DEBOUNCE_MS);
+  }
   save() {
     if (!this.dirty) return;
+    if (this.saveTimer) {
+      clearTimeout(this.saveTimer);
+      this.saveTimer = void 0;
+    }
     try {
       const dir = path11.dirname(this.filePath);
       if (!fs10.existsSync(dir)) {
@@ -166007,14 +166093,17 @@ var FilePluginStorage = class {
       fs10.writeFileSync(this.filePath, JSON.stringify(this.data, null, 2));
       this.dirty = false;
     } catch (e) {
-      logger160.warn(`Failed to save plugin storage to ${this.filePath}:`, e);
+      logger161.warn(`Failed to save plugin storage to ${this.filePath}:`, e);
     }
   }
+  flush() {
+    this.save();
+  }
 };
 
 // src/plugins/safe-plugin-runner.ts
 init_esm();
-var logger161 = Logger.get("SafePluginRunner");
+var logger162 = Logger.get("SafePluginRunner");
 var DEFAULT_TIMEOUT_MS = 1e4;
 var CIRCUIT_BREAKER_THRESHOLD = 3;
 var SafePluginRunner = class {
@@ -166047,7 +166136,7 @@ var SafePluginRunner = class {
   async run(pluginName, operation, fn, timeoutMs = DEFAULT_TIMEOUT_MS) {
     const state = this.getState(pluginName);
     if (state.disabled) {
-      logger161.debug(
+      logger162.debug(
         `Plugin "${pluginName}" is disabled (circuit breaker open), skipping ${operation}`
       );
       return void 0;
@@ -166065,13 +166154,13 @@ var SafePluginRunner = class {
       timeout.clear();
       state.failures++;
       state.lastError = error instanceof Error ? error.message : String(error);
-      logger161.error(
+      logger162.error(
         `Plugin "${pluginName}" failed during ${operation} (failure ${state.failures}/${CIRCUIT_BREAKER_THRESHOLD}): ${state.lastError}`
       );
       if (state.failures >= CIRCUIT_BREAKER_THRESHOLD) {
         state.disabled = true;
         state.disabledAt = Date.now();
-        logger161.error(
+        logger162.error(
           `Plugin "${pluginName}" DISABLED after ${CIRCUIT_BREAKER_THRESHOLD} consecutive failures. Last error: ${state.lastError}`
         );
       }
@@ -166093,13 +166182,13 @@ var SafePluginRunner = class {
     } catch (error) {
       state.failures++;
       state.lastError = error instanceof Error ? error.message : String(error);
-      logger161.error(
+      logger162.error(
         `Plugin "${pluginName}" failed during ${operation} (sync, failure ${state.failures}/${CIRCUIT_BREAKER_THRESHOLD}): ${state.lastError}`
       );
       if (state.failures >= CIRCUIT_BREAKER_THRESHOLD) {
         state.disabled = true;
         state.disabledAt = Date.now();
-        logger161.error(
+        logger162.error(
           `Plugin "${pluginName}" DISABLED after ${CIRCUIT_BREAKER_THRESHOLD} consecutive failures.`
         );
       }
@@ -166125,12 +166214,16 @@ var SafePluginRunner = class {
 };
 
