pycyphal2 2.0.0.dev3__tar.gz → 2.0.0.dev4__tar.gz

{pycyphal2-2.0.0.dev3/src/pycyphal2.egg-info → pycyphal2-2.0.0.dev4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pycyphal2
-Version: 2.0.0.dev3
+Version: 2.0.0.dev4
 Summary: Pure-Python implementation of Cyphal -- a simple and robust real-time publish/subscribe stack that runs anywhere.
 Author-email: Pavel Kirienko and OpenCyphal team <pavel@opencyphal.org>
 License: MIT

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/__init__.py

@@ -155,7 +155,7 @@ from ._transport import SubjectWriter as SubjectWriter
 from ._transport import Transport as Transport
 from ._transport import TransportArrival as TransportArrival
 
-__version__ = "2.0.0.dev3"
+__version__ = "2.0.0.dev4"
 
 # pdoc needs __all__ to display re-exported members.
 __all__ = [

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/_node.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import asyncio
 from collections import OrderedDict
+from collections.abc import Coroutine
 import logging
 import math
 import os
@@ -28,7 +29,7 @@ from ._header import (
     deserialize_header,
 )
 from ._transport import SubjectWriter, Transport, TransportArrival
-from ._api import Topic, Node, Publisher, Subscriber, Breadcrumb, Closable, Instant, Priority, SendError
+from ._api import Topic, Node, Publisher, Subscriber, Breadcrumb, Closable, ClosedError, Instant, Priority, SendError
 from ._api import SUBJECT_ID_PINNED_MAX
 
 if TYPE_CHECKING:
@@ -58,6 +59,22 @@ ACK_SEQNO_MAX_LAG = 100000
 U64_MASK = (1 << 64) - 1
 
 
+def ack_is_last_attempt(current_ack_deadline_ns: int, current_ack_timeout: float, total_deadline_ns: int) -> bool:
+    """True if doubling the ACK timeout would overrun the total deadline, so this is the last retry."""
+    next_ack_timeout_ns = round(current_ack_timeout * 2 * 1e9)
+    remaining_budget_ns = total_deadline_ns - current_ack_deadline_ns
+    return remaining_budget_ns < next_ack_timeout_ns
+
+
+def ack_window(deadline_ns: int, ack_timeout: float) -> tuple[int, bool] | None:
+    """Next reliable-delivery ACK window: (ack_deadline_ns, is_last_attempt), or None if past the deadline."""
+    now_ns = Instant.now().ns
+    if now_ns >= deadline_ns:
+        return None
+    ack_deadline_ns = min(deadline_ns, now_ns + round(ack_timeout * 1e9))
+    return ack_deadline_ns, ack_is_last_attempt(ack_deadline_ns, ack_timeout, deadline_ns)
+
+
 class GossipScope(Enum):
     UNICAST = auto()
     BROADCAST = auto()
@@ -115,6 +132,24 @@ def _name_is_homeful(name: str) -> bool:
     return name == "~" or name.startswith("~/")
 
 
+def _is_valid_wire_name(name: str) -> bool:
+    """True if `name` is a well-formed *resolved* wire topic name, as required of names received in gossip:
+    nonempty, length-bounded, printable ASCII (33-126), already normalized (no leading/trailing/duplicate
+    '/'), verbatim (no '*'/'>' pattern tokens), not homeful ('~'/'~/...'), and pin-free (no '#<id>' suffix).
+    The last two are stripped/expanded by resolve_name before a name reaches the wire, so their presence
+    means the gossip is unresolved/non-canonical and must not create a local topic."""
+    return (
+        bool(name)
+        and len(name) <= TOPIC_NAME_MAX
+        and "*" not in name
+        and ">" not in name
+        and not _name_is_homeful(name)
+        and _name_consume_pin_suffix(name)[1] is None
+        and all(33 <= ord(ch) <= 126 for ch in name)
+        and _name_normalize(name) == name
+    )
+
+
 def resolve_name(
     name: str, home: str, namespace: str, remaps: dict[str, str] | None = None
 ) -> tuple[str, int | None, bool]:
@@ -345,10 +380,8 @@ class PublishTracker:
     """Tracks a pending reliable publication awaiting ACKs."""
 
     tag: int
-    deadline_ns: int
     ack_event: asyncio.Event
     acknowledged: bool = False
-    data: bytes | None = None
     ack_timeout: float = ACK_BASELINE_DEFAULT_TIMEOUT
     compromised: bool = False
     remaining: set[int] = field(default_factory=set)
@@ -507,7 +540,6 @@ class NodeImpl(Node):
         self._remaps: dict[str, str] = {}
         self._closed = False
         self.loop = asyncio.get_running_loop()
-        self._now_mono = time.monotonic()
         self._monitor_callbacks: dict[int, Callable[[Topic], None]] = {}
         self._next_monitor_callback_id = 0
 
@@ -573,7 +605,31 @@ class NodeImpl(Node):
     def transport(self) -> Transport:
         return self._transport
 
+    def _raise_if_closed(self) -> None:
+        if self._closed:
+            raise ClosedError(f"Node '{self._home}' is closed")
+
+    def _spawn_detached(self, coro: Coroutine[Any, Any, None], what: str) -> None:
+        """Fire-and-forget a short-lived send: skip when closed, and never let its exception go unobserved."""
+        if self._closed:
+            coro.close()
+            return
+
+        def _done(task: asyncio.Task[None]) -> None:
+            if task.cancelled():
+                return
+            ex = task.exception()
+            if ex is None:
+                return
+            if isinstance(ex, (SendError, OSError)):
+                _logger.debug("%s send failed: %s", what, ex)
+            else:
+                _logger.error("%s task crashed: %s", what, ex, exc_info=ex)
+
+        self.loop.create_task(coro).add_done_callback(_done)
+
     def remap(self, spec: str | dict[str, str]) -> None:
+        self._raise_if_closed()
         if isinstance(spec, str):
             spec = dict(x.split("=", 1) for x in spec.split() if "=" in x)
         assert isinstance(spec, dict)
@@ -584,6 +640,7 @@ class NodeImpl(Node):
     def advertise(self, name: str) -> Publisher:
         from ._publisher import PublisherImpl
 
+        self._raise_if_closed()
         resolved, pin, verbatim = resolve_name(name, self._home, self._namespace, self._remaps)
         if not verbatim:
             raise ValueError("Cannot advertise on a pattern name")
@@ -602,6 +659,7 @@ class NodeImpl(Node):
     def subscribe(self, name: str, *, reordering_window: float | None = None) -> Subscriber:
         from ._subscriber import SubscriberImpl
 
