infra(seed): dump encrypted secret columns as NULL, restore via CLI

ASP.NET Data Protection ciphertext is non-deterministic and bound to the
source key ring, so encrypted secret columns (ExternalSystemDefinitions
.AuthConfiguration, SmtpConfigurations.Credentials, DatabaseConnection
Definitions.ConnectionString) cannot be replayed from a static SQL dump —
the app would fail to decrypt them. dump_seed.py now emits those columns
as NULL; reseed.sh adds a post-seed stage that recreates the values
through the ScadaLink CLI so the EF value converter re-encrypts against
the target cluster's key ring.

CLAUDE.md

@@ -36,7 +36,7 @@ This project contains design documentation for a distributed SCADA system built
 - Use `git diff` to review changes before committing.
 - Commit related changes together with a descriptive message summarizing the design decision.
 
-## Current Component List (22 components)
+## Current Component List (23 components)
 
 1. Template Engine — Template modeling, inheritance, composition, validation, flattening, diffs.
 2. Deployment Manager — Central-side deployment pipeline, system-wide artifact deployment, instance lifecycle.
@@ -60,6 +60,7 @@ This project contains design documentation for a distributed SCADA system built
 20. Traefik Proxy — Reverse proxy/load balancer fronting central cluster, active node routing via `/health/active`, automatic failover.
 21. Notification Outbox — Central component ingesting store-and-forwarded notifications, `Notifications` audit table, dispatcher loop, retry/parking, delivery KPIs.
 22. Site Call Audit — Central component auditing site cached calls (`CachedCall`/`CachedWrite`); `SiteCalls` audit table, telemetry ingest, reconciliation, KPIs, central→site Retry/Discard relay; sites remain the source of truth.
+23. Audit Log — Central append-only AuditLog table spanning every script-trust-boundary action (outbound API sync+cached, outbound DB sync+cached, notifications, inbound API). Site SQLite hot-path + gRPC telemetry + reconciliation; combined telemetry with Site Call Audit; central direct-write for Notification Outbox dispatch + Inbound API; monthly partitioning, 365-day retention.
 
 ## Key Design Decisions (for context across sessions)
 
@@ -127,6 +128,18 @@ This project contains design documentation for a distributed SCADA system built
 - Site Call Audit (#22): central `SiteCallAuditActor` singleton with a `SiteCalls` audit table (central MS SQL) fed by best-effort site telemetry plus periodic reconciliation pulls — an eventually-consistent mirror, NOT a dispatcher; cached-call delivery stays site-local. Ingest is insert-if-not-exists then upsert-on-newer-status.
 - Central UI Site Calls page + central→site `RetryParkedOperation`/`DiscardParkedOperation` relay for parked cached calls; central never mutates the `SiteCalls` row directly.
 
+### Centralized Audit Log
+- Layered design — append-only `AuditLog` (#23) sits alongside operational `Notifications` (#21) and `SiteCalls` (#22), not replacing them.
+- Scope = script trust boundary: outbound API (sync + cached), outbound DB (sync + cached), notifications, inbound API. Framework/internal traffic is explicitly excluded.
+- One row per lifecycle event; cached calls produce 4+ rows per operation (`Submitted`, `Forwarded`, `Attempted`, `Delivered`/`Parked`/`Discarded`).
+- Site SQLite hot-path first, then gRPC telemetry to central; ingest is idempotent on `EventId`; periodic reconciliation pull as fallback when telemetry is lost.
+- Cached operations: site emits a single additively-extended `CachedCallTelemetry` packet carrying both audit events and operational state; central writes `AuditLog` + `SiteCalls` in one transaction.
+- Payload cap 8 KB by default / 64 KB on error rows; auth headers redacted by default; SQL parameter values captured by default; per-target redaction opt-in.
+- Audit-write failure NEVER aborts the user-facing action — audit is best-effort, the action's own success/failure path is authoritative.
+- 365-day central retention with monthly partition-switch purge; 7-day site SQLite retention with a hard `ForwardState` invariant (no row purged until forwarded or reconciled).
+- Append-only enforced via DB roles (writer role has INSERT only, no UPDATE/DELETE); hash-chain tamper evidence and Parquet archival are deferred to v1.x.
+- Central UI: new top-level **Audit** nav group + Audit Log page, with drill-ins from Notifications, Site Calls, External Systems, Inbound API Keys, Sites, and Instances.
+
 ### Security & Auth
 - Authentication: direct LDAP bind (username/password), no Kerberos/NTLM. LDAPS/StartTLS required.
 - Cookie+JWT hybrid sessions: HttpOnly/Secure cookie carries an embedded JWT (HMAC-SHA256 shared symmetric key), 15-minute expiry with sliding refresh, 30-minute idle timeout. Cookies are the correct transport for Blazor Server (SignalR circuits).

Directory.Packages.props

@@ -29,6 +29,7 @@
     <PackageVersion Include="Microsoft.AspNetCore.DataProtection" Version="10.0.7" />
     <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.7" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="10.0.7" />
     <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="9.0.3" />
     <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Scripting" Version="5.0.0" />
     <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="5.0.0" />
@@ -64,6 +65,14 @@
     <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.11.0" />
     <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.4" />
+    <!--
+      Xunit.SkippableFact provides [SkippableFact] + Skip.IfNot/Skip.If for
+      xunit v2. The native Skip API (Assert.Skip / Assert.SkipUnless /
+      Assert.SkipWhen) only exists in xunit v3; xunit 2.9.x lacks it. Used by
+      Bundle C MSSQL integration tests in ScadaLink.ConfigurationDatabase.Tests
+      to mark tests as Skipped (not silently Passed) when MSSQL is unreachable.
+    -->
+    <PackageVersion Include="Xunit.SkippableFact" Version="1.5.61" />
   </ItemGroup>
 
 </Project>

README.md

@@ -56,6 +56,7 @@ This document serves as the master index for the SCADA system design. The system
 | 20 | Traefik Proxy | [docs/requirements/Component-TraefikProxy.md](docs/requirements/Component-TraefikProxy.md) | Reverse proxy/load balancer fronting central cluster, active node routing via `/health/active`, automatic failover. |
 | 21 | Notification Outbox | [docs/requirements/Component-NotificationOutbox.md](docs/requirements/Component-NotificationOutbox.md) | Central component ingesting store-and-forwarded notifications into the `Notifications` audit table, with `NotificationOutboxActor` singleton dispatcher, per-type delivery adapters, retry/parking, status tracking, daily purge, and delivery KPIs. |
 | 22 | Site Call Audit | [docs/requirements/Component-SiteCallAudit.md](docs/requirements/Component-SiteCallAudit.md) | Central component auditing site cached calls (`ExternalSystem.CachedCall`/`Database.CachedWrite`) into the `SiteCalls` audit table, with `SiteCallAuditActor` singleton, telemetry ingest, periodic reconciliation, point-in-time KPIs, daily purge, and central→site Retry/Discard relay for parked calls. |
+| 23 | Audit Log | [docs/requirements/Component-AuditLog.md](docs/requirements/Component-AuditLog.md) | New central append-only AuditLog spanning every script-trust-boundary action (outbound API sync+cached, outbound DB sync+cached, notifications, inbound API). Site-local SQLite hot-path append + gRPC telemetry + central reconciliation; combined telemetry packet with Site Call Audit; central direct-write for Notification Outbox dispatch + Inbound API middleware; monthly partitioning, 365-day default retention. |
 
 ### Reference Documentation
 
@@ -90,6 +91,17 @@ This document serves as the master index for the SCADA system design. The system
 │  │ Mgmt     │  ◄── CLI (ClusterClient)              │
 │  │ Service  │      ManagementActor + Receptionist   │
 │  └──────────┘                                       │
+│  ┌──────────┐ ┌──────────┐ ┌──────────┐            │
+│  │   Ntf    │ │   Site   │ │  Audit   │ Observ. /   │
+│  │  Outbox  │ │   Call   │ │   Log    │ Audit area  │
+│  │ (#21)    │ │  Audit   │ │  (#23)   │             │
+│  │          │ │  (#22)   │ │          │             │
+│  └────▲─────┘ └────▲─────┘ └────▲─────┘            │
+│       │ ingests    │ ingests    │ ingests          │
+│       │ (S&F)      │ (telemetry)│ (telemetry +     │
+│       │            │            │  direct-write    │
+│       │            │            │  from Ntf Outbox │
+│       │            │            │  & Inbound API)  │
 │  ┌───────────────────────────────────┐              │
 │  │    Akka.NET Communication Layer   │              │
 │  │  ClusterClient: command/control   │              │

ScadaLink.slnx

@@ -1,5 +1,6 @@
 <Solution>
   <Folder Name="/src/">
+    <Project Path="src/ScadaLink.AuditLog/ScadaLink.AuditLog.csproj" />
     <Project Path="src/ScadaLink.Commons/ScadaLink.Commons.csproj" />
     <Project Path="src/ScadaLink.Host/ScadaLink.Host.csproj" />
     <Project Path="src/ScadaLink.TemplateEngine/ScadaLink.TemplateEngine.csproj" />
@@ -11,6 +12,7 @@
     <Project Path="src/ScadaLink.ExternalSystemGateway/ScadaLink.ExternalSystemGateway.csproj" />
     <Project Path="src/ScadaLink.NotificationService/ScadaLink.NotificationService.csproj" />
     <Project Path="src/ScadaLink.NotificationOutbox/ScadaLink.NotificationOutbox.csproj" />
+    <Project Path="src/ScadaLink.SiteCallAudit/ScadaLink.SiteCallAudit.csproj" />
     <Project Path="src/ScadaLink.CentralUI/ScadaLink.CentralUI.csproj" />
     <Project Path="src/ScadaLink.Security/ScadaLink.Security.csproj" />
     <Project Path="src/ScadaLink.HealthMonitoring/ScadaLink.HealthMonitoring.csproj" />
@@ -22,6 +24,7 @@
     <Project Path="src/ScadaLink.CLI/ScadaLink.CLI.csproj" />
   </Folder>
   <Folder Name="/tests/">
+    <Project Path="tests/ScadaLink.AuditLog.Tests/ScadaLink.AuditLog.Tests.csproj" />
     <Project Path="tests/ScadaLink.Commons.Tests/ScadaLink.Commons.Tests.csproj" />
     <Project Path="tests/ScadaLink.Host.Tests/ScadaLink.Host.Tests.csproj" />
     <Project Path="tests/ScadaLink.TemplateEngine.Tests/ScadaLink.TemplateEngine.Tests.csproj" />
@@ -33,6 +36,7 @@
     <Project Path="tests/ScadaLink.ExternalSystemGateway.Tests/ScadaLink.ExternalSystemGateway.Tests.csproj" />
     <Project Path="tests/ScadaLink.NotificationService.Tests/ScadaLink.NotificationService.Tests.csproj" />
     <Project Path="tests/ScadaLink.NotificationOutbox.Tests/ScadaLink.NotificationOutbox.Tests.csproj" />
+    <Project Path="tests/ScadaLink.SiteCallAudit.Tests/ScadaLink.SiteCallAudit.Tests.csproj" />
     <Project Path="tests/ScadaLink.CentralUI.Tests/ScadaLink.CentralUI.Tests.csproj" />
     <Project Path="tests/ScadaLink.Security.Tests/ScadaLink.Security.Tests.csproj" />
     <Project Path="tests/ScadaLink.HealthMonitoring.Tests/ScadaLink.HealthMonitoring.Tests.csproj" />

alog.md

@@ -0,0 +1,604 @@
+# Centralized Audit Log — Design (Working Draft)
+
+**Status:** Validated — ready for implementation planning.
+**Owner:** Joseph Doherty
+**Date:** 2026-05-20
+**Provisional component number:** #23 Audit Log
+
+> A new central, append-only audit log capturing every action a script causes to cross the cluster trust boundary: outbound API calls (sync + cached), outbound DB writes (sync + cached), notifications sent, and inbound API requests that invoke a script.
+
+---
+
+## 1. Purpose
+
+Provide a **single forensic + operational record** of every integration action initiated by, or terminating in, a script — answering both:
+
+- **Compliance / forensic:** "Did instance X send notification Y on date Z? What was the body?  Did external system A get called by script B last quarter, and with what result?"
+- **Operational visibility:** "Why is site S misbehaving right now? What did its scripts touch in the last 10 minutes? Which inbound API caller is hammering us?"
+
+One store, rich payloads, long retention, dashboards + drilldowns + filter queries.
+
+The audit log is **not** the operational state store. It does not drive dispatchers, retry loops, or Retry/Discard actions — those remain in [Notification Outbox](#21) and [Site Call Audit](#22). The audit log is the immutable history that **observes** those subsystems and adds coverage where they are silent.
+
+---
+
+## 2. Scope — the script trust boundary
+
+The audit log captures **every action that a script causes to cross the cluster trust boundary**:
+
+| Channel | Trigger | Direction | Covered today? |
+|---|---|---|---|
+| `ExternalSystem.Call(...)` | Script | Outbound | ❌ (gap) |
+| `ExternalSystem.CachedCall(...)` | Script | Outbound | ✅ `SiteCalls` (Site Call Audit) |
+| `Database.Connection().Execute*(...)` — writes | Script | Outbound | ❌ (gap) |
+| `Database.CachedWrite(...)` | Script | Outbound | ✅ `SiteCalls` (Site Call Audit) |
+| `Notify.To(list).Send(...)` | Script | Outbound | ✅ `Notifications` (Notification Outbox) |
+| `POST /api/{method}` (Inbound API) | External | Inbound (invokes a script) | ❌ (gap) |
+
+**Out of scope** — framework traffic is *not* audited:
+
+- Health checks, heartbeats, cluster membership messages.
+- gRPC inter-cluster real-time streams (attribute values, alarm states).
+- Data Connection Layer ↔ OPC UA / custom protocol traffic.
+- LDAP authentication probes, Traefik routing decisions.
+- Internal Configuration Database queries by the framework.
+- Site Event Log writes, audit log writes themselves.
+
+This boundary is meaningful because the script trust model already controls what scripts can do; the audit log is the record of how that surface was exercised.
+
+> **Note on DB reads.** Script-initiated reads via `Database.Connection().ExecuteReader(...)` count as actions from a script and ARE in scope. They are expected to be far less common than reads via DCL/subscriptions (which are framework traffic and excluded).
+
+---
+
+## 3. Architecture — layered, append-only
+
+```
+              ┌──────────────────────────────────────────────────────────────────────┐
+              │                       Central cluster (MS SQL)                       │
+              │                                                                      │
+              │   ┌──────────────────┐   ┌───────────────┐   ┌────────────────────┐  │
+              │   │ Notification     │   │ Site Call     │   │ Inbound API        │  │
+              │   │ Outbox (#21)     │   │ Audit (#22)   │   │ (#14)              │  │
+              │   │ Notifications    │   │ SiteCalls     │   │ (no audit today)   │  │
+              │   └────────┬─────────┘   └───────┬───────┘   └─────────┬──────────┘  │
+              │            │ emits               │ emits               │ emits        │
+              │            ▼                     ▼                     ▼              │
+              │       ┌────────────────────────────────────────────────────────────┐  │
+              │       │            AuditLog  (new, append-only, MS SQL)            │  │
+              │       │  one row per lifecycle event across all channels           │  │
+              │       └─────────────────────────▲──────────────────────────────────┘  │
+              │                                 │ telemetry (gRPC, idempotent)        │
+              └─────────────────────────────────┼─────────────────────────────────────┘
+                                                │
+                                                │
+              ┌─────────────────────────────────┼─────────────────────────────────────┐
+              │                 Site cluster (SQLite, per active node)                │
+              │                                 │                                     │
+              │       ┌─────────────────────────┴──────────────────────────────┐      │
+              │       │   Site-local AuditLog  (SQLite, hot-path append)       │      │
+              │       └────▲───────────────▲───────────────▲───────────────────┘      │
+              │            │               │               │                          │
+              │  ┌─────────┴────────┐  ┌───┴──────┐  ┌─────┴────────────┐             │
+              │  │ External System  │  │ Database │  │ Site S&F /       │             │
+              │  │ Gateway (#7)     │  │ Layer    │  │ Notifications    │             │
+              │  │ sync + cached    │  │ sync +   │  │ (transitions)    │             │
+              │  └──────────────────┘  │ cached   │  └──────────────────┘             │
+              │                        └──────────┘                                   │
+              └───────────────────────────────────────────────────────────────────────┘
+```
+
+**Key properties:**
+
+- **Strictly append-only.** Once written, an AuditLog row is never updated or deleted (except by retention purge). Operational state (live status, parked-for-retry, etc.) lives in `Notifications` / `SiteCalls` — not in AuditLog.
+- **One row per lifecycle event.** A cached call that retries three times then parks produces five rows: enqueued, attempt #1, attempt #2, attempt #3, parked. A sync call produces one row. An inbound API hit produces one row.
+- **Site-local first for site-originated events.** Hot-path script calls never wait on the network for an audit write.
+- **Direct write for central-originated events.** Notification delivery attempts and inbound API hits land at central — they write directly to the central `AuditLog`. No detour through site SQLite.
+- **At-least-once telemetry, idempotent on `EventId`.** Same dedup model as Site Call Audit today.
+
+---
+
+## 4. Data Model (first cut)
+
+Single wide table, polymorphic by `Channel` + `Kind` discriminators, JSON payload column.
+
+### Central: `AuditLog`
+
+| Column | Type | Notes |
+|---|---|---|
+| `EventId` | `uniqueidentifier` PK | Generated where the event originates (site or central). Idempotency key. |
+| `OccurredAtUtc` | `datetime2` | When the event happened (call returned, retry attempted, etc.). |
+| `IngestedAtUtc` | `datetime2` | When central persisted the row (lags `OccurredAtUtc` for site-originated rows). |
+| `Channel` | `varchar(32)` | `ApiOutbound` \| `DbOutbound` \| `Notification` \| `ApiInbound`. |
+| `Kind` | `varchar(32)` | Event kind discriminator (see kinds list below). |
+| `CorrelationId` | `uniqueidentifier` NULL | Ties multi-event operations together. `TrackedOperationId` for cached calls, `NotificationId` for notifications, request-id for inbound API. NULL for sync one-shot calls. |
+| `SourceSiteId` | `varchar(64)` NULL | NULL for central-originated events (inbound API, central notification dispatch). |
+| `SourceInstanceId` | `varchar(128)` NULL | Instance whose script initiated the action (when applicable). |
+| `SourceScript` | `varchar(128)` NULL | Script name within the instance. |
+| `Actor` | `varchar(128)` NULL | Inbound API: API key name. Outbound: script identity. Central: system user. |
+| `Target` | `varchar(256)` NULL | Outbound API: external system + method. DB: connection name. Notification: list name. Inbound API: method name. |
+| `Status` | `varchar(32)` | Outcome of *this event*: `Submitted`, `Forwarded`, `Attempted`, `Delivered`, `Failed`, `Parked`, `Discarded`, `Skipped`. |
+| `HttpStatus` | `int` NULL | HTTP-bearing events only. |
+| `DurationMs` | `int` NULL | Call/attempt duration. |
+| `ErrorMessage` | `nvarchar(1024)` NULL | Truncated; `ErrorDetail` for full text. |
+| `ErrorDetail` | `nvarchar(max)` NULL | Optional full exception/text on failures. |
+| `RequestSummary` | `nvarchar(max)` NULL | Truncated request payload (configurable cap, default 8 KB). Headers redacted. |
+| `ResponseSummary` | `nvarchar(max)` NULL | Truncated response payload (same cap). Full on errors. |
+| `PayloadTruncated` | `bit` | Set if either summary was truncated. |
+| `Extra` | `nvarchar(max)` NULL | Channel-specific JSON for fields we don't promote to columns. |
+
+**Indexes (first cut):**
+
+- `IX_AuditLog_OccurredAtUtc` — primary time-range index for global scans.
+- `IX_AuditLog_Site_Occurred (SourceSiteId, OccurredAtUtc)` — per-site filters.
+- `IX_AuditLog_Correlation (CorrelationId)` — drilldown from a single operation.
+- `IX_AuditLog_Channel_Status_Occurred (Channel, Status, OccurredAtUtc)` — KPI / dashboard tiles.
+- `IX_AuditLog_Target_Occurred (Target, OccurredAtUtc)` — "what did we send to system X."
+- Partitioning by month on `OccurredAtUtc` from day one (purge becomes a partition switch instead of a delete storm).
+
+**`Kind` values (flat — 10 discriminators across all channels):**
+
+| Kind | Fires when |
+|---|---|
+| `ApiCall` | Sync `ExternalSystem.Call(...)` returns (success or permanent failure). One row per call. |
+| `ApiCallCached` | A cached outbound-API attempt records its forward-ack (`Forwarded`) or each retry (`Attempted`). |
+| `DbWrite` | Sync `Database.Connection().Execute*(...)` / `ExecuteReader(...)` completes. One row per call. |
+| `DbWriteCached` | A cached outbound-DB attempt records its forward-ack (`Forwarded`) or each retry (`Attempted`). |
+| `NotifySend` | Script's `Notify.Send(...)` is enqueued on the site — first row in a notification's lifecycle (`Status=Submitted`). |
+| `NotifyDeliver` | Central Notification Outbox dispatcher records a delivery attempt (`Attempted`) or terminal outcome (`Delivered`/`Parked`/`Discarded`). |
+| `InboundRequest` | An inbound API request completes — one row per request, written at request end with final status. |
+| `InboundAuthFailure` | An inbound API request was rejected at the auth boundary (bad/missing key). One row, `Status=Failed`, `HttpStatus=401`. |
+| `CachedSubmit` | Script-side enqueue of a cached call (`ExternalSystem.CachedCall` / `Database.CachedWrite`); first row in the cached-call lifecycle, written to site SQLite before any forward attempt. |
+| `CachedResolve` | Terminal row for a cached operation — `Status` = `Delivered` / `Failed` / `Parked` / `Discarded`. |
+
+### Site: `AuditLog` (SQLite)
+
+Same shape minus `IngestedAtUtc` (irrelevant at the source) plus a local `ForwardState` column:
+
+- `ForwardState`: `Pending` | `Forwarded` | `Reconciled`. Drives the telemetry loop and reconciliation pull.
+
+**Site SQLite retention rule (hard invariant):**
+
+A row is eligible for purge only when **both** conditions hold:
+
+1. `OccurredAtUtc` is older than the configured site retention window (default **7 days**); AND
+2. `ForwardState IN ('Forwarded', 'Reconciled')` — i.e., central has acknowledged receipt.
+
+Rows still in `ForwardState = 'Pending'` are **never** purged on the basis of age. A prolonged central outage will grow the site audit table indefinitely until central is reachable again. This is intentional — losing audit rows to make room is a compliance violation, not a self-healing behavior.
+
+To bound that growth in practice, the site emits a **`SiteAuditBacklog`** health metric (pending row count, oldest pending age, bytes on disk). Crossing operator-configured thresholds surfaces as a Health dashboard warning on the relevant site tile. This is the same pattern used by the Store-and-Forward Engine's backlog metric.
+
+Central is the durable home; site SQLite is a write-buffer with a forwarding guarantee.
+
+---
+
+## 5. Where this fits in the existing component matrix
+
+This work probably becomes **component #23: Audit Log**, with edges into:
+
+- **#7 External System Gateway** — emits audit events for sync `Call()`, sync DB writes (and reads from scripts), and cached operations.
+- **#14 Inbound API** — emits one row per request (success or failure) at request completion.
+- **#21 Notification Outbox** — emits an audit row on enqueue, on each delivery attempt, and on terminal status.
+- **#22 Site Call Audit** — emits an audit row on each lifecycle transition (enqueue, attempt, terminal). `SiteCalls` remains the operational state store; AuditLog is the immutable shadow.
+- **#3 Site Runtime / #16 Commons** — script-trust-boundary call paths gain a thin audit interface.
+- **#17 Configuration Database** — Audit Log is a separate concern from `IAuditService` (which stays config-change-only). Both coexist.
+
+---
+
+## 6. Ingestion paths
+
+There are three write paths into the central `AuditLog`, all converging on the same table.
+
+### 6.1 Site hot-path append (site-originated events)
+
+1. Script issues an action across the trust boundary (`ExternalSystem.Call`, `Database` write/read, `Notify.Send`, etc.).
+2. The component completing the action (External System Gateway, Database Layer, S&F Engine) builds an `AuditEvent` value object with a fresh `EventId` (Guid v4) and `OccurredAtUtc = UtcNow`.
+3. Component appends the event to the site-local `AuditLog` SQLite via the `ISiteAuditWriter` interface. Single-statement `INSERT`, `ForwardState = 'Pending'`. Fire-and-forget from the caller's point of view (await returns once the local write is durable, typically microseconds).
+4. Control returns to the script. No central round-trip on the hot path.
+
+Failure modes on the hot path:
+
+- **SQLite write fails** (disk full, IO error): the audit writer logs a critical event to the Site Event Log, surfaces a `SiteAuditWriteFailures` health metric, and *the action proceeds*. We do not fail user-facing actions because the audit write failed — but the operator must be told loudly. (Open question: do we want a "strict mode" where audit-write failure aborts the action? Default off.)
+- **Audit writer not yet bootstrapped** (very early startup): events buffer in-memory bounded by a small ring; oldest discarded with a warning if it overflows. This window is normally sub-second.
+
+### 6.2 Telemetry forward (site → central)
+
+A `SiteAuditTelemetryActor` runs as a singleton on the active site node and drives the forwarding loop:
+
+1. Selects up to N `Pending` rows from local `AuditLog` ordered by `OccurredAtUtc`.
+2. Sends them in a batched gRPC `IngestAuditEvents(events)` call to central (over the existing `SiteStream` channel — same transport as cached-call telemetry today).
+3. Central performs **insert-if-not-exists** on `EventId` (idempotent) and returns the accepted IDs.
+4. Site flips `ForwardState = 'Forwarded'` for accepted IDs. Rejected IDs (transient central error) stay `Pending` for the next sweep.
+
+Cadence: short polling interval (default 5s) when the queue is non-empty, longer (default 30s) when idle. Telemetry runs on a dedicated dispatcher so it doesn't compete with the script blocking-I/O dispatcher.
+
+### 6.3 Reconciliation pull (self-healing for missed telemetry)
+
+A central `SiteAuditReconciliationActor` periodically (default every 5 minutes per site) asks each site: *"What's your highest `EventId.OccurredAtUtc` with `ForwardState = 'Pending'`?  And how many pending rows do you have?"*  If central sees a non-empty pending backlog that hasn't drained on its own (e.g., telemetry actor is wedged), it issues a `PullAuditEvents(sinceUtc, batchSize)` request that returns rows directly. Central inserts-if-not-exists and acks them — site flips to `ForwardState = 'Reconciled'`.
+
+This is the same self-healing pattern Site Call Audit uses for `SiteCalls`.
+
+### 6.4 Central direct-write (central-originated events)
+
+Events that originate at central never touch site SQLite:
+
+- **Inbound API** — request completed at central; one `ApiInbound`/`InboundRequest` row written via `ICentralAuditWriter` synchronously inside the request handler middleware before the HTTP response is flushed. Auth failures emit `ApiInbound`/`InboundAuthFailure` instead.
+- **Notification Outbox dispatcher** — each delivery attempt writes a `Notification`/`NotifyDeliver` row with `Status=Attempted`; terminal status writes a `Notification`/`NotifyDeliver` row with `Status=Delivered`/`Parked`/`Discarded`. (The site-originated `Notification`/`NotifySend` row, `Status=Submitted`, arrives via §6.2.)
+Central direct-writes use the same insert-if-not-exists semantics keyed on `EventId`, so a retried request handler can't produce duplicates.
+
+### 6.5 Cached operations — site emits, central writes twice
+
+For `ExternalSystem.CachedCall` and `Database.CachedWrite`, the **site** is the source of truth for every audit row. The site writes each lifecycle event — `CachedSubmit` (`Status=Submitted`), then `ApiCallCached`/`DbWriteCached` rows for the forward-ack (`Status=Forwarded`) and each retry (`Status=Attempted`), then a terminal `CachedResolve` row (`Status=Delivered`/`Failed`/`Parked`/`Discarded`) — to its local SQLite `AuditLog` on the hot path (or on the retry tick for `Attempted` rows), then forwards via the same telemetry channel described in §6.2. The telemetry message format gains the audit-row fields additively — one packet per lifecycle transition carries both the operational state update AND the audit row content.
+
+On receipt, central does two things in **one transaction**:
+
+1. Insert-if-not-exists the immutable `AuditLog` row, keyed on `EventId`.
+2. Upsert the operational `SiteCalls` row (existing Site Call Audit behavior — status, retry count, last error, timestamps).
+
+This collapses what would otherwise be two telemetry concerns into one, keeps site SQLite as the single local source of truth for audit content, and preserves the existing operational `SiteCalls` shape for the dispatcher / UI. No central-side derivation; no double-emission from the site.
+
+---
+
+## 7. Per-channel event mapping
+
+Worked examples — what each `Channel`/`Kind` row actually looks like. (Other columns omitted for brevity unless interesting.)
+
+### 7.1 `ApiOutbound` — outbound HTTP via External System Gateway
+
+**Sync call** (`ExternalSystem.Call("Weather", "GetForecast", { city: "Dublin" })` succeeds):
+
+```
+EventId        = <new guid>
+Channel        = ApiOutbound
+Kind           = ApiCall
+CorrelationId  = NULL                                  -- one-shot, no operation to correlate
+SourceSiteId   = "site-01"
+SourceInstance = "Plant1.Boiler"
+SourceScript   = "OnHourly"
+Target         = "Weather/GetForecast"
+Status         = Delivered
+HttpStatus     = 200
+DurationMs     = 142
+RequestSummary = '{"city":"Dublin"}'                  -- truncated to cap
+ResponseSummary= '{"tempC":11.4,...}'                 -- truncated to cap
+```
+
+**Cached call** (`ExternalSystem.CachedCall(...)`, hits a 500, retries, succeeds on attempt 3):
+
+```
+1. Kind=CachedSubmit      Status=Submitted                          CorrelationId=<tracked-op-id>
+2. Kind=ApiCallCached     Status=Forwarded                          CorrelationId=<same>
+3. Kind=ApiCallCached     Status=Attempted   HttpStatus=500         CorrelationId=<same>
+4. Kind=ApiCallCached     Status=Attempted   HttpStatus=500         CorrelationId=<same>
+5. Kind=ApiCallCached     Status=Attempted   HttpStatus=200         CorrelationId=<same>
+6. Kind=CachedResolve     Status=Delivered                          CorrelationId=<same>
+```
+
+The shadow of the `SiteCalls` row's lifecycle, but immutable and time-ordered.
+
+### 7.2 `DbOutbound` — outbound DB via Database layer
+
+**Sync write** (`db.Execute("INSERT INTO Readings ...", new {...})`):
+
+```
+Channel        = DbOutbound
+Kind           = DbWrite
+Target         = "PlantDB"                            -- connection name only, not server
+CorrelationId  = NULL
+Status         = Delivered
+DurationMs     = 9
+RequestSummary = "INSERT INTO Readings(ts,val) VALUES (@p0,@p1)"   -- SQL text
+Extra          = '{"rowsAffected":1,"params":{"p0":"2026-05-20T14:00Z","p1":42.7}}'  -- values captured by default
+
+```
+
+**Sync read** (`db.Query<...>(...)`):
+
+```
+Channel        = DbOutbound
+Kind           = DbWrite
+Status         = Delivered
+DurationMs     = 31
+RequestSummary = "SELECT id, value FROM Readings WHERE ts > @p0"
+Extra          = '{"rowsReturned":42}'
+ResponseSummary= NULL                                 -- rows not captured by default; opt-in per connection
+```
+
+(Reads and writes share the `DbWrite` kind — the kind distinguishes the trust-boundary call shape, not the SQL verb. Distinguish by `RequestSummary` / `Extra.rowsAffected` vs `Extra.rowsReturned` when needed.)
+
+**Cached write** — same multi-row lifecycle as the cached API example, using `Kind=DbWriteCached` for the `Forwarded` / `Attempted` rows in place of `ApiCallCached`.
+
+### 7.3 `Notification` — outbound notifications
+
+```
+1. Kind=NotifySend     Status=Submitted     CorrelationId=<NotificationId>  SourceSiteId="site-01" SourceInstance="Plant1.Boiler"
+2. Kind=NotifyDeliver  Status=Attempted     ErrorMessage="SMTP 451 ..."     CorrelationId=<same>    SourceSiteId=NULL (dispatch is central)
+3. Kind=NotifyDeliver  Status=Attempted                                     CorrelationId=<same>
+4. Kind=NotifyDeliver  Status=Delivered                                     CorrelationId=<same>
+Target = "OpsTeamEmail"                              -- notification list name
+Extra  = '{"resolvedTargets":["a@x.com","b@x.com"], "subject":"Boiler high temp"}'
+RequestSummary = '...body, truncated...'
+```
+
+Note the site→central handoff is implicit: row 1 arrives via §6.2 telemetry (it originated at the site script); rows 2–4 are written by the central dispatcher directly via §6.4.
+
+### 7.4 `ApiInbound` — inbound API
+
+One row per request, written at request completion:
+
+```
+Channel        = ApiInbound
+Kind           = InboundRequest
+CorrelationId  = <request-id>                        -- the request's correlation header (or generated)
+SourceSiteId   = NULL                                -- central-originated event
+Actor          = "AcmeSCADA"                         -- API key name (NOT the key itself)
+Target         = "RecordReading"                     -- inbound method name
+Status         = Delivered | Failed                  -- mapped from final HTTP outcome
+HttpStatus     = 200 | 400 | 500
+DurationMs     = 73
+RequestSummary = '{"siteId":"...","value":12.4}'     -- truncated; secrets/PII per redaction policy
+ResponseSummary= '{"ok":true}'                       -- full body on 5xx
+Extra          = '{"remoteIp":"203.0.113.42","userAgent":"...","scriptInvoked":"RecordReading.Handle"}'
+```
+
+A bad API key → separate kind: `Kind=InboundAuthFailure`, `Status=Failed`, `HttpStatus=401`, `Actor=NULL`, `Extra` carries `remoteIp` for abuse triage.
+
+---
+
+## 8. Payload capture policy
+
+### 8.1 Truncation
+- Default cap: **8 KB** for each of `RequestSummary` and `ResponseSummary`. Configurable globally; per-target overrides allowed (§8.4).
+- On any error row (`Status IN ('Failed', 'Parked', 'Discarded')`), the cap is raised to **64 KB** for that row — error context is precious.
+- When a body is truncated, `PayloadTruncated = 1` and the captured prefix is preserved verbatim (UTF-8 byte-safe truncation, no mid-character cuts).
+- Bodies exceeding the larger cap are still truncated; full bodies are never stored.
+
+### 8.2 Redaction
+Redaction happens **at the write site**, before the row touches SQLite (or central MS SQL for §6.4 events). Unredacted secrets never persist.
+
+- **HTTP headers** — `Authorization`, `Cookie`, `Set-Cookie`, `X-API-Key`, and any header matching the configured redact-list (regex) become `<redacted>`. List is operator-extensible.
+- **HTTP bodies** — captured verbatim by default. Operators can register per-External-System / per-Inbound-Method body redactors (regex → replacement) for known secret fields (e.g., `"password"\s*:\s*"[^"]+"`).
+- **SQL** — statement text and parameter values captured verbatim by default. Per-connection redaction opt-in (e.g., redact parameters whose name matches `@apikey|@token|@password`).
+- **Notification bodies** — captured per the existing notification rules (no behavioral change from today).
+- **Safety net** — if a configured redactor throws, the affected payload becomes `"<redacted: redactor error>"` and a `AuditRedactionFailure` health metric increments. We over-redact, never under-redact, on configuration faults.
+
+### 8.3 Never captured
+- Raw API key material (only the key *name* via `Actor`).
+- LDAP bind credentials, cluster secrets, Configuration DB connection strings.
+- Framework traffic per §2 (out of scope by construction, not by redaction).
+
+### 8.4 Configurability
+Bound from `appsettings.json` (new `AuditLog` options class owned by the Audit Log component):
+
+```jsonc
+"AuditLog": {
+  "DefaultCapBytes": 8192,
+  "ErrorCapBytes": 65536,
+  "HeaderRedactList": [ "Authorization", "Cookie", "Set-Cookie", "X-API-Key" ],
+  "GlobalBodyRedactors": [
+    { "Pattern": "\"password\"\\s*:\\s*\"[^\"]+\"", "Replacement": "\"password\":\"<redacted>\"" }
+  ],
+  "PerTargetOverrides": {
+    "Weather/GetForecast": { "CapBytes": 4096 },
+    "PlantDB":             { "RedactSqlParamsMatching": "@apikey|@token" }
+  }
+}
+```
+
+Per-target keys bind by External System / Inbound Method / Notification List / Database Connection name.
+
+---
+
+## 9. Failure handling & idempotency
+
+### 9.1 `EventId` is the dedup key
+- Generated at the originator (site for §6.1/§6.5, central for §6.4). Guid v4.
+- Central ingest is `INSERT … WHERE NOT EXISTS (SELECT 1 FROM AuditLog WHERE EventId = @id)`, executed under the PK constraint.
+- Idempotent across telemetry retries, reconciliation pulls, and any combination thereof.
+
+### 9.2 Central MS SQL outage
+- Site telemetry calls fail; `ForwardState` stays `Pending`; backlog grows.
+- Reconciliation pulls also fail.
+- Site SQLite continues to absorb hot-path writes (no upstream dependency on the hot path).
+- `SiteAuditBacklog` health metric crosses thresholds → Health dashboard surfaces it on the affected site tile.
+- On recovery, telemetry drains; insert-if-not-exists handles any overlap.
+
+### 9.3 Site SQLite write failure
+- Audit writer fails to append (disk full, schema lock, transient IO error).
+- **The action proceeds** — we do not fail script-initiated work because the audit write failed.
+- `SiteAuditWriteFailures` health metric increments; critical-severity Site Event Log entry.
+- A small in-memory ring (default 1024 rows) buffers events while the local writer is unhealthy; on ring overflow, oldest events are dropped with a Site Event Log warning per drop.
+
+### 9.4 Telemetry actor wedged
+- Reconciliation pull (§6.3) is the fallback. If two consecutive reconciliation cycles report a non-draining backlog, the supervisor restarts the telemetry actor and a `SiteAuditTelemetryStalled` event fires.
+
+### 9.5 Central direct-write failure
+- Inbound API: middleware audit failure is logged + metricked but never affects the HTTP response.
+- Notification Outbox dispatcher: audit failure logs critical and increments `CentralAuditWriteFailures`; the operational `Notifications` row update proceeds.
+
+### 9.6 Dedup horizon — there isn't one
+`EventId` PK enforces uniqueness as long as a row exists in the table. Purge (§12) removes rows by `OccurredAtUtc`, not `EventId`; a stale telemetry retry arriving after the original was purged will insert a "new" row. Acceptable — a retry that arrives more than a year late is vanishingly rare and an extra row is harmless.
+
+---
+
+## 10. UI & query surface
+
+### 10.1 Audit Log page (new, top-level)
+Lives under a new **Audit** nav group in Central UI (sibling to **Notifications**). Standard Blazor Server + Bootstrap, custom components per the project UI rules.
+
+**Filter bar (top of page, collapses to one row when not focused):**
+- Time range (relative: 15m / 1h / 24h / 7d / custom).
+- Channel (multi-select: `ApiOutbound`, `DbOutbound`, `Notification`, `ApiInbound`).
+- Kind (filtered by selected channels).
+- Status (multi-select).
+- Site (multi-select, scoped to user's authorized sites).
+- Instance / Script (text search with autocomplete).
+- Target (text search — system+method, DB connection, list name).
+- Actor (text search — inbound API key name).
+- CorrelationId (paste a `TrackedOperationId` / `NotificationId` / request-id to see its full event sequence).
+- "Errors only" toggle (`Status IN ('Failed', 'Parked', 'Discarded')`).
+
+**Results grid:**
+- Columns (resizable, reorderable, persisted per user): `OccurredAtUtc`, `Site`, `Channel`, `Kind`, `Status`, `Target`, `Actor`, `DurationMs`, `HttpStatus`, `ErrorMessage`.
+- Keyset pagination on `(OccurredAtUtc desc, EventId desc)`. Default page 100.
+- Click row → drilldown drawer.
+
+**Drilldown drawer:**
+- Pretty-prints `RequestSummary` / `ResponseSummary` (JSON auto-detected; SQL syntax-highlighted).
+- Redaction indicators where headers/fields were stripped.
+- "Copy as cURL" for `ApiOutbound` / `ApiInbound` rows.
+- "Show all events for this operation" link → filters by `CorrelationId`.
+
+### 10.2 Drill-in links from existing pages
+- **Notifications** row → "View audit history" → Audit Log filtered to `CorrelationId = NotificationId`.
+- **Site Calls** row → "View audit history" → Audit Log filtered to `CorrelationId = TrackedOperationId`.
+- **External Systems** detail → "Recent activity" → Audit Log filtered to `Target starts-with <system>`.
+- **Inbound API keys** detail → "Recent calls" → Audit Log filtered to `Actor = <key name>` AND `Channel = ApiInbound`.
+- **Sites** detail → new "Audit feed" tab.
+- **Instances** detail → new "Audit feed" tab.
+
+### 10.3 Health dashboard tiles
+Three new tiles in an "Audit" KPI group:
+- **Audit volume** — events/min global + per-site sparkline.
+- **Audit error rate** — % rows where `Status IN ('Failed', 'Parked', 'Discarded')`, rolling 5 min.
+- **Audit backlog** — sum of `Pending` site rows; click → per-site breakdown.
+
+### 10.4 Export
+Audit Log page **Export** button streams CSV (current filter) server-side. Default cap 100k rows; larger exports use the CLI (§15).
+
+---
+
+## 11. Security & tamper-evidence
+
+### 11.1 Append-only enforcement
+- Application accesses `AuditLog` via a dedicated DB role `scadalink_audit_writer` granted `INSERT` + `SELECT` only — no `UPDATE`, no `DELETE`.
+- Purge runs under a separate role `scadalink_audit_purger` whose permissions are limited to the partition-switch operation (§12.2). Row-level `DELETE` is not granted even to purge.
+- A CI guard greps the data layer for any `UPDATE … AuditLog` or `DELETE … AuditLog` text and fails the build.
+
+### 11.2 Authorization
+- Reading the Audit Log requires the existing **Audit** role (today used for the IAuditService config-change log) extended with a new **OperationalAudit** permission.
+- Per-site row scoping reuses the existing site-permission model from Security & Auth — a user sees only rows for sites they are authorized to operate.
+- Bulk export (UI button + CLI) requires an additional **AuditExport** permission.
+
+### 11.3 Payload redaction at write
+See §8.2. Contract: unredacted secrets never persist. Safety net over-redacts on misconfiguration.
+
+### 11.4 Tamper-evidence hash chain (deferred, v1.x)
+- Each row gains a `RowHash` column.
+- `RowHash = SHA-256(prev.RowHash || canonical(row))` per partition.
+- Computed by a chaining job that runs after each monthly partition closes.
+- Verifiable offline via `scadalink audit verify-chain --month YYYY-MM`.
+- Default **off** in v1 to avoid operational burden. Flag for v1.x.
+
+### 11.5 Site SQLite security
+- File permissions: read/write by the ScadaLink service account only.
+- Not backed up off-machine — site SQLite is a buffer with a forwarding guarantee, not a record. Central is the durable home.
+
+---
+
+## 12. Retention & purge mechanics
+
+### 12.1 Central retention defaults
+- **365 days** based on `OccurredAtUtc`. Configurable via `AuditLog:RetentionDays` (min 7, max 3650, validated at startup).
+- **Single global retention in v1** — no per-channel/Kind overrides. Deferred to v1.x once production cost data shows whether overrides are needed.
+
+### 12.2 Partition strategy
+- Monthly partitions on `OccurredAtUtc`. Partition function `pf_AuditLog_Month`, scheme `ps_AuditLog_Month`, created in the EF Core migration.
+- Purge by partition switch: move the eligible partition to a staging table, then drop. No row-by-row delete; no log bloat.
+- Partition-maintenance job rolls forward each month (creates the next month's partition ahead of time).
+
+### 12.3 Purge job
+- Singleton actor `AuditLogPurgeActor` on the active central node, runs daily.
+- Switches out any partition whose latest `OccurredAtUtc` is older than the global retention window. Pure partition-switch; no row-level deletes.
+- Emits a `AuditLog:Purged` event (partition range, rowcount, duration).
+
+### 12.4 Site SQLite purge
+- Daily site job, hard invariant per §4: purge only `OccurredAtUtc < threshold AND ForwardState IN ('Forwarded','Reconciled')`.
+- Default site retention **7 days** (configurable, min 1, max 90).
+- Backlog metric (§9.2) provides visibility into "central outage → site bloat" before disk-full.
+
+---
+
+## 13. Performance & sizing
+
+Rough back-of-envelope; load testing will confirm.
+
+### 13.1 Per-site event rate (assumed nominal site)
+| Channel/Kind | Typ events/min | Peak events/min |
+|---|---:|---:|
+| `ApiOutbound.ApiCall` | 10 | 100 |
+| `ApiOutbound.ApiCallCached` (~4 rows/op incl. `CachedSubmit`/`CachedResolve`) | 4 | 20 |
+| `DbOutbound.DbWrite` (writes) | 30 | 300 |
+| `DbOutbound.DbWrite` (reads) | 60 | 600 |
+| `DbOutbound.DbWriteCached` (~4 rows/op incl. `CachedSubmit`/`CachedResolve`) | 4 | 20 |
+| `Notification.NotifySend` (site-emit) | 1 | 10 |
+| **Per-site total** | **~110** | **~1,050** |
+
+### 13.2 Central total (50-site deployment)
+- Typical: ~5,500 events/min = ~**92 events/sec**.
+- Peak: ~52,500 events/min = ~**875 events/sec**.
+- Plus central-originated (Notification dispatch + Inbound API): assume ~30 events/sec typical.
+
+MS SQL handles this with batched ingest and the time-aligned indexes.
+
+### 13.3 Row size
+- Fixed columns: ~250 bytes.
+- Average captured payload: ~1 KB.
+- Per row: **~1.3 KB**.
+
+### 13.4 Yearly central footprint
+- Typical: 100 events/sec × 86,400 × 365 × 1.3 KB ≈ **~4 TB** at default cap.
+- Cap reduction (8 KB → 2 KB) or per-channel retention shaves this multi-fold.
+
+### 13.5 Site SQLite footprint
+- 110/min × 60 × 24 × 7 × 1.3 KB ≈ **~140 MB / site** at the 7-day window. Trivial.
+
+### 13.6 Levers
+- Reduce `DefaultCapBytes` per §8.1.
+- Tighten per-channel retention per §12.1 (especially `DbOutbound.DbWrite` read traffic).
+- Defer to v1.x: Parquet archival to object storage before purge (§15.2).
+
+---
+
+## 14. KPI surface & relationship to existing KPIs
+
+### 14.1 New Audit Log KPIs
+- **Volume** — events/min, global + per-site.
+- **Error rate** — % rows where `Status IN ('Failed', 'Parked', 'Discarded')`, rolling 5 min.
+- **Backlog** — sum of `Pending` site rows.
+- **Top inbound callers** — top-10 `Actor` by request count, last 1h.
+- **Top outbound 5xx** — top-10 `Target` by 5xx-status count, last 1h.
+
+### 14.2 Relationship to existing KPIs
+- **Notification Outbox KPIs** (queue depth, parked, delivered-last-interval, etc.) — unchanged, sourced from `Notifications`. Audit Log KPIs describe the audit table itself, not the notification subsystem.
+- **Site Call Audit KPIs** — unchanged, sourced from `SiteCalls`.
+- Audit Log KPIs occupy their own group on the Health dashboard. Nothing is collapsed or superseded.
+
+---
+
+## 15. CLI & external access
+
+### 15.1 CLI commands
+New `scadalink audit` command group:
+- `scadalink audit query --site <s> --since <t> --kind <k> [...]` — same filter set as the UI.
+- `scadalink audit export --since <t> --until <t> --format csv|jsonl|parquet --output <path>` — bulk export, server-side streaming.
+- `scadalink audit verify-chain --month <YYYY-MM>` — hash-chain verification (when §11.4 is enabled).
+
+Requires the same **OperationalAudit** / **AuditExport** permissions as the UI.
+
+### 15.2 Object-storage archival (deferred, v1.x)
+A monthly job dumps the closing partition to Parquet on operator-configured object storage before central purge — enabling indefinite cold retention without bloating MS SQL. Flag for v1.x; not in initial scope.
+
+---
+
+## 16. Locked decisions
+
+| # | Question | Decision |
+|---|---|---|
+| 1 | Component number | **#23 Audit Log** (README matrix + HighLevelReqs). |
+| 2 | Nav placement | New top-level **Audit** nav group in Central UI. |
+| 3 | Hash-chain tamper evidence (§11.4) | Deferred to v1.x. v1 enforces append-only via DB grants only. |
+| 4 | Parquet archival to object storage (§15.2) | Deferred to v1.x. |
+| 5 | Per-channel retention overrides (§12.1) | Deferred to v1.x. v1 uses a single global `RetentionDays`. |
+| 6 | Default payload cap | **8 KB** for `RequestSummary` / `ResponseSummary`; **64 KB** on error rows (`Status IN ('Failed', 'Parked', 'Discarded')`). |
+
+All earlier design decisions (purpose, topology, scope, payload depth, lifecycle granularity, retention default, site→central path, UI shape, cached-call audit emission, SQL parameter capture, never-fail-on-audit-failure) are also locked. See §1–§15.

