gRPC M0: probe (R0.4, live-verified) + system-param (R0.3) + shared handshake

Roadmap docs/plans/hcal-roadmap.md, milestone M0 (gRPC parity for the DONE
surface). Now unblocked for live verification by a reachable 2023 R2 server.

- R0.4 Probe over gRPC: new HistorianGrpcProbe calls History/Retrieval/Status
  GetInterfaceVersion (unauthenticated). ProbeAsync routes over gRPC when
  Transport==RemoteGrpc. LIVE-VERIFIED against a real 2023 R2 server — needs no
  credentials (runs before the auth loop), so it works despite the auth blocker.

- R0.3 System parameter over gRPC: new HistorianGrpcStatusClient calls
  StatusService.GetSystemParameter over the authenticated session; routed in the
  dialect. Built + unit-tested (request/response field mapping pinned).
  Live-verification pending an auth fix (see below).

- Extracted the proven auth handshake from HistorianGrpcReadOrchestrator into
  shared Grpc/HistorianGrpcHandshake (reused by read + status + future
  browse/metadata). Repointed the IL structural guardrail test to it.

- Diagnostics: round-failure now decodes the native server error + hex/ASCII
  preview (HistorianNativeHandshake.DescribeError). This surfaced the live auth
  blocker as SEC_E_LOGON_DENIED (0x8009030C) at NTLM round 1 — framing is correct,
  the credential did not validate. Probable cause: stale file password or NAM-domain
  NTLM restriction (Kerberos/RDP works, NTLM denied; no SPN path over the tunnel).

216 unit tests pass; live gRPC probe passes. Sanitization scan clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01B6mcaT2PjRFKcogzp9UkfC

src/AVEVA.Historian.Client/Grpc/HistorianGrpcHandshake.cs

@@ -0,0 +1,74 @@
+using Google.Protobuf;
+using Grpc.Core;
+using AVEVA.Historian.Client.Wcf;
+using GrpcHistory = ArchestrA.Grpc.Contract.History;
+using GrpcStorage = ArchestrA.Grpc.Contract.Storage;
+
+namespace AVEVA.Historian.Client.Grpc;
+
+/// <summary>
+/// Shared 2023 R2 gRPC authentication handshake. Opens an authenticated History session over an
+/// existing <see cref="HistorianGrpcConnection"/> and returns the transient client handle used by
+/// the Retrieval/Status services. Extracted from <see cref="HistorianGrpcReadOrchestrator"/> so the
+/// read, status, and (future) browse/metadata gRPC paths all drive the identical chain:
+/// <c>HistoryService.GetInterfaceVersion → StorageService.ValidateClientCredential (token loop) →
+/// HistoryService.OpenConnection</c>. The byte payloads (OpenConnection3 v6 request, NTLM token
+/// framing) are the proven 2020 protocol and transfer unchanged inside protobuf <c>bytes</c> fields.
+///
+/// See <see cref="HistorianGrpcReadOrchestrator"/> for the op-routing rationale (the Negotiate loop
+/// belongs on StorageService.ValidateClientCredential, NOT HistoryService.ExchangeKey).
+/// </summary>
+internal static class HistorianGrpcHandshake
+{
+    public static uint OpenAuthenticatedConnection(
+        HistorianGrpcConnection connection,
+        HistorianClientOptions options,
+        CancellationToken cancellationToken)
+    {
+        DateTime Deadline() => DateTime.UtcNow.Add(options.RequestTimeout);
+
+        Guid contextKey = Guid.NewGuid();
+        var historyClient = new GrpcHistory.HistoryService.HistoryServiceClient(connection.Channel);
+
+        GrpcHistory.GetInterfaceVersionResponse historyVersion = historyClient.GetInterfaceVersion(
+            new GrpcHistory.GetInterfaceVersionRequest(), connection.Metadata, Deadline(), cancellationToken);
+        HistorianServerVersionGate.Validate(HistorianServiceInterface.History, historyVersion.UiVersion, options);
+
+        var storageClient = new GrpcStorage.StorageService.StorageServiceClient(connection.Channel);
+        HistorianNativeHandshake.RunTokenRounds(
+            (handle, wrapped, _) =>
+            {
+                GrpcStorage.ValidateClientCredentialResponse response = storageClient.ValidateClientCredential(
+                    new GrpcStorage.ValidateClientCredentialRequest { Handle = handle, InBuff = ByteString.CopyFrom(wrapped) },
+                    connection.Metadata,
+                    Deadline(),
+                    cancellationToken);
+                byte[] serverOutput = response.OutBuff?.ToByteArray() ?? [];
+                byte[] error = response.Status?.BtError?.ToByteArray() ?? [];
+                bool success = response.Status?.BSuccess ?? false;
+                return new HistorianNativeHandshake.TokenExchangeResult(success, serverOutput, error);
+            },
+            contextKey,
+            options,
+            cancellationToken);
+
+        byte[] open2Request = HistorianNativeHandshake.BuildOpenConnection3Request(
+            options.Host, contextKey, HistorianWcfAuthChainHelper.NativeIntegratedReadOnlyConnectionMode);
+
+        GrpcHistory.OpenConnectionResponse open2 = historyClient.OpenConnection(
+            new GrpcHistory.OpenConnectionRequest { BtConnectionRequest = ByteString.CopyFrom(open2Request) },
+            connection.Metadata,
+            Deadline(),
+            cancellationToken);
+
+        byte[] open2Response = open2.BtConnectionResponse?.ToByteArray() ?? [];
+        if (!(open2.Status?.BSuccess ?? false))
+        {
+            byte[] err = open2.Status?.BtError?.ToByteArray() ?? [];
+            throw new InvalidOperationException($"gRPC OpenConnection failed (errorLen={err.Length}, responseLen={open2Response.Length}).");
+        }
+
+        (uint clientHandle, _) = HistorianNativeHandshake.ParseOpenConnectionResponse(open2Response);
+        return clientHandle;
+    }
+}