+        self._raise_if_closed()
         resolved, pin, verbatim = resolve_name(name, self._home, self._namespace, self._remaps)
         if pin is not None and not verbatim:
             raise ValueError("Pattern names cannot be pinned")
@@ -637,6 +695,7 @@ class NodeImpl(Node):
         return subscriber
 
     def monitor(self, callback: Callable[[Topic], None]) -> Closable:
+        self._raise_if_closed()
         callback_id = self._next_monitor_callback_id
         self._next_monitor_callback_id += 1
         self._monitor_callbacks[callback_id] = callback
@@ -653,6 +712,7 @@ class NodeImpl(Node):
                 _logger.exception("monitor() callback failed for %s", topic)
 
     async def scout(self, pattern: str) -> None:
+        self._raise_if_closed()
         resolved, pin, _ = resolve_name(pattern, self._home, self._namespace, self._remaps)
         if pin is not None:
             raise ValueError("Cannot scout a pinned name/pattern")
@@ -800,12 +860,10 @@ class NodeImpl(Node):
         tracker.remaining.clear()
 
     @staticmethod
-    def prepare_publish_tracker(topic: TopicImpl, tag: int, deadline_ns: int, data: bytes) -> PublishTracker:
+    def prepare_publish_tracker(topic: TopicImpl, tag: int) -> PublishTracker:
         tracker = PublishTracker(
             tag=tag,
-            deadline_ns=deadline_ns,
             ack_event=asyncio.Event(),
-            data=data,
         )
         tracker.ack_timeout = ACK_BASELINE_DEFAULT_TIMEOUT
         for assoc in sorted(topic.associations.values(), key=lambda x: x.remote_id):
@@ -1036,14 +1094,6 @@ class NodeImpl(Node):
 
         root.scout_task = self.loop.create_task(do_send())
 
-    def send_scout(self, pattern: str) -> None:
-        """Send a scout message to discover topics matching a pattern."""
-
-        async def do_send() -> None:
-            await self._send_scout_once(pattern)
-
-        self.loop.create_task(do_send())
-
     # -- Message Dispatch --
 
     def on_subject_arrival(self, subject_id: int, arrival: TransportArrival) -> None:
@@ -1055,6 +1105,8 @@ class NodeImpl(Node):
         self.dispatch_arrival(arrival, subject_id=None, unicast=True)
 
     def dispatch_arrival(self, arrival: TransportArrival, *, subject_id: int | None, unicast: bool) -> None:
+        if self._closed:
+            return  # Drop late arrivals after close instead of mutating state / spawning sends.
         msg = arrival.message
         if len(msg) < HEADER_SIZE:
             _logger.debug("Drop short msg len=%d", len(msg))
@@ -1207,7 +1259,7 @@ class NodeImpl(Node):
             except (SendError, OSError) as e:
                 _logger.debug("ACK send failed: %s", e)
 
-        self.loop.create_task(do_send())
+        self._spawn_detached(do_send(), "ACK")
 
     def on_msg_ack(self, arrival: TransportArrival, hdr: MsgAckHeader | MsgNackHeader) -> None:
         topic = self.topics_by_hash.get(hdr.topic_hash)
@@ -1295,7 +1347,7 @@ class NodeImpl(Node):
             except (SendError, OSError) as e:
                 _logger.debug("RSP ACK send failed: %s", e)
 
-        self.loop.create_task(do_send())
+        self._spawn_detached(do_send(), "RSP ACK")
 
     def on_gossip(
         self,
@@ -1306,6 +1358,8 @@ class NodeImpl(Node):
     ) -> None:
         name = ""
         if hdr.name_len > 0:
+            # Best-effort decode for diagnostics/monitoring; an invalid name cannot create a topic because
+            # topic_subscribe_if_matching validates the character set before creating one.
             name = payload[: hdr.name_len].decode("utf-8", errors="replace")
 
         topic = self.topics_by_hash.get(hdr.topic_hash)
@@ -1374,6 +1428,14 @@ class NodeImpl(Node):
         now: float,
     ) -> TopicImpl | None:
         """Create an implicit topic if any pattern subscriber matches the name."""
+        # REFERENCE PARITY: the reference does not (yet) validate gossip-name characters here -- it trusts
+        # the hash. We additionally reject names that are not valid resolved wire names (non-normalized,
+        # non-verbatim by this implementation's rule, homeful, or pinned) so untrusted wire input cannot
+        # create a local topic with such a name. Consistent with the documented whitespace-strip deviation;
+        # the reference may adopt the same validation later.
+        if not _is_valid_wire_name(name):
+            _logger.debug("Gossip drop invalid wire name hash=%016x", topic_hash)
+            return None
         # Validate that the hash matches the name to prevent corrupt gossip from creating inconsistencies.
         if rapidhash(name) != topic_hash:
             _logger.debug("Gossip hash mismatch for '%s': got %016x, expected %016x", name, topic_hash, rapidhash(name))
@@ -1398,12 +1460,15 @@ class NodeImpl(Node):
     def on_scout(self, arrival: TransportArrival, hdr: ScoutHeader, payload: bytes) -> None:
         if hdr.pattern_len == 0 or hdr.pattern_len > TOPIC_NAME_MAX or len(payload) < hdr.pattern_len:
             return
+        # Best-effort decode; an invalid pattern simply matches no local topic names.
         pattern = payload[: hdr.pattern_len].decode("utf-8", errors="replace")
         _logger.debug("Scout received pattern='%s' from %016x", pattern, arrival.remote_id)
         for topic in list(self.topics_by_name.values()):
             subs = match_pattern(pattern, topic.name)
             if subs is not None:
-                self.loop.create_task(self.send_gossip_unicast(topic, arrival.remote_id, arrival.priority))
+                self._spawn_detached(
+                    self.send_gossip_unicast(topic, arrival.remote_id, arrival.priority), "gossip unicast"
+                )
 
     # -- Implicit Topic GC --
 
@@ -1474,6 +1539,12 @@ class NodeImpl(Node):
             return
         self._closed = True
         _logger.info("Node closing home='%s'", self._home)
+        # Unblock anything awaiting on a subscriber (`async for`): closing each enqueues StopAsyncIteration,
+        # otherwise a default (no-liveness-timeout) subscriber would wait on its queue forever. (Reliable
+        # publishes / response streams are deadline-bounded and resolve on their own.)
+        for root in list(self.sub_roots_verbatim.values()) + list(self.sub_roots_pattern.values()):
+            for sub in list(root.subscribers):
+                sub.close()
         self._gc_task.cancel()
         for root in list(self.sub_roots_pattern.values()):
             if root.scout_task is not None:

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/_publisher.py

@@ -8,7 +8,7 @@ from dataclasses import dataclass
 from ._api import DeliveryError, Instant, LivenessError, Priority, SendError
 from ._api import Publisher, Topic, ResponseStream, Response
 from ._header import MsgBeHeader, MsgRelHeader, RspBeHeader, RspRelHeader
-from ._node import ACK_BASELINE_DEFAULT_TIMEOUT, NodeImpl, PublishTracker, SESSION_LIFETIME, TopicImpl
+from ._node import ACK_BASELINE_DEFAULT_TIMEOUT, NodeImpl, PublishTracker, SESSION_LIFETIME, TopicImpl, ack_window
 from ._transport import TransportArrival
 
 _logger = logging.getLogger(__name__)
@@ -124,7 +124,7 @@ class PublisherImpl(Publisher):
         )
         self._topic.request_futures[tag] = stream
 