docs/plans/2026-05-20-auditlog-m1-foundation.md

@@ -0,0 +1,324 @@
+# Audit Log #23 — M1 Foundation Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers-extended-cc:subagent-driven-development to implement this plan task-by-task (bundled cadence per `feedback_subagent_cadence`).
+
+**Goal:** Land the `AuditLog` table (monthly-partitioned) plus DB roles in MS SQL, and add the Commons types + EF repo + new `ScadaLink.AuditLog` project skeleton that every later milestone depends on. After M1 the database is ready, the new project is wired into the solution, and `dotnet build && dotnet test` are both green.
+
+**Architecture:** New `AuditEvent` record + audit enums + writer interfaces in Commons. New EF entity configuration + EF Core migration creating `AuditLog` table aligned to `ps_AuditLog_Month` partition scheme on `OccurredAtUtc`, plus `scadalink_audit_writer` and `scadalink_audit_purger` SQL roles. New `IAuditLogRepository` with append-only surface (no Update, no row-delete). New `src/ScadaLink.AuditLog/` project skeleton + `AuditLogOptions`.
+
+**Tech Stack:** .NET 10 / EF Core 10.0.7 / Microsoft.Data.SqlClient 6.0.2 / xUnit 2.9.3 / running `infra/mssql` container for integration tests.
+
+**Brainstorm decisions (locked):**
+- **MSSQL test harness:** integration tests hit the existing `infra/mssql` container (require `cd infra && docker compose up -d`).
+- **AuditEvent shape:** one record with nullable `IngestedAtUtc` (set centrally) and nullable `ForwardState` (set site-locally).
+- **Filegroup:** PRIMARY, hard-coded.
+- **Indexes:** five named explicitly via `.HasDatabaseName("IX_AuditLog_…")`.
+
+**Pre-existing reality:**
+- `Entities/Audit/AuditLogEntry.cs` (config-audit, 9 cols) **coexists with** new `AuditEvent` — no rename, no removal.
+- `IAuditService` (config-audit) is distinct from new `IAuditWriter` / `ICentralAuditWriter`.
+- `tests/ScadaLink.IntegrationTests/` uses EF in-memory — NOT usable for partition/role tests.
+- Roadmap M1-T10 (project skeleton) must run before M1-T9 (options class). **Swapped in this plan.**
+
+---
+
+## Bundles (cadence-aligned)
+
+Tasks 1–11 from the roadmap are grouped into 6 bundles. Each bundle = one implementer dispatch + one combined spec+quality reviewer. The final cross-bundle reviewer runs over the whole branch.
+
+- **Bundle A — Commons types** (roadmap T1+T2+T3+T4): enums, AuditEvent record + ForwardState enum, IAuditWriter / ICentralAuditWriter, telemetry message DTOs.
+- **Bundle B — EF entity mapping** (T5): DbSet + IEntityTypeConfiguration<AuditEvent> + indexes.
+- **Bundle C — Migration with partitioning + DB roles** (T6+T7 merged — one migration file).
+- **Bundle D — Repository** (T8): IAuditLogRepository + EF implementation + DI registration.
+- **Bundle E — AuditLog project skeleton + options** (T10 then T9): new `src/ScadaLink.AuditLog/` project + `AuditLogOptions`.
+- **Bundle F — Docs paper trail** (T11): controller-direct edit; no subagent needed for a 1–3 line update.
+
+---
+
+## Bundle A — Commons types
+
+### Task 1: Add audit enums to Commons
+
+**Files:**
+- Create: `src/ScadaLink.Commons/Types/Enums/AuditChannel.cs`
+- Create: `src/ScadaLink.Commons/Types/Enums/AuditKind.cs`
+- Create: `src/ScadaLink.Commons/Types/Enums/AuditStatus.cs`
+- Create: `src/ScadaLink.Commons/Types/Enums/AuditForwardState.cs`
+- Create: `tests/ScadaLink.Commons.Tests/Types/Enums/AuditEnumTests.cs`
+
+**AuditChannel members** (4): `ApiOutbound`, `DbOutbound`, `Notification`, `ApiInbound`.
+
+**AuditKind members** (10, per alog.md §4): `ApiCall`, `ApiCallCached`, `DbWrite`, `DbWriteCached`, `NotifySend`, `NotifyDeliver`, `InboundRequest`, `InboundAuthFailure`, `CachedSubmit`, `CachedResolve`.
+
+**AuditStatus members** (8, per alog.md §4): `Submitted`, `Forwarded`, `Attempted`, `Delivered`, `Failed`, `Parked`, `Discarded`, `Skipped`.
+
+**AuditForwardState members** (3): `Pending`, `Forwarded`, `Reconciled`.
+
+**Steps:**
+1. Failing tests assert each enum's exact member set via `Enum.GetValues(typeof(T)).Cast<T>().Select(x => x.ToString())` against a string-array literal.
+2. Run: fail (enums don't exist).
+3. Implement the four enums (no `[Flags]`).
+4. Run: pass.
+5. Commit: `feat(commons): add Audit{Channel,Kind,Status,ForwardState} enums for #23`.
+
+### Task 2: Add AuditEvent record
+
+**Files:**
+- Create: `src/ScadaLink.Commons/Entities/Audit/AuditEvent.cs` — `public sealed record AuditEvent` with the 20 central columns per alog.md §4, plus nullable `AuditForwardState? ForwardState` and nullable `DateTime? IngestedAtUtc`.
+- Create: `tests/ScadaLink.Commons.Tests/Entities/Audit/AuditEventTests.cs`.
+
+Properties (in alog.md §4 order):
+`Guid EventId`, `DateTime OccurredAtUtc`, `DateTime? IngestedAtUtc`, `AuditChannel Channel`, `AuditKind Kind`, `Guid? CorrelationId`, `string? SourceSiteId`, `string? SourceInstanceId`, `string? SourceScript`, `string? Actor`, `string? Target`, `AuditStatus Status`, `int? HttpStatus`, `int? DurationMs`, `string? ErrorMessage`, `string? ErrorDetail`, `string? RequestSummary`, `string? ResponseSummary`, `bool PayloadTruncated`, `string? Extra`, `AuditForwardState? ForwardState`.
+
+**Steps:**
+1. Failing test constructs an `AuditEvent`, asserts each property reads back as set, asserts `with` expression produces a new instance with one field changed.
+2. Run: fail.
+3. Implement record with all properties as `init`-only.
+4. Run: pass.
+5. Commit: `feat(commons): add AuditEvent record (#23)`.
+
+### Task 3: Add IAuditWriter and ICentralAuditWriter
+
+**Files:**
+- Create: `src/ScadaLink.Commons/Interfaces/Services/IAuditWriter.cs`
+- Create: `src/ScadaLink.Commons/Interfaces/Services/ICentralAuditWriter.cs`
+- Create: `tests/ScadaLink.Commons.Tests/Interfaces/Services/AuditWriterContractTests.cs`
+
+Both interfaces expose `Task WriteAsync(AuditEvent evt, CancellationToken ct = default)`. XML doc comments name Audit Log #23 as the owner; `IAuditWriter` is the abstraction the boundary code calls, `ICentralAuditWriter` is the central-only flavor (used by direct-write paths in M2+).
+
+**Steps:**
+1. Failing reflection test: `typeof(IAuditWriter).GetMethod("WriteAsync")` returns a method whose parameters are `(AuditEvent, CancellationToken)` and return type is `Task`. Same for `ICentralAuditWriter`.
+2. Run: fail.
+3. Implement both interfaces with XML docs.
+4. Run: pass.
+5. Commit: `feat(commons): add IAuditWriter and ICentralAuditWriter (#23)`.
+
+### Task 4: Add audit telemetry + pull message DTOs
+
+**Files:**
+- Create: `src/ScadaLink.Commons/Messages/Integration/AuditTelemetryEnvelope.cs` — `public sealed record AuditTelemetryEnvelope(Guid EnvelopeId, string SourceSiteId, IReadOnlyList<AuditEvent> Events)`.
+- Create: `src/ScadaLink.Commons/Messages/Integration/PullAuditEventsRequest.cs` — `public sealed record PullAuditEventsRequest(string SourceSiteId, DateTime SinceUtc, int BatchSize)`.
+- Create: `src/ScadaLink.Commons/Messages/Integration/PullAuditEventsResponse.cs` — `public sealed record PullAuditEventsResponse(IReadOnlyList<AuditEvent> Events, bool MoreAvailable)`.
+- Create: `tests/ScadaLink.Commons.Tests/Messages/Integration/AuditTelemetryMessagesTests.cs`.
+
+**Steps:**
+1. Failing test constructs envelope with 3 events and asserts immutability and enumerability.
+2. Failing test constructs `PullAuditEventsRequest` + `PullAuditEventsResponse` with `MoreAvailable=true`.
+3. Run: fail.
+4. Implement records.
+5. Run: pass.
+6. Commit: `feat(commons): add audit telemetry + pull message DTOs (#23)`.
+
+**Bundle A acceptance:** Commons project compiles. Four enum tests, AuditEvent test, two interface contract tests, two telemetry-message tests all green. No existing tests regress.
+
+---
+
+## Bundle B — EF entity mapping
+
+### Task 5: Extend ScadaLinkDbContext + add IEntityTypeConfiguration<AuditEvent>
+
+**Files:**
+- Modify: `src/ScadaLink.ConfigurationDatabase/ScadaLinkDbContext.cs` — add `public DbSet<AuditEvent> AuditLogs => Set<AuditEvent>();` in the existing `// Audit` section, **directly after** the existing `AuditLogEntries` DbSet. Do not remove or modify `AuditLogEntries`.
+- Create: `src/ScadaLink.ConfigurationDatabase/Configurations/AuditLogEntityTypeConfiguration.cs` — `IEntityTypeConfiguration<AuditEvent>` mapping to table `AuditLog`, columns per alog.md §4 (with max lengths), PK on `EventId`, enum columns stored as `varchar(32)` via `HasConversion<string>().HasMaxLength(32)`. **No partition function declared here** — that goes in the migration's raw SQL.
+
+Five indexes with explicit names:
+- `IX_AuditLog_OccurredAtUtc` on (`OccurredAtUtc` desc)
+- `IX_AuditLog_Site_Occurred` on (`SourceSiteId`, `OccurredAtUtc` desc)
+- `IX_AuditLog_CorrelationId` on (`CorrelationId`) where `CorrelationId IS NOT NULL`
+- `IX_AuditLog_Channel_Status_Occurred` on (`Channel`, `Status`, `OccurredAtUtc` desc)
+- `IX_AuditLog_Target_Occurred` on (`Target`, `OccurredAtUtc` desc) where `Target IS NOT NULL`
+
+- Modify: `OnModelCreating` — apply via `modelBuilder.ApplyConfiguration(new AuditLogEntityTypeConfiguration())`.
+- Create: `tests/ScadaLink.ConfigurationDatabase.Tests/Configurations/AuditLogEntityTypeConfigurationTests.cs` — use a `ModelBuilder` directly (no DbContext required) and assert:
+  - mapped table name is `AuditLog`,
+  - PK is `EventId`,
+  - exactly 21 properties are mapped (20 + ForwardState; IngestedAtUtc is one of the 20 per spec; but ForwardState is the +1),
+  - the five indexes exist with the documented names.
+
+**Steps:**
+1. Failing test: model asserts on table name + PK + property count.
+2. Implement config + apply in `OnModelCreating`; add the DbSet.
+3. Failing test: model asserts five named indexes.
+4. Add `HasIndex(...).HasDatabaseName(...)` for each.
+5. Run: pass.
+6. Commit: `feat(configdb): map AuditEvent to AuditLog table with PK and five named indexes (#23)`.
+
+**Bundle B acceptance:** ConfigurationDatabase project compiles. Mapping test passes. No existing ConfigurationDatabase.Tests regress.
+
+---
+
+## Bundle C — Migration with partitioning + DB roles
+
+### Task 6+7 (merged): Create migration with partition function/scheme/table + DB roles
+
+**Files:**
+- Generate: `src/ScadaLink.ConfigurationDatabase/Migrations/<yyyyMMddHHmmss>_AddAuditLogTable.cs` via:
+  ```
+  dotnet ef migrations add AddAuditLogTable --project src/ScadaLink.ConfigurationDatabase \
+    --startup-project src/ScadaLink.Host --output-dir Migrations
+  ```
+- Customize the migration's `Up()`:
+  1. Raw SQL: create partition function `pf_AuditLog_Month` (RANGE RIGHT FOR VALUES with month-boundaries from `2026-01-01` through `2027-12-01` UTC), and partition scheme `ps_AuditLog_Month` ALL TO ([PRIMARY]).
+  2. Drop EF's auto-generated `CREATE TABLE` and replace with raw SQL that creates `AuditLog` ON `ps_AuditLog_Month(OccurredAtUtc)`. (Or: let EF generate the table, then `ALTER TABLE … ADD CONSTRAINT … PK … ON ps_AuditLog_Month(OccurredAtUtc)` — whichever EF 10 supports cleanly.)
+  3. Create the five named indexes via `migrationBuilder.CreateIndex(...)`, partition-aligned on `ps_AuditLog_Month(OccurredAtUtc)` where appropriate.
+  4. Raw SQL roles, idempotent (`IF NOT EXISTS … CREATE ROLE`):
+     - `scadalink_audit_writer`: GRANT INSERT ON AuditLog; GRANT SELECT ON AuditLog. (No UPDATE, no DELETE.)
+     - `scadalink_audit_purger`: GRANT ALTER ON SCHEMA::dbo; GRANT SELECT ON AuditLog. (Enables ALTER PARTITION FUNCTION SWITCH and SWITCH PARTITION.)
+- `Down()` drops indexes, table, scheme, function, then both roles.
+- Create: `tests/ScadaLink.ConfigurationDatabase.Tests/Migrations/AddAuditLogTableMigrationTests.cs` — uses a fixture connecting to the running `infra/mssql` container via the connection string in `infra/mssql/.env` (or skips with `Skip.If` when the env var `SCADALINK_MSSQL_TEST_CONN` is unset, so CI without the container still passes).
+
+Integration test assertions:
+- `sys.partition_functions` contains `pf_AuditLog_Month`.
+- `sys.partition_schemes` contains `ps_AuditLog_Month`.
+- `INFORMATION_SCHEMA.TABLES` contains `AuditLog` aligned to the partition scheme.
+- `sys.indexes` contains the five expected named indexes.
+- `sys.database_principals` contains both roles.
+- Smoke test: log in as a user mapped to `scadalink_audit_writer`, attempt `UPDATE AuditLog …`, expect `SqlException` with permission error.
+
+**Steps:**
+1. Generate the migration; let EF auto-fill the body.
+2. Failing integration test: assert partition function exists.
+3. Edit migration to add the partition function + scheme + table alignment.
+4. Re-run: pass.
+5. Failing integration test: assert five indexes exist.
+6. Add named indexes to migration.
+7. Failing integration test: assert both roles exist with documented grants.
+8. Add roles to migration.
+9. Failing integration test: smoke `UPDATE AuditLog` as writer expects permission error.
+10. Verify role grants exclude UPDATE.
+11. Run: pass.
+12. Commit: `feat(configdb): add AuditLog migration with monthly partitioning and DB roles (#23)`.
+
+**Notes for the implementer:**
+- Use `Microsoft.Data.SqlClient` directly in the test fixture (not EF) to issue raw SQL for grant assertions.
+- `Skip.If(string.IsNullOrEmpty(Environment.GetEnvironmentVariable("SCADALINK_MSSQL_TEST_CONN")), "MSSQL not available")` — keeps tests CI-safe.
+- Test database name: `ScadaLinkAuditMigrationTest_<guid>` (created per fixture, dropped on dispose).
+
+**Bundle C acceptance:** Migration applied to a fresh test DB on the `infra/mssql` container creates the partition function/scheme/table/indexes/roles. Smoke test confirms UPDATE is denied for the writer role. All migration tests pass when `SCADALINK_MSSQL_TEST_CONN` is set; skip cleanly when unset.
+
+---
+
+## Bundle D — Repository
+
+### Task 8: IAuditLogRepository + EF implementation + DI
+
+**Files:**
+- Create: `src/ScadaLink.Commons/Interfaces/Repositories/IAuditLogRepository.cs` — three methods:
+  - `Task InsertIfNotExistsAsync(AuditEvent evt, CancellationToken ct = default);`
+  - `Task<IReadOnlyList<AuditEvent>> QueryAsync(AuditLogQueryFilter filter, AuditLogPaging paging, CancellationToken ct = default);`
+  - `Task SwitchOutPartitionAsync(DateTime monthBoundary, CancellationToken ct = default);`
+
+  Plus two small DTOs in the same file (or co-located `Types/Audit/`):
+  - `AuditLogQueryFilter` record: nullable `AuditChannel?`, `AuditKind?`, `AuditStatus?`, `string? SourceSiteId`, `string? Target`, `string? Actor`, `Guid? CorrelationId`, `DateTime? FromUtc`, `DateTime? ToUtc`.
+  - `AuditLogPaging` record: `int PageSize`, `Guid? AfterEventId`, `DateTime? AfterOccurredAtUtc` (keyset).
+
+- Create: `src/ScadaLink.ConfigurationDatabase/Repositories/AuditLogRepository.cs` — implements all three methods:
+  - `InsertIfNotExistsAsync` uses raw SQL `IF NOT EXISTS (SELECT 1 FROM AuditLog WHERE EventId = @id) INSERT INTO AuditLog …` via `DbContext.Database.ExecuteSqlInterpolatedAsync` (bypasses change tracker).
+  - `QueryAsync` builds an `IQueryable<AuditEvent>`, applies filters, projects, paged by keyset on `(OccurredAtUtc desc, EventId desc)`.
+  - `SwitchOutPartitionAsync` builds a unique staging table name, runs `CREATE TABLE … <staging>` with identical schema and ON `[PRIMARY]`, runs `ALTER TABLE AuditLog SWITCH PARTITION <n> TO <staging>`, then `DROP TABLE <staging>`. All inside a single transaction. Computes partition number from `monthBoundary` via `$partition.pf_AuditLog_Month(@boundary)`.
+
+- Modify: `src/ScadaLink.ConfigurationDatabase/ServiceCollectionExtensions.cs` — add `services.AddScoped<IAuditLogRepository, AuditLogRepository>();` after `INotificationOutboxRepository` line.
+
+- Create: `tests/ScadaLink.ConfigurationDatabase.Tests/Repositories/AuditLogRepositoryTests.cs` — uses the same MSSQL fixture from Bundle C (skipped when env var unset) since `InsertIfNotExistsAsync` uses raw SQL that won't run on EF in-memory.
+
+Tests:
+- Insert for fresh `EventId` writes one row.
+- Calling `InsertIfNotExistsAsync` again with the same `EventId` is a no-op (no exception, row count unchanged).
+- `QueryAsync` returns rows in `(OccurredAtUtc desc, EventId desc)` order honoring all filter predicates.
+- `QueryAsync` with non-null `AfterEventId`/`AfterOccurredAtUtc` keysets correctly to the next page.
+- `SwitchOutPartitionAsync` for an old boundary removes the rows belonging to that partition from the live table.
+
+**Steps:**
+1. Failing test: insert + duplicate insert.
+2. Implement using raw SQL.
+3. Failing test: query order + filters.
+4. Implement.
+5. Failing test: keyset paging.
+6. Implement.
+7. Failing test: switch-out partition.
+8. Implement.
+9. Run all: pass.
+10. Commit: `feat(configdb): IAuditLogRepository + EF implementation, append-only with partition-switch purge (#23)`.
+
+**Bundle D acceptance:** Repository tests green. DI smoke test from existing ConfigurationDatabase.Tests still passes.
+
+---
+
+## Bundle E — AuditLog project skeleton + options
+
+### Task 10 (first): Scaffold `src/ScadaLink.AuditLog/` project
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/ScadaLink.AuditLog.csproj` — TargetFramework `net10.0` (matches solution), references `ScadaLink.Commons` + `ScadaLink.ConfigurationDatabase`.
+- Create: `src/ScadaLink.AuditLog/ServiceCollectionExtensions.cs` — `public static class ServiceCollectionExtensions { public static IServiceCollection AddAuditLog(this IServiceCollection services, IConfiguration config) { … } }` registering `AuditLogOptions` (from Task 9) and forwarding to `services.AddScoped<IAuditLogRepository, AuditLogRepository>()` (already registered by ConfigurationDatabase, so this is a no-op but documents the dependency).
+- Create: `tests/ScadaLink.AuditLog.Tests/ScadaLink.AuditLog.Tests.csproj` with one smoke test.
+- Create: `tests/ScadaLink.AuditLog.Tests/AddAuditLogTests.cs` — smoke test: `services.AddAuditLog(config); var p = services.BuildServiceProvider(); Assert.NotNull(p.GetService<IOptions<AuditLogOptions>>());`.
+- Modify: `ScadaLink.slnx` — add both projects.
+
+**Steps:**
+1. `dotnet new classlib -n ScadaLink.AuditLog -o src/ScadaLink.AuditLog --framework net10.0` (then delete the default `Class1.cs`).
+2. `dotnet new xunit -n ScadaLink.AuditLog.Tests -o tests/ScadaLink.AuditLog.Tests --framework net10.0`.
+3. Add `<ProjectReference>` to Commons + ConfigurationDatabase in the src csproj; add reference to ScadaLink.AuditLog in the test csproj.
+4. Add both projects to `ScadaLink.slnx` (inside the existing `/src/` and `/tests/` folders).
+5. Add `<PackageReference Include="Microsoft.Extensions.Configuration.Binder" />` to the src csproj (already in `Directory.Packages.props`).
+6. Create stub `ServiceCollectionExtensions.AddAuditLog` (just registers options; writer impl comes in M2).
+7. Commit: `feat(auditlog): scaffold ScadaLink.AuditLog project (#23)`.
+
+### Task 9: AuditLogOptions
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/Configuration/AuditLogOptions.cs` — class with:
+  - `int DefaultCapBytes` (default 8192)
+  - `int ErrorCapBytes` (default 65536)
+  - `List<string> HeaderRedactList` (default: `[ "Authorization", "X-Api-Key", "Cookie", "Set-Cookie" ]`)
+  - `List<string> GlobalBodyRedactors` (default: empty)
+  - `Dictionary<string, PerTargetRedactionOverride> PerTargetOverrides` (default empty)
+  - `int RetentionDays` (default 365; range [30, 3650])
+- Create: `src/ScadaLink.AuditLog/Configuration/PerTargetRedactionOverride.cs` — minimal: `int? CapBytes`, `List<string>? AdditionalBodyRedactors`.
+- Create: `src/ScadaLink.AuditLog/Configuration/AuditLogOptionsValidator.cs` — `IValidateOptions<AuditLogOptions>` checking `DefaultCapBytes > 0`, `ErrorCapBytes >= DefaultCapBytes`, `RetentionDays` in `[30, 3650]`.
+- Modify: `src/ScadaLink.AuditLog/ServiceCollectionExtensions.AddAuditLog` to `services.AddOptions<AuditLogOptions>().Bind(config.GetSection("AuditLog")).ValidateOnStart(); services.AddSingleton<IValidateOptions<AuditLogOptions>, AuditLogOptionsValidator>();`.
+- Add: `tests/ScadaLink.AuditLog.Tests/Configuration/AuditLogOptionsTests.cs`:
+  - Bind valid section → values present.
+  - Bind invalid `RetentionDays = 0` → validator rejects.
+  - Bind invalid `ErrorCapBytes < DefaultCapBytes` → validator rejects.
+
+**Steps:**
+1. Failing test: valid bind round-trip.
+2. Implement options class.
+3. Failing test: invalid `RetentionDays`.
+4. Implement validator.
+5. Failing test: invalid `ErrorCapBytes`.
+6. Validator covers it.
+7. Run: pass.
+8. Commit: `feat(auditlog): add AuditLogOptions + validator (#23)`.
+
+**Bundle E acceptance:** New `src/ScadaLink.AuditLog/` project builds. Solution still builds. Smoke + options tests green. `ScadaLink.slnx` includes both new entries.
+
+---
+
+## Bundle F — Docs paper trail (controller-direct)
+
+### Task 11: Register AuditLog project in Component-Host.md and confirm README
+
+**Files:**
+- Modify: `docs/requirements/Component-Host.md` — list `ScadaLink.AuditLog` in the central role's registration set.
+- Modify: `README.md` — confirm row #23 link reflects the new project (no functional change unless missing).
+
+This is a 1–3 line edit. Per the cadence memory, controller does it directly without a subagent.
+
+**Commit:** `docs(audit): register ScadaLink.AuditLog project in Host role (#23)`.
+
+---
+
+## Final cross-bundle review
+
+After all bundles ship:
+
+- Dispatch a final code-reviewer subagent over the whole M1 branch.
+- Acceptance gate (from goal prompt step E):
+  - `dotnet test ScadaLink.slnx` green (full solution).
+  - All M1 roadmap acceptance criteria met; each cited by name to the proving test.
+- If green, merge to main `--no-ff` with summary message (step F).
+- Update M2–M8 sections of the roadmap with realities learned (step G), commit.
+- Status paragraph (step H).
+- Proceed to M2 (step I).

docs/plans/2026-05-20-auditlog-m1-foundation.md.tasks.json

@@ -0,0 +1,24 @@
+{
+  "planPath": "docs/plans/2026-05-20-auditlog-m1-foundation.md",
+  "tasks": [
+    {"id": "A1", "subject": "Bundle A T1: Add audit enums (Channel, Kind, Status, ForwardState)", "status": "pending"},
+    {"id": "A2", "subject": "Bundle A T2: Add AuditEvent record", "status": "pending", "blockedBy": ["A1"]},
+    {"id": "A3", "subject": "Bundle A T3: Add IAuditWriter + ICentralAuditWriter", "status": "pending", "blockedBy": ["A2"]},
+    {"id": "A4", "subject": "Bundle A T4: Add audit telemetry + pull message DTOs", "status": "pending", "blockedBy": ["A2"]},
+    {"id": "A-rev", "subject": "Bundle A combined spec+quality review", "status": "pending", "blockedBy": ["A1", "A2", "A3", "A4"]},
+    {"id": "B5", "subject": "Bundle B T5: ScadaLinkDbContext.AuditLogs + IEntityTypeConfiguration<AuditEvent> with five named indexes", "status": "pending", "blockedBy": ["A-rev"]},
+    {"id": "B-rev", "subject": "Bundle B review", "status": "pending", "blockedBy": ["B5"]},
+    {"id": "C67", "subject": "Bundle C T6+T7: AddAuditLogTable migration (partition fn/scheme/table/indexes) + DB roles, with infra/mssql integration tests", "status": "pending", "blockedBy": ["B-rev"]},
+    {"id": "C-rev", "subject": "Bundle C review", "status": "pending", "blockedBy": ["C67"]},
+    {"id": "D8", "subject": "Bundle D T8: IAuditLogRepository + EF implementation + DI registration", "status": "pending", "blockedBy": ["C-rev"]},
+    {"id": "D-rev", "subject": "Bundle D review", "status": "pending", "blockedBy": ["D8"]},
+    {"id": "E10", "subject": "Bundle E T10: Scaffold src/ScadaLink.AuditLog/ project + slnx entries", "status": "pending", "blockedBy": ["D-rev"]},
+    {"id": "E9", "subject": "Bundle E T9: AuditLogOptions + validator", "status": "pending", "blockedBy": ["E10"]},
+    {"id": "E-rev", "subject": "Bundle E review", "status": "pending", "blockedBy": ["E10", "E9"]},
+    {"id": "F11", "subject": "Bundle F T11 (controller-direct): Register ScadaLink.AuditLog in Component-Host.md + README confirm", "status": "pending", "blockedBy": ["E-rev"]},
+    {"id": "FINAL-rev", "subject": "Final cross-bundle review over the whole M1 branch", "status": "pending", "blockedBy": ["F11"]},
+    {"id": "MERGE", "subject": "Verify gate: full solution dotnet test green, then merge --no-ff to main", "status": "pending", "blockedBy": ["FINAL-rev"]},
+    {"id": "ROADMAP", "subject": "Update downstream M2-M8 sections of roadmap with realities learned in M1", "status": "pending", "blockedBy": ["MERGE"]}
+  ],
+  "lastUpdated": "2026-05-20T00:00:00Z"
+}

docs/plans/2026-05-20-auditlog-m2-site-sync-pipeline.md

@@ -0,0 +1,408 @@
+# Audit Log #23 — M2 Site Pipeline (sync-only) Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers-extended-cc:subagent-driven-development (bundled cadence per `feedback_subagent_cadence`).
+
+**Goal:** First end-to-end audit emission. A script-initiated `ExternalSystem.Call()` produces exactly one `ApiOutbound`/`ApiCall` row in the central `AuditLog` table via site SQLite hot-path + gRPC push telemetry + central ingest actor. Audit-write failures NEVER abort the script.
+
+**Architecture (decisions locked):**
+- Provenance: **Wrap CallAsync in ScriptRuntimeContext** — IExternalSystemClient.CallAsync signature unchanged; ScriptRuntimeContext.ExternalSystem.Call captures instance/script/site and emits the AuditEvent via IAuditWriter.
+- Direction: **Push primary** — SiteAuditTelemetryActor batches Pending rows and pushes via a new `IngestAuditEvents` unary gRPC RPC on `sitestream.proto`. Pull (reconciliation) deferred to M6.
+- E2E: **Component-level test** via TestKit + MSSQL fixture; stubbed gRPC client forwards directly to the central ingest actor. No expansion of `ScadaLinkWebApplicationFactory`.
+- Site writer: **Mirror SiteEventLogger** — `Channel<PendingAuditEvent>` + background writer Task for sub-ms enqueue durability.
+
+**M1 realities baked in:**
+- Enum vocabulary: `AuditKind.ApiCall` for sync API call; `AuditStatus.Delivered` for success, `AuditStatus.Failed` for HTTP non-2xx (permanent OR transient → both Failed for a sync call; cached path differs in M3). The "Status=Success/TransientFailure/PermanentFailure" wording in the roadmap is stale and must be replaced with the new vocabulary.
+- `AuditLogRepository.InsertIfNotExistsAsync` race window — M2 is the first concurrent writer; harden it before AuditLogIngestActor lands.
+- Keyset tiebreaker test gap from Bundle D — add a same-OccurredAt test in M2.
+- `MsSqlMigrationFixture` reusable as-is; promoted to `[CollectionDefinition]`-shared if multiple test classes need it (defer until actually needed).
+- `Xunit.SkippableFact` + `Skip.IfNot(_fixture.Available, _fixture.SkipReason)` for any MSSQL-dependent tests.
+- `ScadaLink.AuditLog/Site/` and `ScadaLink.AuditLog/Central/` and `ScadaLink.AuditLog/Telemetry/` subfolders. DI extension `AddAuditLog` is the registration point.
+
+**Tech stack additions:**
+- `Microsoft.Data.Sqlite 10.0.7` (pinned).
+- `Akka.TestKit.Xunit2 1.5.62` (pinned).
+- `Grpc.Tools` already configured in `ScadaLink.Communication.csproj`.
+
+---
+
+## Bundles
+
+- **Bundle A — Repo race-fix + tiebreaker test** (M1 realities catch-up).
+- **Bundle B — Site SQLite writer + fallback** (M2-T1, T2, T3, T4).
+- **Bundle C — gRPC proto + mapper** (M2-T5, T6).
+- **Bundle D — Telemetry actor + ingest actor + gRPC handler** (M2-T7, T8).
+- **Bundle E — Host wiring** (M2-T9).
+- **Bundle F — ESG emission via ScriptRuntimeContext wrapper** (M2-T10).
+- **Bundle G — Health metric SiteAuditWriteFailures** (M2-T11).
+- **Bundle H — Component-level integration test** (M2-T12).
+
+Final cross-bundle reviewer pass, then merge + roadmap update.
+
+---
+
+## Bundle A — Repo race-fix + keyset tiebreaker test
+
+### Task A1: Harden `InsertIfNotExistsAsync` against duplicate-key race
+
+**Files:**
+- Modify: `src/ScadaLink.ConfigurationDatabase/Repositories/AuditLogRepository.cs:30-60` — wrap the `ExecuteSqlInterpolatedAsync` call in a `try/catch Microsoft.Data.SqlClient.SqlException` that swallows error numbers 2601 and 2627 (unique-index violation on `UX_AuditLog_EventId`) and logs at Debug. Other SqlExceptions rethrow.
+- Modify: `tests/ScadaLink.ConfigurationDatabase.Tests/Repositories/AuditLogRepositoryTests.cs` — add:
+  - `InsertIfNotExistsAsync_ConcurrentDuplicateInserts_ProduceExactlyOneRow` — fire 50 parallel `InsertIfNotExistsAsync` calls with the same `EventId`, assert row count = 1 and no exception escapes.
+  - `QueryAsync_Keyset_SameOccurredAtUtc_TiebreaksOnEventId` — Bundle D reviewer's deferred recommendation. Insert 4 rows with identical OccurredAtUtc but distinct EventIds; page through them with PageSize=2; assert no overlap, correct count, and that the second page's first row's EventId is strictly less than the first page's last row's EventId.
+
+**Steps:**
+1. Write failing concurrency test.
+2. Run: expect SqlException 2601/2627 OR identical-row-count violation.
+3. Add try/catch in the repo.
+4. Run: pass.
+5. Write failing keyset-tiebreaker test.
+6. Run: depending on EF Core 10's Guid.CompareTo translation, this may already pass — confirm.
+7. If passing, the test locks in the behavior; commit anyway.
+8. Commit: `fix(configdb): InsertIfNotExistsAsync swallows duplicate-key races + add keyset tiebreaker test (#23)`.
+
+**Bundle A acceptance:** All ConfigurationDatabase.Tests still green; 2 new tests pass.
+
+---
+
+## Bundle B — Site SQLite writer + fallback (mirror SiteEventLogger pattern)
+
+### Task B1: `SqliteAuditWriter` — schema + connection bootstrap
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/Site/SqliteAuditWriter.cs` — implements `IAuditWriter` per Bundle A's signature (single `Task WriteAsync(AuditEvent evt, CancellationToken ct = default)`). Constructor takes `IOptions<SqliteAuditWriterOptions>` + `ILogger`. Single `SqliteConnection` opened at construction (`Data Source={path};Cache=Shared`). Sync `_writeLock` Monitor-pattern (mirrors `SiteEventLogger.cs:32`). Inline `InitializeSchema()` runs `PRAGMA auto_vacuum = INCREMENTAL` + `CREATE TABLE IF NOT EXISTS AuditLog (...)`.
+- Create: `src/ScadaLink.AuditLog/Site/SqliteAuditWriterOptions.cs` — `string DatabasePath = "auditlog.db"`, `int ChannelCapacity = 4096` (bounded; drop-oldest applies in Bundle B-T3 ring overflow, but the writer's pending channel is bounded as a safety net), `int BatchSize = 256`, `int FlushIntervalMs = 50`.
+- Create: `tests/ScadaLink.AuditLog.Tests/Site/SqliteAuditWriterSchemaTests.cs`.
+
+**Schema (20 site columns + ForwardState — IngestedAtUtc is central-only):**
+
+```sql
+CREATE TABLE IF NOT EXISTS AuditLog (
+    EventId            TEXT    NOT NULL,
+    OccurredAtUtc      TEXT    NOT NULL,
+    Channel            TEXT    NOT NULL,
+    Kind               TEXT    NOT NULL,
+    CorrelationId      TEXT    NULL,
+    SourceSiteId       TEXT    NULL,
+    SourceInstanceId   TEXT    NULL,
+    SourceScript       TEXT    NULL,
+    Actor              TEXT    NULL,
+    Target             TEXT    NULL,
+    Status             TEXT    NOT NULL,
+    HttpStatus         INTEGER NULL,
+    DurationMs         INTEGER NULL,
+    ErrorMessage       TEXT    NULL,
+    ErrorDetail        TEXT    NULL,
+    RequestSummary     TEXT    NULL,
+    ResponseSummary    TEXT    NULL,
+    PayloadTruncated   INTEGER NOT NULL,
+    Extra              TEXT    NULL,
+    ForwardState       TEXT    NOT NULL,
+    PRIMARY KEY (EventId)
+);
+CREATE INDEX IF NOT EXISTS IX_SiteAuditLog_ForwardState_Occurred
+    ON AuditLog (ForwardState, OccurredAtUtc);
+```
+
+**Tests:**
+1. `Opens_Creates_AuditLog_Table_With_All_Columns_And_PK`
+2. `Opens_Creates_IX_ForwardState_Occurred_Index`
+3. `PRAGMA_auto_vacuum_Is_INCREMENTAL`
+
+**Steps:**
+1. Failing test asserts table + PK + 20 columns + index via `PRAGMA table_info(AuditLog)` + `PRAGMA index_list(AuditLog)`.
+2. Implement constructor + InitializeSchema with inline SQL.
+3. Run: pass.
+4. Commit: `feat(auditlog): SqliteAuditWriter schema bootstrap (#23)`.
+
+### Task B2: `SqliteAuditWriter` — Channel<T> + background writer for hot-path
+
+**Files:**
+- Modify: `src/ScadaLink.AuditLog/Site/SqliteAuditWriter.cs` — add `Channel<PendingAuditEvent> _writeQueue` (bounded BoundedChannelFullMode.Wait, default capacity 4096), background `Task ProcessWriteQueueAsync()` launched in constructor. `WriteAsync` enqueues + returns the pending's `TaskCompletionSource`. The loop reads up to `BatchSize`, opens a transaction, INSERTs all events, commits, completes the TCS for each.
+- Pattern mirrors `src/ScadaLink.SiteEventLogging/SiteEventLogger.cs:135-173`.
+- Test: `tests/ScadaLink.AuditLog.Tests/Site/SqliteAuditWriterWriteTests.cs`.
+
+**Tests:**
+1. `WriteAsync_FreshEvent_PersistsWithForwardStatePending` — write one event, query SQLite, assert row has `ForwardState='Pending'`.
+2. `WriteAsync_Concurrent_1000Calls_All_Persist_NoExceptions` — fire 1000 parallel WriteAsync, assert row count = 1000 and zero exceptions surface.
+3. `WriteAsync_LatencyP99_LessThan_5ms_For_Enqueue` — assert TCS Task.IsCompleted within reasonable time AFTER awaiting, but the enqueue itself returns near-instantly (verify via a stopwatch around the Channel.Writer.TryWriteAsync).
+4. `WriteAsync_DuplicateEventId_FirstWriteWins_NoException` — insert same EventId twice, assert one row only and no exception (the PRIMARY KEY violation is caught/swallowed in the writer loop).
+
+**Steps:**
+1. Failing tests for 1, 2, 4.
+2. Implement Channel + background loop + transactional batch INSERT.
+3. Run: pass.
+4. Commit: `feat(auditlog): SqliteAuditWriter Channel-based hot-path write (#23)`.
+
+### Task B3: `RingBufferFallback`
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/Site/RingBufferFallback.cs` — `Channel<AuditEvent>` bounded at 1024 with `BoundedChannelFullMode.DropOldest`. Exposes `bool TryEnqueue(AuditEvent)`, `IAsyncEnumerable<AuditEvent> DrainAsync(CancellationToken)`, and an event `RingBufferOverflowed` (callback for the health counter).
+- Test: `tests/ScadaLink.AuditLog.Tests/Site/RingBufferFallbackTests.cs`.
+
+**Tests:**
+1. `Enqueue_1025_Into_1024Cap_Ring_DropsOldest_AndRaisesOverflow` — invoke 1025 enqueues, assert the OverflowEvent counter increments once, and the surviving 1024 are the latest.
+2. `DrainAsync_Yields_FIFO_Then_Completes_When_Empty`.
+
+**Steps:**
+1. Failing tests.
+2. Implement using `Channel.CreateBounded<AuditEvent>(new BoundedChannelOptions(1024) { FullMode = BoundedChannelFullMode.DropOldest })`.
+3. Run: pass.
+4. Commit: `feat(auditlog): RingBufferFallback with drop-oldest overflow (#23)`.
+
+### Task B4: `FallbackAuditWriter` — compose primary + ring
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/Site/FallbackAuditWriter.cs` — implements `IAuditWriter`. Constructor takes the primary `SqliteAuditWriter` + `RingBufferFallback` + `IAuditWriteFailureCounter` (lightweight DI'd interface, Bundle G implements it as `SiteAuditWriteFailures` counter on health metrics). On primary success: returns. On primary throw: increments counter, enqueues into ring (DropOldest), returns success. On the NEXT successful primary call (success after a failure window), drains the ring back through the primary.
+- Test: `tests/ScadaLink.AuditLog.Tests/Site/FallbackAuditWriterTests.cs`.
+
+**Tests:**
+1. `WriteAsync_PrimaryThrows_EventLandsInRing_CallReturnsSuccess`.
+2. `WriteAsync_PrimaryRecovers_RingDrains_InFIFOOrder_OnNextWrite`.
+3. `WriteAsync_PrimaryAlwaysSucceeds_Ring_StaysEmpty`.
+
+**Steps:**
+1. Failing tests.
+2. Implement; mock the primary with a `Func<AuditEvent, Task>` flip-switch failure.
+3. Run: pass.
+4. Commit: `feat(auditlog): FallbackAuditWriter compose SQLite + ring (#23)`.
+
+**Bundle B acceptance:** 4 tasks merged. `ScadaLink.AuditLog.Tests` adds ~12+ tests. No regressions.
+
+---
+
+## Bundle C — gRPC proto + mapper
+
+### Task C1: Extend `sitestream.proto` with `IngestAuditEvents`
+
+**Files:**
+- Modify: `src/ScadaLink.Communication/Protos/sitestream.proto` — add the messages and unary RPC. Use `google.protobuf.Timestamp` for `OccurredAtUtc`; encode enums as `string` (matches the EF mapping).
+
+Proposed addition:
+```proto
+message AuditEventDto {
+  string event_id = 1;
+  google.protobuf.Timestamp occurred_at_utc = 2;
+  string channel = 3;
+  string kind = 4;
+  string correlation_id = 5;        // empty string when null
+  string source_site_id = 6;
+  string source_instance_id = 7;
+  string source_script = 8;
+  string actor = 9;
+  string target = 10;
+  string status = 11;
+  google.protobuf.Int32Value http_status = 12;
+  google.protobuf.Int32Value duration_ms = 13;
+  string error_message = 14;
+  string error_detail = 15;
+  string request_summary = 16;
+  string response_summary = 17;
+  bool payload_truncated = 18;
+  string extra = 19;
+}
+message AuditEventBatch { repeated AuditEventDto events = 1; }
+message IngestAck { repeated string accepted_event_ids = 1; }
+
+service SiteStreamService {
+  // existing rpcs...
+  rpc IngestAuditEvents(AuditEventBatch) returns (IngestAck);
+}
+```
+
+(Use `google.protobuf.Int32Value` to encode nullable ints; empty string semantics for nullable text fields.)
+
+- Test: `tests/ScadaLink.Communication.Tests/Protos/AuditEventProtoTests.cs`.
+
+**Steps:**
+1. Edit proto + rebuild (`dotnet build src/ScadaLink.Communication/`).
+2. Failing test round-trips an `AuditEventDto` through `ToByteArray()` and `Parser.ParseFrom()`; asserts all populated fields survive.
+3. Run: pass.
+4. Commit: `feat(comms): IngestAuditEvents RPC + AuditEventDto proto (#23)`.
+
+### Task C2: `AuditEvent` ↔ `AuditEventDto` mapper
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/Telemetry/AuditEventMapper.cs` — static `ToDto(AuditEvent)` and `FromDto(AuditEventDto)`. Handles nullable→empty-string, Timestamp↔DateTime UTC, enum↔string. ForwardState NOT carried in the proto (site-local only; central never sees it).
+- Test: `tests/ScadaLink.AuditLog.Tests/Telemetry/AuditEventMapperTests.cs`.
+
+**Tests:**
+1. `Roundtrip_FullyPopulated_PreservesAllFields`.
+2. `Roundtrip_AllNullableFieldsNull_ProducesEmptyDtoFields`.
+3. `FromDto_EmptyOptionalString_BecomesNullProperty`.
+4. `ToDto_Sets_OccurredAtUtc_As_UtcTimestamp` — Round-trip with `DateTimeKind.Utc` preserved.
+
+**Steps:**
+1. Failing tests.
+2. Implement.
+3. Run: pass.
+4. Commit: `feat(auditlog): AuditEvent ↔ proto mapper (#23)`.
+
+**Bundle C acceptance:** Communication.Tests + AuditLog.Tests still green; proto rebuilds cleanly.
+
+---
+
+## Bundle D — SiteAuditTelemetryActor + AuditLogIngestActor + gRPC handler
+
+### Task D1: `SiteAuditTelemetryActor` — drain loop
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/Site/Telemetry/SiteAuditTelemetryActor.cs` — `ReceiveActor`. On `Drain`: queries `SqliteAuditWriter.ReadPendingAsync(BatchSize)`, calls `gRPC client.IngestAuditEventsAsync(batch)`, on ack flips returned EventIds to `Forwarded` via `SqliteAuditWriter.MarkForwardedAsync(eventIds)`. Re-schedules `Drain` self-tick: 5s if ≥1 row drained, 30s otherwise. On gRPC error: re-schedule 5s; rows stay Pending.
+- Modify: `src/ScadaLink.AuditLog/Site/SqliteAuditWriter.cs` — add `ReadPendingAsync(int limit, CancellationToken)` returning `IReadOnlyList<AuditEvent>` (with ForwardState=Pending), and `MarkForwardedAsync(IReadOnlyList<Guid> eventIds, CancellationToken)`.
+- Create: `src/ScadaLink.AuditLog/Site/Telemetry/SiteAuditTelemetryOptions.cs` — `BatchSize=256`, `BusyIntervalSeconds=5`, `IdleIntervalSeconds=30`.
+- Test: `tests/ScadaLink.AuditLog.Tests/Site/Telemetry/SiteAuditTelemetryActorTests.cs` using `TestKit` + NSubstitute-mocked gRPC client.
+
+**Tests:**
+1. `Drain_With_50PendingRows_Sends_OneBatch_Of_50`.
+2. `Drain_Ack_Flips_Rows_To_Forwarded`.
+3. `Drain_GrpcThrows_Rows_StayPending_NextTick_Retries`.
+4. `Drain_Cadence_5s_AfterNonZero_30s_AfterZero` (via `TestScheduler`).
+
+**Steps:**
+1. Failing tests.
+2. Implement.
+3. Run: pass.
+4. Commit: `feat(auditlog): SiteAuditTelemetryActor drain loop (#23)`.
+
+### Task D2: `AuditLogIngestActor` + gRPC server handler
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/Central/AuditLogIngestActor.cs` — `ReceiveActor` accepting `IngestAuditEventsCommand(IReadOnlyList<AuditEvent> events, IActorRef replyTo)`. For each event, calls `IAuditLogRepository.InsertIfNotExistsAsync` (which now swallows duplicates per Bundle A). Sets `IngestedAtUtc = DateTime.UtcNow` before insert (this is the central-side timestamp). Replies with `IngestAck(acceptedEventIds)` — by spec "accepted" includes already-existed rows (idempotent semantics).
+- Create: `src/ScadaLink.AuditLog/Central/IngestAuditEventsCommand.cs` (Akka message).
+- Create: `src/ScadaLink.AuditLog/Central/IngestAck.cs` (Akka reply).
+- Modify: `src/ScadaLink.Communication/SiteStreamGrpc/SiteStreamGrpcServer.cs` — implement `public override async Task<IngestAck> IngestAuditEvents(AuditEventBatch request, ServerCallContext context)` — Ask the central `AuditLogIngestActor` proxy with the deserialized batch, await reply, return.
+- Modify: `src/ScadaLink.Communication/SiteStreamGrpc/SiteStreamGrpcServer.cs` — add a setter `SetAuditIngestActor(IActorRef)` mirroring how `SetNotificationOutbox` is wired (per recon: Notification Outbox proxy is handed in via `commService?.SetNotificationOutbox(outboxProxy)`).
+- Test: `tests/ScadaLink.AuditLog.Tests/Central/AuditLogIngestActorTests.cs`.
+- Test: `tests/ScadaLink.Communication.Tests/SiteStreamIngestAuditEventsTests.cs`.
+
+**Tests:**
+1. `Receive_BatchOf5_Calls_Repo_5Times_Acks_All`.
+2. `Receive_BatchWith_AlreadyExistingEvent_AcksAll_NoDoubleInsert` (idempotent).
+3. `Receive_RepoThrowsTransient_Replies_AckExcludingFailedEventIds_LogsError` (partial-failure semantics — what gets acked is what was persisted).
+4. `Receive_Sets_IngestedAtUtc_Before_Insert`.
+5. `gRPC_Handler_Routes_To_Actor_Returns_Reply`.
+
+**Steps:**
+1. Failing tests.
+2. Implement actor + gRPC handler.
+3. Run: pass.
+4. Commit: `feat(auditlog): AuditLogIngestActor + gRPC handler (#23)`.
+
+**Bundle D acceptance:** New actor + gRPC handler tests all green.
+
+---
+
+## Bundle E — Host wiring (central singleton + site actor + dispatcher)
+
+### Task E1: Register `AuditLogIngestActor` + `SiteAuditTelemetryActor` + dispatcher
+
+**Files:**
+- Modify: `src/ScadaLink.Host/Actors/AkkaHostedService.cs` — mirror the Notification Outbox pattern (recon report's exact lines 272-295):
+  - Central role: `AuditLogIngestActor` as `ClusterSingletonManager` (singleton name `"audit-log-ingest"`) + `ClusterSingletonProxy` (`"audit-log-ingest-proxy"`). Hand the proxy to `SiteStreamGrpcServer.SetAuditIngestActor(proxy)`.
+  - Site role: `SiteAuditTelemetryActor` as a per-site actor (`actorSystem.ActorOf(Props.Create(...)`), bound to the dedicated dispatcher (below).
+- Modify: HOCON in `src/ScadaLink.Host/Configuration/` (the existing akka config file) — add:
+  ```
+  audit-telemetry-dispatcher {
+    type = ForkJoinDispatcher
+    throughput = 100
+    dedicated-thread-pool { thread-count = 2 }
+  }
+  ```
+  Apply `.WithDispatcher("audit-telemetry-dispatcher")` to `SiteAuditTelemetryActor`'s Props.
+- Modify: `src/ScadaLink.AuditLog/ServiceCollectionExtensions.cs:AddAuditLog` — register the SqliteAuditWriter+RingBufferFallback+FallbackAuditWriter chain and the actor factories.
+- Test: `tests/ScadaLink.Host.Tests/AkkaHostedServiceAuditWiringTests.cs`.
+
+**Tests:**
+1. `Central_Host_Starts_With_AuditLogIngest_Singleton_Healthy`.
+2. `Site_Host_Starts_With_SiteAuditTelemetry_Bound_To_DedicatedDispatcher`.
+3. `AuditWriter_Resolves_From_DI_To_FallbackAuditWriter`.
+
+**Steps:**
+1. Failing tests against current host (which doesn't wire audit).
+2. Implement wiring.
+3. Run: pass.
+4. Commit: `feat(host): register Audit Log #23 singletons with dedicated dispatcher`.
+
+**Bundle E acceptance:** Host.Tests still green; 3 new tests pass.
+
+---
+
+## Bundle F — ESG audit emission via ScriptRuntimeContext wrapper
+
+### Task F1: Wrap `ExternalSystem.Call` in `ScriptRuntimeContext` to emit audit
+
+**Files:**
+- Modify: `src/ScadaLink.SiteRuntime/Scripts/ScriptRuntimeContext.cs` — find the existing `ExternalSystem.Call` method (or add one if scripts call through a dynamic API surface). Inside, after `_externalSystemClient.CallAsync(...)` returns OR throws, build the `AuditEvent` (channel=`ApiOutbound`, kind=`ApiCall`, status=`Delivered` for success, `Failed` for HTTP non-2xx or exception, populate `Target=$"{systemName}.{methodName}"`, `SourceSiteId={siteId}`, `SourceInstanceId={instanceName}`, `SourceScript={sourceScript}`, `DurationMs={stopwatch}`, `HttpStatus`, `ErrorMessage`). Call `_auditWriter.WriteAsync(evt)` inside a try/catch that swallows + logs at Warning + increments `SiteAuditWriteFailures` (via the same counter Bundle G defines). Re-throw the original ExternalSystem exception (if any) so the script sees its original error path unchanged.
+- Modify: `src/ScadaLink.SiteRuntime/Scripts/ScriptRuntimeContext.cs` constructor — inject `IAuditWriter`.
+- Modify: `src/ScadaLink.SiteRuntime/Actors/ScriptExecutionActor.cs` — resolve and pass `IAuditWriter` into the ScriptRuntimeContext.
+- Test: `tests/ScadaLink.SiteRuntime.Tests/Scripts/ExternalSystemCallAuditEmissionTests.cs`.
+
+**Tests:**
+1. `Call_Success_EmitsOneEvent_Channel_ApiOutbound_Kind_ApiCall_Status_Delivered`.
+2. `Call_HTTP500_EmitsEvent_Status_Failed_HttpStatus_500_ErrorMessage_Set`.
+3. `Call_HTTP400_EmitsEvent_Status_Failed_HttpStatus_400`.
+4. `Call_ClientThrows_NetworkError_EmitsEvent_Status_Failed_ErrorMessage_SetFromException`.
+5. `AuditWriter_Throws_Script_Call_Returns_Original_Result_Unchanged_Audit_Failure_Counter_Incremented`.
+6. `Provenance_Populated_FromContext` — SourceInstanceId, SourceScript, SourceSiteId all match the ScriptRuntimeContext's values.
+
+**Steps:**
+1. Failing tests.
+2. Implement wrapper + provenance threading.
+3. Run: pass.
+4. Commit: `feat(siteruntime): ExternalSystem.Call emits Audit Log #23 event on every sync call`.
+
+**Bundle F acceptance:** SiteRuntime.Tests still green; 6 new tests.
+
+---
+
+## Bundle G — Health metric `SiteAuditWriteFailures`
+
+### Task G1: Counter + DI surface
+
+**Files:**
+- Create: `src/ScadaLink.AuditLog/Site/IAuditWriteFailureCounter.cs` — `void Increment();`. Bundle B's `FallbackAuditWriter` already takes this.
+- Modify: `src/ScadaLink.HealthMonitoring/SiteHealthCollector.cs` — add `int _siteAuditWriteFailures` field + `IncrementSiteAuditWriteFailures()` method using `Interlocked.Increment`. Expose via a snapshot read.
+- Modify: `src/ScadaLink.HealthMonitoring/SiteHealthState.cs` — add `SiteAuditWriteFailures` property to the report payload.
+- Implementation: a small adapter class `HealthMetricsAuditWriteFailureCounter : IAuditWriteFailureCounter` registered in DI that bridges to `ISiteHealthCollector.IncrementSiteAuditWriteFailures()`.
+- Test: `tests/ScadaLink.HealthMonitoring.Tests/SiteAuditWriteFailuresMetricTests.cs`.
+
+**Tests:**
+1. `Increment_Three_Times_Counter_Reports_3`.
+2. `Report_Payload_Includes_SiteAuditWriteFailures`.
+
+**Steps:**
+1. Failing tests.
+2. Implement counter + adapter + DI registration.
+3. Run: pass.
+4. Commit: `feat(health): SiteAuditWriteFailures counter (#23)`.
+
+**Bundle G acceptance:** HealthMonitoring.Tests still green; 2 new tests.
+
+---
+
+## Bundle H — Component-level integration test
+
+### Task H1: End-to-end via TestKit + MSSQL fixture
+
+**Files:**
+- Create: `tests/ScadaLink.AuditLog.Tests/Integration/SyncCallEmissionEndToEndTests.cs` — uses `MsSqlMigrationFixture` (the M1 reusable fixture; depend on `Xunit.SkippableFact`):
+  - Brings up `SqliteAuditWriter` against `:memory:`.
+  - Brings up `SiteAuditTelemetryActor` via TestKit.
+  - Brings up `AuditLogIngestActor` via TestKit, configured with the MSSQL `IAuditLogRepository` from M1.
+  - Stubs the gRPC client by overriding the actor's gRPC dependency with a direct `IActorRef`-backed mock that forwards `IngestAuditEvents` directly to the central actor.
+  - Writes one `AuditEvent` via the FallbackAuditWriter.
+  - Drives a `Drain` tick on the telemetry actor.
+  - Asserts the row appears in the MS SQL `AuditLog` table within 5 seconds via `IAuditLogRepository.QueryAsync`.
+
+**Steps:**
+1. Failing test (telemetry not yet wired).
+2. Wire the components together via the test harness.
+3. Run: pass.
+4. Commit: `test(auditlog): end-to-end sync-call emission via TestKit + MSSQL fixture (#23)`.
+
+**Bundle H acceptance:** New test passes when MSSQL container is up; skips cleanly when down.
+
+---
+
+## Final cross-bundle review
+
+After Bundles A–H, dispatch a final reviewer agent with the same template as M1's. Acceptance gate: full `dotnet test ScadaLink.slnx` green. Then merge `--no-ff` with summary; update M3–M8 with M2 realities; status paragraph; proceed to M3.

