CCSDS File Delivery Protocol - CfdpManager by Brian-Campuzano · Pull Request #5138 · nasa/fprime

Brian-Campuzano · 2026-05-11T19:39:51Z


*Related Issue(s)*	#2768
*Has Unit Tests (y/n)*	y
*Documentation Included (y/n)*	y
*Generative AI was used in this contribution (y/n)*	y

Change Description

This PR adds the CfdpManager component, an F´ implementation of the CCSDS File Delivery Protocol (CFDP) standard ported from NASA's Core Flight System (cFS) CFDP Application v3.0.0. CfdpManager provides both Class 1 (unacknowledged) and Class 2 (acknowledged) file transfer capabilities, designed to replace the standard FileUplink and FileDownlink components with guaranteed file delivery support.

Attribution and License:

Substantial portions ported from: NASA Core Flight System (cFS) CFDP (CF) Application v3.0.0
Original License: Apache License 2.0
Original Copyright: Copyright (c) 2019 United States Government as represented by the Administrator of the National Aeronautics and Space Administration
NASA Docket: GSC-18,447-1

Ported components (retain original NASA copyright):

Core CFDP engine and transaction management logic (Engine.cpp, Transaction.hpp, TransactionTx.cpp, TransactionRx.cpp)
Protocol state machines for transmit and receive operations
Utility functions for file handling and resource management (Utils.cpp, Channel.cpp)
Chunk and gap tracking for Class 2 transfers (Chunk.cpp, Clist.cpp)

New F´-specific implementations:

CfdpManager component wrapper with F´ ports, commands, events, telemetry, and parameters
Object-oriented PDU encoding/decoding classes based on F´ Serializable interface
Timer implementation using F´ time primitives
FileHandlingCfdp subtopology for integration

See ATTRIBUTION.md for complete file-by-file attribution breakdown.

Summary of changes:

Full PDU support: Metadata, FileData, EOF, FIN, ACK, NAK
Multi-channel support with configurable throttling and timer parameters
Port-based file transfer interface compatible with existing F´ components (e.g., DpCatalog)
Comprehensive unit tests covering Class 1/2 transactions, PDU handling, and edge cases
Complete SDD documentation with architecture diagrams, sequence diagrams, and usage examples

Rationale

Current F´ file transfer components (FileUplink/FileDownlink) lack reliable delivery guarantees over lossy or intermittent links, automatic retransmission and gap detection, and industry-standard CFDP protocol compliance required for interoperability with ground systems and other spacecraft.

CfdpManager addresses these gaps by implementing the CCSDS CFDP standard, which is specifically designed for space missions with long propagation delays, high error rates, and disruption-tolerant requirements. By porting NASA's proven CF application from cFS, this implementation leverages flight-proven CFDP logic while adapting it to F´'s architecture and component model.

Testing/Review Recommendations

Unit Test Coverage:

CfdpManagerTester.cpp: Component-level tests with Class 1/2 TX/RX transactions, NAK handling, timer expiration, and throttling
PduTester.cpp: PDU serialization/deserialization tests for all PDU types

Areas to focus on:

Port connections & buffer management: Verify buffer allocation/deallocation patterns in uplink/downlink paths (particularly dataOut/dataReturnIn and bufferAllocate/bufferDeallocate)
Timer logic: Review 1Hz scheduler integration and protocol timer handling (inactivity, ACK, NAK timers)
Multi-channel support: Validate channel isolation and resource limits (transactions per channel)
Configuration parameters: Review default values in CfdpCfg.hpp and CfdpCfg.fpp
File I/O error handling: Verify proper cleanup on file open/read/write failures
CF→F´ port quality: Review adaptations from cFS to F´ (e.g., replacing CFE OS calls with F´ Os abstraction)
Documentation accuracy: Cross-check SDD against implementation

Future Work

Add support for offset/partial file transfers in fileIn port
Implement additional TLV (Type-Length-Value) options (e.g., flow label, fault handler overrides)
Add command-line parameter validation for remote entity IDs
Consider performance optimizations for high-throughput scenarios
Add integration tests with ComQueue and deframing components

AI Usage (see policy)

Generative AI (Claude Code) was used for:

Code generation: Assisted with boilerplate for PDU class implementations, unit test scaffolding, and F´ component port wiring
Documentation: Assisted with drafting and formatting the SDD markdown (including sequence diagrams and tables) and generating this PR description
Refactoring: Suggested improvements during CF→F´ port (e.g., replacing void* with typed pointers, modernizing C→C++ patterns)
Debugging: Assisted in diagnosing unit test failures and identifying edge cases in transaction state machines

Important note: AI was NOT used to generate the core CFDP protocol logic. The core engine, transaction state machines, and protocol logic were ported directly from NASA's CF application v3.0.0 (human-written, flight-proven code). AI assistance was limited to F´-specific integration code, documentation, and port quality improvements.

github-advanced-security

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

thomas-bc

A few AI finds that seemed relevant, and one big question about how to handle file paths.

thomas-bc · 2026-05-12T17:51:14Z

+
+void Engine::setChannelFlowState(U8 channelId, Flow::T flowState)
+{
+    FW_ASSERT(channelId <= Cfdp::NumChannels, channelId, Cfdp::NumChannels);


AI finding: Should this be channelId < Cfdp::NumChannels instead of <= ?