-        tracker = self._prepare_reliable_publish_tracker(tag, delivery_deadline.ns, payload)
+        tracker = self._prepare_reliable_publish_tracker(tag)
         try:
             initial_window = await self._reliable_publish_start(delivery_deadline, tag, payload, tracker)
         except asyncio.CancelledError:
@@ -169,12 +169,6 @@ class PublisherImpl(Publisher):
         finally:
             self._release_reliable_publish_tracker(tag, tracker)
 
-    @staticmethod
-    def _ack_is_last_attempt(current_ack_deadline_ns: int, current_ack_timeout: float, total_deadline_ns: int) -> bool:
-        next_ack_timeout_ns = round(current_ack_timeout * 2 * 1e9)
-        remaining_budget_ns = total_deadline_ns - current_ack_deadline_ns
-        return remaining_budget_ns < next_ack_timeout_ns
-
     @staticmethod
     def _ack_window_is_compromised(deadline_ns: int, current_ack_timeout: float) -> bool:
         return Instant.now().ns >= (deadline_ns - round(current_ack_timeout * 1e9))
@@ -189,16 +183,8 @@ class PublisherImpl(Publisher):
         )
         return hdr.serialize() + payload
 
-    @staticmethod
-    def _reliable_publish_window(deadline_ns: int, ack_timeout: float) -> tuple[int, bool] | None:
-        now_ns = Instant.now().ns
-        if now_ns >= deadline_ns:
-            return None
-        ack_deadline_ns = min(deadline_ns, now_ns + round(ack_timeout * 1e9))
-        return ack_deadline_ns, PublisherImpl._ack_is_last_attempt(ack_deadline_ns, ack_timeout, deadline_ns)
-
-    def _prepare_reliable_publish_tracker(self, tag: int, deadline_ns: int, payload: bytes) -> PublishTracker:
-        tracker = self._node.prepare_publish_tracker(self._topic, tag, deadline_ns, payload)
+    def _prepare_reliable_publish_tracker(self, tag: int) -> PublishTracker:
+        tracker = self._node.prepare_publish_tracker(self._topic, tag)
         tracker.ack_timeout = self.ack_timeout
         self._topic.publish_futures[tag] = tracker
         return tracker
@@ -231,7 +217,7 @@ class PublisherImpl(Publisher):
         payload: bytes,
         tracker: PublishTracker,
     ) -> tuple[int, bool]:
-        initial_window = self._reliable_publish_window(deadline.ns, tracker.ack_timeout)
+        initial_window = ack_window(deadline.ns, tracker.ack_timeout)
         if initial_window is None:
             raise DeliveryError("Reliable publish not acknowledged before deadline")
         ack_deadline_ns, _ = initial_window
@@ -277,7 +263,7 @@ class PublisherImpl(Publisher):
             if last_attempt:
                 break
             tracker.ack_timeout *= 2
-            next_window = self._reliable_publish_window(deadline.ns, tracker.ack_timeout)
+            next_window = ack_window(deadline.ns, tracker.ack_timeout)
             if next_window is None:
                 break
             ack_deadline_ns, last_attempt = next_window
@@ -292,7 +278,7 @@ class PublisherImpl(Publisher):
         raise DeliveryError("Reliable publish not acknowledged before deadline")
 
     async def _reliable_publish(self, deadline: Instant, tag: int, payload: bytes) -> None:
-        tracker = self._prepare_reliable_publish_tracker(tag, deadline.ns, payload)
+        tracker = self._prepare_reliable_publish_tracker(tag)
         try:
             initial_window = await self._reliable_publish_start(deadline, tag, payload, tracker)
             await self._reliable_publish_continue(deadline, tag, payload, tracker, initial_window)

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/_subscriber.py

@@ -15,6 +15,7 @@ from ._node import (
     NodeImpl,
     SubscriberRoot,
     TopicImpl,
+    ack_window,
     match_pattern,
 )
 
@@ -220,9 +221,6 @@ class SubscriberImpl(Subscriber):
 
         state.timeout_handle = loop.call_later(delay, on_timeout)
 
-    def _arm_reorder_timeout(self, state: ReorderingState) -> None:
-        self._rearm_reorder_timeout(state)
-
     def _drop_stale_reordering(self, now: float) -> None:
         stale = [key for key, state in self._reordering.items() if (state.last_active_at + SESSION_LIFETIME) < now]
         for key in stale:
@@ -337,7 +335,7 @@ class BreadcrumbImpl(Breadcrumb):
 
         ack_timeout = ACK_BASELINE_DEFAULT_TIMEOUT * (1 << int(self._priority))
         try:
-            initial_window = _ack_window(deadline.ns, ack_timeout)
+            initial_window = ack_window(deadline.ns, ack_timeout)
             if initial_window is None:
                 raise DeliveryError("Reliable response not acknowledged before deadline")
 
@@ -371,7 +369,7 @@ class BreadcrumbImpl(Breadcrumb):
                 if last_attempt:
                     break
                 ack_timeout *= 2
-                next_window = _ack_window(deadline.ns, ack_timeout)
+                next_window = ack_window(deadline.ns, ack_timeout)
                 if next_window is None:
                     break
                 ack_deadline_ns, last_attempt = next_window
@@ -414,17 +412,3 @@ class RespondTracker:
         self.done = True
         self.nacked = not positive
         self.ack_event.set()
-
-
-def _ack_is_last_attempt(current_ack_deadline_ns: int, current_ack_timeout: float, total_deadline_ns: int) -> bool:
-    next_ack_timeout_ns = round(current_ack_timeout * 2 * 1e9)
-    remaining_budget_ns = total_deadline_ns - current_ack_deadline_ns
-    return remaining_budget_ns < next_ack_timeout_ns
-
-
-def _ack_window(deadline_ns: int, ack_timeout: float) -> tuple[int, bool] | None:
-    now_ns = Instant.now().ns
-    if now_ns >= deadline_ns:
-        return None
-    ack_deadline_ns = min(deadline_ns, now_ns + round(ack_timeout * 1e9))
-    return ack_deadline_ns, _ack_is_last_attempt(ack_deadline_ns, ack_timeout, deadline_ns)

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/can/_interface.py

@@ -7,7 +7,8 @@ import itertools
 
 from .. import Closable, Instant
 
-_CAN_EXT_ID_MASK = (1 << 29) - 1
+CAN_EXT_ID_MASK = (1 << 29) - 1
+CAN_STD_ID_MASK = (1 << 11) - 1
 
 
 @dataclass(frozen=True)
@@ -18,7 +19,7 @@ class Frame:
     data: bytes
 
     def __post_init__(self) -> None:
-        if not isinstance(self.id, int) or not (0 <= self.id <= _CAN_EXT_ID_MASK):
+        if not isinstance(self.id, int) or not (0 <= self.id <= CAN_EXT_ID_MASK):
             raise ValueError(f"Invalid CAN identifier: {self.id!r}")
         data = bytes(self.data)
         if len(data) > 64:
@@ -39,9 +40,9 @@ class Filter:
     mask: int
 
     def __post_init__(self) -> None:
-        if not (0 <= self.id <= _CAN_EXT_ID_MASK):
+        if not (0 <= self.id <= CAN_EXT_ID_MASK):
             raise ValueError(f"Invalid CAN identifier: {self.id!r}")
-        if not (0 <= self.mask <= _CAN_EXT_ID_MASK):
+        if not (0 <= self.mask <= CAN_EXT_ID_MASK):
             raise ValueError(f"Invalid CAN mask: {self.mask!r}")
 