 // src/plugins/plugin-manager.ts
-var logger162 = Logger.get("PluginManager");
+var logger163 = Logger.get("PluginManager");
+var PLUGIN_API_VERSION = 1;
+var MAX_PLUGIN_DEVICE_ID_LENGTH = 100;
 function validatePluginDevice(device) {
   if (!device || typeof device !== "object") return "device must be an object";
   const d = device;
   if (!d.id || typeof d.id !== "string")
     return "device.id must be a non-empty string";
+  if (d.id.length > MAX_PLUGIN_DEVICE_ID_LENGTH)
+    return `device.id too long (${d.id.length} chars, max ${MAX_PLUGIN_DEVICE_ID_LENGTH})`;
   if (!d.name || typeof d.name !== "string")
     return "device.name must be a non-empty string";
   if (!d.deviceType || typeof d.deviceType !== "string")
@@ -166197,6 +166290,11 @@ var PluginManager = class {
       if (!manifest.main || typeof manifest.main !== "string") {
         throw new Error(`Plugin at ${packagePath} package.json missing "main"`);
       }
+      if (manifest.hamhPluginApiVersion != null && manifest.hamhPluginApiVersion !== PLUGIN_API_VERSION) {
+        logger163.warn(
+          `Plugin "${manifest.name}" declares API version ${manifest.hamhPluginApiVersion}, current is ${PLUGIN_API_VERSION}. It may not work correctly.`
+        );
+      }
       const module = await this.runner.run(
         manifest.name,
         "import",
@@ -166224,7 +166322,7 @@ var PluginManager = class {
       };
       await this.register(plugin, metadata);
     } catch (e) {
-      logger162.error(`Failed to load external plugin from ${packagePath}:`, e);
+      logger163.error(`Failed to load external plugin from ${packagePath}:`, e);
       throw e;
     }
   }
@@ -166285,7 +166383,7 @@ var PluginManager = class {
       devices,
       started: false
     });
-    logger162.info(
+    logger163.info(
       `Registered plugin: ${plugin.name} v${plugin.version} (${metadata.source})`
     );
   }
@@ -166296,13 +166394,13 @@ var PluginManager = class {
     for (const [name, instance] of this.instances) {
       if (!instance.metadata.enabled) continue;
       if (this.runner.isDisabled(name)) {
-        logger162.warn(
+        logger163.warn(
           `Plugin "${name}" is disabled (circuit breaker), skipping start`
         );
         instance.metadata.enabled = false;
         continue;
       }
-      logger162.info(`Starting plugin: ${name}`);
+      logger163.info(`Starting plugin: ${name}`);
       await this.runner.run(
         name,
         "onStart",
@@ -166345,8 +166443,12 @@ var PluginManager = class {
           () => instance.plugin.onShutdown(reason)
         );
       }
+      const storage2 = instance.context.storage;
+      if (storage2 instanceof FilePluginStorage) {
+        storage2.flush();
+      }
       instance.started = false;
-      logger162.info(`Plugin "${name}" shut down`);
+      logger163.info(`Plugin "${name}" shut down`);
     }
     this.instances.clear();
   }
@@ -167308,13 +167410,61 @@ function testBit(value, bitValue) {
   return !!(value & bitValue);
 }
 
+// src/matter/behaviors/basic-information-server.ts
+init_esm7();
+import crypto6 from "node:crypto";
+init_home_assistant_entity_behavior();
+var BasicInformationServer2 = class extends BridgedDeviceBasicInformationServer {
+  async initialize() {
+    await super.initialize();
+    const homeAssistant = await this.agent.load(HomeAssistantEntityBehavior);
+    this.update(homeAssistant.entity);
+    this.reactTo(homeAssistant.onChange, this.update);
+  }
+  update(entity) {
+    if (!entity.state) {
+      return;
+    }
+    const { basicInformation } = this.env.get(BridgeDataProvider);
+    const homeAssistant = this.agent.get(HomeAssistantEntityBehavior);
+    const device = entity.deviceRegistry;
+    applyPatchState(this.state, {
+      vendorId: VendorId(basicInformation.vendorId),
+      vendorName: ellipse(32, device?.manufacturer) ?? hash(32, basicInformation.vendorName),
+      productName: ellipse(32, device?.model_id) ?? ellipse(32, device?.model) ?? hash(32, basicInformation.productName),
+      productLabel: ellipse(64, device?.model) ?? hash(64, basicInformation.productLabel),
+      hardwareVersion: basicInformation.hardwareVersion,
+      softwareVersion: basicInformation.softwareVersion,
+      hardwareVersionString: ellipse(64, device?.hw_version),
+      softwareVersionString: ellipse(64, device?.sw_version),
+      nodeLabel: ellipse(32, homeAssistant.state.customName) ?? ellipse(32, entity.state?.attributes?.friendly_name) ?? ellipse(32, entity.entity_id),
+      reachable: entity.state?.state != null && entity.state.state !== "unavailable",
+      // The device serial number is available in `device?.serial_number`, but
+      // we're keeping it as the entity ID for now to avoid breaking existing
+      // deployments.
+      serialNumber: hash(32, entity.entity_id),
+      // UniqueId helps controllers (especially Alexa) identify devices across
+      // multiple fabric connections. Using MD5 hash of entity_id for stability.
+      uniqueId: crypto6.createHash("md5").update(entity.entity_id).digest("hex").substring(0, 32)
+    });
+  }
+};
+function ellipse(maxLength, value) {
+  return trimToLength(value, maxLength, "...");
+}
+function hash(maxLength, value) {
+  const hashLength = 4;
+  const suffix = crypto6.createHash("md5").update(value ?? "").digest("hex").substring(0, hashLength);
+  return trimToLength(value, maxLength, suffix);
+}
+
 // src/matter/endpoints/composed/composed-air-purifier-endpoint.ts
 init_home_assistant_entity_behavior();
 
