feat(auditlog): ExecutionId on site SQLite schema + gRPC AuditEventDto

test(auditlog): cover ExecutionId in AuditEvent round-trip test; clarify staging-table comment
feat(auditlog): ExecutionId column on AuditEvent + central AuditLog
2026-05-21 14:53:08 -04:00 · 2026-05-21 14:48:39 -04:00 · 2026-05-21 14:43:35 -04:00 · 2026-05-21 14:37:12 -04:00 · 2026-05-21 14:34:12 -04:00 · 2026-05-21 13:58:37 -04:00
42 changed files with 3037 additions and 234 deletions
@@ -0,0 +1,115 @@
+# Audit Log — ExecutionId Universal Correlation (Design)
+
+**Date:** 2026-05-21
+**Status:** Validated — ready for implementation planning.
+
+## Problem
+
+The audit `CorrelationId` column is overloaded with three incompatible meanings —
+`TrackedOperationId` for cached calls, `NotificationId` for notifications, the
+script-execution id for sync calls (added 2026-05-21), and request-local ids for
+inbound. It is `NULL` for sync one-shot calls. There is no single value that ties
+together *everything one script run (or inbound request) did*: a run that makes a
+sync API call, a cached call and a notification produces three unrelated
+correlation ids, and nothing links the cached call's lifecycle rows back to the
+run that launched them.
+
+A single `CorrelationId` column cannot serve both scopes — the **operation
+lifecycle** (a cached call's `Submit→Attempted→Resolve`; a notification's
+`Send→Deliver`, which the Site Calls / Notifications "View audit history"
+drill-ins depend on) and the **execution trace** (all operations of one run).
+
+## Decision
+
+Add a dedicated, nullable **`ExecutionId`** column to the audit row. It identifies
+the originating **script execution** or **inbound API request**. Every audit row
+that execution produces carries the same `ExecutionId`. `CorrelationId` is left
+exactly as it is — it keeps the per-operation lifecycle meaning, so the existing
+operation drill-ins are unaffected.
+
+Result: `WHERE ExecutionId = X` returns every audit row of one run — sync
+`ApiCall`/`DbWrite`, the whole cached-call lifecycle, `NotifySend`,
+`NotifyDeliver`, and the inbound row — across both the site and central tables.
+
+`ScriptRuntimeContext` already holds a per-execution id (`_auditCorrelationId`,
+added 2026-05-21). That id becomes the `ExecutionId`; this work stamps it into the
+new column from every emitter and threads it to the two paths where the script
+context is not in scope.
+
+### Considered and rejected
+
+- **Overload `CorrelationId`** with the execution id everywhere — breaks the
+  cached-call / notification "View audit history" drill-ins (they filter
+  `CorrelationId` by `TrackedOperationId` / `NotificationId`), or forces them to
+  show the whole run instead of the one operation.
+- **Stash the execution id in `Extra` JSON** — no schema change, but `Extra` is
+  unindexed; filtering an audit table of this volume by it is unworkable.
+
+## Schema changes (all additive, nullable — no backfill; pre-existing rows stay `NULL`)
+
+| Where | Change |
+|---|---|
+| `ScadaLink.Commons` | `AuditEvent` record (and the site-local variant) gains `Guid? ExecutionId`. |
+| Central MS SQL `AuditLog` | new `ExecutionId uniqueidentifier NULL` column + index `IX_AuditLog_Execution (ExecutionId)`. EF migration — additive nullable column is a metadata-only `ALTER`, fast even on the monthly-partitioned table. |
+| Site SQLite `auditlog.db` `AuditLog` | new `ExecutionId TEXT NULL` column (`SqliteAuditWriter` schema + `MapRow`). |
+| gRPC `AuditEventDto` (`sitestream.proto`) | additive `execution_id` field; `AuditEventDtoMapper` maps it both directions. |
+| Central MS SQL `Notifications` | new `OriginExecutionId uniqueidentifier NULL` column — carries the originating run's id so the dispatcher can echo it onto `NotifyDeliver` audit rows. EF migration. |
+
+`SiteCalls` needs no new column — the cached telemetry packet already carries the
+audit half, which now has `ExecutionId` directly.
+
+## Emitter coverage — every audit row carries `ExecutionId`
+
+| Emitter | `ExecutionId` source |
+|---|---|
+| Sync `ApiCall`, sync `DbWrite` | `ScriptRuntimeContext` execution id (in scope today) |
+| Cached call script-side rows (`CachedSubmit`, immediate `Attempted`/`CachedResolve`) | `ScriptRuntimeContext` execution id |
+| Cached call **S&F retry-loop** rows (`CachedCallLifecycleBridge`) | threaded through the store-and-forward buffered message → `CachedCallAttemptContext` → the bridge. This same threading also fixes the pre-existing `SourceScript = NULL` gap on those rows (identical boundary). |
+| `NotifySend` (site, script-side) | `ScriptRuntimeContext` execution id |
+| `NotifyDeliver` (central dispatch) | `Notifications.OriginExecutionId` — the id rides on `NotificationSubmit`, is persisted on the `Notifications` row, and the dispatcher stamps it on every `NotifyDeliver` row |
+| Inbound `InboundRequest` / `InboundAuthFailure` | request id minted once in `AuditWriteMiddleware` |
+
+## Data flow
+
+- **Site script run** — `ScriptRuntimeContext` generates the execution id (or is
+  given one); every emitter it owns stamps `ExecutionId`.
+- **Buffered cached call** — the execution id rides on the S&F buffered message;
+  the retry loop reconstructs it into `CachedCallAttemptContext`;
+  `CachedCallLifecycleBridge` stamps it on the retry-loop audit rows.
+- **Notification** — the `NotifySend` row stamps it site-side; the id travels on
+  `NotificationSubmit`, is stored as `Notifications.OriginExecutionId`, and the
+  dispatcher stamps every `NotifyDeliver` row it emits.
+- **Inbound API request** — `AuditWriteMiddleware` mints a request id and stamps
+  the inbound audit row.
+
+## UI / CLI surface
+
+- **Central UI Audit Log page** — `ExecutionId` added as a results-grid column
+  (the grid already supports resize/reorder); an `ExecutionId` paste-filter in
+  the filter bar; the page accepts `?executionId=<guid>`; a row drill-in
+  "View this execution" → `/audit/log?executionId=<guid>`.
+- **CLI** — `scadalink audit query --execution-id <guid>`.
+- **ManagementService** — `/api/audit/query` and the export endpoint accept an
+  `executionId` filter parameter.
+
+## Compatibility
+
+- Two additive nullable columns; additive proto field; additive message-contract
+  fields — all version-compatible. No data backfill; historical rows keep
+  `ExecutionId = NULL`.
+- `CorrelationId` semantics unchanged — every existing drill-in keeps working.
+
+## Testing
+
+- Repository: query-by-`ExecutionId`; migration smoke test.
+- Emitter unit tests: each emitter stamps `ExecutionId`; the cached-call lifecycle
+  rows from one run share it; `NotifyDeliver` echoes `Notifications.OriginExecutionId`.
+- Integration: a script run that does a sync call + a cached call + a notification
+  → all resulting audit rows share one `ExecutionId` end-to-end.
+- Central UI: bUnit (grid column, filter, drill-in) + Playwright.
+
+## Out of scope
+
+- Bridging the inbound request id into the routed site script's execution
+  (cross-cluster threading) — a separate future change.
+- Backfilling `ExecutionId` on historical audit rows.
@@ -0,0 +1,155 @@
+# Audit Log ExecutionId — Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers-extended-cc:subagent-driven-development to execute this plan task-by-task (fresh implementer per task + spec review + code-quality review).
+
+**Goal:** Add a dedicated `ExecutionId` column to the Audit Log — one universal correlation value, stamped on every audit row, identifying the originating script execution or inbound request.
+
+**Architecture:** Additive nullable `ExecutionId` (`Guid`) on the audit row (Commons `AuditEvent`, central MS SQL `AuditLog`, site SQLite `auditlog.db`, gRPC `AuditEventDto`). Every emitter stamps it; the `ScriptRuntimeContext` per-execution id is the source for site script runs, threaded through the S&F buffer for retry-loop cached rows and through `NotificationSubmit` → `Notifications.OriginExecutionId` for central `NotifyDeliver` rows. `CorrelationId` is left as the per-operation lifecycle id (and reverts to `null` for sync one-shot calls). Validated design: `docs/plans/2026-05-21-audit-executionid-design.md`.
+
+**Tech Stack:** .NET 10, EF Core 10 (MS SQL + SQLite), Akka.NET, gRPC, Blazor Server + Bootstrap, System.CommandLine, xUnit + Akka.TestKit.Xunit2 + bUnit + NSubstitute/Moq, Playwright.
+
+**Ground rules (every task):** branch is `feature/audit-executionid` (already created) — never commit to `main`. Edit in place; never touch `infra/*`; `docker/*` only if a task says so (none do). Stage with explicit `git add <path>` — never `git add .` / `commit -am`. TDD; full solution stays green (`dotnet build ScadaLink.slnx` 0 warnings — `TreatWarningsAsErrors` is on). Additive contract evolution. Do not push.
+
+---
+
+## Task 0: Prep — verify branch + baseline
+
+**Files:** none.
+
+**Steps:** confirm `git branch --show-current` is `feature/audit-executionid`; `dotnet build ScadaLink.slnx` succeeds.
+
+**Acceptance:** on the branch, solution builds clean.
+
+---
+
+## Task 1: Foundation — `AuditEvent.ExecutionId`, central `AuditLog` column, repository query
+
+**Files:**
+- Modify: `src/ScadaLink.Commons/Entities/Audit/AuditEvent.cs` — add `Guid? ExecutionId`.
+- Modify: `src/ScadaLink.Commons/Types/Audit/AuditLogQueryFilter.cs` — add `Guid? ExecutionId` filter dimension (single-value, like `CorrelationId`).
+- Modify: `src/ScadaLink.ConfigurationDatabase/Configurations/AuditLogEntityTypeConfiguration.cs` — map the column; add index `IX_AuditLog_Execution (ExecutionId)`.
+- Create: a new EF migration under `src/ScadaLink.ConfigurationDatabase/Migrations/` — `AddAuditLogExecutionId` — `ExecutionId uniqueidentifier NULL` + the index. Additive nullable column (metadata-only ALTER, safe on the monthly-partitioned table). Mirror the existing `AddNotificationsTable` migration style.
+- Modify: `src/ScadaLink.ConfigurationDatabase/Repositories/AuditLogRepository.cs` — `QueryAsync` translates `filter.ExecutionId` to `e.ExecutionId == value` (mirror the `CorrelationId` clause). Keyset paging untouched.
+- Test: `tests/ScadaLink.ConfigurationDatabase.Tests/Repositories/AuditLogRepositoryTests.cs` — `QueryAsync_FilterByExecutionId`; migration smoke if the suite has that pattern.
+
+**Approach:** purely additive. `ExecutionId` is `Guid?` everywhere. Generate the migration with `dotnet ef migrations add` against the ConfigurationDatabase project (or hand-write mirroring an existing one — match how the repo does migrations).
+
+**Commit:** `feat(auditlog): ExecutionId column on AuditEvent + central AuditLog`
+
+---
+
+## Task 2: Foundation — site SQLite + gRPC DTO
+
+**Files:**
+- Modify: `src/ScadaLink.AuditLog/Site/SqliteAuditWriter.cs` — add `ExecutionId TEXT NULL` to the `auditlog.db` `AuditLog` table DDL; the insert command binds it; `MapRow` reads it back. (Site SQLite is created fresh by the writer — an additive column in the `CREATE TABLE` is enough; if the writer has any migration/ALTER path, extend it.)
+- Modify: `src/ScadaLink.Communication/Protos/sitestream.proto` — add `string execution_id` to `AuditEventDto` (next free field number; additive). Rebuild regenerates the C# stubs.
+- Modify: `src/ScadaLink.Communication/Grpc/AuditEventDtoMapper.cs` — `ToDto`/`FromDto` map `ExecutionId` ↔ `execution_id` (Guid ↔ string; empty string ↔ null, mirroring the existing `CorrelationId` handling).
+- Test: `tests/ScadaLink.AuditLog.Tests/Site/SqliteAuditWriterSchemaTests.cs` (column present + round-trips); `tests/ScadaLink.Communication.Tests/AuditEventDtoMapperTests.cs` (ExecutionId round-trip incl. null).
+
+**Commit:** `feat(auditlog): ExecutionId on site SQLite schema + gRPC AuditEventDto`
+
+---
+
+## Task 3: Site script-side emitters stamp `ExecutionId`
+
+**What:** Every audit row a `ScriptRuntimeContext` emits gets `ExecutionId` = the context's per-execution id. Revert the interim "execution id in `CorrelationId` for sync rows" change so `CorrelationId` is purely per-operation again.
+
+**Files:**
+- Modify: `src/ScadaLink.SiteRuntime/Scripts/ScriptRuntimeContext.cs`:
+  - Rename the field `_auditCorrelationId` → `_executionId` (and the ctor param `auditCorrelationId` → `executionId`) for clarity; update XML docs. Thread it to the helpers as today.
+  - Sync `ApiCall` (`BuildCallAuditEvent`): set `ExecutionId = _executionId`; set `CorrelationId = null` (revert — sync one-shot calls have no operation lifecycle).
+  - Cached script-side rows (`CachedSubmit`, immediate `ApiCallCached`/`CachedResolve`): set `ExecutionId = _executionId`; `CorrelationId` stays `trackedId.Value`.
+  - `NotifySend` (`Notify.Send` emission): set `ExecutionId = _executionId`; `CorrelationId` stays the `NotificationId`.
+- Modify: `src/ScadaLink.SiteRuntime/Scripts/AuditingDbConnection.cs` + `AuditingDbCommand.cs` — thread `_executionId` (rename from the audit-correlation param); sync `DbWrite` event sets `ExecutionId = _executionId` and `CorrelationId = null`. Cached DB write rows: `ExecutionId` set, `CorrelationId` stays `trackedId`.
+- Test: extend `tests/ScadaLink.SiteRuntime.Tests/Scripts/ExternalSystemCallAuditEmissionTests.cs`, `DatabaseSyncEmissionTests.cs`, `ExternalSystemCachedCallEmissionTests.cs`, `DatabaseCachedWriteEmissionTests.cs`, `NotifySendAuditEmissionTests.cs`, and `ExecutionCorrelationContextTests.cs` — assert `ExecutionId` is the context's id on every row; assert sync rows now have `CorrelationId == null`; assert cached/notification rows keep their `CorrelationId`.
+
+**Commit:** `feat(auditlog): site script-side emitters stamp ExecutionId`
+
+---
+
+## Task 4: Cached S&F retry-loop rows carry `ExecutionId`
+
+**What:** Thread the execution id through the store-and-forward buffer so the retry-loop cached audit rows (`CachedCallLifecycleBridge`) carry `ExecutionId`. This same threading fixes the pre-existing `SourceScript = null` gap on those rows (identical boundary).
+
+**Files:**
+- Modify: the S&F buffered cached-call message / `StoreAndForwardMessage` (or the cached-call payload) in `src/ScadaLink.StoreAndForward/` — carry the originating execution id (and source script) alongside the call.
+- Modify: `CachedCallAttemptContext` (find it — `src/ScadaLink.AuditLog/Site/Telemetry/` or StoreAndForward) — add an `ExecutionId` (and `SourceScript`) field.
+- Modify: `src/ScadaLink.AuditLog/Site/Telemetry/CachedCallLifecycleBridge.cs` `BuildPacket` — set `ExecutionId` from the context (and `SourceScript`, replacing the `SourceScript = null` line).
+- Modify the enqueue path (`ExternalSystem.CachedCall` / `Database.CachedWrite` in `ScriptRuntimeContext`) so the execution id is written into the buffered message.
+- Test: `tests/ScadaLink.AuditLog.Tests/` cached-telemetry tests + `tests/ScadaLink.StoreAndForward.Tests/` — retry-loop rows carry the originating `ExecutionId`.
+
+**Note for implementer:** this is the deepest task — the threading touches StoreAndForward. If the buffered message can't cleanly carry the id, STOP and report before guessing.
+
+**Commit:** `feat(auditlog): thread ExecutionId through S&F for retry-loop cached rows`
+
+---
+
+## Task 5: Central `NotifyDeliver` rows carry `ExecutionId`
+
+**Files:**
+- Modify: `src/ScadaLink.Commons/Entities/Notifications/Notification.cs` — add `Guid? OriginExecutionId`.
+- Modify: `src/ScadaLink.Commons/Messages/Notification/` — `NotificationSubmit` carries `Guid? OriginExecutionId` (additive).
+- Modify: `src/ScadaLink.ConfigurationDatabase/` — EF config + a new migration `AddNotificationOriginExecutionId` (`Notifications.OriginExecutionId uniqueidentifier NULL`).
+- Modify: the site `NotifySend` forward path — the execution id (already on the `NotifySend` audit row from Task 3) also rides on the `NotificationSubmit` (set it where the submit is built — `ScriptRuntimeContext` `Notify.Send` / the S&F notification forwarder).
+- Modify: `src/ScadaLink.NotificationOutbox/NotificationOutboxActor.cs` — persist `OriginExecutionId` on insert; `BuildNotifyDeliverEvent` sets `ExecutionId = notification.OriginExecutionId`.
+- Test: `tests/ScadaLink.NotificationOutbox.Tests/` — `NotifyDeliver` rows echo `OriginExecutionId`; `tests/ScadaLink.Commons.Tests/` contract shape.
+
+**Commit:** `feat(auditlog): NotifyDeliver rows carry the originating ExecutionId`
+
+---
+
+## Task 6: Inbound rows carry `ExecutionId`
+
+**Files:**
+- Modify: `src/ScadaLink.InboundAPI/Middleware/AuditWriteMiddleware.cs` — `EmitInboundAudit` sets `ExecutionId` to the request id (it already mints a `Guid.NewGuid()` for the inbound `CorrelationId` per the 2026-05-21 change; reuse that one id for `ExecutionId` — and reconsider whether the inbound row's `CorrelationId` should now be `null` to keep `CorrelationId` purely per-operation; align with the Task 3 decision: inbound is a one-shot from the audit row's perspective → `CorrelationId = null`, `ExecutionId = <request id>`).
+- Test: `tests/ScadaLink.InboundAPI.Tests/Middleware/AuditWriteMiddlewareTests.cs` — inbound row carries a non-null `ExecutionId`; distinct per request.
+
+**Commit:** `feat(auditlog): inbound audit rows carry ExecutionId`
+
+---
+
+## Task 7: Central UI — ExecutionId column, filter, drill-in
+
+**Files:**
+- Modify: `src/ScadaLink.CentralUI/Components/Audit/AuditResultsGrid.razor` (+ `.razor.cs`) — add `ExecutionId` to the column set (the grid already supports resize/reorder + a `ColumnOrder`); render it (short form / monospace).
+- Modify: `src/ScadaLink.CentralUI/Components/Audit/AuditFilterBar.razor` (+ `.razor.cs`) + `AuditQueryModel.cs` — an `ExecutionId` paste text-filter; `ToFilter` maps it to `AuditLogQueryFilter.ExecutionId`.
+- Modify: `src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor.cs` — `ApplyQueryStringFilters` accepts `?executionId=<guid>`; `BuildExportUrl` emits it.
+- Add a "View this execution" drill-in — a row/drilldown action linking `/audit/log?executionId=<guid>`. Mirror the existing `?correlationId=` drill-in.
+- Test: `tests/ScadaLink.CentralUI.Tests/` bUnit (column renders, filter maps, query-param parsed); `tests/ScadaLink.CentralUI.PlaywrightTests/Audit/` (drill-in filters the grid).
+
+Use the `frontend-design` skill for the column/filter styling.
+
+**Commit:** `feat(centralui): ExecutionId column, filter and drill-in on the Audit Log page`
+
+---
+
+## Task 8: CLI + ManagementService — ExecutionId filter
+
+**Files:**
+- Modify: `src/ScadaLink.CLI/Commands/AuditCommands.cs` + `AuditQueryHelpers.cs` — `audit query --execution-id <guid>`; `AuditQueryArgs` + `BuildQueryString` emit `executionId`.
+- Modify: `src/ScadaLink.ManagementService/AuditEndpoints.cs` `ParseFilter` — parse `executionId` query param into `AuditLogQueryFilter.ExecutionId` (lax-parse — unparseable dropped).
+- Modify: `src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs` `ParseFilter` — same.
+- Test: `tests/ScadaLink.CLI.Tests/`, `tests/ScadaLink.ManagementService.Tests/AuditEndpointsTests.cs`.
+
+**Commit:** `feat(audit): ExecutionId filter in the CLI and ManagementService`
+
+---
+
+## Task 9: End-to-end integration test + docs
+
+**Files:**
+- Create: `tests/ScadaLink.IntegrationTests/AuditLog/ExecutionIdCorrelationTests.cs` — boot a site+central pair; run a script that does a sync `ExternalSystem.Call`, a cached call, and a `Notify.Send`; assert every resulting audit row (site + central) shares one `ExecutionId`.
+- Modify: `docs/requirements/Component-AuditLog.md` — add `ExecutionId` to the schema table and a sentence on its meaning vs `CorrelationId`. (Do NOT modify `alog.md` — it is the locked v1 spec.)
+- Modify: `CLAUDE.md` — one line under the Centralized Audit Log decisions noting `ExecutionId` as the universal per-run correlation value.
+
+**Commit:** `test(auditlog): end-to-end ExecutionId correlation + docs`
+
+---
+
+## Final review
+
+Dispatch a final cross-cutting review of the whole branch; full `dotnet build` + `dotnet test ScadaLink.slnx`; hand back to the user for the push/merge/redeploy decision (do not push).
+
+## Dependency summary
+
+0 blocks all. 2 blockedBy 1. 3 blockedBy 2. 4 blockedBy 3. 5 blockedBy 2. 6 blockedBy 2. 7 blockedBy 1. 8 blockedBy 1. 9 blockedBy 3,4,5,6,7,8. Execution order: 0 → 1 → 2 → 3 → 4 → 5 → 6 → 7 → 8 → 9 → final review.
@@ -0,0 +1,16 @@
+{
+  "planPath": "docs/plans/2026-05-21-audit-executionid.md",
+  "tasks": [
+    {"id": 50, "subject": "Task 0: Prep — verify branch + baseline", "status": "pending"},
+    {"id": 51, "subject": "Task 1: Foundation — AuditEvent.ExecutionId + central AuditLog column + repo query", "status": "pending", "blockedBy": [50]},
+    {"id": 52, "subject": "Task 2: Foundation — site SQLite + gRPC DTO", "status": "pending", "blockedBy": [51]},
+    {"id": 53, "subject": "Task 3: Site script-side emitters stamp ExecutionId", "status": "pending", "blockedBy": [52]},
+    {"id": 54, "subject": "Task 4: Cached S&F retry-loop rows carry ExecutionId", "status": "pending", "blockedBy": [53]},
+    {"id": 55, "subject": "Task 5: Central NotifyDeliver rows carry ExecutionId", "status": "pending", "blockedBy": [52]},
+    {"id": 56, "subject": "Task 6: Inbound audit rows carry ExecutionId", "status": "pending", "blockedBy": [52]},
+    {"id": 57, "subject": "Task 7: Central UI — ExecutionId column, filter, drill-in", "status": "pending", "blockedBy": [51]},
+    {"id": 58, "subject": "Task 8: CLI + ManagementService — ExecutionId filter", "status": "pending", "blockedBy": [51]},
+    {"id": 59, "subject": "Task 9: End-to-end integration test + docs", "status": "pending", "blockedBy": [53, 54, 55, 56, 57, 58]}
+  ],
+  "lastUpdated": "2026-05-21T00:00:00Z"
+}
@@ -114,6 +114,7 @@ public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable
                PayloadTruncated   INTEGER NOT NULL,
                Extra              TEXT    NULL,
                ForwardState       TEXT    NOT NULL,
+                ExecutionId        TEXT    NULL,
                PRIMARY KEY (EventId)
            );
            CREATE INDEX IF NOT EXISTS IX_SiteAuditLog_ForwardState_Occurred
@@ -221,12 +222,14 @@ public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable
                        EventId, OccurredAtUtc, Channel, Kind, CorrelationId,
                        SourceSiteId, SourceInstanceId, SourceScript, Actor, Target,
                        Status, HttpStatus, DurationMs, ErrorMessage, ErrorDetail,
-                        RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState
+                        RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState,
+                        ExecutionId
                    ) VALUES (
                        $EventId, $OccurredAtUtc, $Channel, $Kind, $CorrelationId,
                        $SourceSiteId, $SourceInstanceId, $SourceScript, $Actor, $Target,
                        $Status, $HttpStatus, $DurationMs, $ErrorMessage, $ErrorDetail,
-                        $RequestSummary, $ResponseSummary, $PayloadTruncated, $Extra, $ForwardState
+                        $RequestSummary, $ResponseSummary, $PayloadTruncated, $Extra, $ForwardState,
+                        $ExecutionId
                    );
                    """;