     @property

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/can/_media_slcan.py

@@ -6,12 +6,11 @@ from __future__ import annotations
 
 import logging
 
-from ._interface import Frame
-from ._wire import CAN_EXT_ID_MASK, DLC_TO_LENGTH, MTU_CAN_CLASSIC
+from ._interface import CAN_EXT_ID_MASK, CAN_STD_ID_MASK, Frame
+from ._wire import DLC_TO_LENGTH, MTU_CAN_CLASSIC
 
 _logger = logging.getLogger(__name__)
 
-_CAN_STD_ID_MASK = (1 << 11) - 1
 _CR = 0x0D  # ACK / carriage return
 _LF = 0x0A
 _BEL = 0x07  # NACK / bell
@@ -157,7 +156,7 @@ def _parse_data_frame(line: bytes, *, id_length: int, max_payload_length: int) -
     if len(line) < expected:
         _logger.debug("SLCAN drop data dlc mismatch len=%d expected=%d", len(line), expected)
         return None
-    if id_length == 3 and identifier > _CAN_STD_ID_MASK:
+    if id_length == 3 and identifier > CAN_STD_ID_MASK:
         _logger.debug("SLCAN drop invalid standard id=%x", identifier)
         return None
     data = _parse_hex_bytes(line[header_length:expected])

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/can/_wire.py

@@ -10,9 +10,8 @@ from .._hash import (
     CRC16CCITT_FALSE_RESIDUE,
     crc16ccitt_false_add,
 )
-from ._interface import Filter
+from ._interface import CAN_EXT_ID_MASK, Filter
 
-CAN_EXT_ID_MASK = (1 << 29) - 1
 NODE_ID_MAX = 127
 NODE_ID_ANONYMOUS = 0xFF
 NODE_ID_CAPACITY = NODE_ID_MAX + 1

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/can/pythoncan.py

@@ -18,7 +18,7 @@ import logging
 import threading
 
 from .._api import ClosedError, Instant
-from ._interface import Filter, Interface, TimestampedFrame
+from ._interface import CAN_EXT_ID_MASK, Filter, Interface, TimestampedFrame
 
 try:
     import can
@@ -27,8 +27,11 @@ except ImportError:
 
 _logger = logging.getLogger(__name__)
 
-_RX_POLL_TIMEOUT = 0.1
-_CAN_EXT_ID_MASK = (1 << 29) - 1
+# RX thread poll cadence. This also bounds how long filter()/close() may block the event loop while
+# they quiesce the RX thread (it can only acknowledge a pause between recv() calls). Kept short so that
+# admin stall stays small. ponytail: to remove the stall entirely, hand pending filters to the RX
+# thread to apply between recv() calls instead of pausing it from the loop thread.
+_RX_POLL_TIMEOUT = 0.02
 
 
 class PythonCANInterface(Interface):
@@ -96,6 +99,7 @@ class PythonCANInterface(Interface):
         self._raise_if_closed()
         if self._tx_task is None:
             self._tx_task = self._loop.create_task(self._tx_loop())
+            self._tx_task.add_done_callback(self._on_task_done)
         for chunk in data:
             self._tx_seq += 1
             self._tx_queue.put_nowait((id, self._tx_seq, deadline.ns, bytes(chunk)))
@@ -151,15 +155,12 @@ class PythonCANInterface(Interface):
         loop = asyncio.get_running_loop()
         while not self._closed:
             try:
-                identifier, _seq, deadline_ns, payload = await self._tx_queue.get()
+                identifier, seq, deadline_ns, payload = await self._tx_queue.get()
             except asyncio.CancelledError:
                 raise
             if self._closed:
                 return
-            if Instant.now().ns >= deadline_ns:
-                _logger.debug("PythonCAN tx drop expired iface=%s id=%08x", self._name, identifier)
-                continue
-            timeout = max(0.0, (deadline_ns - Instant.now().ns) * 1e-9)
+            timeout = (deadline_ns - Instant.now().ns) * 1e-9
             if timeout <= 0.0:
                 _logger.debug("PythonCAN tx drop expired iface=%s id=%08x", self._name, identifier)
                 continue
@@ -172,14 +173,10 @@ class PythonCANInterface(Interface):
             )
             try:
                 await asyncio.wait_for(loop.run_in_executor(None, self._bus.send, msg, timeout), timeout=timeout)
-            except asyncio.TimeoutError:
-                self._tx_queue.put_nowait((identifier, self._tx_seq, deadline_ns, payload))
-                self._tx_seq += 1
-                await asyncio.sleep(0.001)
-            except can.CanError as ex:
+            except (asyncio.TimeoutError, can.CanError) as ex:
+                # Re-queue with the original seq so the frame keeps its place within its transfer.
                 _logger.debug("PythonCAN tx retry iface=%s err=%s", self._name, ex)
-                self._tx_queue.put_nowait((identifier, self._tx_seq, deadline_ns, payload))
-                self._tx_seq += 1
+                self._tx_queue.put_nowait((identifier, seq, deadline_ns, payload))
                 await asyncio.sleep(0.001)
             except OSError as ex:
                 self._fail(ex)
@@ -229,6 +226,14 @@ class PythonCANInterface(Interface):
             _logger.error("PythonCAN interface %s failed: %s", self._name, ex)
         self.close()
 
+    def _on_task_done(self, task: asyncio.Task[None]) -> None:
+        # Surface an unexpected TX-task crash as an interface failure instead of swallowing it.
+        if task.cancelled() or self._closed:
+            return
+        ex = task.exception()
+        if ex is not None:
+            self._fail(ex)
+
     def _raise_if_closed(self) -> None:
         if self._closed:
             if self._failure is not None:
@@ -258,4 +263,4 @@ def _parse_message(msg: can.Message) -> TimestampedFrame | None:
     if msg.is_remote_frame:
         _logger.debug("PythonCAN drop remote frame id=%08x", msg.arbitration_id)
         return None
-    return TimestampedFrame(id=msg.arbitration_id & _CAN_EXT_ID_MASK, data=bytes(msg.data), timestamp=Instant.now())
+    return TimestampedFrame(id=msg.arbitration_id & CAN_EXT_ID_MASK, data=bytes(msg.data), timestamp=Instant.now())

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/can/socketcan.py

@@ -21,12 +21,14 @@ _logger = logging.getLogger(__name__)
 