docs/plans/2026-05-20-auditlog-m3-cached-operations.md

@@ -0,0 +1,212 @@
+# Audit Log #23 — M3 Cached Operations + Dual-Write Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers-extended-cc:subagent-driven-development (bundled cadence per `feedback_subagent_cadence`).
+
+**Goal:** Cached external calls (`ExternalSystem.CachedCall`) and cached DB writes (`Database.CachedWrite`) each produce 4+ audit rows per operation (`CachedSubmit` → `ApiCallCached`/`DbWriteCached` × N attempts with statuses `Forwarded` then `Attempted` then `Delivered`/`Failed` → `CachedResolve` terminal) AND a `SiteCalls` row at central. Combined telemetry: site emits one packet per lifecycle event carrying both the AuditEvent and the SiteCalls upsert; central writes both in one MS SQL transaction. Audit-write failure never aborts the script.
+
+**Recommended-defaults applied:**
+- Telemetry proto: **new top-level RPC `IngestCachedTelemetry(CachedTelemetryBatch) returns (IngestAck)`** (sitestream.proto), separate from the M2 `IngestAuditEvents` to keep payload shapes distinct.
+- Forwarder: **separate `CachedCallTelemetryForwarder`** actor (or static dispatcher hooking into the existing `SiteAuditTelemetryActor`'s SQLite queue) — write the audit row + tracking row in one SQLite transaction, then let the existing telemetry actor drain both via the new RPC. Reuse the M2 Channel/SQLite hot-path infrastructure; do NOT introduce a parallel writer.
+- Provenance: mirror M2's `ScriptRuntimeContext` wrapper pattern — ScriptRuntimeContext's cached-call helpers capture instance/script/site and feed the combined packet.
+- IntegrationTests E2E: same component-level pattern as M2 Bundle H (`DirectActorSiteStreamAuditClient`), but extracted into `tests/ScadaLink.AuditLog.Tests/Integration/Infrastructure/` for reuse.
+
+**M2 realities baked in (from roadmap line 446-459):**
+- Use M1 vocabulary: `AuditKind.CachedSubmit` (enqueue), `AuditKind.ApiCallCached` / `AuditKind.DbWriteCached` (each attempt + post-forward), `AuditKind.CachedResolve` (terminal). `AuditStatus.Submitted` → `Forwarded` → `Attempted` × N → `Delivered`/`Failed`/`Parked`/`Discarded`. NO `CachedEnqueued`/`CachedAttempt`/`CachedTerminal` strings appear in code (those are pre-M1 spec wording the roadmap text still mentions; honor the enum vocabulary).
+- NoOpSiteStreamAuditClient still in production until M6; E2E tests use the M2 Bundle H pattern.
+- AuditEventMapper duplication note from M2: M3 should move the mapper into Commons (or document the gRPC inline duplication) since M3 adds a SECOND gRPC handler with the same DTO→entity translation work.
+- CachedCallTelemetry message creates from scratch (additive per Commons REQ-COM-5a) — NOT renamed to CachedOperationTelemetry.
+
+---
+
+## Bundles
+
+- **Bundle A — Commons types + tracking store** (T1, T2, T3, T4): TrackedOperationId, OperationTrackingStore, Tracking.Status API, CachedCallTelemetry message.
+- **Bundle B — SiteCalls table EF + migration + repo** (T5, T6, T7).
+- **Bundle C — SiteCallAudit project + actor** (T8).
+- **Bundle D — Proto + central dual-write transaction** (T9, T10).
+- **Bundle E — ESG / DB-gateway / S&F emissions** (T11, T12, T13, T14).
+- **Bundle F — Host registration** (T15).
+- **Bundle G — Integration tests** (T16, T17, T18).
+
+Final cross-bundle reviewer + merge to main.
+
+---
+
+## Bundle A — Commons types + tracking store
+
+### Task A1: TrackedOperationId strong-typed ID
+File: `src/ScadaLink.Commons/Types/TrackedOperationId.cs` — `public readonly record struct TrackedOperationId(Guid Value)`. Static `New()`, `Parse(string)`, `ToString()` returns Value.ToString("D"). Implicit conversion from Guid via `From(Guid)` (no operator implicit because record struct doesn't allow). Tests in `tests/ScadaLink.Commons.Tests/Types/TrackedOperationIdTests.cs`. Commit: `feat(commons): TrackedOperationId strong type (#23 M3)`.
+
+### Task A2: OperationTrackingStore (site-local SQLite)
+File: `src/ScadaLink.Commons/Interfaces/IOperationTrackingStore.cs` — `RecordEnqueueAsync`, `RecordAttemptAsync`, `RecordTerminalAsync`, `GetStatusAsync(TrackedOperationId)`, `PurgeTerminalAsync(olderThanUtc)`.
+File: `src/ScadaLink.SiteRuntime/Tracking/OperationTrackingStore.cs` — SQLite-backed, mirror SqliteAuditWriter pattern: Channel<T> + background writer Task + write-lock. Schema:
+```sql
+CREATE TABLE IF NOT EXISTS OperationTracking (
+  TrackedOperationId TEXT NOT NULL PRIMARY KEY,
+  Kind TEXT NOT NULL,
+  TargetSummary TEXT NULL,
+  Status TEXT NOT NULL,
+  RetryCount INTEGER NOT NULL DEFAULT 0,
+  LastError TEXT NULL,
+  HttpStatus INTEGER NULL,
+  CreatedAtUtc TEXT NOT NULL,
+  UpdatedAtUtc TEXT NOT NULL,
+  TerminalAtUtc TEXT NULL,
+  SourceInstanceId TEXT NULL,
+  SourceScript TEXT NULL);
+CREATE INDEX IF NOT EXISTS IX_OperationTracking_Status_Updated ON OperationTracking(Status, UpdatedAtUtc);
+```
+Tests: schema, insert+update sequence, terminal purge (only terminal rows older than threshold). Commit: `feat(siteruntime): OperationTrackingStore site-local SQLite (#23 M3)`.
+
+### Task A3: Tracking.Status script API
+File: `src/ScadaLink.SiteRuntime/Scripts/ScriptRuntimeContext.cs` — add a `Tracking` accessor exposing `Status(TrackedOperationId)` reading via `IOperationTrackingStore.GetStatusAsync`. Returns a `TrackingStatusSnapshot` record (Commons/Types) with `Status`, `RetryCount`, `LastError`, `CreatedAtUtc`, `UpdatedAtUtc`, `TerminalAtUtc`. Returns null for unknown IDs.
+Tests: known, unknown, terminal IDs. Commit: `feat(siteruntime): Tracking.Status script API (#23 M3)`.
+
+### Task A4: CachedCallTelemetry Commons message
+File: `src/ScadaLink.Commons/Messages/Integration/CachedCallTelemetry.cs` — `public sealed record CachedCallTelemetry(TrackedOperationId TrackedOperationId, AuditEvent Audit, SiteCallOperational Operational)` plus `SiteCallOperational` record (TrackedOperationId, Channel, Target, SourceSite, Status, RetryCount, LastError, HttpStatus, CreatedAtUtc, UpdatedAtUtc, TerminalAtUtc?).
+Tests: round-trip; lifecycle-specific construction (Submit/Attempted/Resolve). Commit: `feat(commons): CachedCallTelemetry combined operational+audit packet (#23 M3)`.
+
+---
+
+## Bundle B — SiteCalls EF + migration + repo
+
+### Task B1: SiteCall entity + EF mapping
+File: `src/ScadaLink.Commons/Entities/Audit/SiteCall.cs` — `public sealed record SiteCall` with fields per `SiteCallOperational` plus `IngestedAtUtc`.
+File: `src/ScadaLink.ConfigurationDatabase/Configurations/SiteCallEntityTypeConfiguration.cs` — table `SiteCalls`, PK on `TrackedOperationId`, indexes `IX_SiteCalls_Source_Created` on (SourceSite, CreatedAtUtc), `IX_SiteCalls_Status_Updated` on (Status, UpdatedAtUtc).
+Modify: `ScadaLinkDbContext.cs` — `public DbSet<SiteCall> SiteCalls => Set<SiteCall>();`.
+Tests as M1 pattern. Commit: `feat(configdb): map SiteCall to SiteCalls table (#23 M3)`.
+
+### Task B2: AddSiteCallsTable migration
+Generate via `dotnet ef migrations add AddSiteCallsTable --project src/ScadaLink.ConfigurationDatabase --startup-project src/ScadaLink.Host`. No partitioning (operational state, not audit). Use MsSqlMigrationFixture for integration test. Commit: `feat(configdb): add SiteCalls migration (#23 M3)`.
+
+### Task B3: ISiteCallAuditRepository + EF impl
+File: `src/ScadaLink.Commons/Interfaces/Repositories/ISiteCallAuditRepository.cs` — `UpsertAsync(SiteCall)` with **monotonic status progression** (later status wins; earlier status is no-op), `GetAsync(TrackedOperationId)`, `QueryAsync(filter, paging)`, `PurgeTerminalAsync(olderThanUtc)`.
+File: `src/ScadaLink.ConfigurationDatabase/Repositories/SiteCallAuditRepository.cs` — implement via `MERGE` or `INSERT ... WHERE NOT EXISTS` + `UPDATE WHERE TerminalAtUtc IS NULL AND <monotonic order check>`. Tests use MsSqlMigrationFixture. Commit: `feat(configdb): ISiteCallAuditRepository + EF impl (#23 M3)`.
+
+---
+
+## Bundle C — SiteCallAudit project + actor
+
+### Task C1: ScadaLink.SiteCallAudit project + actor
+Create: `src/ScadaLink.SiteCallAudit/ScadaLink.SiteCallAudit.csproj` (mirrors ScadaLink.AuditLog csproj style — net10.0, references Commons + ConfigurationDatabase). 
+Create: `src/ScadaLink.SiteCallAudit/SiteCallAuditActor.cs` — central singleton actor handling `UpsertSiteCallCommand(SiteCall siteCall)` by calling `ISiteCallAuditRepository.UpsertAsync` (scope-per-message via IServiceProvider, mirror AuditLogIngestActor). Idempotent via repo's monotonic upsert.
+Create: `src/ScadaLink.SiteCallAudit/ServiceCollectionExtensions.cs` — `AddSiteCallAudit()` registering actor props factory.
+Create: `tests/ScadaLink.SiteCallAudit.Tests/` project.
+Modify: `ScadaLink.slnx` — add src + tests entries.
+Commit: `feat(scaudit): SiteCallAuditActor minimum surface (#22, #23 M3)`.
+
+---
+
+## Bundle D — Proto + central dual-write transaction
+
+### Task D1: Extend sitestream.proto with IngestCachedTelemetry RPC
+Follow the documented protobuf regen procedure from M2 Bundle C (temporarily uncomment ItemGroup, build, copy back, recomment). Add:
+```proto
+message SiteCallOperationalDto {
+  string tracked_operation_id = 1;
+  string channel = 2;
+  string target = 3;
+  string source_site = 4;
+  string status = 5;
+  int32 retry_count = 6;
+  string last_error = 7;
+  google.protobuf.Int32Value http_status = 8;
+  google.protobuf.Timestamp created_at_utc = 9;
+  google.protobuf.Timestamp updated_at_utc = 10;
+  google.protobuf.Timestamp terminal_at_utc = 11;  // null when active
+}
+message CachedTelemetryPacket {
+  AuditEventDto audit_event = 1;
+  SiteCallOperationalDto operational = 2;
+}
+message CachedTelemetryBatch { repeated CachedTelemetryPacket packets = 1; }
+
+service SiteStreamService {
+  rpc IngestCachedTelemetry(CachedTelemetryBatch) returns (IngestAck);
+}
+```
+Test round-trips. Commit: `feat(comms): IngestCachedTelemetry RPC + CachedTelemetryPacket proto (#23 M3)`.
+
+### Task D2: Dual-write transaction in AuditLogIngestActor
+File: `src/ScadaLink.AuditLog/Central/AuditLogIngestActor.cs` (extend) — add `IngestCachedTelemetryCommand` handler. Inside one `DbContext.Database.BeginTransactionAsync()`:
+1. Call `IAuditLogRepository.InsertIfNotExistsAsync(auditEvent)` (idempotent already from M2 Bundle A).
+2. Call `ISiteCallAuditRepository.UpsertAsync(siteCallOperational)` (monotonic).
+3. Commit on both-success; rollback on either-throw (the central singleton SUPERVISES — actor doesn't crash).
+4. Reply `IngestAck(acceptedIds)`.
+
+Modify: `src/ScadaLink.Communication/SiteStreamGrpc/SiteStreamGrpcServer.cs` — implement `IngestCachedTelemetry` gRPC handler routing to actor. Same inline FromDto pattern as M2 (move to mapper if time permits per M2 reviewer recommendation).
+
+Add: `src/ScadaLink.Commons/Messages/Audit/IngestCachedTelemetryCommand.cs` and `IngestCachedTelemetryReply.cs` (Akka messages).
+
+Tests: 
+- Single packet → 1 AuditLog + 1 SiteCalls row.
+- Duplicate `EventId` + same status → AuditLog no-op, SiteCalls no-op (monotonic), no error.
+- Duplicate `EventId` + ADVANCED status → AuditLog no-op, SiteCalls updates.
+- SiteCalls upsert throws → AuditLog rolled back (no orphan).
+- AuditLog throws (non-duplicate) → SiteCalls rolled back.
+
+Commit: `feat(auditlog): combined telemetry dual-write transaction (#23 M3)`.
+
+---
+
+## Bundle E — ESG / DB / S&F lifecycle emissions
+
+### Task E1: ScriptRuntimeContext.ExternalSystem.CachedCall wrapper
+Mirror M2 Bundle F's `Call` wrapper. Differences:
+- Emit on enqueue: AuditEvent(Kind=CachedSubmit, Status=Submitted) + SiteCallOperational(Status=Submitted, RetryCount=0).
+- Calls `_externalSystemClient.CachedCallAsync` (resolves what S&F existing API surface looks like — discover by reading ExternalSystemClient).
+- Returns a `TrackedOperationId` immediately (a TrackedOperationId tracking handle).
+- Hands the operation to the existing StoreAndForward retry loop.
+
+For the per-attempt + terminal emissions, hook into the S&F dispatch loop (Bundle E2/E3).
+
+### Task E2: S&F retry-loop emission
+Find the S&F retry-attempt callback site in `src/ScadaLink.StoreAndForward/`. On each attempt (success/transient/permanent):
+- Build AuditEvent(Kind=ApiCallCached or DbWriteCached, Status=Attempted).
+- Build SiteCallOperational(Status=Attempted, RetryCount=N, LastError, HttpStatus).
+- Hand to `CachedCallTelemetryForwarder` which writes both to SQLite (AuditLog + OperationTracking tables, in one SQLite transaction) and lets SiteAuditTelemetryActor's drain loop push them.
+
+### Task E3: S&F terminal-state emission
+On final state transition (Delivered / Failed / Parked / Discarded):
+- Build AuditEvent(Kind=CachedResolve, Status={final state}).
+- Build SiteCallOperational(Status={final state}, TerminalAtUtc=DateTime.UtcNow).
+- Forward.
+
+### Task E4: Database.CachedWrite mirror
+Same three-event pattern but Channel=DbOutbound, Kind=DbWriteCached for attempts, Kind=CachedSubmit for enqueue, Kind=CachedResolve for terminal.
+
+Tests in ExternalSystemGateway.Tests + StoreAndForward.Tests.
+
+Commit (bundle-level): one commit per task, descriptive messages following M2 style.
+
+---
+
+## Bundle F — Host registration
+
+### Task F1: Register SiteCallAuditActor central singleton
+File: `src/ScadaLink.Host/Actors/AkkaHostedService.cs` — register `SiteCallAuditActor` central singleton + proxy alongside `AuditLogIngestActor`. Hand the proxy to `SiteStreamGrpcServer.SetSiteCallAuditActor(proxy)` (mirroring `SetAuditIngestActor`).
+File: `src/ScadaLink.Host/Program.cs` — call `.AddSiteCallAudit()` on the central role's services.
+Tests in `tests/ScadaLink.Host.Tests/AkkaHostedServiceAuditWiringTests.cs` (extend).
+Commit: `feat(host): register SiteCallAuditActor central singleton (#22, #23 M3)`.
+
+---
+
+## Bundle G — Integration tests
+
+### Task G1: Extract DirectActorSiteStreamAuditClient to shared infrastructure
+Move from `tests/ScadaLink.AuditLog.Tests/Integration/SyncCallEmissionEndToEndTests.cs` private inner class into `tests/ScadaLink.AuditLog.Tests/Integration/Infrastructure/DirectActorSiteStreamAuditClient.cs`. Extend to also implement the new `IngestCachedTelemetryAsync` method (mirror pattern).
+
+### Task G2: Cached call E2E test
+File: `tests/ScadaLink.AuditLog.Tests/Integration/CachedCallCombinedTelemetryTests.cs` (use AuditLog.Tests, not IntegrationTests, because the existing IntegrationTests harness disables Akka per M2 reality). Test: cached call that fails twice then succeeds produces 5 AuditLog rows (1 Submit + 1 Forwarded + 2 Attempted + 1 Resolve) + 1 SiteCalls row (Status=Delivered) + Tracking.Status reports Delivered.
+
+### Task G3: Cached DB write E2E test
+File: `tests/ScadaLink.AuditLog.Tests/Integration/CachedWriteCombinedTelemetryTests.cs`. Mirror G2 for DB.
+
+### Task G4: Idempotency test
+File: `tests/ScadaLink.AuditLog.Tests/Integration/CombinedTelemetryIdempotencyTests.cs`. Send the same packet twice; assert exactly 1 AuditLog row + 1 SiteCalls row.
+
+---
+
+## Final cross-bundle review + merge
+
+Same template as M1/M2.

docs/plans/2026-05-20-auditlog-m4-remaining-boundaries.md

@@ -0,0 +1,24 @@
+# Audit Log #23 — M4 Remaining Boundary Emission Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers-extended-cc:subagent-driven-development (bundled cadence).
+
+**Goal:** Close every remaining script-trust-boundary emission gap: sync DB writes/reads via Database.Connection().Execute*/ExecuteReader, Notification Outbox central dispatcher attempts + terminal, site-side Notify.Send submission, and Inbound API middleware. Audit-write failure NEVER aborts the user-facing action across all five new code paths.
+
+**Vocabulary (M3 reality-locked):**
+- `AuditKind.DbWrite` (Channel=DbOutbound) for both Execute and ExecuteReader; `Extra` carries `{"op":"write"|"read","rowsAffected":N|"rowsReturned":N}`.
+- `AuditKind.NotifyDeliver` for each Notification Outbox attempt; `AuditStatus.Attempted` on attempts, `AuditStatus.Delivered|Failed|Parked|Discarded` on terminal.
+- `AuditKind.NotifySend` for site-emit at Notify.Send; `AuditStatus.Submitted`.
+- `AuditKind.InboundRequest` for happy-path inbound; `AuditStatus.Delivered`. `AuditKind.InboundAuthFailure` for 401; `AuditStatus.Failed`.
+- `AuditStatus.Failed` replaces "PermanentFailure" / "TransientFailure" terminal wording throughout.
+
+**Bundles:**
+- Bundle A — DB sync emissions (T1, T2)
+- Bundle B — NotificationOutbox central emissions (T3, T4, T5)
+- Bundle C — Site Notify.Send emission (T6)
+- Bundle D — Inbound API audit middleware (T7, T8)
+- Bundle E — Integration tests (T9, T10, T11, T12)
+- Final cross-bundle review + merge
+
+Each task follows the M2 Bundle F / M3 Bundle E emission pattern: capture timing, build AuditEvent with provenance, write via try/catch that swallows + logs, never propagate audit failure to the user-facing action. Mirror M2's ScriptRuntimeContext wrapper pattern where the emission is script-context-aware.
+
+Integration tests go in `tests/ScadaLink.AuditLog.Tests/Integration/` (component-level per M2 Bundle H + M3 Bundle G — the existing IntegrationTests factory disables Akka).

docs/plans/2026-05-20-auditlog-m5-payload-redaction.md

@@ -0,0 +1,20 @@
+# Audit Log #23 — M5 Payload + Redaction Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers-extended-cc:subagent-driven-development (bundled cadence).
+
+**Goal:** Filter pipeline (IAuditPayloadFilter) runs between event construction and writer call. Truncates to 8 KB / 64 KB on error; applies HTTP header redactors (default list from M1-T9 AuditLogOptions); applies body regex redactors (global + per-target); applies SQL parameter redactors (per-connection opt-in); over-redacts on regex error and increments AuditRedactionFailure metric. Hot-reloadable config via IOptionsMonitor.
+
+**Vocabulary (M1 reality):** Error-row cap (64 KB) triggers when `Status NOT IN (AuditStatus.Delivered, AuditStatus.Submitted, AuditStatus.Forwarded)` — i.e., on `Failed/Parked/Discarded/Attempted/Skipped`. The roadmap's M5-T2 step references (Status=TransientFailure/PermanentFailure) are stale pre-M1 wording. Translation: `TransientFailure` = `Attempted` with HttpStatus 5xx OR `Failed`; `PermanentFailure` = `Failed`.
+
+**M4 realities baked in:** AuditingDb decorators, NotificationOutboxActor, AuditWriteMiddleware, site emission paths all need filter pluggin. Filter is invoked in:
+- FallbackAuditWriter.WriteAsync (site chain) — before SqliteAuditWriter.WriteAsync.
+- CentralAuditWriter.WriteAsync (central direct-write) — before IAuditLogRepository.InsertIfNotExistsAsync.
+- AuditLogIngestActor handlers — before InsertIfNotExistsAsync/UpsertAsync.
+
+**Bundles:**
+- Bundle A — Filter contract + truncation (T1, T2).
+- Bundle B — Header + body + SQL param redaction (T3, T4, T5).
+- Bundle C — Wire into emission paths + health metric (T6, T7).
+- Bundle D — Configuration binding + perf + safety-net edge cases (T8, T9, T10).
+
+Final cross-bundle review + merge.

docs/plans/2026-05-20-auditlog-m6-reconciliation-purge.md

@@ -0,0 +1,19 @@
+# Audit Log #23 — M6 Reconciliation + Purge + Partition Maintenance + Health Metrics
+
+> **For Claude:** subagent-driven-development with bundled cadence.
+
+**Goal:** Self-healing telemetry (5-min reconciliation pull), monthly partition rollover, daily partition-switch purge with drop-and-rebuild around UX_AuditLog_EventId, all five health metrics live (SiteAuditBacklog, SiteAuditWriteFailures, SiteAuditTelemetryStalled, CentralAuditWriteFailures, AuditRedactionFailure).
+
+**M5 realities baked in:** AuditRedactionFailure counter is site-only — M6-T9 surfaces it centrally. SwitchOutPartitionAsync ships as NotSupportedException stub from M1; M6-T4 replaces it with the drop-DROP-INDEX → SWITCH PARTITION → DROP staging → CREATE UNIQUE NONCLUSTERED INDEX dance. Partition function pre-seeded Jan 2026 – Dec 2027; M6-T5 SPLITs new boundaries forward.
+
+**Bundles:**
+- Bundle A — Proto + site handler (T1, T2)
+- Bundle B — Reconciliation actor (T3)
+- Bundle C — Purge actor + drop-and-rebuild repository fix (T4)
+- Bundle D — Partition maintenance hosted service (T5)
+- Bundle E — Health metrics (T6, T7, T8, T9)
+- Bundle F — Integration tests (T10, T11, T12)
+
+Final cross-bundle review + merge.
+
+**Note**: M2 noted NoOpSiteStreamAuditClient stays in production until "M6 wires the real client". M6-T1+T2 add the PULL RPC; the actual production PUSH client (real implementation of ISiteStreamAuditClient.IngestAuditEventsAsync + IngestCachedTelemetryAsync) is the bigger lift. M6 will add the real client IF feasible within scope OR defer to a follow-up. Decision: try in Bundle A (alongside the proto extension); if scope blows up, the NoOp stays.

docs/plans/2026-05-20-auditlog-m7-central-ui.md

@@ -0,0 +1,31 @@
+# Audit Log #23 — M7 Central UI Implementation Plan
+
+> **For Claude:** subagent-driven-development with bundled cadence.
+
+**Goal:** User-visible Audit Log page in the Central UI: filter bar, results grid with keyset paging, drilldown drawer with JSON pretty-print + cURL + redaction badges, drill-ins from Notifications/Site Calls/External Systems/Inbound API Keys/Sites/Instances, 3 KPI tiles on Health dashboard, server-side streaming CSV export, OperationalAudit+AuditExport permission gating, Playwright E2E.
+
+**UI memory constraints (locked):**
+- Blazor Server + Bootstrap CSS only. NO third-party UI libraries (no Blazorise, MudBlazor, Radzen, Prism.js, Highlight.js, etc.).
+- Custom Blazor components for tables/grids/forms.
+- Clean corporate aesthetic.
+- Form layout: vertical stacking, read-only fields first, subsections stacked, buttons at bottom.
+- Use the frontend-design skill IF dispatched UI-design subagents need pattern guidance.
+
+**M6 realities baked in:**
+- `IAuditCentralHealthSnapshot` aggregates CentralAuditWriteFailures + AuditRedactionFailure + per-site stalled. Health tiles read this.
+- `SiteHealthReport.SiteAuditBacklog` ready for per-site display.
+- `IAuditLogRepository.QueryAsync` keyset-paged; data source for the grid.
+- Pre-existing `Components/Pages/Monitoring/AuditLog.razor` (IAuditService config-change viewer) must be renamed → `Components/Pages/Audit/ConfigurationAuditLog.razor` with route `/audit/configuration`. Old route returns 404 (no redirect — internal tool, no external bookmarks).
+- Need to add `OperationalAudit` + `AuditExport` permission strings.
+
+**SQL highlighting decision:** no third-party highlighter. Render `<pre><code>` block with `language-sql` class and let any future CSS theme it; semantic markup is preserved without JS dependency.
+
+**Bundles:**
+- Bundle A — Page scaffold + nav + ConfigurationAuditLog rename (T1, T9)
+- Bundle B — Filter bar + results grid (T2, T3)
+- Bundle C — Drilldown drawer (T4, T5, T6, T7, T8)
+- Bundle D — Drill-ins from other pages (T10, T11, T12)
+- Bundle E — Health dashboard KPI tiles (T13)
+- Bundle F — CSV export (T14)
+- Bundle G — Permissions (T15)
+- Bundle H — Playwright E2E (T16)

docs/plans/2026-05-20-auditlog-m8-cli.md

@@ -0,0 +1,21 @@
+# Audit Log #23 — M8 CLI Implementation Plan
+
+> **For Claude:** subagent-driven-development with bundled cadence. FINAL milestone.
+
+**Goal:** Operator CLI surface — `scadalink audit query | export | verify-chain` — plus the ManagementService HTTP endpoints they call, output formatters, and renaming the pre-existing `audit-log` config-change command to `audit-config` with a deprecation alias.
+
+**M7 realities baked in:**
+- `OperationalAudit` + `AuditExport` are role-claim policies (M7 Bundle G). The Management endpoints reuse them.
+- `IAuditLogRepository.QueryAsync` (keyset paging) + `GetKpiSnapshotAsync` exist.
+- `AuditLogQueryFilter` is single-value per dimension — the CLI's `--channel` etc. flags collapse to single values like the UI chips do (documented limitation).
+- `verify-chain` is a v1 no-op stub (hash-chain deferred to v1.x per alog.md locked decisions). Do NOT implement hash chains.
+- ManagementService surface: confirm controllers vs minimal API by reading the project (M7 found CentralUI uses minimal API; ManagementService may differ).
+
+**CLI conventions:** System.CommandLine; JSON default + `--format table` opt-in. The CLI connects via the HTTP Management API (per CLAUDE.md). Mirror `src/ScadaLink.CLI/Commands/AuditLogCommands.cs` for the System.CommandLine pattern.
+
+**Bundles:**
+- Bundle A — CLI `audit` command group: scaffold + query + export + verify-chain (T1, T2, T3, T4).
+- Bundle B — ManagementService /api/audit/{query,export} endpoints (T5).
+- Bundle C — Output formatters + audit-config rename + README (T6, T7, T8).
+
+Final cross-bundle review + merge + roadmap closeout.

