[M5] mxaccess-asb-nettcp/asb: Connect handshake live + SOAP fault detection

Live-bring-up reconciliation against AVEVA's MxDataProvider on Windows.
Connect now completes end-to-end (real DH key exchange, apollo:V2
encryption, ServicePublicKey/ServiceAuthenticationData populated). Five
fixes land:

1. NBFX `PrefixElement_a..z` (0x5E-0x77) and `PrefixAttribute_a..z`
   (0x26-0x3F) decode + encode arms. The server's ConnectResponse hit
   `0x65 = PrefixElement_h` for a dynamically-named element and our
   decoder bailed with `unknown NBFX record byte 0x65`. Both directions
   now round-trip; encoder picks short-form when prefix is a single
   lowercase ASCII letter.

2. xmlns redeclaration on `<Data>` AND `<InitializationVector>` inside
   `AuthenticationData` / `PublicKey`. `[XmlType(Namespace = ...)]` on
   AuthenticationData / PublicKey (`AsbContracts.cs:350-381`) means
   XmlSerializer emits `xmlns="..."` on each direct child. The default-
   ns scope ends at `</Data>`, so `<InitializationVector>` needs its own
   redeclaration to stay in the data namespace; without it the server
   fell back to messages-namespace and the deserialiser threw an
   `InternalServiceFault`.

3. SOAP-fault detection in `AsbClient::send_envelope`. New
   `ClientError::SoapFault { action, code, reason }` surfaces when the
   response Action header matches the canonical `dispatcher/fault`
   template; previously body decoders blindly ran and surfaced
   `MissingField { field: "Status" }` masking the actual fault. Reason
   text is extracted as the longest `NbfxText::Chars` in the body —
   robust against the `nbfs.rs` static-dictionary id mismatches.

4. Identified blocker (filed as F28): signed-request HMAC currently
   covers the NBFX wire bytes, but .NET's `AsbSystemAuthenticator.Sign`
   HMACs `Encoding.UTF8.GetBytes(request.ToXml())` — the canonical XML
   serialisation via `XmlSerializer` with namespace
   `urn:invensys.schemas` (`AsbSerialization.cs:12-48`). Until the Rust
   port emits identical XML bytes for `ConnectedRequest` subclasses,
   AuthenticateMe / RegisterItems / every signed RPC fault on the
   server. Connect itself is unsigned (`ServiceMessage` not
   `ConnectedRequest`) which is why it works today.

5. Identified `nbfs.rs` static-dictionary id drift (filed as F29): wire
   uses Fault=134/Code=142/Reason=144/Text=146/Value=154/Subcode=156
   but our table has them at 114/122/124/126/134/136. Off by 20 from
   id 114+ — 10 missing entries between `s` (id 112) and `Fault`. No
   request-side impact (we only encode IDs ≤44, all correct); the SOAP
   fault decode walks text records directly so it sidesteps the issue.

Workspace: 702 tests pass (no test count delta — wire-only fixes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

rust/crates/mxaccess-asb-nettcp/src/nbfx.rs

@@ -432,6 +432,13 @@ fn encode_element(
             out.push(0x44 + off);
             encode_multibyte_int31_to_nbfx(out, *id)
         }
+        // Short-form: single-letter prefix + inline name. Records
+        // 0x5E..0x77 (PrefixElement_a..z).
+        (Some(prefix), NbfxName::Inline(s)) if prefix_letter_offset(prefix).is_some() => {
+            let off = prefix_letter_offset(prefix).unwrap_or(0);
+            out.push(0x5E + off);
+            encode_string(s.as_bytes(), out)
+        }
         (Some(prefix), NbfxName::Inline(s)) => {
             out.push(REC_ELEMENT);
             encode_string(prefix.as_bytes(), out)?;
@@ -470,6 +477,13 @@ fn encode_attribute(
             out.push(0x0C + off);
             encode_multibyte_int31_to_nbfx(out, *id)?;
         }
+        // Short-form: single-letter prefix + inline name. Records
+        // 0x26..0x3F (PrefixAttribute_a..z).
+        (Some(prefix), NbfxName::Inline(s)) if prefix_letter_offset(prefix).is_some() => {
+            let off = prefix_letter_offset(prefix).unwrap_or(0);
+            out.push(0x26 + off);
+            encode_string(s.as_bytes(), out)?;
+        }
         (Some(prefix), NbfxName::Inline(s)) => {
             out.push(REC_ATTRIBUTE);
             encode_string(prefix.as_bytes(), out)?;
@@ -647,6 +661,18 @@ pub fn decode_tokens(
                     name: NbfxName::Static(id),
                 });
             }
+            // PrefixElement_a..z: 0x5E..0x77 — single-letter prefix +
+            // inline element name. WCF emits these on the response side
+            // when the element name is not in either dictionary (e.g.
+            // dynamically-named DataContract members).
+            byte if (0x5E..=0x77).contains(&byte) => {
+                let prefix_letter = char::from(b'a' + (byte - 0x5E));
+                let name = decode_string(input, &mut cursor, "prefix-element-name")?;
+                tokens.push(NbfxToken::Element {
+                    prefix: Some(prefix_letter.to_string()),
+                    name: NbfxName::Inline(name),
+                });
+            }
             REC_SHORT_ATTRIBUTE => {
                 let name = decode_string(input, &mut cursor, "short-attribute")?;
                 let value = decode_text_record(input, &mut cursor)?;
@@ -697,6 +723,18 @@ pub fn decode_tokens(
                     value,
                 });
             }
+            // PrefixAttribute_a..z: 0x26..0x3F — single-letter prefix +
+            // inline attribute name + text-record value.
+            byte if (0x26..=0x3F).contains(&byte) => {
+                let prefix_letter = char::from(b'a' + (byte - 0x26));
+                let name = decode_string(input, &mut cursor, "prefix-attribute-name")?;
+                let value = decode_text_record(input, &mut cursor)?;
+                tokens.push(NbfxToken::Attribute {
+                    prefix: Some(prefix_letter.to_string()),
+                    name: NbfxName::Inline(name),
+                    value,
+                });
+            }
             REC_SHORT_XMLNS_ATTRIBUTE => {
                 let value_str = decode_string(input, &mut cursor, "default-xmlns-value")?;
                 tokens.push(NbfxToken::DefaultNamespace {