 _CAN_FILTER_CAPACITY = 64
 _CAN_INTERFACE_TYPE = 280
-_CAN_CLASSIC_MTU = 16
-_CAN_FD_MTU = 72
 _CANFD_FDF = getattr(socket, "CANFD_FDF", 0)
 _CAN_FRAME_STRUCT = struct.Struct("=IB3x8s")
 _CANFD_FRAME_STRUCT = struct.Struct("=IBBBB64s")
 _CAN_FILTER_STRUCT = struct.Struct("=II")
+# SocketCAN frame sizes — sizeof(struct can_frame)=16, sizeof(struct canfd_frame)=72 (NOT the 8/64 payload MTU).
+# The kernel also reports these as the CAN netdev MTU, so they double as the FD-capability threshold.
+_CLASSIC_FRAME_SIZE = _CAN_FRAME_STRUCT.size
+_FD_FRAME_SIZE = _CANFD_FRAME_STRUCT.size
 _TRANSIENT_TX_ERRNO = {errno.EAGAIN, errno.EWOULDBLOCK, errno.ENOBUFS, errno.ENOMEM, errno.EBUSY}
 
 
@@ -37,7 +39,7 @@ class SocketCANInterface(Interface):
         self._sock.setblocking(False)
         self._sock.setsockopt(socket.SOL_CAN_RAW, socket.CAN_RAW_LOOPBACK, 1)
         self._sock.bind((self._name,))
-        self._fd = self._read_iface_mtu() >= _CAN_FD_MTU
+        self._fd = self._read_iface_mtu() >= _FD_FRAME_SIZE
         if self._fd:
             self._sock.setsockopt(socket.SOL_CAN_RAW, socket.CAN_RAW_FD_FRAMES, 1)
         self._closed = False
@@ -74,6 +76,7 @@ class SocketCANInterface(Interface):
         self._raise_if_closed()
         if self._tx_task is None:
             self._tx_task = asyncio.get_running_loop().create_task(self._tx_loop())
+            self._tx_task.add_done_callback(self._on_task_done)
         for chunk in data:
             self._tx_seq += 1
             self._tx_queue.put_nowait((id, self._tx_seq, deadline.ns, bytes(chunk)))
@@ -94,7 +97,7 @@ class SocketCANInterface(Interface):
     async def receive(self) -> TimestampedFrame:
         self._raise_if_closed()
         loop = asyncio.get_running_loop()
-        recv_size = _CAN_FD_MTU if self._fd else _CAN_CLASSIC_MTU
+        recv_size = _FD_FRAME_SIZE if self._fd else _CLASSIC_FRAME_SIZE
         while True:
             try:
                 raw = await loop.sock_recv(self._sock, recv_size)
@@ -128,14 +131,17 @@ class SocketCANInterface(Interface):
                 raise
             if self._closed:
                 return
-            if Instant.now().ns >= deadline_ns:
-                _logger.debug("SocketCAN tx drop expired iface=%s id=%08x", self._name, identifier)
-                continue
-            frame = self._encode(identifier, payload)
-            timeout = max(0.0, (deadline_ns - Instant.now().ns) * 1e-9)
+            timeout = (deadline_ns - Instant.now().ns) * 1e-9
             if timeout <= 0.0:
                 _logger.debug("SocketCAN tx drop expired iface=%s id=%08x", self._name, identifier)
                 continue
+            try:
+                frame = self._encode(identifier, payload)
+            except ValueError as ex:
+                # An unencodable frame (e.g. oversized on a Classic-only interface) is a single bad
+                # frame, not an interface failure: drop it instead of letting it kill the TX task.
+                _logger.warning("SocketCAN tx drop unencodable iface=%s id=%08x: %s", self._name, identifier, ex)
+                continue
             try:
                 await asyncio.wait_for(loop.sock_sendall(self._sock, frame), timeout=timeout)
             except asyncio.TimeoutError:
@@ -159,6 +165,14 @@ class SocketCANInterface(Interface):
             _logger.error("SocketCAN interface %s failed: %s", self._name, ex)
         self.close()
 
+    def _on_task_done(self, task: asyncio.Task[None]) -> None:
+        # Surface an unexpected TX-task crash as an interface failure instead of swallowing it.
+        if task.cancelled() or self._closed:
+            return
+        ex = task.exception()
+        if ex is not None:
+            self._fail(ex)
+
     def _raise_if_closed(self) -> None:
         if self._closed:
             if self._failure is not None:
@@ -172,7 +186,9 @@ class SocketCANInterface(Interface):
     def _encode(self, identifier: int, data: bytes) -> bytes:
         if len(data) > 8:
             if not self._fd:
-                raise ClosedError(f"SocketCAN interface {self._name} is not CAN FD-capable")
+                raise ValueError(
+                    f"SocketCAN interface {self._name} cannot send a {len(data)}-byte frame on Classic CAN"
+                )
             return _CANFD_FRAME_STRUCT.pack(
                 socket.CAN_EFF_FLAG | (identifier & socket.CAN_EFF_MASK),
                 len(data),
@@ -189,14 +205,14 @@ class SocketCANInterface(Interface):
 
     @staticmethod
     def _decode(raw: bytes) -> TimestampedFrame | None:
-        if len(raw) < _CAN_CLASSIC_MTU:
+        if len(raw) < _CLASSIC_FRAME_SIZE:
             _logger.debug("SocketCAN drop short len=%d", len(raw))
             return None
-        if len(raw) >= _CAN_FD_MTU:
-            can_id, length, _flags, _reserved0, _reserved1, data = _CANFD_FRAME_STRUCT.unpack(raw[:_CAN_FD_MTU])
+        if len(raw) >= _FD_FRAME_SIZE:
+            can_id, length, _flags, _reserved0, _reserved1, data = _CANFD_FRAME_STRUCT.unpack(raw[:_FD_FRAME_SIZE])
             payload = data[: min(length, 64)]
         else:
-            can_id, length, data = _CAN_FRAME_STRUCT.unpack(raw[:_CAN_CLASSIC_MTU])
+            can_id, length, data = _CAN_FRAME_STRUCT.unpack(raw[:_CLASSIC_FRAME_SIZE])
             payload = data[: min(length, 8)]
         if (can_id & socket.CAN_EFF_FLAG) == 0 or (can_id & (socket.CAN_RTR_FLAG | socket.CAN_ERR_FLAG)) != 0:
             _logger.debug("SocketCAN drop non-extended or non-data id=%08x", can_id)

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/src/pycyphal2/udp.py

@@ -172,7 +172,6 @@ def _frame_is_valid(header: _FrameHeader, payload_chunk: bytes | memoryview) ->
 class _Fragment:
     offset: int
     data: bytes
-    crc: int
 
     @property
     def end(self) -> int:
@@ -210,7 +209,7 @@ class _TransferSlot:
         )
 
     def update(self, timestamp_ns: int, header: _FrameHeader, payload_chunk: bytes) -> bytes | None:
-        if self._accept_fragment(header.frame_payload_offset, payload_chunk, header.prefix_crc):
+        if self._accept_fragment(header.frame_payload_offset, payload_chunk):
             self.ts_max_ns = max(self.ts_max_ns, timestamp_ns)
             self.ts_min_ns = min(self.ts_min_ns, timestamp_ns)
             crc_end = header.frame_payload_offset + len(payload_chunk)
@@ -221,7 +220,7 @@ class _TransferSlot:
             return None
         return self._finalize_payload()
 
-    def _accept_fragment(self, offset: int, data: bytes, crc: int) -> bool:
+    def _accept_fragment(self, offset: int, data: bytes) -> bool:
         left = offset
         right = offset + len(data)
         for frag in self.fragments:
@@ -244,7 +243,7 @@ class _TransferSlot:
         v_left = min(left, left_neighbor.offset + 1) if left_neighbor is not None else left
         v_right = max(right, max(right_neighbor.end, 1) - 1) if right_neighbor is not None else right
         self.fragments = [frag for frag in self.fragments if not (frag.offset >= v_left and frag.end <= v_right)]
-        self.fragments.append(_Fragment(offset=offset, data=data, crc=crc))
+        self.fragments.append(_Fragment(offset=offset, data=data))
         self.fragments.sort(key=lambda frag: frag.offset)
         self.covered_prefix = self._compute_covered_prefix()
         return True
@@ -474,10 +473,15 @@ class Interface:
     mtu_link: int
     """Link-layer MTU. E.g., 1500 for Ethernet, ~64K for loopback."""
 
