diff --git a/docs/plans/2026-05-20-auditlog-m8-cli.md b/docs/plans/2026-05-20-auditlog-m8-cli.md
new file mode 100644
index 0000000..3e68f00
--- /dev/null
+++ b/docs/plans/2026-05-20-auditlog-m8-cli.md
@@ -0,0 +1,21 @@
+# Audit Log #23 — M8 CLI Implementation Plan
+
+> **For Claude:** subagent-driven-development with bundled cadence. FINAL milestone.
+
+**Goal:** Operator CLI surface — `scadalink audit query | export | verify-chain` — plus the ManagementService HTTP endpoints they call, output formatters, and renaming the pre-existing `audit-log` config-change command to `audit-config` with a deprecation alias.
+
+**M7 realities baked in:**
+- `OperationalAudit` + `AuditExport` are role-claim policies (M7 Bundle G). The Management endpoints reuse them.
+- `IAuditLogRepository.QueryAsync` (keyset paging) + `GetKpiSnapshotAsync` exist.
+- `AuditLogQueryFilter` is single-value per dimension — the CLI's `--channel` etc. flags collapse to single values like the UI chips do (documented limitation).
+- `verify-chain` is a v1 no-op stub (hash-chain deferred to v1.x per alog.md locked decisions). Do NOT implement hash chains.
+- ManagementService surface: confirm controllers vs minimal API by reading the project (M7 found CentralUI uses minimal API; ManagementService may differ).
+
+**CLI conventions:** System.CommandLine; JSON default + `--format table` opt-in. The CLI connects via the HTTP Management API (per CLAUDE.md). Mirror `src/ScadaLink.CLI/Commands/AuditLogCommands.cs` for the System.CommandLine pattern.
+
+**Bundles:**
+- Bundle A — CLI `audit` command group: scaffold + query + export + verify-chain (T1, T2, T3, T4).
+- Bundle B — ManagementService /api/audit/{query,export} endpoints (T5).
+- Bundle C — Output formatters + audit-config rename + README (T6, T7, T8).
+
+Final cross-bundle review + merge + roadmap closeout.