@@ -250,6 +253,7 @@ public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable
                var pPayloadTruncated = cmd.Parameters.Add("$PayloadTruncated", SqliteType.Integer);
                var pExtra = cmd.Parameters.Add("$Extra", SqliteType.Text);
                var pForwardState = cmd.Parameters.Add("$ForwardState", SqliteType.Text);
+                var pExecutionId = cmd.Parameters.Add("$ExecutionId", SqliteType.Text);

                foreach (var pending in batch)
                {
@@ -274,6 +278,7 @@ public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable
                    pPayloadTruncated.Value = e.PayloadTruncated ? 1 : 0;
                    pExtra.Value = (object?)e.Extra ?? DBNull.Value;
                    pForwardState.Value = (e.ForwardState ?? AuditForwardState.Pending).ToString();
+                    pExecutionId.Value = (object?)e.ExecutionId?.ToString() ?? DBNull.Value;

                    try
                    {
@@ -331,7 +336,8 @@ public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable
                SELECT EventId, OccurredAtUtc, Channel, Kind, CorrelationId,
                       SourceSiteId, SourceInstanceId, SourceScript, Actor, Target,
                       Status, HttpStatus, DurationMs, ErrorMessage, ErrorDetail,
-                       RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState
+                       RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState,
+                       ExecutionId
                FROM   AuditLog
                WHERE  ForwardState = $pending
                ORDER  BY OccurredAtUtc ASC, EventId ASC
@@ -379,7 +385,8 @@ public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable
                SELECT EventId, OccurredAtUtc, Channel, Kind, CorrelationId,
                       SourceSiteId, SourceInstanceId, SourceScript, Actor, Target,
                       Status, HttpStatus, DurationMs, ErrorMessage, ErrorDetail,
-                       RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState
+                       RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState,
+                       ExecutionId
                FROM   AuditLog
                WHERE  ForwardState = $forwarded
                ORDER  BY OccurredAtUtc ASC, EventId ASC
@@ -465,7 +472,8 @@ public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable
                SELECT EventId, OccurredAtUtc, Channel, Kind, CorrelationId,
                       SourceSiteId, SourceInstanceId, SourceScript, Actor, Target,
                       Status, HttpStatus, DurationMs, ErrorMessage, ErrorDetail,
-                       RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState
+                       RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState,
+                       ExecutionId
                FROM   AuditLog
                WHERE  ForwardState IN ($pending, $forwarded)
                  AND  OccurredAtUtc >= $since
@@ -642,6 +650,7 @@ public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable
            PayloadTruncated = reader.GetInt32(17) != 0,
            Extra = reader.IsDBNull(18) ? null : reader.GetString(18),
            ForwardState = Enum.Parse<AuditForwardState>(reader.GetString(19)),
+            ExecutionId = reader.IsDBNull(20) ? null : Guid.Parse(reader.GetString(20)),
        };
    }

@@ -6,78 +6,58 @@

 <div class="card mb-3" data-test="audit-filter-bar">
    <div class="card-body py-2">
-        @* Channel chip multi-select. *@
-        <div class="mb-2" data-test="filter-channel">
-            <label class="form-label small mb-1">Channel</label>
-            <div>
-                @foreach (var channel in Enum.GetValues<AuditChannel>())
+        @* All filters sit in one wrapped row. Kind / Status / Site use compact
+           MultiSelectDropdown controls; Channel is a single-select because the
+           Kind options narrow to the chosen channel — so the bar stays a row or
+           two tall instead of four stacked blocks of chip buttons. *@
+        <div class="row g-2 align-items-end">
+            @* Single-select: one channel at a time, so the Kind options below
+               narrow cleanly to that channel. "All channels" clears it. *@
+            <div class="col-auto" data-test="filter-channel">
+                <label class="form-label small mb-1" for="audit-channel">Channel</label>
+                <select id="audit-channel" data-test="filter-channel-select"
+                        class="form-select form-select-sm" @bind="SelectedChannel">
+                    <option value="">All channels</option>
+                    @foreach (var channel in _channels)
                    {
-                    var selected = _model.Channels.Contains(channel);
-                    <button type="button" data-test="chip-channel-@channel"
-                            class="@ChipClass(selected)"
-                            @onclick="() => ToggleChannel(channel)">
-                        @channel
-                    </button>
+                        <option value="@channel">@channel</option>
                    }
-            </div>
+                </select>
            </div>

-        @* Kind chip multi-select — narrowed by Channel selection. *@
-        <div class="mb-2" data-test="filter-kind">
+            @* Kind options are narrowed by the Channel selection (VisibleKinds). *@
+            <div class="col-auto" data-test="filter-kind">
                <label class="form-label small mb-1">Kind</label>
                <div>
-                @foreach (var kind in _model.VisibleKinds())
-                {
-                    var selected = _model.Kinds.Contains(kind);
-                    <button type="button" data-test="chip-kind-@kind"
-                            class="@ChipClass(selected)"
-                            @onclick="() => ToggleKind(kind)">
-                        @kind
-                    </button>
-                }
+                    <MultiSelectDropdown TValue="AuditKind"
+                                         Items="_model.VisibleKinds()"
+                                         Selected="_model.Kinds"
+                                         DataTest="filter-kind-ms" />
                </div>
            </div>

-        @* Status chip multi-select. *@
-        <div class="mb-2" data-test="filter-status">
+            <div class="col-auto" data-test="filter-status">
                <label class="form-label small mb-1">Status</label>
                <div>
-                @foreach (var status in Enum.GetValues<AuditStatus>())
-                {
-                    var selected = _model.Statuses.Contains(status);
-                    <button type="button" data-test="chip-status-@status"
-                            class="@ChipClass(selected)"
-                            @onclick="() => ToggleStatus(status)">
-                        @status
-                    </button>
-                }
+                    <MultiSelectDropdown TValue="AuditStatus"
+                                         Items="_statuses"
+                                         Selected="_model.Statuses"
+                                         DataTest="filter-status-ms" />
                </div>
            </div>

-        @* Site chip multi-select — populated from ISiteRepository. *@
-        <div class="mb-2" data-test="filter-site">
+            <div class="col-auto" data-test="filter-site">
                <label class="form-label small mb-1">Site</label>
                <div>
-                @if (_sites.Count == 0)
-                {
-                    <span class="text-muted small">No sites available.</span>
-                }
-                else
-                {
-                    @foreach (var site in _sites)
-                    {
-                        var selected = _model.SiteIdentifiers.Contains(site.SiteIdentifier);
-                        <button type="button" data-test="chip-site-@site.SiteIdentifier"
-                                class="@ChipClass(selected)"
-                                @onclick="() => ToggleSite(site.SiteIdentifier)">
-                            @site.Name
-                        </button>
-                    }
-                }
+                    <MultiSelectDropdown TValue="string"
+                                         Items="_siteIds"
+                                         Selected="_model.SiteIdentifiers"
+                                         Display="SiteName"
+                                         EmptyText="No sites available"
+                                         DataTest="filter-site-ms" />
                </div>
            </div>

-        <div class="row g-2 align-items-end">
            <div class="col-auto" data-test="filter-time-range">
                <label class="form-label small mb-1" for="audit-time-range">Time range</label>
                <select id="audit-time-range" class="form-select form-select-sm"
@@ -7,19 +7,32 @@ namespace ScadaLink.CentralUI.Components.Audit;

 /// <summary>
 /// Filter bar for the central Audit Log page (#23 M7-T2). Owns the
-/// <see cref="AuditQueryModel"/> binding state, renders the 10 filter elements
-/// plus the Errors-only toggle, and publishes a collapsed
-/// <see cref="AuditLogQueryFilter"/> via <see cref="OnFilterChanged"/> when the
-/// user clicks Apply. See <see cref="AuditQueryModel"/> for the multi-select →
-/// single-value collapse contract.
+/// <see cref="AuditQueryModel"/> binding state and renders the filter controls
+/// — Channel as a single-select (one channel at a time, so the Kind options
+/// narrow to it cleanly); Kind / Status / Site as compact
+/// <see cref="ScadaLink.CentralUI.Components.Shared.MultiSelectDropdown{TValue}"/>
+/// controls; plus the time range, free-text searches and the Errors-only
+/// toggle — and publishes an <see cref="AuditLogQueryFilter"/> via
+/// <see cref="OnFilterChanged"/> when the user clicks Apply. The selected
+/// dimensions map through to the filter's list fields; see
+/// <see cref="AuditQueryModel"/> for the Errors-only and time-range rules.
 /// </summary>
 public partial class AuditFilterBar
 {
    private readonly AuditQueryModel _model = new();
    private List<Site> _sites = new();

+    /// <summary>Channel options — the full enum, fixed for the component's lifetime.</summary>
+    private static readonly IReadOnlyList<AuditChannel> _channels = Enum.GetValues<AuditChannel>();
+
+    /// <summary>Status options — the full enum, fixed for the component's lifetime.</summary>
+    private static readonly IReadOnlyList<AuditStatus> _statuses = Enum.GetValues<AuditStatus>();
+
+    /// <summary>Site identifiers in display order; rebuilt once when sites load.</summary>
+    private IReadOnlyList<string> _siteIds = Array.Empty<string>();
+
    /// <summary>
-    /// Raised when the user clicks Apply. Carries the collapsed
+    /// Raised when the user clicks Apply. Carries the
    /// <see cref="AuditLogQueryFilter"/> the parent page hands to
    /// <see cref="ScadaLink.CentralUI.Services.IAuditLogQueryService"/>.
    /// </summary>
@@ -51,10 +64,9 @@ public partial class AuditFilterBar
            _model.InstanceSearch = InitialInstanceSearch.Trim();
        }

-
-        // Populate the Site chips at component init. Failure is non-fatal — the chip
-        // section just shows "No sites available." Sites are listed by Name to match
-        // operator expectations from the Notification Report.
+        // Populate the Site dropdown at component init. Failure is non-fatal — the
+        // dropdown just shows "No sites available." Sites are listed by Name to
+        // match operator expectations from the Notification Report.
        try
        {
            var sites = await SiteRepository.GetAllSitesAsync();
@@ -62,48 +74,52 @@ public partial class AuditFilterBar
        }
        catch
        {
-            // Swallowed: filter bar still renders without the Site chips. The page
+            // Swallowed: filter bar still renders without the Site options. The page
            // surfaces site-load errors elsewhere (the grid query path).
            _sites = new();
        }
+
+        _siteIds = _sites.Select(s => s.SiteIdentifier).ToArray();
    }

-    private void ToggleChannel(AuditChannel channel)
+    /// <summary>
+    /// Single-select Channel binding for the filter bar. The Audit Log filters one
+    /// channel at a time so the Kind options narrow cleanly to it; the model still
+    /// stores the selection as a set (0 or 1 entry) so <see cref="AuditQueryModel.ToFilter"/>
+    /// and <see cref="AuditQueryModel.VisibleKinds"/> are unchanged. <c>null</c> = all channels.
+    /// </summary>
+    private AuditChannel? SelectedChannel
    {
-        if (!_model.Channels.Add(channel))
+        get => _model.Channels.Count > 0 ? _model.Channels.First() : null;
+        set
        {
-            _model.Channels.Remove(channel);
+            _model.Channels.Clear();
+            if (value is { } channel)
+            {
+                _model.Channels.Add(channel);
            }

