gRPC 2023 R2: fix auth handshake op routing + accept History v12

First live-verified gRPC read against a real 2023 R2 Historian. The handshake
previously failed at round 0 (cred-independent) because the SSPI/Negotiate token
loop was routed to HistoryService.ExchangeKey. ExchangeKey is a separate
key-exchange/cert-path op, not the Negotiate loop — the token loop belongs on
StorageService.ValidateClientCredential, which kept the 2020 inBuff/outBuff token
framing the SDK's WrapValidateClientCredentialToken/TryRead helpers already build.

Captured + diffed against the recovered 2023 R2 protobuf contract and the
decompiled stock client; routing the loop to ValidateClientCredential completes
the full chain (ValidateClientCredential x N -> OpenConnection -> StartQuery ->
GetNextQueryResultBuffer) and returns rows.

- HistorianGrpcReadOrchestrator: token loop now calls
  StorageService.ValidateClientCredential(Handle, InBuff); corrected the op-map
  doc comment (was asserting the wrong ExchangeKey mapping).
- HistorianServerVersionGate: accept History interface version 12 alongside 11.
  Live server reports History=12, Retrieval=4, Storage=4; the buffers are
  byte-identical (a live read returns rows), so 12 is buffer-compatible. Retrieval
  stays pinned at 4 (matches). New AcceptedVersions() supports multi-version gates.
- New HistorianGrpcHandshakeRoutingTests: IL-level structural guardrail that
  disassembles the orchestrator (incl. lambda closures) and asserts the handshake
  invokes ValidateClientCredential and never ExchangeKey — fails if the regression
  returns.
- Updated gate tests + CLAUDE.md gRPC op-map.

240 unit tests pass on the full stack; 210 on this branch's base. The byte
payloads remain the proven 2020 protocol.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01B6mcaT2PjRFKcogzp9UkfC

tests/AVEVA.Historian.Client.Tests/HistorianGrpcHandshakeRoutingTests.cs

@@ -0,0 +1,153 @@
+using System.Reflection;
+using System.Reflection.Emit;
+
+namespace AVEVA.Historian.Client.Tests;
+
+/// <summary>
+/// Structural guardrail pinning the 2023 R2 gRPC auth-handshake op routing. The SSPI/Negotiate
+/// token loop MUST be carried by <c>StorageService.ValidateClientCredential</c> (the op that kept
+/// the 2020 inBuff/outBuff token framing), NOT by <c>HistoryService.ExchangeKey</c> — ExchangeKey
+/// is a separate key-exchange/cert-path op that rejects an NTLM token at round 0 regardless of
+/// credentials (live-confirmed against a real 2023 R2 server, 2026-06-21). An earlier revision
+/// routed the loop to ExchangeKey; this test fails if that regression returns.
+///
+/// It works by disassembling the IL of <c>HistorianGrpcReadOrchestrator</c> (and its
+/// compiler-generated nested closure types — the token-loop call lives inside a lambda) and
+/// collecting every method invoked.
+/// </summary>
+public sealed class HistorianGrpcHandshakeRoutingTests
+{
+    [Fact]
+    public void Handshake_UsesValidateClientCredential_NotExchangeKey()
+    {
+        HashSet<string> calledMethods = CollectCalledMethodNames(
+            "AVEVA.Historian.Client.Grpc.HistorianGrpcReadOrchestrator");
+
+        Assert.Contains("ValidateClientCredential", calledMethods);
+        Assert.DoesNotContain("ExchangeKey", calledMethods);
+    }
+
+    private static HashSet<string> CollectCalledMethodNames(string typeFullName)
+    {
+        Assembly sdk = typeof(HistorianClientOptions).Assembly;
+        Type orchestrator = sdk.GetType(typeFullName, throwOnError: true)!;
+        Module module = orchestrator.Module;
+
+        // The orchestrator type plus its compiler-generated nested types (lambda closures).
+        IEnumerable<Type> types = new[] { orchestrator }
+            .Concat(orchestrator.GetNestedTypes(BindingFlags.Public | BindingFlags.NonPublic));
+
+        var names = new HashSet<string>(StringComparer.Ordinal);
+        foreach (Type t in types)
+        {
+            Type[] typeArgs = t.IsGenericType ? t.GetGenericArguments() : Type.EmptyTypes;
+            foreach (MethodInfo m in t.GetMethods(
+                BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly))
+            {
+                byte[]? il = m.GetMethodBody()?.GetILAsByteArray();
+                if (il is null)
+                {
+                    continue;
+                }
+
+                Type[] methodArgs = m.IsGenericMethodDefinition ? m.GetGenericArguments() : Type.EmptyTypes;
+                foreach (int token in EnumerateMethodTokens(il))
+                {
+                    try
+                    {
+                        MethodBase? resolved = module.ResolveMethod(token, typeArgs, methodArgs);
+                        if (resolved is not null)
+                        {
+                            names.Add(resolved.Name);
+                        }
+                    }
+                    catch (Exception ex) when (ex is ArgumentException or BadImageFormatException)
+                    {
+                        // vararg / MethodSpec tokens that don't resolve cleanly — irrelevant here.
+                    }
+                }
+            }
+        }
+
+        return names;
+    }
+
+    /// <summary>
+    /// Walks an IL byte stream, yielding the 4-byte metadata token of every call/callvirt/newobj
+    /// (any <see cref="OperandType.InlineMethod"/> opcode). Uses the reflection-emit opcode table so
+    /// operands of other instructions are skipped correctly rather than misread as opcodes.
+    /// </summary>
+    private static IEnumerable<int> EnumerateMethodTokens(byte[] il)
+    {
+        int pos = 0;
+        while (pos < il.Length)
+        {
+            OpCode op;
+            if (il[pos] == 0xFE && pos + 1 < il.Length)
+            {
+                op = TwoByteOpCodes[il[pos + 1]];
+                pos += 2;
+            }
+            else
+            {
+                op = OneByteOpCodes[il[pos]];
+                pos += 1;
+            }
+
+            switch (op.OperandType)
+            {
+                case OperandType.InlineMethod:
+                    yield return BitConverter.ToInt32(il, pos);
+                    pos += 4;
+                    break;
+                case OperandType.InlineNone:
+                    break;
+                case OperandType.ShortInlineBrTarget:
+                case OperandType.ShortInlineI:
+                case OperandType.ShortInlineVar:
+                    pos += 1;
+                    break;
+                case OperandType.InlineVar:
+                    pos += 2;
+                    break;
+                case OperandType.InlineI8:
+                case OperandType.InlineR:
+                    pos += 8;
+                    break;
+                case OperandType.InlineSwitch:
+                    int count = BitConverter.ToInt32(il, pos);
+                    pos += 4 + (4 * count);
+                    break;
+                default:
+                    // InlineBrTarget, InlineField, InlineI, InlineSig, InlineString, InlineTok,
+                    // InlineType, ShortInlineR — all 4-byte operands.
+                    pos += 4;
+                    break;
+            }
+        }
+    }
+
+    private static readonly OpCode[] OneByteOpCodes = BuildOpCodeTable(twoByte: false);
+    private static readonly OpCode[] TwoByteOpCodes = BuildOpCodeTable(twoByte: true);
+
+    private static OpCode[] BuildOpCodeTable(bool twoByte)
+    {
+        var table = new OpCode[256];
+        foreach (FieldInfo f in typeof(OpCodes).GetFields(BindingFlags.Public | BindingFlags.Static))
+        {
+            if (f.GetValue(null) is not OpCode op)
+            {
+                continue;
+            }
+
+            ushort value = unchecked((ushort)op.Value);
+            bool isTwoByte = (value & 0xFF00) == 0xFE00;
+            if (isTwoByte == twoByte)
+            {
+                table[value & 0xFF] = op;
+            }
+        }
+
+        return table;
+    }
+}