docs/plans/2026-05-20-centralized-audit-log.md

@@ -0,0 +1,787 @@
+# Centralized Audit Log Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers-extended-cc:executing-plans to implement this plan task-by-task.
+>
+> **Repo nature:** Design-documentation only. No code, no tests. Each task is a documentation change. "Verify" = re-read the diff + grep for stale cross-references. Commit after each task.
+
+**Goal:** Document the new **#23 Audit Log** component and propagate its cross-references across every affected component design, the README, HighLevelReqs, and CLAUDE.md — exactly as specified in `alog.md` (committed `fec0bb1`).
+
+**Architecture:** Layered, append-only `AuditLog` table at central, alongside existing `Notifications` (#21) and `SiteCalls` (#22) operational stores. Site SQLite writes on the hot path; gRPC telemetry forwards to central; site purge requires `ForwardState ∈ {Forwarded, Reconciled}`. Cached calls send a single telemetry packet that drives both the immutable `AuditLog` insert and the operational `SiteCalls` upsert. Central-originated events (Inbound API, Notification dispatch attempts) write directly. Monthly partitioning at central, 365-day default retention.
+
+**Tech Stack:** Markdown only. No code in v1 of this plan.
+
+**Spec:** `/Users/dohertj2/Desktop/scadalink-design/alog.md` (see commit `fec0bb1`). All task content below cites sections of that file.
+
+---
+
+## Task 0: Prepare branch
+
+**Files:**
+- None — git operation only.
+
+**Step 1: Confirm working tree state**
+
+Run: `git status --short`
+Expected: three unstaged `infra/` modifications (unrelated; leave them alone), nothing else.
+
+**Step 2: Create feature branch off `main`**
+
+Run: `git switch -c feature/audit-log-docs`
+Expected: switched to a new branch.
+
+**Step 3: Verify branch**
+
+Run: `git rev-parse --abbrev-ref HEAD`
+Expected: `feature/audit-log-docs`.
+
+**No commit at this task — just branch prep.**
+
+---
+
+## Task 1: Author `Component-AuditLog.md`
+
+**Files:**
+- Create: `docs/requirements/Component-AuditLog.md`
+
+**Step 1: Read context**
+
+Read `alog.md` §1–§16. Read the structural style of `docs/requirements/Component-SiteCallAudit.md` and `docs/requirements/Component-NotificationOutbox.md` — mirror their section ordering (Purpose / Location / Responsibilities / Tables / Lifecycle / Ingest & Idempotency / Reconciliation / Retention & Purge / KPIs / Configuration / Dependencies / Interactions).
+
+**Step 2: Write the skeleton**
+
+Create the file with these top-level headings (verbatim, in order):
+
+```
+# Component: Audit Log
+
+## Purpose
+## Location
+## Responsibilities
+## Scope — the script trust boundary
+## The `AuditLog` Table (central)
+## The Site-Local `AuditLog` (SQLite)
+## Ingestion Paths
+## Cached Operations — Combined Telemetry
+## Payload Capture Policy
+## Failure Handling & Idempotency
+## Retention & Purge
+## Security & Tamper-Evidence
+## KPIs
+## Configuration
+## Dependencies
+## Interactions
+```
+
+**Step 3: Fill `Purpose`**
+
+Two-paragraph version of `alog.md` §1. Lead sentence: "Provides a single, append-only, forensic + operational record of every integration action initiated by, or terminating in, a script — across outbound API, outbound DB, notifications, and inbound API." Second paragraph: not a dispatcher, observes Notification Outbox (#21) and Site Call Audit (#22), adds coverage where they are silent.
+
+**Step 4: Fill `Location`**
+
+Central cluster + site cluster. Central: `AuditLog` table in MS SQL plus three singleton actors on the active central node — `AuditLogIngestActor` (telemetry receiver), `SiteAuditReconciliationActor`, `AuditLogPurgeActor`. Sites: `AuditLog` SQLite database file alongside the S&F buffer plus `SiteAuditTelemetryActor` singleton on the active site node. Registered as component #23 in the Host role configuration.
+
+**Step 5: Fill `Responsibilities`**
+
+Bullet list mirroring `alog.md` §1–§3 commitments. Six bullets:
+- Accept site-local hot-path audit writes from script-trust-boundary call paths.
+- Forward site audit rows to central via gRPC telemetry with at-least-once + idempotency on `EventId`.
+- Run periodic reconciliation pulls per site to self-heal missed telemetry.
+- Accept central-originated audit writes (Inbound API, Notification dispatch attempts).
+- Compute point-in-time KPIs (global + per-site) from the central `AuditLog` table.
+- Purge expired rows by monthly partition switch.
+
+**Step 6: Fill `Scope — the script trust boundary`**
+
+Reproduce the table from `alog.md` §2 verbatim (the six rows). Add the "Out of scope" bullet list. Add the DB-reads note.
+
+**Step 7: Fill `The AuditLog Table (central)`**
+
+Reproduce the column table from `alog.md` §4. Then the index list. Then the `Kind`-per-channel table (with the inbound API simplification — only `Completed`).
+
+**Step 8: Fill `The Site-Local AuditLog (SQLite)`**
+
+State same schema as central minus `IngestedAtUtc`, plus `ForwardState` (`Pending | Forwarded | Reconciled`). Reproduce the **hard purge invariant** from `alog.md` §4 verbatim:
+
+> A row is eligible for purge only when both `OccurredAtUtc < retention threshold` AND `ForwardState IN ('Forwarded', 'Reconciled')`. Pending rows are never purged.
+
+Mention the `SiteAuditBacklog` health metric.
+
+**Step 9: Fill `Ingestion Paths`**
+
+Three subsections mirroring `alog.md` §6.1, §6.2, §6.3, §6.4. Keep concise — full pseudo-code lives in `alog.md`; the component doc captures the contract.
+
+**Step 10: Fill `Cached Operations — Combined Telemetry`**
+
+Capture `alog.md` §6.5 — site is source of truth, one telemetry packet carries both the audit row and the SiteCalls operational update; central ingest performs both writes in a single transaction.
+
+**Step 11: Fill `Payload Capture Policy`**
+
+Compress `alog.md` §8 into 8–12 lines: defaults (8 KB / 64 KB on error), header redaction, body-redactor regex hook, SQL captures values by default with per-connection opt-out, never-captured list (API keys, LDAP creds, secrets), safety-net over-redacts on misconfiguration.
+
+**Step 12: Fill `Failure Handling & Idempotency`**
+
+Compress `alog.md` §9: EventId is the PK and dedup key; never-fail-the-action principle; ring buffer for transient SQLite write failures; reconciliation as fallback when telemetry actor wedges; central-direct-write failure handling.
+
+**Step 13: Fill `Retention & Purge`**
+
+Compress `alog.md` §12: 365-day default central retention; monthly partition switch; no row-level deletes at central; site 7-day default; site purge respects `ForwardState`.
+
+**Step 14: Fill `Security & Tamper-Evidence`**
+
+Compress `alog.md` §11: dedicated `scadalink_audit_writer` (INSERT+SELECT) and `scadalink_audit_purger` (partition-switch only) DB roles; CI grep guard against `UPDATE`/`DELETE` of `AuditLog`; Audit + OperationalAudit + AuditExport permissions; hash-chain tamper evidence deferred to v1.x.
+
+**Step 15: Fill `KPIs`**
+
+List the five KPIs from `alog.md` §14: Volume, Error rate, Backlog, Top inbound callers, Top outbound 5xx. Note that Notification Outbox and Site Call Audit KPIs are unaffected.
+
+**Step 16: Fill `Configuration`**
+
+Show the `AuditLog` `appsettings.json` shape from `alog.md` §8.4. Include `DefaultCapBytes`, `ErrorCapBytes`, `HeaderRedactList`, `GlobalBodyRedactors`, `PerTargetOverrides`, and `RetentionDays` (global only in v1).
+
+**Step 17: Fill `Dependencies`**
+
+Cross-references to:
+- **Commons (#16)** — `AuditEvent`, `IAuditWriter`, `ICentralAuditWriter`, `AuditChannel`, `AuditKind`, `AuditStatus` types and interfaces.
+- **Configuration Database (#17)** — `AuditLog` table schema, partition function/scheme, DB roles, retention options.
+- **Cluster Infrastructure (#13)** — singleton placement and supervision (`AuditLogIngestActor`, `SiteAuditTelemetryActor`, `SiteAuditReconciliationActor`, `AuditLogPurgeActor`).
+- **Communication (#5)** — gRPC telemetry message types added to the existing site-stream proto additively.
+- **Site Runtime (#3)** — script trust boundary touchpoints invoke `IAuditWriter`.
+- **Host (#15)** — registers the new component under the central + site roles.
+
+**Step 18: Fill `Interactions`**
+
+Edges to:
+- **External System Gateway (#7)** — emits `ApiOutbound.SyncCall` rows; for `CachedCall` emits combined telemetry (audit + operational).
+- **Site Runtime (#3) / Database layer** — emits `DbOutbound.SyncWrite`, `DbOutbound.SyncRead`, and cached variants similarly.
+- **Inbound API (#14)** — emits `ApiInbound.Completed` rows from request middleware.
+- **Notification Outbox (#21)** — site-emitted `Notification.Enqueued` flows via audit telemetry; central dispatcher writes `Notification.Attempt` and `Notification.Terminal` rows directly via `ICentralAuditWriter`.
+- **Site Call Audit (#22)** — shares the cached-call telemetry packet; central ingest of that packet performs both `AuditLog` insert and `SiteCalls` upsert in one transaction.
+- **Central UI (#9)** — new Audit nav group + Audit Log page; drill-in links from Notifications, Site Calls, External Systems, Inbound API key, Sites, Instances detail pages.
+- **Health Monitoring (#11)** — three new tiles (Volume, Error rate, Backlog) plus new metrics (`SiteAuditBacklog`, `SiteAuditWriteFailures`, `SiteAuditTelemetryStalled`, `CentralAuditWriteFailures`, `AuditRedactionFailure`).
+- **CLI (#19)** — `scadalink audit query|export|verify-chain` commands.
+
+**Step 19: Verify**
+
+Run: `grep -n "Component-AuditLog.md\|#23" docs/requirements/Component-AuditLog.md`
+Expected: file references itself sensibly.
+
+Run: `wc -l docs/requirements/Component-AuditLog.md`
+Expected: ~250–400 lines (sanity check; not exact).
+
+**Step 20: Commit**
+
+```bash
+git add docs/requirements/Component-AuditLog.md
+git commit -m "docs(audit): add Component-AuditLog (#23) design document"
+```
+
+---
+
+## Task 2: Update `Component-Commons.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-Commons.md`
+
+**Step 1: Read existing structure**
+
+Read the file to find the right sections — likely "Types", "Interfaces", "Messages", "Entities". Note which subsections audit-related additions belong in.
+
+**Step 2: Add to `Types/`**
+
+Under the Types section, add:
+
+- `AuditChannel` enum: `ApiOutbound | DbOutbound | Notification | ApiInbound`.
+- `AuditKind` enum: union of channel-specific values from `alog.md` §4 table.
+- `AuditStatus` enum: `Success | TransientFailure | PermanentFailure | Enqueued | Retrying | Delivered | Parked | Discarded`.
+- `AuditEvent` POCO record carrying every column from `alog.md` §4 (central schema), plus a `ForwardState` for site SQLite.
+
+**Step 3: Add to `Interfaces/`**
+
+- `IAuditWriter` — site-local hot-path interface: `Task WriteAsync(AuditEvent evt, CancellationToken ct)`. Implementation lives in Audit Log (#23) component.
+- `ICentralAuditWriter` — central direct-write interface: `Task WriteAsync(AuditEvent evt, CancellationToken ct)` with insert-if-not-exists semantics on `EventId`.
+
+**Step 4: Add to `Messages/`**
+
+- `AuditTelemetryEnvelope` — gRPC message wrapping a batch of `AuditEvent` rows for telemetry forwarding.
+- `CachedCallTelemetry` — the existing SiteCalls telemetry message, additively extended in place to also carry `AuditEvent` content alongside the operational `SiteCalls` upsert fields. Do NOT rename; per `Component-Commons.md` REQ-COM-5a, message renames are breaking changes. Extend the existing entry's description.
+
+**Step 5: Verify**
+
+Run: `grep -n "AuditEvent\|IAuditWriter\|AuditChannel" docs/requirements/Component-Commons.md`
+Expected: all five identifiers appear in the right sections.
+
+**Step 6: Commit**
+
+```bash
+git add docs/requirements/Component-Commons.md
+git commit -m "docs(audit): register AuditEvent, IAuditWriter, AuditTelemetry types in Commons"
+```
+
+---
+
+## Task 3: Update `Component-ConfigurationDatabase.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-ConfigurationDatabase.md`
+
+**Step 1: Read existing structure**
+
+Find the "Tables" and "Roles" / "Permissions" / "Migrations" sections.
+
+**Step 2: Add `AuditLog` table description**
+
+Under Tables, add a new subsection mirroring how `Notifications` and `SiteCalls` are documented. Include:
+- Full column list from `alog.md` §4 (central table).
+- Index list from `alog.md` §4.
+- Monthly partitioning: partition function `pf_AuditLog_Month`, scheme `ps_AuditLog_Month`, filegroup-per-month rollover.
+- PK on `EventId` for idempotency.
+
+**Step 3: Add `AuditLog` DB roles**
+
+Under Roles/Permissions, add `scadalink_audit_writer` (INSERT+SELECT only) and `scadalink_audit_purger` (partition-switch only). Note the CI grep guard against `UPDATE … AuditLog` / `DELETE … AuditLog`.
+
+**Step 4: Add `AuditLog` migration note**
+
+Under Migrations, note that the initial migration creates the partition function/scheme and the table aligned to the scheme; partition-maintenance job is owned by the Audit Log component, not the Configuration DB.
+
+**Step 5: Add retention config note**
+
+Mention `AuditLog:RetentionDays` (global only in v1) as an Audit Log options key consumed by the purge actor.
+
+**Step 6: Verify cross-reference**
+
+Run: `grep -n "AuditLog\|Audit Log" docs/requirements/Component-ConfigurationDatabase.md`
+Expected: new table appears in the Tables section, roles in Roles section.
+
+**Step 7: Commit**
+
+```bash
+git add docs/requirements/Component-ConfigurationDatabase.md
+git commit -m "docs(audit): add AuditLog table, partitioning, and DB roles to Config DB"
+```
+
+---
+
+## Task 4: Update `Component-ClusterInfrastructure.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-ClusterInfrastructure.md`
+
+**Step 1: Read singleton-placement section**
+
+Find where Notification Outbox / Site Call Audit singletons are documented (active-central placement model).
+
+**Step 2: Register central singletons**
+
+Add to the central-singleton list:
+- `AuditLogIngestActor` — receives gRPC telemetry batches, performs insert-if-not-exists on `EventId`; for cached telemetry, performs both `AuditLog` insert and `SiteCalls` upsert in one transaction.
+- `SiteAuditReconciliationActor` — periodic per-site pull, default every 5 minutes.
+- `AuditLogPurgeActor` — daily partition-switch purge.
+
+**Step 3: Register site singletons**
+
+Add to the site-singleton list:
+- `SiteAuditTelemetryActor` — drains the local `AuditLog` SQLite's `Pending` rows to central in batches; short interval (5s) when busy, longer (30s) when idle.
+
+**Step 4: Note dedicated dispatcher**
+
+Add a one-liner: `SiteAuditTelemetryActor` runs on a dedicated dispatcher so it doesn't compete with the script blocking-I/O dispatcher (per `alog.md` §6.2).
+
+**Step 5: Verify**
+
+Run: `grep -n "AuditLogIngestActor\|SiteAuditTelemetryActor\|AuditLogPurgeActor\|SiteAuditReconciliationActor" docs/requirements/Component-ClusterInfrastructure.md`
+Expected: all four singletons listed.
+
+**Step 6: Commit**
+
+```bash
+git add docs/requirements/Component-ClusterInfrastructure.md
+git commit -m "docs(audit): register AuditLog singletons in Cluster Infrastructure"
+```
+
+---
+
+## Task 5: Update `Component-SiteRuntime.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-SiteRuntime.md`
+
+**Step 1: Find script-trust-boundary section**
+
+Locate the section listing what scripts can/cannot do and how their boundary-crossing calls are mediated.
+
+**Step 2: Note audit hook**
+
+Add: "Every script-trust-boundary call (External System Gateway, Database layer, Notify) emits an `AuditEvent` to `IAuditWriter` (site-local SQLite append). Hot path; never fails the calling action; failures logged via the `SiteAuditWriteFailures` health metric (see Health Monitoring #11)."
+
+**Step 3: Note site SQLite footprint**
+
+Find the section discussing site storage (SQLite for deployed configs, S&F buffer, event log, operation tracking). Add the `AuditLog` SQLite database file as a peer with the 7-day-purge-respecting-ForwardState invariant; cross-reference to Component-AuditLog.md.
+
+**Step 4: Verify**
+
+Run: `grep -n "IAuditWriter\|AuditLog\|Audit Log" docs/requirements/Component-SiteRuntime.md`
+Expected: hook documented, SQLite file mentioned.
+
+**Step 5: Commit**
+
+```bash
+git add docs/requirements/Component-SiteRuntime.md
+git commit -m "docs(audit): note IAuditWriter hook and site SQLite in Site Runtime"
+```
+
+---
+
+## Task 6: Update `Component-ExternalSystemGateway.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-ExternalSystemGateway.md`
+
+**Step 1: Find Call/CachedCall sections**
+
+Locate the dual-call-modes documentation.
+
+**Step 2: Note audit emission on sync calls**
+
+Under `ExternalSystem.Call`, add: "Emits an `ApiOutbound.SyncCall` row to `IAuditWriter` at call completion (success or failure). Payload captured per the Audit Log policy (#23 §Payload Capture Policy). Audit-write failure never aborts the script."
+
+**Step 3: Note audit emission on cached calls**
+
+Under `ExternalSystem.CachedCall`, add: "Each lifecycle transition (`CachedEnqueued`, `CachedAttempt`, `CachedTerminal`) emits an audit row via the combined cached-operation telemetry packet — one packet carries both the audit row and the SiteCalls upsert (see Audit Log #23 §Cached Operations and Site Call Audit #22)."
+
+**Step 4: Note audit emission on DB writes**
+
+Under `Database.Connection()` (synchronous), add: "Script-initiated `Execute`/`ExecuteScalar` calls emit `DbOutbound.SyncWrite` rows; `ExecuteReader` emits `DbOutbound.SyncRead`. SQL parameter values are captured by default; per-connection redaction opt-in via the Audit Log configuration (#23 §Payload Capture Policy §8.2)."
+
+**Step 5: Note audit emission on cached DB writes**
+
+Under `Database.CachedWrite`, add: same combined-telemetry pattern as cached external calls.
+
+**Step 6: Verify**
+
+Run: `grep -n "AuditLog\|Audit Log\|ApiOutbound\|DbOutbound\|IAuditWriter" docs/requirements/Component-ExternalSystemGateway.md`
+Expected: hooks documented in all four call-mode subsections.
+
+**Step 7: Commit**
+
+```bash
+git add docs/requirements/Component-ExternalSystemGateway.md
+git commit -m "docs(audit): emit AuditLog rows from External System Gateway call paths"
+```
+
+---
+
+## Task 7: Update `Component-SiteCallAudit.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-SiteCallAudit.md`
+
+**Step 1: Find Ingest & Idempotency section**
+
+Locate the "Ingest & Idempotency" section (around line 69 in current file).
+
+**Step 2: Note combined telemetry**
+
+Add a new paragraph: "From v1.x onward, the cached-operation telemetry packet additively carries the `AuditEvent` content alongside the existing operational fields. Central's `AuditLogIngestActor` (Audit Log #23) performs both the immutable `AuditLog` insert and the `SiteCalls` upsert in a single transaction. Idempotency keys remain `EventId` (for AuditLog) and `TrackedOperationId` (for SiteCalls)."
+
+**Step 3: Cross-reference Audit Log**
+
+Find the Dependencies / Interactions sections (typically near the end). Add an edge to **Audit Log (#23)** noting the shared telemetry packet and dual-write ingest.
+
+**Step 4: Verify**
+
+Run: `grep -n "Audit Log\|AuditLog\|AuditEvent\|#23" docs/requirements/Component-SiteCallAudit.md`
+Expected: combined-telemetry paragraph + Dependencies edge present.
+
+**Step 5: Commit**
+
+```bash
+git add docs/requirements/Component-SiteCallAudit.md
+git commit -m "docs(audit): note shared cached-operation telemetry with Audit Log"
+```
+
+---
+
+## Task 8: Update `Component-NotificationOutbox.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-NotificationOutbox.md`
+
+**Step 1: Find dispatcher section**
+
+Locate the section describing the central dispatcher's delivery attempt loop.
+
+**Step 2: Note central direct-write of attempt/terminal**
+
+Add: "Each delivery attempt writes a `Notification.Attempt` row to the `AuditLog` via `ICentralAuditWriter`; transition to a terminal status (`Delivered` / `Parked` / `Discarded`) writes a `Notification.Terminal` row. Audit writes are direct (no telemetry — the dispatcher runs at central). The site-emitted `Notification.Enqueued` row arrives via the standard audit telemetry channel."
+
+**Step 3: Cross-reference Audit Log**
+
+Add to Dependencies / Interactions: edge to **Audit Log (#23)** noting central direct-write of dispatch lifecycle events.
+
+**Step 4: Note status independence**
+
+Add a clarifying sentence: "The operational `Notifications` table remains the source of truth for the dispatcher and for Retry/Discard actions; the `AuditLog` rows are immutable shadows."
+
+**Step 5: Verify**
+
+Run: `grep -n "Audit Log\|ICentralAuditWriter\|Notification.Attempt\|#23" docs/requirements/Component-NotificationOutbox.md`
+Expected: dispatcher hook + Dependencies edge present.
+
+**Step 6: Commit**
+
+```bash
+git add docs/requirements/Component-NotificationOutbox.md
+git commit -m "docs(audit): central direct-write of notification dispatch events to AuditLog"
+```
+
+---
+
+## Task 9: Update `Component-InboundAPI.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-InboundAPI.md`
+
+**Step 1: Find request-completion / logging section**
+
+Locate the section describing how requests are processed and what gets logged today (today: failures only, per the brainstorm exploration).
+
+**Step 2: Replace failures-only stance**
+
+Edit the "failures-only logging" claim so it now reads: "Every request (success or failure) emits one `ApiInbound.Completed` row to `ICentralAuditWriter` from request middleware before the HTTP response is flushed. The row captures the API key *name* (never the key material), remote IP, user-agent, response status, duration, and truncated request/response bodies per the Audit Log capture policy (#23 §Payload Capture Policy)."
+
+**Step 3: Cross-reference Audit Log**
+
+Add Dependencies edge to **Audit Log (#23)**.
+
+**Step 4: Note non-blocking semantics**
+
+Add: "Middleware audit-write failures are logged and metricked (see Health Monitoring #11) but never affect the HTTP response."
+
+**Step 5: Verify**
+
+Run: `grep -n "Audit Log\|ApiInbound\|ICentralAuditWriter\|#23" docs/requirements/Component-InboundAPI.md`
+Expected: middleware hook + Dependencies edge present.
+
+**Step 6: Commit**
+
+```bash
+git add docs/requirements/Component-InboundAPI.md
+git commit -m "docs(audit): emit ApiInbound.Completed audit row per request"
+```
+
+---
+
+## Task 10: Update `Component-CentralUI.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-CentralUI.md`
+
+**Step 1: Find navigation / page list**
+
+Locate the section enumerating top-level nav groups and pages.
+
+**Step 2: Add Audit nav group**
+
+Add a new top-level group **Audit** with one page in v1:
+- **Audit Log** — global query/filter/drilldown over the central `AuditLog` table.
+
+Document the filter bar and results grid columns from `alog.md` §10.1.
+
+**Step 3: Add drill-in links**
+
+In the existing Notifications, Site Calls, External Systems, Inbound API Keys, Sites, and Instances detail-page documentation, add a "View audit history" / "Recent activity" / "Audit feed" entry that opens the Audit Log page pre-filtered (per `alog.md` §10.2).
+
+**Step 4: Add Health dashboard tiles**
+
+In the Health dashboard documentation, add three tiles under a new "Audit" KPI group: Audit volume, Audit error rate, Audit backlog (per `alog.md` §10.3 / §14).
+
+**Step 5: Note UI rules already covered**
+
+No new framework choices — sticks to Blazor Server + Bootstrap + custom components per the existing project rules (per memory note `feedback_central_ui.md`).
+
+**Step 6: Verify**
+
+Run: `grep -n "Audit Log\|Audit nav\|Audit feed\|Audit volume\|#23" docs/requirements/Component-CentralUI.md`
+Expected: nav group, page, drill-ins, tiles all documented.
+
+**Step 7: Commit**
+
+```bash
+git add docs/requirements/Component-CentralUI.md
+git commit -m "docs(audit): add Audit nav group, Audit Log page, drill-ins, and KPI tiles to Central UI"
+```
+
+---
+
+## Task 11: Update `Component-HealthMonitoring.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-HealthMonitoring.md`
+
+**Step 1: Find metrics list**
+
+Locate where existing site + central metrics are enumerated.
+
+**Step 2: Add new site metrics**
+
+- `SiteAuditBacklog` — count of `Pending` rows in site-local `AuditLog` plus oldest-pending-age plus on-disk bytes. Threshold drives a Health dashboard warning on the affected site tile.
+- `SiteAuditWriteFailures` — count of failed hot-path appends since last report.
+- `SiteAuditTelemetryStalled` — boolean flag set when reconciliation reports a non-draining backlog over two cycles.
+
+**Step 3: Add new central metrics**
+
+- `CentralAuditWriteFailures` — central direct-write failures (Inbound API middleware, Notification Outbox dispatcher).
+- `AuditRedactionFailure` — payload redactor errors (over-redacted, safety-net hit).
+
+**Step 4: Add new tiles**
+
+Three new dashboard tiles under an "Audit" group: Audit volume, Audit error rate, Audit backlog.
+
+**Step 5: Cross-reference Audit Log**
+
+Dependencies edge to **Audit Log (#23)**.
+
+**Step 6: Verify**
+
+Run: `grep -n "SiteAuditBacklog\|SiteAuditWriteFailures\|CentralAuditWriteFailures\|AuditRedactionFailure\|Audit volume" docs/requirements/Component-HealthMonitoring.md`
+Expected: all five metrics + three tiles listed.
+
+**Step 7: Commit**
+
+```bash
+git add docs/requirements/Component-HealthMonitoring.md
+git commit -m "docs(audit): add Audit Log health metrics and dashboard tiles"
+```
+
+---
+
+## Task 12: Update `Component-CLI.md`
+
+**Files:**
+- Modify: `docs/requirements/Component-CLI.md`
+
+**Step 1: Find command-group list**
+
+Locate the section enumerating top-level CLI command groups.
+
+**Step 2: Add `scadalink audit` group**
+
+Three subcommands per `alog.md` §15.1:
+- `audit query --site <s> --since <t> --kind <k> [...]` — UI-equivalent filter set.
+- `audit export --since <t> --until <t> --format csv|jsonl|parquet --output <path>` — server-side streaming export.
+- `audit verify-chain --month <YYYY-MM>` — hash-chain verification (no-op in v1; available once §11.4 ships).
+
+Note: requires `OperationalAudit` + `AuditExport` permissions (Security & Auth #10).
+
+**Step 3: Cross-reference Audit Log and Management Service**
+
+Dependencies edges to **Audit Log (#23)** and **Management Service (#18)** (the CLI hits central via the existing HTTP Management API).
+
+**Step 4: Verify**
+
+Run: `grep -n "scadalink audit\|audit query\|audit export\|audit verify-chain\|#23" docs/requirements/Component-CLI.md`
+Expected: command group documented with all three subcommands.
+
+**Step 5: Commit**
+
+```bash
+git add docs/requirements/Component-CLI.md
+git commit -m "docs(audit): add scadalink audit command group to CLI"
+```
+
+---
+
+## Task 13: Update `README.md`
+
+**Files:**
+- Modify: `README.md`
+
+**Step 1: Find component table**
+
+Locate the markdown table containing rows #1–#22 (currently around lines 36–58).
+
+**Step 2: Add row #23**
+
+Append a row after `Site Call Audit`:
+
+```
+| 23 | Audit Log | [docs/requirements/Component-AuditLog.md](docs/requirements/Component-AuditLog.md) | New central append-only AuditLog spanning every script-trust-boundary action (outbound API sync+cached, outbound DB sync+cached, notifications, inbound API). Site-local SQLite hot-path append + gRPC telemetry + central reconciliation; combined telemetry packet with Site Call Audit; central direct-write for Notification Outbox dispatch + Inbound API middleware; monthly partitioning, 365-day default retention. |
+```
+
+**Step 3: Update architecture diagram (logical)**
+
+In the architecture diagram, add an `AuditLog` box under the central cluster's "Audit Log" / observability cluster (parallel to Notification Outbox and Site Call Audit). Add a thin arrow from each affected component into it.
+
+**Step 4: Verify**
+
+Run: `grep -n "Audit Log\|Component-AuditLog.md\|| 23 |" README.md`
+Expected: new row + diagram entry present.
+
+**Step 5: Commit**
+
+```bash
+git add README.md
+git commit -m "docs(audit): register Audit Log (#23) in the README component table"
+```
+
+---
+
+## Task 14: Update `docs/requirements/HighLevelReqs.md`
+
+**Files:**
+- Modify: `docs/requirements/HighLevelReqs.md`
+
+**Step 1: Find functional-area sections**
+
+Locate the section that currently contains requirements for Notification Outbox and Site Call Audit (likely under "Observability" or "Audit & Reporting").
+
+**Step 2: Add Audit Log requirements section**
+
+Add a new subsection **"Centralized Audit Log"** with numbered requirements covering:
+- AL-1: Append-only central record of every script-trust-boundary action.
+- AL-2: One row per lifecycle event for cached calls and notifications.
+- AL-3: Site-local hot-path append; gRPC telemetry to central; idempotent on `EventId`.
+- AL-4: Reconciliation pull self-heals missed telemetry.
+- AL-5: Payload metadata + truncated bodies (8 KB default, 64 KB on errors).
+- AL-6: Headers redacted by default; SQL parameter values captured by default; per-target redaction opt-in.
+- AL-7: Audit-write failure never aborts the user-facing action.
+- AL-8: 365-day default central retention; monthly partition switch purge.
+- AL-9: Site SQLite purge requires `ForwardState ∈ {Forwarded, Reconciled}`; central outage cannot cause audit loss at sites.
+- AL-10: Central UI Audit Log page with cross-channel filter and drill-ins from existing operational pages.
+- AL-11: Append-only enforced via DB roles; tamper-evidence hash chain deferred to v1.x.
+- AL-12: CLI `scadalink audit` command group.
+
+**Step 3: Cross-reference Audit Log component**
+
+Add a "See Component-AuditLog.md (#23)" pointer at the top of the subsection.
+
+**Step 4: Verify**
+
+Run: `grep -n "AL-1\|AL-12\|Centralized Audit Log\|Component-AuditLog.md" docs/requirements/HighLevelReqs.md`
+Expected: section header and all twelve requirements present.
+
+**Step 5: Commit**
+
+```bash
+git add docs/requirements/HighLevelReqs.md
+git commit -m "docs(audit): add Centralized Audit Log requirements (AL-1..AL-12) to HighLevelReqs"
+```
+
+---
+
+## Task 15: Update `CLAUDE.md`
+
+**Files:**
+- Modify: `CLAUDE.md`
+
+**Step 1: Update Current Component List**
+
+Change the heading from `## Current Component List (22 components)` to `## Current Component List (23 components)`. Append a new line at the end of the numbered list:
+
+```
+23. Audit Log — Central append-only AuditLog table spanning every script-trust-boundary action (outbound API sync+cached, outbound DB sync+cached, notifications, inbound API). Site SQLite hot-path + gRPC telemetry + reconciliation; combined telemetry with Site Call Audit; central direct-write for Notification Outbox dispatch + Inbound API; monthly partitioning, 365-day retention.
+```
+
+**Step 2: Add Key Design Decisions block**
+
+In the **Key Design Decisions** section, add a new subsection **`### Centralized Audit Log`** with bulleted decisions mirroring `alog.md` §1–§15 highlights:
+
+- Layered design — append-only AuditLog alongside operational Notifications (#21) and SiteCalls (#22), not replacing them.
+- Scope = script trust boundary; framework traffic explicitly excluded.
+- One row per lifecycle event; cached calls produce 4+ rows per operation.
+- Site SQLite hot-path first; gRPC telemetry to central; idempotent on `EventId`; reconciliation pull as fallback.
+- Cached operations: site emits, one telemetry packet carries audit + operational state; central writes both in one transaction.
+- Payload cap 8 KB default / 64 KB on errors; headers redacted by default; SQL parameter values captured by default; per-target redaction opt-in.
+- Audit-write failure never aborts the user-facing action.
+- 365-day central retention with monthly partition-switch purge; 7-day site SQLite with hard `ForwardState` invariant.
+- Append-only enforced via DB roles; hash-chain tamper evidence and Parquet archival deferred to v1.x.
+- New top-level **Audit** nav group + Audit Log page + drill-ins from Notifications / Site Calls / External Systems / Inbound API Keys / Sites / Instances.
+
+**Step 3: Verify**
+
+Run: `grep -n "Centralized Audit Log\|Audit Log\|23 components\|23\\. Audit Log" CLAUDE.md`
+Expected: count updated, list extended, Key Design Decisions block present.
+
+**Step 4: Commit**
+
+```bash
+git add CLAUDE.md
+git commit -m "docs(audit): register Audit Log (#23) in CLAUDE.md component list and key decisions"
+```
+
+---
+
+## Task 16: Final cross-reference verification
+
+**Files:**
+- None — verification only.
+
+**Step 1: Grep for stale references**
+
+Run: `grep -rn "22 components\|Currently 22\|22\\. Site Call Audit\\s*$" docs/ README.md CLAUDE.md`
+Expected: no hits — all updated to 23.
+
+**Step 2: Grep for orphan references**
+
+Run: `grep -rn "Component-AuditLog.md" docs/ README.md CLAUDE.md`
+Expected: hits in README, CLAUDE.md, and each affected component doc. Confirm the file exists at the referenced path.
+
+**Step 3: Verify all twelve affected component docs cross-reference Audit Log**
+
+Run: `for f in docs/requirements/Component-{ExternalSystemGateway,InboundAPI,NotificationOutbox,SiteCallAudit,SiteRuntime,Commons,CentralUI,ConfigurationDatabase,ClusterInfrastructure,HealthMonitoring,CLI}.md; do echo "--- $f"; grep -c "Audit Log\|AuditLog\|#23" "$f"; done`
+Expected: each file shows count ≥ 1.
+
+**Step 4: Verify alog.md still matches the design canonically**
+
+Run: `git diff fec0bb1 -- alog.md`
+Expected: no diff — alog.md is unchanged from the validated commit.
+
+**Step 5: Skim the new file once more end-to-end**
+
+Read: `docs/requirements/Component-AuditLog.md`. Verify section ordering, completeness, no contradictions with `alog.md`.
+
+**Step 6: Review the commit graph**
+
+Run: `git log --oneline feature/audit-log-docs ^main`
+Expected: 14 commits — one per Task 1–13 plus Task 15 (Task 14 is HighLevelReqs in this list — recount: tasks 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 = 15 commits). Adjust expectation: 15 docs/commits.
+
+**Step 7: Final commit (only if any fix-ups needed)**
+
+If grep finds any issue, fix it and commit with `docs(audit): cross-reference cleanup`. Otherwise no commit at this task.
+
+---
+
+## Task 17: Merge to main (optional, on user request only)
+
+**Files:**
+- None — git operation only.
+
+**Step 1: Confirm with user**
+
+Per CLAUDE.md and harness policy, do not push or merge to main without explicit user instruction. This task documents the option but does not execute automatically.
+
+**Step 2: If user requests merge**
+
+```bash
+git switch main
+git merge --no-ff feature/audit-log-docs -m "Merge feature/audit-log-docs: centralized audit log design"
+```
+
+**Step 3: If user requests push**
+
+```bash
+git push origin main
+```
+
+(or push the feature branch instead — operator's call).
+
+---
+
+## Execution Notes
+
+- **Tasks 2–14 are mostly independent of each other** once Task 1 is done. Suitable for parallel execution via the **subagent-driven-development** sub-skill — one fresh subagent per task, review between commits.
+- **Tasks 15 and 16** must run last (Task 15 is the CLAUDE.md rollup; Task 16 is verification).
+- **Task 0** must run first (branch prep).
+- Total: 17 tasks, ~15 commits, ~250–400 lines of new prose in `Component-AuditLog.md` plus smaller per-component additions.
+- Spec is `alog.md` (commit `fec0bb1`); every task cites the relevant section.

docs/plans/2026-05-20-centralized-audit-log.md.tasks.json

@@ -0,0 +1,26 @@
+{
+  "planPath": "docs/plans/2026-05-20-centralized-audit-log.md",
+  "spec": "alog.md (commit fec0bb1)",
+  "repoNature": "design-documentation-only",
+  "tasks": [
+    {"id": 0, "subject": "Task 0: Prepare branch", "status": "pending", "blockedBy": []},
+    {"id": 1, "subject": "Task 1: Author Component-AuditLog.md", "status": "pending", "blockedBy": [0]},
+    {"id": 2, "subject": "Task 2: Update Component-Commons.md", "status": "pending", "blockedBy": [0]},
+    {"id": 3, "subject": "Task 3: Update Component-ConfigurationDatabase.md", "status": "pending", "blockedBy": [1]},
+    {"id": 4, "subject": "Task 4: Update Component-ClusterInfrastructure.md", "status": "pending", "blockedBy": [1]},
+    {"id": 5, "subject": "Task 5: Update Component-SiteRuntime.md", "status": "pending", "blockedBy": [1]},
+    {"id": 6, "subject": "Task 6: Update Component-ExternalSystemGateway.md", "status": "pending", "blockedBy": [1]},
+    {"id": 7, "subject": "Task 7: Update Component-SiteCallAudit.md", "status": "pending", "blockedBy": [1]},
+    {"id": 8, "subject": "Task 8: Update Component-NotificationOutbox.md", "status": "pending", "blockedBy": [1]},
+    {"id": 9, "subject": "Task 9: Update Component-InboundAPI.md", "status": "pending", "blockedBy": [1]},
+    {"id": 10, "subject": "Task 10: Update Component-CentralUI.md", "status": "pending", "blockedBy": [1]},
+    {"id": 11, "subject": "Task 11: Update Component-HealthMonitoring.md", "status": "pending", "blockedBy": [1]},
+    {"id": 12, "subject": "Task 12: Update Component-CLI.md", "status": "pending", "blockedBy": [1]},
+    {"id": 13, "subject": "Task 13: Update README.md", "status": "pending", "blockedBy": [1]},
+    {"id": 14, "subject": "Task 14: Update HighLevelReqs.md", "status": "pending", "blockedBy": [1]},
+    {"id": 15, "subject": "Task 15: Update CLAUDE.md", "status": "pending", "blockedBy": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]},
+    {"id": 16, "subject": "Task 16: Final cross-reference verification", "status": "pending", "blockedBy": [15]},
+    {"id": 17, "subject": "Task 17: Merge to main (user-gated)", "status": "pending", "blockedBy": [16]}
+  ],
+  "lastUpdated": "2026-05-20T00:00:00Z"
+}

docs/plans/audit-log-goal-prompt.md

@@ -0,0 +1,144 @@
+# Audit Log (#23) — /goal Prompt
+
+Self-contained prompt to drive autonomous execution of the Audit Log
+implementation from `docs/plans/2026-05-20-audit-log-code-roadmap.md`.
+
+**Usage:** copy the fenced block below and paste into `/goal` in this repo.
+Each milestone executes, ships to `main`, then updates downstream roadmap
+sections with realities learned before starting the next milestone.
+
+If your `/goal` environment doesn't pre-load skill identifiers, replace
+`superpowers-extended-cc:brainstorming` (and similar) with whatever
+invocation form is correct. The workflow is the same.
+
+---
+
+```
+GOAL: Implement the ScadaLink Audit Log component (#23) end-to-end against
+the existing codebase by executing all 8 milestones from the roadmap at
+docs/plans/2026-05-20-audit-log-code-roadmap.md. After each milestone ships
+to main, update the remaining milestones in the roadmap with what was
+actually learned. Done when M8 is merged and the full test suite is green.
+
+═══════ STARTING STATE ═══════
+Repo:           /Users/dohertj2/Desktop/scadalink-design
+Starting ref:   main at 39a3ca3
+Spec (immut.):  alog.md (commit fec0bb1) + docs/requirements/Component-AuditLog.md
+Roadmap:        docs/plans/2026-05-20-audit-log-code-roadmap.md  (8 milestones, ~100 tasks)
+Working tree:   3 infra/* modifications are PRE-EXISTING and UNRELATED.
+                Never touch them. Use explicit `git add <path>`; never `commit -am`.
+
+User-memory feedback to honor (under ~/.claude/projects/<this>/memory/):
+  • feedback_subagent_cadence.md — bundle small adjacent tasks per milestone
+  • feedback_central_ui.md       — Blazor Server + Bootstrap only, no 3rd-party frameworks
+  • feedback_form_layout.md      — vertical stack, read-only first, buttons at bottom
+  • feedback_recommendations.md  — lead with a recommended option
+
+═══════ INVARIANTS (never violate) ═══════
+1. Cross-refs to Component-AuditLog.md use PROSE anchors (e.g., "Payload
+   Capture Policy"), NEVER `§N`.  § only exists in alog.md.
+2. CachedCallTelemetry is the correct message name. CachedOperationTelemetry
+   does not exist — never introduce it.
+3. Audit-write failures NEVER abort user-facing actions anywhere — ESG calls,
+   DB writes, Inbound API requests, Notify dispatches all continue normally
+   if the audit append throws.
+4. AuditLog is strictly append-only at central. No UPDATE. No row-level
+   DELETE. Purge is partition-switch only.
+5. Site SQLite purge requires ForwardState ∈ {Forwarded, Reconciled}; pending
+   rows are never age-purged.
+6. Do NOT push to origin. Never. Merges to main are local-only.
+7. Hash-chain tamper-evidence and Parquet archival are deferred to v1.x.
+   Do not implement them. Per-channel retention overrides also deferred.
+
+═══════ PER-MILESTONE LOOP (M1 → M8) ═══════
+For each milestone N from 1 to 8, in order:
+
+  A. BRANCH
+     git switch -c feature/audit-log-m{N}-<slice> from main.
+
+  B. BRAINSTORM
+     Invoke `superpowers-extended-cc:brainstorming` to nail any code-level
+     decisions not fixed by the spec or roadmap (test-fixture placement,
+     exact dispatcher names, helper signatures, etc.). One question at a
+     time, recommended option first.
+
+  C. WRITING-PLANS
+     Invoke `superpowers-extended-cc:writing-plans` to turn the milestone's
+     roadmap section into a milestone-specific executable plan at
+     docs/plans/2026-XX-XX-auditlog-m{N}-<slice>.md with peer .tasks.json.
+     Each task: exact file paths, TDD steps (failing test → impl → passing →
+     commit), commit message.
+
+  D. EXECUTE
+     Invoke `superpowers-extended-cc:subagent-driven-development`.
+     Per the cadence memory: bundle small adjacent tasks into one
+     implementer dispatch + one combined spec+quality reviewer per bundle.
+     Trivial 1–3 line fix-ups may be controller-direct edits; substantive
+     fixes go through a fresh implementer subagent. End each milestone with
+     a final cross-bundle reviewer over the whole branch.
+
+  E. VERIFY (gate — do not skip)
+     • Milestone-specific tests pass:  dotnet test --filter <pattern>
+     • Full solution tests still pass: dotnet test ScadaLink.slnx
+     • Every acceptance criterion from the roadmap's M{N} section is met,
+       cited by name to the test that proves it.
+     • If anything is red, fix-loop. Never proceed with red tests.
+
+  F. MERGE
+     git switch main
+     git merge --no-ff feature/audit-log-m{N}-<slice> -m "<summary>"
+     No push.
+
+  G. UPDATE DOWNSTREAM ROADMAP (the novel step — do not skip)
+     Before starting M{N+1}, edit the M{N+1}..M8 sections of
+     docs/plans/2026-05-20-audit-log-code-roadmap.md to reflect realities
+     learned during M{N}:
+       • Correct any file paths that turned out different.
+       • Update class/method names that got renamed during M{N}.
+       • Add brief notes under affected later-milestone tasks pointing at
+         the actual helper / fixture / pattern used in M{N} that the next
+         milestone should reuse.
+       • Remove tasks that turned out unnecessary; add tasks that turned
+         out missing.
+       • Do NOT rewrite milestones wholesale — only update what M{N}
+         demonstrably changed.
+     Commit on main:
+       docs(audit): roadmap corrections after M{N}
+
+  H. STATUS UPDATE
+     Output one paragraph:
+       - Milestone N and slice name
+       - Commit SHA range merged to main
+       - Tests added / total passing
+       - Roadmap corrections summary (one line)
+       - Next milestone
+
+  I. PROCEED to M{N+1} (back to step A).
+
+═══════ ASK THE USER BEFORE ═══════
+• Implementing anything that contradicts the spec — flag the design gap,
+  let the user decide whether to fix the design first.
+• Touching a file the user is editing in working tree (always check
+  `git status` first).
+• Pulling a deferred v1.x feature into v1 scope.
+• Pushing to origin (never push without explicit authorization).
+• A milestone's acceptance criteria turn out unachievable as written.
+
+═══════ TERMINATION ═══════
+Done when ALL hold:
+  1. M8 merged to main.
+  2. `dotnet test ScadaLink.slnx` green (full solution).
+  3. `dotnet test tests/ScadaLink.IntegrationTests/` green.
+  4. Roadmap reflects what was actually shipped (corrections committed).
+  5. infra/* still untouched and uncommitted.
+  6. alog.md unchanged from fec0bb1 (or, if changed, the design correction
+     was committed BEFORE the affected code change — never the reverse).
+  7. Component-AuditLog.md unchanged unless a clarification was committed
+     first, same discipline.
+
+═══════ START ═══════
+Begin with M1: Foundation (schema, types, DB roles, partitioning).
+The roadmap's M1 section is the source of truth for the task list. Read it
+fully before doing anything else, then proceed through the per-milestone
+loop. Build to ship; do not get clever; trust the design.
+```

docs/requirements/Component-AuditLog.md

@@ -0,0 +1,396 @@
+# Component: Audit Log
+
+## Purpose
+
+Provides a single, append-only, forensic + operational record of every
+integration action initiated by, or terminating in, a script — across outbound
+API, outbound DB, notifications, and inbound API. One row per lifecycle event,
+rich payloads, long retention, dashboards, drilldowns, and filter queries,
+answering both forensic questions ("did instance X send notification Y on date
+Z, with what body?") and operational ones ("which inbound caller is hammering
+us right now?").
+
+The Audit Log is **not a dispatcher**. It does not drive delivery, retry loops,
+or operator Retry/Discard actions — those remain in [Notification Outbox](Component-NotificationOutbox.md)
+and [Site Call Audit](Component-SiteCallAudit.md). The Audit Log is the
+immutable history that **observes** those subsystems and adds coverage where
+they are silent (sync `ExternalSystem.Call`, sync DB writes and reads, inbound
+API requests).
+
+## Location
+
+Central cluster and site clusters.
+
+- **Central:** the `AuditLog` table in central MS SQL, plus three singletons on
+  the active central node — `AuditLogIngestActor` (telemetry receiver),
+  `SiteAuditReconciliationActor`, and `AuditLogPurgeActor`.
+- **Sites:** a site-local `AuditLog` SQLite database file alongside the
+  Store-and-Forward buffer, plus a `SiteAuditTelemetryActor` singleton on the
+  active site node.
+
+Registered as component #23 in the Host role configuration.
+
+## Responsibilities
+
+- Accept site-local hot-path audit writes from script-trust-boundary call paths.
+- Forward site audit rows to central via gRPC telemetry with at-least-once
+  delivery and idempotency on `EventId`.
+- Run periodic per-site reconciliation pulls so missed telemetry self-heals.
+- Accept central-originated audit writes (Inbound API, Notification dispatch
+  attempts and terminal status).
+- Compute point-in-time KPIs (global and per-site) from the central `AuditLog`
+  table.
+- Purge expired rows by monthly partition switch — no row-level deletes.
+
+## Scope — the script trust boundary
+
+The Audit Log captures every action a script causes to cross the cluster trust
+boundary:
+
+| Channel | Trigger | Direction | Covered today? |
+|---|---|---|---|
+| `ExternalSystem.Call(...)` | Script | Outbound | No (gap) |
+| `ExternalSystem.CachedCall(...)` | Script | Outbound | Yes — `SiteCalls` (Site Call Audit) |
+| `Database.Connection().Execute*(...)` — writes | Script | Outbound | No (gap) |
+| `Database.CachedWrite(...)` | Script | Outbound | Yes — `SiteCalls` (Site Call Audit) |
+| `Notify.To(list).Send(...)` | Script | Outbound | Yes — `Notifications` (Notification Outbox) |
+| `POST /api/{method}` (Inbound API) | External | Inbound (invokes a script) | No (gap) |
+
+Out of scope — framework traffic is not audited:
+
+- Health checks, heartbeats, cluster membership messages.
+- gRPC inter-cluster real-time streams (attribute values, alarm states).
+- Data Connection Layer ↔ OPC UA / custom protocol traffic.
+- LDAP authentication probes, Traefik routing decisions.
+- Internal Configuration Database queries by the framework.
+- Site Event Log writes; audit log writes themselves.
+
+Script-initiated DB **reads** via `Database.Connection().ExecuteReader(...)`
+count as actions from a script and are in scope. Reads via DCL / subscriptions
+are framework traffic and excluded.
+
+## The `AuditLog` Table (central)
+
+Single wide table in central MS SQL, polymorphic by `Channel` + `Kind`
+discriminators, with a JSON `Extra` column for channel-specific overflow. One
+row per lifecycle event across all channels.
+
+| Column | Type | Notes |
+|---|---|---|
+| `EventId` | `uniqueidentifier` PK | Generated where the event originates (site or central). Idempotency key. |
+| `OccurredAtUtc` | `datetime2` | When the event happened (call returned, retry attempted, etc.). |
+| `IngestedAtUtc` | `datetime2` | When central persisted the row (lags `OccurredAtUtc` for site-originated rows). |
+| `Channel` | `varchar(32)` | `ApiOutbound` \| `DbOutbound` \| `Notification` \| `ApiInbound`. |
+| `Kind` | `varchar(32)` | Event kind discriminator (see kinds list below). |
+| `CorrelationId` | `uniqueidentifier` NULL | Ties multi-event operations together. `TrackedOperationId` for cached calls, `NotificationId` for notifications, request-id for inbound API. NULL for sync one-shot calls. |
+| `SourceSiteId` | `varchar(64)` NULL | NULL for central-originated events. |
+| `SourceInstanceId` | `varchar(128)` NULL | Instance whose script initiated the action (when applicable). |
+| `SourceScript` | `varchar(128)` NULL | Script name within the instance. |
+| `Actor` | `varchar(128)` NULL | Inbound API: API key name. Outbound: script identity. Central: system user. |
+| `Target` | `varchar(256)` NULL | Outbound API: external system + method. DB: connection name. Notification: list name. Inbound API: method name. |
+| `Status` | `varchar(32)` | Outcome of *this event* — `Submitted`, `Forwarded`, `Attempted`, `Delivered`, `Failed`, `Parked`, `Discarded`, `Skipped`. |
+| `HttpStatus` | `int` NULL | HTTP-bearing events only. |
+| `DurationMs` | `int` NULL | Call / attempt duration. |
+| `ErrorMessage` | `nvarchar(1024)` NULL | Truncated; `ErrorDetail` for full text. |
+| `ErrorDetail` | `nvarchar(max)` NULL | Optional full exception text on failures. |
+| `RequestSummary` | `nvarchar(max)` NULL | Truncated request payload (configurable cap). Headers redacted. |
+| `ResponseSummary` | `nvarchar(max)` NULL | Truncated response payload. Full on errors. |
+| `PayloadTruncated` | `bit` | Set if either summary was truncated. |
+| `Extra` | `nvarchar(max)` NULL | Channel-specific JSON for fields we don't promote to columns. |
+
+**Indexes (first cut):**
+
+- `IX_AuditLog_OccurredAtUtc` — primary time-range index for global scans.
+- `IX_AuditLog_Site_Occurred (SourceSiteId, OccurredAtUtc)` — per-site filters.
+- `IX_AuditLog_Correlation (CorrelationId)` — drilldown from a single operation.
+- `IX_AuditLog_Channel_Status_Occurred (Channel, Status, OccurredAtUtc)` — KPI / dashboard tiles.
+- `IX_AuditLog_Target_Occurred (Target, OccurredAtUtc)` — "what did we send to system X".
+- Monthly partitioning on `OccurredAtUtc` from day one; purge is a partition switch (see Retention & Purge).
+
+**`Kind` values (flat — 10 discriminators across all channels):**
+
+| Kind | Fires when |
+|---|---|
+| `ApiCall` | Sync `ExternalSystem.Call(...)` returns (success or permanent failure). One row per call. |
+| `ApiCallCached` | A cached outbound-API attempt records its forward-ack (`Forwarded`) or each retry (`Attempted`). |
+| `DbWrite` | Sync `Database.Connection().Execute*(...)` / `ExecuteReader(...)` completes. One row per call. |
+| `DbWriteCached` | A cached outbound-DB attempt records its forward-ack (`Forwarded`) or each retry (`Attempted`). |
+| `NotifySend` | Script's `Notify.Send(...)` is enqueued on the site — first row in a notification's lifecycle (`Status=Submitted`). |
+| `NotifyDeliver` | Central Notification Outbox dispatcher records a delivery attempt (`Attempted`) or terminal outcome (`Delivered`/`Parked`/`Discarded`). |
+| `InboundRequest` | An inbound API request completes — one row per request, written at request end with final status. |
+| `InboundAuthFailure` | An inbound API request was rejected at the auth boundary (bad/missing key). One row, `Status=Failed`, `HttpStatus=401`. |
+| `CachedSubmit` | Script-side enqueue of a cached call (`ExternalSystem.CachedCall` / `Database.CachedWrite`); first row in the cached-call lifecycle, written to site SQLite before any forward attempt. |
+| `CachedResolve` | Terminal row for a cached operation — `Status` = `Delivered` / `Failed` / `Parked` / `Discarded`. |
+
+Inbound API is intentionally collapsed to a single `InboundRequest` (or
+`InboundAuthFailure` for auth rejections) row per request rather than a
+multi-event lifecycle.
+
+## The Site-Local `AuditLog` (SQLite)
+
+A SQLite database file on each site node, alongside the Store-and-Forward
+buffer. Same schema as central minus `IngestedAtUtc` (irrelevant at the source),
+plus a `ForwardState` column with values `Pending | Forwarded | Reconciled` that
+drives the telemetry loop and reconciliation pull.
+
+**Site SQLite retention rule (hard invariant):**
+
+> A row is eligible for purge only when both `OccurredAtUtc < retention threshold` AND `ForwardState IN ('Forwarded', 'Reconciled')`. Pending rows are never purged.
+
+A prolonged central outage will grow the site audit table indefinitely until
+central is reachable again. This is intentional — losing audit rows to make
+room is a compliance violation, not a self-healing behavior. To bound that
+growth in practice, the site emits a `SiteAuditBacklog` health metric (pending
+row count, oldest pending age, bytes on disk); crossing operator-configured
+thresholds surfaces a warning on the relevant site tile in the Health
+dashboard, mirroring the Store-and-Forward Engine's backlog metric.
+
+Central is the durable home. Site SQLite is a write-buffer with a forwarding
+guarantee.
+
+## Ingestion Paths
+
+Four paths feed the central `AuditLog` — one site originator and three central
+writers — all idempotent on `EventId`.
+
+### Site hot-path append (site-originated events)
+
+The component completing a script-trust-boundary action (External System
+Gateway, Database layer, Store-and-Forward Engine) builds an `AuditEvent` with a
+fresh `EventId` (Guid v4) and `OccurredAtUtc = UtcNow`, then appends it to the
+site-local `AuditLog` SQLite via `IAuditWriter` with
+`ForwardState = 'Pending'`. The append is a single-statement INSERT and is
+durable in microseconds; control returns to the script with no central
+round-trip on the hot path.
+
+### Telemetry forward (site → central)
+
+A `SiteAuditTelemetryActor` singleton drives the forwarding loop: select up to
+N `Pending` rows ordered by `OccurredAtUtc`, batch-send them to central via the
+existing `SiteStream` gRPC channel as `IngestAuditEvents(events)`, and on
+central-ack flip `ForwardState = 'Forwarded'` for accepted IDs. Rejected IDs
+stay `Pending` for the next sweep. Cadence is short (default 5 s) when
+non-empty, longer (default 30 s) when idle; telemetry runs on a dedicated
+dispatcher.
+
+### Reconciliation pull (self-healing for missed telemetry)
+
+A central `SiteAuditReconciliationActor` periodically (default 5 min per site)
+asks each site for its oldest `Pending` row and pending count; if backlog is
+non-draining (e.g., telemetry actor wedged), central issues a
+`PullAuditEvents(sinceUtc, batchSize)` and inserts-if-not-exists. Accepted rows
+are flipped to `ForwardState = 'Reconciled'` site-side. Same self-healing
+pattern as Site Call Audit's reconciliation of `SiteCalls`.
+
+### Central direct-write (central-originated events)
+
+Events originating at central never touch site SQLite. Inbound API writes one
+`ApiInbound.InboundRequest` row via `ICentralAuditWriter` synchronously inside
+the request-handler middleware, before the HTTP response is flushed; auth-layer
+rejections emit `ApiInbound.InboundAuthFailure` (`Status=Failed`, HTTP 401)
+instead. The Notification Outbox dispatcher writes
+`Notification.NotifyDeliver` with `Status=Attempted` per delivery attempt and
+`Notification.NotifyDeliver` with `Status=Delivered`/`Parked`/`Discarded` on
+terminal status. Central direct-writes use the same insert-if-not-exists
+semantics keyed on `EventId`.
+
+## Cached Operations — Combined Telemetry
+
+For `ExternalSystem.CachedCall` and `Database.CachedWrite`, the **site** is the
+source of truth for every audit row. The site writes each lifecycle event —
+`CachedSubmit` (`Status=Submitted`), then `ApiCallCached`/`DbWriteCached` rows
+for the forward-ack (`Status=Forwarded`) and each retry (`Status=Attempted`),
+then a terminal `CachedResolve` row
+(`Status=Delivered`/`Failed`/`Parked`/`Discarded`) — to its local SQLite
+`AuditLog` on the hot path (or on the retry tick for `Attempted` rows), then
+forwards via the same telemetry channel. The telemetry message format gains the
+audit-row fields additively — one packet per lifecycle transition carries both
+the operational state update AND the audit row content.
+
+On receipt, central performs both writes in one transaction:
+
+1. Insert-if-not-exists the immutable `AuditLog` row, keyed on `EventId`.
+2. Upsert the operational `SiteCalls` row — existing Site Call Audit behavior
+   (status, retry count, last error, timestamps).
+
+This collapses two telemetry concerns into one, keeps site SQLite as the
+single local source of truth for audit content, and preserves the existing
+operational `SiteCalls` shape for the dispatcher and UI.
+
+## Payload Capture Policy
+
+- **Default cap** — 8 KB for each of `RequestSummary` and `ResponseSummary`;
+  raised to 64 KB on any error row (`Status IN ('Failed', 'Parked', 'Discarded')`).
+- **Truncation** — UTF-8 byte-safe; `PayloadTruncated = 1` when applied. Full
+  bodies are never stored.
+- **HTTP headers** — `Authorization`, `Cookie`, `Set-Cookie`, `X-API-Key`, and
+  any header matching the configured redact-list regex become `<redacted>`.
+- **HTTP bodies** — captured verbatim by default. Operators register per-target
+  body redactors (regex → replacement) for known secret fields.
+- **SQL** — statement text and parameter values captured verbatim by default;
+  per-connection opt-in to redact parameters whose name matches a regex.
+- **Never captured** — raw API key material (only the key *name* via `Actor`),
+  LDAP bind credentials, cluster secrets, Configuration DB connection strings.
+- **Safety net** — if a configured redactor throws, the affected payload becomes
+  `"<redacted: redactor error>"` and `AuditRedactionFailure` increments. We
+  over-redact, never under-redact, on configuration faults.
+
+Redaction happens at the write site, before the row touches SQLite (or central
+MS SQL for direct-write events). Unredacted secrets never persist.
+
+## Failure Handling & Idempotency
+
+- **`EventId` is the dedup key.** Generated at the originator; central ingest
+  is `INSERT … WHERE NOT EXISTS (SELECT 1 FROM AuditLog WHERE EventId = @id)`
+  under the PK constraint. Idempotent across telemetry retries, reconciliation
+  pulls, and any combination of the two.
+- **Never fail the action.** A failed audit write — site SQLite or central
+  direct-write — logs a critical Site Event Log entry and increments a health
+  metric (`SiteAuditWriteFailures` or `CentralAuditWriteFailures`), but the
+  user-facing action proceeds. We do not fail script-initiated work because the
+  audit write failed.
+- **Hot-path ring buffer.** While the site audit writer is unhealthy
+  (disk full, schema lock, transient IO), events buffer in a small in-memory
+  ring (default 1024 rows); oldest are discarded with a Site Event Log warning
+  per drop.
+- **Reconciliation as fallback.** If two consecutive reconciliation cycles
+  report a non-draining backlog, the supervisor restarts the telemetry actor
+  and a `SiteAuditTelemetryStalled` event fires.
+- **No dedup horizon.** `EventId` PK enforces uniqueness only while a row
+  exists. A retry that arrives after the original row is purged inserts a "new"
+  row — vanishingly rare and harmless.
+
+## Retention & Purge
+
+- **Central:** 365-day default based on `OccurredAtUtc`, configurable via
+  `AuditLog:RetentionDays` (min 7, max 3650). Single global retention in v1 —
+  no per-channel overrides.
+- **Partitioning:** monthly partitions on `OccurredAtUtc` from day one
+  (`pf_AuditLog_Month` / `ps_AuditLog_Month`). Purge is a partition switch;
+  there are no row-level deletes at central.
+- **Purge actor:** `AuditLogPurgeActor` singleton on the active central node
+  runs daily, switches out any partition whose latest `OccurredAtUtc` is older
+  than the retention window, and emits an `AuditLog:Purged` event (partition
+  range, rowcount, duration). A partition-maintenance step rolls forward each
+  month, creating the next month's partition ahead of time.
+- **Sites:** daily site job; default 7-day retention (configurable, min 1,
+  max 90). Respects the hard `ForwardState` invariant — `Pending` rows are
+  never purged on age alone.
+
+## Security & Tamper-Evidence
+
+- **Append-only enforcement.** The application accesses `AuditLog` via a
+  dedicated DB role `scadalink_audit_writer` granted `INSERT` + `SELECT` only —
+  no `UPDATE`, no `DELETE`. Purge runs under a separate role
+  `scadalink_audit_purger` whose permissions are limited to the partition-switch
+  operation; row-level `DELETE` is not granted even to purge.
+- **CI grep guard.** The build greps the data layer for any
+  `UPDATE … AuditLog` or `DELETE … AuditLog` text and fails on a hit.
+- **Authorization.** Reading the Audit Log requires the existing **Audit** role
+  extended with a new **OperationalAudit** permission. Per-site row scoping
+  reuses the existing site-permission model; bulk export requires an additional
+  **AuditExport** permission.
+- **Payload redaction at write.** See Payload Capture Policy. Unredacted
+  secrets never persist; the safety net over-redacts on misconfiguration.
+- **Hash-chain tamper evidence — deferred to v1.x.** A future `RowHash` column,
+  computed per partition as `SHA-256(prev.RowHash || canonical(row))`, will be
+  verifiable offline via `scadalink audit verify-chain --month YYYY-MM`. Off by
+  default in v1.
+- **Site SQLite security.** File permissions: read/write by the ScadaLink
+  service account only. Not backed up off-machine — site SQLite is a buffer,
+  not a record.
+
+## KPIs
+
+Point-in-time, computed from the central `AuditLog` table; global and per-site.
+
+- **Audit volume** — events/min landing in the central `AuditLog`; global plus per-site sparkline.
+- **Audit error rate** — % of central `AuditLog` rows with `Status IN ('Failed', 'Parked', 'Discarded')` over a rolling 5-minute window. This is the operational error rate of audited operations (HTTP 5xx, permanent failures, parked deliveries) — NOT audit-writer health, which surfaces separately via `CentralAuditWriteFailures` and `AuditRedactionFailure`.
+- **Audit backlog** — sum of `Pending` site rows across sites; click drills into a per-site breakdown.
+
+[Notification Outbox](Component-NotificationOutbox.md) and
+[Site Call Audit](Component-SiteCallAudit.md) KPIs are unaffected — they remain
+sourced from `Notifications` and `SiteCalls` respectively. Audit Log KPIs
+describe the audit table itself.
+
+## Configuration
+
+Bound from `appsettings.json` to a new `AuditLogOptions` class owned by this
+component (Options pattern):
+
+```jsonc
+"AuditLog": {
+  "DefaultCapBytes": 8192,
+  "ErrorCapBytes": 65536,
+  "HeaderRedactList": [ "Authorization", "Cookie", "Set-Cookie", "X-API-Key" ],
+  "GlobalBodyRedactors": [
+    { "Pattern": "\"password\"\\s*:\\s*\"[^\"]+\"", "Replacement": "\"password\":\"<redacted>\"" }
+  ],
+  "PerTargetOverrides": {
+    "Weather/GetForecast": { "CapBytes": 4096 },
+    "PlantDB":             { "RedactSqlParamsMatching": "@apikey|@token" }
+  },
+  "RetentionDays": 365
+}
+```
+
+`PerTargetOverrides` keys bind by External System / Inbound Method /
+Notification List / Database Connection name. `RetentionDays` is a single
+global value in v1; per-channel overrides are deferred to v1.x.
+
+## Dependencies
+
+- **[Commons (#16)](Component-Commons.md)** — `AuditEvent`, `IAuditWriter` /
+  `ICentralAuditWriter` interfaces, and the `AuditChannel`, `AuditKind`,
+  `AuditStatus` enum types live here.
+- **[Configuration Database (#17)](Component-ConfigurationDatabase.md)** — hosts
+  the `AuditLog` table schema, the monthly partition function and scheme, the
+  `scadalink_audit_writer` / `scadalink_audit_purger` DB roles, and the EF
+  migration. Distinct concern from `IAuditService` (config-change audit), which
+  is unchanged.
+- **[Cluster Infrastructure (#13)](Component-ClusterInfrastructure.md)** —
+  singleton placement and supervision for `AuditLogIngestActor`,
+  `SiteAuditTelemetryActor`, `SiteAuditReconciliationActor`, and
+  `AuditLogPurgeActor`.
+- **[Central–Site Communication (#5)](Component-Communication.md)** — carries
+  audit telemetry. New gRPC message types (`IngestAuditEvents`,
+  `PullAuditEvents`) are added to the existing site-stream proto additively.
+- **[Site Runtime (#3)](Component-SiteRuntime.md)** — script-trust-boundary
+  call paths invoke `IAuditWriter` to append events.
+- **[Host (#15)](Component-Host.md)** — registers this component (#23) under
+  the central and site roles.
+
+## Interactions
+
+- **[External System Gateway (#7)](Component-ExternalSystemGateway.md)** —
+  emits `ApiOutbound.ApiCall` rows on every sync `Call()`. For `CachedCall`,
+  emits the combined cached telemetry packet (audit row + operational update)
+  per Cached Operations — Combined Telemetry, using kinds
+  `CachedSubmit` / `ApiCallCached` / `CachedResolve`.
+- **[External System Gateway (#7)](Component-ExternalSystemGateway.md) — Database layer** — the database access modes inside ESG emit `DbOutbound.DbWrite` rows on script-initiated `Connection()` calls (writes and reads share the kind; distinguish via `Extra.rowsAffected` vs `Extra.rowsReturned`); `Database.CachedWrite` emits the cached-write lifecycle rows via the combined-telemetry packet using kinds `CachedSubmit` / `DbWriteCached` / `CachedResolve` (same shape as `ApiOutbound`). Site Runtime is the API surface that exposes the `Database.*` calls to scripts; the audit emission itself lives in ESG.
+- **[Inbound API (#14)](Component-InboundAPI.md)** — emits one
+  `ApiInbound.InboundRequest` row per successful request from request-handler
+  middleware, written directly to central via `ICentralAuditWriter` before the
+  response is flushed. Auth-layer rejections emit
+  `ApiInbound.InboundAuthFailure` instead (`Status=Failed`, HTTP 401).
+- **[Notification Outbox (#21)](Component-NotificationOutbox.md)** — the
+  site-emitted `Notification.NotifySend` row (`Status=Submitted`) flows via
+  audit telemetry; the central dispatcher writes `Notification.NotifyDeliver`
+  rows directly via `ICentralAuditWriter` — `Status=Attempted` per delivery
+  attempt, `Status=Delivered`/`Parked`/`Discarded` on terminal status. The
+  operational `Notifications` table is unchanged.
+- **[Site Call Audit (#22)](Component-SiteCallAudit.md)** — shares the
+  cached-call telemetry packet. Central ingest of that packet performs both the
+  `AuditLog` insert and the `SiteCalls` upsert in one transaction. `SiteCalls`
+  remains the operational state store; the Audit Log is its immutable shadow.
+- **[Central UI (#9)](Component-CentralUI.md)** — a new **Audit** nav group
+  hosts the Audit Log page (filter bar, results grid, drilldown drawer,
+  server-side CSV export). Drill-in links appear on Notifications, Site Calls,
+  External Systems, Inbound API key, Sites, and Instances detail pages.
+- **[Health Monitoring (#11)](Component-HealthMonitoring.md)** — three new
+  tiles (Volume, Error rate, Backlog) plus new health metrics:
+  `SiteAuditBacklog`, `SiteAuditWriteFailures`, `SiteAuditTelemetryStalled`,
+  `CentralAuditWriteFailures`, `AuditRedactionFailure`.
+- **[CLI (#19)](Component-CLI.md)** — new `scadalink audit query`,
+  `scadalink audit export`, and `scadalink audit verify-chain` commands; same
+  permission requirements as the UI.