+    def __post_init__(self) -> None:
+        # Validate at construction (not via assert, which `python -O` strips) so a too-small MTU can
+        # never produce a negative mtu_cyphal that would make segmentation loop forever.
+        if self.mtu_link < _CYPHAL_MTU_LINK_MIN:
+            raise ValueError(f"mtu_link must be >= {_CYPHAL_MTU_LINK_MIN}, got {self.mtu_link}")
+
     @property
     def mtu_cyphal(self) -> int:
         """Max Cyphal frame payload: mtu_link - 60 (IPv4 max) - 8 (UDP) - 32 (Cyphal header)."""
-        assert self.mtu_link >= _CYPHAL_MTU_LINK_MIN
         return self.mtu_link - _CYPHAL_OVERHEAD_MAX
 
 
@@ -516,18 +520,22 @@ class _UDPSubjectWriter(SubjectWriter):
             except (OSError, SendError) as e:
                 errors.append(e)
 
+        if errors and success_count == 0:
+            _logger.error("Send failed on all interfaces for subject %d", self._subject_id)
+            raise SendError("send failed on all interfaces") from ExceptionGroup(
+                "send failed on all interfaces", errors
+            )
         if errors:
-            eg = ExceptionGroup("send failed on some interfaces", errors)
-            if success_count == 0:
-                _logger.error("Send failed on all interfaces for subject %d", self._subject_id)
-                raise SendError("send failed on all interfaces") from eg
+            # Redundant transport: delivery via at least one interface is a success. Warn but do not
+            # raise, otherwise the caller would treat a delivered transfer as failed and retry it,
+            # duplicating it on the interfaces that already succeeded. This mirrors the CAN transport
+            # (see _CANTransportImpl.send_transfer) and the reference cy_udp_posix push semantics.
             _logger.warning(
-                "Send failed on %d/%d interfaces for subject %d",
-                len(errors),
+                "Send succeeded on %d/%d interfaces for subject %d",
+                success_count,
                 len(errors) + success_count,
                 self._subject_id,
             )
-            raise eg
 
         _logger.debug("Subject tx done sid=%d tid=%d", self._subject_id, transfer_id)
 
@@ -843,8 +851,16 @@ class _UDPTransportImpl(UDPTransport):
             _logger.warning("No endpoint known for remote_id=0x%016x", remote_id)
             raise SendError("No endpoint known for remote_id")
         if errors:
-            raise ExceptionGroup("unicast send failed on some interfaces", errors)
-        _logger.debug("Unicast sent %d frames to remote_id=0x%016x", len(frames), remote_id)
+            # Redundant transport: delivery via at least one interface is a success. Warn but do not
+            # raise, otherwise a delivered transfer would be reported as failed and retried (mirrors
+            # _UDPSubjectWriter.__call__ and the reference cy_udp_posix unicast push semantics).
+            _logger.warning(
+                "Unicast succeeded on %d/%d interfaces for remote_id=0x%016x",
+                success_count,
+                len(errors) + success_count,
+                remote_id,
+            )
+        _logger.debug("Unicast sent to remote_id=0x%016x", remote_id)
 
     def close(self) -> None:
         if self._closed:
@@ -947,7 +963,11 @@ class _UDPTransportImpl(UDPTransport):
             return
         if arrival is not None and self._unicast_handler is not None:
             _logger.debug("Unicast transfer complete from sender_uid=0x%016x", arrival.remote_id)
-            self._unicast_handler(arrival)
+            try:
+                self._unicast_handler(arrival)
+            except Exception:
+                # A raising handler must not kill the receive loop; drop the arrival and keep serving.
+                _logger.exception("Unicast handler raised iface=%d", iface_idx)
 
     def _process_subject_datagram(
         self,
@@ -997,4 +1017,8 @@ class _UDPTransportImpl(UDPTransport):
         if arrival is not None:
             _logger.debug("Subject %d transfer complete from sender_uid=0x%016x", subject_id, arrival.remote_id)
             if handler is not None:
-                handler(arrival)
+                try:
+                    handler(arrival)
+                except Exception:
+                    # A raising handler must not kill the receive loop; drop the arrival and keep serving.
+                    _logger.exception("Subject %d handler raised", subject_id)

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4/src/pycyphal2.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pycyphal2
-Version: 2.0.0.dev3
+Version: 2.0.0.dev4
 Summary: Pure-Python implementation of Cyphal -- a simple and robust real-time publish/subscribe stack that runs anywhere.
 Author-email: Pavel Kirienko and OpenCyphal team <pavel@opencyphal.org>
 License: MIT

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/tests/test_monitor.py

@@ -164,6 +164,33 @@ async def test_monitor_unknown_topic_preserves_decoded_wire_name(name_bytes: byt
     node.close()
 
 
+async def test_gossip_wire_path_drops_malformed_name() -> None:
+    """End-to-end wire path: a gossip with a malformed name must not create a local topic, even with a
+    match-all pattern subscriber present (a valid name over the same path IS created -- the control)."""
+    node = new_node(MockTransport(node_id=1), home="n1")
+    node.subscribe(">")  # Match-all, so only the name validation can prevent topic creation.
+    try:
+        bad = "foo bar"  # A space is not a valid topic-name character.
+        _deliver_gossip(
+            node,
+            _make_gossip_arrival(topic_hash=rapidhash(bad), evictions=0, name_bytes=bad.encode()),
+            "broadcast",
+            topic_hash=rapidhash(bad),
+        )
+        assert bad not in node.topics_by_name  # Malformed name dropped on the wire path.
+
+        good = "sensor/temp"
+        _deliver_gossip(
+            node,
+            _make_gossip_arrival(topic_hash=rapidhash(good), evictions=0, name_bytes=good.encode()),
+            "broadcast",
+            topic_hash=rapidhash(good),
+        )
+        assert good in node.topics_by_name  # Control: a valid name over the same path IS created.
+    finally:
+        node.close()
+
+
 async def test_monitor_is_not_invoked_for_inline_gossip_on_message_reception() -> None:
     node = new_node(MockTransport(node_id=1), home="n1")
     pub = node.advertise("/topic")

