histsdk/docs/reverse-engineering/wcf-contract-evidence.md

# WCF Contract Evidence

## Local run evidence

- `current\aahClient.dll` export inventory ran successfully. SHA256:
  `77a778988e2d8f2d0e88113f8c8b0788a0ef34fa5134938a353976778144dc83`.
- `ArchestrA.HistorianAccess.OpenConnection` succeeded against `localhost:32568`
  using `HistorianConnectionArgs` with `ConnectionType=Process` and `ReadOnly=true`.
- Holding that native connection open produced established TCP sessions from the
  native PowerShell process to `127.0.0.1:32568`; the server-side listener was
  owned by `SMSvcHost.exe`, consistent with WCF Net.TCP port sharing.
- The managed harness command
  `dotnet run --no-build --project tools\AVEVA.Historian.ReverseEngineering -- wcf-probe localhost 32568`
  successfully called `GetV` through fully managed WCF/MDAS:
  - `net.tcp://localhost:32568/Hist` returned version `11`
  - `net.tcp://localhost:32568/Retr` returned version `4`
  - `net.tcp://localhost:32568/Stat` returned version `0`
  - `net.tcp://localhost:32568/Trx` returned version `2`
  - `net.tcp://localhost:32568/Storage` did not listen on this local install
  - `net.tcp://localhost:32568/HistCert` and `/Hist-Integrated` reset when
    called with the plain managed `GetV` contract, while prefixed variants such
    as `/HCAP/HistCert` returned `EndpointNotFound`
  Sanitized output is stored in `docs\reverse-engineering\wcf-probe-localhost.json`.
- `netsh trace` and `pktmon` produced ETL files under
  `%TEMP%\histsdk-captures`, but their converted PCAPNG files contained zero
  packets. Built-in Windows packet capture is not sufficient for loopback
  evidence on this machine.
- A dedicated managed certificate-binding probe now reaches `HistCert.GetV`
  through MDAS over WCF Net.TCP transport security:
  - `net.tcp://localhost:32568/HistCert` returned version `11`
  - `net.tcp://10.100.0.48:32568/HistCert` initially failed endpoint identity
    validation because the server certificate presented DNS identity
    `localhost`
  - the same remote endpoint returned version `11` when the client supplied
    endpoint DNS identity `localhost`
  Sanitized outputs are stored in
  `docs\reverse-engineering\wcf-cert-probe-localhost-latest.json`,
  `docs\reverse-engineering\wcf-cert-probe-remote-latest.json`, and
  `docs\reverse-engineering\wcf-cert-probe-remote-localhost-identity-latest.json`.
- The same remote server also accepts the plain managed WCF/MDAS probe on the
  expected non-security-specific service paths:
  - `net.tcp://10.100.0.48:32568/Hist` returned version `11`
  - `net.tcp://10.100.0.48:32568/Retr` returned version `4`
  - `net.tcp://10.100.0.48:32568/Stat` returned version `0`
  - `net.tcp://10.100.0.48:32568/Trx` returned version `2`
  Sanitized output is stored in
  `docs\reverse-engineering\wcf-probe-remote-latest.json`.
- Managed remote `Open2` evidence matches localhost: integrated Windows auth
  succeeds on `net.tcp://10.100.0.48:32568/Hist-Integrated`, while the same
  Windows transport binding fails on plain `/Hist` before dispatch. The
  successful returned handle is accepted by `Retr.IsOriginalAllowed`. Session
  output bytes and transient handle values are redacted in
  `docs\reverse-engineering\wcf-open2-remote-latest.json`.
- Managed remote `StartQuery2` evidence is still negative but sharper: all 22
  reconstructed `DataQueryRequest` variants successfully open the integrated
  session and pass `Retr.IsOriginalAllowed`, then `StartQuery2` returns `false`
  with zero response and error sizes. The legacy `StartQuery` call returns code
  `238` for each request and also returns zero response size/no response buffer.
  Sanitized request hashes are stored in
  `docs\reverse-engineering\wcf-start-query-remote-latest.json`.
- A later bounded managed replay of the first byte-matched full-history
  candidate used the same integrated open and `Retr.IsOriginalAllowed` path;
  `StartQuery2` still returned `false` with zero response/error sizes, while
  legacy `StartQuery` faulted with a server null-reference. This keeps
  `Open2` as useful connection evidence, but not as a viable replacement for
  the native `OpenConnection3` session state required by query reads.
- Managed wildcard tag browse remains positive evidence for an `Open2`-backed
  operation: `Retr.StartLikeTagNameSearch` returned `0`, and one
  `GetLikeTagnames` batch returned the deterministic 66-byte single-tag buffer
  with SHA-256
  `2d450a55f392aed0026e9a957fefa3b116aab6ec81912c5d824c6b9a1ff5a4a1`.
- Managed remote scalar tag calls also accept the integrated session handle:
  `Retr.GetTagTypeFromName` returns code `0` and tag type `1` for
  `OtOpcUaParityTest_001.Counter`; `Retr.IsManualTag` returns code `0` and
  `false`; legacy `Retr.GetTagInfoFromName` returns `238` with zero metadata
  bytes. Five `GetTgByNm` tag-name buffer variants and five `GetTg` tag-id
  buffer variants all return `238`, sequence `0`, and zero output bytes. This
  suggests the calls are reaching server logic but the metadata-returning
  contract shape or request buffer is still incomplete. Sanitized output is
  stored in
  `docs\reverse-engineering\wcf-tag-info-remote-latest.json`.

