Initial commit: managed .NET 10 AVEVA Historian SDK + reverse-engineering toolkit

Full read-only SDK (src/AVEVA.Historian.Client) implementing the CLAUDE.md required
surface against AVEVA Historian's binary WCF protocol — no native AVEVA runtime
dependency. All operations live-verified against a local Historian:

- ProbeAsync, ReadRawAsync, ReadAggregateAsync, ReadAtTimeAsync, ReadEventsAsync
- BrowseTagNamesAsync, GetTagMetadataAsync (17 native data-type codes mapped)
- GetConnectionStatusAsync, GetStoreForwardStatusAsync, GetSystemParameterAsync
- 108/108 unit + integration tests pass

Includes the reverse-engineering toolkit (tools/AVEVA.Historian.ReverseEngineering)
used to decode the protocol: WCF probes, IL inspection via dnlib, and IL-rewrite
instrumentation (instrument-wcf-{write,read}message etc.) plus the .NET Framework
trace harness (tools/AVEVA.Historian.NativeTraceHarness) for parity testing.

Sanitized handoff evidence under docs/reverse-engineering/. Native AVEVA binaries
(current/, aveva-install-x64/, aveva-install-x86/) are gitignored — fetch separately
from the AVEVA installer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/AVEVA.Historian.Client/Wcf/HistorianWcfAuthenticationProtocol.cs

@@ -0,0 +1,63 @@
+using System.Buffers.Binary;
+namespace AVEVA.Historian.Client.Wcf;
+
+internal static class HistorianWcfAuthenticationProtocol
+{
+    private const uint NativeNtlmNegotiateVersionFlag = 0x0010_0000;
+
+    public static byte[] WrapValidateClientCredentialToken(bool isFirstRound, ReadOnlySpan<byte> token)
+    {
+        byte[] buffer = new byte[checked(1 + sizeof(uint) + token.Length)];
+        buffer[0] = isFirstRound ? (byte)1 : (byte)0;
+        BinaryPrimitives.WriteUInt32LittleEndian(buffer.AsSpan(1, sizeof(uint)), checked((uint)token.Length));
+        token.CopyTo(buffer.AsSpan(1 + sizeof(uint)));
+        return buffer;
+    }
+
+    public static bool TryApplyNativeNtlmNegotiateVersionFlag(Span<byte> token)
+    {
+        ReadOnlySpan<byte> ntlmSignature = "NTLMSSP\0"u8;
+        if (token.Length < 16
+            || !token[..ntlmSignature.Length].SequenceEqual(ntlmSignature)
+            || BinaryPrimitives.ReadUInt32LittleEndian(token.Slice(8, sizeof(uint))) != 1)
+        {
+            return false;
+        }
+
+        uint flags = BinaryPrimitives.ReadUInt32LittleEndian(token.Slice(12, sizeof(uint)));
+        BinaryPrimitives.WriteUInt32LittleEndian(
+            token.Slice(12, sizeof(uint)),
+            flags | NativeNtlmNegotiateVersionFlag);
+        return true;
+    }
+
+    public static ValidateClientCredentialToken? TryReadWrappedValidateClientCredentialToken(ReadOnlySpan<byte> buffer)
+    {
+        if (buffer.Length < 1 + sizeof(uint))
+        {
+            return null;
+        }
+
+        uint tokenLength = BinaryPrimitives.ReadUInt32LittleEndian(buffer.Slice(1, sizeof(uint)));
+        if (tokenLength > int.MaxValue || buffer.Length != 1 + sizeof(uint) + (int)tokenLength)
+        {
+            return null;
+        }
+
+        return new ValidateClientCredentialToken(buffer[0] != 0, buffer[(1 + sizeof(uint))..].ToArray());
+    }
+
+    public static ValidateClientCredentialResponse? TryReadValidateClientCredentialResponse(ReadOnlySpan<byte> buffer)
+    {
+        if (buffer.Length == 0)
+        {
+            return null;
+        }
+
+        return new ValidateClientCredentialResponse(buffer[0] != 0, buffer[1..].ToArray());
+    }
+}
+
+internal sealed record ValidateClientCredentialToken(bool IsFirstRound, byte[] Token);
+
+internal sealed record ValidateClientCredentialResponse(bool Continue, byte[] Token);