-        // Drop Kind chips that fall outside the new visible set. Keeps "Channel and
-        // Kind both picked" coherent — without this, removing a channel could leave
-        // stale Kind chips selected that no longer match any visible chip.
+            OnChannelsChanged();
+        }
+    }
+
+    /// <summary>
+    /// Runs after the Channel selection changes. Drops any Kind selections that fell
+    /// outside the new visible set — without this, changing the channel could leave
+    /// stale Kind selections that no longer match any visible option.
+    /// </summary>
+    private void OnChannelsChanged()
+    {
        var visible = _model.VisibleKinds().ToHashSet();
        _model.Kinds.RemoveWhere(k => !visible.Contains(k));
    }

-    private void ToggleKind(AuditKind kind)
+    /// <summary>Display label for a site identifier — its friendly Name, id as fallback.</summary>
+    private string SiteName(string siteIdentifier)
    {
-        if (!_model.Kinds.Add(kind))
-        {
-            _model.Kinds.Remove(kind);
-        }
-    }
-
-    private void ToggleStatus(AuditStatus status)
-    {
-        if (!_model.Statuses.Add(status))
-        {
-            _model.Statuses.Remove(status);
-        }
-    }
-
-    private void ToggleSite(string siteIdentifier)
-    {
-        if (!_model.SiteIdentifiers.Add(siteIdentifier))
-        {
-            _model.SiteIdentifiers.Remove(siteIdentifier);
-        }
+        var site = _sites.FirstOrDefault(s =>
+            string.Equals(s.SiteIdentifier, siteIdentifier, StringComparison.OrdinalIgnoreCase));
+        return site?.Name ?? siteIdentifier;
    }

    private void ClearFilters()
@@ -129,11 +145,6 @@ public partial class AuditFilterBar
        await OnFilterChanged.InvokeAsync(filter);
    }

-    private static string ChipClass(bool selected) =>
-        selected
-            ? "btn btn-sm btn-primary me-1 mb-1"
-            : "btn btn-sm btn-outline-secondary me-1 mb-1";
-
    private static string TimeRangeLabel(AuditTimeRangePreset preset) => preset switch
    {
        AuditTimeRangePreset.Last5Minutes => "now − 5 min → now",
@@ -0,0 +1,40 @@
+@typeparam TValue
+@*
+    Compact multi-select control: a Bootstrap dropdown whose toggle button
+    summarises the current selection over a checkbox menu. Replaces a wrapped
+    block of chip buttons with a single control of one row's height.
+*@
+<div class="dropdown msd" data-test="@DataTest">
+    <button type="button"
+            class="btn btn-sm btn-outline-secondary dropdown-toggle msd-toggle text-start"
+            data-bs-toggle="dropdown"
+            data-bs-auto-close="outside"
+            aria-expanded="false"
+            disabled="@(Items.Count == 0)"
+            data-test="@($"{DataTest}-toggle")">
+        <span class="msd-summary">@Summary()</span>
+    </button>
+    <ul class="dropdown-menu msd-menu">
+        @if (Items.Count == 0)
+        {
+            <li><span class="dropdown-item-text text-muted small">@EmptyText</span></li>
+        }
+        else
+        {
+            @foreach (var item in Items)
+            {
+                var isSelected = Selected.Contains(item);
+                <li>
+                    <label class="dropdown-item msd-item">
+                        <input type="checkbox"
+                               class="form-check-input msd-check"
+                               checked="@isSelected"
+                               @onchange="() => Toggle(item)"
+                               data-test="@($"{DataTest}-opt-{item}")" />
+                        <span>@Display(item)</span>
+                    </label>
+                </li>
+            }
+        }
+    </ul>
+</div>
@@ -0,0 +1,95 @@
+using Microsoft.AspNetCore.Components;
+
+namespace ScadaLink.CentralUI.Components.Shared;
+
+/// <summary>
+/// A compact multi-select control: a Bootstrap dropdown whose toggle button
+/// summarises the current selection ("All" when empty, the single item's label
+/// when one is picked, or "N selected" otherwise) over a checkbox menu.
+///
+/// <para>
+/// It exists to keep multi-value filter controls one row tall instead of a
+/// wrapped block of chip buttons. The component mutates the caller-owned
+/// <see cref="Selected"/> collection in place and raises
+/// <see cref="SelectionChanged"/> after every toggle so the parent can react
+/// (re-render, prune dependent selections, …).
+/// </para>
+///
+/// <para>
+/// Requires the Bootstrap JS bundle (loaded in <c>App.razor</c>) for the
+/// dropdown toggle; <c>data-bs-auto-close="outside"</c> keeps the menu open
+/// while the operator ticks several boxes.
+/// </para>
+/// </summary>
+/// <typeparam name="TValue">The option value type (an enum or string).</typeparam>
+public partial class MultiSelectDropdown<TValue> where TValue : notnull
+{
+    /// <summary>The options shown in the menu, in display order.</summary>
+    [Parameter, EditorRequired]
+    public IReadOnlyList<TValue> Items { get; set; } = Array.Empty<TValue>();
+
+    /// <summary>
+    /// The caller-owned selection set. Mutated in place by <see cref="Toggle"/>.
+    /// </summary>
+    [Parameter, EditorRequired]
+    public ICollection<TValue> Selected { get; set; } = default!;
+
+    /// <summary>Maps an option to its display label. Defaults to <c>ToString()</c>.</summary>
+    [Parameter]
+    public Func<TValue, string> Display { get; set; } = static v => v.ToString() ?? string.Empty;
+
+    /// <summary>Raised after each toggle, once <see cref="Selected"/> has been updated.</summary>
+    [Parameter]
+    public EventCallback SelectionChanged { get; set; }
+
+    /// <summary>Summary text shown on the toggle button when nothing is selected.</summary>
+    [Parameter]
+    public string AllLabel { get; set; } = "All";
+
+    /// <summary>Text shown in the menu when there are no options.</summary>
+    [Parameter]
+    public string EmptyText { get; set; } = "None available";
+
+    /// <summary><c>data-test</c> root for this control, its toggle and its options.</summary>
+    [Parameter]
+    public string DataTest { get; set; } = "multi-select";
+
+    private async Task Toggle(TValue item)
+    {
+        // ICollection.Remove returns false when the item was absent — that is the
+        // "not currently selected" case, so add it. This is a plain toggle.
+        if (!Selected.Remove(item))
+        {
+            Selected.Add(item);
+        }
+
+        await SelectionChanged.InvokeAsync();
+    }
+
+    private string Summary()
+    {
+        var count = Selected.Count;
+        if (count == 0)
+        {
+            return AllLabel;
+        }
+
+        if (count == 1)
+        {
+            // Prefer the single selection's label over a bare "1 selected".
+            foreach (var item in Items)
+            {
+                if (Selected.Contains(item))
+                {
+                    return Display(item);
+                }
+            }
+
+            // The one selected value is not in the current Items list (e.g. a Kind
+            // narrowed out by a Channel change before the parent pruned it).
+            return "1 selected";
+        }
+
+        return $"{count} selected";
+    }
+}
@@ -0,0 +1,32 @@
+/* Compact multi-select dropdown. Tuned to sit inline with form-select-sm /
+   form-control-sm controls in a filter row. */
+
+.msd-toggle {
+    min-width: 9rem;
+    max-width: 15rem;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap;
+}
+
+/* Keep a long option list from running off-screen — scroll within the menu. */
+.msd-menu {
+    max-height: 16rem;
+    overflow-y: auto;
+}
+
+/* The whole row is a <label> so a click anywhere toggles the checkbox; the
+   menu stays open thanks to data-bs-auto-close="outside". */
+.msd-item {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    cursor: pointer;
+}
+
+/* Neutralise the default form-check-input top margin so the box lines up with
+   the option text inside the dropdown-item. */
+.msd-check {
+    flex: 0 0 auto;
+    margin: 0;
+}
@@ -26,6 +26,13 @@ public sealed record AuditEvent
    /// <summary>Correlation id linking related audit rows (e.g. the cached-op lifecycle).</summary>
    public Guid? CorrelationId { get; init; }

+    /// <summary>
+    /// Id of the originating script execution / inbound request — the universal
+    /// per-run correlation value, distinct from <see cref="CorrelationId"/> (which
+    /// is the per-operation lifecycle id).
+    /// </summary>
+    public Guid? ExecutionId { get; init; }
+
    /// <summary>Site id where the action originated; null for central-direct events.</summary>
    public string? SourceSiteId { get; init; }

@@ -11,7 +11,9 @@ namespace ScadaLink.Commons.Types.Audit;
 /// dimension (translated to a SQL <c>IN (…)</c>). Time bounds are half-open in
 /// the spec sense — <see cref="FromUtc"/> is inclusive and <see cref="ToUtc"/> is
 /// inclusive of the upper bound; the repository SQL uses <c>&gt;=</c> / <c>&lt;=</c>
-/// respectively. All filter dimensions are AND-combined with one another.
+/// respectively. All filter dimensions are AND-combined with one another. The
+/// single-value <see cref="CorrelationId"/> and <see cref="ExecutionId"/>
+/// dimensions constrain on equality when set.
 /// </summary>
 public sealed record AuditLogQueryFilter(
    IReadOnlyList<AuditChannel>? Channels = null,
@@ -21,5 +23,6 @@ public sealed record AuditLogQueryFilter(
    string? Target = null,
    string? Actor = null,
    Guid? CorrelationId = null,
+    Guid? ExecutionId = null,
    DateTime? FromUtc = null,
    DateTime? ToUtc = null);
@@ -47,6 +47,7 @@ public static class AuditEventDtoMapper
            Channel = evt.Channel.ToString(),
            Kind = evt.Kind.ToString(),
            CorrelationId = evt.CorrelationId?.ToString() ?? string.Empty,
+            ExecutionId = evt.ExecutionId?.ToString() ?? string.Empty,
            SourceSiteId = evt.SourceSiteId ?? string.Empty,
            SourceInstanceId = evt.SourceInstanceId ?? string.Empty,
            SourceScript = evt.SourceScript ?? string.Empty,
@@ -92,6 +93,7 @@ public static class AuditEventDtoMapper
            Channel = Enum.Parse<AuditChannel>(dto.Channel),
            Kind = Enum.Parse<AuditKind>(dto.Kind),
            CorrelationId = NullIfEmpty(dto.CorrelationId) is { } cid ? Guid.Parse(cid) : null,
+            ExecutionId = NullIfEmpty(dto.ExecutionId) is { } eid ? Guid.Parse(eid) : null,
            SourceSiteId = NullIfEmpty(dto.SourceSiteId),
            SourceInstanceId = NullIfEmpty(dto.SourceInstanceId),
            SourceScript = NullIfEmpty(dto.SourceScript),
@@ -91,6 +91,7 @@ message AuditEventDto {
  string response_summary = 17;
  bool payload_truncated = 18;
  string extra = 19;
+  string execution_id = 20;       // empty string represents null
 }