tests/AVEVA.Historian.Client.Tests/HistorianServerVersionGateTests.cs

@@ -29,6 +29,20 @@ public sealed class HistorianServerVersionGateTests
         HistorianServerVersionGate.Validate(HistorianServiceInterface.Transaction, HistorianServerVersionGate.TransactionInterfaceVersion, Options());
     }
 
+    [Fact]
+    public void Validate_History_AcceptsBoth2020And2023R2Versions()
+    {
+        // History 11 (2020 WCF) and 12 (2023 R2 gRPC) are both buffer-compatible — a live gRPC
+        // read against a real 2023 R2 server (interface version 12) returns rows. Both must pass.
+        HistorianServerVersionGate.Validate(HistorianServiceInterface.History, 11u, Options());
+        HistorianServerVersionGate.Validate(HistorianServiceInterface.History, HistorianServerVersionGate.HistoryInterfaceVersionGrpc2023R2, Options());
+        Assert.Equal(12u, HistorianServerVersionGate.HistoryInterfaceVersionGrpc2023R2);
+        Assert.Contains(11u, HistorianServerVersionGate.AcceptedVersions(HistorianServiceInterface.History));
+        Assert.Contains(12u, HistorianServerVersionGate.AcceptedVersions(HistorianServiceInterface.History));
+        // Retrieval reported 4 on the live 2023 R2 server — matches 2020, so it is NOT widened.
+        Assert.DoesNotContain(5u, HistorianServerVersionGate.AcceptedVersions(HistorianServiceInterface.Retrieval));
+    }
+
     [Fact]
     public void Validate_MismatchedVersion_ThrowsProtocolEvidenceMissing()
     {
@@ -36,7 +50,7 @@ public sealed class HistorianServerVersionGateTests
         (HistorianServiceInterface Service, uint Version)[] cases =
         [
             (HistorianServiceInterface.History, 10u),
-            (HistorianServiceInterface.History, 12u),
+            (HistorianServiceInterface.History, 13u),
             (HistorianServiceInterface.Retrieval, 3u),
             (HistorianServiceInterface.Retrieval, 5u),
             (HistorianServiceInterface.Transaction, 1u),