docs/requirements/Component-CLI.md

@@ -172,6 +172,40 @@ scadalink security scope-rule delete --id <id>
 scadalink audit-log query [--user <username>] [--entity-type <type>] [--action <action>] [--from <date>] [--to <date>] [--page <n>] [--page-size <n>]
 ```
 
+The legacy `audit-log query` above targets the original configuration-change audit
+(IAuditService) surface. The new centralized Audit Log component (#23) is exposed via
+the `scadalink audit` group below.
+
+### Centralized Audit Commands
+
+The `scadalink audit` group targets the centralized Audit Log component (#23) and
+exposes the UI-equivalent operational audit surface. Permissions follow the same
+read-vs-export split the Central UI uses (see Component-AuditLog.md, Security &
+Tamper-Evidence, and Security & Auth #10): `audit query` and `audit verify-chain`
+require the `OperationalAudit` permission; `audit export` additionally requires
+`AuditExport`. The server enforces permission checks and returns HTTP 403 (CLI
+exit code 2) on denial.
+
+```
+scadalink audit query --since <t> [--until <t>] [--channel <c>] [--kind <k>] [--status <s>] [--site <s>] [--instance <i>] [--target <t>] [--actor <a>] [--correlation-id <id>] [--errors-only] [--page <n>] [--page-size <n>]
+scadalink audit export --since <t> --until <t> --format csv|jsonl|parquet --output <path> [--channel <c>] [--kind <k>] [--status <s>] [--site <s>] [--target <t>] [--actor <a>]
+scadalink audit verify-chain --month <YYYY-MM>
+```
+
+- `audit query` — filtered query against the central `AuditLog` table, matching the
+  Central UI Audit Log page filter set (time range, channel, kind, status, site,
+  instance/script, target, actor, correlation ID, errors-only). Results stream as
+  JSON (default) or table.
+- `audit export` — server-side streaming export of the central `AuditLog` to the
+  requested format (`csv`, `jsonl`, `parquet`) written to `--output`. The server
+  streams rows rather than materializing them in memory; the CLI writes bytes
+  through to disk. Supports the same scoping filters as `audit query`.
+- `audit verify-chain` — hash-chain verification for the named month.
+  **No-op in v1**: the command is defined so the command tree is stable, but
+  verification only becomes meaningful once the hash-chain ships (see
+  Component-AuditLog.md, Security & Tamper-Evidence). Until then, the server
+  responds with a "verification not yet available" status and the CLI exits 0.
+
 ### Health Commands
 ```
 scadalink health summary
@@ -273,6 +307,8 @@ Configuration is resolved in the following priority order (highest wins):
 - **Commons**: Message contracts (`Messages/Management/`) for command type definitions and registry.
 - **System.CommandLine**: Command-line argument parsing.
 - **Microsoft.AspNetCore.SignalR.Client**: SignalR client for the `debug stream` command's WebSocket connection.
+- **Management Service (#18)**: The CLI hits the central cluster via the existing HTTP Management API (`POST /management`), which dispatches to the ManagementActor. The `scadalink audit` command group rides this same transport — there is no separate audit endpoint.
+- **Audit Log (#23)**: The `scadalink audit query`, `audit export`, and `audit verify-chain` subcommands target the centralized Audit Log component's query/export/verify surfaces via the Management API. Permission checks (`OperationalAudit`, `AuditExport`) are enforced server-side.
 
 ## Interactions
 

docs/requirements/Component-CentralUI.md

@@ -58,6 +58,7 @@ Central cluster only. Sites have no user interface.
 ### External System Management (Design Role)
 - Define external system contracts: connection details, API method definitions (parameters, return types).
 - Define retry settings per external system (max retry count, fixed time between retries).
+- The external system detail page includes a **"Recent activity"** link that opens the Audit Log page pre-filtered to `Channel = ApiOutbound` and `Target` starts-with the system name — surfacing the system's recent outbound API audit history.
 
 ### Database Connection Management (Design Role)
 - Define named database connections: server, database, credentials.
@@ -74,6 +75,11 @@ Central cluster only. Sites have no user interface.
 - Define data connections and assign them to sites (name, protocol type, connection details).
 - **Data connection form**: "Primary Endpoint Configuration" (required JSON text area) and optional "Backup Endpoint Configuration" (collapsible section, hidden by default, revealed via "Add Backup Endpoint" button; "Remove Backup" button when editing an existing backup). "Failover Retry Count" numeric input (default 3, min 1, max 20) is visible only when a backup endpoint is configured.
 - **Data connection list page**: Shows Primary Config and Backup Config columns. Active Endpoint column populated from health reports.
+- The site detail page exposes a new **"Audit feed"** tab that hosts the Audit Log page pre-filtered to `Site = <site>` — an in-context view of every operational audit event for that site.
+
+### Inbound API Management (Admin Role for keys, Design Role for methods)
+- Manage inbound API keys (create, enable / disable, delete) and define API methods (name, parameters, return values, approved keys, implementation script).
+- The API key detail page includes a **"Recent calls"** link that opens the Audit Log page pre-filtered to `Actor = <key name>` and `Channel = ApiInbound` — surfacing the key's recent inbound-call audit history.
 
 ### Area Management (Admin Role)
 - Define hierarchical area structures per site.
@@ -89,6 +95,7 @@ Central cluster only. Sites have no user interface.
 - **Disable** instances — stops data collection, script triggers, and alarm evaluation at the site while retaining the deployed configuration.
 - **Enable** instances — re-activates a disabled instance.
 - **Delete** instances — removes the running configuration from the site. Blocked if the site is unreachable. Store-and-forward messages are not cleared.
+- The instance detail page exposes a new **"Audit feed"** tab that hosts the Audit Log page pre-filtered to the instance (`Site = <site>` and the `Instance / Script` filter set to the instance unique name) — an in-context view of every operational audit event involving that instance.
 
 ### Deployment (Deployment Role)
 - View list of instances with staleness indicators (deployed config differs from template-derived config).
@@ -124,6 +131,7 @@ Central cluster only. Sites have no user interface.
 - **KPI tiles** at the top of the page: queue depth (`Pending` + `Retrying`), stuck count, parked count, delivered in the last interval, and oldest pending age. The KPIs are central-computed on demand from the `Notifications` table.
 - A **queryable notification list** filterable by status, type, source site, notification list, and time range, with a **stuck-only toggle** and keyword search on subject. Each row shows the notification's status, retry count, last error, and key timestamps.
 - **Retry** and **Discard** actions are available on parked notifications: Retry returns the notification to `Pending` and resets `RetryCount` / `NextAttemptAt`; Discard moves it to `Discarded`. The row is retained either way so the table stays a complete audit record.
+- Each row exposes a **"View audit history"** action that opens the Audit Log page pre-filtered to `CorrelationId = NotificationId`, surfacing every operational audit event recorded for that notification.
 - **Stuck rows are visually badged** — a notification is stuck if it is `Pending` or `Retrying` and older than the configurable stuck-age threshold. Stuck detection is display-only; there is no automated escalation or alerting.
 - All queries are served from the central `Notifications` table — no remote per-site queries are needed, unlike the Parked Message Management page.
 
@@ -131,6 +139,7 @@ Central cluster only. Sites have no user interface.
 - Monitor cached calls store-and-forwarded from sites — `ExternalSystem.CachedCall()` and `Database.CachedWrite()` operations. Scoped to the `ExternalCall` and `DatabaseWrite` kinds only; notifications keep their separate Notification Outbox page and are not merged here.
 - A **queryable cached-call list** filterable by site, kind, status, and time range. Each row shows the call's timestamp, site, kind, target summary, status badge, retry count, and last error.
 - **Retry** and **Discard** actions are available on `Parked` rows only — `Failed` rows are not actionable, since a permanent failure would simply fail again and its error was already returned synchronously to the calling script. The actions issue central→site commands to the owning site; if the site is offline the UI surfaces a "site unreachable" message.
+- Each row exposes a **"View audit history"** action that opens the Audit Log page pre-filtered to `CorrelationId = TrackedOperationId`, showing every operational audit event recorded for that cached call.
 - Data is served from the central Site Call Audit component's `SiteCalls` table. The page is **read-mostly** — an eventually-consistent mirror of site state; the site remains the source of truth.
 
 ### Health Monitoring Dashboard (All Roles)
@@ -138,14 +147,42 @@ Central cluster only. Sites have no user interface.
 - Per-site detail: active/standby node status, data connection health, script error rates, alarm evaluation error rates, store-and-forward buffer depths.
 - Headline **Notification Outbox KPI tiles** — queue depth, stuck count, and parked count. These are central-computed by the Notification Outbox from the central `Notifications` table (not part of any site health report). The full outbox view is on the dedicated Notification Outbox page.
 - Headline **Site Call Audit KPI tiles** — buffered count, parked count, and failed-last-interval. These are central-computed by the Site Call Audit component from the central `SiteCalls` table (not part of any site health report). The full cached-call view is on the dedicated Site Calls page.
+- Headline **Audit KPI tiles** — three tiles in a new "Audit" KPI group: **Audit volume**, **Audit error rate**, and **Audit backlog**. These are sourced from the Audit Log component (#23) and Health Monitoring per the metric definitions in Component-HealthMonitoring.md; the dashboard simply surfaces them. The full audit query view is on the dedicated Audit Log page.
 
 ### Site Event Log Viewer (Deployment Role)
 - Query site event logs remotely.
 - Filter by event type, time range, instance.
 - View script executions, alarm events (activations, clears, evaluation errors), deployment events (including script compilation results), connection status changes, store-and-forward activity, instance lifecycle events (enable, disable, delete).
 
-### Audit Log Viewer (Admin Role)
-- Query the central audit log.
+### Audit Log (Admin / Audit Role)
+- Lives under a **new top-level "Audit" nav group** (sibling to Notifications). In v1 the Audit nav group contains this single Audit Log page; the pre-existing Configuration Audit Log Viewer remains its own page below.
+- Global query / filter / drilldown over the central `AuditLog` table maintained by the Audit Log component (#23). Read-only — the table is append-only, so there are no edit actions on rows.
+- Read access to the page requires the `OperationalAudit` permission (Security & Auth #10). Per-site row scoping reuses the existing site-permission model: a user sees only rows for sites they are authorized to operate. Bulk export (see below) additionally requires `AuditExport`. The split mirrors the CLI's permission model (see Component-CLI.md).
+- **Filter bar** (top of page, collapses to a single row when not focused):
+  - Time range — relative (15m / 1h / 24h / 7d) or custom.
+  - Channel — multi-select: `ApiOutbound`, `DbOutbound`, `Notification`, `ApiInbound`.
+  - Kind — multi-select; the available options are filtered by the selected Channels.
+  - Status — multi-select.
+  - Site — multi-select, scoped to the user's authorized sites.
+  - Instance / Script — text search with autocomplete.
+  - Target — text search (system + method, DB connection, list name).
+  - Actor — text search (inbound API key name).
+  - CorrelationId — paste a `TrackedOperationId` / `NotificationId` / request-id to see the full event sequence for one operation.
+  - "Errors only" toggle — shorthand for `Status NOT IN (Success, Delivered, Enqueued)`.
+- **Results grid** (custom Blazor + Bootstrap component, consistent with the rest of the UI — no third-party grid):
+  - Columns, all resizable and reorderable, persisted per user: `OccurredAtUtc`, `Site`, `Channel`, `Kind`, `Status`, `Target`, `Actor`, `DurationMs`, `HttpStatus`, `ErrorMessage`.
+  - Keyset pagination ordered by `(OccurredAtUtc desc, EventId desc)`. Default page size 100.
+  - Clicking a row opens the drilldown drawer.
+- **Drilldown drawer**:
+  - Pretty-prints `RequestSummary` / `ResponseSummary` — JSON is auto-detected and syntax-highlighted; SQL is syntax-highlighted.
+  - Surfaces **redaction indicators** wherever headers or fields were stripped at write time, per the Audit Log component's "Payload Capture Policy".
+  - **"Copy as cURL"** action on `ApiOutbound` and `ApiInbound` rows.
+  - **"Show all events for this operation"** link — re-applies the current view filtered by the row's `CorrelationId`.
+- **Export** button on the page header streams a server-side CSV of the current filter (default cap 100k rows; larger exports go through the CLI). Requires the `AuditExport` permission.
+
+### Configuration Audit Log Viewer (Admin Role)
+- Pre-existing viewer for the `IAuditService` configuration-change log (template / instance / site / etc. before-after edits). Lives under the same **Audit** nav group as the operational Audit Log above.
+- Query the central configuration audit log.
 - Filter by user, entity type, action type, time range.
 - View before/after state for each change.
 
@@ -163,3 +200,4 @@ Central cluster only. Sites have no user interface.
 - **Health Monitoring**: Provides site health data for the dashboard.
 - **Notification Outbox**: Provides notification delivery KPIs and serves the `Notifications` table queries and Retry/Discard actions for the Notification Outbox page.
 - **Site Call Audit**: Serves the `SiteCalls` table queries and relays Retry/Discard actions to sites for the Site Calls page.
+- **Audit Log (#23)**: Serves all `AuditLog` table queries (filter / grid / drilldown / CSV export) for the new Audit Log page and the drill-in surfaces on Notifications, Site Calls, External Systems, Inbound API keys, Sites, and Instances. Payload capture, redaction, and per-site authorization follow the Audit Log component's "Payload Capture Policy" and "Security & Tamper-Evidence" sections.

docs/requirements/Component-ClusterInfrastructure.md

@@ -54,6 +54,23 @@ remains the home of the configuration contract that the Host consumes.
 - Connected to local SQLite databases (store-and-forward buffer, event logs, deployed configurations).
 - Connected to machines via data connections (OPC UA).
 
+## Cluster Singletons
+
+Akka.NET cluster singletons run on the active node of their cluster and migrate on failover. Each singleton listed here is owned by the named component; this component (Cluster Infrastructure) provides only the hosting, supervision, and active-node placement guarantee.
+
+### Central singletons (active central node)
+
+- **`NotificationOutboxActor`** — owned by Notification Outbox (#21). Drives the central notification dispatch loop against the `Notifications` table.
+- **`SiteCallAuditActor`** — owned by Site Call Audit (#22). Owns the operational `SiteCalls` table: drives periodic reconciliation pulls for `CachedCall` / `CachedWrite` lifecycle, computes KPIs, and relays operator Retry/Discard actions to the owning site. Note: ingest of cached-call telemetry is performed by `AuditLogIngestActor` (#23) in one transaction with the immutable `AuditLog` insert — see Component-AuditLog.md, Cached Operations — Combined Telemetry.
+- **`AuditLogIngestActor`** — owned by Audit Log (#23). Receives gRPC telemetry batches of `AuditEvent` rows from sites and performs insert-if-not-exists on `EventId` against the central `AuditLog` table. For cached-call telemetry (which carries both audit-row content and operational-state fields in a single packet), the ingest performs the `AuditLog` insert and the `SiteCalls` upsert in **one transaction** — see Component-AuditLog.md for the combined-telemetry contract.
+- **`SiteAuditReconciliationActor`** — owned by Audit Log (#23). Periodic per-site pull (default every 5 minutes) that self-heals missed audit telemetry by asking each site for its oldest `ForwardState = 'Pending'` row and issuing a `PullAuditEvents(sinceUtc, batchSize)` when a non-draining backlog is detected.
+- **`AuditLogPurgeActor`** — owned by Audit Log (#23). Daily partition-switch purge against `ps_AuditLog_Month`; switches out any partition older than `AuditLog:RetentionDays` and emits an `AuditLog:Purged` event. Also rolls the partition scheme forward each month so the next month's partition exists ahead of time.
+
+### Site singletons (active site node, per site cluster)
+
+- **Site Runtime Deployment Manager** — owned by Site Runtime (#3). Owns the full Instance Actor hierarchy; re-creates it on failover from local SQLite.
+- **`SiteAuditTelemetryActor`** — owned by Audit Log (#23). Drains the local site `AuditLog` SQLite's `ForwardState = 'Pending'` rows to central in batches via the existing `SiteStream` gRPC channel; cadence is short (default 5 s) when the queue is non-empty and longer (default 30 s) when idle. Runs on a **dedicated dispatcher** so it does not compete with the script blocking-I/O dispatcher (per Component-AuditLog.md, Ingestion Paths → Telemetry forward).
+
 ## Failover Behavior
 
 ### Detection

docs/requirements/Component-Commons.md

@@ -38,6 +38,10 @@ Commons must define shared primitive and utility types used across multiple comp
 - **`TrackedOperationId`**: A GUID identifying a tracked store-and-forward operation (`ExternalSystem.CachedCall`, `Database.CachedWrite`, `Notify.Send`). Generated caller-side at the site at call time, returned to the script as a tracking handle, and reused as the idempotency key for telemetry sent to central. The notification domain's existing `NotificationId` is the notification-specific name for this same concept.
 - **`TrackedOperationKind` enum**: ExternalCall, DatabaseWrite. Discriminates the two cached-call kinds carried by a tracked operation (notifications are tracked separately via the `NotificationType` enum).
 - **`TrackedOperationStatus` enum**: Pending, Retrying, Delivered, Parked, Failed, Discarded. The unified lifecycle state shared by all tracked store-and-forward operations. This is the operation's externally-observable lifecycle status in the site-local tracking table (the status record); it is related to but distinct from the S&F buffer's own `StoreAndForwardMessageStatus`, which tracks a buffered message's retry state within the buffer (the retry mechanism). `Failed` (permanent failure) has no notification analogue — notifications use only the other five states (the `NotificationStatus` enum omits `Failed`).
+- **`AuditChannel` enum**: ApiOutbound, DbOutbound, Notification, ApiInbound. Discriminates the script-trust-boundary channel that produced an `AuditEvent`. Owned by the Audit Log component.
+- **`AuditKind` enum**: SyncCall, CachedEnqueued, CachedAttempt, CachedTerminal, SyncWrite, SyncRead, Enqueued, Attempt, Terminal, Completed. Channel-specific event kind — the valid `Kind` values for each `AuditChannel` are listed in the Audit Log component design (`Component-AuditLog.md`).
+- **`AuditStatus` enum**: Success, TransientFailure, PermanentFailure, Enqueued, Retrying, Delivered, Parked, Discarded. Outcome of a single audit event row; superset of `TrackedOperationStatus` to also cover one-shot sync calls.
+- **`AuditEvent`**: A record carrying every column of the central `AuditLog` row — `EventId` (GUID, idempotency key), `OccurredAtUtc`, `IngestedAtUtc`, `Channel` (`AuditChannel`), `Kind` (`AuditKind`), `CorrelationId`, `SourceSiteId`, `SourceInstanceId`, `SourceScript`, `Actor`, `Target`, `Status` (`AuditStatus`), `HttpStatus`, `DurationMs`, `ErrorMessage`, `ErrorDetail`, `RequestSummary`, `ResponseSummary`, `PayloadTruncated`, `Extra` — plus a site-only `ForwardState` (`Pending` | `Forwarded` | `Reconciled`) used by the site SQLite write-buffer's telemetry/reconciliation loop. `IngestedAtUtc` is unset at the site and stamped on central ingest. See `Component-AuditLog.md` for the persistence schema and ingest semantics.
 
 Types defined here must be immutable and thread-safe.
 
@@ -107,6 +111,8 @@ Commons must define service interfaces for cross-cutting concerns that multiple
 - **`IExternalSystemClient`**: Provides script-facing invocation of external system HTTP APIs (synchronous `Call` and store-and-forward `CachedCall`). Implemented by the External System Gateway, consumed by the script runtime context.
 - **`IInstanceLocator`**: Resolves an instance unique name to its site identifier. Used by the Inbound API's `Route.To()` to determine the destination site.
 - **`INotificationDeliveryService`**: Sends notifications to a named notification list, routing transient failures to store-and-forward. Implemented by the Notification Service, consumed by the script runtime context.
+- **`IAuditWriter`**: Site-local hot-path interface for appending an `AuditEvent` to the site SQLite `AuditLog`: `Task WriteAsync(AuditEvent evt, CancellationToken ct)`. Single durable INSERT, `ForwardState = Pending`. Consumed by the script-trust-boundary call paths (External System Gateway, Database layer, Store-and-Forward Engine). Implementation lives in the Audit Log component.
+- **`ICentralAuditWriter`**: Central direct-write interface for central-originated audit rows (Inbound API request completion, Notification Outbox dispatcher attempts/terminals): `Task WriteAsync(AuditEvent evt, CancellationToken ct)`, with insert-if-not-exists semantics on `EventId` so retried handlers cannot produce duplicates. Implementation lives in the Audit Log component.
 
 These interfaces are defined in Commons so that consuming components depend only on the abstraction, not on the implementing component.
 
@@ -123,8 +129,9 @@ Commons must define the shared DTOs and message contracts used for inter-compone
 - **Script Execution DTOs**: Script call requests (with recursion depth), return values, error results.
 - **System-Wide Artifact DTOs**: Shared script packages, external system definitions, database connection definitions, notification list definitions.
 - **Notification DTOs**: `NotificationSubmit` (site→central submission: `NotificationId`, `ListName`, `Subject`, `Body`, provenance, `SiteEnqueuedAt`) and `NotificationSubmitAck` (central acknowledgement returned only after the `Notifications` row is persisted — ack-after-persist — which the site Store-and-Forward Engine waits on before clearing the buffered message). `NotificationStatusQuery` / `NotificationStatusResponse` back the `Notify.Status` script API, round-tripping a status record (status, retry count, last error, key timestamps) once a notification has been forwarded. Recipient resolution is *not* part of any contract — the site forwards only `(listName, subject, body)` and central resolves the list at delivery time. Subject to the additive-only evolution rules in REQ-COM-5a, since a submission can cross the site→central version-skew boundary.
-- **Cached Call Tracking DTOs**: `CachedCallTelemetry` (site→central lifecycle telemetry for a tracked cached call: `TrackedOperationId`, source site, `Kind` — the `TrackedOperationKind` enum (`ExternalCall` / `DatabaseWrite`) — target summary, status, retry count, last error, key timestamps, and source instance / script provenance) and `CachedCallReconcileRequest` / `CachedCallReconcileResponse` (cursor-based per-site pull of tracking rows changed since a cursor, used so missed telemetry self-heals). All three live in the `Integration/` message folder and are subject to the additive-only evolution rules in REQ-COM-5a, since they cross the site→central version-skew boundary.
+- **Cached Call Tracking DTOs**: `CachedCallTelemetry` (site→central lifecycle telemetry for a tracked cached call: `TrackedOperationId`, source site, `Kind` — the `TrackedOperationKind` enum (`ExternalCall` / `DatabaseWrite`) — target summary, status, retry count, last error, key timestamps, and source instance / script provenance) and `CachedCallReconcileRequest` / `CachedCallReconcileResponse` (cursor-based per-site pull of tracking rows changed since a cursor, used so missed telemetry self-heals). All three live in the `Integration/` message folder and are subject to the additive-only evolution rules in REQ-COM-5a, since they cross the site→central version-skew boundary. `CachedCallTelemetry` is additively extended to also carry the `AuditEvent` content for the corresponding lifecycle transition (`CachedEnqueued` / `CachedAttempt` / `CachedTerminal`), so one packet drives both the `SiteCalls` operational upsert and the `AuditLog` insert-if-not-exists in a single central transaction — see [Component-AuditLog.md](Component-AuditLog.md), Cached Operations — Combined Telemetry.
 - **Parked Operation Command DTOs**: `RetryParkedOperation` and `DiscardParkedOperation` (central→site command/control messages keyed by `TrackedOperationId`, instructing the owning site to retry or discard a parked store-and-forward operation). These generalize the existing parked-message retry/discard commands to also cover parked cached calls; they live in the `RemoteQuery/` message folder alongside the other parked-message management messages.
+- **Audit Telemetry DTOs**: `AuditTelemetryEnvelope` (site→central gRPC message wrapping a batch of `AuditEvent` rows for the `IngestAuditEvents` telemetry call) and the matching reconciliation pull messages (`PullAuditEvents` request/response carrying a `sinceUtc` cursor and a batch of `AuditEvent` rows). Live in the `Integration/` message folder, subject to the additive-only evolution rules in REQ-COM-5a since they cross the site→central version-skew boundary. Cached-operation audit rows do **not** travel via `AuditTelemetryEnvelope` — they are folded into `CachedCallTelemetry` per the bullet above.
 
 All message types must be `record` types or immutable classes suitable for use as Akka.NET messages (though Commons itself must not depend on Akka.NET).
 
@@ -157,7 +164,9 @@ ScadaLink.Commons/
 │   │                               #   DataType, StoreAndForwardCategory,
 │   │                               #   StoreAndForwardMessageStatus,
 │   │                               #   NotificationType, NotificationStatus,
-│   │                               #   TrackedOperationKind, TrackedOperationStatus
+│   │                               #   TrackedOperationKind, TrackedOperationStatus,
+│   │                               #   AuditChannel, AuditKind, AuditStatus
+│   ├── Audit/                      # AuditEvent record (site + central audit row)
 │   ├── DataConnections/            # OPC UA endpoint config value objects + enums
 │   ├── Flattening/                 # FlattenedConfiguration, ConfigurationDiff,
 │   │                               #   DeploymentPackage, ValidationResult
@@ -177,6 +186,8 @@ ScadaLink.Commons/
 │   │   └── ICentralUiRepository.cs
 │   └── Services/                   # REQ-COM-4a: Cross-cutting service interfaces
 │       ├── IAuditService.cs
+│       ├── IAuditWriter.cs
+│       ├── ICentralAuditWriter.cs
 │       ├── IDatabaseGateway.cs
 │       ├── IExternalSystemClient.cs
 │       ├── IInstanceLocator.cs
@@ -209,7 +220,8 @@ ScadaLink.Commons/
 │   ├── DataConnection/             # data-connection subscribe/write/health messages
 │   ├── Instance/                   # attribute get/set request/command messages
 │   ├── Integration/                # external-integration call request/response,
-│   │                               #   cached-call tracking telemetry + reconcile
+│   │                               #   cached-call tracking telemetry + reconcile,
+│   │                               #   audit telemetry envelope + reconcile
 │   ├── Notification/               # NotificationSubmit + ack,
 │   │                               #   NotificationStatusQuery/Response
 │   ├── InboundApi/                 # Route.To() request messages

docs/requirements/Component-ConfigurationDatabase.md

@@ -60,6 +60,9 @@ The configuration database stores all central system data, organized by domain a
 ### Site Calls
 - **SiteCalls**: The central audit table for cached site calls — `ExternalSystem.CachedCall()` and `Database.CachedWrite()` — owned by the Site Call Audit component and a sibling of the `Notifications` table. One row per cached operation. Columns: `TrackedOperationId` (GUID, primary key — generated site-side at call time, used as the idempotency key), `SourceSite`, `Kind` (a `TrackedOperationKind` enum stored with values `ExternalCall` / `DatabaseWrite`), `TargetSummary` (external system + method for an `ExternalCall`, database connection name for a `DatabaseWrite`), `Status` (a `TrackedOperationStatus` enum stored with values `Pending`, `Retrying`, `Delivered`, `Parked`, `Failed`, `Discarded`), `RetryCount`, `LastError`, `Provenance` (source instance / script), `CreatedAtUtc`, `UpdatedAtUtc`, `TerminalAtUtc`. The table is populated **only** by Site Call Audit telemetry and reconciliation pulls — sites are the source of truth and the row is an eventually-consistent mirror, never written by a central dispatcher. Ingestion is **insert-if-not-exists** keyed on `TrackedOperationId`, then **upsert-on-newer-status**; the lifecycle is monotonic, so at-least-once and out-of-order telemetry are harmless. Indexed on `Status` and `SourceSite` for KPI computation and the Central UI query page. Terminal rows are removed by a daily purge job — see Scheduled Maintenance below. See Component-SiteCallAudit.md for the full lifecycle.
 
+### Audit Log
+- **AuditLog**: The central, append-only audit table owned by the Audit Log component — one row per script-trust-boundary lifecycle event across all channels (outbound API calls, outbound DB writes/reads, notifications, and inbound API requests). Sibling of the `Notifications` and `SiteCalls` tables but distinct: `AuditLog` is the immutable history that observes the other subsystems, not an operational state store. Columns: `EventId` (`uniqueidentifier` primary key — generated at the originator, used as the idempotency key), `OccurredAtUtc` (`datetime2`), `IngestedAtUtc` (`datetime2`), `Channel` (`varchar(32)` — `ApiOutbound` / `DbOutbound` / `Notification` / `ApiInbound`), `Kind` (`varchar(32)` — channel-specific event kind), `CorrelationId` (`uniqueidentifier` NULL — `TrackedOperationId` for cached calls, `NotificationId` for notifications, request-id for inbound API), `SourceSiteId` (`varchar(64)` NULL), `SourceInstanceId` (`varchar(128)` NULL), `SourceScript` (`varchar(128)` NULL), `Actor` (`varchar(128)` NULL), `Target` (`varchar(256)` NULL), `Status` (`varchar(32)` — outcome of *this event*: `Success`, `TransientFailure`, `PermanentFailure`, `Enqueued`, `Retrying`, `Delivered`, `Parked`, `Discarded`), `HttpStatus` (`int` NULL), `DurationMs` (`int` NULL), `ErrorMessage` (`nvarchar(1024)` NULL), `ErrorDetail` (`nvarchar(max)` NULL), `RequestSummary` (`nvarchar(max)` NULL — truncated request payload, headers redacted), `ResponseSummary` (`nvarchar(max)` NULL — truncated response payload), `PayloadTruncated` (`bit`), `Extra` (`nvarchar(max)` NULL — channel-specific JSON for fields not promoted to columns). Indexes: `IX_AuditLog_OccurredAtUtc` (primary time-range index for global scans), `IX_AuditLog_Site_Occurred (SourceSiteId, OccurredAtUtc)` (per-site filters), `IX_AuditLog_Correlation (CorrelationId)` (drilldown from a single operation), `IX_AuditLog_Channel_Status_Occurred (Channel, Status, OccurredAtUtc)` (KPI / dashboard tiles), and `IX_AuditLog_Target_Occurred (Target, OccurredAtUtc)` ("what did we send to system X"). The primary key on `EventId` enforces idempotency — central ingest is `INSERT … WHERE NOT EXISTS`, so at-least-once telemetry and reconciliation retries collapse to a single row. **Monthly partitioning** on `OccurredAtUtc` from day one via partition function `pf_AuditLog_Month` and partition scheme `ps_AuditLog_Month`, with a filegroup-per-month rollover so that retention purge is a partition switch rather than a row-level delete. The partition-maintenance job that rolls the scheme forward and switches expired partitions is owned by the Audit Log component, not this component. The table is populated only by Audit Log writers (site telemetry, central direct-write, reconciliation pulls); central ingest is **insert-if-not-exists** keyed on `EventId`. See Component-AuditLog.md for the full lifecycle, payload-capture policy, and ingestion paths.
+
 ### Inbound API
 - **API Keys**: Key definitions (name/label, key value, enabled flag).
 - **API Methods**: Method definitions (name, approved key references, parameter definitions, return value definitions, implementation script, timeout).
@@ -215,7 +218,7 @@ Since only the after-state is stored, change history for an entity is reconstruc
 
 ### Query Capabilities
 
-The Central UI audit log viewer can filter by:
+The Central UI Configuration Audit Log Viewer (distinct from the operational Audit Log page in #23) can filter by:
 - **User**: Who made the change.
 - **Entity type**: What kind of entity was changed.
 - **Action type**: What kind of operation was performed.
@@ -226,6 +229,17 @@ Results are returned in reverse chronological order (most recent first) with pag
 
 ---
 
+## Database Roles
+
+The configuration database defines dedicated SQL Server roles for the append-only `AuditLog` table so that the application can never accidentally mutate audit history:
+
+- **`scadalink_audit_writer`** — the role used by application code that ingests audit events (the `AuditLogIngestActor`, central direct-write paths, and the Notification Outbox dispatcher). Granted `INSERT` and `SELECT` on `AuditLog` only — explicitly **no** `UPDATE` and **no** `DELETE`. Audit ingest is `INSERT … WHERE NOT EXISTS` keyed on `EventId`, which this grant set fully supports.
+- **`scadalink_audit_purger`** — the role used by the `AuditLogPurgeActor`. Granted only the permissions required to execute the monthly partition-switch operation (switch out a partition to a staging table and drop the staging table). Row-level `DELETE` on `AuditLog` is **not** granted even to the purge role; retention is a partition switch, never a row-by-row delete.
+
+A CI grep guard fails the build on any occurrence of `UPDATE … AuditLog` or `DELETE … AuditLog` in the data-access layer source, backstopping the DB-grant enforcement at code-review time. See Component-AuditLog.md (Security & Tamper-Evidence) for the full enforcement contract.
+
+---
+
 ## Migration Management
 
 ### Entity Framework Core Migrations
@@ -233,6 +247,7 @@ Results are returned in reverse chronological order (most recent first) with pag
 - Schema changes are managed via EF Core Migrations (`dotnet ef migrations add`, `dotnet ef migrations script`).
 - Each migration is a versioned, incremental schema change.
 - New tables are introduced as their own migration — for example, the `Notifications` table for the Notification Outbox ships as a dedicated EF Core migration that creates the table, its `Type`/`Status` value conversions, and its dispatcher and KPI indexes.
+- The initial `AuditLog` migration creates the monthly partition function `pf_AuditLog_Month` and partition scheme `ps_AuditLog_Month`, then creates the `AuditLog` table aligned to that scheme on `OccurredAtUtc`, along with the indexes listed under Database Schema. The migration also creates the `scadalink_audit_writer` and `scadalink_audit_purger` DB roles with the grants described in Database Roles. The ongoing **partition-maintenance job** that rolls the scheme forward each month (creating the next month's partition ahead of time) and switches out expired partitions is owned by the **Audit Log component** (`AuditLogPurgeActor` and its monthly roll-forward step), not by the Configuration Database component — this component is responsible only for the initial schema, roles, and any EF migrations against the table going forward.
 
 ### Development Environment
 - Migrations are **auto-applied** at application startup using `dbContext.Database.MigrateAsync()`.
@@ -282,6 +297,10 @@ The `Notifications` table grows one row per notification and is never trimmed by
 
 The `SiteCalls` table grows one row per cached site call and is never trimmed by normal operation. To bound table growth while preserving a strong audit trail, a **daily purge job** deletes terminal rows (`Delivered`, `Failed`, `Discarded`) older than a configurable retention window (default 365 days). Non-terminal rows (`Pending`, `Retrying`, `Parked`) are never purged. The purge is a bulk `DELETE`; it is owned and scheduled by the Site Call Audit component (see Component-SiteCallAudit.md), which supplies the retention window. The Configuration Database component provides only the repository operation and the table.
 
+### AuditLog Table Purge
+
+The `AuditLog` table is append-only and grows by every script-trust-boundary event across all channels. Unlike `Notifications` and `SiteCalls`, purge is **never a row-level `DELETE`** — it is a **monthly partition switch** against the `ps_AuditLog_Month` scheme. A daily job switches out any partition whose latest `OccurredAtUtc` is older than the global retention window (default 365 days, configurable via the `AuditLog:RetentionDays` Audit Log option — single global value in v1, no per-channel overrides) and drops the resulting staging table. The job is owned and scheduled by the Audit Log component (`AuditLogPurgeActor` — see Component-AuditLog.md), which is also the consumer of the `AuditLog:RetentionDays` option. The Configuration Database component contributes only the table, the partition function/scheme, the indexes, and the DB roles that constrain the purge to a partition switch.
+
 ---
 
 ## Connection Management
@@ -310,6 +329,6 @@ The `SiteCalls` table grows one row per cached site call and is never trimmed by
 - **Notification Service**: Uses `INotificationRepository` for notification lists and SMTP configuration.
 - **Notification Outbox**: Uses `INotificationOutboxRepository` for all access to the `Notifications` table — ingest, dispatch polling, status updates, KPI queries, and the daily purge of terminal rows.
 - **Site Call Audit**: Uses `ISiteCallAuditRepository` for all access to the `SiteCalls` table — telemetry/reconciliation ingest, KPI queries, and the daily purge of terminal rows.
-- **Central UI**: Uses `ICentralUiRepository` for read-oriented queries across domain areas, including audit log queries for the audit log viewer.
+- **Central UI**: Uses `ICentralUiRepository` for read-oriented queries across domain areas, including config-audit queries for the Configuration Audit Log Viewer (the operational Audit Log page is owned by #23).
 - **All central components that modify state**: Call `IAuditService.LogAsync()` after successful operations to record audit entries within the same transaction.
 - **Host**: Provides database connection configuration. Registers DbContext, repository implementations, and `IAuditService` implementation in the DI container. Triggers auto-migration in development or validates schema version in production.

docs/requirements/Component-ExternalSystemGateway.md

@@ -57,6 +57,7 @@ Each database connection definition includes:
 - Script calls `Database.Connection("name")` and receives a raw ADO.NET `SqlConnection`.
 - Full control: queries, updates, transactions, stored procedures.
 - Failures are immediate — no buffering.
+- **Audit emission**: script-initiated `Execute`/`ExecuteScalar` calls emit `DbOutbound.SyncWrite` rows; `ExecuteReader` emits `DbOutbound.SyncRead`. SQL parameter values are captured by default; per-connection redaction opt-in via the Audit Log configuration (see [Component-AuditLog.md](Component-AuditLog.md), Payload Capture Policy). Audit-write failure never aborts the script.
 
 ### Cached Write (Store-and-Forward)
 - Script calls `Database.CachedWrite("name", "sql", parameters)`. This is **deferred delivery**: the call returns a `TrackedOperationId` tracking handle immediately rather than the write result.
@@ -64,6 +65,7 @@ Each database connection definition includes:
 - The write is attempted immediately. On immediate success it is recorded as a terminal `Delivered` tracking record. On **transient failure** (database unavailable) it is buffered (`Pending`/`Retrying`) and retried per the connection's retry settings by the Store-and-Forward Engine.
 - On **permanent failure** (e.g. a SQL syntax or constraint error — a request that will never succeed), the error is returned **synchronously** to the calling script and the write is **not** buffered. The call is also recorded as a terminal `Failed` tracking record capturing the error.
 - Cached-write status is observable to scripts via `Tracking.Status(id)` (answered site-locally and authoritatively) and centrally via the Site Call Audit component.
+- **Audit emission**: each lifecycle transition (`CachedEnqueued`, `CachedAttempt`, `CachedTerminal`) emits an audit row via the combined cached-operation telemetry packet — one packet carries both the audit row and the SiteCalls upsert (see [Component-AuditLog.md](Component-AuditLog.md), Cached Operations — Combined Telemetry, and [Component-SiteCallAudit.md](Component-SiteCallAudit.md)). Audit-write failure never aborts the script.
 
 ## Invocation Protocol
 
@@ -83,6 +85,7 @@ Scripts choose between two call modes per invocation, mirroring the dual-mode da
 - The HTTP request is executed immediately. The script blocks until the response is received or the timeout elapses.
 - **All failures** (transient and permanent) return an error to the calling script. No store-and-forward buffering.
 - Use for request/response interactions where the script needs the result (e.g., fetching a recipe, querying inventory).
+- **Audit emission**: emits an `ApiOutbound.SyncCall` row to `IAuditWriter` at call completion (success or failure). Payload captured per the Audit Log policy (see [Component-AuditLog.md](Component-AuditLog.md), Payload Capture Policy). Audit-write failure never aborts the script.
 
 ### Cached (Store-and-Forward)
 - Script calls `ExternalSystem.CachedCall("systemName", "methodName", params)`. This is **deferred delivery**: the call returns a `TrackedOperationId` tracking handle immediately rather than the response body.
@@ -90,6 +93,7 @@ Scripts choose between two call modes per invocation, mirroring the dual-mode da
 - On **transient failure** (connection refused, timeout, HTTP 5xx), the call is routed to the Store-and-Forward Engine for retry per the system's retry settings. The script does **not** block — the call is buffered (`Pending`/`Retrying`) and the script continues.
 - On **permanent failure** (HTTP 4xx), the error is returned **synchronously** to the calling script. No retry — the request itself is wrong. The call is also recorded as a terminal `Failed` tracking record capturing the error.
 - Cached-call status is observable to scripts via `Tracking.Status(id)` (answered site-locally and authoritatively) and centrally via the Site Call Audit component.
+- **Audit emission**: each lifecycle transition (`CachedEnqueued`, `CachedAttempt`, `CachedTerminal`) emits an audit row via the combined cached-operation telemetry packet — one packet carries both the audit row and the SiteCalls upsert (see [Component-AuditLog.md](Component-AuditLog.md), Cached Operations — Combined Telemetry, and [Component-SiteCallAudit.md](Component-SiteCallAudit.md)). Audit-write failure never aborts the script.
 - Use for outbound data pushes where deferred delivery is acceptable (e.g., posting production data, sending quality reports).
 
 ## Call Timeout & Error Handling

docs/requirements/Component-HealthMonitoring.md

@@ -34,6 +34,11 @@ Site clusters (metric collection and reporting). Central cluster (aggregation an
 | Notification Outbox queue depth | Notification Outbox (central) | Count of `Pending` + `Retrying` notifications — central-computed, not site-reported |
 | Notification Outbox stuck count | Notification Outbox (central) | Count of `Pending` / `Retrying` notifications older than the configurable stuck-age threshold — central-computed, not site-reported |
 | Notification Outbox parked count | Notification Outbox (central) | Count of `Parked` notifications — central-computed, not site-reported |
+| `SiteAuditBacklog` | Audit Log (site) | Count of `Pending` rows in the site-local `AuditLog` plus oldest-pending-age plus on-disk bytes. A configurable threshold drives a Health dashboard warning on the affected site tile. |
+| `SiteAuditWriteFailures` | Audit Log (site) | Count of failed hot-path audit appends at the site since the last health report. |
+| `SiteAuditTelemetryStalled` | Audit Log (site) | Boolean flag set when reconciliation reports a non-draining site-local audit backlog over two consecutive cycles. |
+| `CentralAuditWriteFailures` | Audit Log (central) | Count of central direct-write audit failures (Inbound API middleware, Notification Outbox dispatcher, and any other central direct writers) since the last interval. |
+| `AuditRedactionFailure` | Audit Log (central) | Count of payload redactor errors (over-redacted payloads, safety-net hit) since the last interval. |
 
 ## Reporting Protocol
 
@@ -76,6 +81,16 @@ The Site Call Audit is a **central** component, so its KPIs — like the Notific
 
 Unlike the Notification Outbox, the Site Call Audit is **not a dispatcher** — cached calls are delivered by each site's Store-and-Forward Engine, and the `SiteCalls` table is an eventually-consistent central mirror of site-owned status.
 
+## Audit Log KPIs
+
+The Audit Log spans both sites (hot-path append + telemetry forward) and central (direct-write + ingest + redaction). Its operational health surfaces as three new dashboard tiles grouped under **Audit**:
+
+- **Audit volume** — events/min landing in the central `AuditLog` table, shown global plus per-site sparkline; sourced from the Audit Log component on the active central node.
+- **Audit error rate** — percent of central `AuditLog` rows with `Status` other than `Success` / `Delivered` / `Enqueued` over a rolling 5-minute window. This is the operational error rate of audited operations (HTTP 5xx, transient failures, parked deliveries, etc.) — NOT the audit writer's own health. Audit-writer issues surface separately via `CentralAuditWriteFailures` and `AuditRedactionFailure`.
+- **Audit backlog** — global aggregate of `SiteAuditBacklog` across reporting sites (count of `Pending` site-local audit rows, oldest pending age, on-disk bytes); click drills into a per-site breakdown. The per-site tile surfaces a warning badge when its `SiteAuditBacklog` crosses the configurable threshold or when `SiteAuditTelemetryStalled` is set.
+
+These tiles are **point-in-time** like the Notification Outbox and Site Call Audit KPI tiles — no time-series store; consistent with Health Monitoring's "current status only" philosophy. The site-scoped `SiteAuditBacklog` / `SiteAuditWriteFailures` / `SiteAuditTelemetryStalled` metrics arrive in the existing site health report; the central-scoped `CentralAuditWriteFailures` / `AuditRedactionFailure` metrics are central-computed alongside the existing central KPIs.
+
 ## Central Storage
 
 - Health metrics are held **in memory** at the central cluster for display in the UI.
@@ -97,6 +112,7 @@ Unlike the Notification Outbox, the Site Call Audit is **not a dispatcher** —
 - **Cluster Infrastructure (site)**: Provides node role status.
 - **Notification Outbox (central)**: Provides central-computed outbox KPIs — queue depth, stuck count, parked count — for the headline dashboard tiles.
 - **Site Call Audit (central)**: Provides central-computed cached-call KPIs — buffered count, parked count, failed/delivered (last interval), oldest pending age, stuck count — for the headline dashboard tiles.
+- **Audit Log (#23)**: Provides the site-reported `SiteAuditBacklog` / `SiteAuditWriteFailures` / `SiteAuditTelemetryStalled` metrics (via the site health report) and the central-computed `CentralAuditWriteFailures` / `AuditRedactionFailure` metrics, plus the central audit-row rate feeding the **Audit** dashboard tile group (Audit volume, Audit error rate, Audit backlog).
 