 message AuditEventBatch { repeated AuditEventDto events = 1; }
@@ -41,7 +41,7 @@ namespace ScadaLink.Communication.Grpc {
            "c3RhdGUYAyABKA4yGi5zaXRlc3RyZWFtLkFsYXJtU3RhdGVFbnVtEhAKCHBy",
            "aW9yaXR5GAQgASgFEi0KCXRpbWVzdGFtcBgFIAEoCzIaLmdvb2dsZS5wcm90",
            "b2J1Zi5UaW1lc3RhbXASKQoFbGV2ZWwYBiABKA4yGi5zaXRlc3RyZWFtLkFs",
-            "YXJtTGV2ZWxFbnVtEg8KB21lc3NhZ2UYByABKAki9QMKDUF1ZGl0RXZlbnRE",
+            "YXJtTGV2ZWxFbnVtEg8KB21lc3NhZ2UYByABKAkiiwQKDUF1ZGl0RXZlbnRE",
            "dG8SEAoIZXZlbnRfaWQYASABKAkSMwoPb2NjdXJyZWRfYXRfdXRjGAIgASgL",
            "MhouZ29vZ2xlLnByb3RvYnVmLlRpbWVzdGFtcBIPCgdjaGFubmVsGAMgASgJ",
            "EgwKBGtpbmQYBCABKAkSFgoOY29ycmVsYXRpb25faWQYBSABKAkSFgoOc291",
@@ -52,43 +52,43 @@ namespace ScadaLink.Communication.Grpc {
            "GA0gASgLMhsuZ29vZ2xlLnByb3RvYnVmLkludDMyVmFsdWUSFQoNZXJyb3Jf",
            "bWVzc2FnZRgOIAEoCRIUCgxlcnJvcl9kZXRhaWwYDyABKAkSFwoPcmVxdWVz",
            "dF9zdW1tYXJ5GBAgASgJEhgKEHJlc3BvbnNlX3N1bW1hcnkYESABKAkSGQoR",
-            "cGF5bG9hZF90cnVuY2F0ZWQYEiABKAgSDQoFZXh0cmEYEyABKAkiPAoPQXVk",
-            "aXRFdmVudEJhdGNoEikKBmV2ZW50cxgBIAMoCzIZLnNpdGVzdHJlYW0uQXVk",
-            "aXRFdmVudER0byInCglJbmdlc3RBY2sSGgoSYWNjZXB0ZWRfZXZlbnRfaWRz",
-            "GAEgAygJIvQCChZTaXRlQ2FsbE9wZXJhdGlvbmFsRHRvEhwKFHRyYWNrZWRf",
-            "b3BlcmF0aW9uX2lkGAEgASgJEg8KB2NoYW5uZWwYAiABKAkSDgoGdGFyZ2V0",
-            "GAMgASgJEhMKC3NvdXJjZV9zaXRlGAQgASgJEg4KBnN0YXR1cxgFIAEoCRIT",
-            "CgtyZXRyeV9jb3VudBgGIAEoBRISCgpsYXN0X2Vycm9yGAcgASgJEjAKC2h0",
-            "dHBfc3RhdHVzGAggASgLMhsuZ29vZ2xlLnByb3RvYnVmLkludDMyVmFsdWUS",
-            "MgoOY3JlYXRlZF9hdF91dGMYCSABKAsyGi5nb29nbGUucHJvdG9idWYuVGlt",
-            "ZXN0YW1wEjIKDnVwZGF0ZWRfYXRfdXRjGAogASgLMhouZ29vZ2xlLnByb3Rv",
-            "YnVmLlRpbWVzdGFtcBIzCg90ZXJtaW5hbF9hdF91dGMYCyABKAsyGi5nb29n",
-            "bGUucHJvdG9idWYuVGltZXN0YW1wIoABChVDYWNoZWRUZWxlbWV0cnlQYWNr",
-            "ZXQSLgoLYXVkaXRfZXZlbnQYASABKAsyGS5zaXRlc3RyZWFtLkF1ZGl0RXZl",
-            "bnREdG8SNwoLb3BlcmF0aW9uYWwYAiABKAsyIi5zaXRlc3RyZWFtLlNpdGVD",
-            "YWxsT3BlcmF0aW9uYWxEdG8iSgoUQ2FjaGVkVGVsZW1ldHJ5QmF0Y2gSMgoH",
-            "cGFja2V0cxgBIAMoCzIhLnNpdGVzdHJlYW0uQ2FjaGVkVGVsZW1ldHJ5UGFj",
-            "a2V0IlsKFlB1bGxBdWRpdEV2ZW50c1JlcXVlc3QSLQoJc2luY2VfdXRjGAEg",
-            "ASgLMhouZ29vZ2xlLnByb3RvYnVmLlRpbWVzdGFtcBISCgpiYXRjaF9zaXpl",
-            "GAIgASgFIlwKF1B1bGxBdWRpdEV2ZW50c1Jlc3BvbnNlEikKBmV2ZW50cxgB",
-            "IAMoCzIZLnNpdGVzdHJlYW0uQXVkaXRFdmVudER0bxIWCg5tb3JlX2F2YWls",
-            "YWJsZRgCIAEoCCpcCgdRdWFsaXR5EhcKE1FVQUxJVFlfVU5TUEVDSUZJRUQQ",
-            "ABIQCgxRVUFMSVRZX0dPT0QQARIVChFRVUFMSVRZX1VOQ0VSVEFJThACEg8K",
-            "C1FVQUxJVFlfQkFEEAMqXQoOQWxhcm1TdGF0ZUVudW0SGwoXQUxBUk1fU1RB",
-            "VEVfVU5TUEVDSUZJRUQQABIWChJBTEFSTV9TVEFURV9OT1JNQUwQARIWChJB",
-            "TEFSTV9TVEFURV9BQ1RJVkUQAiqFAQoOQWxhcm1MZXZlbEVudW0SFAoQQUxB",
-            "Uk1fTEVWRUxfTk9ORRAAEhMKD0FMQVJNX0xFVkVMX0xPVxABEhcKE0FMQVJN",
-            "X0xFVkVMX0xPV19MT1cQAhIUChBBTEFSTV9MRVZFTF9ISUdIEAMSGQoVQUxB",
-            "Uk1fTEVWRUxfSElHSF9ISUdIEAQy4QIKEVNpdGVTdHJlYW1TZXJ2aWNlElUK",
-            "EVN1YnNjcmliZUluc3RhbmNlEiEuc2l0ZXN0cmVhbS5JbnN0YW5jZVN0cmVh",
-            "bVJlcXVlc3QaGy5zaXRlc3RyZWFtLlNpdGVTdHJlYW1FdmVudDABEkcKEUlu",
-            "Z2VzdEF1ZGl0RXZlbnRzEhsuc2l0ZXN0cmVhbS5BdWRpdEV2ZW50QmF0Y2ga",
-            "FS5zaXRlc3RyZWFtLkluZ2VzdEFjaxJQChVJbmdlc3RDYWNoZWRUZWxlbWV0",
-            "cnkSIC5zaXRlc3RyZWFtLkNhY2hlZFRlbGVtZXRyeUJhdGNoGhUuc2l0ZXN0",
-            "cmVhbS5Jbmdlc3RBY2sSWgoPUHVsbEF1ZGl0RXZlbnRzEiIuc2l0ZXN0cmVh",
-            "bS5QdWxsQXVkaXRFdmVudHNSZXF1ZXN0GiMuc2l0ZXN0cmVhbS5QdWxsQXVk",
-            "aXRFdmVudHNSZXNwb25zZUIfqgIcU2NhZGFMaW5rLkNvbW11bmljYXRpb24u",
-            "R3JwY2IGcHJvdG8z"));
+            "cGF5bG9hZF90cnVuY2F0ZWQYEiABKAgSDQoFZXh0cmEYEyABKAkSFAoMZXhl",
+            "Y3V0aW9uX2lkGBQgASgJIjwKD0F1ZGl0RXZlbnRCYXRjaBIpCgZldmVudHMY",
+            "ASADKAsyGS5zaXRlc3RyZWFtLkF1ZGl0RXZlbnREdG8iJwoJSW5nZXN0QWNr",
+            "EhoKEmFjY2VwdGVkX2V2ZW50X2lkcxgBIAMoCSL0AgoWU2l0ZUNhbGxPcGVy",
+            "YXRpb25hbER0bxIcChR0cmFja2VkX29wZXJhdGlvbl9pZBgBIAEoCRIPCgdj",
+            "aGFubmVsGAIgASgJEg4KBnRhcmdldBgDIAEoCRITCgtzb3VyY2Vfc2l0ZRgE",
+            "IAEoCRIOCgZzdGF0dXMYBSABKAkSEwoLcmV0cnlfY291bnQYBiABKAUSEgoK",
+            "bGFzdF9lcnJvchgHIAEoCRIwCgtodHRwX3N0YXR1cxgIIAEoCzIbLmdvb2ds",
+            "ZS5wcm90b2J1Zi5JbnQzMlZhbHVlEjIKDmNyZWF0ZWRfYXRfdXRjGAkgASgL",
+            "MhouZ29vZ2xlLnByb3RvYnVmLlRpbWVzdGFtcBIyCg51cGRhdGVkX2F0X3V0",
+            "YxgKIAEoCzIaLmdvb2dsZS5wcm90b2J1Zi5UaW1lc3RhbXASMwoPdGVybWlu",
+            "YWxfYXRfdXRjGAsgASgLMhouZ29vZ2xlLnByb3RvYnVmLlRpbWVzdGFtcCKA",
+            "AQoVQ2FjaGVkVGVsZW1ldHJ5UGFja2V0Ei4KC2F1ZGl0X2V2ZW50GAEgASgL",
+            "Mhkuc2l0ZXN0cmVhbS5BdWRpdEV2ZW50RHRvEjcKC29wZXJhdGlvbmFsGAIg",
+            "ASgLMiIuc2l0ZXN0cmVhbS5TaXRlQ2FsbE9wZXJhdGlvbmFsRHRvIkoKFENh",
+            "Y2hlZFRlbGVtZXRyeUJhdGNoEjIKB3BhY2tldHMYASADKAsyIS5zaXRlc3Ry",
+            "ZWFtLkNhY2hlZFRlbGVtZXRyeVBhY2tldCJbChZQdWxsQXVkaXRFdmVudHNS",
+            "ZXF1ZXN0Ei0KCXNpbmNlX3V0YxgBIAEoCzIaLmdvb2dsZS5wcm90b2J1Zi5U",
+            "aW1lc3RhbXASEgoKYmF0Y2hfc2l6ZRgCIAEoBSJcChdQdWxsQXVkaXRFdmVu",
+            "dHNSZXNwb25zZRIpCgZldmVudHMYASADKAsyGS5zaXRlc3RyZWFtLkF1ZGl0",
+            "RXZlbnREdG8SFgoObW9yZV9hdmFpbGFibGUYAiABKAgqXAoHUXVhbGl0eRIX",
+            "ChNRVUFMSVRZX1VOU1BFQ0lGSUVEEAASEAoMUVVBTElUWV9HT09EEAESFQoR",
+            "UVVBTElUWV9VTkNFUlRBSU4QAhIPCgtRVUFMSVRZX0JBRBADKl0KDkFsYXJt",
+            "U3RhdGVFbnVtEhsKF0FMQVJNX1NUQVRFX1VOU1BFQ0lGSUVEEAASFgoSQUxB",
+            "Uk1fU1RBVEVfTk9STUFMEAESFgoSQUxBUk1fU1RBVEVfQUNUSVZFEAIqhQEK",
+            "DkFsYXJtTGV2ZWxFbnVtEhQKEEFMQVJNX0xFVkVMX05PTkUQABITCg9BTEFS",
+            "TV9MRVZFTF9MT1cQARIXChNBTEFSTV9MRVZFTF9MT1dfTE9XEAISFAoQQUxB",
+            "Uk1fTEVWRUxfSElHSBADEhkKFUFMQVJNX0xFVkVMX0hJR0hfSElHSBAEMuEC",
+            "ChFTaXRlU3RyZWFtU2VydmljZRJVChFTdWJzY3JpYmVJbnN0YW5jZRIhLnNp",
+            "dGVzdHJlYW0uSW5zdGFuY2VTdHJlYW1SZXF1ZXN0Ghsuc2l0ZXN0cmVhbS5T",
+            "aXRlU3RyZWFtRXZlbnQwARJHChFJbmdlc3RBdWRpdEV2ZW50cxIbLnNpdGVz",
+            "dHJlYW0uQXVkaXRFdmVudEJhdGNoGhUuc2l0ZXN0cmVhbS5Jbmdlc3RBY2sS",
+            "UAoVSW5nZXN0Q2FjaGVkVGVsZW1ldHJ5EiAuc2l0ZXN0cmVhbS5DYWNoZWRU",
+            "ZWxlbWV0cnlCYXRjaBoVLnNpdGVzdHJlYW0uSW5nZXN0QWNrEloKD1B1bGxB",
+            "dWRpdEV2ZW50cxIiLnNpdGVzdHJlYW0uUHVsbEF1ZGl0RXZlbnRzUmVxdWVz",
+            "dBojLnNpdGVzdHJlYW0uUHVsbEF1ZGl0RXZlbnRzUmVzcG9uc2VCH6oCHFNj",
+            "YWRhTGluay5Db21tdW5pY2F0aW9uLkdycGNiBnByb3RvMw=="));
      descriptor = pbr::FileDescriptor.FromGeneratedCode(descriptorData,
          new pbr::FileDescriptor[] { global::Google.Protobuf.WellKnownTypes.TimestampReflection.Descriptor, global::Google.Protobuf.WellKnownTypes.WrappersReflection.Descriptor, },
          new pbr::GeneratedClrTypeInfo(new[] {typeof(global::ScadaLink.Communication.Grpc.Quality), typeof(global::ScadaLink.Communication.Grpc.AlarmStateEnum), typeof(global::ScadaLink.Communication.Grpc.AlarmLevelEnum), }, null, new pbr::GeneratedClrTypeInfo[] {
@@ -96,7 +96,7 @@ namespace ScadaLink.Communication.Grpc {
            new pbr::GeneratedClrTypeInfo(typeof(global::ScadaLink.Communication.Grpc.SiteStreamEvent), global::ScadaLink.Communication.Grpc.SiteStreamEvent.Parser, new[]{ "CorrelationId", "AttributeChanged", "AlarmChanged" }, new[]{ "Event" }, null, null, null),
            new pbr::GeneratedClrTypeInfo(typeof(global::ScadaLink.Communication.Grpc.AttributeValueUpdate), global::ScadaLink.Communication.Grpc.AttributeValueUpdate.Parser, new[]{ "InstanceUniqueName", "AttributePath", "AttributeName", "Value", "Quality", "Timestamp" }, null, null, null, null),
            new pbr::GeneratedClrTypeInfo(typeof(global::ScadaLink.Communication.Grpc.AlarmStateUpdate), global::ScadaLink.Communication.Grpc.AlarmStateUpdate.Parser, new[]{ "InstanceUniqueName", "AlarmName", "State", "Priority", "Timestamp", "Level", "Message" }, null, null, null, null),
-            new pbr::GeneratedClrTypeInfo(typeof(global::ScadaLink.Communication.Grpc.AuditEventDto), global::ScadaLink.Communication.Grpc.AuditEventDto.Parser, new[]{ "EventId", "OccurredAtUtc", "Channel", "Kind", "CorrelationId", "SourceSiteId", "SourceInstanceId", "SourceScript", "Actor", "Target", "Status", "HttpStatus", "DurationMs", "ErrorMessage", "ErrorDetail", "RequestSummary", "ResponseSummary", "PayloadTruncated", "Extra" }, null, null, null, null),
+            new pbr::GeneratedClrTypeInfo(typeof(global::ScadaLink.Communication.Grpc.AuditEventDto), global::ScadaLink.Communication.Grpc.AuditEventDto.Parser, new[]{ "EventId", "OccurredAtUtc", "Channel", "Kind", "CorrelationId", "SourceSiteId", "SourceInstanceId", "SourceScript", "Actor", "Target", "Status", "HttpStatus", "DurationMs", "ErrorMessage", "ErrorDetail", "RequestSummary", "ResponseSummary", "PayloadTruncated", "Extra", "ExecutionId" }, null, null, null, null),
            new pbr::GeneratedClrTypeInfo(typeof(global::ScadaLink.Communication.Grpc.AuditEventBatch), global::ScadaLink.Communication.Grpc.AuditEventBatch.Parser, new[]{ "Events" }, null, null, null, null),
            new pbr::GeneratedClrTypeInfo(typeof(global::ScadaLink.Communication.Grpc.IngestAck), global::ScadaLink.Communication.Grpc.IngestAck.Parser, new[]{ "AcceptedEventIds" }, null, null, null, null),
            new pbr::GeneratedClrTypeInfo(typeof(global::ScadaLink.Communication.Grpc.SiteCallOperationalDto), global::ScadaLink.Communication.Grpc.SiteCallOperationalDto.Parser, new[]{ "TrackedOperationId", "Channel", "Target", "SourceSite", "Status", "RetryCount", "LastError", "HttpStatus", "CreatedAtUtc", "UpdatedAtUtc", "TerminalAtUtc" }, null, null, null, null),
@@ -1591,6 +1591,7 @@ namespace ScadaLink.Communication.Grpc {
      responseSummary_ = other.responseSummary_;
      payloadTruncated_ = other.payloadTruncated_;
      extra_ = other.extra_;
+      executionId_ = other.executionId_;
      _unknownFields = pb::UnknownFieldSet.Clone(other._unknownFields);
    }

@@ -1838,6 +1839,21 @@ namespace ScadaLink.Communication.Grpc {
      }
    }

+    /// <summary>Field number for the "execution_id" field.</summary>
+    public const int ExecutionIdFieldNumber = 20;
+    private string executionId_ = "";
+    /// <summary>
+    /// empty string represents null
+    /// </summary>
+    [global::System.Diagnostics.DebuggerNonUserCodeAttribute]
+    [global::System.CodeDom.Compiler.GeneratedCode("protoc", null)]
+    public string ExecutionId {
+      get { return executionId_; }
+      set {
+        executionId_ = pb::ProtoPreconditions.CheckNotNull(value, "value");
+      }
+    }
+
    [global::System.Diagnostics.DebuggerNonUserCodeAttribute]
    [global::System.CodeDom.Compiler.GeneratedCode("protoc", null)]
    public override bool Equals(object other) {
@@ -1872,6 +1888,7 @@ namespace ScadaLink.Communication.Grpc {
      if (ResponseSummary != other.ResponseSummary) return false;
      if (PayloadTruncated != other.PayloadTruncated) return false;
      if (Extra != other.Extra) return false;
+      if (ExecutionId != other.ExecutionId) return false;
      return Equals(_unknownFields, other._unknownFields);
    }

@@ -1898,6 +1915,7 @@ namespace ScadaLink.Communication.Grpc {
      if (ResponseSummary.Length != 0) hash ^= ResponseSummary.GetHashCode();
      if (PayloadTruncated != false) hash ^= PayloadTruncated.GetHashCode();
      if (Extra.Length != 0) hash ^= Extra.GetHashCode();
+      if (ExecutionId.Length != 0) hash ^= ExecutionId.GetHashCode();
      if (_unknownFields != null) {
        hash ^= _unknownFields.GetHashCode();
      }
@@ -1990,6 +2008,10 @@ namespace ScadaLink.Communication.Grpc {
        output.WriteRawTag(154, 1);
        output.WriteString(Extra);
      }
+      if (ExecutionId.Length != 0) {
+        output.WriteRawTag(162, 1);
+        output.WriteString(ExecutionId);
+      }
      if (_unknownFields != null) {
        _unknownFields.WriteTo(output);
      }
@@ -2074,6 +2096,10 @@ namespace ScadaLink.Communication.Grpc {
        output.WriteRawTag(154, 1);
        output.WriteString(Extra);
      }
+      if (ExecutionId.Length != 0) {
+        output.WriteRawTag(162, 1);
+        output.WriteString(ExecutionId);
+      }
      if (_unknownFields != null) {
        _unknownFields.WriteTo(ref output);
      }
@@ -2141,6 +2167,9 @@ namespace ScadaLink.Communication.Grpc {
      if (Extra.Length != 0) {
        size += 2 + pb::CodedOutputStream.ComputeStringSize(Extra);
      }
+      if (ExecutionId.Length != 0) {
+        size += 2 + pb::CodedOutputStream.ComputeStringSize(ExecutionId);
+      }
      if (_unknownFields != null) {
        size += _unknownFields.CalculateSize();
      }
@@ -2217,6 +2246,9 @@ namespace ScadaLink.Communication.Grpc {
      if (other.Extra.Length != 0) {
        Extra = other.Extra;
      }
+      if (other.ExecutionId.Length != 0) {
+        ExecutionId = other.ExecutionId;
+      }
      _unknownFields = pb::UnknownFieldSet.MergeFrom(_unknownFields, other._unknownFields);
    }

@@ -2321,6 +2353,10 @@ namespace ScadaLink.Communication.Grpc {
            Extra = input.ReadString();
            break;
          }
+          case 162: {
+            ExecutionId = input.ReadString();
+            break;
+          }
        }
      }
    #endif
@@ -2425,6 +2461,10 @@ namespace ScadaLink.Communication.Grpc {
            Extra = input.ReadString();
            break;
          }
+          case 162: {
+            ExecutionId = input.ReadString();
+            break;
+          }
        }
      }
    }
@@ -89,6 +89,10 @@ public class AuditLogEntityTypeConfiguration : IEntityTypeConfiguration<AuditEve
            .HasFilter("[CorrelationId] IS NOT NULL")
            .HasDatabaseName("IX_AuditLog_CorrelationId");

+        builder.HasIndex(e => e.ExecutionId)
+            .HasFilter("[ExecutionId] IS NOT NULL")
+            .HasDatabaseName("IX_AuditLog_Execution");
+
        builder.HasIndex(e => new { e.Channel, e.Status, e.OccurredAtUtc })
            .IsDescending(false, false, true)
            .HasDatabaseName("IX_AuditLog_Channel_Status_Occurred");
@@ -0,0 +1,57 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ScadaLink.ConfigurationDatabase.Migrations
+{
+    /// <summary>
+    /// Adds the universal <c>ExecutionId</c> correlation column to the centralized
+    /// <c>AuditLog</c> table (#23). <c>ExecutionId</c> identifies the originating
+    /// script execution / inbound request and is distinct from the per-operation
+    /// <c>CorrelationId</c>.
+    ///
+    /// The change is purely additive:
+    /// 1. <c>ExecutionId uniqueidentifier NULL</c> is added with no default, so the
+    ///    operation is a metadata-only <c>ALTER TABLE … ADD</c> — it does NOT
+    ///    rewrite the monthly-partitioned <c>AuditLog</c> table, and historical
+    ///    rows stay <c>NULL</c> (no backfill).
+    /// 2. <c>IX_AuditLog_Execution</c> is created via raw SQL so it lands on the
+    ///    <c>ps_AuditLog_Month(OccurredAtUtc)</c> partition scheme, matching every
+    ///    other <c>IX_AuditLog_*</c> index. Keeping it partition-aligned preserves
+    ///    the partition-switch purge path (see AuditLogRepository.SwitchOutPartitionAsync).
+    /// </summary>
+    public partial class AddAuditLogExecutionId : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<Guid>(
+                name: "ExecutionId",
+                table: "AuditLog",
+                type: "uniqueidentifier",
+                nullable: true);
+
+            // Raw SQL so the index is created on the partition scheme — EF's
+            // CreateIndex cannot express the ON ps_AuditLog_Month(OccurredAtUtc)
+            // clause. Mirrors IX_AuditLog_CorrelationId (filtered, aligned).
+            migrationBuilder.Sql(@"
+CREATE NONCLUSTERED INDEX IX_AuditLog_Execution
+ON dbo.AuditLog (ExecutionId)
+WHERE ExecutionId IS NOT NULL
+ON ps_AuditLog_Month(OccurredAtUtc);");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.Sql(@"
+IF EXISTS (SELECT 1 FROM sys.indexes WHERE name = 'IX_AuditLog_Execution' AND object_id = OBJECT_ID('dbo.AuditLog'))
+    DROP INDEX IX_AuditLog_Execution ON dbo.AuditLog;");
+
+            migrationBuilder.DropColumn(
+                name: "ExecutionId",
+                table: "AuditLog");
+        }
+    }
+}
@@ -73,6 +73,9 @@ namespace ScadaLink.ConfigurationDatabase.Migrations
                        .HasMaxLength(1024)
                        .HasColumnType("nvarchar(1024)");

+                    b.Property<Guid?>("ExecutionId")
+                        .HasColumnType("uniqueidentifier");
+
                    b.Property<string>("Extra")
                        .HasColumnType("nvarchar(max)");

@@ -138,6 +141,10 @@ namespace ScadaLink.ConfigurationDatabase.Migrations
                        .IsUnique()
                        .HasDatabaseName("UX_AuditLog_EventId");