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/tests/test_parity.py

@@ -95,7 +95,6 @@ async def test_association_slack_nack_capped():
 
     tracker = PublishTracker(
         tag=tag,
-        deadline_ns=(pycyphal2.Instant.now() + 10.0).ns,
         remaining={42},
         ack_event=asyncio.Event(),
     )
@@ -136,7 +135,6 @@ async def test_association_ack_resets_slack():
 
     tracker = PublishTracker(
         tag=tag,
-        deadline_ns=(pycyphal2.Instant.now() + 10.0).ns,
         remaining={42},
         ack_event=asyncio.Event(),
     )

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/tests/test_parity_coverage.py

@@ -215,7 +215,7 @@ async def test_prepare_publish_tracker_skips_saturated_associations_and_release_
     topic.associations = {10: live, 11: saturated}
 
     tag = topic.next_tag()
-    tracker = node.prepare_publish_tracker(topic, tag, (pycyphal2.Instant.now() + 1.0).ns, b"data")
+    tracker = node.prepare_publish_tracker(topic, tag)
 
     assert tracker.remaining == {10}
     assert tracker.associations == [live]
@@ -243,7 +243,7 @@ async def test_publish_tracker_release_compromised_does_not_penalize_association
     assoc = Association(remote_id=10, last_seen=0.0, slack=ASSOC_SLACK_LIMIT - 1)
     topic.associations = {10: assoc}
     tag = topic.next_tag()
-    tracker = node.prepare_publish_tracker(topic, tag, (pycyphal2.Instant.now() + 1.0).ns, b"data")
+    tracker = node.prepare_publish_tracker(topic, tag)
     tracker.compromised = True
 
     node.publish_tracker_release(topic, tracker)
@@ -266,7 +266,7 @@ async def test_reliable_publish_scheduler_lag_does_not_penalize_association() ->
     topic.associations = {10: assoc}
     tag = topic.next_tag()
     deadline = pycyphal2.Instant(ns=1_000_000_000)
-    tracker = pub._prepare_reliable_publish_tracker(tag, deadline.ns, b"data")
+    tracker = pub._prepare_reliable_publish_tracker(tag)
     tracker.ack_timeout = 0.2
 
     now_ns = 0

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/tests/test_pubsub.py

@@ -36,6 +36,66 @@ async def test_basic_best_effort_pubsub():
     node.close()
 
 
+async def test_node_operations_after_close_raise():
+    """Public node operations reject use after close() instead of mutating a dead node."""
+    net = MockNetwork()
+    tr = MockTransport(node_id=1, network=net)
+    node = new_node(tr, home="test_node")
+    node.close()
+
+    with pytest.raises(pycyphal2.ClosedError):
+        node.advertise("my/topic")
+    with pytest.raises(pycyphal2.ClosedError):
+        node.subscribe("my/topic")
+    with pytest.raises(pycyphal2.ClosedError):
+        node.monitor(lambda _t: None)
+    with pytest.raises(pycyphal2.ClosedError):
+        node.remap("a=b")
+    with pytest.raises(pycyphal2.ClosedError):
+        await node.scout("pattern/*")
+
+
+async def test_node_close_unblocks_pending_subscriber():
+    """Closing the node ends a pending `async for` on a subscriber instead of hanging it forever."""
+    net = MockNetwork()
+    tr = MockTransport(node_id=1, network=net)
+    node = new_node(tr, home="test_node")
+    sub = node.subscribe("my/topic")
+    task = asyncio.create_task(sub.__anext__())
+    await asyncio.sleep(0)  # Let the task start awaiting on the queue.
+
+    node.close()
+
+    with pytest.raises(StopAsyncIteration):
+        await asyncio.wait_for(task, timeout=1.0)
+
+
+async def test_gossip_rejects_malformed_names():
+    """A gossiped name that is not a normalized verbatim topic name must not become a local topic.
+
+    A match-all '>' pattern subscriber is registered so that, WITHOUT the name guard, every name below
+    would be created -- this makes the test fail on the unfixed code rather than passing vacuously (the
+    hash matches the name in each case, so only the name guard can reject it).
+    """
+    from pycyphal2._hash import rapidhash
+
+    net = MockNetwork()
+    tr = MockTransport(node_id=1, network=net)
+    node = new_node(tr, home="test_node")
+    try:
+        node.subscribe(">")  # Match-all pattern: the name guard is then the only thing that can reject.
+        # Sanity: a valid normalized name IS created through this subscriber, proving the path is live.
+        good = node.topic_subscribe_if_matching("sensor/temp", rapidhash("sensor/temp"), 0, 0, 0.0)
+        assert good is not None
+
+        for bad_name in ["foo bar", "foo//bar", "/foo", "foo/", "foo/*", "foo/>", "foo#123", "~/foo", "~", ""]:
+            result = node.topic_subscribe_if_matching(bad_name, rapidhash(bad_name), 0, 0, 0.0)
+            assert result is None, bad_name
+            assert bad_name not in node.topics_by_name
+    finally:
+        node.close()
+
+
 async def test_publish_multiple_messages():
     """Multiple messages should arrive in order."""
     net = MockNetwork()

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/tests/test_reliable.py

@@ -532,7 +532,6 @@ async def test_msg_ack_dispatch():
     tag = topic.next_tag()
     tracker = PublishTracker(
         tag=tag,
-        deadline_ns=(pycyphal2.Instant.now() + 10.0).ns,
         remaining={42},
         ack_event=asyncio.Event(),
     )
@@ -573,7 +572,6 @@ async def test_msg_nack_dispatch():
     tag = topic.next_tag()
     tracker = PublishTracker(
         tag=tag,
-        deadline_ns=(pycyphal2.Instant.now() + 10.0).ns,
         remaining={42},
         ack_event=asyncio.Event(),
     )
@@ -1000,7 +998,6 @@ async def test_multicast_msg_ack_ignored():
     tag = topic.next_tag()
     tracker = PublishTracker(
         tag=tag,
-        deadline_ns=(pycyphal2.Instant.now() + 10.0).ns,
         remaining={42},
         ack_event=asyncio.Event(),
     )

{pycyphal2-2.0.0.dev3 → pycyphal2-2.0.0.dev4}/tests/test_udp.py

@@ -475,13 +475,13 @@ class TestTransferSlot:
             ),
             0,
         )
-        assert slot._accept_fragment(0, b"a" * 30, 0)
+        assert slot._accept_fragment(0, b"a" * 30)
         assert slot.covered_prefix == 30
-        assert slot._accept_fragment(50, b"b" * 30, 0)
+        assert slot._accept_fragment(50, b"b" * 30)
         assert slot.covered_prefix == 30
-        assert slot._accept_fragment(30, b"c" * 20, 0)
+        assert slot._accept_fragment(30, b"c" * 20)
         assert slot.covered_prefix == 80
-        assert slot._accept_fragment(80, b"d" * 20, 0)
+        assert slot._accept_fragment(80, b"d" * 20)
         assert slot.covered_prefix == 100
 