 ## Interactions
 

docs/requirements/Component-Host.md

@@ -178,6 +178,7 @@ The Host's `Program.cs` calls these extension methods; the component libraries o
 | Communication | Yes | Yes | Yes | Yes | No |
 | HealthMonitoring | Yes | Yes | Yes | Yes | No |
 | ExternalSystemGateway | Yes | Yes | Yes | Yes | No |
+| AuditLog | Yes | Yes | Yes | Yes | No |
 | NotificationService | Yes | No | Yes | Yes | No |
 | NotificationOutbox | Yes | No | Yes | Yes | No |
 | SiteCallAudit | Yes | No | Yes | Yes | No |
@@ -197,7 +198,7 @@ The Host's `Program.cs` calls these extension methods; the component libraries o
 
 ## Dependencies
 
-- **All 18 component libraries**: The Host references every component project to call their extension methods (excludes CLI, which is a separate executable).
+- **All 19 component libraries**: The Host references every component project to call their extension methods (excludes CLI, which is a separate executable). Audit Log (#23) ships its central+site code in `ScadaLink.AuditLog`; the Host calls `AddAuditLog()` on both roles, M2+ will add `AddAuditLogActors()`.
 - **Akka.Hosting**: For `AddAkka()` and the hosting configuration builder.
 - **Akka.Remote.Hosting, Akka.Cluster.Hosting**: For Akka subsystem configuration. (No Akka.Persistence plugin — see the Persistence note under REQ-HOST-6.)
 - **Serilog.AspNetCore**: For structured logging integration.

docs/requirements/Component-InboundAPI.md

@@ -116,8 +116,9 @@ API method scripts are compiled at central startup — all method definitions ar
 
 ## API Call Logging
 
-- **Only failures are logged.** Script execution errors (500 responses) are logged centrally.
-- Successful API calls are **not** logged — the audit log is reserved for configuration changes, not operational traffic.
+- **Every request — success or failure — emits one `ApiInbound.Completed` row** to `ICentralAuditWriter` from request middleware before the HTTP response is flushed. The row captures the API key **name** (never the key material), remote IP, user-agent, response status, duration, and truncated request/response bodies per the Audit Log capture policy (see Component-AuditLog.md, Payload Capture Policy). This supersedes the earlier failures-only stance: operational API traffic is now part of the centralized audit log, so configuration changes and call activity share a single retention/query surface.
+- Script execution errors (500 responses) remain captured on the same `ApiInbound.Completed` row (response status + error fields) rather than emitting a separate failure-only event.
+- **Fail-soft semantics.** The audit write is synchronous (inline before the response is flushed), but failures are caught: a write that throws is logged and increments `CentralAuditWriteFailures` (see Health Monitoring #11) and the request still returns its normal HTTP response. A failed audit append never turns a successful API call into an error returned to the caller.
 - No rate limiting — this is a private API in a controlled industrial environment with a known set of callers. Misbehaving callers are handled operationally (disable the API key).
 
 ## Request Flow
@@ -197,7 +198,8 @@ Inbound API scripts **cannot** call shared scripts directly — shared scripts a
 - **Configuration Database (MS SQL)**: Stores API keys and method definitions.
 - **Communication Layer**: Routes requests to sites when method implementations need site data.
 - **Security & Auth**: API key validation (separate from LDAP/AD — API uses key-based auth).
-- **Configuration Database (via IAuditService)**: All API key and method definition changes are audit logged. Optionally, API call activity can be logged.
+- **Configuration Database (via IAuditService)**: All API key and method definition changes are audit logged.
+- **Audit Log (#23)**: Every inbound API request emits an `ApiInbound.Completed` row via `ICentralAuditWriter` from request middleware (non-blocking for the HTTP response). Payload truncation/redaction follows the Audit Log Payload Capture Policy.
 - **Cluster Infrastructure**: API is hosted on the active central node and fails over with it.
 
 ## Interactions

docs/requirements/Component-NotificationOutbox.md

@@ -106,6 +106,12 @@ The dispatcher loop runs on a fixed interval. On each tick the `NotificationOutb
    - **transient failure** → `Retrying`, increment `RetryCount`, set `NextAttemptAt`, record `LastError`; once retries are exhausted → `Parked`.
    - **permanent failure** → `Parked`, record `LastError`.
 
+Each delivery attempt also writes a `Notification.Attempt` row to the central `AuditLog` via `ICentralAuditWriter`; a transition to a terminal status (`Delivered` / `Parked` / `Discarded`) writes a `Notification.Terminal` row. Audit writes are **direct** (no telemetry — the dispatcher runs at central), insert-if-not-exists on `EventId`. The site-emitted `Notification.Enqueued` row arrives separately via the standard audit telemetry channel from the site's SQLite write-buffer, so the full per-notification audit trail is `Enqueued` (site-originated) → `Attempt` × N (central direct-write) → `Terminal` (central direct-write). See [Component-AuditLog.md](Component-AuditLog.md), Central direct-write (central-originated events).
+
+The operational `Notifications` table remains the **source of truth** for the dispatcher and for Retry/Discard actions; the `AuditLog` rows are immutable shadows. Operator Retry/Discard still mutates only the `Notifications` row, and each transition emits the corresponding `Notification.Attempt` / `Notification.Terminal` audit row.
+
+**Audit-write failure never affects delivery.** If the `ICentralAuditWriter` direct-write fails (transient DB error, schema lock, etc.) the dispatcher logs the failure and increments the `CentralAuditWriteFailures` health metric (see Health Monitoring #11), but the delivery attempt's outcome on the `Notifications` row stands. The audit row is recovered by re-emission on the next dispatcher tick or by the on-startup reconciliation sweep; central never aborts a notification because audit failed.
+
 ## Delivery Adapters
 
 A delivery adapter implementing `INotificationDeliveryAdapter` is registered per `Type`. Each `Deliver(...)` call returns one of `success | transient failure | permanent failure`, mirroring the External System Gateway error-classification pattern.
@@ -157,6 +163,7 @@ Delivery max-retry-count and retry interval are not part of `NotificationOutboxO
 - **Notification Service**: Provides notification-list and SMTP definitions, and the per-type delivery adapters the outbox invokes.
 - **Configuration Database**: Hosts the `Notifications` table; provides the entity POCO, repository, and EF migration for outbox persistence.
 - **Central–Site Communication**: Carries inbound notification submissions and acks between sites and central.
+- **Audit Log (#23)**: The dispatcher direct-writes `Notification.Attempt` and `Notification.Terminal` rows to the central `AuditLog` via `ICentralAuditWriter` (insert-if-not-exists on `EventId`); the site-emitted `Notification.Enqueued` row arrives via the standard audit telemetry channel. See [Component-AuditLog.md](Component-AuditLog.md), Central direct-write (central-originated events).
 - **Health Monitoring**: Consumes the outbox KPIs as central-computed headline metrics.
 - **Central UI**: Hosts the Notification Outbox page.
 

docs/requirements/Component-SiteCallAudit.md

@@ -73,6 +73,14 @@ then **upsert-on-newer-status**. The lifecycle is monotonic, so status only
 advances and never regresses; at-least-once and out-of-order telemetry are
 therefore harmless.
 
+From v1.x onward, the `CachedCallTelemetry` message additively carries the
+`AuditEvent` content alongside the existing operational fields. Central's
+`AuditLogIngestActor` (Audit Log #23) performs both the immutable `AuditLog`
+insert and the `SiteCalls` upsert in a single transaction. Idempotency keys
+remain `EventId` (for `AuditLog`) and `TrackedOperationId` (for `SiteCalls`).
+See [Component-AuditLog.md](Component-AuditLog.md), Cached Operations —
+Combined Telemetry, for the dual-write contract.
+
 ## Reconciliation
 
 Because telemetry is best-effort, `SiteCallAuditActor` periodically — and on site
@@ -119,6 +127,12 @@ configurable window (default 365 days), matching the `Notifications` purge.
   responses; sends Retry/Discard commands.
 - **Store-and-Forward Engine**: the site-side origin of cached-call telemetry and
   the executor of relayed Retry/Discard commands.
+- **Audit Log (#23)**: shares the `CachedCallTelemetry` packet — each lifecycle
+  transition (`CachedEnqueued`, `CachedAttempt`, `CachedTerminal`) carries an
+  `AuditEvent` alongside the operational fields, and central's
+  `AuditLogIngestActor` performs the `AuditLog` insert and the `SiteCalls`
+  upsert in a single transaction (see [Component-AuditLog.md](Component-AuditLog.md),
+  Cached Operations — Combined Telemetry).
 - **Commons**: `TrackedOperationId`, status enum, telemetry message contracts.
 
 ## Interactions

docs/requirements/Component-SiteRuntime.md

@@ -294,6 +294,10 @@ Scripts execute **in-process** with constrained access. The following restrictio
 
 These constraints are enforced by restricting the set of assemblies and namespaces available to the script compilation context.
 
+### Script Trust Boundary Auditing
+
+Every script-trust-boundary call (External System Gateway, Database layer, Notify) emits an `AuditEvent` to `IAuditWriter` (site-local SQLite append). Hot path; never fails the calling action; failures logged via the `SiteAuditWriteFailures` health metric (see [Component-HealthMonitoring.md](Component-HealthMonitoring.md)). The central audit mirror and event schema live in [Component-AuditLog.md](Component-AuditLog.md).
+
 ## Script Scoping Rules
 
 - Scripts can only read/write attributes on **their own instance** (via the parent Instance Actor).
@@ -363,7 +367,7 @@ Per Akka.NET best practices, internal actor communication uses **Tell** (fire-an
 - **Communication Layer**: Receives deployments and lifecycle commands from central. Handles debug view requests. Reports deployment results.
 - **Site Event Logging**: Records script executions, alarm events, deployment events, instance lifecycle events.
 - **Health Monitoring**: Reports script error rates and alarm evaluation error rates.
-- **Local SQLite**: Persists deployed configurations, system-wide artifacts (external system definitions, database connection definitions, data connection definitions).
+- **Local SQLite**: Persists deployed configurations, system-wide artifacts (external system definitions, database connection definitions, data connection definitions). Sites also maintain peer SQLite stores for the Store-and-Forward buffer, the site event log, the operation tracking table, and the site-local `AuditLog` (see [Component-AuditLog.md](Component-AuditLog.md)). The `AuditLog` file is purged on the same daily cadence as the others but respects the hard `ForwardState` invariant — rows still `Pending` forward are never purged, regardless of age.
 
 ## Interactions
 

docs/requirements/HighLevelReqs.md

@@ -440,6 +440,25 @@ All system-modifying actions are logged, including:
 ### 10.4 Transactional Guarantee
 - Audit entries are written **synchronously** within the same database transaction as the change (via the unit-of-work pattern). If the change succeeds, the audit entry is guaranteed to be recorded. If the change rolls back, the audit entry rolls back too.
 
+### 10.5 Centralized Audit Log (Script Trust Boundary)
+
+*See [Component-AuditLog.md](Component-AuditLog.md) (#23) for the full component design.*
+
+Sections 10.1–10.4 cover **configuration-database audit** (config-mutating user actions via `IAuditService`). This subsection defines the separate **runtime Audit Log** that captures every action crossing the **script trust boundary** at sites and central:
+
+- **AL-1**: The system maintains an **append-only** central Audit Log recording every script-trust-boundary action — outbound external system calls (sync `Call` and `CachedCall`), outbound database operations (sync `Connection` access and `CachedWrite`), notifications, and inbound API method invocations.
+- **AL-2**: For cached calls and notifications, the Audit Log captures **one row per lifecycle event** (e.g., enqueued, retrying, delivered, parked, discarded), not a single mutable row per operation.
+- **AL-3**: Site-originated events are appended to a **site-local SQLite hot-path** synchronously with the action, then **forwarded to central via gRPC telemetry**; central ingest is **idempotent on `EventId`** (insert-if-not-exists; the `AuditLog` table is strictly append-only, so rows are never updated after insert).
+- **AL-4**: A periodic **central→site reconciliation pull** detects and replays any telemetry events that were missed (e.g., during a central outage), making the central Audit Log eventually consistent with sites.
+- **AL-5**: Each row captures **payload metadata** (target, method, status, timings, correlation IDs) plus a **truncated request/response body** — **8 KB default**, expanded to **64 KB on error** outcomes.
+- **AL-6**: **HTTP headers are redacted by default**; **SQL parameter values are captured by default**. Per-target **redaction opt-in** is configurable on external systems, database connections, and inbound API methods.
+- **AL-7**: A failure to write or forward an audit row **never aborts the user-facing action** — the hot-path action proceeds and the audit record is recovered via the local hot-path buffer plus reconciliation.
+- **AL-8**: Central retention defaults to **365 days**, enforced by a **monthly partition switch-and-drop** purge — no row-by-row delete.
+- **AL-9**: The site SQLite Audit Log is purged only when `ForwardState ∈ {Forwarded, Reconciled}` — i.e., a row must be either confirmed-forwarded *or* confirmed-reconciled before it can be removed. A central outage therefore **cannot cause audit loss at sites**.
+- **AL-10**: The Central UI exposes an **Audit Log page** with a cross-channel filter (by site, target, status, time range, correlation ID), plus **drill-ins from existing operational pages** (Site Calls, Notification Outbox, Inbound API).
+- **AL-11**: Append-only semantics are **enforced via DB roles** (no UPDATE/DELETE granted on the `AuditLog` table to application accounts); a **tamper-evidence hash chain is deferred to v1.x**.
+- **AL-12**: The CLI provides a `scadalink audit` command group for query, export, and hash-chain verification (verify-chain becomes operational once AL-11's hash chain ships) against the central Audit Log.
+
 ## 11. Health Monitoring
 
 ### 11.1 Monitored Metrics

infra/mssql/seed-config.sql

@@ -183,8 +183,9 @@ INSERT INTO [DataConnections] ([Id], [Name], [Protocol], [PrimaryConfiguration],
 SET IDENTITY_INSERT [DataConnections] OFF;
 
 -- ExternalSystemDefinitions (1 rows)
+-- NOTE: [AuthConfiguration] is an encrypted secret column — dumped as NULL. Restore via the app (CLI/API) post-seed.
 SET IDENTITY_INSERT [ExternalSystemDefinitions] ON;
-INSERT INTO [ExternalSystemDefinitions] ([Id], [Name], [EndpointUrl], [AuthType], [AuthConfiguration], [MaxRetries], [RetryDelay]) VALUES (1, N'Test REST API', N'http://scadalink-restapi:5200', N'ApiKey', N'scadalink-test-key-1', 0, '00:00:00.000000');
+INSERT INTO [ExternalSystemDefinitions] ([Id], [Name], [EndpointUrl], [AuthType], [AuthConfiguration], [MaxRetries], [RetryDelay]) VALUES (1, N'Test REST API', N'http://scadalink-restapi:5200', N'ApiKey', NULL, 0, '00:00:00.000000');
 SET IDENTITY_INSERT [ExternalSystemDefinitions] OFF;
 
 -- ExternalSystemMethods (1 rows)

infra/reseed.sh

@@ -114,6 +114,34 @@ docker exec -i scadalink-mssql /opt/mssql-tools18/bin/sqlcmd \
     -S localhost -U sa -P 'ScadaLink_Dev1#' -C -d ScadaLinkConfig -b < "$SEED_FILE"
 echo "  Seed replayed."
 
+echo ""
+echo "--- Stage 6d/6: restore encrypted secret config (CLI) ---"
+# Configuration that lives in encrypted secret columns cannot be replayed from
+# raw SQL: ASP.NET Data Protection ciphertext is non-deterministic and bound to
+# the source key ring. Create/restore it through the app so the EF value
+# converter encrypts against this cluster's key ring.
+CLI="dotnet run --project $PROJECT_ROOT/src/ScadaLink.CLI --"
+AUTH="--username multi-role --password password"
+
+# ExternalSystemDefinitions Id 1 ("Test REST API") is inserted by the seed with
+# a fixed identity but a NULL AuthConfiguration; set the API key here.
+$CLI --url "$MGMT_URL" $AUTH external-system update \
+    --id 1 \
+    --name "Test REST API" \
+    --endpoint-url "http://scadalink-restapi:5200" \
+    --auth-type ApiKey \
+    --auth-config "scadalink-test-key-1"
+echo "  External-system auth config restored (encrypted)."
+
+# The "Machine Data DB" database connection is referenced by name from the
+# seeded TestDatabaseQuery script. It is not in seed-config.sql (its
+# ConnectionString is an encrypted secret column); create it through the app.
+$CLI --url "$MGMT_URL" $AUTH db-connection create \
+    --name "Machine Data DB" \
+    --connection-string "Server=scadalink-mssql,1433;Database=ScadaLinkMachineData;User Id=scadalink_app;Password=ScadaLink_Dev1#;TrustServerCertificate=true" \
+|| echo "  (Machine Data DB connection may already exist)"
+echo "  Database connection created (encrypted)."
+
 echo ""
 echo "=== Reseed complete ==="
 echo ""

infra/tools/dump_seed.py

@@ -13,6 +13,12 @@ Excluded by design (per-environment, not design-time): Sites (seeded via
 seed-sites.sh), Instances + InstanceConnectionBindings + InstanceOverrides,
 NotificationLists/Recipients, SmtpConfigurations, ApiKeys, Areas,
 SiteScopeRules, LdapGroupMappings, DataProtectionKeys, audit, deployment.
+
+Encrypted secret columns (see ENCRYPTED_COLUMNS) are emitted as NULL: they
+hold ASP.NET Data Protection ciphertext, which is non-deterministic and bound
+to the source key ring, so a raw SQL dump can never replay a valid value.
+Re-populate them through the application after the seed runs (infra/reseed.sh
+does this via the ScadaLink CLI).
 """
 
 import argparse
@@ -45,6 +51,18 @@ INSERT_ORDER = [
 # the column list. All listed tables happen to use Id as their identity.
 IDENTITY_TABLES = set(INSERT_ORDER)
 
+# (table, column) pairs encrypted at rest via ASP.NET Data Protection
+# (EncryptedStringConverter in ScadaLink.ConfigurationDatabase). Ciphertext is
+# non-deterministic and key-ring-bound, so it cannot be replayed from a static
+# SQL dump — the application would fail to decrypt it on read. These columns
+# are dumped as NULL; re-seed their values through the app (CLI / API) so the
+# value converter encrypts them against the target key ring.
+ENCRYPTED_COLUMNS = {
+    ("ExternalSystemDefinitions", "AuthConfiguration"),
+    ("SmtpConfigurations", "Credentials"),
+    ("DatabaseConnectionDefinitions", "ConnectionString"),
+}
+
 # Templates has self-FK Templates.ParentTemplateId; emit a single batch that
 # inserts shallow rows first then deeper ones. pymssql returns rows in Id order
 # from our ORDER BY, which matches insertion order for this schema (parent Id
@@ -175,6 +193,16 @@ def dump(args):
         rows = cursor.fetchall()
 
         out.append("-- " + table + " (" + str(len(rows)) + " rows)")
+
+        # Columns encrypted at rest cannot be dumped verbatim; emit NULL and
+        # note it so the secret value is restored through the app afterwards.
+        nulled = [c for c in columns if (table, c) in ENCRYPTED_COLUMNS]
+        for c in nulled:
+            out.append(
+                "-- NOTE: [{}] is an encrypted secret column — dumped as NULL. "
+                "Restore via the app (CLI/API) post-seed.".format(c)
+            )
+
         if not rows:
             continue
 
@@ -183,7 +211,10 @@ def dump(args):
         if identity:
             out.append("SET IDENTITY_INSERT [{}] ON;".format(table))
         for row in rows:
-            values = ", ".join(quote(v) for v in row)
+            values = ", ".join(
+                "NULL" if (table, c) in ENCRYPTED_COLUMNS else quote(v)
+                for c, v in zip(columns, row)
+            )
             out.append(
                 "INSERT INTO [{}] ({}) VALUES ({});".format(table, col_list, values)
             )

src/ScadaLink.AuditLog/Central/AuditCentralHealthSnapshot.cs

@@ -0,0 +1,80 @@
+using System.Collections.Concurrent;
+using ScadaLink.AuditLog.Payload;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Audit Log (#23) M6 Bundle E (T8, T9) — central singleton implementation of
+/// <see cref="IAuditCentralHealthSnapshot"/>. Owns thread-safe
+/// <see cref="System.Threading.Interlocked"/> counters for
+/// <c>CentralAuditWriteFailures</c> + <c>AuditRedactionFailure</c> and a
+/// per-site latched stalled-state map fed by the
+/// <see cref="SiteAuditTelemetryStalledTracker"/>. Also implements the
+/// writer surfaces (<see cref="ICentralAuditWriteFailureCounter"/> +
+/// <see cref="IAuditRedactionFailureCounter"/>) so a single concrete object
+/// is the source of truth — DI binds those two interfaces to this same
+/// singleton instance on the central composition root.
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Why one type for read + write.</b> The writer interfaces are tiny
+/// (<c>Increment()</c>) and the read surface needs visibility of those
+/// counters anyway — having a single class own both means the
+/// <c>Interlocked</c> field IS the snapshot value, no extra plumbing needed.
+/// Mirrors the
+/// <see cref="ScadaLink.HealthMonitoring.SiteHealthCollector"/> pattern where
+/// the collector both receives and exposes the metric.
+/// </para>
+/// <para>
+/// <b>Stalled-state plumbing.</b> The per-site stalled latch lives directly
+/// on this snapshot. <see cref="SiteAuditTelemetryStalledTracker"/> is the
+/// EventStream subscriber that pushes
+/// <see cref="SiteAuditTelemetryStalledChanged"/> publications in via
+/// <see cref="ApplyStalled"/>. Keeping the dictionary on this type (rather
+/// than reading the tracker on every access) lets the snapshot be constructed
+/// without an <see cref="Akka.Actor.ActorSystem"/> dependency — the tracker
+/// is wired up later from the Akka bootstrap, once the system is built.
+/// </para>
+/// </remarks>
+public sealed class AuditCentralHealthSnapshot
+    : IAuditCentralHealthSnapshot,
+      ICentralAuditWriteFailureCounter,
+      IAuditRedactionFailureCounter
+{
+    private int _centralAuditWriteFailures;
+    private int _auditRedactionFailure;
+    private readonly ConcurrentDictionary<string, bool> _stalled = new();
+
+    /// <inheritdoc/>
+    public int CentralAuditWriteFailures =>
+        Interlocked.CompareExchange(ref _centralAuditWriteFailures, 0, 0);
+
+    /// <inheritdoc/>
+    public int AuditRedactionFailure =>
+        Interlocked.CompareExchange(ref _auditRedactionFailure, 0, 0);
+
+    /// <inheritdoc/>
+    public IReadOnlyDictionary<string, bool> SiteAuditTelemetryStalled =>
+        new Dictionary<string, bool>(_stalled);
+
+    /// <summary>
+    /// Apply a <see cref="SiteAuditTelemetryStalledChanged"/> publication
+    /// observed by <see cref="SiteAuditTelemetryStalledTracker"/>. Public
+    /// so the tracker (which lives in the same assembly but is constructed
+    /// later from the Akka host) can push without a friend reference;
+    /// readers should call <see cref="SiteAuditTelemetryStalled"/>.
+    /// </summary>
+    public void ApplyStalled(SiteAuditTelemetryStalledChanged evt)
+    {
+        if (evt is null) return;
+        _stalled[evt.SiteId] = evt.Stalled;
+    }
+
+    /// <inheritdoc/>
+    void ICentralAuditWriteFailureCounter.Increment() =>
+        Interlocked.Increment(ref _centralAuditWriteFailures);
+
+    /// <inheritdoc/>
+    void IAuditRedactionFailureCounter.Increment() =>
+        Interlocked.Increment(ref _auditRedactionFailure);
+}

src/ScadaLink.AuditLog/Central/AuditLogIngestActor.cs

@@ -0,0 +1,295 @@
+using Akka.Actor;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using ScadaLink.AuditLog.Payload;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Messages.Audit;
+using ScadaLink.ConfigurationDatabase;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Central-side singleton (per Bundle E wiring) that ingests batches of
+/// <see cref="AuditEvent"/> rows pushed from sites via the
+/// <c>IngestAuditEvents</c> gRPC RPC. Each row is stamped with the central-side
+/// <see cref="AuditEvent.IngestedAtUtc"/> and inserted idempotently via
+/// <see cref="IAuditLogRepository.InsertIfNotExistsAsync"/> — duplicates are
+/// silently swallowed (first-write-wins per Bundle A's hardening).
+/// </summary>
+/// <remarks>
+/// <para>
+/// Idempotency is the contract: a row that already exists at central counts
+/// as "accepted" for the purposes of the reply, because the storage state is
+/// consistent and the site is free to flip its local row to <c>Forwarded</c>.
+/// </para>
+/// <para>
+/// Per Bundle D's brief, audit-write failures must NEVER abort the user-facing
+/// action. The actor wraps each repository call in its own try/catch so a
+/// single bad row cannot cause the rest of the batch to be lost; the actor's
+/// <see cref="SupervisorStrategy"/> uses <c>Resume</c> so a thrown exception
+/// inside <c>ReceiveAsync</c> does not restart the actor (which would also
+/// reset any in-flight state).
+/// </para>
+/// <para>
+/// Two constructors exist for a deliberate reason: Bundle D's tests inject a
+/// concrete <see cref="IAuditLogRepository"/> against a per-test MSSQL fixture
+/// (the only way to verify the IngestedAtUtc stamp + duplicate-key idempotency
+/// end to end), while Bundle E's host wiring registers the actor as a cluster
+/// singleton and must therefore resolve the repository — which is a scoped EF
+/// Core service — from a fresh DI scope per message. Mirroring the Notification
+/// Outbox actor's pattern.
+/// </para>
+/// </remarks>
+public class AuditLogIngestActor : ReceiveActor
+{
+    private readonly IServiceProvider? _serviceProvider;
+    private readonly IAuditLogRepository? _injectedRepository;
+    private readonly ILogger<AuditLogIngestActor> _logger;
+
+    /// <summary>
+    /// Test-mode constructor — injects a concrete repository instance whose
+    /// lifetime exceeds the test, so the actor reuses the same instance across
+    /// every message. Used by Bundle D's MSSQL-backed TestKit fixture.
+    /// </summary>
+    public AuditLogIngestActor(
+        IAuditLogRepository repository,
+        ILogger<AuditLogIngestActor> logger)
+    {
+        ArgumentNullException.ThrowIfNull(repository);
+        ArgumentNullException.ThrowIfNull(logger);
+
+        _injectedRepository = repository;
+        _logger = logger;
+
+        ReceiveAsync<IngestAuditEventsCommand>(OnIngestAsync);
+        // The single-repository test ctor cannot service the M3 dual-write —
+        // it has no SiteCalls repo and no DbContext. The handler still
+        // registers (so callers don't dead-letter) but replies empty so the
+        // test surface stays explicit about what this ctor supports.
+        ReceiveAsync<IngestCachedTelemetryCommand>(OnCachedTelemetryWithoutDualWriteAsync);
+    }
+
+    /// <summary>
+    /// Production constructor — resolves <see cref="IAuditLogRepository"/> from
+    /// a fresh DI scope per message because the repository is a scoped EF Core
+    /// service registered by <c>AddConfigurationDatabase</c>. The actor itself
+    /// is a long-lived cluster singleton, so it cannot hold a scope across
+    /// messages.
+    /// </summary>
+    public AuditLogIngestActor(
+        IServiceProvider serviceProvider,
+        ILogger<AuditLogIngestActor> logger)
+    {
+        ArgumentNullException.ThrowIfNull(serviceProvider);
+        ArgumentNullException.ThrowIfNull(logger);
+
+        _serviceProvider = serviceProvider;
+        _logger = logger;
+
+        ReceiveAsync<IngestAuditEventsCommand>(OnIngestAsync);
+        ReceiveAsync<IngestCachedTelemetryCommand>(OnCachedTelemetryAsync);
+    }
+
+    /// <summary>
+    /// Audit-write failures are best-effort by design (see alog.md §13): a
+    /// thrown exception in the ingest pipeline must not crash the actor.
+    /// Resume keeps the actor's state intact so the next batch is processed
+    /// against the same repository instance.
+    /// </summary>
+    protected override SupervisorStrategy SupervisorStrategy()
+    {
+        return new OneForOneStrategy(maxNrOfRetries: 0, withinTimeRange: TimeSpan.Zero, decider:
+            Akka.Actor.SupervisorStrategy.DefaultDecider);
+    }
+
+    private async Task OnIngestAsync(IngestAuditEventsCommand cmd)
+    {
+        // Sender is captured before the first await — Akka resets Sender
+        // between message dispatches, so a post-await Tell would go to
+        // DeadLetters.
+        var replyTo = Sender;
+        var nowUtc = DateTime.UtcNow;
+        var accepted = new List<Guid>(cmd.Events.Count);
+
+        // Resolve the repository for the whole batch — one DbContext per
+        // message, mirroring NotificationOutboxActor. The injected-repository
+        // mode (Bundle D tests) skips the scope entirely.
+        // Bundle C (M5-T6): the IAuditPayloadFilter is also resolved from the
+        // per-message scope when one is available so the row is truncated +
+        // redacted before InsertIfNotExistsAsync. The single-repository test
+        // ctor has no service provider — it falls through with no filter,
+        // which preserves the small-payload assumptions baked into the
+        // existing D2 fixtures.
+        IServiceScope? scope = null;
+        IAuditLogRepository repository;
+        IAuditPayloadFilter? filter = null;
+        ICentralAuditWriteFailureCounter? failureCounter = null;
+        if (_injectedRepository is not null)
+        {
+            repository = _injectedRepository;
+        }
+        else
+        {
+            scope = _serviceProvider!.CreateScope();
+            repository = scope.ServiceProvider.GetRequiredService<IAuditLogRepository>();
+            filter = scope.ServiceProvider.GetService<IAuditPayloadFilter>();
+            // M6 Bundle E (T8): central health counter is best-effort —
+            // unregistered (test composition roots) means the per-row catch
+            // simply logs without surfacing on the health dashboard.
+            failureCounter = scope.ServiceProvider.GetService<ICentralAuditWriteFailureCounter>();
+        }
+
+        try
+        {
+            foreach (var evt in cmd.Events)
+            {
+                try
+                {
+                    // Stamp IngestedAtUtc here, not at the site. Bundle A's
+                    // repository hardening already swallows duplicate-key races,
+                    // so the same id arriving twice (site retry, reconciliation)
+                    // is a silent no-op.
+                    // Filter BEFORE the IngestedAtUtc stamp so the redacted
+                    // copy carries the central-side ingest timestamp. Filter
+                    // is contract-bound to never throw; null = pass-through.
+                    var filtered = filter?.Apply(evt) ?? evt;
+                    var ingested = filtered with { IngestedAtUtc = nowUtc };
+                    await repository.InsertIfNotExistsAsync(ingested).ConfigureAwait(false);
+                    accepted.Add(evt.EventId);
+                }
+                catch (Exception ex)
+                {
+                    // Per-row catch — one bad row never sinks the whole batch.
+                    // The row stays Pending at the site; the next drain retries.
+                    // M6 Bundle E (T8): bump the central health counter so a
+                    // sustained insert-throw failure surfaces on the dashboard.
+                    try { failureCounter?.Increment(); }
+                    catch { /* counter must never throw — defence in depth */ }
+                    _logger.LogError(ex,
+                        "Failed to persist audit event {EventId} during batch ingest; row will be retried by the site.",
+                        evt.EventId);
+                }
+            }
+        }
+        finally
+        {
+            scope?.Dispose();
+        }
+
+        replyTo.Tell(new IngestAuditEventsReply(accepted));
+    }
+
+    /// <summary>
+    /// M3 dual-write handler. For every <see cref="CachedTelemetryEntry"/> the
+    /// actor opens a fresh MS SQL transaction, inserts the AuditLog row
+    /// idempotently AND upserts the SiteCalls row monotonically. Both succeed
+    /// or both roll back, so the audit and operational mirrors never drift
+    /// mid-row. The IngestedAtUtc stamp is unified between the two rows so a
+    /// downstream join lines up cleanly.
+    /// </summary>
+    /// <remarks>
+    /// Per-entry isolation — one entry's failed transaction does NOT abort
+    /// other entries in the batch (each gets its own
+    /// <see cref="Microsoft.EntityFrameworkCore.RelationalDatabaseFacadeExtensions.BeginTransactionAsync"/>
+    /// scope and a try/catch around it). Audit-write failure NEVER aborts the
+    /// user-facing action — the site keeps the row Pending and retries on the
+    /// next drain.
+    /// </remarks>
+    private async Task OnCachedTelemetryAsync(IngestCachedTelemetryCommand cmd)
+    {
+        var replyTo = Sender;
+        var accepted = new List<Guid>(cmd.Entries.Count);
+
+        try
+        {
+            await using var scope = _serviceProvider!.CreateAsyncScope();
+            var auditRepo = scope.ServiceProvider.GetRequiredService<IAuditLogRepository>();
+            var siteCallRepo = scope.ServiceProvider.GetRequiredService<ISiteCallAuditRepository>();
+            var dbContext = scope.ServiceProvider.GetRequiredService<ScadaLinkDbContext>();
+            // Bundle C (M5-T6): resolve the filter for the whole batch from
+            // the scope; null = pass-through for test composition roots that
+            // skip the filter registration. The filter is contract-bound to
+            // never throw, so we can apply it inside the per-entry try
+            // without risking an unbounded blast radius.
+            var filter = scope.ServiceProvider.GetService<IAuditPayloadFilter>();
+            // M6 Bundle E (T8): same best-effort central health counter as
+            // the OnIngestAsync path — null on test composition roots that
+            // skip the registration.
+            var failureCounter = scope.ServiceProvider.GetService<ICentralAuditWriteFailureCounter>();
+
+            foreach (var entry in cmd.Entries)
+            {
+                try
+                {
+                    await using var tx = await dbContext.Database
+                        .BeginTransactionAsync()
+                        .ConfigureAwait(false);
+
+                    // Stamp IngestedAtUtc on both rows from a single
+                    // central-side instant so a join on the two tables sees
+                    // matching timestamps (debugging convenience, not a
+                    // correctness invariant).
+                    var ingestedAt = DateTime.UtcNow;
+                    // Filter the audit half BEFORE the dual-write — only the
+                    // AuditLog row's payload columns are filterable; SiteCalls
+                    // carries operational state only (status, retry count) and
+                    // is left untouched.
+                    var filteredAudit = filter?.Apply(entry.Audit) ?? entry.Audit;
+                    var auditStamped = filteredAudit with { IngestedAtUtc = ingestedAt };
+                    var siteCallStamped = entry.SiteCall with { IngestedAtUtc = ingestedAt };
+
+                    await auditRepo.InsertIfNotExistsAsync(auditStamped)
+                        .ConfigureAwait(false);
+                    await siteCallRepo.UpsertAsync(siteCallStamped)
+                        .ConfigureAwait(false);
+
+                    await tx.CommitAsync().ConfigureAwait(false);
+                    accepted.Add(entry.Audit.EventId);
+                }
+                catch (Exception ex)
+                {
+                    // Both rows rolled back via the disposing transaction. The
+                    // EventId is NOT added to `accepted` so the site keeps its
+                    // row Pending and retries on the next drain. Other entries
+                    // in the batch continue with their own transactions.
+                    // M6 Bundle E (T8): bump the central health counter so a
+                    // sustained dual-write failure surfaces on the dashboard.
+                    try { failureCounter?.Increment(); }
+                    catch { /* counter must never throw — defence in depth */ }
+                    _logger.LogError(
+                        ex,
+                        "Combined telemetry dual-write failed for AuditEvent {EventId} / TrackedOperationId {TrackedOpId}; rolled back.",
+                        entry.Audit.EventId,
+                        entry.SiteCall.TrackedOperationId);
+                }
+            }
+        }
+        catch (Exception ex)
+        {
+            // Resolving the scope itself threw (e.g. DI mis-wiring). Log and
+            // reply with whatever we managed to accept (likely empty) — the
+            // central singleton MUST stay alive.
+            _logger.LogError(
+                ex,
+                "Combined telemetry batch ingest failed before per-entry processing.");
+        }
+
+        replyTo.Tell(new IngestCachedTelemetryReply(accepted));
+    }
+
+    /// <summary>
+    /// Fallback handler installed on the single-repository test ctor — that
+    /// ctor has no DbContext and no <see cref="ISiteCallAuditRepository"/>, so
+    /// it cannot service the dual-write. Logs a warning and replies with an
+    /// empty ack so callers fall through to their retry path.
+    /// </summary>
+    private Task OnCachedTelemetryWithoutDualWriteAsync(IngestCachedTelemetryCommand cmd)
+    {
+        _logger.LogWarning(
+            "AuditLogIngestActor received IngestCachedTelemetryCommand on the single-repository ctor; dual-write requires the IServiceProvider ctor. Replying with empty ack ({Count} entries).",
+            cmd.Entries.Count);
+        Sender.Tell(new IngestCachedTelemetryReply(Array.Empty<Guid>()));
+        return Task.CompletedTask;
+    }
+}

src/ScadaLink.AuditLog/Central/AuditLogPartitionMaintenanceOptions.cs

@@ -0,0 +1,37 @@
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Tuning knobs for the central
+/// <see cref="AuditLogPartitionMaintenanceService"/> hosted service (M6-T5).
+/// Defaults: once every 24 hours, keep at least one future monthly
+/// boundary ahead of <see cref="DateTime.UtcNow"/>.
+/// </summary>
+/// <remarks>
+/// <para>
+/// The hosted service drives a daily roll-forward of
+/// <c>pf_AuditLog_Month</c>: each tick reads the current max boundary and
+/// SPLITs new monthly boundaries until at least
+/// <see cref="LookaheadMonths"/> future months are covered. The 1-month
+/// default is intentionally conservative — anything less risks an
+/// end-of-month race where inserts land in the unbounded tail partition;
+/// anything more wastes nothing but represents premature commitment.
+/// </para>
+/// <para>
+/// The 24-hour cadence is the cheapest interval that still guarantees
+/// at-most-one missed boundary in steady state (even a hard failover the
+/// hosted service can recover on its very next tick). Lowering this below
+/// an hour would generate more metadata churn than it saves.
+/// </para>
+/// </remarks>
+public sealed class AuditLogPartitionMaintenanceOptions
+{
+    /// <summary>Period of the maintenance tick in seconds (default 86 400 = 24 h).</summary>
+    public int IntervalSeconds { get; set; } = 86_400;
+
+    /// <summary>
+    /// Minimum number of future months that <c>pf_AuditLog_Month</c> must
+    /// cover after each tick. Default 1 — i.e. as of mid-May the partition
+    /// for the next full month (June) must already be present.
+    /// </summary>
+    public int LookaheadMonths { get; set; } = 1;
+}

src/ScadaLink.AuditLog/Central/AuditLogPartitionMaintenanceService.cs

@@ -0,0 +1,145 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ScadaLink.Commons.Interfaces;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Central <see cref="IHostedService"/> (M6-T5, Bundle D) that rolls
+/// <c>pf_AuditLog_Month</c> forward once a day. Each tick opens a fresh DI
+/// scope, resolves <see cref="IPartitionMaintenance"/>, and calls
+/// <see cref="IPartitionMaintenance.EnsureLookaheadAsync"/> to SPLIT any
+/// missing future boundaries — the partition function must always cover at
+/// least <see cref="AuditLogPartitionMaintenanceOptions.LookaheadMonths"/>
+/// future months, otherwise inserts past the highest boundary accumulate in
+/// a single unbounded tail partition that <c>SwitchOutPartitionAsync</c>
+/// cannot purge cleanly.
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Why a hosted service, not an actor.</b> Bundle C's
+/// <see cref="AuditLogPurgeActor"/> sits inside the central singleton
+/// because it needs supervised lifecycle alongside the rest of the
+/// reconciliation / ingest pipeline. Roll-forward is genuinely a once-a-day
+/// chore with no cross-actor coordination, so we use the much simpler
+/// hosted-service pattern: <c>Task.Run</c> on start, <c>Task.Delay</c>
+/// between ticks, cancellation on stop. Reusing
+/// <see cref="IPartitionMaintenance"/> from the central node-only DI graph
+/// keeps the contract testable without any actor framework involvement.
+/// </para>
+/// <para>
+/// <b>Failure containment.</b> The tick body wraps the maintenance call in
+/// a try/catch so a transient SQL Server error never tears down the hosted
+/// service — the next tick simply retries. The exception is logged with
+/// the original stack trace at <c>Error</c> level; ops surfaces (M6 Bundle
+/// E's central health collector) can subscribe to the logger to alert on
+/// repeated failures.
+/// </para>
+/// <para>
+/// <b>Startup ordering.</b> A first tick fires immediately at
+/// <see cref="StartAsync"/> so a fresh deployment doesn't need to wait
+/// <see cref="AuditLogPartitionMaintenanceOptions.IntervalSeconds"/> for
+/// the partition function to come up to spec. This is also what the brief
+/// asks for ("Run once on startup").
+/// </para>
+/// <para>
+/// <b>DI scope per tick.</b> <see cref="IPartitionMaintenance"/> is scoped
+/// (alongside the rest of the EF repositories) because the implementation
+/// reuses the per-scope <c>ScadaLinkDbContext</c>. A hosted service is a
+/// singleton, so it must open and dispose a scope around each tick — the
+/// same pattern <see cref="AuditLogPurgeActor"/> uses.
+/// </para>
+/// </remarks>
+public sealed class AuditLogPartitionMaintenanceService : IHostedService, IDisposable
+{
+    private readonly IServiceScopeFactory _scopeFactory;
+    private readonly IOptions<AuditLogPartitionMaintenanceOptions> _options;
+    private readonly ILogger<AuditLogPartitionMaintenanceService> _logger;
+    private CancellationTokenSource? _cts;
+    private Task? _loop;
+
+    public AuditLogPartitionMaintenanceService(
+        IServiceScopeFactory scopeFactory,
+        IOptions<AuditLogPartitionMaintenanceOptions> options,
+        ILogger<AuditLogPartitionMaintenanceService> logger)
+    {
+        _scopeFactory = scopeFactory ?? throw new ArgumentNullException(nameof(scopeFactory));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <inheritdoc />
+    public Task StartAsync(CancellationToken ct)
+    {
+        // Linked CTS lets StopAsync's cancellation AND the host's shutdown
+        // token both terminate the loop; either side firing aborts the
+        // pending Task.Delay.
+        _cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+        _loop = Task.Run(() => RunLoopAsync(_cts.Token));
+        return Task.CompletedTask;
+    }
+
+    private async Task RunLoopAsync(CancellationToken ct)
+    {
+        // Run once on startup so a fresh deployment isn't gated on the
+        // IntervalSeconds initial wait — the brief calls this out explicitly.
+        await SafeMaintainAsync(ct).ConfigureAwait(false);
+
+        while (!ct.IsCancellationRequested)
+        {
+            try
+            {
+                await Task.Delay(TimeSpan.FromSeconds(_options.Value.IntervalSeconds), ct)
+                    .ConfigureAwait(false);
+            }
+            catch (OperationCanceledException)
+            {
+                break;
+            }
+
+            await SafeMaintainAsync(ct).ConfigureAwait(false);
+        }
+    }
+
+    private async Task SafeMaintainAsync(CancellationToken ct)
+    {
+        try
+        {
+            await using var scope = _scopeFactory.CreateAsyncScope();
+            var maintenance = scope.ServiceProvider.GetRequiredService<IPartitionMaintenance>();
+            var added = await maintenance
+                .EnsureLookaheadAsync(_options.Value.LookaheadMonths, ct)
+                .ConfigureAwait(false);
+            if (added.Count > 0)
+            {
+                _logger.LogInformation(
+                    "AuditLogPartitionMaintenance added {Count} boundaries: {Boundaries}",
+                    added.Count,
+                    string.Join(", ", added.Select(b => b.ToString("yyyy-MM-dd"))));
+            }
+        }
+        catch (Exception ex)
+        {
+            // Catch-all is deliberate: the hosted service must survive every
+            // class of tick failure (transient SQL, DI resolution, etc.) so
+            // the next tick gets a chance. The brief's contract is
+            // "exception logged, not propagated".
+            _logger.LogError(ex, "AuditLogPartitionMaintenance tick failed");
+        }
+    }
+
+    /// <inheritdoc />
+    public Task StopAsync(CancellationToken ct)
+    {
+        _cts?.Cancel();
+        return _loop ?? Task.CompletedTask;
+    }
+
+    /// <inheritdoc />
+    public void Dispose()
+    {
+        _cts?.Dispose();
+    }
+}

src/ScadaLink.AuditLog/Central/AuditLogPurgeActor.cs

@@ -0,0 +1,214 @@
+using System.Diagnostics;
+using Akka.Actor;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ScadaLink.AuditLog.Configuration;
+using ScadaLink.Commons.Interfaces.Repositories;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Central singleton (M6 Bundle C) that drives the daily AuditLog partition
+/// purge. On a configurable timer (default 24 hours) the actor:
+/// <list type="number">
+/// <item>Queries <see cref="IAuditLogRepository.GetPartitionBoundariesOlderThanAsync"/>
+///       for monthly boundaries whose latest <c>OccurredAtUtc</c> is older
+///       than <c>DateTime.UtcNow - RetentionDays</c>.</item>
+/// <item>For each eligible boundary, calls
+///       <see cref="IAuditLogRepository.SwitchOutPartitionAsync"/> which runs
+///       the drop-and-rebuild dance around <c>UX_AuditLog_EventId</c>.</item>
+/// <item>Publishes <see cref="AuditLogPurgedEvent"/> on the actor-system
+///       EventStream so the Bundle E central health collector + ops surfaces
+///       can subscribe without coupling to this actor.</item>
+/// </list>
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Daily cadence.</b> Partition switch is metadata-only but the
+/// drop-and-rebuild dance briefly removes <c>UX_AuditLog_EventId</c>; running
+/// more often than necessary trades unique-index rebuild outages for
+/// negligible freshness wins. The default 24-hour interval matches
+/// alog.md §10's retention policy.
+/// </para>
+/// <para>
+/// <b>Continue-on-error.</b> A single boundary that throws (transient SQL
+/// failure, contention with backup, missing object) must NOT prevent the
+/// other eligible boundaries from being purged on the same tick. Per-boundary
+/// work runs inside its own try/catch; the actor's
+/// <see cref="SupervisorStrategy"/> uses Resume so any leaked exception keeps
+/// the singleton alive for the next tick.
+/// </para>
+/// <para>
+/// <b>DI scopes.</b> <see cref="IAuditLogRepository"/> is a scoped EF Core
+/// service registered by <c>AddConfigurationDatabase</c>. The singleton
+/// opens one DI scope per tick and reuses the same repository across every
+/// boundary in that tick — mirrors the
+/// <see cref="SiteAuditReconciliationActor"/> pattern.
+/// </para>
+/// <para>
+/// <b>EventStream.</b> Publishing <see cref="AuditLogPurgedEvent"/> through
+/// the EventStream rather than direct messaging avoids coupling this actor
+/// to its consumers; M6 Bundle E will subscribe a central health-counter
+/// bridge that surfaces purge progress on the central health report.
+/// </para>
+/// </remarks>
+public class AuditLogPurgeActor : ReceiveActor
+{
+    private readonly IServiceProvider _services;
+    private readonly AuditLogPurgeOptions _purgeOptions;
+    private readonly AuditLogOptions _auditOptions;
+    private readonly ILogger<AuditLogPurgeActor> _logger;
+    private ICancelable? _timer;
+
+    public AuditLogPurgeActor(
+        IServiceProvider services,
+        IOptions<AuditLogPurgeOptions> purgeOptions,
+        IOptions<AuditLogOptions> auditOptions,
+        ILogger<AuditLogPurgeActor> logger)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(purgeOptions);
+        ArgumentNullException.ThrowIfNull(auditOptions);
+        ArgumentNullException.ThrowIfNull(logger);
+
+        _services = services;
+        _purgeOptions = purgeOptions.Value;
+        _auditOptions = auditOptions.Value;
+        _logger = logger;
+
+        ReceiveAsync<PurgeTick>(_ => OnTickAsync());
+    }
+
+    protected override void PreStart()
+    {
+        base.PreStart();
+        var interval = _purgeOptions.Interval;
+        _timer = Context.System.Scheduler.ScheduleTellRepeatedlyCancelable(
+            initialDelay: interval,
+            interval: interval,
+            receiver: Self,
+            message: PurgeTick.Instance,
+            sender: Self);
+    }
+
+    protected override void PostStop()
+    {
+        _timer?.Cancel();
+        base.PostStop();
+    }
+
+    /// <summary>
+    /// Resume keeps the singleton alive across any leaked exception. Restart
+    /// would re-run PreStart and reschedule the timer (harmless but wasteful);
+    /// Stop is wrong because the singleton must keep ticking until shutdown.
+    /// </summary>
+    protected override SupervisorStrategy SupervisorStrategy()
+    {
+        return new OneForOneStrategy(
+            maxNrOfRetries: 0,
+            withinTimeRange: TimeSpan.Zero,
+            decider: Akka.Actor.SupervisorStrategy.DefaultDecider);
+    }
+
+    private async Task OnTickAsync()
+    {
+        // Capture EventStream BEFORE the first await. Accessing Context (and
+        // therefore Context.System) after an await is unsafe because Akka's
+        // ActorBase.Context throws "no active ActorContext" once the
+        // continuation runs on a thread that isn't currently dispatching this
+        // actor — mirrors the same Sender-capture pattern in
+        // AuditLogIngestActor.OnIngestAsync.
+        var eventStream = Context.System.EventStream;
+
+        // Compute the retention threshold from AuditLogOptions.RetentionDays
+        // each tick — the options class supports hot reload via
+        // IOptionsMonitor for the redaction policy and similar settings; we
+        // read the snapshot per-tick so an operator who lowers RetentionDays
+        // sees the change applied on the next purge without an actor
+        // restart.
+        var threshold = DateTime.UtcNow - TimeSpan.FromDays(_auditOptions.RetentionDays);
+
+        IServiceScope? scope = null;
+        IAuditLogRepository repository;
+        try
+        {
+            scope = _services.CreateScope();
+            repository = scope.ServiceProvider.GetRequiredService<IAuditLogRepository>();
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to resolve IAuditLogRepository for AuditLog purge tick.");
+            scope?.Dispose();
+            return;
+        }
+
+        try
+        {
+            IReadOnlyList<DateTime> boundaries;
+            try
+            {
+                boundaries = await repository
+                    .GetPartitionBoundariesOlderThanAsync(threshold)
+                    .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(
+                    ex,
+                    "Failed to enumerate eligible AuditLog partition boundaries (threshold {ThresholdUtc:o}); skipping purge tick.",
+                    threshold);
+                return;
+            }
+
+            if (boundaries.Count == 0)
+            {
+                return;
+            }
+
+            foreach (var boundary in boundaries)
+            {
+                // Per-boundary try/catch: one bad partition (transient SQL
+                // failure, missing object, contention with backup) does NOT
+                // abandon the rest of the tick.
+                var sw = Stopwatch.StartNew();
+                try
+                {
+                    var rowsDeleted = await repository
+                        .SwitchOutPartitionAsync(boundary)
+                        .ConfigureAwait(false);
+                    sw.Stop();
+
+                    eventStream.Publish(
+                        new AuditLogPurgedEvent(boundary, rowsDeleted, sw.ElapsedMilliseconds));
+
+                    _logger.LogInformation(
+                        "Purged AuditLog partition {MonthBoundary:yyyy-MM-dd}; {RowsDeleted} rows in {DurationMs} ms.",
+                        boundary,
+                        rowsDeleted,
+                        sw.ElapsedMilliseconds);
+                }
+                catch (Exception ex)
+                {
+                    sw.Stop();
+                    _logger.LogError(
+                        ex,
+                        "Failed to purge AuditLog partition {MonthBoundary:yyyy-MM-dd}; other partitions continue. Elapsed {DurationMs} ms.",
+                        boundary,
+                        sw.ElapsedMilliseconds);
+                }
+            }
+        }
+        finally
+        {
+            scope.Dispose();
+        }
+    }
+
+    /// <summary>Self-tick triggering a purge pass across all eligible partitions.</summary>
+    internal sealed class PurgeTick
+    {
+        public static readonly PurgeTick Instance = new();
+        private PurgeTick() { }
+    }
+}