 // src/matter/behaviors/humidity-measurement-server.ts
 init_esm();
 init_home_assistant_entity_behavior();
-var logger163 = Logger.get("HumidityMeasurementServer");
+var logger164 = Logger.get("HumidityMeasurementServer");
 var HumidityMeasurementServerBase = class extends RelativeHumidityMeasurementServer {
   async initialize() {
     await super.initialize();
@@ -167327,7 +167477,7 @@ var HumidityMeasurementServerBase = class extends RelativeHumidityMeasurementSer
       return;
     }
     const humidity = this.getHumidity(this.state.config, entity.state);
-    logger163.debug(
+    logger164.debug(
       `Humidity ${entity.state.entity_id} raw=${entity.state.state} measuredValue=${humidity}`
     );
     applyPatchState(this.state, {
@@ -167363,7 +167513,7 @@ init_clusters();
 
 // src/matter/behaviors/power-source-server.ts
 init_home_assistant_entity_behavior();
-var logger164 = Logger.get("PowerSourceServer");
+var logger165 = Logger.get("PowerSourceServer");
 var FeaturedBase = PowerSourceServer.with("Battery", "Rechargeable");
 var PowerSourceServerBase = class extends FeaturedBase {
   async initialize() {
@@ -167375,17 +167525,17 @@ var PowerSourceServerBase = class extends FeaturedBase {
       applyPatchState(this.state, {
         endpointList: [endpointNumber]
       });
-      logger164.debug(
+      logger165.debug(
         `[${entityId}] PowerSource initialized with endpointList=[${endpointNumber}]`
       );
     } else {
-      logger164.warn(
+      logger165.warn(
         `[${entityId}] PowerSource endpoint number is null during initialize - endpointList will be empty!`
       );
     }
     const batteryEntity = homeAssistant.state.mapping?.batteryEntity;
     if (batteryEntity) {
-      logger164.debug(
+      logger165.debug(
         `[${entityId}] PowerSource using mapped battery entity: ${batteryEntity}`
       );
     }
@@ -167692,7 +167842,7 @@ var OPTIMISTIC_TOLERANCE = 5;
 function notifyLightTurnedOn(entityId) {
   lastTurnOnTimestamps.set(entityId, Date.now());
 }
-var logger165 = Logger.get("LevelControlServer");
+var logger166 = Logger.get("LevelControlServer");
 var FeaturedBase3 = LevelControlServer.with("OnOff", "Lighting");
 var LevelControlServerBase = class extends FeaturedBase3 {
   pendingTransitionTime;
@@ -167707,12 +167857,12 @@ var LevelControlServerBase = class extends FeaturedBase3 {
       this.state.maxLevel = 254;
     }
     this.state.onLevel = null;
-    logger165.debug(`initialize: calling super.initialize()`);
+    logger166.debug(`initialize: calling super.initialize()`);
     try {
       await super.initialize();
-      logger165.debug(`initialize: super.initialize() completed successfully`);
+      logger166.debug(`initialize: super.initialize() completed successfully`);
     } catch (error) {
-      logger165.error(`initialize: super.initialize() FAILED:`, error);
+      logger166.error(`initialize: super.initialize() FAILED:`, error);
       throw error;
     }
     const homeAssistant = await this.agent.load(HomeAssistantEntityBehavior);
@@ -167788,7 +167938,7 @@ var LevelControlServerBase = class extends FeaturedBase3 {
     const timeSinceTurnOn = lastTurnOn ? Date.now() - lastTurnOn : Infinity;
     const isMaxBrightness = level >= this.maxLevel;
     if (isMaxBrightness && timeSinceTurnOn < 200) {
-      logger165.debug(
+      logger166.debug(
         `[${entityId}] Ignoring moveToLevel(${level}) - Alexa brightness reset detected (${timeSinceTurnOn}ms after turn-on)`
       );
       return;
@@ -167831,7 +167981,7 @@ function LevelControlServer2(config10) {
 }
 
