CCSDS File Delivery Protocol - CfdpManager

[Brian-Campuzano]

Related Issue(s)	#2768
Has Unit Tests (y/n)	y
Documentation Included (y/n)	y
Generative AI was used in this contribution (y/n)	y

---

Change Description

This PR adds the CfdpManager component, an F´ implementation of the CCSDS File Delivery Protocol (CFDP) standard ported from NASA's Core Flight System (cFS) CFDP Application v3.0.0. CfdpManager provides both Class 1 (unacknowledged) and Class 2 (acknowledged) file transfer capabilities, designed to replace the standard FileUplink and FileDownlink components with guaranteed file delivery support.

Attribution and License:

• Substantial portions ported from: NASA Core Flight System (cFS) CFDP (CF) Application v3.0.0
• Original License: Apache License 2.0
• Original Copyright: Copyright (c) 2019 United States Government as represented by the Administrator of the National Aeronautics and Space Administration
• NASA Docket: GSC-18,447-1

Ported components (retain original NASA copyright):

• Core CFDP engine and transaction management logic (Engine.cpp, Transaction.hpp, TransactionTx.cpp, TransactionRx.cpp)
• Protocol state machines for transmit and receive operations
• Utility functions for file handling and resource management (Utils.cpp, Channel.cpp)
• Chunk and gap tracking for Class 2 transfers (Chunk.cpp, Clist.cpp)

New F´-specific implementations:

• CfdpManager component wrapper with F´ ports, commands, events, telemetry, and parameters
• Object-oriented PDU encoding/decoding classes based on F´ Serializable interface
• Timer implementation using F´ time primitives
• FileHandlingCfdp subtopology for integration

See ATTRIBUTION.md for complete file-by-file attribution breakdown.

Summary of changes:

• Full PDU support: Metadata, FileData, EOF, FIN, ACK, NAK
• Multi-channel support with configurable throttling and timer parameters
• Port-based file transfer interface compatible with existing F´ components (e.g., DpCatalog)
• Comprehensive unit tests covering Class 1/2 transactions, PDU handling, and edge cases
• Complete SDD documentation with architecture diagrams, sequence diagrams, and usage examples

Rationale

Current F´ file transfer components (FileUplink/FileDownlink) lack reliable delivery guarantees over lossy or intermittent links, automatic retransmission and gap detection, and industry-standard CFDP protocol compliance required for interoperability with ground systems and other spacecraft.

CfdpManager addresses these gaps by implementing the CCSDS CFDP standard, which is specifically designed for space missions with long propagation delays, high error rates, and disruption-tolerant requirements. By porting NASA's proven CF application from cFS, this implementation leverages flight-proven CFDP logic while adapting it to F´'s architecture and component model.

Testing/Review Recommendations

Unit Test Coverage:

• CfdpManagerTester.cpp: Component-level tests with Class 1/2 TX/RX transactions, NAK handling, timer expiration, and throttling
• PduTester.cpp: PDU serialization/deserialization tests for all PDU types

Areas to focus on:

1. Port connections & buffer management: Verify buffer allocation/deallocation patterns in uplink/downlink paths (particularly dataOut/dataReturnIn and bufferAllocate/bufferDeallocate)
2. Timer logic: Review 1Hz scheduler integration and protocol timer handling (inactivity, ACK, NAK timers)
3. Multi-channel support: Validate channel isolation and resource limits (transactions per channel)
4. Configuration parameters: Review default values in CfdpCfg.hpp and CfdpCfg.fpp
5. File I/O error handling: Verify proper cleanup on file open/read/write failures
6. CF→F´ port quality: Review adaptations from cFS to F´ (e.g., replacing CFE OS calls with F´ Os abstraction)
7. Documentation accuracy: Cross-check SDD against implementation

Future Work

• Add support for offset/partial file transfers in fileIn port
• Implement additional TLV (Type-Length-Value) options (e.g., flow label, fault handler overrides)
• Add command-line parameter validation for remote entity IDs
• Consider performance optimizations for high-throughput scenarios
• Add integration tests with ComQueue and deframing components

AI Usage (see policy)

Generative AI (Claude Code) was used for:

• Code generation: Assisted with boilerplate for PDU class implementations, unit test scaffolding, and F´ component port wiring
• Documentation: Assisted with drafting and formatting the SDD markdown (including sequence diagrams and tables) and generating this PR description
• Refactoring: Suggested improvements during CF→F´ port (e.g., replacing void* with typed pointers, modernizing C→C++ patterns)
• Debugging: Assisted in diagnosing unit test failures and identifying edge cases in transaction state machines

Important note: AI was NOT used to generate the core CFDP protocol logic. The core engine, transaction state machines, and protocol logic were ported directly from NASA's CF application v3.0.0 (human-written, flight-proven code). AI assistance was limited to F´-specific integration code, documentation, and port quality improvements.

[github-advanced-security]

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[thomas-bc]

A few AI finds that seemed relevant, and one big question about how to handle file paths.

[thomas-bc]

AI finding: Should this be channelId < Cfdp::NumChannels instead of <= ?

[thomas-bc]

AI finding: This reads at an offset based of header bytes (potentially untrusted) - we should check that there is enough length in the data before trying to access.

[thomas-bc]

One security issue that we've had reported a lot on the F Prime Svc.FileUplink component is that it allows to write files at any location on the filesystem, potentially overwriting critical system files etc.
This is risky for in case of operator oversight (shrug) but also if you receive unauthenticated (potentially malicious) commands.
My understanding is this CfdpManager has the same capability.

Did you find that CFDP makes recommendation on how to deal with that? If not, we should agree on a rationale so that we stop the spam of "hey you have a critical vulnerability here". Maybe the answer is "encrypt/authenticate your comms". But we should agree on something.

cc @bitWarrior , if you have recommendations.