## Decompiled service contracts

`current\aahClientManaged.dll` contains WCF contracts with namespace `aa`:

- `HistoryServiceContract.IHistoryServiceContract`
  - `[ServiceContract(Name = "Hist", Namespace = "aa")]`
  - `GetInterfaceVersion` as operation `GetV`
  - `OpenConnection` as operation `Open`
  - `CloseConnection` as operation `Close`
  - `ValidateClient` as operation `VldC`
  - `UpdateClientStatus` as operation `UpdC`
  - `AddTags` as `AddT`, `RegisterTags` as `RTag`
  - `AddStreamValues` as `AddS`, `SetClientTimeOut` as `SetT`
- `HistoryServiceContract.IHistoryServiceContract2`
  - `[ServiceContract(Name = "Hist", Namespace = "aa")]`
  - byte-buffer session open uses `OpenConnection2` as operation `Open2`
  - extended client status uses `UpdC2` / `UpdC3`
  - extended write and maintenance calls include `EnsT`, `DelT`, `AddS2`,
    `ExKey`, `ValCl`, and `GetI`
- `RetrievalServiceContract.IRetrievalServiceContract`
  - `[ServiceContract(Name = "Retr", Namespace = "aa")]`
  - `StartQuery`, `GetNextQueryResultBuffer`, `EndQuery` use default
    operation names
  - tag type/name helpers and tag info calls use default operation names
- `RetrievalServiceContract.IRetrievalServiceContract2/3/4`
  - extended bool/error-buffer variants
  - SQL/recordset byte stream calls
  - tag query calls `QTB`, `QTG`, `QTE`
  - event query calls use default operation names
  - extended property calls include `GetTgByNm2` and `GetTepByNm`
- `StorageServiceContract.IStorageServiceContract`
  - `[ServiceContract(Name = "Storage", Namespace = "aa")]`
  - storage/session, metadata, streamed-value, block, snapshot, and delete-tag
    calls
- `StatusServiceContract.IStatusServiceContract`
  - `[ServiceContract(Name = "Stat", Namespace = "aa")]`
  - `GetInterfaceVersion` as `GetV`
  - server time, timezone, DB case sensitivity, and logging use default
    operation names
- `StatusServiceContract.IStatusServiceContract2`
  - extended status operations include `GetSystemParameter`, `GetTimeZoneNames`,
    license checks, historian info, and process/ping helpers
  - ping and historian-info helpers use aliases `PNGS`, `PNGP`, and `GETHI`
- `TransactionServiceContract.ITransactionServiceContract`
  - `[ServiceContract(Name = "Trx", Namespace = "aa")]`
  - snapshot forwarding and non-streamed value transactions

`aahMDASEncoder.ClientMessageEncoder` wraps an inner WCF encoder and exposes
media/content type `application/x-mdas`. This means the first managed driver
transport target should be WCF Net.TCP plus the MDAS content-type encoder, not
the earlier speculative raw-frame layer.

## Current unknowns

- Endpoint URI paths `net.tcp://{host}:32568/Hist`, `/Retr`, `/Stat`, and
  `/Trx` are confirmed for `GetV` calls on the local 2020 install.
- Relay and local WCF probe evidence also identify security-specific history
  endpoints `/HistCert` and `/Hist-Integrated`. `/HistCert` is confirmed as a
  `Hist` contract endpoint when called with MDAS over TLS transport security;
  `/Hist-Integrated` remains the Windows negotiate endpoint for integrated
  session open.
- Managed `Open2` evidence confirms `/Hist-Integrated` is the correct endpoint
  for integrated Windows auth. The plain `/Hist` endpoint rejects the Windows
  transport-security upgrade before dispatching the operation.
- The storage contract is confirmed statically, but `/Storage` was not a
  listening endpoint in the local probe; storage may be routed through
  session-specific storage/shard endpoints.
- `Hist.OpenConnection` reaches server logic, but the native password/session
  packet encoding is not decoded yet. See `wcf-open-localhost.md`.
- `Hist.Open2` is confirmed reachable with a managed version-1 byte buffer.
  Empty credentials return custom native error `171` (`AuthenticationFailed`),
  and the harness decodes observed five-byte error buffers as type plus
  little-endian error code. This confirms framing has progressed past
  packet-version rejection. See `wcf-open2-localhost.md`.
- `Stat` is reachable, but `CStatusConnectionWCF.GetServerTime` is a no-op stub
  in the decompiled native WCF path and handle-dependent status calls fail with
  handle `0`. See `wcf-status-localhost.md`.
- Query request and response byte-buffer layouts are still proprietary payloads
  inside WCF operations such as `StartQuery` and `GetNextQueryResultBuffer`.
- Write payload layouts remain out of scope until read/query payloads are
  decoded and fixture-backed.