test+docs(m5): M5.7 — de-date 2 EndToEnd purge tests (closes #52); document T3-T8 in Component-AuditLog/-CLI/README/CLAUDE

Tests: anchor SeedOccurredAt() to a fixed thresholdAnchor (2026-01-20) and compute
RetentionDays dynamically (UtcNow - anchor + 1d) so the threshold always sits near
Jan 20 2026, between the Jan-15 "old" seed (purged) and Apr-15/Jun-15 "kept" seeds.
Seed dates stay within the explicit pf_AuditLog_Month boundary range (Jan 2026 –
Dec 2027) — relative-from-now offsets landed before 2026-01-01 (the catch-all
partition, invisible to GetPartitionBoundariesOlderThanAsync). Both tests confirmed
passing; all 284 AuditLog tests green.

Docs:
- Component-AuditLog.md: per-channel retention overrides (T3, PerChannelRetentionDays
  + bounded DELETE + AuditLogPurge:ChannelPurgeBatchSize); ParentExecutionId tag-cascade
  now spans alarm-triggered + nested CallScript/CallShared + inbound→routed (T4, "no
  further spawn points deferred"); per-node stuck KPIs for Notification Outbox +
  Site Call Audit (T6); T7 structured response-capture increments (request headers in
  Extra.requestHeaders, AuditInboundCeilingHits counter, per-method SkipBodyCapture);
  T8 CLI audit tree; T1 hash-chain + T2 Parquet explicitly marked deferred to v1.x.
- Component-CLI.md + README.md: document audit tree --execution-id <guid> and
  audit backfill-source-node --sentinel/--before/--batch with exact options verified
  against AuditCommands.cs; update Interactions to list new endpoints.
- CLAUDE.md: update audit-log design-decision bullets for T3 per-channel retention,
  T4 tag-cascade complete, T6 per-node KPIs, T7 inbound capture increments, T8 tree
  command; clarify T1/T2 remain deferred to v1.x.
Joseph Doherty
2026-06-16 22:26:09 -04:00
parent 1b63d6751f
commit 639e331db1
6 changed files with 320 additions and 127 deletions
+20 -5
@@ -228,14 +228,17 @@ The new centralized Audit Log component (#23) is exposed via the `scadabridge au
The `scadabridge audit` group targets the centralized Audit Log component (#23) and
exposes the UI-equivalent operational audit surface. Permissions follow the same
read-vs-export split the Central UI uses (see Component-AuditLog.md, Security &
Tamper-Evidence, and Security & Auth #10): `audit query` and `audit verify-chain`
require the `OperationalAudit` permission; `audit export` additionally requires
`AuditExport`. The server enforces permission checks and returns HTTP 403 (CLI
exit code 2) on denial.
Tamper-Evidence, and Security & Auth #10): `audit query`, `audit tree`, and
`audit verify-chain` require the `OperationalAudit` permission; `audit export`
additionally requires `AuditExport`; `audit backfill-source-node` requires the
`Admin` role (maintenance path only). The server enforces permission checks and
returns HTTP 403 (CLI exit code 2) on denial.
```
scadabridge audit query [--since <t>] [--until <t>] [--channel <c>] [--kind <k>] [--status <s>] [--site <s>] [--target <t>] [--actor <a>] [--correlation-id <id>] [--execution-id <id>] [--parent-execution-id <id>] [--errors-only] [--page-size <n>] [--all]
scadabridge audit export --since <t> --until <t> --format csv|jsonl|parquet --output <path> [--channel <c>] [--kind <k>] [--status <s>] [--site <s>] [--target <t>] [--actor <a>]
scadabridge audit tree --execution-id <guid> [--format table|json]
scadabridge audit backfill-source-node --before <ISO-8601-UTC> [--sentinel <value>] [--batch <n>]
scadabridge audit verify-chain --month <YYYY-MM>
```
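Review bot: In the permissions paragraph, `audit verify-chain` is listed among the commands that require `OperationalAudit`, with the server returning HTTP 403 on denial, yet the Audit Log (#23) bullet changed later in this same file describes `audit verify-chain` as a client-side no-op today. A command that never reaches the server cannot be subject to a server-side permission check, so either drop `verify-chain` from this list until the hash-chain ships or state that the requirement applies from v1.x. The paragraph also mixes two terms, the `OperationalAudit`/`AuditExport` permissions and the `Admin` role: say whether `Admin` implies `OperationalAudit` or is checked on its own, and replace "(maintenance path only)" with what it actually restricts.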
@@ -247,6 +250,18 @@ scadabridge audit verify-chain --month <YYYY-MM>
requested format (`csv`, `jsonl`, `parquet`) written to `--output`. The server
streams rows rather than materializing them in memory; the CLI writes bytes
through to disk. Supports the same scoping filters as `audit query`.
- `audit tree --execution-id <guid>` (M5.3 T8) — renders the full execution-chain
tree for the given `ExecutionId`. The server resolves the root from any node in
the chain (walks `ParentExecutionId` to find the root, then traverses downward)
and returns all reachable executions with their summary row counts and first/last
occurred timestamps. Output format: `json` (default — structured tree suitable
for scripting) or `table` (human-readable indented tree). Requires
`OperationalAudit` permission. Backed by `GET /api/audit/tree?executionId=<guid>`.
- `audit backfill-source-node --before <ISO-8601-UTC>` (M5.6 T5) — sets
`SourceNode` to a sentinel value (`--sentinel`, default `"unknown"`) on pre-feature
rows where `SourceNode IS NULL` and `OccurredAtUtc < --before`, in batches
(`--batch`, default 5000). Admin-only maintenance command. Idempotent.
Backed by `POST /api/audit/backfill-source-node`.
- `audit verify-chain` — hash-chain verification for the named month.
**No-op in v1**: the command is defined so the command tree is stable, but
verification only becomes meaningful once the hash-chain ships (see
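Review bot: The `audit backfill-source-node` entry documents a bulk write to existing audit rows but does not say whether the backfill call itself is recorded (actor, `--before`, `--sentinel`, rows touched) or how it is expected to interact with the hash-chain that the `audit verify-chain` entry below says is still to ship. For a command that rewrites `SourceNode` on stored audit rows, add one sentence on each. It would also help to state an upper bound for `--batch` and what the command returns, and, for `audit tree`, whether the downward traversal from the root is bounded by depth or node count.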
@@ -366,7 +381,7 @@ Configuration is resolved in the following priority order (highest wins):
- **System.CommandLine**: Command-line argument parsing.
- **Microsoft.AspNetCore.SignalR.Client**: SignalR client for the `debug stream` command's WebSocket connection.
- **Management Service (#18)**: The CLI hits the central cluster via the existing HTTP Management API (`POST /management`), which dispatches to the ManagementActor. The `scadabridge audit` command group rides a parallel REST surface on the same Host (`GET /api/audit/query` and `GET /api/audit/export`), sharing HTTP Basic Auth with `/management` but bypassing the actor for read-only, keyset-paged / streaming workloads.
- **Audit Log (#23)**: The `scadabridge audit query` and `audit export` subcommands target the centralized Audit Log component's REST endpoints (`GET /api/audit/query`, `GET /api/audit/export`) on the Host's Management API surface; `audit verify-chain` rides `POST /management` until hash-chain verification ships. Permission checks (`OperationalAudit`, `AuditExport`) are enforced server-side by `AuditEndpoints`.
- **Audit Log (#23)**: The `scadabridge audit query`, `audit export`, `audit tree`, and `audit backfill-source-node` subcommands target the centralized Audit Log component's REST endpoints (`GET /api/audit/query`, `GET /api/audit/export`, `GET /api/audit/tree`, `POST /api/audit/backfill-source-node`) on the Host's Management API surface; `audit verify-chain` is a client-side no-op today (hash-chain deferred to v1.x). Permission checks (`OperationalAudit`, `AuditExport`, `Admin`) are enforced server-side by `AuditEndpoints`.
## Interactions
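Review bot: The unchanged Management Service (#18) bullet just above the edited line still lists only `GET /api/audit/query` and `GET /api/audit/export` and describes the audit REST surface as bypassing the actor for read-only workloads, while the new Audit Log (#23) text adds `POST /api/audit/backfill-source-node`, a write, to that same surface. Update the Management Service bullet to list all four endpoints and to say that the surface now carries one `Admin`-only mutation over the shared HTTP Basic Auth. Separately, the `verify-chain` wording changes from "rides `POST /management`" to "client-side no-op"; whichever is accurate, it should agree with the permissions paragraph near the top of the section, which still lists `verify-chain` under `OperationalAudit`.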