diff --git a/CLAUDE.md b/CLAUDE.md
index 6391de6..cebd0cf 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -106,10 +106,18 @@ The SDK builds and runs on Linux (Debian 13, .NET 10 SDK 10.0.203). `HistorianSs
   `HistorianWcfBindingFactory.CreateMdasNetNamedPipeBinding` and
   `CreateMdasNetTcpWindowsBinding` methods carry a `#pragma warning disable
   CA1416` documenting this.
-- ⏳ **Authenticated reads over `RemoteTcpCertificate` from Linux** — wired
-  to use NegotiateAuthentication's GSSAPI/NTLM path (`gss-ntlmssp` installed
-  on Debian), but live verification requires an explicit Windows credential
-  (`HISTORIAN_USER` / `HISTORIAN_PASSWORD`) which hasn't been exercised yet.
+- ✅ **Authenticated WCF calls via NegotiateAuthentication GSSAPI/NTLM**
+  from Linux — verified end-to-end with explicit credentials:
+  `GetTagMetadataAsync` returned correct fields, `BrowseTagNamesAsync`
+  returned matching tags. Confirms the SDK's auth chain (Open2 → ValCl × N
+  → service call) works cross-platform.
+- ⚠️ **Calls that touch the cert-transport binding directly from Linux**
+  (`ReadRawAsync`, `GetSystemParameterAsync`, etc.) fail with X509 chain
+  validation even after `update-ca-certificates`. .NET WCF on Linux uses
+  its own X509Chain plumbing rather than the system CA bundle. Workarounds
+  are out of scope for this pass: install the cert into
+  `~/.dotnet/corefx/cryptography/x509stores/` per-user, or expose a
+  `ServerCertificateValidationCallback` on `HistorianClientOptions`.
 
 ### Remaining gaps