Agreed, changed assertion from channelId <= Cfdp::NumChannels to channelId < Cfdp::NumChannels to prevent out-of-bounds array access.

thomas-bc · 2026-05-12T17:55:33Z

+        U32 directiveCodeOffset = 4 + (2 * eidSize) + tsnSize;
+
+        // Read directive code
+        U8 directiveCode = data[directiveCodeOffset];


AI finding: This reads at an offset based of header bytes (potentially untrusted) - we should check that there is enough length in the data before trying to access.

Agreed, added validation check if (directiveCodeOffset < buffer.getSize()) before reading directive code from calculated offset.

thomas-bc · 2026-05-12T18:03:24Z

+
+    /* store the filenames in transaction - validation already done during deserialization */
+    txn->m_history->fnames.src_filename = md.getSourceFilename();
+    txn->m_history->fnames.dst_filename = md.getDestFilename();


One security issue that we've had reported a lot on the F Prime Svc.FileUplink component is that it allows to write files at any location on the filesystem, potentially overwriting critical system files etc.
This is risky for in case of operator oversight (shrug) but also if you receive unauthenticated (potentially malicious) commands.
My understanding is this CfdpManager has the same capability.

Did you find that CFDP makes recommendation on how to deal with that? If not, we should agree on a rationale so that we stop the spam of "hey you have a critical vulnerability here". Maybe the answer is "encrypt/authenticate your comms". But we should agree on something.

cc @bitWarrior , if you have recommendations.

CfdpManager was patterned using the same security model as FileUplink/FileDownlink. Authentication is expected to happen at the physical or network layers, not in the application itself. In out use-cases, CFDP traffic is being sent over authenticated channels such as encrypted radios or Bundle Protocol Security, so CfdpManager assumes the source is already trusted. That matches the assumptions generally made by the CCSDS 727.0-B-5 CFDP standard.

I understand the defense-in-depth argument for adding application-layer path validation. The tradeoff is additional configuration complexity and possible conflicts with legitimate use cases like firmware updates or system file management. It also does not solve the underlying problem if the CFDP traffic itself is unauthenticated.

I added a “Security Considerations” section to the SDD to document the design rationale more clearly.

If there is interest in revisiting the design or discussing path validation for F´ components more broadly, I’d be happy to join that discussion.

…ASSERTs

This reverts commit f48314f.

… NAK processed logic

+        // notably this state is distinguishable from items still on the free list
+        txn->m_state = TXN_STATE_INIT;
+        txn->m_history->dir = direction;
+        txn->m_chan = this;  // Set channel pointer


lestarch-autobot · 2026-05-28T19:42:00Z

+| CFDP-010 | `CfdpManager` shall support configurable file archiving to move completed files instead of deletion | Preserves files for audit trails and operational analysis while managing storage | Unit Test |
+| CFDP-011 | `CfdpManager` shall support both command-initiated and port-initiated file transfers | Allows both ground operators and onboard components to initiate file transfers | Unit Test, System Test |
+| CFDP-012 | `CfdpManager` shall support flow control to freeze and resume channel operations | Provides mechanism to temporarily halt file transfers during critical spacecraft operations | Unit Test |
+


must fix SDD has no Events section — 72 events defined in Events.fppi are undocumented.

Events are ground-/operator-facing FPP surfaces. The SDD documents Commands, Parameters, and Telemetry but omits Events entirely. Ground operators rely on the SDD to understand event semantics, severities, and parameter meanings. An ## Events section with at minimum a summary table (name, severity, description) is required before this ships.

This is a nice-to-have

lestarch-autobot · 2026-05-28T19:42:00Z

+| SetChannelFlow | Sets the flow control state for a specific CFDP channel. Can freeze (pause) or resume PDU transmission on the channel. |
+| SuspendResumeTransaction | Suspend or resume a transaction. When suspended, the transaction remains in memory but stops making progress (no PDUs sent or processed, no timers tick). Useful during critical spacecraft operations. Takes an action parameter (SUSPEND or RESUME). Transactions are identified by channel ID, transaction sequence number, and entity ID. |
+| CancelTransaction | Gracefully cancel a transaction with protocol close-out. Sends FIN/ACK PDUs as appropriate for the transaction type and state. Transaction is removed from memory. Transactions are identified by channel ID, transaction sequence number, and entity ID. |
+| AbandonTransaction | Immediately terminate a transaction without protocol close-out. No FIN/ACK sent. Transaction is immediately removed from memory. Used for stuck or unresponsive transactions. Transactions are identified by channel ID, transaction sequence number, and entity ID. |


could fix Commands table is missing the ResetCounters command.

