CLAUDE.md: cross-platform cert-binding verified end-to-end

With AllowUntrustedServerCertificate=true + ServerDnsIdentity="localhost",
all four representative read calls (ReadRawAsync, GetSystemParameterAsync,
BrowseTagNamesAsync, GetTagMetadataAsync) succeed from a Debian 13 client
against the Windows Historian over RemoteTcpCertificate with explicit
Windows credentials and NegotiateAuthentication via GSSAPI/NTLM.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -111,13 +111,14 @@ The SDK builds and runs on Linux (Debian 13, .NET 10 SDK 10.0.203). `HistorianSs
   `GetTagMetadataAsync` returned correct fields, `BrowseTagNamesAsync`
   returned matching tags. Confirms the SDK's auth chain (Open2 → ValCl × N
   → service call) works cross-platform.
-- ⚠️ **Calls that touch the cert-transport binding directly from Linux**
-  (`ReadRawAsync`, `GetSystemParameterAsync`, etc.) fail with X509 chain
-  validation even after `update-ca-certificates`. .NET WCF on Linux uses
-  its own X509Chain plumbing rather than the system CA bundle. Workarounds
-  are out of scope for this pass: install the cert into
-  `~/.dotnet/corefx/cryptography/x509stores/` per-user, or expose a
-  `ServerCertificateValidationCallback` on `HistorianClientOptions`.
+- ✅ **Cert-binding calls from Linux** verified end-to-end with the two
+  new `HistorianClientOptions` knobs: `AllowUntrustedServerCertificate=true`
+  (skips X509 chain validation — needed because .NET WCF on Linux ignores
+  the system CA bundle) plus `ServerDnsIdentity="localhost"` (matches the
+  installer-generated cert's DNS claim when reaching the server by IP).
+  `ReadRawAsync`, `GetSystemParameterAsync`, `BrowseTagNamesAsync`, and
+  `GetTagMetadataAsync` all succeed from Debian 13 against the Windows
+  Historian over `RemoteTcpCertificate` with explicit Windows credentials.
 
 ### Remaining gaps