 // src/matter/behaviors/on-off-server.ts
-var logger166 = Logger.get("OnOffServer");
+var logger167 = Logger.get("OnOffServer");
 var optimisticOnOffState = /* @__PURE__ */ new Map();
 var OPTIMISTIC_TIMEOUT_MS2 = 3e3;
 var OnOffServerBase = class extends OnOffServer {
@@ -167869,7 +168019,7 @@ var OnOffServerBase = class extends OnOffServer {
     const action = turnOn?.(void 0, this.agent) ?? {
       action: "homeassistant.turn_on"
     };
-    logger166.info(`[${homeAssistant.entityId}] Turning ON -> ${action.action}`);
+    logger167.info(`[${homeAssistant.entityId}] Turning ON -> ${action.action}`);
     notifyLightTurnedOn(homeAssistant.entityId);
     applyPatchState(this.state, { onOff: true });
     optimisticOnOffState.set(homeAssistant.entityId, {
@@ -167891,7 +168041,7 @@ var OnOffServerBase = class extends OnOffServer {
     const action = turnOff?.(void 0, this.agent) ?? {
       action: "homeassistant.turn_off"
     };
-    logger166.info(`[${homeAssistant.entityId}] Turning OFF -> ${action.action}`);
+    logger167.info(`[${homeAssistant.entityId}] Turning OFF -> ${action.action}`);
     applyPatchState(this.state, { onOff: false });
     optimisticOnOffState.set(homeAssistant.entityId, {
       expectedOnOff: false,
@@ -167922,7 +168072,7 @@ function setOptimisticOnOff(entityId, expectedOnOff) {
 }
 
 // src/matter/behaviors/fan-control-server.ts
-var logger167 = Logger.get("FanControlServer");
+var logger168 = Logger.get("FanControlServer");
 var defaultStepSize = 33.33;
 var minSpeedMax = 3;
 var maxSpeedMax = 100;
@@ -168281,7 +168431,7 @@ var FanControlServerBase = class extends FeaturedBase4 {
       const entityId = this.agent.get(HomeAssistantEntityBehavior).entity.entity_id;
       setOptimisticOnOff(entityId, on);
     } catch (e) {
-      logger167.debug(
+      logger168.debug(
         `syncOnOff(${on}) failed: ${e instanceof Error ? e.message : String(e)}`
       );
     }
@@ -168369,7 +168519,7 @@ var FanOnOffServer = OnOffServer2({
 });
 
 // src/matter/endpoints/composed/composed-air-purifier-endpoint.ts
-var logger168 = Logger.get("ComposedAirPurifierEndpoint");
+var logger169 = Logger.get("ComposedAirPurifierEndpoint");
 function createTemperatureConfig(temperatureEntityId) {
   return {
     getValue(_entity, agent) {
@@ -168527,7 +168677,7 @@ var ComposedAirPurifierEndpoint = class _ComposedAirPurifierEndpoint extends End
       config10.humidityEntityId ? "+Hum" : "",
       config10.batteryEntityId ? "+Bat" : ""
     ].filter(Boolean).join("");
-    logger168.info(`Created air purifier ${primaryEntityId}: ${clusterLabels}`);
+    logger169.info(`Created air purifier ${primaryEntityId}: ${clusterLabels}`);
     return endpoint;
   }
   constructor(type, entityId, id, trackedEntityIds, mappedEntityIds) {
@@ -168623,7 +168773,7 @@ init_home_assistant_entity_behavior();
 // src/matter/behaviors/pressure-measurement-server.ts
 init_esm();
 init_home_assistant_entity_behavior();
-var logger169 = Logger.get("PressureMeasurementServer");
+var logger170 = Logger.get("PressureMeasurementServer");
 var MIN_PRESSURE = 300;
 var MAX_PRESSURE = 1100;
 var PressureMeasurementServerBase = class extends PressureMeasurementServer {
@@ -168651,7 +168801,7 @@ var PressureMeasurementServerBase = class extends PressureMeasurementServer {
     }
     const rounded = Math.round(value);
     if (rounded < MIN_PRESSURE || rounded > MAX_PRESSURE) {
-      logger169.warn(
+      logger170.warn(
         `Pressure value ${rounded} (raw: ${value}) for ${entity.entity_id} is outside valid range [${MIN_PRESSURE}-${MAX_PRESSURE}], ignoring`
       );
       return null;
@@ -168670,7 +168820,7 @@ function PressureMeasurementServer2(config10) {
 }
 
