diff --git a/docs/requirements/Component-CLI.md b/docs/requirements/Component-CLI.md index 01614bf..f70a651 100644 --- a/docs/requirements/Component-CLI.md +++ b/docs/requirements/Component-CLI.md 
@@ -172,6 +172,37 @@ scadalink security scope-rule delete --id scadalink audit-log query [--user ] [--entity-type ] [--action ] [--from ] [--to ] [--page ] [--page-size ] ``` +The legacy `audit-log query` above targets the original configuration-change audit +(IAuditService) surface. The new centralized Audit Log component (#23) is exposed via +the `scadalink audit` group below. + +### Centralized Audit Commands + +The `scadalink audit` group targets the centralized Audit Log component (#23) and +exposes the UI-equivalent operational audit surface. All three subcommands require +both the `OperationalAudit` and `AuditExport` permissions (see Security & Auth #10); +the server enforces permission checks and returns HTTP 403 (CLI exit code 2) on +denial. + +``` +scadalink audit query --site --since [--until ] [--kind ] [--user ] [--entity-id ] [--correlation-id ] [--status ] [--page ] [--page-size ] +scadalink audit export --since --until --format csv|jsonl|parquet --output [--site ] [--kind ] +scadalink audit verify-chain --month +``` + +- `audit query` — filtered query against the central `AuditLog` table, matching the + Central UI filter set (site, time range, audit kind, user, entity, correlation ID, + status, paging). Results stream as JSON (default) or table. +- `audit export` — server-side streaming export of the central `AuditLog` to the + requested format (`csv`, `jsonl`, `parquet`) written to `--output`. The server + streams rows rather than materializing them in memory; the CLI writes bytes + through to disk. Supports the same scoping filters as `audit query`. +- `audit verify-chain` — hash-chain verification for the named month. + **No-op in v1**: the command is defined so the command tree is stable, but + verification only becomes meaningful once the hash-chain ships (see + Component-AuditLog.md, Security & Tamper-Evidence). Until then, the server + responds with a "verification not yet available" status and the CLI exits 0. 
+ ### Health Commands ``` scadalink health summary @@ -273,6 +304,8 @@ Configuration is resolved in the following priority order (highest wins): - **Commons**: Message contracts (`Messages/Management/`) for command type definitions and registry. - **System.CommandLine**: Command-line argument parsing. - **Microsoft.AspNetCore.SignalR.Client**: SignalR client for the `debug stream` command's WebSocket connection. +- **Management Service (#18)**: The CLI hits the central cluster via the existing HTTP Management API (`POST /management`), which dispatches to the ManagementActor. The `scadalink audit` command group rides this same transport — there is no separate audit endpoint. +- **Audit Log (#23)**: The `scadalink audit query`, `audit export`, and `audit verify-chain` subcommands target the centralized Audit Log component's query/export/verify surfaces via the Management API. Permission checks (`OperationalAudit`, `AuditExport`) are enforced server-side. ## Interactions
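Review bot: In the `audit verify-chain` bullet (hunk `@@ -172,6 +172,37 @@`), having the CLI exit 0 while the server answers "verification not yet available" lets any script that checks only the exit status read an unverified month as a passed integrity check. Suggest a distinct non-zero exit code for the "not available" case, or at least a machine-readable status field that automation must inspect, and document it in this bullet. Separately, the sentence "All three subcommands require both the `OperationalAudit` and `AuditExport` permissions" ties the read-only `audit query` to the export permission; if that is intended, state the reason, otherwise scope `AuditExport` to `audit export` only. The `audit export` bullet also does not say what happens when the `--output` path already exists or which file mode the written audit data gets.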
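Review bot: The Management Service bullet (hunk `@@ -273,6 +304,8 @@`) says the audit group rides `POST /management` with "no separate audit endpoint", but the command section describes `audit export` as a server-side streaming export in `csv`, `jsonl` or `parquet`. The doc does not state how a streamed, possibly binary response is carried through the ManagementActor dispatch path. Suggest adding a sentence on the response framing and on any size or timeout limits for export over this transport. The Audit Log bullet also restates the `OperationalAudit`/`AuditExport` requirement already given under Centralized Audit Commands; a cross-reference to that section would keep the two statements from drifting apart.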