+                    b.HasIndex("ExecutionId")
+                        .HasDatabaseName("IX_AuditLog_Execution")
+                        .HasFilter("[ExecutionId] IS NOT NULL");
+
                    b.HasIndex("OccurredAtUtc")
                        .IsDescending()
                        .HasDatabaseName("IX_AuditLog_OccurredAtUtc");
@@ -64,12 +64,12 @@ public class AuditLogRepository : IAuditLogRepository
            await _context.Database.ExecuteSqlInterpolatedAsync(
                $@"IF NOT EXISTS (SELECT 1 FROM dbo.AuditLog WHERE EventId = {evt.EventId})
 INSERT INTO dbo.AuditLog
-    (EventId, OccurredAtUtc, IngestedAtUtc, Channel, Kind, CorrelationId,
+    (EventId, OccurredAtUtc, IngestedAtUtc, Channel, Kind, CorrelationId, ExecutionId,
     SourceSiteId, SourceInstanceId, SourceScript, Actor, Target, Status,
     HttpStatus, DurationMs, ErrorMessage, ErrorDetail, RequestSummary,
     ResponseSummary, PayloadTruncated, Extra, ForwardState)
 VALUES
-    ({evt.EventId}, {evt.OccurredAtUtc}, {evt.IngestedAtUtc}, {channel}, {kind}, {evt.CorrelationId},
+    ({evt.EventId}, {evt.OccurredAtUtc}, {evt.IngestedAtUtc}, {channel}, {kind}, {evt.CorrelationId}, {evt.ExecutionId},
     {evt.SourceSiteId}, {evt.SourceInstanceId}, {evt.SourceScript}, {evt.Actor}, {evt.Target}, {status},
     {evt.HttpStatus}, {evt.DurationMs}, {evt.ErrorMessage}, {evt.ErrorDetail}, {evt.RequestSummary},
     {evt.ResponseSummary}, {evt.PayloadTruncated}, {evt.Extra}, {forwardState});",
@@ -157,6 +157,11 @@ VALUES
            query = query.Where(e => e.CorrelationId == correlationId);
        }

+        if (filter.ExecutionId is { } executionId)
+        {
+            query = query.Where(e => e.ExecutionId == executionId);
+        }
+
        if (filter.FromUtc is { } fromUtc)
        {
            query = query.Where(e => e.OccurredAtUtc >= fromUtc);
@@ -263,6 +268,10 @@ VALUES
                PayloadTruncated   bit              NOT NULL,
                Extra              nvarchar(max)    NULL,
                ForwardState       varchar(32)      NULL,
+                -- ExecutionId is last because it was added to the live AuditLog table by a later
+                -- ALTER TABLE ADD migration; the staging table must match the live table column
+                -- shape ordinal-for-ordinal or ALTER TABLE ... SWITCH PARTITION fails.
+                ExecutionId        uniqueidentifier NULL,
                CONSTRAINT PK_{stagingTableName} PRIMARY KEY CLUSTERED (EventId, OccurredAtUtc)
            ) ON [PRIMARY];

@@ -145,6 +145,17 @@ public sealed class AuditWriteMiddleware
                OccurredAtUtc = DateTime.UtcNow,
                Channel = AuditChannel.ApiInbound,
                Kind = kind,
+                // Audit Log #23: a fresh per-request correlation id so the
+                // inbound row carries a request identifier (closes the design
+                // gap that inbound rows should be correlatable).
+                //
+                // This id is intentionally request-local: it is NOT bridged to
+                // RouteHelper's routed-call correlation id or to
+                // HttpContext.TraceIdentifier. Threading an inbound request's
+                // correlation id through to the routed script execution (so an
+                // inbound call and the outbound API/DB rows it triggers share
+                // one id) is a deliberate future follow-up, out of scope here.
+                CorrelationId = Guid.NewGuid(),
                Actor = actor,
                Target = methodName,
                Status = status,
@@ -30,6 +30,13 @@ public class NotificationOutboxActor : ReceiveActor, IWithTimers
    private const int FallbackMaxRetries = 10;
    private static readonly TimeSpan FallbackRetryDelay = TimeSpan.FromMinutes(1);

+    /// <summary>
+    /// Audit <c>Actor</c> stamped on central-dispatch (<c>NotifyDeliver</c>) rows.
+    /// The Actor-column spec assigns central-originated audit rows a system
+    /// identity — there is no per-call authenticated user at dispatch time.
+    /// </summary>
+    private const string SystemActor = "system";
+
    private readonly IServiceProvider _serviceProvider;
    private readonly NotificationOutboxOptions _options;
    private readonly ICentralAuditWriter _auditWriter;
@@ -500,9 +507,11 @@ public class NotificationOutboxActor : ReceiveActor, IWithTimers
            Channel = AuditChannel.Notification,
            Kind = AuditKind.NotifyDeliver,
            CorrelationId = correlationId,
-            // Central dispatch — no authenticated actor (the originating
-            // script's identity is captured on the upstream NotifySend row).
-            Actor = null,
+            // Central dispatch — a system identity per the Actor-column spec;
+            // there is no per-call authenticated user here. The originating
+            // script is still captured on SourceScript (and on the upstream
+            // NotifySend row).
+            Actor = SystemActor,
            SourceSiteId = notification.SourceSiteId,
            SourceInstanceId = notification.SourceInstanceId,
            SourceScript = notification.SourceScript,
@@ -37,9 +37,13 @@ internal sealed class AuditingDbCommand : DbCommand
    private readonly string _siteId;
    private readonly string _instanceName;
    private readonly string? _sourceScript;
+    private readonly Guid _auditCorrelationId;
    private readonly ILogger _logger;
    private DbConnection? _wrappingConnection;

+    // Parameter ordering: auditCorrelationId sits immediately after the ILogger,
+    // consistent with the other three audit-threaded ctors (ExternalSystemHelper,
+    // DatabaseHelper, AuditingDbConnection).
    public AuditingDbCommand(
        DbCommand inner,
        IAuditWriter auditWriter,
@@ -47,7 +51,8 @@ internal sealed class AuditingDbCommand : DbCommand
        string siteId,
        string instanceName,
        string? sourceScript,
-        ILogger logger)
+        ILogger logger,
+        Guid auditCorrelationId)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _auditWriter = auditWriter ?? throw new ArgumentNullException(nameof(auditWriter));
@@ -56,6 +61,7 @@ internal sealed class AuditingDbCommand : DbCommand
        _instanceName = instanceName ?? string.Empty;
        _sourceScript = sourceScript;
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _auditCorrelationId = auditCorrelationId;
    }

    // -- Forwarded surface ------------------------------------------------
@@ -426,11 +432,17 @@ internal sealed class AuditingDbCommand : DbCommand
            OccurredAtUtc = DateTime.SpecifyKind(occurredAtUtc, DateTimeKind.Utc),
            Channel = AuditChannel.DbOutbound,
            Kind = AuditKind.DbWrite,
-            CorrelationId = null,
+            // Audit Log #23: the execution-wide correlation id, so this sync
+            // DbWrite row shares an id with the other sync trust-boundary rows
+            // from the same script run.
+            CorrelationId = _auditCorrelationId,
            SourceSiteId = string.IsNullOrEmpty(_siteId) ? null : _siteId,
            SourceInstanceId = _instanceName,
            SourceScript = _sourceScript,
-            Actor = null,
+            // Outbound channel: per the Audit Log Actor-column spec the actor is
+            // the calling script. Null when no single script owns the call
+            // (e.g. a shared script running inline).
+            Actor = _sourceScript,
            Target = target,
            Status = status,
            HttpStatus = null,
@@ -36,8 +36,12 @@ internal sealed class AuditingDbConnection : DbConnection
    private readonly string _siteId;
    private readonly string _instanceName;
    private readonly string? _sourceScript;
+    private readonly Guid _auditCorrelationId;
    private readonly ILogger _logger;

+    // Parameter ordering: auditCorrelationId sits immediately after the ILogger,
+    // consistent with the other three audit-threaded ctors (ExternalSystemHelper,
+    // DatabaseHelper, AuditingDbCommand).
    public AuditingDbConnection(
        DbConnection inner,
        IAuditWriter auditWriter,
@@ -45,7 +49,8 @@ internal sealed class AuditingDbConnection : DbConnection
        string siteId,
        string instanceName,
        string? sourceScript,
-        ILogger logger)
+        ILogger logger,
+        Guid auditCorrelationId)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _auditWriter = auditWriter ?? throw new ArgumentNullException(nameof(auditWriter));
@@ -54,6 +59,7 @@ internal sealed class AuditingDbConnection : DbConnection
        _instanceName = instanceName ?? string.Empty;
        _sourceScript = sourceScript;
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _auditCorrelationId = auditCorrelationId;
    }

    // ConnectionString is settable on DbConnection — forward both halves.
@@ -92,7 +98,8 @@ internal sealed class AuditingDbConnection : DbConnection
            _siteId,
            _instanceName,
            _sourceScript,
-            _logger);
+            _logger,
+            _auditCorrelationId);
    }

    protected override void Dispose(bool disposing)
@@ -105,6 +105,21 @@ public class ScriptRuntimeContext
    /// </summary>
    private readonly ICachedCallTelemetryForwarder? _cachedForwarder;

+    /// <summary>
+    /// Audit Log #23: the execution-wide audit correlation id. Every sync
+    /// trust-boundary audit row emitted by this script execution
+    /// (<c>ApiCall</c>, <c>DbWrite</c>) is stamped with this id so all the
+    /// rows from one script run can be correlated together.
+    /// </summary>
+    private readonly Guid _auditCorrelationId;
+
+    /// <param name="auditCorrelationId">
+    /// Audit Log #23: the execution-wide audit correlation id. When omitted
+    /// (tag-change / timer-triggered executions) a fresh id is generated; an
+    /// inbound caller may supply one to tie the execution to an upstream
+    /// request. Stamped on the sync <c>ApiCall</c>/<c>DbWrite</c> audit rows
+    /// this execution emits.
+    /// </param>
    public ScriptRuntimeContext(
        IActorRef instanceActor,
        IActorRef self,
@@ -122,7 +137,8 @@ public class ScriptRuntimeContext
        string? sourceScript = null,
        IAuditWriter? auditWriter = null,
        IOperationTrackingStore? operationTrackingStore = null,
-        ICachedCallTelemetryForwarder? cachedForwarder = null)
+        ICachedCallTelemetryForwarder? cachedForwarder = null,
+        Guid? auditCorrelationId = null)
    {
        _instanceActor = instanceActor;
        _self = self;
@@ -141,6 +157,7 @@ public class ScriptRuntimeContext
        _auditWriter = auditWriter;
        _operationTrackingStore = operationTrackingStore;
        _cachedForwarder = cachedForwarder;
+        _auditCorrelationId = auditCorrelationId ?? Guid.NewGuid();
    }

    /// <summary>
@@ -241,7 +258,7 @@ public class ScriptRuntimeContext
    /// ExternalSystem.CachedCall("systemName", "methodName", params)
    /// </summary>
    public ExternalSystemHelper ExternalSystem => new(
-        _externalSystemClient, _instanceName, _logger, _auditWriter, _siteId, _sourceScript,
+        _externalSystemClient, _instanceName, _logger, _auditCorrelationId, _auditWriter, _siteId, _sourceScript,
        // Audit Log #23 (M3 Bundle E — Task E3): emit CachedSubmit telemetry
        // on every ExternalSystem.CachedCall enqueue.
        _cachedForwarder);
@@ -255,6 +272,7 @@ public class ScriptRuntimeContext
        _databaseGateway,
        _instanceName,
        _logger,
+        _auditCorrelationId,
        // Audit Log #23 (M4 Bundle A): wire the IAuditWriter so
        // Database.Connection(name) returns an auditing decorator that
        // emits one DbOutbound/DbWrite row per script-initiated
@@ -362,6 +380,7 @@ public class ScriptRuntimeContext
        private readonly IExternalSystemClient? _client;
        private readonly string _instanceName;
        private readonly ILogger _logger;
+        private readonly Guid _auditCorrelationId;
        private readonly IAuditWriter? _auditWriter;
        private readonly string _siteId;
        private readonly string? _sourceScript;
@@ -370,10 +389,18 @@ public class ScriptRuntimeContext
        // Internal constructor for tests living in ScadaLink.SiteRuntime.Tests
        // (via InternalsVisibleTo). Production sites resolve the helper through
        // ScriptRuntimeContext.ExternalSystem.
+        //
+        // Parameter ordering: auditCorrelationId sits immediately after the
+        // ILogger across all four audit-threaded ctors (ExternalSystemHelper,
+        // DatabaseHelper, AuditingDbConnection, AuditingDbCommand) — a required
+        // Guid cannot follow the optional provenance params without a
+        // required-after-optional compile error, so the post-logger slot is the
+        // one consistent position that compiles cleanly everywhere.
        internal ExternalSystemHelper(
            IExternalSystemClient? client,
            string instanceName,
            ILogger logger,
+            Guid auditCorrelationId,
            IAuditWriter? auditWriter = null,
            string siteId = "",
            string? sourceScript = null,
@@ -382,6 +409,7 @@ public class ScriptRuntimeContext
            _client = client;
            _instanceName = instanceName;
            _logger = logger;
+            _auditCorrelationId = auditCorrelationId;
            _auditWriter = auditWriter;
            _siteId = siteId;
            _sourceScript = sourceScript;
@@ -420,7 +448,7 @@ public class ScriptRuntimeContext
            {
                var elapsedMs = (int)((Stopwatch.GetTimestamp() - startTicks)
                    * 1000d / Stopwatch.Frequency);
-                EmitCallAudit(systemName, methodName, occurredAtUtc, elapsedMs, result, thrown);
+                EmitCallAudit(systemName, methodName, occurredAtUtc, elapsedMs, result, thrown, parameters);
            }
        }

@@ -458,7 +486,7 @@ public class ScriptRuntimeContext
            // Submitted row even if the immediate-delivery attempt happens to
            // resolve before this method returns.
            await EmitCachedSubmitTelemetryAsync(
-                systemName, methodName, target, trackedId, occurredAtUtc, cancellationToken)
+                systemName, methodName, target, trackedId, occurredAtUtc, parameters, cancellationToken)
                .ConfigureAwait(false);

            // Hand off to the existing cached-call path. The TrackedOperationId
@@ -503,7 +531,7 @@ public class ScriptRuntimeContext
            if (result is { WasBuffered: false })
            {
                await EmitImmediateTerminalTelemetryAsync(
-                    systemName, methodName, target, trackedId, result, cancellationToken)
+                    systemName, methodName, target, trackedId, result, parameters, cancellationToken)
                    .ConfigureAwait(false);
            }

@@ -521,6 +549,7 @@ public class ScriptRuntimeContext
            string target,
            TrackedOperationId trackedId,
            DateTime occurredAtUtc,
+            IReadOnlyDictionary<string, object?>? parameters,
            CancellationToken cancellationToken)
        {
            if (_cachedForwarder == null)
@@ -544,6 +573,8 @@ public class ScriptRuntimeContext
                        SourceScript = _sourceScript,
                        Target = target,
                        Status = AuditStatus.Submitted,
+                        // Submit precedes the call — request args only, no response yet.
+                        RequestSummary = SerializeRequest(parameters),
                        ForwardState = AuditForwardState.Pending,
                    },
                    Operational: new SiteCallOperational(
@@ -599,6 +630,7 @@ public class ScriptRuntimeContext
            string target,
            TrackedOperationId trackedId,
            ExternalCallResult result,
+            IReadOnlyDictionary<string, object?>? parameters,
            CancellationToken cancellationToken)
        {
            if (_cachedForwarder == null)
@@ -653,6 +685,8 @@ public class ScriptRuntimeContext
                        Status = AuditStatus.Attempted,
                        HttpStatus = httpStatus,
                        ErrorMessage = result.Success ? null : result.ErrorMessage,
+                        RequestSummary = SerializeRequest(parameters),
+                        ResponseSummary = result.ResponseJson,
                        ForwardState = AuditForwardState.Pending,
                    },
                    Operational: new SiteCallOperational(
@@ -712,6 +746,8 @@ public class ScriptRuntimeContext
                        Status = auditTerminalStatus,
                        HttpStatus = httpStatus,
                        ErrorMessage = result.Success ? null : result.ErrorMessage,
+                        RequestSummary = SerializeRequest(parameters),
+                        ResponseSummary = result.ResponseJson,
                        ForwardState = AuditForwardState.Pending,
                    },
                    Operational: new SiteCallOperational(
@@ -762,7 +798,8 @@ public class ScriptRuntimeContext
            DateTime occurredAtUtc,
            int durationMs,
            ExternalCallResult? result,
-            Exception? thrown)
+            Exception? thrown,
+            IReadOnlyDictionary<string, object?>? parameters)
        {
            if (_auditWriter == null)
            {
@@ -772,7 +809,8 @@ public class ScriptRuntimeContext
            AuditEvent evt;
            try
            {
-                evt = BuildCallAuditEvent(systemName, methodName, occurredAtUtc, durationMs, result, thrown);
+                evt = BuildCallAuditEvent(
+                    systemName, methodName, occurredAtUtc, durationMs, result, thrown, parameters);
            }
            catch (Exception buildEx)
            {
@@ -828,7 +866,8 @@ public class ScriptRuntimeContext
            DateTime occurredAtUtc,
            int durationMs,
            ExternalCallResult? result,
-            Exception? thrown)
+            Exception? thrown,
+            IReadOnlyDictionary<string, object?>? parameters)
        {
            // Status: Delivered on a Success result; Failed otherwise (the
            // ExternalSystemClient already maps HTTP non-2xx + transient
@@ -871,24 +910,57 @@ public class ScriptRuntimeContext
                OccurredAtUtc = DateTime.SpecifyKind(occurredAtUtc, DateTimeKind.Utc),
                Channel = AuditChannel.ApiOutbound,
                Kind = AuditKind.ApiCall,
-                CorrelationId = null,
+                // Audit Log #23: the execution-wide correlation id, so all the
+                // sync ApiCall/DbWrite rows from one script run share an id.
+                CorrelationId = _auditCorrelationId,
                SourceSiteId = string.IsNullOrEmpty(_siteId) ? null : _siteId,
                SourceInstanceId = _instanceName,
                SourceScript = _sourceScript,
-                Actor = null,
+                // Outbound channel: per the Audit Log Actor-column spec the actor
+                // is the calling script. Null when no single script owns the call
+                // (e.g. a shared script running inline).
+                Actor = _sourceScript,
                Target = $"{systemName}.{methodName}",
                Status = status,
                HttpStatus = httpStatus,
                DurationMs = durationMs,
                ErrorMessage = errorMessage,
                ErrorDetail = errorDetail,
-                RequestSummary = null,
-                ResponseSummary = null,
+                // Payload capture: the request arguments and the response body.
+                // The audit writer's payload filter applies the configured size
+                // cap and header/secret redaction downstream — the emitter just
+                // hands over the raw values.
+                RequestSummary = SerializeRequest(parameters),
+                ResponseSummary = result?.ResponseJson,
                PayloadTruncated = false,
                Extra = null,
                ForwardState = AuditForwardState.Pending,
            };
        }
+
+        /// <summary>
+        /// Serialises the outbound-call argument dictionary into the JSON
+        /// <c>RequestSummary</c> stamped on <c>ApiOutbound</c> audit rows.
+        /// Returns <c>null</c> for a null/empty argument set. Serialization
+        /// failure is swallowed (returns <c>null</c>) — a payload that cannot be
+        /// summarised must never abort the best-effort audit emission.
+        /// </summary>
+        private static string? SerializeRequest(IReadOnlyDictionary<string, object?>? parameters)
+        {
+            if (parameters is null || parameters.Count == 0)
+            {
+                return null;
+            }
+
+            try
+            {
+                return JsonSerializer.Serialize(parameters);
+            }
+            catch (Exception)
+            {
+                return null;
+            }
+        }
    }