src/AVEVA.Historian.Client/Grpc/HistorianGrpcProbe.cs

@@ -0,0 +1,48 @@
+using Grpc.Core;
+using GrpcHistory = ArchestrA.Grpc.Contract.History;
+using GrpcRetrieval = ArchestrA.Grpc.Contract.Retrieval;
+using GrpcStatus = ArchestrA.Grpc.Contract.Status;
+
+namespace AVEVA.Historian.Client.Grpc;
+
+/// <summary>
+/// 2023 R2 gRPC reachability probe (roadmap item R0.4). Mirrors <see cref="Wcf.HistorianWcfProbe"/>
+/// over the gRPC transport: it calls the unauthenticated <c>GetInterfaceVersion</c> RPC on the
+/// History, Retrieval, and Status services and applies the same success criteria. No credentials
+/// are required — these RPCs run before the SSPI/Negotiate token loop — so the probe works even
+/// when authentication is unavailable.
+/// </summary>
+internal static class HistorianGrpcProbe
+{
+    public static async Task<bool> ProbeAsync(HistorianClientOptions options, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(options);
+        cancellationToken.ThrowIfCancellationRequested();
+
+        return await Task.Run(() => Probe(options, cancellationToken), cancellationToken).ConfigureAwait(false);
+    }
+
+    private static bool Probe(HistorianClientOptions options, CancellationToken cancellationToken)
+    {
+        using HistorianGrpcConnection connection = HistorianGrpcChannelFactory.Create(options);
+        DateTime deadline = DateTime.UtcNow.Add(options.ConnectTimeout > TimeSpan.Zero ? options.ConnectTimeout : TimeSpan.FromSeconds(5));
+
+        var historyClient = new GrpcHistory.HistoryService.HistoryServiceClient(connection.Channel);
+        GrpcHistory.GetInterfaceVersionResponse history = historyClient.GetInterfaceVersion(
+            new GrpcHistory.GetInterfaceVersionRequest(), connection.Metadata, deadline, cancellationToken);
+
+        var retrievalClient = new GrpcRetrieval.RetrievalService.RetrievalServiceClient(connection.Channel);
+        GrpcRetrieval.GetRetrievalInterfaceVersionResponse retrieval = retrievalClient.GetRetrievalInterfaceVersion(
+            new GrpcRetrieval.GetRetrievalInterfaceVersionRequest(), connection.Metadata, deadline, cancellationToken);
+
+        var statusClient = new GrpcStatus.StatusService.StatusServiceClient(connection.Channel);
+        GrpcStatus.GetStatusInterfaceVersionResponse status = statusClient.GetStatusInterfaceVersion(
+            new GrpcStatus.GetStatusInterfaceVersionRequest(), connection.Metadata, deadline, cancellationToken);
+
+        return history.UiError == 0
+            && history.UiVersion > 0
+            && retrieval.UiError == 0
+            && retrieval.UiVersion > 0
+            && status.UiError == 0;
+    }
+}

src/AVEVA.Historian.Client/Grpc/HistorianGrpcReadOrchestrator.cs

@@ -3,9 +3,7 @@ using Google.Protobuf;
 using Grpc.Core;
 using AVEVA.Historian.Client.Models;
 using AVEVA.Historian.Client.Wcf;
-using GrpcHistory = ArchestrA.Grpc.Contract.History;
 using GrpcRetrieval = ArchestrA.Grpc.Contract.Retrieval;
-using GrpcStorage = ArchestrA.Grpc.Contract.Storage;
 
 namespace AVEVA.Historian.Client.Grpc;
 