src/ScadaLink.AuditLog/Central/AuditLogPurgeOptions.cs

@@ -0,0 +1,43 @@
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Tuning knobs for the central <see cref="AuditLogPurgeActor"/> singleton.
+/// Default cadence is 24 hours per the M6 plan; the retention window itself
+/// is sourced from <see cref="ScadaLink.AuditLog.Configuration.AuditLogOptions.RetentionDays"/>
+/// (default 365) so operators tune retention from a single section.
+/// </summary>
+/// <remarks>
+/// <para>
+/// The purge actor is a daily-cadence singleton, not a hot-loop, because
+/// partition-switch I/O is metadata-only but the drop-and-rebuild dance
+/// briefly removes the <c>UX_AuditLog_EventId</c> unique index — running
+/// more often than necessary trades index-rebuild outages for marginal
+/// freshness gains. Lower this only when an operator can prove they need
+/// sub-daily purge granularity.
+/// </para>
+/// <para>
+/// <see cref="IntervalOverride"/> exists for tests to drop the cadence to
+/// milliseconds without polluting the production config surface; production
+/// binds <see cref="IntervalHours"/> only.
+/// </para>
+/// </remarks>
+public sealed class AuditLogPurgeOptions
+{
+    /// <summary>Period of the purge tick in hours (default 24).</summary>
+    public int IntervalHours { get; set; } = 24;
+
+    /// <summary>
+    /// Test-only override for finer control over the tick cadence than
+    /// whole-hour resolution allows. When non-null, takes precedence over
+    /// <see cref="IntervalHours"/>. Not bound from config — production
+    /// config exposes <see cref="IntervalHours"/> only.
+    /// </summary>
+    public TimeSpan? IntervalOverride { get; set; }
+
+    /// <summary>
+    /// Resolves the effective tick interval, honouring the test override
+    /// when set. Falls back to <see cref="IntervalHours"/>.
+    /// </summary>
+    public TimeSpan Interval =>
+        IntervalOverride ?? TimeSpan.FromHours(IntervalHours);
+}

src/ScadaLink.AuditLog/Central/AuditLogPurgedEvent.cs

@@ -0,0 +1,29 @@
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Published on the actor-system EventStream by <see cref="AuditLogPurgeActor"/>
+/// after each successful partition switch-out. Downstream consumers (Bundle E
+/// central health collector, ops dashboards, audit trails) subscribe so a
+/// purge action is observable without the actor needing to know about any
+/// specific subscriber.
+/// </summary>
+/// <param name="MonthBoundary">
+/// The pf_AuditLog_Month lower-bound boundary that was switched out — i.e.
+/// the first instant of the purged month in UTC.
+/// </param>
+/// <param name="RowsDeleted">
+/// Approximate row count purged from the partition, sampled BEFORE the
+/// switch. Exact accounting would require a post-switch scan of the staging
+/// table, which the dance drops immediately, so this is the closest
+/// observable proxy. Zero is a valid value when the actor's enumerator
+/// included a partition the operator subsequently emptied by hand.
+/// </param>
+/// <param name="DurationMs">
+/// Wall-clock time spent inside <c>SwitchOutPartitionAsync</c> for this
+/// boundary, in milliseconds. Useful for spotting the rare slow purge
+/// without spinning up dedicated telemetry.
+/// </param>
+public sealed record AuditLogPurgedEvent(
+    DateTime MonthBoundary,
+    long RowsDeleted,
+    long DurationMs);

src/ScadaLink.AuditLog/Central/CentralAuditRedactionFailureCounter.cs

@@ -0,0 +1,57 @@
+using ScadaLink.AuditLog.Payload;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Audit Log (#23) M6 Bundle E (T9) — bridges
+/// <see cref="IAuditRedactionFailureCounter"/> (incremented by
+/// <see cref="DefaultAuditPayloadFilter"/> every time a header / body / SQL
+/// parameter redactor stage throws and the filter has to over-redact the
+/// offending field) into <see cref="AuditCentralHealthSnapshot"/> so the
+/// failure surfaces on the central health surface as
+/// <c>AuditCentralHealthSnapshot.AuditRedactionFailure</c>.
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Site vs central.</b> M5 Bundle C wired the SITE-side bridge
+/// (<see cref="ScadaLink.AuditLog.Site.HealthMetricsAuditRedactionFailureCounter"/>),
+/// which routes increments into the site health report payload's
+/// <c>AuditRedactionFailure</c> field. That handles redactor failures on the
+/// site SQLite hot-path (FallbackAuditWriter). M6 Bundle E (T9) adds the
+/// MIRROR bridge here so the same payload filter — when it runs on the
+/// central <see cref="CentralAuditWriter"/> /
+/// <see cref="AuditLogIngestActor"/> paths — surfaces its failures on the
+/// central dashboard rather than disappearing into a NoOp.
+/// </para>
+/// <para>
+/// <b>Registration shape.</b> Site composition roots call
+/// <see cref="ServiceCollectionExtensions.AddAuditLogHealthMetricsBridge"/>,
+/// which overrides the binding with the site bridge. Central composition
+/// roots call <see cref="ServiceCollectionExtensions.AddAuditLogCentralMaintenance"/>,
+/// which overrides with this central bridge. A node never wears both hats —
+/// site and central are distinct host roles — so the two bridges never
+/// fight over the same binding at runtime.
+/// </para>
+/// <para>
+/// <b>Why not a thin wrapper around the snapshot directly?</b> The snapshot
+/// itself <i>could</i> be the bound implementation (it already implements
+/// <see cref="IAuditRedactionFailureCounter"/>), but a dedicated class makes
+/// the central-vs-site asymmetry explicit at the DI boundary — readers of
+/// <see cref="ServiceCollectionExtensions.AddAuditLogCentralMaintenance"/>
+/// see "site → site bridge, central → central bridge", matching the
+/// <see cref="ScadaLink.AuditLog.Site.HealthMetricsAuditRedactionFailureCounter"/>
+/// shape one-for-one.
+/// </para>
+/// </remarks>
+public sealed class CentralAuditRedactionFailureCounter : IAuditRedactionFailureCounter
+{
+    private readonly AuditCentralHealthSnapshot _snapshot;
+
+    public CentralAuditRedactionFailureCounter(AuditCentralHealthSnapshot snapshot)
+    {
+        _snapshot = snapshot ?? throw new ArgumentNullException(nameof(snapshot));
+    }
+
+    /// <inheritdoc/>
+    public void Increment() => ((IAuditRedactionFailureCounter)_snapshot).Increment();
+}

src/ScadaLink.AuditLog/Central/CentralAuditWriter.cs

@@ -0,0 +1,123 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using ScadaLink.AuditLog.Payload;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Interfaces.Services;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Central-only direct-write implementation of <see cref="ICentralAuditWriter"/>.
+/// Wraps <see cref="IAuditLogRepository.InsertIfNotExistsAsync"/> as a best-effort
+/// audit emission path for components that originate audit events ON the central
+/// node (Notification Outbox dispatch, Inbound API) — NOT for site telemetry
+/// ingest (that path is the SiteAudit → AuditLogIngestActor batched flow).
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Best-effort contract.</b> Audit-write failures NEVER abort the user-facing
+/// action (alog.md §13). The writer catches every exception thrown by repository
+/// resolution or the insert call, logs at warning, and returns successfully.
+/// Callers may still wrap the call in their own try/catch (defensive — the writer
+/// is supposed to swallow).
+/// </para>
+/// <para>
+/// <b>Scope-per-call resolution.</b> <see cref="IAuditLogRepository"/> is a SCOPED
+/// EF Core service (registered by <c>ScadaLink.ConfigurationDatabase</c>). The
+/// writer itself is registered as a singleton (so all callers share one instance),
+/// so it cannot hold a scope across calls — it opens a fresh
+/// <see cref="IServiceScope"/> per <see cref="WriteAsync"/> invocation, mirroring
+/// the per-message scope pattern used by <c>AuditLogIngestActor</c> and
+/// <c>NotificationOutboxActor</c>.
+/// </para>
+/// <para>
+/// <b>Idempotency.</b> Persistence is via <c>InsertIfNotExistsAsync</c>, so a
+/// double-emitted event (same <see cref="AuditEvent.EventId"/>) is a silent
+/// no-op — the writer is safe to call from any number of dispatch paths.
+/// </para>
+/// </remarks>
+public sealed class CentralAuditWriter : ICentralAuditWriter
+{
+    private readonly IServiceProvider _services;
+    private readonly ILogger<CentralAuditWriter> _logger;
+    private readonly IAuditPayloadFilter? _filter;
+    private readonly ICentralAuditWriteFailureCounter _failureCounter;
+
+    /// <summary>
+    /// Bundle C (M5-T6) — the central direct-write path used by the
+    /// NotificationOutboxActor dispatch and the Inbound API middleware also
+    /// needs to truncate + redact before the row hits MS SQL. The filter is
+    /// optional so the M4 test composition roots that don't pass one keep
+    /// working (they only ever write small payloads); production DI registers
+    /// the real filter via <see cref="ServiceCollectionExtensions.AddAuditLog"/>.
+    /// M6 Bundle E (T8) — adds the optional
+    /// <see cref="ICentralAuditWriteFailureCounter"/> so a swallowed repository
+    /// throw bumps the central health surface's
+    /// <c>CentralAuditWriteFailures</c> counter. Defaults to a NoOp so test
+    /// composition roots that don't wire the counter keep their current
+    /// behaviour.
+    /// </summary>
+    public CentralAuditWriter(
+        IServiceProvider services,
+        ILogger<CentralAuditWriter> logger,
+        IAuditPayloadFilter? filter = null,
+        ICentralAuditWriteFailureCounter? failureCounter = null)
+    {
+        _services = services ?? throw new ArgumentNullException(nameof(services));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _filter = filter;
+        _failureCounter = failureCounter ?? new NoOpCentralAuditWriteFailureCounter();
+    }
+
+    /// <summary>
+    /// Persists <paramref name="evt"/> into the central <c>AuditLog</c> table
+    /// idempotently on <see cref="AuditEvent.EventId"/>. Stamps
+    /// <see cref="AuditEvent.IngestedAtUtc"/> from the central-side clock.
+    /// Internal failures are logged and swallowed — never thrown.
+    /// </summary>
+    public async Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
+    {
+        if (evt is null)
+        {
+            // Defensive — a null event is a programming bug at the caller and
+            // produces no meaningful audit row. Log and return.
+            _logger.LogWarning("CentralAuditWriter.WriteAsync received null event; ignoring.");
+            return;
+        }
+
+        try
+        {
+            // Filter BEFORE stamping IngestedAtUtc + handing to the repo. The
+            // filter contract is "never throws"; the null-coalesce keeps the
+            // M4 test composition roots (no filter passed) working unchanged.
+            var filtered = _filter?.Apply(evt) ?? evt;
+
+            await using var scope = _services.CreateAsyncScope();
+            var repo = scope.ServiceProvider.GetRequiredService<IAuditLogRepository>();
+            var stamped = filtered with { IngestedAtUtc = DateTime.UtcNow };
+            await repo.InsertIfNotExistsAsync(stamped, ct).ConfigureAwait(false);
+        }
+        catch (Exception ex)
+        {
+            // Audit failure NEVER aborts the user-facing action — swallow and log.
+            // M6 Bundle E (T8): also surface the failure on the central health
+            // counter so a sustained audit-write outage is visible on the
+            // health dashboard rather than disappearing into the log file.
+            try
+            {
+                _failureCounter.Increment();
+            }
+            catch
+            {
+                // Counter must NEVER throw — defence in depth. Even if a
+                // misbehaving custom counter does, swallowing here keeps the
+                // best-effort contract intact.
+            }
+            _logger.LogWarning(
+                ex,
+                "CentralAuditWriter failed for EventId {EventId} (Kind={Kind}, Status={Status})",
+                evt.EventId, evt.Kind, evt.Status);
+        }
+    }
+}

src/ScadaLink.AuditLog/Central/IAuditCentralHealthSnapshot.cs

@@ -0,0 +1,62 @@
+using ScadaLink.AuditLog.Payload;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Audit Log (#23) M6 Bundle E read-side surface exposing the central-side
+/// audit-health counters: <see cref="CentralAuditWriteFailures"/> (every
+/// repository insert throw from <see cref="CentralAuditWriter"/> /
+/// <see cref="AuditLogIngestActor"/>), <see cref="AuditRedactionFailure"/>
+/// (every payload-filter redactor throw on the central path), and
+/// <see cref="SiteAuditTelemetryStalled"/> (per-site latched state from the
+/// <see cref="SiteAuditTelemetryStalledTracker"/>).
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Read-only contract.</b> Implementations expose a point-in-time snapshot
+/// — increments and tracker updates happen through the dedicated counter /
+/// tracker interfaces, not through this surface. Consumers (M7+ central
+/// health pages) read these properties; they never mutate.
+/// </para>
+/// <para>
+/// <b>Why a parallel surface from <see cref="ICentralHealthAggregator"/>.</b>
+/// <see cref="ICentralHealthAggregator"/> aggregates per-site
+/// <c>SiteHealthState</c> reports the SITE emits. The central audit-write
+/// failure / redaction-failure counters originate ON central (no site report
+/// carries them), so they live on a dedicated snapshot rather than being
+/// retro-fitted into a per-site state. The two surfaces will be composed at
+/// the M7 dashboard layer.
+/// </para>
+/// </remarks>
+public interface IAuditCentralHealthSnapshot
+{
+    /// <summary>
+    /// Count of central-side audit-write failures since process start.
+    /// Incremented by every <see cref="CentralAuditWriter"/> /
+    /// <see cref="AuditLogIngestActor"/> repository insert that throws.
+    /// </summary>
+    int CentralAuditWriteFailures { get; }
+
+    /// <summary>
+    /// Count of central-side payload-filter redactor over-redactions since
+    /// process start. Incremented by every header / body / SQL-parameter
+    /// redactor stage that throws (the filter falls back to the
+    /// <c>&lt;redacted: redactor error&gt;</c> marker and never aborts the
+    /// user-facing action). Sites have their own counter
+    /// (<see cref="IAuditRedactionFailureCounter"/>-backed
+    /// <c>SiteHealthReport.AuditRedactionFailure</c>) and the central
+    /// composition root's binding routes ALL central redactor throws
+    /// (CentralAuditWriter + AuditLogIngestActor paths) into this counter.
+    /// </summary>
+    int AuditRedactionFailure { get; }
+
+    /// <summary>
+    /// Per-site latched stalled state: <c>true</c> when the
+    /// <see cref="SiteAuditReconciliationActor"/> has observed two
+    /// consecutive non-draining cycles for that site, <c>false</c> after the
+    /// first draining cycle. Sites absent from the map are interpreted as
+    /// healthy (<c>Stalled=false</c> default). Snapshot is a defensive
+    /// copy — readers must not mutate.
+    /// </summary>
+    IReadOnlyDictionary<string, bool> SiteAuditTelemetryStalled { get; }
+}

src/ScadaLink.AuditLog/Central/ICentralAuditWriteFailureCounter.cs

@@ -0,0 +1,23 @@
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Audit Log (#23) M6 Bundle E (T8) counter sink invoked by central-side audit
+/// writers (<see cref="CentralAuditWriter"/>, <see cref="AuditLogIngestActor"/>)
+/// every time a repository <c>InsertIfNotExistsAsync</c> throws. Mirrors the
+/// site-side <see cref="ScadaLink.AuditLog.Site.IAuditWriteFailureCounter"/>
+/// shape one-for-one — same one-method contract, same NoOp default, same
+/// must-never-abort-the-user-facing-action invariant.
+/// </summary>
+/// <remarks>
+/// Audit-write failures NEVER abort the user-facing action (alog.md §13) —
+/// the writer swallows the exception and surfaces the failure via this counter
+/// instead. A NoOp default is the correct safe fallback while the central
+/// health surface is being wired in; <see cref="AuditCentralHealthSnapshot"/>
+/// is the production binding that routes increments into the aggregated
+/// central health snapshot consumed by future M7+ pages.
+/// </remarks>
+public interface ICentralAuditWriteFailureCounter
+{
+    /// <summary>Increment the central audit-write failure counter by one.</summary>
+    void Increment();
+}

src/ScadaLink.AuditLog/Central/IPullAuditEventsClient.cs

@@ -0,0 +1,45 @@
+using ScadaLink.Commons.Messages.Integration;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Mockable abstraction over the central-side <c>PullAuditEvents</c> gRPC
+/// client surface that <see cref="SiteAuditReconciliationActor"/> uses to
+/// fetch the next reconciliation batch from a specific site. Extracted so the
+/// actor can be unit-tested against an in-memory stub without standing up a
+/// real <c>GrpcChannel</c> per site.
+/// </summary>
+/// <remarks>
+/// <para>
+/// The production implementation (host wiring task) wraps the auto-generated
+/// <c>SiteStreamService.SiteStreamServiceClient</c>, multiplexing one
+/// <c>GrpcChannel</c> per site keyed on
+/// <see cref="SiteEntry.GrpcEndpoint"/>. Until that wiring lands the DI
+/// composition root binds a NoOp default that returns an empty response — the
+/// reconciliation tick is still scheduled and the cursor logic still runs, so
+/// regressions in the actor itself are caught even before the real client
+/// arrives.
+/// </para>
+/// <para>
+/// Implementations MUST NOT throw on transport faults that the actor can
+/// tolerate (connection refused, deadline exceeded). The actor's contract is
+/// "one site's failure doesn't sink the rest of the tick"; an exception still
+/// won't crash the actor (the per-site try/catch catches it), but returning
+/// an empty response on a known-recoverable error keeps the logs cleaner.
+/// </para>
+/// </remarks>
+public interface IPullAuditEventsClient
+{
+    /// <summary>
+    /// Issues a <c>PullAuditEvents</c> RPC against the site whose endpoint
+    /// is registered against <paramref name="siteId"/>. Returns the next
+    /// batch of <see cref="ScadaLink.Commons.Entities.Audit.AuditEvent"/>
+    /// rows ordered oldest-first AND a <c>MoreAvailable</c> flag the actor
+    /// uses to decide whether to fire another pull immediately.
+    /// </summary>
+    Task<PullAuditEventsResponse> PullAsync(
+        string siteId,
+        DateTime sinceUtc,
+        int batchSize,
+        CancellationToken ct);
+}

src/ScadaLink.AuditLog/Central/ISiteEnumerator.cs

@@ -0,0 +1,34 @@
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Enumeration surface consumed by <see cref="SiteAuditReconciliationActor"/> to
+/// discover which sites to poll on each reconciliation tick. Extracted so the
+/// actor can be unit-tested against a static list without depending on the
+/// production <c>ISiteRepository</c> + EF Core DbContext.
+/// </summary>
+/// <remarks>
+/// The production implementation wraps <c>ISiteRepository.GetAllSitesAsync</c>
+/// and projects each <c>Site</c> to a <see cref="SiteEntry"/> using the
+/// site's configured <c>GrpcNodeAAddress</c> (falling back to
+/// <c>GrpcNodeBAddress</c> when NodeA is unset). Sites with NO gRPC address
+/// configured are silently skipped — the reconciliation pull cannot reach
+/// them, but absence of an address is a configuration decision, not a runtime
+/// error.
+/// </remarks>
+public interface ISiteEnumerator
+{
+    /// <summary>
+    /// Returns the current set of sites the reconciliation puller should visit
+    /// on the next tick. Implementations should reflect adds/removes promptly
+    /// — the actor calls this once per tick.
+    /// </summary>
+    Task<IReadOnlyList<SiteEntry>> EnumerateAsync(CancellationToken ct = default);
+}
+
+/// <summary>
+/// One reconciliation target: the site identifier the actor uses as the
+/// cursor key and the gRPC endpoint <see cref="IPullAuditEventsClient"/> dials
+/// to issue the pull. Endpoint is the bare authority (e.g. <c>http://siteA:8083</c>);
+/// transport selection (TLS, keepalive, etc.) is the client's concern.
+/// </summary>
+public sealed record SiteEntry(string SiteId, string GrpcEndpoint);

src/ScadaLink.AuditLog/Central/NoOpCentralAuditWriteFailureCounter.cs

@@ -0,0 +1,17 @@
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Default <see cref="ICentralAuditWriteFailureCounter"/> binding used when
+/// the central health surface (<see cref="AuditCentralHealthSnapshot"/>) has
+/// not been wired (test composition roots, site-only hosts that incidentally
+/// resolve a <see cref="CentralAuditWriter"/>). Drops every increment on the
+/// floor. Mirrors <see cref="ScadaLink.AuditLog.Site.NoOpAuditWriteFailureCounter"/>.
+/// </summary>
+public sealed class NoOpCentralAuditWriteFailureCounter : ICentralAuditWriteFailureCounter
+{
+    /// <inheritdoc/>
+    public void Increment()
+    {
+        // intentional no-op
+    }
+}

src/ScadaLink.AuditLog/Central/SiteAuditReconciliationActor.cs

@@ -0,0 +1,332 @@
+using Akka.Actor;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Repositories;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Central singleton (M6 Bundle B) that drives the audit-log reconciliation
+/// pull loop. On a configurable timer (default 5 minutes) the actor walks every
+/// known site, asks the site for any <see cref="AuditEvent"/> rows with
+/// <see cref="AuditEvent.OccurredAtUtc"/> &gt;= the site's last reconciled
+/// cursor, ingests them idempotently into the central
+/// <see cref="IAuditLogRepository"/>, and advances the cursor.
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Self-healing telemetry, not a dispatcher.</b> The push path
+/// (<see cref="ScadaLink.AuditLog.Site.Telemetry.SiteAuditTelemetryActor"/> +
+/// <c>IngestAuditEvents</c>) is the primary mechanism. This actor exists so a
+/// missed push (gRPC blip, central restart, site offline) is eventually
+/// repaired by central re-pulling whatever the site still has in
+/// <c>Pending</c>/<c>Forwarded</c> state. Idempotency on
+/// <see cref="AuditEvent.EventId"/> (M2 Bundle A's race-fix) makes duplicate
+/// arrivals from both paths a silent no-op.
+/// </para>
+/// <para>
+/// <b>Cursor lifetime.</b> The per-site <c>LastReconciledAt</c> watermark is
+/// kept in-memory for the actor's lifetime. The cluster singleton normally
+/// survives the host process; on a deliberate failover OR a singleton restart
+/// the cursors reset to <see cref="DateTime.MinValue"/>. That is conservative
+/// but correct — the next tick simply asks for everything the site still has,
+/// and idempotent ingest swallows the dupes. Persisting cursors to MS SQL was
+/// considered and rejected for M6: the cost of a write per tick outweighs the
+/// rare benefit of avoiding one over-broad pull after a restart.
+/// </para>
+/// <para>
+/// <b>Stalled detection.</b> The brief calls a site "stalled" when two
+/// consecutive pull cycles BOTH return non-empty AND <c>MoreAvailable=true</c>
+/// — i.e. the backlog isn't draining. The actor publishes
+/// <see cref="SiteAuditTelemetryStalledChanged"/> on the actor system's
+/// EventStream so a future <c>ICentralHealthCollector</c> bridge (M6 Bundle E)
+/// can flip the health metric without coupling this actor to the health
+/// collection surface today.
+/// </para>
+/// <para>
+/// <b>Failure isolation.</b> A single site that throws (DNS, transport,
+/// repository write) must NOT prevent other sites from being polled on the
+/// same tick. The per-site work runs inside its own try/catch; the actor's
+/// supervisor strategy keeps it alive across any leaked exception with
+/// <see cref="Akka.Actor.SupervisorStrategy.DefaultDecider"/>'s Restart
+/// semantics — restart resets the in-memory cursors, but as noted above that's
+/// a safe (over-pull, idempotent) recovery.
+/// </para>
+/// <para>
+/// <b>DI scopes.</b> <see cref="IAuditLogRepository"/> is a scoped EF Core
+/// service registered by <c>AddConfigurationDatabase</c>. The singleton actor
+/// opens one DI scope per tick and reuses the same repository across all
+/// sites in that tick — one DbContext per tick mirrors the
+/// <c>AuditLogIngestActor</c> + <c>NotificationOutboxActor</c> pattern.
+/// </para>
+/// </remarks>
+public class SiteAuditReconciliationActor : ReceiveActor
+{
+    private readonly ISiteEnumerator _sites;
+    private readonly IPullAuditEventsClient _client;
+    private readonly IServiceProvider _services;
+    private readonly SiteAuditReconciliationOptions _options;
+    private readonly ILogger<SiteAuditReconciliationActor> _logger;
+
+    /// <summary>
+    /// Per-site reconciliation watermark — the highest
+    /// <see cref="AuditEvent.OccurredAtUtc"/> seen for that site on a previous
+    /// tick. Asking for <c>OccurredAtUtc &gt;= cursor</c> rather than &gt;
+    /// is the site contract (<see cref="ScadaLink.Commons.Interfaces.Services.ISiteAuditQueue.ReadPendingSinceAsync"/>);
+    /// duplicate-with-same-timestamp rows are filtered out by the idempotent
+    /// repository write.
+    /// </summary>
+    private readonly Dictionary<string, DateTime> _cursors = new();
+
+    /// <summary>
+    /// Per-site count of consecutive non-draining cycles. Resets to zero on the
+    /// first draining (or empty) cycle.
+    /// </summary>
+    private readonly Dictionary<string, int> _nonDrainingCycles = new();
+
+    /// <summary>
+    /// Per-site latched stalled state — used so the actor only publishes a
+    /// <see cref="SiteAuditTelemetryStalledChanged"/> transition when the
+    /// stalled flag actually changes, not on every tick while stalled.
+    /// </summary>
+    private readonly Dictionary<string, bool> _stalled = new();
+
+    private ICancelable? _timer;
+
+    public SiteAuditReconciliationActor(
+        ISiteEnumerator sites,
+        IPullAuditEventsClient client,
+        IServiceProvider services,
+        IOptions<SiteAuditReconciliationOptions> options,
+        ILogger<SiteAuditReconciliationActor> logger)
+    {
+        ArgumentNullException.ThrowIfNull(sites);
+        ArgumentNullException.ThrowIfNull(client);
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(options);
+        ArgumentNullException.ThrowIfNull(logger);
+
+        _sites = sites;
+        _client = client;
+        _services = services;
+        _options = options.Value;
+        _logger = logger;
+
+        ReceiveAsync<ReconciliationTick>(_ => OnTickAsync());
+    }
+
+    protected override void PreStart()
+    {
+        base.PreStart();
+        var interval = _options.ReconciliationInterval;
+        _timer = Context.System.Scheduler.ScheduleTellRepeatedlyCancelable(
+            initialDelay: interval,
+            interval: interval,
+            receiver: Self,
+            message: ReconciliationTick.Instance,
+            sender: Self);
+    }
+
+    protected override void PostStop()
+    {
+        _timer?.Cancel();
+        base.PostStop();
+    }
+
+    private async Task OnTickAsync()
+    {
+        // Capture EventStream BEFORE the first await. Accessing Context (and
+        // therefore Context.System) after an await is unsafe because Akka's
+        // ActorBase.Context throws "no active ActorContext" once the
+        // continuation runs on a thread that isn't currently dispatching this
+        // actor — mirrors the AuditLogPurgeActor.OnTickAsync fix and the
+        // AuditLogIngestActor.OnIngestAsync Sender-capture pattern.
+        var eventStream = Context.System.EventStream;
+
+        IReadOnlyList<SiteEntry> sites;
+        try
+        {
+            sites = await _sites.EnumerateAsync().ConfigureAwait(false);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Site enumeration failed; skipping reconciliation tick.");
+            return;
+        }
+
+        if (sites.Count == 0)
+        {
+            return;
+        }
+
+        IServiceScope? scope = null;
+        IAuditLogRepository repository;
+        try
+        {
+            scope = _services.CreateScope();
+            repository = scope.ServiceProvider.GetRequiredService<IAuditLogRepository>();
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to resolve IAuditLogRepository for reconciliation tick.");
+            scope?.Dispose();
+            return;
+        }
+
+        try
+        {
+            foreach (var site in sites)
+            {
+                try
+                {
+                    await PullSiteAsync(site, repository, eventStream).ConfigureAwait(false);
+                }
+                catch (Exception ex)
+                {
+                    // Catch-all per the failure-isolation invariant: one site's
+                    // fault must not sink the rest of the tick. The cursor for
+                    // the failing site is left at its previous value so the
+                    // next tick retries the same window.
+                    _logger.LogWarning(
+                        ex,
+                        "Reconciliation pull failed for site {SiteId}; other sites continue.",
+                        site.SiteId);
+                }
+            }
+        }
+        finally
+        {
+            scope.Dispose();
+        }
+    }
+
+    /// <summary>
+    /// Issues one <c>PullAuditEvents</c> RPC against the site, ingests the
+    /// returned rows idempotently into the central repository, and advances
+    /// the cursor based on the maximum <see cref="AuditEvent.OccurredAtUtc"/>
+    /// observed. The brief's "saturate until backlog clears" intent is met by
+    /// the natural cadence — each tick issues one pull, and a backed-up site
+    /// drains across consecutive ticks. The stalled signal (two non-draining
+    /// ticks in a row) surfaces when that drain isn't keeping up.
+    /// </summary>
+    private async Task PullSiteAsync(SiteEntry site, IAuditLogRepository repository, Akka.Event.EventStream eventStream)
+    {
+        var since = _cursors.TryGetValue(site.SiteId, out var c) ? c : DateTime.MinValue;
+        var response = await _client.PullAsync(
+            site.SiteId, since, _options.BatchSize, CancellationToken.None)
+            .ConfigureAwait(false);
+
+        var maxOccurred = since;
+        var nowUtc = DateTime.UtcNow;
+        foreach (var evt in response.Events)
+        {
+            try
+            {
+                // Idempotent repository write: duplicate EventIds (from a
+                // concurrent push, or a retry of this very pull) collapse to
+                // a no-op courtesy of M2 Bundle A's race-fix on
+                // InsertIfNotExistsAsync.
+                var ingested = evt with { IngestedAtUtc = nowUtc };
+                await repository.InsertIfNotExistsAsync(ingested).ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                // Per-row catch so one bad event does not abandon the rest of
+                // the batch. The cursor still advances based on OccurredAtUtc
+                // — the row was returned by the site, so the next tick won't
+                // re-fetch it; if it permanently fails to persist, that's an
+                // operational concern surfaced by the log, not a hot-loop
+                // trigger.
+                _logger.LogError(
+                    ex,
+                    "Reconciliation ingest failed for AuditEvent {EventId} from site {SiteId}.",
+                    evt.EventId,
+                    site.SiteId);
+            }
+
+            if (evt.OccurredAtUtc > maxOccurred)
+            {
+                maxOccurred = evt.OccurredAtUtc;
+            }
+        }
+
+        _cursors[site.SiteId] = maxOccurred;
+
+        var nonDraining = response.MoreAvailable && response.Events.Count > 0;
+        UpdateStalledState(site.SiteId, draining: !nonDraining, eventStream);
+    }
+
+    /// <summary>
+    /// Flips the per-site stalled flag based on whether this tick drained the
+    /// queue. A "draining" cycle is one where the server reported no more rows
+    /// available OR returned zero events. A "non-draining" cycle is the
+    /// inverse (events returned AND <c>MoreAvailable=true</c>).
+    /// </summary>
+    /// <remarks>
+    /// The state machine: counter increments on each consecutive non-draining
+    /// tick. On reaching <see cref="SiteAuditReconciliationOptions.StalledAfterNonDrainingCycles"/>
+    /// the actor latches <c>Stalled=true</c> and publishes the transition; on
+    /// any subsequent draining tick the counter resets to zero AND, if the
+    /// latch is currently true, the actor publishes <c>Stalled=false</c>. Only
+    /// transitions are published — repeated ticks in the same state are
+    /// silent so a downstream subscriber doesn't see a flood of redundant
+    /// notifications.
+    /// </remarks>
+    private void UpdateStalledState(string siteId, bool draining, Akka.Event.EventStream eventStream)
+    {
+        var wasStalled = _stalled.TryGetValue(siteId, out var prior) && prior;
+
+        if (draining)
+        {
+            _nonDrainingCycles[siteId] = 0;
+            if (wasStalled)
+            {
+                _stalled[siteId] = false;
+                eventStream.Publish(
+                    new SiteAuditTelemetryStalledChanged(siteId, Stalled: false));
+            }
+            return;
+        }
+
+        var consecutive = _nonDrainingCycles.GetValueOrDefault(siteId) + 1;
+        _nonDrainingCycles[siteId] = consecutive;
+
+        if (consecutive >= _options.StalledAfterNonDrainingCycles && !wasStalled)
+        {
+            _stalled[siteId] = true;
+            eventStream.Publish(
+                new SiteAuditTelemetryStalledChanged(siteId, Stalled: true));
+        }
+    }
+
+    /// <summary>
+    /// Resume on any unhandled exception inside the receive — the singleton
+    /// MUST stay alive even if the per-tick try/catch leaks. Restart would
+    /// reset the cursors (safe but wasteful); Resume preserves them.
+    /// </summary>
+    protected override SupervisorStrategy SupervisorStrategy()
+    {
+        return new OneForOneStrategy(
+            maxNrOfRetries: 0,
+            withinTimeRange: TimeSpan.Zero,
+            decider: Akka.Actor.SupervisorStrategy.DefaultDecider);
+    }
+
+    /// <summary>Self-tick triggering a reconciliation pass across all sites.</summary>
+    internal sealed class ReconciliationTick
+    {
+        public static readonly ReconciliationTick Instance = new();
+        private ReconciliationTick() { }
+    }
+}
+
+/// <summary>
+/// Published on the actor system EventStream when a site's reconciliation
+/// puller transitions into or out of the "stalled" state (backlog not
+/// draining across multiple cycles). The M6 Bundle E central health collector
+/// will subscribe to this and surface
+/// <c>SiteAuditTelemetryStalled</c> on the health-report payload.
+/// </summary>
+public sealed record SiteAuditTelemetryStalledChanged(string SiteId, bool Stalled);

src/ScadaLink.AuditLog/Central/SiteAuditReconciliationOptions.cs

@@ -0,0 +1,60 @@
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Tuning knobs for the central <see cref="SiteAuditReconciliationActor"/> singleton.
+/// Defaults mirror the M6 Bundle B brief: pull every 5 minutes per site, 256 rows per
+/// batch, declare a site "stalled" after two consecutive pull cycles return non-empty
+/// AND <c>MoreAvailable=true</c> (the backlog is not draining).
+/// </summary>
+/// <remarks>
+/// <para>
+/// Per the M6 plan the reconciliation actor is the fallback when push telemetry is
+/// lost; it is intentionally low-frequency. Lowering
+/// <see cref="ReconciliationIntervalSeconds"/> in production trades MS SQL load for
+/// fresher self-healing — keep the default unless a deployment can prove the extra
+/// load is acceptable.
+/// </para>
+/// <para>
+/// <see cref="StalledAfterNonDrainingCycles"/> = 2 because a single non-draining
+/// cycle can happen on a surge (e.g. a backed-up site replays its hot queue); the
+/// stalled signal should only fire when the backlog persists across cycles, which is
+/// the symptom the central health surface is asking us to detect.
+/// </para>
+/// </remarks>
+public sealed class SiteAuditReconciliationOptions
+{
+    /// <summary>
+    /// Period of the reconciliation tick. Each tick visits every known site once.
+    /// </summary>
+    public int ReconciliationIntervalSeconds { get; set; } = 300;
+
+    /// <summary>
+    /// Test-only override for finer control over the tick cadence than
+    /// whole-second resolution allows. When non-null, takes precedence over
+    /// <see cref="ReconciliationIntervalSeconds"/>. Not bound from config —
+    /// production config exposes <see cref="ReconciliationIntervalSeconds"/>
+    /// only.
+    /// </summary>
+    public TimeSpan? ReconciliationIntervalOverride { get; set; }
+
+    /// <summary>
+    /// Resolves the effective tick interval, honouring the test override when
+    /// set. Falls back to <see cref="ReconciliationIntervalSeconds"/>.
+    /// </summary>
+    public TimeSpan ReconciliationInterval =>
+        ReconciliationIntervalOverride ?? TimeSpan.FromSeconds(ReconciliationIntervalSeconds);
+
+    /// <summary>
+    /// Maximum number of <see cref="ScadaLink.Commons.Entities.Audit.AuditEvent"/>
+    /// rows requested in a single <c>PullAuditEvents</c> RPC call.
+    /// </summary>
+    public int BatchSize { get; set; } = 256;
+
+    /// <summary>
+    /// Number of consecutive non-draining cycles (events returned AND
+    /// <c>MoreAvailable=true</c>) that must accumulate for a site before the actor
+    /// publishes <c>SiteAuditTelemetryStalledChanged(Stalled: true)</c> on the
+    /// EventStream.
+    /// </summary>
+    public int StalledAfterNonDrainingCycles { get; set; } = 2;
+}

src/ScadaLink.AuditLog/Central/SiteAuditTelemetryStalledTracker.cs

@@ -0,0 +1,188 @@
+using System.Collections.Concurrent;
+using Akka.Actor;
+using Akka.Event;
+
+namespace ScadaLink.AuditLog.Central;
+
+/// <summary>
+/// Audit Log (#23) M6 Bundle E (T7) — central singleton that subscribes to the
+/// actor system's EventStream for <see cref="SiteAuditTelemetryStalledChanged"/>
+/// publications and maintains a per-site latched stalled-state map readable
+/// via <see cref="Snapshot"/>. Consumed by the M6 Bundle E
+/// <see cref="AuditCentralHealthSnapshot"/> aggregator so the central health
+/// surface can surface per-site "reconciliation isn't draining" without
+/// coupling the publisher (<see cref="SiteAuditReconciliationActor"/>) to the
+/// health collection plumbing.
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Why an internal actor.</b> Akka.NET's <see cref="EventStream"/> only
+/// supports <see cref="IActorRef"/> subscribers — there is no callback or
+/// channel-based overload. The tracker therefore spawns a small subscriber
+/// actor that forwards each event into the shared
+/// <see cref="ConcurrentDictionary{TKey,TValue}"/> on the actor's thread, and
+/// readers (<see cref="Snapshot"/>) take a copy off that dictionary on any
+/// thread. Mirrors the <c>DeadLetterMonitorActor</c> shape — subscribe in
+/// <see cref="ActorBase.PreStart"/>, unsubscribe in
+/// <see cref="ActorBase.PostStop"/>, which the tracker triggers via a Stop
+/// at <see cref="Dispose"/>.
+/// </para>
+/// <para>
+/// <b>Per-site latching.</b> The publisher (<see cref="SiteAuditReconciliationActor"/>)
+/// only publishes on stalled-state transitions, so the dictionary is the
+/// authoritative latched state. Sites that have never published are absent
+/// from the snapshot — the consumer surface treats absence as
+/// <c>Stalled=false</c> (default healthy), the same default the reconciliation
+/// actor's own internal latch uses.
+/// </para>
+/// <para>
+/// <b>Singleton lifecycle.</b> Registered as a singleton via
+/// <see cref="ServiceCollectionExtensions.AddAuditLogCentralMaintenance"/>;
+/// <see cref="Dispose"/> tears the internal subscriber down at host shutdown.
+/// </para>
+/// </remarks>
+public sealed class SiteAuditTelemetryStalledTracker : IDisposable
+{
+    private readonly EventStream _eventStream;
+    private readonly ConcurrentDictionary<string, bool> _state = new();
+    private readonly IActorRef? _subscriber;
+    private readonly AuditCentralHealthSnapshot? _snapshot;
+    private bool _disposed;
+
+    /// <summary>
+    /// Construct around a bare <see cref="EventStream"/>. Intended for unit
+    /// tests where the caller wants to publish events without standing up an
+    /// actor system — the tracker registers a transient subscriber actor only
+    /// if the supplied stream is backed by an actor system. In the bare-stream
+    /// mode (no actor system) the tracker still exposes the
+    /// <see cref="Snapshot"/> surface but cannot self-subscribe; production
+    /// callers always go through <see cref="SiteAuditTelemetryStalledTracker(ActorSystem)"/>.
+    /// </summary>
+    /// <remarks>
+    /// Subscribing to <see cref="EventStream"/> requires an <see cref="IActorRef"/>,
+    /// which can only be created from an <see cref="ActorSystem"/>. The bare-
+    /// stream ctor therefore can NOT itself wire the subscriber — tests that
+    /// want event-driven updates must use the ActorSystem ctor (or push state
+    /// directly via <see cref="Apply"/>). The tests in
+    /// <c>SiteAuditTelemetryStalledTrackerTests</c> use the ActorSystem ctor
+    /// via Akka.TestKit so they exercise the production subscribe path.
+    /// </remarks>
+    public SiteAuditTelemetryStalledTracker(EventStream eventStream)
+        : this(eventStream, snapshot: null)
+    {
+    }
+
+    /// <summary>
+    /// Bare-stream ctor with an optional snapshot sink — the central
+    /// composition root passes the singleton
+    /// <see cref="AuditCentralHealthSnapshot"/> so every dictionary update
+    /// also lands on the central health surface. The bare ctor still cannot
+    /// subscribe (no actor system), but tests that drive the tracker via
+    /// <see cref="Apply"/> get the snapshot push for free.
+    /// </summary>
+    public SiteAuditTelemetryStalledTracker(EventStream eventStream, AuditCentralHealthSnapshot? snapshot)
+    {
+        _eventStream = eventStream ?? throw new ArgumentNullException(nameof(eventStream));
+        // No subscriber actor — see the remarks on the parameterless overload.
+        _subscriber = null;
+        _snapshot = snapshot;
+    }
+
+    /// <summary>
+    /// Production ctor: subscribes a small internal actor to the supplied
+    /// system's EventStream so every published
+    /// <see cref="SiteAuditTelemetryStalledChanged"/> updates the latched
+    /// per-site map. <see cref="Dispose"/> tears the subscriber down.
+    /// </summary>
+    public SiteAuditTelemetryStalledTracker(ActorSystem actorSystem)
+        : this(actorSystem, snapshot: null)
+    {
+    }
+
+    /// <summary>
+    /// Production ctor with a snapshot sink — every observed
+    /// <see cref="SiteAuditTelemetryStalledChanged"/> is mirrored onto the
+    /// shared <see cref="AuditCentralHealthSnapshot"/> so the central health
+    /// surface sees per-site stalled state without re-reading the tracker.
+    /// </summary>
+    public SiteAuditTelemetryStalledTracker(ActorSystem actorSystem, AuditCentralHealthSnapshot? snapshot)
+    {
+        ArgumentNullException.ThrowIfNull(actorSystem);
+        _eventStream = actorSystem.EventStream;
+        _snapshot = snapshot;
+        // Anonymous subscriber actor scoped to the system; props build it
+        // with a callback into THIS tracker's Apply method so the actor's
+        // single-threaded receive serialises every dictionary write.
+        _subscriber = actorSystem.ActorOf(
+            Props.Create(() => new StalledChangedSubscriber(this)),
+            name: $"site-audit-stalled-tracker-{Guid.NewGuid():N}");
+        // Subscribe synchronously from the ctor so the subscription is in
+        // place before the tracker is returned to the caller — the actor's
+        // own PreStart runs asynchronously and would otherwise race the
+        // first publish. EventStream.Subscribe is thread-safe.
+        _eventStream.Subscribe(_subscriber, typeof(SiteAuditTelemetryStalledChanged));
+    }
+
+    /// <summary>
+    /// Returns a defensive copy of the per-site latched stalled state.
+    /// Absent sites are interpreted as <c>Stalled=false</c> by consumers.
+    /// </summary>
+    public IReadOnlyDictionary<string, bool> Snapshot() =>
+        new Dictionary<string, bool>(_state);
+
+    /// <summary>
+    /// Applied by the internal subscriber actor on every
+    /// <see cref="SiteAuditTelemetryStalledChanged"/> publication. Exposed
+    /// internally so tests against the bare-stream ctor can still drive the
+    /// tracker, but the production path always goes through the actor.
+    /// </summary>
+    internal void Apply(SiteAuditTelemetryStalledChanged evt)
+    {
+        if (evt is null) return;
+        _state[evt.SiteId] = evt.Stalled;
+        // Mirror into the central health snapshot if wired so a reader of
+        // IAuditCentralHealthSnapshot sees the same per-site state without
+        // a second lookup. Snapshot is optional (test composition roots may
+        // skip it) so the null-coalesce is the safe path.
+        _snapshot?.ApplyStalled(evt);
+    }
+
+    public void Dispose()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        if (_subscriber is not null)
+        {
+            // Unsubscribe runs in PostStop on the subscriber actor; Stop is
+            // fire-and-forget but the actor's PostStop hook is guaranteed to
+            // run before its mailbox is collected.
+            _subscriber.Tell(PoisonPill.Instance);
+        }
+    }
+
+    /// <summary>
+    /// Internal subscriber actor — receives every
+    /// <see cref="SiteAuditTelemetryStalledChanged"/> off the EventStream and
+    /// forwards it into the parent <see cref="SiteAuditTelemetryStalledTracker"/>.
+    /// Unlike <c>DeadLetterMonitorActor</c>, the subscription is registered by
+    /// the tracker constructor BEFORE this actor begins processing messages so
+    /// publishes that arrive between actor creation and PreStart cannot be
+    /// missed. Unsubscribe still runs in <see cref="PostStop"/>.
+    /// </summary>
+    private sealed class StalledChangedSubscriber : ReceiveActor
+    {
+        private readonly SiteAuditTelemetryStalledTracker _parent;
+
+        public StalledChangedSubscriber(SiteAuditTelemetryStalledTracker parent)
+        {
+            _parent = parent;
+            Receive<SiteAuditTelemetryStalledChanged>(evt => _parent.Apply(evt));
+        }
+
+        protected override void PostStop()
+        {
+            Context.System.EventStream.Unsubscribe(Self, typeof(SiteAuditTelemetryStalledChanged));
+            base.PostStop();
+        }
+    }
+}