    /// <summary>
@@ -907,6 +979,7 @@ public class ScriptRuntimeContext
        private readonly IDatabaseGateway? _gateway;
        private readonly string _instanceName;
        private readonly ILogger _logger;
+        private readonly Guid _auditCorrelationId;
        private readonly string _siteId;
        private readonly string? _sourceScript;
        private readonly ICachedCallTelemetryForwarder? _cachedForwarder;
@@ -923,10 +996,15 @@ public class ScriptRuntimeContext
        /// </summary>
        private readonly IAuditWriter? _auditWriter;

+        // Parameter ordering: auditCorrelationId sits immediately after the
+        // ILogger — see the note on ExternalSystemHelper's ctor for why the
+        // post-logger slot is the one consistent position across all four
+        // audit-threaded ctors.
        internal DatabaseHelper(
            IDatabaseGateway? gateway,
            string instanceName,
            ILogger logger,
+            Guid auditCorrelationId,
            IAuditWriter? auditWriter = null,
            string siteId = "",
            string? sourceScript = null,
@@ -935,6 +1013,7 @@ public class ScriptRuntimeContext
            _gateway = gateway;
            _instanceName = instanceName;
            _logger = logger;
+            _auditCorrelationId = auditCorrelationId;
            _auditWriter = auditWriter;
            _siteId = siteId;
            _sourceScript = sourceScript;
@@ -969,7 +1048,8 @@ public class ScriptRuntimeContext
                siteId: _siteId,
                instanceName: _instanceName,
                sourceScript: _sourceScript,
-                logger: _logger);
+                logger: _logger,
+                auditCorrelationId: _auditCorrelationId);
        }

        /// <summary>
@@ -1355,7 +1435,10 @@ public class ScriptRuntimeContext
                    SourceSiteId = string.IsNullOrEmpty(_siteId) ? null : _siteId,
                    SourceInstanceId = _instanceName,
                    SourceScript = _sourceScript,
-                    Actor = null,
+                    // Outbound channel: per the Audit Log Actor-column spec the
+                    // actor is the calling script. Null when no single script
+                    // owns the call (e.g. a shared script running inline).
+                    Actor = _sourceScript,
                    Target = _listName,
                    Status = AuditStatus.Submitted,
                    HttpStatus = null,
@@ -150,6 +150,7 @@ public class AuditWriteFailureSafetyTests : TestKit, IClassFixture<MsSqlMigratio
            client,
            instanceName: "Plant.Pump42",
            NullLogger.Instance,
+            Guid.NewGuid(),
            auditWriter: writer,
            siteId: "site-77",
            sourceScript: "ScriptActor:Sync",
@@ -193,6 +194,7 @@ public class AuditWriteFailureSafetyTests : TestKit, IClassFixture<MsSqlMigratio
            client,
            instanceName: "Plant.Pump42",
            NullLogger.Instance,
+            Guid.NewGuid(),
            auditWriter: writer,
            siteId: "site-77",
            sourceScript: "ScriptActor:Cached",
@@ -243,6 +245,7 @@ public class AuditWriteFailureSafetyTests : TestKit, IClassFixture<MsSqlMigratio
            gateway,
            instanceName,
            NullLogger.Instance,
+            Guid.NewGuid(),
            auditWriter: writer,
            siteId: "site-77",
            sourceScript: "ScriptActor:Db",
@@ -157,6 +157,7 @@ public class DatabaseSyncEmissionEndToEndTests : TestKit, IClassFixture<MsSqlMig
            gateway,
            InstanceName,
            NullLogger.Instance,
+            Guid.NewGuid(),
            auditWriter: writer,
            siteId: siteId,
            sourceScript: SourceScript,
@@ -41,9 +41,9 @@ public class SqliteAuditWriterSchemaTests
    }

    [Fact]
-    public void Opens_Creates_AuditLog_Table_With_20Columns_And_PK_On_EventId()
+    public void Opens_Creates_AuditLog_Table_With_21Columns_And_PK_On_EventId()
    {
-        var (writer, dataSource) = CreateWriter(nameof(Opens_Creates_AuditLog_Table_With_20Columns_And_PK_On_EventId));
+        var (writer, dataSource) = CreateWriter(nameof(Opens_Creates_AuditLog_Table_With_21Columns_And_PK_On_EventId));
        using (writer)
        {
            using var connection = OpenVerifierConnection(dataSource);
@@ -57,7 +57,7 @@ public class SqliteAuditWriterSchemaTests
                columns.Add((reader.GetString(1), reader.GetInt32(5)));
            }

-            Assert.Equal(20, columns.Count);
+            Assert.Equal(21, columns.Count);

            var expected = new[]
            {
@@ -65,7 +65,7 @@ public class SqliteAuditWriterSchemaTests
                "SourceSiteId", "SourceInstanceId", "SourceScript", "Actor", "Target",
                "Status", "HttpStatus", "DurationMs", "ErrorMessage", "ErrorDetail",
                "RequestSummary", "ResponseSummary", "PayloadTruncated", "Extra",
-                "ForwardState",
+                "ForwardState", "ExecutionId",
            };
            Assert.Equal(expected.OrderBy(n => n), columns.Select(c => c.Name).OrderBy(n => n));

@@ -353,4 +353,37 @@ public class SqliteAuditWriterWriteTests
        await writer.MarkReconciledAsync(new[] { Guid.NewGuid(), Guid.NewGuid() });
        // Completes without throwing.
    }
+
+    // ----- ExecutionId column (universal per-run correlation value) ----- //
+
+    [Fact]
+    public async Task WriteAsync_NonNullExecutionId_RoundTripsThroughMapRow()
+    {
+        var (writer, _) = CreateWriter(nameof(WriteAsync_NonNullExecutionId_RoundTripsThroughMapRow));
+        await using var _w = writer;
+
+        var executionId = Guid.NewGuid();
+        var evt = NewEvent() with { ExecutionId = executionId };
+        await writer.WriteAsync(evt);
+
+        var rows = await writer.ReadPendingAsync(limit: 10);
+
+        var row = Assert.Single(rows);
+        Assert.Equal(executionId, row.ExecutionId);
+    }
+
+    [Fact]
+    public async Task WriteAsync_NullExecutionId_RoundTripsAsNull()
+    {
+        var (writer, _) = CreateWriter(nameof(WriteAsync_NullExecutionId_RoundTripsAsNull));
+        await using var _w = writer;
+
+        var evt = NewEvent() with { ExecutionId = null };
+        await writer.WriteAsync(evt);
+
+        var rows = await writer.ReadPendingAsync(limit: 10);
+
+        var row = Assert.Single(rows);
+        Assert.Null(row.ExecutionId);
+    }
 }
@@ -16,7 +16,7 @@ namespace ScadaLink.CentralUI.PlaywrightTests.Audit;
 /// <para>
 /// Scenarios covered (per the M7-T16 brief):
 /// <list type="bullet">
-///   <item><c>FilterNarrowing</c> — channel chip narrows the results grid.</item>
+///   <item><c>FilterNarrowing</c> — the channel filter narrows the results grid.</item>
 ///   <item><c>DrilldownDrawer_JsonPrettyPrint</c> — JSON request bodies pretty-print.</item>
 ///   <item><c>CopyAsCurlButton_VisibleOnApiInbound</c> — cURL action visible for API rows.</item>
 ///   <item><c>DrillInFromCorrelationId_AutoLoadsAuditLog</c> — query-string drill-in
@@ -45,7 +45,7 @@ public class AuditLogPageTests
    }

    [Fact]
-    public async Task FilterNarrowing_ChannelChipShrinksGrid()
+    public async Task FilterNarrowing_ChannelFilterShrinksGrid()
    {
        // Skip with a clear message when MSSQL is not reachable — the rest of
        // the Playwright suite is UI-only and does not need the DB, so this
@@ -91,13 +91,13 @@ public class AuditLogPageTests
            await page.WaitForLoadStateAsync(LoadState.NetworkIdle);

            // Pre-Apply, both rows are absent because the grid stays empty until
-            // the user filters. Click the ApiOutbound chip then Apply.
-            await page.Locator("[data-test='chip-channel-ApiOutbound']").ClickAsync();
+            // the user filters. Pick the ApiOutbound channel, then Apply.
+            await page.Locator("[data-test='filter-channel-select']").SelectOptionAsync("ApiOutbound");
            await page.Locator("[data-test='filter-apply']").ClickAsync();
            await page.WaitForLoadStateAsync(LoadState.NetworkIdle);

            // The seeded ApiOutbound row is visible; the DbOutbound row is not
-            // (it was filtered out by the channel chip).
+            // (it was filtered out by the channel filter).
            var apiRow = page.Locator($"[data-test='grid-row-{apiEventId}']");
            var dbRow = page.Locator($"[data-test='grid-row-{dbEventId}']");
            await Assertions.Expect(apiRow).ToBeVisibleAsync();
@@ -13,13 +13,18 @@ namespace ScadaLink.CentralUI.Tests.Components.Audit;
 /// <summary>
 /// bUnit tests for <see cref="AuditFilterBar"/> (#23 M7-T2 / Bundle B).
 ///
-/// The bar carries the 10 spec filter elements plus the Errors-only toggle. Tests
-/// pin: (1) the full filter set renders; (2) Apply raises <c>OnFilterChanged</c>
-/// with collapsed values; (3) the Channel→Kind narrowing map drives Kind chip
-/// visibility; (4) the Errors-only toggle ORs <c>Failed</c> into Status when
-/// Status is otherwise empty; (5) the "Last hour" preset populates
-/// <c>FromUtc</c> to roughly an hour before "now" — proves the time-window
-/// collapse without freezing the clock.
+/// The bar carries the 10 spec filter elements plus the Errors-only toggle.
+/// Channel is a single-select <c>&lt;select data-test="filter-channel-select"&gt;</c>;
+/// Kind / Status / Site are
+/// <see cref="ScadaLink.CentralUI.Components.Shared.MultiSelectDropdown{TValue}"/>
+/// controls whose options are checkboxes tagged
+/// <c>data-test="filter-&lt;dim&gt;-ms-opt-&lt;value&gt;"</c>. Tests pin:
+/// (1) the full filter set renders; (2) Apply raises <c>OnFilterChanged</c> with
+/// the selected values; (3) the Channel→Kind narrowing map drives Kind option
+/// visibility; (4) the Errors-only toggle ORs the error statuses into Status when
+/// Status is otherwise empty; (5) the "Last hour" preset populates <c>FromUtc</c>
+/// to roughly an hour before "now" — proves the time-window collapse without
+/// freezing the clock.
 /// </summary>
 public class AuditFilterBarTests : BunitContext
 {
@@ -71,8 +76,8 @@ public class AuditFilterBarTests : BunitContext
        var cut = Render<AuditFilterBar>(p => p
            .Add(c => c.OnFilterChanged, EventCallback.Factory.Create<AuditLogQueryFilter>(this, f => captured = f)));

-        // Drive UI: toggle a Channel chip, type in the Target search box, click Apply.
-        cut.Find("[data-test=\"chip-channel-ApiOutbound\"]").Click();
+        // Drive UI: pick a Channel, type in the Target search box, click Apply.
+        cut.Find("[data-test=\"filter-channel-select\"]").Change("ApiOutbound");
        cut.Find("[data-test=\"filter-target\"] input").Change("Plant-A-OPC");
        cut.Find("[data-test=\"filter-apply\"]").Click();

@@ -82,23 +87,25 @@ public class AuditFilterBarTests : BunitContext
    }

    [Fact]
-    public void Apply_WithMultipleChannelChips_PassesAllSelectedChannels()
+    public void ChangingChannel_ReplacesTheSelection_SingleSelect()
    {
-        // Task 9: ToFilter no longer collapses the chip multi-select — every
-        // selected channel chip reaches the filter's Channels list.
+        // Channel is single-select: picking a second channel replaces the first
+        // rather than adding to it (the page filters one channel at a time).
        AuditLogQueryFilter? captured = null;
        var cut = Render<AuditFilterBar>(p => p
            .Add(c => c.OnFilterChanged, EventCallback.Factory.Create<AuditLogQueryFilter>(this, f => captured = f)));

-        cut.Find("[data-test=\"chip-channel-ApiOutbound\"]").Click();
-        cut.Find("[data-test=\"chip-channel-Notification\"]").Click();
+        cut.Find("[data-test=\"filter-channel-select\"]").Change("ApiOutbound");
+        cut.Find("[data-test=\"filter-channel-select\"]").Change("Notification");
        cut.Find("[data-test=\"filter-apply\"]").Click();

        Assert.NotNull(captured);
-        Assert.NotNull(captured!.Channels);
-        Assert.Equal(2, captured.Channels!.Count);
-        Assert.Contains(AuditChannel.ApiOutbound, captured.Channels);
-        Assert.Contains(AuditChannel.Notification, captured.Channels);
+        Assert.Equal(new[] { AuditChannel.Notification }, captured!.Channels);
+
+        // Selecting "All channels" clears the channel filter entirely.
+        cut.Find("[data-test=\"filter-channel-select\"]").Change(string.Empty);
+        cut.Find("[data-test=\"filter-apply\"]").Click();
+        Assert.Null(captured!.Channels);
    }

    [Fact]
@@ -106,23 +113,23 @@ public class AuditFilterBarTests : BunitContext
    {
        var cut = Render<AuditFilterBar>();

-        // With no Channel selected, every kind chip is in the DOM.
+        // With no Channel selected, every kind option is in the DOM.
        foreach (var kind in Enum.GetValues<AuditKind>())
        {
-            Assert.Contains($"data-test=\"chip-kind-{kind}\"", cut.Markup);
+            Assert.Contains($"data-test=\"filter-kind-ms-opt-{kind}\"", cut.Markup);
        }

-        // Select only ApiOutbound; Kind chips outside the channel-kind map drop out.
-        cut.Find("[data-test=\"chip-channel-ApiOutbound\"]").Click();
+        // Select ApiOutbound; Kind options outside the channel-kind map drop out.
+        cut.Find("[data-test=\"filter-channel-select\"]").Change("ApiOutbound");

        var apiKinds = AuditQueryModel.KindsByChannel[AuditChannel.ApiOutbound];
        foreach (var kind in apiKinds)
        {
-            Assert.Contains($"data-test=\"chip-kind-{kind}\"", cut.Markup);
+            Assert.Contains($"data-test=\"filter-kind-ms-opt-{kind}\"", cut.Markup);
        }
        // Sanity: an unrelated kind is gone.
-        Assert.DoesNotContain($"data-test=\"chip-kind-{AuditKind.NotifySend}\"", cut.Markup);
-        Assert.DoesNotContain($"data-test=\"chip-kind-{AuditKind.InboundRequest}\"", cut.Markup);
+        Assert.DoesNotContain($"data-test=\"filter-kind-ms-opt-{AuditKind.NotifySend}\"", cut.Markup);
+        Assert.DoesNotContain($"data-test=\"filter-kind-ms-opt-{AuditKind.InboundRequest}\"", cut.Markup);
    }

    [Fact]
@@ -144,8 +151,8 @@ public class AuditFilterBarTests : BunitContext
        Assert.Contains(AuditStatus.Parked, captured.Statuses);
        Assert.Contains(AuditStatus.Discarded, captured.Statuses);

-        // Now pin an explicit Status chip — Errors-only must yield (chip wins).
-        cut.Find("[data-test=\"chip-status-Delivered\"]").Click();
+        // Now pin an explicit Status option — Errors-only must yield (explicit wins).
+        cut.Find("[data-test=\"filter-status-ms-opt-Delivered\"]").Change(true);
        cut.Find("[data-test=\"filter-apply\"]").Click();

        Assert.Equal(new[] { AuditStatus.Delivered }, captured!.Statuses);
@@ -160,8 +167,8 @@ public class AuditFilterBarTests : BunitContext
        var cut = Render<AuditFilterBar>(p => p
            .Add(c => c.OnFilterChanged, EventCallback.Factory.Create<AuditLogQueryFilter>(this, f => captured = f)));

-        cut.Find("[data-test=\"chip-status-Delivered\"]").Click();
-        cut.Find("[data-test=\"chip-status-Failed\"]").Click();
+        cut.Find("[data-test=\"filter-status-ms-opt-Delivered\"]").Change(true);
+        cut.Find("[data-test=\"filter-status-ms-opt-Failed\"]").Change(true);
        cut.Find("[data-test=\"filter-apply\"]").Click();