@@ -166,51 +164,7 @@ internal sealed class HistorianGrpcReadOrchestrator
     }
 
     private uint OpenAuthenticatedConnection(HistorianGrpcConnection connection, CancellationToken cancellationToken)
-    {
-        Guid contextKey = Guid.NewGuid();
-        var historyClient = new GrpcHistory.HistoryService.HistoryServiceClient(connection.Channel);
-
-        GrpcHistory.GetInterfaceVersionResponse historyVersion = historyClient.GetInterfaceVersion(
-            new GrpcHistory.GetInterfaceVersionRequest(), connection.Metadata, Deadline(), cancellationToken);
-        HistorianServerVersionGate.Validate(HistorianServiceInterface.History, historyVersion.UiVersion, _options);
-
-        var storageClient = new GrpcStorage.StorageService.StorageServiceClient(connection.Channel);
-        HistorianNativeHandshake.RunTokenRounds(
-            (handle, wrapped, _) =>
-            {
-                GrpcStorage.ValidateClientCredentialResponse response = storageClient.ValidateClientCredential(
-                    new GrpcStorage.ValidateClientCredentialRequest { Handle = handle, InBuff = ByteString.CopyFrom(wrapped) },
-                    connection.Metadata,
-                    Deadline(),
-                    cancellationToken);
-                byte[] serverOutput = response.OutBuff?.ToByteArray() ?? [];
-                byte[] error = response.Status?.BtError?.ToByteArray() ?? [];
-                bool success = response.Status?.BSuccess ?? false;
-                return new HistorianNativeHandshake.TokenExchangeResult(success, serverOutput, error);
-            },
-            contextKey,
-            _options,
-            cancellationToken);
-
-        byte[] open2Request = HistorianNativeHandshake.BuildOpenConnection3Request(
-            _options.Host, contextKey, HistorianWcfAuthChainHelper.NativeIntegratedReadOnlyConnectionMode);
-
-        GrpcHistory.OpenConnectionResponse open2 = historyClient.OpenConnection(
-            new GrpcHistory.OpenConnectionRequest { BtConnectionRequest = ByteString.CopyFrom(open2Request) },
-            connection.Metadata,
-            Deadline(),
-            cancellationToken);
-
-        byte[] open2Response = open2.BtConnectionResponse?.ToByteArray() ?? [];
-        if (!(open2.Status?.BSuccess ?? false))
-        {
-            byte[] err = open2.Status?.BtError?.ToByteArray() ?? [];
-            throw new InvalidOperationException($"gRPC OpenConnection failed (errorLen={err.Length}, responseLen={open2Response.Length}).");
-        }
-
-        (uint clientHandle, _) = HistorianNativeHandshake.ParseOpenConnectionResponse(open2Response);
-        return clientHandle;
-    }
+        => HistorianGrpcHandshake.OpenAuthenticatedConnection(connection, _options, cancellationToken);
 
     private List<HistorianSample> RunQuery(
         HistorianGrpcConnection connection,

src/AVEVA.Historian.Client/Grpc/HistorianGrpcStatusClient.cs

@@ -0,0 +1,38 @@
+using Grpc.Core;
+using GrpcStatus = ArchestrA.Grpc.Contract.Status;
+
+namespace AVEVA.Historian.Client.Grpc;
+
+/// <summary>
+/// 2023 R2 gRPC status client (roadmap item R0.3). Mirrors
+/// <see cref="Wcf.HistorianWcfStatusClient"/> over the gRPC transport: it opens an authenticated
+/// History session via <see cref="HistorianGrpcHandshake"/> and queries the StatusService for the
+/// resulting client handle. <c>GetSystemParameter</c> carries the parameter name as a protobuf
+/// string and returns the value string directly — there is no opaque native buffer to decode.
+/// </summary>
+internal static class HistorianGrpcStatusClient
+{
+    public static Task<string?> GetSystemParameterAsync(
+        HistorianClientOptions options,
+        string parameterName,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(parameterName);
+        return Task.Run(() => GetSystemParameter(options, parameterName, cancellationToken), cancellationToken);
+    }
+
+    private static string? GetSystemParameter(HistorianClientOptions options, string parameterName, CancellationToken cancellationToken)
+    {
+        using HistorianGrpcConnection connection = HistorianGrpcChannelFactory.Create(options);
+        uint clientHandle = HistorianGrpcHandshake.OpenAuthenticatedConnection(connection, options, cancellationToken);
+
+        var statusClient = new GrpcStatus.StatusService.StatusServiceClient(connection.Channel);
+        GrpcStatus.GetSystemParameterResponse response = statusClient.GetSystemParameter(
+            new GrpcStatus.GetSystemParameterRequest { UiHandle = clientHandle, StrParameterName = parameterName },
+            connection.Metadata,
+            DateTime.UtcNow.Add(options.RequestTimeout),
+            cancellationToken);
+
+        return (response.Status?.BSuccess ?? false) ? response.StrParameterValue : null;
+    }
+}