     def test_contained_fragment_rejected(self):
@@ -491,8 +491,8 @@ class TestTransferSlot:
             ),
             0,
         )
-        assert slot._accept_fragment(0, b"A" * 4, 0)
-        assert not slot._accept_fragment(1, b"B" * 2, 0)
+        assert slot._accept_fragment(0, b"A" * 4)
+        assert not slot._accept_fragment(1, b"B" * 2)
         assert [(frag.offset, frag.data) for frag in slot.fragments] == [(0, b"AAAA")]
 
     def test_bridge_fragment_evicts_victim(self):
@@ -502,10 +502,10 @@ class TestTransferSlot:
             ),
             0,
         )
-        assert slot._accept_fragment(0, b"AAAA", 0)
-        assert slot._accept_fragment(4, b"BB", 0)
-        assert slot._accept_fragment(6, b"CCCC", 0)
-        assert slot._accept_fragment(2, b"XXXXXX", 0)
+        assert slot._accept_fragment(0, b"AAAA")
+        assert slot._accept_fragment(4, b"BB")
+        assert slot._accept_fragment(6, b"CCCC")
+        assert slot._accept_fragment(2, b"XXXXXX")
         assert [(frag.offset, frag.data) for frag in slot.fragments] == [(0, b"AAAA"), (2, b"XXXXXX"), (6, b"CCCC")]
 
     def test_furthest_reaching_crc_is_used(self):
@@ -1187,3 +1187,124 @@ class TestAsyncSendto:
                     await t.async_sendto(sock, b"fail", ("127.0.0.1", 9999), deadline)
         finally:
             t.close()
+
+
+@pytest.mark.asyncio
+async def test_subject_send_succeeds_when_one_redundant_interface_fails() -> None:
+    """Redundant transport: a transfer delivered on >=1 interface is a success, not a raise.
+
+    Regression: a partial-interface failure used to raise an ExceptionGroup, making the caller treat a
+    delivered transfer as failed and retry it, duplicating it on the interfaces that already succeeded.
+    """
+    iface = Interface(address=IPv4Address("127.0.0.1"), mtu_link=1500)
+    pub = UDPTransport.new(interfaces=[iface, iface])
+    assert isinstance(pub, _UDPTransportImpl)
+    try:
+        real_sendto = pub.async_sendto
+
+        async def flaky_sendto(sock, data, addr, deadline):  # type: ignore[no-untyped-def]
+            if sock is pub.tx_socks[0]:
+                raise OSError("interface 0 is down")
+            await real_sendto(sock, data, addr, deadline)
+
+        with patch.object(pub, "async_sendto", flaky_sendto):
+            writer = pub.subject_advertise(10)
+            await writer(Instant.now() + 2.0, Priority.NOMINAL, b"redundant")  # Must not raise.
+
+        async def all_fail(sock, data, addr, deadline):  # type: ignore[no-untyped-def]
+            raise OSError("all interfaces down")
+
+        with patch.object(pub, "async_sendto", all_fail):
+            writer_all = pub.subject_advertise(11)
+            with pytest.raises(SendError):
+                await writer_all(Instant.now() + 2.0, Priority.NOMINAL, b"nope")
+    finally:
+        pub.close()
+
+
+def test_interface_rejects_subminimum_mtu() -> None:
+    """A link MTU below the Cyphal minimum is rejected at construction, not via a strippable assert."""
+    with pytest.raises(ValueError, match="mtu_link must be"):
+        Interface(address=IPv4Address("127.0.0.1"), mtu_link=100)
+
+
+@pytest.mark.asyncio
+async def test_raising_subject_handler_does_not_kill_rx_loop() -> None:
+    """A subject handler that raises must not tear down the receive loop; later transfers still arrive."""
+    pub = UDPTransport.new_loopback()
+    sub = UDPTransport.new_loopback()
+    try:
+        received: list[bytes] = []
+
+        def handler(arrival: TransportArrival) -> None:
+            received.append(arrival.message)
+            raise RuntimeError("handler boom")  # Raised on every delivery.
+
+        sub.subject_listen(10, handler)
+        writer = pub.subject_advertise(10)
+        await writer(Instant.now() + 2.0, Priority.NOMINAL, b"first")
+        await writer(Instant.now() + 2.0, Priority.NOMINAL, b"second")
+
+        for _ in range(200):
+            if len(received) >= 2:
+                break
+            await asyncio.sleep(0.01)
+        assert received == [b"first", b"second"]  # Second arrived => loop survived the first raise.
+    finally:
+        pub.close()
+        sub.close()
+
+
+@pytest.mark.asyncio
+async def test_unicast_succeeds_when_one_redundant_interface_fails() -> None:
+    """Unicast, like subject send, must succeed if delivered on >=1 interface (used by reliable replies)."""
+    iface = Interface(address=IPv4Address("127.0.0.1"), mtu_link=1500)
+    t = UDPTransport.new(interfaces=[iface, iface])
+    assert isinstance(t, _UDPTransportImpl)
+    try:
+        remote = 5
+        # Pretend both interfaces have learned an endpoint for the remote node.
+        t._remote_endpoints[(remote, 0)] = ("127.0.0.1", t.tx_socks[0].getsockname()[1])
+        t._remote_endpoints[(remote, 1)] = ("127.0.0.1", t.tx_socks[1].getsockname()[1])
+        real_sendto = t.async_sendto
+
+        async def flaky_sendto(sock, data, addr, deadline):  # type: ignore[no-untyped-def]
+            if sock is t.tx_socks[0]:
+                raise OSError("interface 0 is down")
+            await real_sendto(sock, data, addr, deadline)
+
+        with patch.object(t, "async_sendto", flaky_sendto):
+            await t.unicast(Instant.now() + 2.0, Priority.NOMINAL, remote, b"redundant")  # Must not raise.
+
+        async def all_fail(sock, data, addr, deadline):  # type: ignore[no-untyped-def]
+            raise OSError("all interfaces down")
+
+        with patch.object(t, "async_sendto", all_fail):
+            with pytest.raises(SendError):
+                await t.unicast(Instant.now() + 2.0, Priority.NOMINAL, remote, b"nope")
+    finally:
+        t.close()
+
+
+@pytest.mark.asyncio
+async def test_raising_unicast_handler_does_not_kill_rx() -> None:
+    """A raising unicast handler must not tear down the receive path; later transfers still arrive."""
+    t = UDPTransport.new_loopback()
+    assert isinstance(t, _UDPTransportImpl)
+    try:
+        received: list[bytes] = []
+
+        def handler(arrival: TransportArrival) -> None:
+            received.append(arrival.message)
+            raise RuntimeError("handler boom")
+
+        t.unicast_listen(handler)
+        uid = 0x1234
+        first = _segment_transfer(Priority.NOMINAL, 0, uid, b"first", 1400)[0]
+        second = _segment_transfer(Priority.NOMINAL, 1, uid, b"second", 1400)[0]
+        # Feed two single-frame transfers through the same code path the RX loop uses.
+        t._process_unicast_datagram(first, "127.0.0.1", 40000, 0, Instant.now())
+        t._process_unicast_datagram(second, "127.0.0.1", 40000, 0, Instant.now())
+        assert received == [b"first", b"second"]  # Second processed => the first raise was contained.
+    finally:
+        t.close()