 // src/matter/endpoints/composed/composed-sensor-endpoint.ts
-var logger170 = Logger.get("ComposedSensorEndpoint");
+var logger171 = Logger.get("ComposedSensorEndpoint");
 var temperatureConfig = {
   getValue(entity, agent) {
     const fallbackUnit = agent.env.get(HomeAssistantConfig).unitSystem.temperature;
@@ -168834,7 +168984,7 @@ var ComposedSensorEndpoint = class _ComposedSensorEndpoint extends Endpoint {
     if (config10.pressureEntityId && pressSub) {
       endpoint.subEndpoints.set(config10.pressureEntityId, pressSub);
     }
-    logger170.info(
+    logger171.info(
       `Created composed sensor ${primaryEntityId} with ${parts.length} sub-endpoint(s): T${humSub ? "+H" : ""}${pressSub ? "+P" : ""}${config10.batteryEntityId ? "+Bat" : ""}`
     );
     return endpoint;
@@ -168902,57 +169052,6 @@ var ComposedSensorEndpoint = class _ComposedSensorEndpoint extends Endpoint {
   }
 };
 
-// src/matter/endpoints/validate-endpoint-type.ts
-init_esm();
-init_esm7();
-var logger171 = Logger.get("EndpointValidation");
-function toCamelCase(name) {
-  return name.charAt(0).toLowerCase() + name.slice(1);
-}
-function validateEndpointType(endpointType, entityId) {
-  const deviceTypeModel = Matter.deviceTypes.find(
-    (dt) => dt.id === endpointType.deviceType
-  );
-  if (!deviceTypeModel) {
-    return void 0;
-  }
-  const serverClusterReqs = deviceTypeModel.requirements.filter(
-    (r) => r.element === "serverCluster"
-  );
-  const behaviorKeys = new Set(Object.keys(endpointType.behaviors));
-  const missingMandatory = [];
-  const availableOptional = [];
-  const presentClusters = [];
-  for (const req of serverClusterReqs) {
-    const key = toCamelCase(req.name);
-    if (behaviorKeys.has(key)) {
-      presentClusters.push(req.name);
-    } else if (req.isMandatory) {
-      missingMandatory.push(req.name);
-    } else {
-      availableOptional.push(req.name);
-    }
-  }
-  const prefix = entityId ? `[${entityId}] ` : "";
-  if (missingMandatory.length > 0) {
-    logger171.warn(
-      `${prefix}${deviceTypeModel.name} (0x${endpointType.deviceType.toString(16)}): missing mandatory clusters: ${missingMandatory.join(", ")}`
-    );
-  }
-  if (availableOptional.length > 0) {
-    logger171.debug(
-      `${prefix}${deviceTypeModel.name} (0x${endpointType.deviceType.toString(16)}): optional clusters not used: ${availableOptional.join(", ")}`
-    );
-  }
-  return {
-    deviceTypeName: deviceTypeModel.name,
-    deviceTypeId: endpointType.deviceType,
-    missingMandatory,
-    availableOptional,
-    presentClusters
-  };
-}
-
 // src/matter/endpoints/legacy/air-purifier/index.ts
 init_dist();
 init_home_assistant_entity_behavior();
@@ -177954,7 +178053,7 @@ var LegacyEndpoint = class _LegacyEndpoint extends EntityEndpoint {
 
 // src/services/home-assistant/api/subscribe-entities.ts
 init_esm();
-import crypto6 from "node:crypto";
+import crypto7 from "node:crypto";
 import {
   getCollection
 } from "home-assistant-js-websocket";
@@ -178038,7 +178137,7 @@ var subscribeUpdates = (conn, store, entityIds) => {
   });
 };
 function createEntitiesHash(entityIds) {
-  return crypto6.createHash("sha256").update(entityIds.join(",")).digest("hex").substring(0, 16);
+  return crypto7.createHash("sha256").update(entityIds.join(",")).digest("hex").substring(0, 16);
 }
 var entitiesColl = (conn, entityIds) => {
   if (atLeastHaVersion(conn.haVersion, 2022, 4, 0)) {