docs(audit): fix Audit error rate semantics and CLI permission split

Bundle D code-review feedback on 0ae1a25 and e6f7a7f:

- Audit error rate (HealthMonitoring tile) was described as a combined
  view of CentralAuditWriteFailures + AuditRedactionFailure (writer
  health). Per alog.md §10.3 / §14.1 it is the operational error rate
  of audited operations: % of central AuditLog rows with Status not
  in (Success/Delivered/Enqueued) over a rolling 5-min window. Audit
  writer issues surface separately via the dedicated metrics.

- Audit volume description gains the spec-mandated 'events/min, global
  + per-site sparkline' shape.

- CLI: scadalink audit was claiming all three subcommands need both
  OperationalAudit and AuditExport. Per alog.md §11.2 / §15.1, read
  (query, verify-chain) needs OperationalAudit; bulk export
  additionally requires AuditExport. Restored the spec's split.

docs/requirements/Component-CLI.md

@@ -179,10 +179,12 @@ the `scadalink audit` group below.
 ### Centralized Audit Commands
 
 The `scadalink audit` group targets the centralized Audit Log component (#23) and
-exposes the UI-equivalent operational audit surface. All three subcommands require
-both the `OperationalAudit` and `AuditExport` permissions (see Security & Auth #10);
-the server enforces permission checks and returns HTTP 403 (CLI exit code 2) on
-denial.
+exposes the UI-equivalent operational audit surface. Permissions follow the same
+read-vs-export split the Central UI uses (see Component-AuditLog.md, Security &
+Tamper-Evidence, and Security & Auth #10): `audit query` and `audit verify-chain`
+require the `OperationalAudit` permission; `audit export` additionally requires
+`AuditExport`. The server enforces permission checks and returns HTTP 403 (CLI
+exit code 2) on denial.
 
 ```
 scadalink audit query --site <s> --since <t> [--until <t>] [--kind <k>] [--user <u>] [--entity-id <id>] [--correlation-id <id>] [--status <s>] [--page <n>] [--page-size <n>]