feat(s7commplus): enumerate datablocks via EXPLORE (request fix + fragment reassembly)

[ale-rinaldi]

Summary

list_datablocks() returned nothing against a real S7-1500: the EXPLORE request was malformed and the (large, fragmented) response was never reassembled.

• _build_explore_request: match the real wire format — ExploreId as a fixed UInt32, the marker bytes, the address list, and a 5-byte trailer; sent with transport flag 0x34 and the V2 IntegrityId spliced just before the trailer.
• send_request: generalize the V2 IntegrityId splice (integrity_tail) and add optional fragment reassembly — a large EXPLORE response is split across many S7CommPlus PDUs (each 0x72-headed, no trailer until the last); concatenate their data parts until the trailing 0x72 <ver> 0x0000.
• _parse_explore_datablocks: walk the PObject tree — a DataBlock is an object with ClassId DB_CLASS_RID and a RelationId in the DB area (relid >> 16 == 0x8A0E); number = relid & 0xFFFF, name from the ObjectVariableTypeName attribute.
• Correct the demo server's EXPLORE to emit the same DB object format.

Test plan

• pytest tests/ green; ruff clean. New unit tests cover the request format and the PObject DB-list parser.
• Live, against a real S7-1500: list_datablocks() returns all DBs with correct numbers and names.

Stacked on #745 — the EXPLORE response parsing relies on the corrected 10-byte response framing and the sync TLS-in-COTP transport (now a dedicated commit on #745). Full per-tag browse() (parsing the type-info tree) is a planned follow-up.

🤖 Generated with Claude Code

[gijzelaerr]

Review Summary

The EXPLORE request fix, fragment reassembly, and DB-list parser rewrite all look correct and the new tests cover the request format and parser. The reference to the C# driver's Browse step 1 is accurate.

No malicious code detected — no backdoors, exfiltration, or obfuscated code. The TLS changes use standard library primitives. The protocol constants (0x8A0E, DB_CLASS_RID=2574, 0x34) are consistent with known S7CommPlus behavior.

However, this PR is doing significantly more than what the title/description says. Beyond the EXPLORE feature, it includes a complete rewrite of the sync client's TLS to MemoryBIO-based COTP tunneling (the same fix that #745 applied to the async client). That's a substantial standalone change.

Issues:

1. Scope creep — sync TLS-in-COTP rewrite bundled silently

The entire _activate_tls rewrite (ssl.wrap_socket → ssl.MemoryBIO + SSLObject), plus the new _send_s7_data/_recv_s7_data/_tls_flush_outgoing/_tls_read_incoming/_do_tls_handshake methods in connection.py are unmentioned in the PR description. This is a major behavioral change. Even if EXPLORE needs it, it deserves its own section in the description or its own PR.

2. _resp_object_start stored as instance attribute unnecessarily

self._resp_object_start = boff is set and immediately consumed in the next line. This should be a local variable — storing it on self implies it's needed later.

3. Fragment reassembly has no size/count limits

_recv_reassembled_payload will concatenate fragments indefinitely. A malformed or malicious response could cause unbounded memory growth. Consider adding a maximum total size or fragment count guard.

4. _recv_reassembled_payload is untested

The fragment reassembly logic (multi-fragment concatenation, trailer detection) has no unit tests. This is a complex parsing state machine that should have test coverage for: single fragment, multiple fragments, and malformed responses.

5. String encoding heuristic is fragile

The b"\x00" in value check in _parse_explore_datablocks to pick between UTF-16-BE and latin-1 decoding could misclassify if a single-byte string happens to contain a null. Consider documenting why this heuristic is sufficient for PLC datablock names (ASCII-only names are the norm).

[ale-rinaldi]

Restructured and pushed review fixes (EXPLORE commit f7dd81b):

Scope creep (the main point): the sync-client TLS-in-COTP rewrite that was bundled into the EXPLORE commit has been moved out into its own commit on #745 (its natural home, alongside the async/server equivalent). The EXPLORE commit here is now scoped to EXPLORE only. This PR is stacked on #745, so the diff still shows those commits until #745 merges, but they are now cleanly separated.

Other items:

1. _resp_object_start — now a local (the session parsing moved to codec.parse_create_object_session_id in the fix(s7commplus): correct V2 symbolic reads on a real S7-1500 (wire format + async/server TLS-in-COTP) #745 base).
2. Fragment reassembly caps — _recv_reassembled_payload now bounds fragment count and total size.
3. Reassembly tests — added TestReassembledPayload (single / multi-split / bad-header / closed / cap).
4. WString decoding heuristic — kept, with a comment explaining why the null-byte test is the right discriminator for this framing (see the inline thread).

[gijzelaerr]

Re-review after feedback addressed (stacked on #745)

All five issues from the first review resolved:

1. ✅ _resp_object_start — now a local via parse_create_object_session_id() returning (object_ids, obj_end) as a tuple
2. ✅ Reassembly caps — _MAX_REASSEMBLED_FRAGMENTS = 4096 enforced; total-size capped at 16 MiB
3. ✅ Reassembly tests — TestReassembledPayload covers single fragment, multi-fragment, bad header, connection close, and count cap
4. ✅ String encoding comment — clear explanation of the null-byte heuristic at the call site
5. ✅ PR description — now mentions the sync TLS-in-COTP dependency (which lives in #745 as its own commit)

PLC compatibility: S7CommPlus only. Legacy snap7/ untouched.

Security: ✅ Fragment reassembly bounded. No issues.

Ready to merge (after #745 lands first, since this is stacked on it).