Summary
The IAS Zone zone_state attribute (0x0000) is sometimes persisted as Not_enrolled (0) in the appdb / diagnostics dumps, even when the device is actually enrolled and reporting status normally. Because the cached value is reused on every restart (only_cache=True), the bad value sticks indefinitely.
Root cause
In IASZoneClusterHandler.async_configure() (zha/zigbee/cluster_handlers/security.py:361-400):
await self.bind()await self.write_attributes_safe({cie_addr: ieee}) — per ZCL spec, writing CIE address can transition the device back to Not_enrolled until enrollment completesself._cluster.create_catching_task(self.enroll_response(...)) — fire-and-forget, not awaited- Returns
Then async_initialize() runs, and zone_state (in ZCL_INIT_ATTRS with cached=True) is read from the device because the cache is empty (fresh pair) or wiped (re-interview). The read can race the proactive enroll_response, so the device returns 0 (Not_enrolled). That value is cached, persisted to appdb via AttributeReadEvent, and reused forever.
ZHA's cluster_command handler for the device-initiated enroll command (security.py:353-359) sends enroll_response but does not trigger a re-read of zone_state, so even when enrollment subsequently completes, the cached value isn't refreshed.
Why both fresh pair and re-interview are affected
- Fresh pair: Cache is empty → reads from device → race. After successful enrollment via the device's own
enroll command, no re-read happens, so the stale 0 persists in the appdb.
- Re-interview: zigpy's
_device_reinterviewed cascade-deletes the old attribute cache, so the new shadow device starts with empty cache and goes through the same race. Worse, re-interview re-writes cie_addr on a device that was already enrolled, which on spec-compliant devices forces them back to Not_enrolled until the new enroll handshake completes — and the device usually doesn't initiate a new enroll after re-interview, so the proactive enroll_response is the only path back. If the read beats it, 0 sticks again.
- Restart:
async_initialize(from_cache=True) reads zone_state cache-only, so a previously-bad value is never re-validated.
Note
ZHA itself doesn't consume zone_state for any entity — it's effectively diagnostics-only data, but it's misleading in dumps and bug reports.
Possible fixes
await the enroll response task instead of create_catching_task, then re-read zone_state so the post-enroll value is what gets cached.- Re-read
zone_state in the response task itself — wrap the proactive enroll into a small helper that sends the response and then reads the attribute back.
- Re-read
zone_state in cluster_command when the device initiates an enroll, so even devices that take their time to send enroll get a fresh value cached.
- Drop
zone_state from ZCL_INIT_ATTRS — nothing in ZHA uses it, and on-demand reads would avoid persisting stale state.
Likely the cleanest is a combination of (2) and (3): always re-read after replying with enroll_response.
Summary
The IAS Zone
zone_stateattribute (0x0000) is sometimes persisted asNot_enrolled(0) in the appdb / diagnostics dumps, even when the device is actually enrolled and reporting status normally. Because the cached value is reused on every restart (only_cache=True), the bad value sticks indefinitely.Root cause
In
IASZoneClusterHandler.async_configure()(zha/zigbee/cluster_handlers/security.py:361-400):await self.bind()await self.write_attributes_safe({cie_addr: ieee})— per ZCL spec, writing CIE address can transition the device back toNot_enrolleduntil enrollment completesself._cluster.create_catching_task(self.enroll_response(...))— fire-and-forget, not awaitedThen
async_initialize()runs, andzone_state(inZCL_INIT_ATTRSwithcached=True) is read from the device because the cache is empty (fresh pair) or wiped (re-interview). The read can race the proactiveenroll_response, so the device returns0(Not_enrolled). That value is cached, persisted to appdb viaAttributeReadEvent, and reused forever.ZHA's
cluster_commandhandler for the device-initiatedenrollcommand (security.py:353-359) sendsenroll_responsebut does not trigger a re-read ofzone_state, so even when enrollment subsequently completes, the cached value isn't refreshed.Why both fresh pair and re-interview are affected
enrollcommand, no re-read happens, so the stale0persists in the appdb._device_reinterviewedcascade-deletes the old attribute cache, so the new shadow device starts with empty cache and goes through the same race. Worse, re-interview re-writescie_addron a device that was already enrolled, which on spec-compliant devices forces them back toNot_enrolleduntil the new enroll handshake completes — and the device usually doesn't initiate a newenrollafter re-interview, so the proactiveenroll_responseis the only path back. If the read beats it,0sticks again.async_initialize(from_cache=True)readszone_statecache-only, so a previously-bad value is never re-validated.Note
ZHA itself doesn't consume
zone_statefor any entity — it's effectively diagnostics-only data, but it's misleading in dumps and bug reports.Possible fixes
awaitthe enroll response task instead ofcreate_catching_task, then re-readzone_stateso the post-enroll value is what gets cached.zone_statein the response task itself — wrap the proactive enroll into a small helper that sends the response and then reads the attribute back.zone_stateincluster_commandwhen the device initiates anenroll, so even devices that take their time to sendenrollget a fresh value cached.zone_statefromZCL_INIT_ATTRS— nothing in ZHA uses it, and on-demand reads would avoid persisting stale state.Likely the cleanest is a combination of (2) and (3): always re-read after replying with
enroll_response.