        Assert.NotNull(captured);
@@ -17,6 +17,7 @@ public class AuditEventTests
        var occurredAt = new DateTime(2026, 5, 20, 12, 0, 0, DateTimeKind.Utc);
        var ingestedAt = new DateTime(2026, 5, 20, 12, 0, 1, DateTimeKind.Utc);
        var corrId = Guid.NewGuid();
+        var execId = Guid.NewGuid();

        var evt = new AuditEvent
        {
@@ -26,6 +27,7 @@ public class AuditEventTests
            Channel = AuditChannel.ApiOutbound,
            Kind = AuditKind.ApiCall,
            CorrelationId = corrId,
+            ExecutionId = execId,
            SourceSiteId = "site-01",
            SourceInstanceId = "inst-7",
            SourceScript = "OnAlarm",
@@ -49,6 +51,7 @@ public class AuditEventTests
        Assert.Equal(AuditChannel.ApiOutbound, evt.Channel);
        Assert.Equal(AuditKind.ApiCall, evt.Kind);
        Assert.Equal(corrId, evt.CorrelationId);
+        Assert.Equal(execId, evt.ExecutionId);
        Assert.Equal("site-01", evt.SourceSiteId);
        Assert.Equal("inst-7", evt.SourceInstanceId);
        Assert.Equal("OnAlarm", evt.SourceScript);
@@ -77,6 +80,7 @@ public class AuditEventTests
            Channel = AuditChannel.Notification,
            Kind = AuditKind.NotifySend,
            CorrelationId = null,
+            ExecutionId = null,
            SourceSiteId = null,
            SourceInstanceId = null,
            SourceScript = null,
@@ -96,6 +100,7 @@ public class AuditEventTests

        Assert.Null(evt.IngestedAtUtc);
        Assert.Null(evt.CorrelationId);
+        Assert.Null(evt.ExecutionId);
        Assert.Null(evt.SourceSiteId);
        Assert.Null(evt.SourceInstanceId);
        Assert.Null(evt.SourceScript);
@@ -19,6 +19,7 @@ public class AuditEventDtoMapperTests
        var occurredAt = new DateTime(2026, 5, 20, 10, 15, 30, 123, DateTimeKind.Utc);
        var ingestedAt = new DateTime(2026, 5, 20, 10, 15, 31, 0, DateTimeKind.Utc);
        var correlationId = Guid.NewGuid();
+        var executionId = Guid.NewGuid();
        var eventId = Guid.NewGuid();

        var original = new AuditEvent
@@ -29,6 +30,7 @@ public class AuditEventDtoMapperTests
            Channel = AuditChannel.ApiOutbound,
            Kind = AuditKind.ApiCallCached,
            CorrelationId = correlationId,
+            ExecutionId = executionId,
            SourceSiteId = "site-1",
            SourceInstanceId = "Pump01",
            SourceScript = "OnDemand",
@@ -54,6 +56,7 @@ public class AuditEventDtoMapperTests
        Assert.Equal(original.Channel, roundTripped.Channel);
        Assert.Equal(original.Kind, roundTripped.Kind);
        Assert.Equal(original.CorrelationId, roundTripped.CorrelationId);
+        Assert.Equal(original.ExecutionId, roundTripped.ExecutionId);
        Assert.Equal(original.SourceSiteId, roundTripped.SourceSiteId);
        Assert.Equal(original.SourceInstanceId, roundTripped.SourceInstanceId);
        Assert.Equal(original.SourceScript, roundTripped.SourceScript);
@@ -90,6 +93,7 @@ public class AuditEventDtoMapperTests
        var dto = AuditEventDtoMapper.ToDto(evt);

        Assert.Equal(string.Empty, dto.CorrelationId);
+        Assert.Equal(string.Empty, dto.ExecutionId);
        Assert.Equal(string.Empty, dto.SourceSiteId);
        Assert.Equal(string.Empty, dto.SourceInstanceId);
        Assert.Equal(string.Empty, dto.SourceScript);
@@ -113,6 +117,7 @@ public class AuditEventDtoMapperTests
            Kind = nameof(AuditKind.ApiCall),
            Status = nameof(AuditStatus.Submitted),
            CorrelationId = string.Empty,
+            ExecutionId = string.Empty,
            SourceSiteId = string.Empty,
            SourceInstanceId = string.Empty,
            SourceScript = string.Empty,
@@ -128,6 +133,7 @@ public class AuditEventDtoMapperTests
        var evt = AuditEventDtoMapper.FromDto(dto);

        Assert.Null(evt.CorrelationId);
+        Assert.Null(evt.ExecutionId);
        Assert.Null(evt.SourceSiteId);
        Assert.Null(evt.SourceInstanceId);
        Assert.Null(evt.SourceScript);
@@ -74,8 +74,9 @@ public class AuditLogEntityTypeConfigurationTests : IDisposable
            .Where(p => !p.IsShadowProperty())
            .ToList();

-        // AuditEvent record exposes 21 init-only properties (alog.md §4).
-        Assert.Equal(21, properties.Count);
+        // AuditEvent record exposes 22 init-only properties (alog.md §4 plus the
+        // additive ExecutionId universal correlation column).
+        Assert.Equal(22, properties.Count);
    }

    [Fact]
@@ -90,11 +91,13 @@ public class AuditLogEntityTypeConfigurationTests : IDisposable
            .ToList();

        // Five reconciliation/query indexes from alog.md §4, plus the EventId unique
-        // index introduced alongside the composite PK (Bundle C).
+        // index introduced alongside the composite PK (Bundle C), plus the additive
+        // IX_AuditLog_Execution index supporting ExecutionId lookups.
        var expected = new[]
        {
            "IX_AuditLog_Channel_Status_Occurred",
            "IX_AuditLog_CorrelationId",
+            "IX_AuditLog_Execution",
            "IX_AuditLog_OccurredAtUtc",
            "IX_AuditLog_Site_Occurred",
            "IX_AuditLog_Target_Occurred",
@@ -136,5 +139,9 @@ public class AuditLogEntityTypeConfigurationTests : IDisposable
        var targetIdx = entity.GetIndexes()
            .Single(i => i.GetDatabaseName() == "IX_AuditLog_Target_Occurred");
        Assert.Equal("[Target] IS NOT NULL", targetIdx.GetFilter());
+
+        var executionIdx = entity.GetIndexes()
+            .Single(i => i.GetDatabaseName() == "IX_AuditLog_Execution");
+        Assert.Equal("[ExecutionId] IS NOT NULL", executionIdx.GetFilter());
    }
 }
@@ -247,6 +247,34 @@ public class AuditLogRepositoryTests : IClassFixture<MsSqlMigrationFixture>
        Assert.All(rows, r => Assert.Equal(siteId, r.SourceSiteId));
    }

+    [SkippableFact]
+    public async Task QueryAsync_FilterByExecutionId_ReturnsMatchingRows()
+    {
+        Skip.IfNot(_fixture.Available, _fixture.SkipReason);
+
+        var siteId = NewSiteId();
+        await using var context = CreateContext();
+        var repo = new AuditLogRepository(context);
+
+        var executionId = Guid.NewGuid();
+        var t0 = new DateTime(2026, 5, 3, 12, 0, 0, DateTimeKind.Utc);
+        // Two rows share the ExecutionId; one carries a different ExecutionId and
+        // one leaves it null — both must be excluded by the single-value filter.
+        await repo.InsertIfNotExistsAsync(NewEvent(siteId, occurredAtUtc: t0, executionId: executionId));
+        await repo.InsertIfNotExistsAsync(NewEvent(siteId, occurredAtUtc: t0.AddMinutes(1), executionId: executionId));
+        await repo.InsertIfNotExistsAsync(NewEvent(siteId, occurredAtUtc: t0.AddMinutes(2), executionId: Guid.NewGuid()));
+        await repo.InsertIfNotExistsAsync(NewEvent(siteId, occurredAtUtc: t0.AddMinutes(3), executionId: null));
+
+        var rows = await repo.QueryAsync(
+            new AuditLogQueryFilter(
+                SourceSiteIds: new[] { siteId },
+                ExecutionId: executionId),
+            new AuditLogPaging(PageSize: 10));
+
+        Assert.Equal(2, rows.Count);
+        Assert.All(rows, r => Assert.Equal(executionId, r.ExecutionId));
+    }
+
    [SkippableFact]
    public async Task QueryAsync_FilterByTimeRange()
    {
@@ -725,7 +753,8 @@ public class AuditLogRepositoryTests : IClassFixture<MsSqlMigrationFixture>
        AuditChannel channel = AuditChannel.ApiOutbound,
        AuditKind kind = AuditKind.ApiCall,
        AuditStatus status = AuditStatus.Delivered,
-        string? errorMessage = null) =>
+        string? errorMessage = null,
+        Guid? executionId = null) =>
        new()
        {
            EventId = Guid.NewGuid(),
@@ -735,5 +764,6 @@ public class AuditLogRepositoryTests : IClassFixture<MsSqlMigrationFixture>
            Status = status,
            SourceSiteId = siteId,
            ErrorMessage = errorMessage,
+            ExecutionId = executionId,
        };
 }
@@ -350,6 +350,46 @@ public class AuditWriteMiddlewareTests
        Assert.Equal(requestJson, evt.RequestSummary);
    }

+    // ---------------------------------------------------------------------
+    // Correlation id — Audit Log #23: each inbound row carries a fresh
+    // per-request correlation id so inbound rows are correlatable.
+    // ---------------------------------------------------------------------
+
+    [Fact]
+    public async Task InboundRow_CarriesNonNull_CorrelationId()
+    {
+        var writer = new RecordingAuditWriter();
+        var ctx = BuildContext();
+        var mw = CreateMiddleware(_ =>
+        {
+            ctx.Response.StatusCode = 200;
+            return Task.CompletedTask;
+        }, writer);
+
+        await mw.InvokeAsync(ctx);
+
+        var evt = Assert.Single(writer.Events);
+        Assert.NotNull(evt.CorrelationId);
+        Assert.NotEqual(Guid.Empty, evt.CorrelationId!.Value);
+    }
+
+    [Fact]
+    public async Task SeparateRequests_GetDistinct_CorrelationIds()
+    {
+        var writer = new RecordingAuditWriter();
+        var mw = CreateMiddleware(hc =>
+        {
+            hc.Response.StatusCode = 200;
+            return Task.CompletedTask;
+        }, writer);
+
+        await mw.InvokeAsync(BuildContext());
+        await mw.InvokeAsync(BuildContext());
+
+        Assert.Equal(2, writer.Events.Count);
+        Assert.NotEqual(writer.Events[0].CorrelationId, writer.Events[1].CorrelationId);
+    }
+
    [Fact]
    public async Task DurationMs_IsRecorded()
    {
@@ -155,8 +155,8 @@ public class NotificationOutboxActorAttemptEmissionTests : TestKit
            Assert.Equal("site-alpha", evt.SourceSiteId);
            Assert.Equal("instance-42", evt.SourceInstanceId);
            Assert.Equal("AlarmScript", evt.SourceScript);
-            // Central dispatch: actor is null (no authenticated end-user).
-            Assert.Null(evt.Actor);
+            // Central dispatch: Actor is the system identity (no per-call user).
+            Assert.Equal("system", evt.Actor);
            // Successful attempt: no error message.
            Assert.Null(evt.ErrorMessage);
        });
@@ -47,6 +47,9 @@ public class DatabaseCachedWriteEmissionTests
            gateway,
            InstanceName,
            NullLogger.Instance,
+            // Audit Log #23: execution-wide correlation id. Cached rows keep
+            // CorrelationId = TrackedOperationId, so any value works here.
+            Guid.NewGuid(),
            siteId: SiteId,
            sourceScript: SourceScript,
            cachedForwarder: forwarder);
@@ -48,14 +48,28 @@ public class DatabaseSyncEmissionTests
    private const string SourceScript = "ScriptActor:Sync";
    private const string ConnectionName = "machineData";

+    /// <summary>
+    /// Audit Log #23: a fixed execution-wide correlation id used by the
+    /// default <see cref="CreateHelper(IDatabaseGateway, IAuditWriter?)"/>
+    /// overload so assertions can compare against a known value.
+    /// </summary>
+    private static readonly Guid TestCorrelationId = Guid.NewGuid();
+
    private static ScriptRuntimeContext.DatabaseHelper CreateHelper(
        IDatabaseGateway gateway,
        IAuditWriter? auditWriter)
+        => CreateHelper(gateway, auditWriter, TestCorrelationId);
+
+    private static ScriptRuntimeContext.DatabaseHelper CreateHelper(
+        IDatabaseGateway gateway,
+        IAuditWriter? auditWriter,
+        Guid correlationId)
    {
        return new ScriptRuntimeContext.DatabaseHelper(
            gateway,
            InstanceName,
            NullLogger.Instance,
+            correlationId,
            auditWriter: auditWriter,
            siteId: SiteId,
            sourceScript: SourceScript,
@@ -266,11 +280,36 @@ public class DatabaseSyncEmissionTests
        Assert.Equal(SiteId, evt.SourceSiteId);
        Assert.Equal(InstanceName, evt.SourceInstanceId);
        Assert.Equal(SourceScript, evt.SourceScript);
-        Assert.Null(evt.Actor);
-        Assert.Null(evt.CorrelationId);
+        // Outbound channel: Actor carries the calling script identity.
+        Assert.Equal(SourceScript, evt.Actor);
+        // Audit Log #23: the sync DbWrite row now carries the execution-wide
+        // correlation id the helper was constructed with.
+        Assert.Equal(TestCorrelationId, evt.CorrelationId);
        Assert.NotEqual(Guid.Empty, evt.EventId);
    }

+    [Fact]
+    public async Task SyncDbWrite_StampsExecutionCorrelationId()
+    {
+        using var keepAlive = new SqliteConnection("Data Source=kc;Mode=Memory;Cache=Shared");
+        var inner = NewInMemoryDb(out var _);
+        var gateway = new Mock<IDatabaseGateway>();
+        gateway
+            .Setup(g => g.GetConnectionAsync(ConnectionName, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(inner);
+        var writer = new CapturingAuditWriter();
+        var correlationId = Guid.NewGuid();
+
+        var helper = CreateHelper(gateway.Object, writer, correlationId);
+        await using var conn = await helper.Connection(ConnectionName);
+        await using var cmd = conn.CreateCommand();
+        cmd.CommandText = "INSERT INTO t (id, name) VALUES (7, 'eta')";
+        await cmd.ExecuteNonQueryAsync();
+
+        var evt = Assert.Single(writer.Events);
+        Assert.Equal(correlationId, evt.CorrelationId);
+    }
+
    [Fact]
    public async Task DurationMs_NonZero()
    {
@@ -0,0 +1,179 @@
+using Akka.Actor;
+using Microsoft.Data.Sqlite;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.Commons.Types.Enums;
+using ScadaLink.SiteRuntime.Scripts;
+
+namespace ScadaLink.SiteRuntime.Tests.Scripts;
+
+/// <summary>
+/// Audit Log #23 — execution-correlation tests exercised through a full
+/// <see cref="ScriptRuntimeContext"/>:
+///
+/// <list type="bullet">
+/// <item><description>
+/// The <c>?? Guid.NewGuid()</c> fallback in the <see cref="ScriptRuntimeContext"/>
+/// ctor: when no audit correlation id is supplied (tag-change / timer-triggered
+/// executions) a fresh, non-empty id is minted and stamped on the emitted rows.
+/// </description></item>
+/// <item><description>
+/// The execution-wide contract: an <c>ExternalSystem.Call</c> and a sync
+/// <c>Database</c> write performed through ONE context share a single
+/// <see cref="AuditEvent.CorrelationId"/>.
+/// </description></item>
+/// </list>
+/// </summary>
+public class ExecutionCorrelationContextTests
+{
+    /// <summary>
+    /// In-memory <see cref="IAuditWriter"/> capturing every emitted event
+    /// (mirrors the <c>CapturingAuditWriter</c> stubs in
+    /// <see cref="ExternalSystemCallAuditEmissionTests"/> /
+    /// <see cref="DatabaseSyncEmissionTests"/>).
+    /// </summary>
+    private sealed class CapturingAuditWriter : IAuditWriter
+    {
+        public List<AuditEvent> Events { get; } = new();
+
+        public Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
+        {
+            Events.Add(evt);
+            return Task.CompletedTask;
+        }
+    }
+
+    private const string InstanceName = "Plant.Pump42";
+    private const string ConnectionName = "machineData";
+
+    /// <summary>
+    /// Builds a full <see cref="ScriptRuntimeContext"/> wired with the external
+    /// system client, database gateway and audit writer the cross-helper test
+    /// needs. The actor refs are <see cref="ActorRefs.Nobody"/> — the
+    /// integration helpers (ExternalSystem / Database) never touch them — and
+    /// <paramref name="auditCorrelationId"/> defaults to null so the ctor's
+    /// <c>?? Guid.NewGuid()</c> fallback is exercised unless a test supplies one.
+    /// </summary>
+    private static ScriptRuntimeContext CreateContext(
+        IExternalSystemClient? externalSystemClient,
+        IDatabaseGateway? databaseGateway,
+        IAuditWriter? auditWriter,
+        Guid? auditCorrelationId = null)
+    {
+        var compilationService = new ScriptCompilationService(
+            NullLogger<ScriptCompilationService>.Instance);
+        var sharedScriptLibrary = new SharedScriptLibrary(
+            compilationService, NullLogger<SharedScriptLibrary>.Instance);
+
+        return new ScriptRuntimeContext(
+            ActorRefs.Nobody,
+            ActorRefs.Nobody,
+            sharedScriptLibrary,
+            currentCallDepth: 0,
+            maxCallDepth: 10,
+            askTimeout: TimeSpan.FromSeconds(5),
+            instanceName: InstanceName,
+            logger: NullLogger.Instance,
+            externalSystemClient: externalSystemClient,
+            databaseGateway: databaseGateway,
+            storeAndForward: null,
+            siteCommunicationActor: null,
+            siteId: "site-77",
+            sourceScript: "ScriptActor:OnTick",
+            auditWriter: auditWriter,
+            operationTrackingStore: null,
+            cachedForwarder: null,
+            auditCorrelationId: auditCorrelationId);
+    }
+
+    /// <summary>
+    /// Spin up a fresh in-memory SQLite database with a tiny single-table
+    /// schema. The keep-alive root must outlive any auditing wrapper the test
+    /// exercises (mirrors <c>DatabaseSyncEmissionTests.NewInMemoryDb</c>).
+    /// </summary>
+    private static SqliteConnection NewInMemoryDb(out SqliteConnection keepAlive)
+    {
+        var dbName = $"db-{Guid.NewGuid():N}";
+        var connStr = $"Data Source={dbName};Mode=Memory;Cache=Shared";
+
+        keepAlive = new SqliteConnection(connStr);
+        keepAlive.Open();
+        using (var seed = keepAlive.CreateCommand())
+        {
+            seed.CommandText =
+                "CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT NOT NULL);";
+            seed.ExecuteNonQuery();
+        }
+
+        var live = new SqliteConnection(connStr);
+        live.Open();
+        return live;
+    }
+
+    [Fact]
+    public async Task NoCorrelationIdSupplied_SyncCall_StampsFreshNonEmptyCorrelationId()
+    {
+        // No auditCorrelationId argument — the ScriptRuntimeContext ctor's
+        // `?? Guid.NewGuid()` fallback must mint one (this is the unsupplied-id
+        // branch every other audit test bypasses by passing an explicit id).
+        var client = new Mock<IExternalSystemClient>();
+        client
+            .Setup(c => c.CallAsync("ERP", "GetOrder", It.IsAny<IReadOnlyDictionary<string, object?>?>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new ExternalCallResult(true, "{}", null));
+        var writer = new CapturingAuditWriter();
+
+        var context = CreateContext(client.Object, databaseGateway: null, writer);
+        await context.ExternalSystem.Call("ERP", "GetOrder");
+
+        var evt = Assert.Single(writer.Events);
+        Assert.NotNull(evt.CorrelationId);
+        Assert.NotEqual(Guid.Empty, evt.CorrelationId!.Value);
+    }
+
+    [Fact]
+    public async Task SameContext_ApiCallAndDbWrite_ShareTheSameCorrelationId()
+    {
+        // The execution-wide contract: an ExternalSystem.Call AND a sync
+        // Database write performed through ONE ScriptRuntimeContext must both
+        // carry the same execution correlation id, so an audit reader can tie
+        // every trust-boundary action from one script run together.
+        using var keepAlive = new SqliteConnection("Data Source=ecc;Mode=Memory;Cache=Shared");
+        var innerDb = NewInMemoryDb(out var _);
+
+        var client = new Mock<IExternalSystemClient>();
+        client
+            .Setup(c => c.CallAsync("ERP", "GetOrder", It.IsAny<IReadOnlyDictionary<string, object?>?>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new ExternalCallResult(true, "{}", null));
+
+        var gateway = new Mock<IDatabaseGateway>();
+        gateway
+            .Setup(g => g.GetConnectionAsync(ConnectionName, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(innerDb);
+
+        var writer = new CapturingAuditWriter();
+        var context = CreateContext(client.Object, gateway.Object, writer);
+
+        // 1) outbound API call through the context's ExternalSystem helper.
+        await context.ExternalSystem.Call("ERP", "GetOrder");
+
+        // 2) sync DB write through the SAME context's Database helper.
+        await using (var conn = await context.Database.Connection(ConnectionName))
+        await using (var cmd = conn.CreateCommand())
+        {
+            cmd.CommandText = "INSERT INTO t (id, name) VALUES (1, 'alpha')";
+            await cmd.ExecuteNonQueryAsync();
+        }
+
+        Assert.Equal(2, writer.Events.Count);
+        var apiRow = Assert.Single(writer.Events, e => e.Channel == AuditChannel.ApiOutbound);
+        var dbRow = Assert.Single(writer.Events, e => e.Channel == AuditChannel.DbOutbound);
+
+        Assert.NotNull(apiRow.CorrelationId);
+        Assert.NotEqual(Guid.Empty, apiRow.CorrelationId!.Value);
+        // The ApiCall row and the DbWrite row, emitted by two different helpers
+        // resolved off one context, carry the identical execution correlation id.
+        Assert.Equal(apiRow.CorrelationId, dbRow.CorrelationId);
+    }
+}
@@ -49,6 +49,9 @@ public class ExternalSystemCachedCallEmissionTests
            client,
            InstanceName,
            NullLogger.Instance,
+            // Audit Log #23: execution-wide correlation id. Cached rows keep
+            // CorrelationId = TrackedOperationId, so any value works here.
+            Guid.NewGuid(),
            auditWriter: null,
            siteId: SiteId,
            sourceScript: SourceScript,
@@ -94,6 +97,42 @@ public class ExternalSystemCachedCallEmissionTests
        Assert.Null(packet.Operational.TerminalAtUtc);
    }