Commands.fppi defines 9 commands but the SDD table lists only 8 — ResetCounters (resets per-channel telemetry counters, with channelId 0xFF for all channels) is absent.

Suggested change

| AbandonTransaction | Immediately terminate a transaction without protocol close-out. No FIN/ACK sent. Transaction is immediately removed from memory. Used for stuck or unresponsive transactions. Transactions are identified by channel ID, transaction sequence number, and entity ID. |

| AbandonTransaction | Immediately terminate a transaction without protocol close-out. No FIN/ACK sent. Transaction is immediately removed from memory. Used for stuck or unresponsive transactions. Transactions are identified by channel ID, transaction sequence number, and entity ID. |

| ResetCounters | Resets telemetry counters for the specified CFDP channel. Pass `channelId` 0xFF to reset all channels. |

lestarch-autobot · 2026-05-28T19:42:00Z

+#### Sent Counters
+| Field | Type | Description |
+|---|---|---|
+| sentNakSegmentRequests | U32 | Number of NAK segment requests sent to peer entity |


lestarch-autobot · 2026-05-28T19:42:00Z

+        instance prmDb
+
+    } # end topology
+} # end FileHandlingCfdp Subtopology


suggestion New FileHandlingCfdp subtopology ships without a docs/sdd.md.

Peer subtopologies (FileHandling, ComCcsds) include design documents at docs/sdd.md. The subtopology how-to guide also recommends including a docs folder. Adding a brief SDD describing the subtopology's purpose, its component instances, wiring, and configuration knobs would keep the new surface consistent with existing subtopologies.

nice-to-have....or I can get an AI to write it once merged.

I had Claude write an SDD for the FileHandlingCfdp subtopology. Feel free to tear it apart!

lestarch-autobot · 2026-05-28T19:42:07Z

+module Cfdp {
+
+    @ F' implementation of the CFDP file transfer protocol
+    active component CfdpManager {


must fix Human design adjudication required. This PR introduces CfdpManager — a new 73-file active component plus a FileHandlingCfdp subtopology — porting NASA cFS CF v3.0.0 to F Prime. Changes cross Svc, Os, and default/config layers.

The design is prima-facie reasonable (active component with async ports matching the Cyclic Notification Pattern per docs/user-manual/framework/component-and-port-selection.md), but the scope and architectural surface require human design-owner sign-off before deeper reviewer agents invest effort. Key questions for maintainers:

Is wrapping the cFS CF engine via friend class (Engine, Channel, Transaction accessing component EVR/TLM/PRM directly) the desired long-term integration pattern, or should these be separate components communicating via ports?

Is placing this under Svc/Ccsds/ (new namespace layer) the agreed namespace home?

Does the FileHandlingCfdp subtopology composition (CfdpManager + FileManager + PrmDb) match the intended deployment model?

cc @LeStarch @thomas-bc — design needs human adjudication before deeper review.

Is a minor violation of the standard. It would be better to avoid, but not critical.

Yes

If this is a replacement for the FileHandling subtopology, then yes!

If there is a better pattern for subclasses having access to component EVR/TLM/PRM I would be happy to update the access pattern.

👍

Yes the FileHandlingCfdp subtopology is intended as a drop-in replacement for the FileHandling subtopology.

lestarch-autobot · 2026-05-28T19:42:08Z

+@ This file defines proposed telemetry channels for CfdpManager based on
+@ telemetry counters from the NASA CF (CFDP) Application.
+@
+@ Note: These are currently PROPOSALS and not yet implemented.


must fix Telemetry.fppi header declares these channels as "currently PROPOSALS and not yet implemented," but the C++ implementation fully maintains all counters (CfdpManager.hpp lines 110–236, incrementRecv*, addSent*, etc.) and emits them every second via tlmWrite_ChannelTelemetry in run1Hz_handler (CfdpManager.cpp line 71).

The FPP is a contract; this comment creates a false contract that downstream tooling or reviewers may rely on. Remove the "PROPOSALS / not yet implemented" comment block (lines 1–8), and update the SDD § Telemetry which repeats the same claim.

Removed the deprecated comment.

lestarch-autobot · 2026-05-28T19:42:38Z

+)
+
+@ Command to start a directory playback
+async command PlaybackDirectory(


must fix 8 of 9 new async commands have no test coverage.

Only SendFile is exercised via sendCmd_SendFile in the test suite. The remaining 8 commands — PlaybackDirectory, PollDirectory, StopPollDirectory, SetChannelFlow, SuspendResumeTransaction, CancelTransaction, AbandonTransaction, ResetCounters — have no sendCmd_* invocation, no ASSERT_CMD_RESPONSE, and no doDispatch() in any test. Each is a ground-facing async command and requires at minimum a happy-path test (sendCmd_X → doDispatch → ASSERT_CMD_RESPONSE(..., OK)).