feat(protocol): enhance raw capture functionality and documentation updates

- Update `s3_bridge.py` to default raw capture file paths to "auto" for timestamped naming.
- Modify `gui_bridge.py` to pre-check raw capture options and streamline path handling.
- Extend `ach_server.py` to save both incoming and outgoing raw bytes for analysis.
- Revise `CHANGELOG.md` and `instantel_protocol_reference.md` to reflect changes in recording mode handling and compliance data encoding.
2026-04-21 16:07:24 -04:00
parent b3dcfe7239
commit 4331215e23
6 changed files with 207 additions and 63 deletions
+63 -10
@@ -386,7 +386,9 @@ bytes `\x01\x2c` = 300 (5-minute default histogram interval); changes when inter
| Offset | Field | Format | Notes |
|---|---|---|---|
| anchor 8 | recording_mode | uint8 | **Same offset for both read and write.** The byte at anchor7 is a `0x10` DLE marker regenerated by device firmware in every E5 response — do NOT overwrite it. Writing to anchor7 causes anchor drift (+1 per write cycle). CORRECTION 2026-04-21: previous doc stated anchor7 for write; empirically wrong. |
| anchor 9 | mode_prefix | uint8 | `0x00` for Single Shot / Continuous; `0x10` for Histogram (DLE prefix in E5 encoding) and Histogram+Continuous (actual config byte). See "compliance_raw DLE encoding" note below. |
| anchor 8 | recording_mode | uint8 | **Same offset for both read and write** — confirmed 2026-04-21. `_encode_compliance_config` writes `buf[anc-8]`. NOTE: for Histogram (0x03), E5 encodes the value as `0x10 0x03` so compliance_raw[anc-9]=0x10, compliance_raw[anc-8]=0x03. |
| anchor 7 | constant | `0x10` | Always `0x10` in both E5 read and BW write payloads (not a DLE marker — it is part of the sample_rate field area). Do NOT overwrite. |
| anchor 6 | sample_rate | uint16 BE | same in read & write |
| anchor 4 | histogram_interval_sec | uint16 BE | seconds; same in read & write ✅ 2026-04-20 |
| anchor 2 | `0x00 0x00` | padding | |
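Review bot: The `anchor 7` row explains the constant `0x10` as part of the sample_rate field area, but the next row declares sample_rate as a uint16 BE at anchor 6, which leaves anchor 7 outside that field. Either widen the sample_rate entry or describe anchor 7 as a constant of unknown purpose and cite the capture that shows it. Also check that the older `anchor 8` row, which calls the anchor7 byte a `0x10` DLE marker regenerated by device firmware, is not left in the table beside this one: the two rows give opposite explanations for the same byte, and `recording_mode` would then be listed twice.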
@@ -395,15 +397,42 @@ bytes `\x01\x2c` = 300 (5-minute default histogram interval); changes when inter
**recording_mode enum** (confirmed 2026-04-20 from 4-20-26 captures):
| Value | Mode |
|---|---|
| `0x00` | Single Shot |
| `0x01` | Continuous |
| `0x02` | ❓ not observed |
| `0x03` | Histogram |
| `0x04` | Histogram + Continuous |
| Value | Mode | anchor-9 in compliance_raw |
|---|---|---|
| `0x00` | Single Shot | `0x00` |
| `0x01` | Continuous | `0x00` |
| `0x02` | ❓ not observed | ❓ |
| `0x03` | Histogram | `0x10` (DLE prefix from E5 wire encoding of 0x03) |
| `0x04` | Histogram + Continuous | `0x10` (actual config byte for this mode) |
**DLE escaping in write frames — CONFIRMED 2026-04-20:** Write frame data payloads DO escape `0x03` (ETX) bytes with a `0x10` DLE prefix. For histogram_interval = 900 (0x0384), the wire carries `10 03 84` — the `0x03` high byte is preceded by a DLE escape. After DLE destuffing (`10 XX → XX`), the logical field value is correctly `03 84` = 900. The CLAUDE.md claim that write frame data is "written RAW" was incorrect; at minimum ETX (0x03) bytes are escaped. S3FrameParser handles this transparently so the decoded `compliance_raw` always contains logical (destuffed) bytes.
**compliance_raw DLE encoding — IMPORTANT (confirmed 2026-04-21 from 4-20-26 captures):**
`compliance_raw` (returned by `read_compliance_config()`) is NOT purely logical bytes — it is
the wire-encoded representation where `0x03` bytes in the config are preceded by a `0x10` DLE
prefix (because S3FrameParser preserves DLE+ETX inner-frame pairs as two literal bytes).
Consequences:
- When recording_mode = `0x03` (Histogram), `compliance_raw[anc-9] = 0x10` (DLE prefix) and
`compliance_raw[anc-8] = 0x03` (the value). The anchor position is +1 compared to modes
without `0x03` bytes before the anchor.
- For Histogram+Continuous (`0x04`), `compliance_raw[anc-9] = 0x10` for a different reason:
it is an actual stored config byte, not a DLE prefix.
- The anchor search (`buf.find(b'\xbe\x80\x00\x00\x00\x00', 0, 150)`) correctly locates
the anchor regardless of these mode-dependent shifts.
- When SFM writes recording_mode and round-trips the rest verbatim, the byte at `anc-9` is
preserved from the previous read. This means transitioning Histogram→other modes via SFM
leaves a `0x10` at `anc-9`. The device stores it as a literal byte; it does not affect
recording mode operation (which is at `anc-8`), but differs from what BW writes. This is a
known minor discrepancy that does not impact device behavior.
- **Histogram recording mode (0x03) write via SFM**: untested. When starting from a mode with
`anc-9 = 0x00`, SFM writes bare `0x03` at anc-8. BW would write `0x10 0x03`. Device likely
accepts both (write frames probably use offset/length for framing, not ETX scanning).
**DLE escaping in write frames — confirmed 2026-04-20:** Blastware escapes `0x03` bytes in
write frame data as `0x10 0x03` on the wire (defensive ETX escaping). Our `build_bw_write_frame`
does NOT do this escaping — it sends data bytes raw. Device acceptance of bare `0x03` bytes
in write frame data is confirmed for the tested modes (Single Shot, Continuous, Histogram+Continuous
where `0x10 0x03` already appears from round-tripping). Histogram mode (bare `0x03` write from
non-Histogram starting state) has not been directly tested.
### SUB 0C — Waveform Record (210 bytes = data[11:11+0xD2])
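Review bot: The `compliance_raw` note treats `anc-8` as a stable offset and only considers a `0x03` in recording_mode itself, but under the parser behaviour described here the same preserved DLE+ETX pair would appear for any `0x03` byte lying between that field and the anchor. A histogram interval of 900 (`0x0384`, the `10 03 84` example in this section) sits at anchor 4, so it would put an extra `0x10` after recording_mode and move the mode byte to `anc-9`, and a write to `buf[anc-8]` would then land on a different byte. Document that case explicitly, or state that the offsets apply only after destuffing the bytes up to the anchor. The paragraph saying `compliance_raw` "always contains logical (destuffed) bytes" also contradicts the new "NOT purely logical bytes" statement, and the two should not remain side by side under the same "DLE escaping in write frames" label.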
@@ -1067,9 +1096,33 @@ body) because writing a dial string may require DLE escaping for embedded contro
- **Database** — SQLite store for events + monitor log entries; dedup by key; queryable
- **Histograms** — decode histogram-mode A5 data (noise floor tracking)
- **Blastware-compatible file output** — .MLG and binary waveform file generation matching Blastware format (needed for interoperability with existing workflows)
- Compliance config encoder — build raw write payloads from a `ComplianceConfig` object
- **Test Histogram recording mode (0x03) write via SFM** — confirmed working for Single Shot / Continuous / Histogram+Continuous; Histogram (0x03) needs a live test from a non-Histogram starting state (bare 0x03 in write vs BW's DLE-escaped `10 03`)
- **Compliance write anchor-9 cleanup** — when changing recording_mode via SFM, the byte at anchor-9 is not explicitly managed. A spurious `0x10` may persist after Histogram→other mode transitions. Does not affect device operation but differs from BW's byte-perfect output.
- Locate "Sensor Check" byte in compliance config (need capture with Disabled vs Before-monitoring)
- Call Home — map time slots 3/4 offsets; add dial_string write support; confirm `modem_power_relay_enabled`
- Modem manager — push RV50/RV55 configs via Sierra Wireless API
- RV55 DCD/DTR issue — newer RV55 firmware doesn't assert DCD by default; units don't
resume monitoring after call-home disconnect (`--restart-monitoring` flag deferred)
resume monitoring after call-home disconnect (`--restart-monitoring` flag deferred)
## BW capture reference
`bridges/captures/` contains the following BW TX + S3 response captures for protocol analysis:
| Folder / File | Contents |
|---|---|
| `3-11-26/raw_bw_20260311_170151.bin` | Full compliance write + event download (SUBs 68→83 confirmed, frames 102112) |
| `4-20-26/raw_bw_*_recording_mode_*.bin` | Recording mode changes: Continuous→Single Shot, →Histogram, →Histogram+Continuous |
| `4-20-26/histogram interval/` | Histogram interval changes: 1min, 5min, 15min, 15sec |
| `4-20-26/geo sensitivity/` | Geo sensitivity changes: 1.25 in/s (Sensitive), 10 in/s (Normal) |
| `4-20-26/call home settings/` | Call home config read/write captures |
| `4-8-26/` | Monitor status read, start/stop monitoring, SESSION_RESET signal, sensor check |
| `4-3-26-multi_event/` | Browse-mode S3 capture with 2+ events (1E/0A/1F iteration confirmed) |
| `4-2-26/` | Download-mode BW TX capture (5A bulk stream, POLL×3 requirement confirmed) |
| `3-31-26/` | Single-event download (148 BW / 147 S3 frames) |
| `mitm/ach_mitm_20260411_001912/` | Full ACH call-home MITM (erase protocol, 0xA3/0x06/0xA2 confirmed) |
To parse BW TX captures: use `bridges/captures/` scripts or adapt the `find_write_frames()` pattern
in `/tmp/analyze_write_payload.py` — it correctly handles `0x10 0x03` DLE-escaped ETX bytes
inside write frame data (the naive parser terminates early at the escaped `0x03`).
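Review bot: The parsing instructions at the end of the capture reference point to `/tmp/analyze_write_payload.py`, a path outside the repository that other readers will not have and that is not preserved with the captures. Commit the script under `bridges/captures/` and reference it by that path, or describe in the document itself how `find_write_frames()` handles the `0x10 0x03` pair. In the table above it, the `3-11-26` row reads `frames 102112`, which looks like a frame range that lost its separator.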