+    [Fact]
+    public async Task CachedCall_ImmediateCompletion_CapturesRequestArgs_AndResponseBody()
+    {
+        var client = new Mock<IExternalSystemClient>();
+        client
+            .Setup(c => c.CachedCallAsync(
+                "ERP", "GetOrder",
+                It.IsAny<IReadOnlyDictionary<string, object?>?>(),
+                InstanceName,
+                It.IsAny<CancellationToken>(),
+                It.IsAny<TrackedOperationId?>()))
+            .ReturnsAsync(new ExternalCallResult(true, "{\"ok\":true}", null, WasBuffered: false));
+        var forwarder = new CapturingForwarder();
+
+        var helper = CreateHelper(client.Object, forwarder);
+        var args = new Dictionary<string, object?> { ["orderId"] = 42 };
+        await helper.CachedCall("ERP", "GetOrder", args);
+
+        // Immediate completion (WasBuffered=false) emits Submit, Attempted, Resolve.
+        Assert.Equal(3, forwarder.Telemetry.Count);
+        var submit = forwarder.Telemetry.Single(t => t.Audit.Kind == AuditKind.CachedSubmit);
+        var attempted = forwarder.Telemetry.Single(t => t.Audit.Kind == AuditKind.ApiCallCached);
+        var resolve = forwarder.Telemetry.Single(t => t.Audit.Kind == AuditKind.CachedResolve);
+
+        // Every row carries the request args; the two post-call rows also carry
+        // the response body (Submit precedes the call, so it has no response).
+        Assert.Equal("{\"orderId\":42}", submit.Audit.RequestSummary);
+        Assert.Null(submit.Audit.ResponseSummary);
+
+        Assert.Equal("{\"orderId\":42}", attempted.Audit.RequestSummary);
+        Assert.Equal("{\"ok\":true}", attempted.Audit.ResponseSummary);
+
+        Assert.Equal("{\"orderId\":42}", resolve.Audit.RequestSummary);
+        Assert.Equal("{\"ok\":true}", resolve.Audit.ResponseSummary);
+    }
+
    [Fact]
    public async Task CachedCall_ReturnsTrackedOperationId()
    {
@@ -45,14 +45,28 @@ public class ExternalSystemCallAuditEmissionTests
    private const string InstanceName = "Plant.Pump42";
    private const string SourceScript = "ScriptActor:CheckPressure";

+    /// <summary>
+    /// Audit Log #23: a fixed execution-wide correlation id used by the
+    /// default <see cref="CreateHelper(IExternalSystemClient, IAuditWriter?)"/>
+    /// overload so assertions can compare against a known value.
+    /// </summary>
+    private static readonly Guid TestCorrelationId = Guid.NewGuid();
+
    private static ScriptRuntimeContext.ExternalSystemHelper CreateHelper(
        IExternalSystemClient client,
        IAuditWriter? auditWriter)
+        => CreateHelper(client, auditWriter, TestCorrelationId);
+
+    private static ScriptRuntimeContext.ExternalSystemHelper CreateHelper(
+        IExternalSystemClient client,
+        IAuditWriter? auditWriter,
+        Guid correlationId)
    {
        return new ScriptRuntimeContext.ExternalSystemHelper(
            client,
            InstanceName,
            NullLogger.Instance,
+            correlationId,
            auditWriter,
            SiteId,
            SourceScript);
@@ -81,6 +95,29 @@ public class ExternalSystemCallAuditEmissionTests
        Assert.Equal(DateTimeKind.Utc, evt.OccurredAtUtc.Kind);
        Assert.NotEqual(Guid.Empty, evt.EventId);
        Assert.False(evt.PayloadTruncated);
+        // No call arguments → null request summary; the response body is captured.
+        Assert.Null(evt.RequestSummary);
+        Assert.Equal("{}", evt.ResponseSummary);
+    }
+
+    [Fact]
+    public async Task Call_CapturesRequestArgs_AndResponseBody_OnTheAuditRow()
+    {
+        var client = new Mock<IExternalSystemClient>();
+        client
+            .Setup(c => c.CallAsync("Weather", "GetCurrent", It.IsAny<IReadOnlyDictionary<string, object?>?>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new ExternalCallResult(true, "{\"tempC\":11.4}", null));
+        var writer = new CapturingAuditWriter();
+
+        var helper = CreateHelper(client.Object, writer);
+        var args = new Dictionary<string, object?> { ["city"] = "Dublin" };
+        await helper.Call("Weather", "GetCurrent", args);
+
+        var evt = Assert.Single(writer.Events);
+        // RequestSummary is the serialized argument dictionary; ResponseSummary
+        // is the verbatim response body. (Cap + redaction are the writer's job.)
+        Assert.Equal("{\"city\":\"Dublin\"}", evt.RequestSummary);
+        Assert.Equal("{\"tempC\":11.4}", evt.ResponseSummary);
    }

    [Fact]
@@ -186,8 +223,49 @@ public class ExternalSystemCallAuditEmissionTests
        Assert.Equal(SiteId, evt.SourceSiteId);
        Assert.Equal(InstanceName, evt.SourceInstanceId);
        Assert.Equal(SourceScript, evt.SourceScript);
-        Assert.Null(evt.Actor);
-        Assert.Null(evt.CorrelationId);
+        // Outbound channel: Actor carries the calling script identity.
+        Assert.Equal(SourceScript, evt.Actor);
+        // Audit Log #23: the sync ApiCall row now carries the execution-wide
+        // correlation id the helper was constructed with.
+        Assert.Equal(TestCorrelationId, evt.CorrelationId);
+    }
+
+    [Fact]
+    public async Task Call_SyncApiCall_StampsExecutionCorrelationId()
+    {
+        var client = new Mock<IExternalSystemClient>();
+        client
+            .Setup(c => c.CallAsync("ERP", "GetOrder", It.IsAny<IReadOnlyDictionary<string, object?>?>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new ExternalCallResult(true, "{}", null));
+        var writer = new CapturingAuditWriter();
+        var correlationId = Guid.NewGuid();
+
+        var helper = CreateHelper(client.Object, writer, correlationId);
+        await helper.Call("ERP", "GetOrder");
+
+        var evt = Assert.Single(writer.Events);
+        Assert.Equal(correlationId, evt.CorrelationId);
+    }
+
+    [Fact]
+    public async Task Call_TwoCallsOnSameHelper_ShareTheSameCorrelationId()
+    {
+        var client = new Mock<IExternalSystemClient>();
+        client
+            .Setup(c => c.CallAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<IReadOnlyDictionary<string, object?>?>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new ExternalCallResult(true, "{}", null));
+        var writer = new CapturingAuditWriter();
+        var correlationId = Guid.NewGuid();
+
+        var helper = CreateHelper(client.Object, writer, correlationId);
+        await helper.Call("ERP", "GetOrder");
+        await helper.Call("ERP", "GetCustomer");
+
+        Assert.Equal(2, writer.Events.Count);
+        // Both sync ApiCall rows from one execution carry the same id.
+        Assert.Equal(correlationId, writer.Events[0].CorrelationId);
+        Assert.Equal(correlationId, writer.Events[1].CorrelationId);
+        Assert.Equal(writer.Events[0].CorrelationId, writer.Events[1].CorrelationId);
    }

    [Fact]
@@ -127,7 +127,8 @@ public class NotifySendAuditEmissionTests : TestKit, IAsyncLifetime, IDisposable
        Assert.Null(evt.HttpStatus);
        Assert.Null(evt.ErrorMessage);
        Assert.Null(evt.ErrorDetail);
-        Assert.Null(evt.Actor);
+        // Outbound channel: Actor carries the calling script identity.
+        Assert.Equal(SourceScript, evt.Actor);
    }

    [Fact]
@@ -199,7 +200,8 @@ public class NotifySendAuditEmissionTests : TestKit, IAsyncLifetime, IDisposable
        Assert.Equal(SiteId, evt.SourceSiteId);
        Assert.Equal(InstanceName, evt.SourceInstanceId);
        Assert.Equal(SourceScript, evt.SourceScript);
-        Assert.Null(evt.Actor);
+        // Outbound channel: Actor carries the calling script identity.
+        Assert.Equal(SourceScript, evt.Actor);
    }

    [Fact]
Author	SHA1	Message	Date
Joseph Doherty	6b16a48886	feat(auditlog): ExecutionId on site SQLite schema + gRPC AuditEventDto	2026-05-21 14:53:08 -04:00
Joseph Doherty	990731d12f	test(auditlog): cover ExecutionId in AuditEvent round-trip test; clarify staging-table comment	2026-05-21 14:48:39 -04:00
Joseph Doherty	fd12021984	feat(auditlog): ExecutionId column on AuditEvent + central AuditLog	2026-05-21 14:43:35 -04:00
Joseph Doherty	4002f4197b	docs(plan): Audit Log ExecutionId implementation plan	2026-05-21 14:37:12 -04:00
Joseph Doherty	6ffa47f258	docs(design): Audit Log ExecutionId universal correlation	2026-05-21 14:34:12 -04:00
Joseph Doherty	c9229c35fc	Merge branch 'feature/audit-execution-correlation': per-execution audit correlation id Every script execution gets an audit correlation id (generated for tag/timer runs, request-local for inbound); it is stamped as CorrelationId on the sync ApiCall and DbWrite audit rows so all sync trust-boundary rows from one run correlate. Shared scripts inherit it. Cached calls / notifications keep their existing CorrelationId. No schema change.	2026-05-21 13:58:37 -04:00
Joseph Doherty	aadb1fd72a	refactor(auditlog): rename audit correlation field, add cross-helper tests	2026-05-21 13:57:17 -04:00
Joseph Doherty	8243f61e96	feat(auditlog): per-script-execution correlation id on sync audit rows	2026-05-21 13:46:34 -04:00
Joseph Doherty	53508c79b2	Merge branch 'feature/audit-apicall-payloads': capture API-call payloads Outbound API audit rows now carry the request arguments and response body (sync ApiCall + cached immediate-completion path); the emitter previously hard-coded both summary fields to null.	2026-05-21 10:17:50 -04:00
Joseph Doherty	849a011400	fix(auditlog): capture request/response payloads on outbound API audit rows The outbound ApiCall emitter hard-coded RequestSummary/ResponseSummary to null, so audited API calls carried no inputs/outputs — contrary to the Audit Log payload-capture spec. Thread the call arguments into the sync ApiCall emitter and the cached immediate-completion path (CachedSubmit / ApiCallCached / CachedResolve), and stamp the response body from ExternalCallResult.ResponseJson. The writer's payload filter still applies the size cap + redaction downstream. The S&F retry-loop cached rows are unchanged — request data is not threaded through the store-and-forward buffer (same boundary as SourceScript).	2026-05-21 10:17:42 -04:00
Joseph Doherty	405de525ca	Merge branch 'feature/audit-channel-single-select': single-select Channel filter The Audit Log Channel filter becomes a single-select — Kind narrows to the chosen channel, so multi-channel selection is incoherent. Kind, Status and Site stay multi-select.	2026-05-21 10:03:08 -04:00
Joseph Doherty	77922abb33	feat(centralui): single-select Channel filter on the Audit Log page Channel narrows the Kind options to the chosen channel, so filtering by more than one channel at a time is incoherent. Replace the Channel multi-select dropdown with a native single-select (matching the Time range control); Kind, Status and Site stay multi-select. The query filter contract is unchanged — Channels just carries 0 or 1 value.	2026-05-21 10:02:17 -04:00
Joseph Doherty	5f544bfe1e	Merge branch 'feature/audit-actor-identity': populate audit Actor column Stamp the audit Actor column on outbound rows (calling script identity) and central-dispatch rows (system identity); the original emission code left it null on every channel except Inbound API.	2026-05-21 09:56:43 -04:00
Joseph Doherty	aaa6df24cf	Merge branch 'feature/audit-filter-dropdowns': compact audit filter dropdowns Replace the four stacked chip-button groups on the Audit Log filter bar with a reusable MultiSelectDropdown component, collapsing the bar from four full-width chip blocks to four inline dropdowns in one wrapped filter row.	2026-05-21 09:56:43 -04:00
Joseph Doherty	ae7329034f	fix(auditlog): populate the Actor column on outbound and central rows Per the Audit Log Actor-column spec, Actor should carry the calling script identity on outbound rows (ApiCall, DbWrite, NotifySend) and a system identity on central-dispatch rows (NotifyDeliver). The original emission code hard-coded Actor=null at all four sites, so only Inbound API rows (API key name) ever filled it. Stamp the script identity and 'system' respectively.	2026-05-21 09:50:55 -04:00
Joseph Doherty	e36f0bf9c8	feat(centralui): compact multi-select dropdowns for the audit filter bar Replace the four stacked chip-button groups (Channel, Kind, Status, Site) on the Audit Log filter bar with a reusable MultiSelectDropdown component, so the bar collapses from four full-width chip blocks to four inline dropdowns sharing one wrapped filter row. Bootstrap dropdown + checkbox menu (data-bs-auto-close =outside); no third-party UI libraries.	2026-05-21 09:36:36 -04:00
Joseph Doherty	a3eb659b75	Merge branch 'feature/audit-log-followups': Audit Log #23 deferred follow-ups Implements the five deferred follow-ups from the Audit Log #23 roadmap: - Real ClusterClient-based site->central audit push (replaces NoOpSiteStreamAuditClient) - Consolidated the duplicated AuditEvent/SiteCall DTO mappers - Site Calls UI page + read-side backend + central->site Retry/Discard relay + Health KPI tiles - Multi-value AuditLogQueryFilter end-to-end (repository, ManagementService, CLI, Central UI) - Audit results grid column resize/reorder UX Full solution build clean; full test suite green including Playwright 60/60.	2026-05-21 09:27:52 -04:00