src/AVEVA.Historian.Client/HistorianClient.cs

@@ -25,7 +25,9 @@ public sealed class HistorianClient : IAsyncDisposable
 
     public async Task<bool> ProbeAsync(CancellationToken cancellationToken = default)
     {
-        return await HistorianWcfProbe.ProbeAsync(_options, cancellationToken).ConfigureAwait(false);
+        return _options.Transport == HistorianTransport.RemoteGrpc
+            ? await Grpc.HistorianGrpcProbe.ProbeAsync(_options, cancellationToken).ConfigureAwait(false)
+            : await HistorianWcfProbe.ProbeAsync(_options, cancellationToken).ConfigureAwait(false);
     }
 
     public IAsyncEnumerable<HistorianSample> ReadRawAsync(

src/AVEVA.Historian.Client/Protocol/Historian2020ProtocolDialect.cs

@@ -64,7 +64,9 @@ internal sealed class Historian2020ProtocolDialect
     {
         cancellationToken.ThrowIfCancellationRequested();
         ArgumentException.ThrowIfNullOrWhiteSpace(name);
-        return Wcf.HistorianWcfStatusClient.GetSystemParameterAsync(_options, name, cancellationToken);
+        return UseGrpc
+            ? HistorianGrpcStatusClient.GetSystemParameterAsync(_options, name, cancellationToken)
+            : Wcf.HistorianWcfStatusClient.GetSystemParameterAsync(_options, name, cancellationToken);
     }
 
     private static async IAsyncEnumerable<T> Missing<T>(

src/AVEVA.Historian.Client/Wcf/HistorianNativeHandshake.cs

@@ -33,7 +33,7 @@ internal static class HistorianNativeHandshake
     /// upper-case context-key GUID, <paramref name="wrappedToken"/> is the AVEVA-wrapped SSPI
     /// token (round byte + length + token). The WCF path maps this to
     /// <c>Hist.ValidateClientCredential</c>; the gRPC path maps it to
-    /// <c>HistoryService.ExchangeKey</c> (the renamed handshake op).
+    /// <c>StorageService.ValidateClientCredential</c> (the op that kept the 2020 token framing).
     /// </summary>
     internal delegate TokenExchangeResult TokenExchange(string handle, byte[] wrappedToken, int round);
 
@@ -70,7 +70,8 @@ internal static class HistorianNativeHandshake
 
             if (!result.Success)
             {
-                throw new InvalidOperationException($"Credential token round {round} rejected (errorLen={error.Length}).");
+                throw new InvalidOperationException(
+                    $"Credential token round {round} rejected (errorLen={error.Length}).{DescribeError(error)}");
             }
 
             ValidateClientCredentialResponse? response = HistorianWcfAuthenticationProtocol.TryReadValidateClientCredentialResponse(serverOutput);
@@ -162,4 +163,32 @@ internal static class HistorianNativeHandshake
         int slash = userName.IndexOf('\\');
         return slash > 0 ? userName[(slash + 1)..] : userName;
     }
+
+    /// <summary>
+    /// Renders a diagnostic suffix for a rejected credential round: the decoded native error
+    /// (type/code/name) plus a short hex + printable-ASCII preview of the server error buffer.
+    /// Keeps secrets out — error buffers carry server status codes/messages, not credentials.
+    /// </summary>
+    private static string DescribeError(byte[] error)
+    {
+        if (error.Length == 0)
+        {
+            return string.Empty;
+        }
+
+        HistorianNativeError? native = HistorianOpen2Protocol.TryReadNativeError(error);
+        string nativePart = native is null
+            ? string.Empty
+            : $" native(type={native.Type}, code={native.Code}{(native.Name is null ? string.Empty : $", {native.Name}")})";
+
+        ReadOnlySpan<byte> preview = error.AsSpan(0, Math.Min(error.Length, 64));
+        string hex = Convert.ToHexString(preview);
+        char[] ascii = new char[preview.Length];
+        for (int i = 0; i < preview.Length; i++)
+        {
+            ascii[i] = preview[i] is >= 0x20 and < 0x7F ? (char)preview[i] : '.';
+        }
+
+        return $"{nativePart} hex={hex} ascii=\"{new string(ascii)}\"";
+    }
 }