src/ScadaLink.AuditLog/Configuration/AuditLogOptions.cs

@@ -0,0 +1,36 @@
+namespace ScadaLink.AuditLog.Configuration;
+
+/// <summary>
+/// Configuration for Audit Log (#23). Bound from the <c>AuditLog</c> section of
+/// <c>appsettings.json</c>. Defaults reflect the design (alog.md §6, §10): an
+/// 8 KiB payload-summary cap, a 64 KiB cap on error rows, and a 365-day central
+/// retention window with monthly partition-switch purge. The default
+/// header-redact list covers HTTP auth headers; per-target overrides extend
+/// (never replace) the global redactor set.
+/// </summary>
+public sealed class AuditLogOptions
+{
+    /// <summary>Default payload-summary cap in bytes (default 8 KiB).</summary>
+    public int DefaultCapBytes { get; set; } = 8192;
+
+    /// <summary>Payload-summary cap on error rows in bytes (default 64 KiB).</summary>
+    public int ErrorCapBytes { get; set; } = 65536;
+
+    /// <summary>HTTP headers redacted by default before persistence.</summary>
+    public List<string> HeaderRedactList { get; set; } = new()
+    {
+        "Authorization",
+        "X-Api-Key",
+        "Cookie",
+        "Set-Cookie",
+    };
+
+    /// <summary>Body-content redactors applied globally (regex patterns).</summary>
+    public List<string> GlobalBodyRedactors { get; set; } = new();
+
+    /// <summary>Per-target redaction overrides keyed by target identifier.</summary>
+    public Dictionary<string, PerTargetRedactionOverride> PerTargetOverrides { get; set; } = new();
+
+    /// <summary>Central retention window in days (default 365, range [30, 3650]).</summary>
+    public int RetentionDays { get; set; } = 365;
+}

src/ScadaLink.AuditLog/Configuration/AuditLogOptionsValidator.cs

@@ -0,0 +1,57 @@
+using Microsoft.Extensions.Options;
+
+namespace ScadaLink.AuditLog.Configuration;
+
+/// <summary>
+/// Validates <see cref="AuditLogOptions"/> on startup. The caps drive payload
+/// truncation in the M2+ writers, so an unset/zero cap would let arbitrarily
+/// large blobs into the central <c>AuditLog</c> table. <see cref="AuditLogOptions.ErrorCapBytes"/>
+/// must be at least as large as <see cref="AuditLogOptions.DefaultCapBytes"/>
+/// because the error cap is meant to capture <em>more</em> detail than the
+/// happy-path summary, not less. <see cref="AuditLogOptions.RetentionDays"/> is
+/// bounded to <c>[30, 3650]</c> to keep purge windows sane: too short would
+/// drop in-flight investigations, too long would defeat the partition-switch
+/// purge's purpose.
+/// </summary>
+public sealed class AuditLogOptionsValidator : IValidateOptions<AuditLogOptions>
+{
+    /// <summary>Inclusive lower bound for <see cref="AuditLogOptions.RetentionDays"/>.</summary>
+    public const int MinRetentionDays = 30;
+
+    /// <summary>Inclusive upper bound for <see cref="AuditLogOptions.RetentionDays"/>.</summary>
+    public const int MaxRetentionDays = 3650;
+
+    /// <inheritdoc />
+    public ValidateOptionsResult Validate(string? name, AuditLogOptions options)
+    {
+        ArgumentNullException.ThrowIfNull(options);
+
+        var failures = new List<string>();
+
+        if (options.DefaultCapBytes <= 0)
+        {
+            failures.Add(
+                $"AuditLog:{nameof(AuditLogOptions.DefaultCapBytes)} ({options.DefaultCapBytes}) " +
+                "must be > 0; it drives payload-summary truncation in audit writers.");
+        }
+
+        if (options.ErrorCapBytes < options.DefaultCapBytes)
+        {
+            failures.Add(
+                $"AuditLog:{nameof(AuditLogOptions.ErrorCapBytes)} ({options.ErrorCapBytes}) " +
+                $"must be >= {nameof(AuditLogOptions.DefaultCapBytes)} ({options.DefaultCapBytes}); " +
+                "the error-row cap is intended to capture more detail than the happy-path summary.");
+        }
+
+        if (options.RetentionDays < MinRetentionDays || options.RetentionDays > MaxRetentionDays)
+        {
+            failures.Add(
+                $"AuditLog:{nameof(AuditLogOptions.RetentionDays)} ({options.RetentionDays}) " +
+                $"must be in [{MinRetentionDays}, {MaxRetentionDays}] days.");
+        }
+
+        return failures.Count == 0
+            ? ValidateOptionsResult.Success
+            : ValidateOptionsResult.Fail(failures);
+    }
+}

src/ScadaLink.AuditLog/Configuration/PerTargetRedactionOverride.cs

@@ -0,0 +1,28 @@
+namespace ScadaLink.AuditLog.Configuration;
+
+/// <summary>
+/// Per-target redaction override applied additively on top of
+/// <see cref="AuditLogOptions.GlobalBodyRedactors"/> and the
+/// <see cref="AuditLogOptions.DefaultCapBytes"/> / <see cref="AuditLogOptions.ErrorCapBytes"/>
+/// caps. Targets are identified by the script-facing external-system /
+/// database / notification-list / inbound-API-key name.
+/// </summary>
+public sealed class PerTargetRedactionOverride
+{
+    /// <summary>Optional payload cap override (bytes); null inherits the global cap.</summary>
+    public int? CapBytes { get; set; }
+
+    /// <summary>Additional body redactor regex patterns (appended to the global list).</summary>
+    public List<string>? AdditionalBodyRedactors { get; set; }
+
+    /// <summary>
+    /// Opt-in SQL parameter redaction: case-insensitive regex matched against
+    /// each SQL parameter NAME in the M4 <c>AuditingDbCommand</c> RequestSummary
+    /// JSON (<c>{"sql":"...","parameters":{"@name":"value", ...}}</c>); values
+    /// whose name matches are replaced with <c>&lt;redacted&gt;</c>. Null (the
+    /// default) means parameter values are captured verbatim. Only applied to
+    /// <see cref="ScadaLink.Commons.Types.Enums.AuditChannel.DbOutbound"/>
+    /// rows.
+    /// </summary>
+    public string? RedactSqlParamsMatching { get; set; }
+}

src/ScadaLink.AuditLog/Payload/DefaultAuditPayloadFilter.cs

@@ -0,0 +1,573 @@
+using System.Collections.Concurrent;
+using System.Text;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+using System.Text.RegularExpressions;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ScadaLink.AuditLog.Configuration;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Types.Enums;
+
+namespace ScadaLink.AuditLog.Payload;
+
+/// <summary>
+/// Default <see cref="IAuditPayloadFilter"/>. Bundle A established the
+/// truncation backbone; Bundle B chains HTTP header redaction (M5-T3) BEFORE
+/// truncation so redactors operate on the full payload and the cap then trims
+/// the redacted result.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Uses <see cref="IOptionsMonitor{TOptions}"/> (not <see cref="IOptions{TOptions}"/>)
+/// so the M5-T8 hot-reload path sees fresh values without re-resolving the
+/// singleton. <see cref="Apply"/> reads <see cref="IOptionsMonitor{T}.CurrentValue"/>
+/// on every call, and the regex cache is keyed by pattern string — patterns
+/// added via a live config change compile on first use of the next event;
+/// patterns removed simply stop being looked up. No <c>OnChange</c> subscription
+/// or explicit cache invalidation is required (the
+/// <c>AuditLogOptionsBindingTests</c> fixture in <c>ScadaLink.AuditLog.Tests</c>
+/// pins this behaviour).
+/// </para>
+/// <para>
+/// "Error row" = <see cref="AuditEvent.Status"/> NOT IN (<c>Delivered</c>,
+/// <c>Submitted</c>, <c>Forwarded</c>) — every other status, including the
+/// non-terminal <c>Attempted</c>, the parked/discarded terminals, and the
+/// short-circuit <c>Skipped</c>, receives the larger error cap so a verbose
+/// error body survives.
+/// </para>
+/// <para>
+/// Apply MUST NOT throw — on internal failure the filter over-redacts by
+/// returning the input with <see cref="AuditEvent.PayloadTruncated"/> set and
+/// increments the <c>AuditRedactionFailure</c> health metric via the injected
+/// <see cref="IAuditRedactionFailureCounter"/>. Each redactor stage runs in
+/// its own try/catch — a failure in (say) the header redactor still lets the
+/// SQL parameter redactor and the truncator run on the remaining fields.
+/// </para>
+/// <para>
+/// Stage order (each runs on every applicable field):
+/// header redaction → body regex redaction → truncation. The SQL-parameter
+/// stage piggybacks on the body-redactor path; both run BEFORE truncation so
+/// the cap trims the redacted result, never bytes the redactor intended to
+/// hide.
+/// </para>
+/// </remarks>
+public sealed class DefaultAuditPayloadFilter : IAuditPayloadFilter
+{
+    private const string RedactedMarker = "<redacted>";
+    private const string RedactorErrorMarker = "<redacted: redactor error>";
+
+    /// <summary>
+    /// Per-match regex timeout. Catastrophic-backtracking patterns trip a
+    /// <see cref="RegexMatchTimeoutException"/> when a single match takes
+    /// longer than this; the offending field is then over-redacted with
+    /// <see cref="RedactorErrorMarker"/> and the failure counter is bumped.
+    /// 50 ms is generous for normal patterns yet short enough that the
+    /// audit hot-path isn't held up by a misconfigured regex.
+    /// </summary>
+    private static readonly TimeSpan RegexMatchTimeout = TimeSpan.FromMilliseconds(50);
+
+    /// <summary>
+    /// JSON serializer options used to re-emit redacted summaries. The
+    /// UnsafeRelaxedJsonEscaping encoder is required so the redaction marker
+    /// (which contains <c>&lt;</c> / <c>&gt;</c>) survives unescaped — the
+    /// header-redaction tests grep for the literal marker, and the downstream
+    /// UI / log readers would rather see <c>&lt;redacted&gt;</c> than
+    /// <c><redacted></c>. The summaries are persisted to the audit
+    /// table and rendered in trusted-internal contexts only, so the relaxed
+    /// HTML-escaping rules do not introduce an XSS surface.
+    /// </summary>
+    private static readonly JsonSerializerOptions RedactedSummaryJsonOptions = new()
+    {
+        Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
+    };
+
+    private readonly IOptionsMonitor<AuditLogOptions> _options;
+    private readonly ILogger<DefaultAuditPayloadFilter> _logger;
+    private readonly IAuditRedactionFailureCounter _failureCounter;
+
+    /// <summary>
+    /// Compiled-regex cache keyed by pattern string. Lazy population: each
+    /// pattern is compiled on first use and cached forever (the entry's
+    /// <see cref="CompiledRegex"/> carries either the working <see cref="Regex"/>
+    /// or a sentinel marking the pattern as invalid so we don't retry the
+    /// failing compile on every call). ConcurrentDictionary is the right
+    /// thread-safety primitive here because the filter is a DI singleton
+    /// shared across the audit hot-path.
+    /// </summary>
+    private readonly ConcurrentDictionary<string, CompiledRegex> _regexCache = new();
+
+    /// <summary>
+    /// Primary constructor used by DI — pulls the optional redaction-failure
+    /// counter from the container; a NoOp default is registered in
+    /// <see cref="ServiceCollectionExtensions.AddAuditLog"/>.
+    /// </summary>
+    public DefaultAuditPayloadFilter(
+        IOptionsMonitor<AuditLogOptions> options,
+        ILogger<DefaultAuditPayloadFilter> logger,
+        IAuditRedactionFailureCounter? failureCounter = null)
+    {
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _failureCounter = failureCounter ?? new NoOpAuditRedactionFailureCounter();
+    }
+
+    public AuditEvent Apply(AuditEvent rawEvent)
+    {
+        try
+        {
+            var opts = _options.CurrentValue;
+            var cap = IsErrorStatus(rawEvent.Status) ? opts.ErrorCapBytes : opts.DefaultCapBytes;
+
+            // --- Header-redaction stage (runs BEFORE truncation) ----------
+            var request = RedactHeaders(rawEvent.RequestSummary, opts.HeaderRedactList);
+            var response = RedactHeaders(rawEvent.ResponseSummary, opts.HeaderRedactList);
+            var errorDetail = rawEvent.ErrorDetail;
+            var extra = rawEvent.Extra;
+
+            // --- Body-regex stage (also runs BEFORE truncation) -----------
+            // Resolves the active regex set per event so per-target overrides
+            // bound to AuditEvent.Target are picked up; effectively a no-op
+            // when neither GlobalBodyRedactors nor the per-target additions
+            // are configured.
+            var bodyRegexes = ResolveBodyRegexes(opts, rawEvent.Target);
+            if (bodyRegexes.Count > 0)
+            {
+                request = RedactBody(request, bodyRegexes);
+                response = RedactBody(response, bodyRegexes);
+                errorDetail = RedactBody(errorDetail, bodyRegexes);
+                extra = RedactBody(extra, bodyRegexes);
+            }
+
+            // --- SQL parameter redaction stage (DbOutbound only) ----------
+            // Parses the M4 AuditingDbCommand RequestSummary shape
+            // {"sql":"...","parameters":{...}} and redacts parameter VALUES
+            // whose NAME matches the per-connection regex. Opt-in: no
+            // PerTargetOverrides[connectionName].RedactSqlParamsMatching =>
+            // no-op. Channel-guarded so the same regex can never accidentally
+            // touch an ApiOutbound row.
+            if (rawEvent.Channel == AuditChannel.DbOutbound
+                && TryGetSqlParamRedactor(opts, rawEvent.Target, out var sqlParamRegex))
+            {
+                request = RedactSqlParameters(request, sqlParamRegex!);
+            }
+
+            // --- Truncation stage -----------------------------------------
+            var truncated = false;
+            request = TruncateField(request, cap, ref truncated);
+            response = TruncateField(response, cap, ref truncated);
+            errorDetail = TruncateField(errorDetail, cap, ref truncated);
+            extra = TruncateField(extra, cap, ref truncated);
+
+            return rawEvent with
+            {
+                RequestSummary = request,
+                ResponseSummary = response,
+                ErrorDetail = errorDetail,
+                Extra = extra,
+                PayloadTruncated = rawEvent.PayloadTruncated || truncated,
+            };
+        }
+        catch (Exception ex)
+        {
+            // Audit is best-effort: over-redact rather than fail the caller.
+            // The per-stage try/catches above already handle redactor faults
+            // and increment the counter; this catch covers any unexpected
+            // surprise in the surrounding orchestration code.
+            _logger.LogWarning(
+                ex,
+                "Payload filter failed; returning raw event with PayloadTruncated=true");
+            try { _failureCounter.Increment(); } catch { /* swallow per §7 */ }
+            return rawEvent with { PayloadTruncated = true };
+        }
+    }
+
+    /// <summary>
+    /// Parse <paramref name="json"/> as the documented
+    /// <c>{"headers": {...}, "body": ...}</c> shape and replace values whose
+    /// header NAME (case-insensitive) is in <paramref name="redactList"/> with
+    /// <see cref="RedactedMarker"/>. Re-serialises and returns the result.
+    /// </summary>
+    /// <remarks>
+    /// No-op pass-through for inputs that aren't JSON-shaped — emitters that
+    /// have not yet adopted the convention (the M2 site emitters today, which
+    /// leave RequestSummary null on outbound API calls) get a transparent
+    /// pass. If the redactor itself throws, we over-redact the whole field
+    /// with <see cref="RedactorErrorMarker"/> and bump the failure counter.
+    /// </remarks>
+    private string? RedactHeaders(string? json, IList<string> redactList)
+    {
+        if (json is null)
+        {
+            return null;
+        }
+
+        // Cheap structural pre-check: only attempt JSON parsing when the input
+        // actually looks like a JSON object. Saves the JsonDocument allocation
+        // on the (very common) non-JSON ErrorDetail / Extra fields.
+        var trimmed = json.AsSpan().TrimStart();
+        if (trimmed.Length == 0 || trimmed[0] != '{')
+        {
+            return json;
+        }
+
+        try
+        {
+            JsonNode? root;
+            try
+            {
+                root = JsonNode.Parse(json);
+            }
+            catch (JsonException)
+            {
+                // Not parseable JSON — leave the field alone (no error, no
+                // redaction). Emitters not yet using the documented shape get
+                // a transparent pass; Bundle C will update them.
+                return json;
+            }
+
+            if (root is not JsonObject obj || obj["headers"] is not JsonObject headers)
+            {
+                // No "headers" object at the top level — nothing to redact.
+                return json;
+            }
+
+            // Build a case-insensitive lookup of the redact list so we can do
+            // one O(1) check per header name without an inner Any() loop.
+            var redactSet = new HashSet<string>(redactList, StringComparer.OrdinalIgnoreCase);
+
+            // Take a snapshot of names first — we cannot mutate while
+            // enumerating the JsonObject.
+            var names = new List<string>(headers.Count);
+            foreach (var kvp in headers)
+            {
+                names.Add(kvp.Key);
+            }
+            foreach (var name in names)
+            {
+                if (redactSet.Contains(name))
+                {
+                    headers[name] = JsonValue.Create(RedactedMarker);
+                }
+            }
+
+            return obj.ToJsonString(RedactedSummaryJsonOptions);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(
+                ex,
+                "Header redactor faulted; over-redacting field with '{Marker}'",
+                RedactorErrorMarker);
+            try { _failureCounter.Increment(); } catch { /* swallow per §7 */ }
+            return RedactorErrorMarker;
+        }
+    }
+
+    /// <summary>
+    /// Combine the global and per-target body-redactor lists for a single
+    /// event, returning the compiled-regex set to apply. Patterns that failed
+    /// compilation are silently skipped — the compile-time failure was logged
+    /// once on first encounter; we never let one bad pattern starve the rest.
+    /// </summary>
+    private IReadOnlyList<Regex> ResolveBodyRegexes(AuditLogOptions opts, string? target)
+    {
+        var hasGlobal = opts.GlobalBodyRedactors is { Count: > 0 };
+        var perTargetAdditions = (target != null
+            && opts.PerTargetOverrides.TryGetValue(target, out var over)
+            && over.AdditionalBodyRedactors is { Count: > 0 })
+            ? over.AdditionalBodyRedactors
+            : null;
+
+        if (!hasGlobal && perTargetAdditions == null)
+        {
+            return Array.Empty<Regex>();
+        }
+
+        var result = new List<Regex>();
+        if (hasGlobal)
+        {
+            foreach (var pattern in opts.GlobalBodyRedactors)
+            {
+                if (TryGetCompiledRegex(pattern, out var rx))
+                {
+                    result.Add(rx!);
+                }
+            }
+        }
+        if (perTargetAdditions != null)
+        {
+            foreach (var pattern in perTargetAdditions)
+            {
+                if (TryGetCompiledRegex(pattern, out var rx))
+                {
+                    result.Add(rx!);
+                }
+            }
+        }
+        return result;
+    }
+
+    /// <summary>
+    /// Resolve a compiled regex from the cache, compiling it on first use.
+    /// Returns <c>false</c> for patterns that are invalid OR whose compile
+    /// took longer than 100 ms (the spec calls catastrophic-backtracking
+    /// guesses at compile time "invalid"); the failure is logged once and
+    /// the sentinel cache entry prevents repeat compile attempts.
+    /// </summary>
+    private bool TryGetCompiledRegex(string pattern, out Regex? regex)
+    {
+        var entry = _regexCache.GetOrAdd(pattern, CompileRegex);
+        regex = entry.Regex;
+        return entry.Regex != null;
+    }
+
+    private CompiledRegex CompileRegex(string pattern)
+    {
+        try
+        {
+            var swStart = System.Diagnostics.Stopwatch.GetTimestamp();
+            var rx = new Regex(pattern, RegexOptions.Compiled, RegexMatchTimeout);
+            var elapsedMs = (System.Diagnostics.Stopwatch.GetTimestamp() - swStart)
+                * 1000d / System.Diagnostics.Stopwatch.Frequency;
+            if (elapsedMs > 100)
+            {
+                _logger.LogWarning(
+                    "Body redactor pattern compiled in {Elapsed}ms (> 100ms cap); rejecting '{Pattern}'",
+                    elapsedMs, pattern);
+                return CompiledRegex.Invalid;
+            }
+            return new CompiledRegex(rx);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(
+                ex,
+                "Body redactor pattern '{Pattern}' failed to compile; skipping",
+                pattern);
+            return CompiledRegex.Invalid;
+        }
+    }
+
+    /// <summary>
+    /// Apply each compiled body-redactor regex to <paramref name="value"/> in
+    /// turn, replacing every match with <see cref="RedactedMarker"/>. If any
+    /// single regex match throws (most commonly
+    /// <see cref="RegexMatchTimeoutException"/>) the field is over-redacted
+    /// with <see cref="RedactorErrorMarker"/> and the failure counter is
+    /// incremented — the user-facing action is never aborted.
+    /// </summary>
+    private string? RedactBody(string? value, IReadOnlyList<Regex> regexes)
+    {
+        if (value is null)
+        {
+            return null;
+        }
+        var current = value;
+        foreach (var rx in regexes)
+        {
+            try
+            {
+                current = rx.Replace(current, RedactedMarker);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(
+                    ex,
+                    "Body redactor '{Pattern}' faulted; over-redacting field with '{Marker}'",
+                    rx.ToString(), RedactorErrorMarker);
+                try { _failureCounter.Increment(); } catch { /* swallow per §7 */ }
+                return RedactorErrorMarker;
+            }
+        }
+        return current;
+    }
+
+    /// <summary>
+    /// Resolve the per-connection SQL parameter redaction regex for the given
+    /// DbOutbound event target. Target shape (M4 AuditingDbCommand): the
+    /// connection name optionally followed by <c>.&lt;sql-snippet&gt;</c> for
+    /// disambiguation; the per-target dictionary is keyed by the connection
+    /// name alone, so we strip the snippet suffix before lookup. Patterns are
+    /// compiled with case-insensitive matching to match the documented
+    /// behaviour.
+    /// </summary>
+    private bool TryGetSqlParamRedactor(AuditLogOptions opts, string? target, out Regex? regex)
+    {
+        regex = null;
+        if (string.IsNullOrEmpty(target))
+        {
+            return false;
+        }
+
+        var dot = target.IndexOf('.');
+        var connectionKey = dot < 0 ? target : target[..dot];
+
+        if (!opts.PerTargetOverrides.TryGetValue(connectionKey, out var over)
+            || string.IsNullOrEmpty(over.RedactSqlParamsMatching))
+        {
+            return false;
+        }
+
+        // Force case-insensitivity per the spec — even if the operator wrote
+        // the pattern without an IgnoreCase flag. The compile cache key folds
+        // the option to keep the entries unambiguous.
+        var cacheKey = "(?i)" + over.RedactSqlParamsMatching;
+        if (!TryGetCompiledRegex(cacheKey, out regex))
+        {
+            return false;
+        }
+        return true;
+    }
+
+    /// <summary>
+    /// Walk the M4 <c>{"sql":"...","parameters":{...}}</c> RequestSummary
+    /// shape; for each parameter whose NAME matches
+    /// <paramref name="paramNameRegex"/>, replace its value with
+    /// <see cref="RedactedMarker"/>. Re-serialise.
+    /// </summary>
+    /// <remarks>
+    /// No-op pass-through when the input isn't parseable JSON, isn't a JSON
+    /// object, or doesn't carry a top-level <c>"parameters"</c> object. On
+    /// any unexpected fault the field is over-redacted with
+    /// <see cref="RedactorErrorMarker"/> and the failure counter is bumped.
+    /// </remarks>
+    private string? RedactSqlParameters(string? json, Regex paramNameRegex)
+    {
+        if (json is null)
+        {
+            return null;
+        }
+
+        var trimmed = json.AsSpan().TrimStart();
+        if (trimmed.Length == 0 || trimmed[0] != '{')
+        {
+            return json;
+        }
+
+        try
+        {
+            JsonNode? root;
+            try
+            {
+                root = JsonNode.Parse(json);
+            }
+            catch (JsonException)
+            {
+                return json;
+            }
+
+            if (root is not JsonObject obj || obj["parameters"] is not JsonObject parameters)
+            {
+                return json;
+            }
+
+            // Snapshot the names — mutating during enumeration is unsupported.
+            var names = new List<string>(parameters.Count);
+            foreach (var kvp in parameters)
+            {
+                names.Add(kvp.Key);
+            }
+            var anyChanged = false;
+            foreach (var name in names)
+            {
+                bool matched;
+                try
+                {
+                    matched = paramNameRegex.IsMatch(name);
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogWarning(
+                        ex,
+                        "SQL parameter redactor faulted; over-redacting field with '{Marker}'",
+                        RedactorErrorMarker);
+                    try { _failureCounter.Increment(); } catch { /* swallow per §7 */ }
+                    return RedactorErrorMarker;
+                }
+                if (matched)
+                {
+                    parameters[name] = JsonValue.Create(RedactedMarker);
+                    anyChanged = true;
+                }
+            }
+
+            // Avoid re-serialising (which would normalise whitespace / order)
+            // when no parameter matched — keeps the on-disk row byte-identical
+            // to the emitter's output on the no-match path.
+            return anyChanged ? obj.ToJsonString(RedactedSummaryJsonOptions) : json;
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(
+                ex,
+                "SQL parameter redactor faulted; over-redacting field with '{Marker}'",
+                RedactorErrorMarker);
+            try { _failureCounter.Increment(); } catch { /* swallow per §7 */ }
+            return RedactorErrorMarker;
+        }
+    }
+
+    private static string? TruncateField(string? value, int cap, ref bool truncated)
+    {
+        if (value is null)
+        {
+            return null;
+        }
+        var result = TruncateUtf8(value, cap);
+        if (result.Length != value.Length)
+        {
+            truncated = true;
+        }
+        return result;
+    }
+
+    /// <summary>
+    /// UTF-8 byte-safe truncation. Encodes the input to UTF-8, walks back from
+    /// the cap position until the byte is NOT a continuation byte
+    /// (<c>byte &amp; 0xC0 == 0x80</c>), and decodes the resulting prefix —
+    /// guaranteeing the returned string never splits a multi-byte sequence.
+    /// </summary>
+    private static string TruncateUtf8(string value, int capBytes)
+    {
+        if (string.IsNullOrEmpty(value))
+        {
+            return value;
+        }
+        var bytes = Encoding.UTF8.GetBytes(value);
+        if (bytes.Length <= capBytes)
+        {
+            return value;
+        }
+        var boundary = capBytes;
+        while (boundary > 0 && (bytes[boundary] & 0xC0) == 0x80)
+        {
+            boundary--;
+        }
+        return Encoding.UTF8.GetString(bytes, 0, boundary);
+    }
+
+    private static bool IsErrorStatus(AuditStatus status) => status switch
+    {
+        AuditStatus.Delivered or AuditStatus.Submitted or AuditStatus.Forwarded => false,
+        _ => true,
+    };
+
+    /// <summary>
+    /// Cache entry for a body-redactor pattern. Carries the working
+    /// <see cref="Regex"/> on the success path, or the
+    /// <see cref="Invalid"/> sentinel for patterns that failed to compile
+    /// (or exceeded the 100 ms compile budget). The sentinel lets us skip
+    /// repeat compile attempts on every event without re-throwing on the
+    /// hot-path.
+    /// </summary>
+    private readonly struct CompiledRegex
+    {
+        public static readonly CompiledRegex Invalid = new(null);
+
+        public Regex? Regex { get; }
+
+        public CompiledRegex(Regex? regex) => Regex = regex;
+    }
+}

src/ScadaLink.AuditLog/Payload/IAuditPayloadFilter.cs

@@ -0,0 +1,30 @@
+using ScadaLink.Commons.Entities.Audit;
+
+namespace ScadaLink.AuditLog.Payload;
+
+/// <summary>
+/// Filters an <see cref="AuditEvent"/> between construction and persistence —
+/// truncates oversized payload fields, applies header/body/SQL-parameter
+/// redaction, sets <see cref="AuditEvent.PayloadTruncated"/>.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Pure function: returns a filtered COPY of the input via <c>with</c>
+/// expressions; never throws (over-redacts on internal failure and increments
+/// the <c>AuditRedactionFailure</c> health metric).
+/// </para>
+/// <para>
+/// Wired in M5 between event construction and the writer chain
+/// (<c>FallbackAuditWriter.WriteAsync</c>, <c>CentralAuditWriter.WriteAsync</c>,
+/// and the <c>AuditLogIngestActor</c> handlers).
+/// </para>
+/// </remarks>
+public interface IAuditPayloadFilter
+{
+    /// <summary>
+    /// Apply the configured truncation + redaction policy to <paramref name="rawEvent"/>
+    /// and return a filtered copy. MUST NOT throw — on internal failure, over-redact
+    /// and surface the failure via the audit-redaction-failure health metric.
+    /// </summary>
+    AuditEvent Apply(AuditEvent rawEvent);
+}

src/ScadaLink.AuditLog/Payload/IAuditRedactionFailureCounter.cs

@@ -0,0 +1,20 @@
+namespace ScadaLink.AuditLog.Payload;
+
+/// <summary>
+/// Counter sink invoked by <see cref="DefaultAuditPayloadFilter"/> every time
+/// a redactor (header / body regex / SQL parameter) throws and the filter has
+/// to over-redact the offending field with the
+/// <c>&lt;redacted: redactor error&gt;</c> marker. Bundle C bridges this into
+/// the Site Health Monitoring report payload as <c>AuditRedactionFailure</c>.
+/// </summary>
+/// <remarks>
+/// Redaction failures must NEVER abort the user-facing action (alog.md §7) —
+/// the filter over-redacts the field and surfaces the failure via this counter
+/// instead. A NoOp default is the correct safe fallback while the health
+/// metric is being wired in.
+/// </remarks>
+public interface IAuditRedactionFailureCounter
+{
+    /// <summary>Increment the audit-redaction failure counter by one.</summary>
+    void Increment();
+}

src/ScadaLink.AuditLog/Payload/NoOpAuditRedactionFailureCounter.cs

@@ -0,0 +1,17 @@
+namespace ScadaLink.AuditLog.Payload;
+
+/// <summary>
+/// Default <see cref="IAuditRedactionFailureCounter"/> binding used when the
+/// Site Health Monitoring bridge has not been wired yet. Bundle C replaces
+/// this registration with the real counter that surfaces in the site health
+/// report payload as <c>AuditRedactionFailure</c>.
+/// </summary>
+public sealed class NoOpAuditRedactionFailureCounter : IAuditRedactionFailureCounter
+{
+    /// <inheritdoc/>
+    public void Increment()
+    {
+        // Intentionally empty — Bundle C overrides this binding with the real
+        // health-metric counter.
+    }
+}

src/ScadaLink.AuditLog/ScadaLink.AuditLog.csproj

@@ -0,0 +1,35 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <!-- Bundle D D1: SiteAuditTelemetryActor + (D2) AuditLogIngestActor live
+         in this project, so Akka is an explicit dependency. -->
+    <PackageReference Include="Akka" />
+    <PackageReference Include="Microsoft.Data.Sqlite" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
+    <PackageReference Include="Microsoft.Extensions.Options" />
+    <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../ScadaLink.Commons/ScadaLink.Commons.csproj" />
+    <!-- Audit Log (#23) sits alongside Notification Outbox (#21) and Site Call Audit (#22).
+         IAuditLogRepository is registered by ScadaLink.ConfigurationDatabase; the project
+         reference is documented here so M2 writers + telemetry actors can depend on it. -->
+    <ProjectReference Include="../ScadaLink.ConfigurationDatabase/ScadaLink.ConfigurationDatabase.csproj" />
+    <!-- Communication carries the IngestAuditEvents proto + DTOs (#23 M2 site sync). -->
+    <ProjectReference Include="../ScadaLink.Communication/ScadaLink.Communication.csproj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <InternalsVisibleTo Include="ScadaLink.AuditLog.Tests" />
+  </ItemGroup>
+
+</Project>

src/ScadaLink.AuditLog/ServiceCollectionExtensions.cs

@@ -0,0 +1,307 @@
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ScadaLink.AuditLog.Central;
+using ScadaLink.AuditLog.Configuration;
+using ScadaLink.AuditLog.Payload;
+using ScadaLink.AuditLog.Site;
+using ScadaLink.AuditLog.Site.Telemetry;
+using ScadaLink.Commons.Interfaces.Services;
+
+namespace ScadaLink.AuditLog;
+
+/// <summary>
+/// Composition root for the Audit Log (#23) component.
+/// </summary>
+/// <remarks>
+/// <para>
+/// M1 registered <see cref="AuditLogOptions"/> + the validator. M2 Bundle E
+/// extends the surface with the site-side writer chain
+/// (<see cref="SqliteAuditWriter"/> + <see cref="RingBufferFallback"/> +
+/// <see cref="FallbackAuditWriter"/>) and the telemetry collaborators
+/// (<see cref="ISiteAuditQueue"/>, <see cref="ISiteStreamAuditClient"/>,
+/// <see cref="IAuditWriteFailureCounter"/>, <see cref="SiteAuditTelemetryOptions"/>,
+/// <see cref="SqliteAuditWriterOptions"/>).
+/// </para>
+/// <para>
+/// Audit Log (#23) sits alongside Notification Outbox (#21) and Site Call
+/// Audit (#22). <c>IAuditLogRepository</c> is registered by
+/// <c>ScadaLink.ConfigurationDatabase.ServiceCollectionExtensions.AddConfigurationDatabase</c>,
+/// so the caller (the Host on the central node) must also call that.
+/// </para>
+/// </remarks>
+public static class ServiceCollectionExtensions
+{
+    /// <summary>Configuration section bound to <see cref="AuditLogOptions"/>.</summary>
+    public const string ConfigSectionName = "AuditLog";
+
+    /// <summary>Configuration section bound to <see cref="SqliteAuditWriterOptions"/>.</summary>
+    public const string SiteWriterSectionName = "AuditLog:SiteWriter";
+
+    /// <summary>Configuration section bound to <see cref="SiteAuditTelemetryOptions"/>.</summary>
+    public const string SiteTelemetrySectionName = "AuditLog:SiteTelemetry";
+
+    /// <summary>Configuration section bound to <see cref="AuditLogPartitionMaintenanceOptions"/>.</summary>
+    public const string PartitionMaintenanceSectionName = "AuditLog:PartitionMaintenance";
+
+    /// <summary>
+    /// Registers the Audit Log (#23) component services: options, the site
+    /// SQLite writer chain (primary + ring fallback + failure-counter sink),
+    /// and the site-→central telemetry collaborators. Idempotent re-registration
+    /// is not supported; call this exactly once per <see cref="IServiceCollection"/>.
+    /// </summary>
+    public static IServiceCollection AddAuditLog(this IServiceCollection services, IConfiguration config)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(config);
+
+        // M1: top-level AuditLogOptions + validator (redaction policy, payload caps, etc.).
+        services.AddOptions<AuditLogOptions>()
+            .Bind(config.GetSection(ConfigSectionName))
+            .ValidateOnStart();
+        services.AddSingleton<IValidateOptions<AuditLogOptions>, AuditLogOptionsValidator>();
+
+        // M5 Bundle A: payload filter — truncates oversized RequestSummary /
+        // ResponseSummary / ErrorDetail / Extra fields between event
+        // construction and persistence. Bundle B layers header / body /
+        // SQL-parameter redaction onto the same singleton; Bundle C wires it
+        // into the FallbackAuditWriter / CentralAuditWriter / IngestActor
+        // paths. Singleton — the filter is stateless and the IOptionsMonitor
+        // dependency picks up M5-T8 hot reloads on its own.
+        services.AddSingleton<IAuditPayloadFilter, DefaultAuditPayloadFilter>();
+
+        // M5 Bundle B: per-stage redactor-failure counter. NoOp default;
+        // Bundle C replaces this binding with the Site Health Monitoring
+        // bridge that surfaces failures as AuditRedactionFailure on the site
+        // health report.
+        services.TryAddSingleton<IAuditRedactionFailureCounter, NoOpAuditRedactionFailureCounter>();
+
+        // M2 Bundle E: site writer + telemetry options bindings.
+        // BindConfiguration is not used because the configuration root supplied
+        // by the caller may not be the application root — we go through the
+        // section explicitly so a partial IConfiguration (e.g. a test stub
+        // anchored on the AuditLog section's parent) still works.
+        services.AddOptions<SqliteAuditWriterOptions>()
+            .Bind(config.GetSection(SiteWriterSectionName));
+        services.AddOptions<SiteAuditTelemetryOptions>()
+            .Bind(config.GetSection(SiteTelemetrySectionName));
+
+        // SqliteAuditWriter is a singleton with a single owned SqliteConnection
+        // and a background writer Task; multiple instances would race on the
+        // same file. Registered concretely so the ISiteAuditQueue + IAuditWriter
+        // forwards below resolve to the same instance — the actor must observe
+        // the writes made via the hot-path interface.
+        services.AddSingleton<SqliteAuditWriter>();
+        services.AddSingleton<ISiteAuditQueue>(sp => sp.GetRequiredService<SqliteAuditWriter>());
+
+        // RingBufferFallback: drop-oldest in-memory ring used by
+        // FallbackAuditWriter when the primary SQLite writer throws. Default
+        // capacity is fine for M2 (1024).
+        services.AddSingleton<RingBufferFallback>();
+
+        // IAuditWriteFailureCounter: NoOp default. Bundle G overrides this
+        // binding with the real Site Health Monitoring counter. Registered
+        // before FallbackAuditWriter so the factory can resolve it.
+        services.AddSingleton<IAuditWriteFailureCounter, NoOpAuditWriteFailureCounter>();
+
+        // The script-thread surface is FallbackAuditWriter (primary + ring +
+        // counter), not the raw SqliteAuditWriter — primary failures must NEVER
+        // abort the user-facing action.
+        // Bundle C (M5-T6): the IAuditPayloadFilter singleton above is wired
+        // through the factory so every event written through this surface is
+        // truncated + redacted before it hits SQLite (and the ring on
+        // failure).
+        services.AddSingleton<IAuditWriter>(sp => new FallbackAuditWriter(
+            primary: sp.GetRequiredService<SqliteAuditWriter>(),
+            ring: sp.GetRequiredService<RingBufferFallback>(),
+            failureCounter: sp.GetRequiredService<IAuditWriteFailureCounter>(),
+            logger: sp.GetRequiredService<ILogger<FallbackAuditWriter>>(),
+            filter: sp.GetRequiredService<IAuditPayloadFilter>()));
+
+        // ISiteStreamAuditClient: NoOp default. M6's reconciliation work brings
+        // the real gRPC-backed implementation (no site→central gRPC channel
+        // exists today — sites talk to central via Akka ClusterClient only).
+        // Bundle H's integration test substitutes a stub directly into the
+        // SiteAuditTelemetryActor's Props.Create call.
+        services.AddSingleton<ISiteStreamAuditClient, NoOpSiteStreamAuditClient>();
+
+        // M3 Bundle F: site-side dual emitter for cached-call lifecycle
+        // telemetry. ScriptRuntimeContext.ExternalSystem.CachedCall /
+        // Database.CachedWrite resolves this through DI and pushes one combined
+        // packet per lifecycle event; the forwarder writes the audit half
+        // through IAuditWriter and the operational half through the
+        // IOperationTrackingStore. The audit writer is always wired (the M2
+        // chain above); the operational tracking store is SITE-ONLY (registered
+        // by ScadaLink.SiteRuntime). On a Central composition root the tracking
+        // store has no registration, so the factory resolves it with GetService
+        // (returning null) — the forwarder degrades to "audit-only" emission,
+        // mirroring the lazy IAuditWriter chain established in M2.
+        services.AddSingleton<ICachedCallTelemetryForwarder>(sp =>
+            new CachedCallTelemetryForwarder(
+                sp.GetRequiredService<IAuditWriter>(),
+                sp.GetService<ScadaLink.Commons.Interfaces.IOperationTrackingStore>(),
+                sp.GetRequiredService<ILogger<CachedCallTelemetryForwarder>>()));
+
+        // M3 Bundle F: bridge the store-and-forward retry-loop observer hook
+        // to the cached-call forwarder so per-attempt + terminal telemetry
+        // emitted from the S&F retry sweep lands on the same SQLite hot-path
+        // as the script-thread CachedSubmit row. Registered as a singleton
+        // and also bound to ICachedCallLifecycleObserver so AddStoreAndForward
+        // can resolve it through DI (Bundle F StoreAndForward wiring change).
+        services.AddSingleton<CachedCallLifecycleBridge>();
+        services.AddSingleton<ICachedCallLifecycleObserver>(
+            sp => sp.GetRequiredService<CachedCallLifecycleBridge>());
+
+        // M6 Bundle E (T8): central audit-write failure counter — NoOp default
+        // for site/test composition roots that don't wire the central health
+        // snapshot. AddAuditLogCentralMaintenance below replaces this binding
+        // with the AuditCentralHealthSnapshot implementation so increments
+        // surface on the central dashboard.
+        services.TryAddSingleton<ICentralAuditWriteFailureCounter, NoOpCentralAuditWriteFailureCounter>();
+
+        // M4 Bundle B: central direct-write audit writer used by
+        // NotificationOutboxActor (Bundle B) and Inbound API (Bundle C/D) to
+        // emit AuditLog rows that originate ON central, not via site telemetry.
+        // Singleton — the writer is stateless; its per-call scope opens a fresh
+        // IAuditLogRepository (a SCOPED EF Core service registered by
+        // ScadaLink.ConfigurationDatabase). The interface (ICentralAuditWriter)
+        // is intentionally distinct from IAuditWriter so site composition roots
+        // do not accidentally bind it; central composition roots that include
+        // AddConfigurationDatabase get a working implementation transparently.
+        // Bundle C (M5-T6): wire the IAuditPayloadFilter into the factory so
+        // NotificationOutboxActor + Inbound API rows are truncated + redacted
+        // before they hit MS SQL.
+        // M6 Bundle E (T8): also wire the ICentralAuditWriteFailureCounter
+        // so swallowed repo throws bump the central health counter.
+        services.AddSingleton<ICentralAuditWriter>(sp => new CentralAuditWriter(
+            sp,
+            sp.GetRequiredService<ILogger<CentralAuditWriter>>(),
+            sp.GetRequiredService<IAuditPayloadFilter>(),
+            sp.GetRequiredService<ICentralAuditWriteFailureCounter>()));
+
+        return services;
+    }
+
+    /// <summary>
+    /// Audit Log (#23) M2 Bundle G + M5 Bundle C — swap the default
+    /// <see cref="NoOpAuditWriteFailureCounter"/> and
+    /// <see cref="NoOpAuditRedactionFailureCounter"/> registrations for the
+    /// real <see cref="HealthMetricsAuditWriteFailureCounter"/> /
+    /// <see cref="HealthMetricsAuditRedactionFailureCounter"/> bridges so the
+    /// FallbackAuditWriter primary-failure counter AND the
+    /// DefaultAuditPayloadFilter redactor-failure counter both surface in the
+    /// site health report payload as
+    /// <c>SiteHealthReport.SiteAuditWriteFailures</c> +
+    /// <c>SiteHealthReport.AuditRedactionFailure</c>.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// Must be called AFTER both <see cref="AddAuditLog"/> (registers the
+    /// NoOp defaults this method replaces) and
+    /// <c>ScadaLink.HealthMonitoring.ServiceCollectionExtensions.AddHealthMonitoring</c>
+    /// or <c>AddSiteHealthMonitoring</c> (registers the
+    /// <see cref="ISiteHealthCollector"/> the bridges depend on). Resolving
+    /// <see cref="IAuditWriteFailureCounter"/> or
+    /// <see cref="IAuditRedactionFailureCounter"/> without the latter throws
+    /// <see cref="InvalidOperationException"/> at <c>GetRequiredService</c>
+    /// time — by design, since a silent NoOp would mask a misconfiguration.
+    /// </para>
+    /// <para>
+    /// Idempotent — calling twice replaces each descriptor without piling up
+    /// registrations.
+    /// </para>
+    /// <para>
+    /// Site-side only for M5: the central composition root keeps the NoOp
+    /// defaults; the central health-metric surface that would expose
+    /// <c>AuditRedactionFailure</c> next to the existing central counters
+    /// ships in M6.
+    /// </para>
+    /// </remarks>
+    public static IServiceCollection AddAuditLogHealthMetricsBridge(this IServiceCollection services)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+
+        services.Replace(
+            ServiceDescriptor.Singleton<IAuditWriteFailureCounter, HealthMetricsAuditWriteFailureCounter>());
+        services.Replace(
+            ServiceDescriptor.Singleton<IAuditRedactionFailureCounter, HealthMetricsAuditRedactionFailureCounter>());
+        // M6 Bundle E (T6): the site-side backlog reporter polls the
+        // SqliteAuditWriter every 30 s and pushes the snapshot into the
+        // collector so the next SiteHealthReport carries a fresh
+        // SiteAuditBacklog field. Registered alongside the other site-only
+        // metric bridges so AddAuditLog (which runs on central too) stays
+        // free of hosted-service registrations that would resolve a missing
+        // ISiteHealthCollector on central.
+        services.AddHostedService<SiteAuditBacklogReporter>();
+        return services;
+    }
+
+    /// <summary>
+    /// Audit Log (#23) M6-T5 Bundle D — central-only registration for the
+    /// <see cref="AuditLogPartitionMaintenanceService"/> hosted service plus
+    /// its <see cref="AuditLogPartitionMaintenanceOptions"/> binding. Must be
+    /// called from the Central role's composition root (not from a site
+    /// composition root); the underlying <c>IPartitionMaintenance</c>
+    /// implementation is registered by <c>AddConfigurationDatabase</c> and
+    /// only exists on the central node.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// Separated from <see cref="AddAuditLog"/> because <c>AddAuditLog</c> is
+    /// also invoked from site composition roots — silently starting a
+    /// hosted service that resolves an unregistered dependency on a site
+    /// would fail every tick. Keeping the central-only registration in its
+    /// own helper preserves the "every <c>Add*</c> call is safe to issue
+    /// from any composition root" invariant.
+    /// </para>
+    /// </remarks>
+    public static IServiceCollection AddAuditLogCentralMaintenance(
+        this IServiceCollection services,
+        IConfiguration config)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(config);
+
+        services.AddOptions<AuditLogPartitionMaintenanceOptions>()
+            .Bind(config.GetSection(PartitionMaintenanceSectionName));
+        services.AddHostedService<AuditLogPartitionMaintenanceService>();
+
+        // M6 Bundle E (T8 + T9): central health snapshot — a single object
+        // that owns the CentralAuditWriteFailures + AuditRedactionFailure
+        // Interlocked counters AND surfaces them on
+        // IAuditCentralHealthSnapshot. The same instance is bound to BOTH
+        // writer-side interfaces (ICentralAuditWriteFailureCounter +
+        // IAuditRedactionFailureCounter) so every central-side increment
+        // routes into the shared counters; site nodes keep their existing
+        // Site bridges (registered by AddAuditLogHealthMetricsBridge) so
+        // the same counter type does not shadow the site-side metric.
+        // The snapshot itself has no actor-system dependency — the
+        // per-site stalled latch is fed by SiteAuditTelemetryStalledTracker
+        // which the Akka bootstrap wires up after ActorSystem.Create returns
+        // (the tracker is NOT registered here because its construction
+        // requires ActorSystem, which is not a DI-resolvable singleton).
+        services.AddSingleton<AuditCentralHealthSnapshot>();
+        services.AddSingleton<IAuditCentralHealthSnapshot>(
+            sp => sp.GetRequiredService<AuditCentralHealthSnapshot>());
+        services.Replace(ServiceDescriptor.Singleton<ICentralAuditWriteFailureCounter>(
+            sp => sp.GetRequiredService<AuditCentralHealthSnapshot>()));
+        // M6 Bundle E (T9): override the NoOp IAuditRedactionFailureCounter
+        // (registered by AddAuditLog) with the CentralAuditRedactionFailureCounter
+        // bridge so payload-filter throws on CentralAuditWriter /
+        // AuditLogIngestActor paths surface on the central dashboard. The
+        // bridge is a thin wrapper around the AuditCentralHealthSnapshot
+        // singleton so all central redactor failures route into the same
+        // counter as CentralAuditWriteFailures. The site composition root
+        // overrides this binding AGAIN via AddAuditLogHealthMetricsBridge —
+        // central nodes do not call that bridge, so this is the final
+        // binding on a central host. Mirrors the M5 Bundle C
+        // HealthMetricsAuditRedactionFailureCounter shape one-for-one.
+        services.Replace(ServiceDescriptor.Singleton<IAuditRedactionFailureCounter,
+            CentralAuditRedactionFailureCounter>());
+
+        return services;
+    }
+}

src/ScadaLink.AuditLog/Site/FallbackAuditWriter.cs

@@ -0,0 +1,151 @@
+using Microsoft.Extensions.Logging;
+using ScadaLink.AuditLog.Payload;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Services;
+
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Composes the primary <see cref="SqliteAuditWriter"/> with a drop-oldest
+/// <see cref="RingBufferFallback"/>. Audit writes are best-effort by contract
+/// (see <see cref="IAuditWriter"/>) — a primary failure must NEVER bubble out
+/// to the calling script. Failed events are stashed in the ring; on the next
+/// successful primary write the ring is drained back through the primary in
+/// FIFO order.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Each primary failure increments <see cref="IAuditWriteFailureCounter"/> so
+/// Site Health Monitoring can surface a sustained outage as
+/// <c>SiteAuditWriteFailures</c> (Bundle G).
+/// </para>
+/// <para>
+/// Errors raised by the ring drain on recovery are logged and silently dropped
+/// so we don't loop the failure mode — the trigger event itself succeeded, and
+/// retrying the drain on the NEXT successful write is the recovery path.
+/// </para>
+/// </remarks>
+public sealed class FallbackAuditWriter : IAuditWriter
+{
+    private readonly IAuditWriter _primary;
+    private readonly RingBufferFallback _ring;
+    private readonly IAuditWriteFailureCounter _failureCounter;
+    private readonly ILogger<FallbackAuditWriter> _logger;
+    private readonly IAuditPayloadFilter? _filter;
+    private readonly SemaphoreSlim _drainGate = new(1, 1);
+
+    /// <summary>
+    /// Bundle C (M5-T6) wires the singleton <see cref="IAuditPayloadFilter"/>
+    /// here so every event written via the site hot path is truncated +
+    /// header/body/SQL-param redacted before it hits both the primary SQLite
+    /// writer AND the ring fallback. The parameter is optional (defaults to
+    /// no filtering) so the long tail of test composition roots that don't
+    /// care about the filter need no change — the production
+    /// <see cref="ServiceCollectionExtensions.AddAuditLog"/> registration
+    /// always passes the real filter through.
+    /// </summary>
+    public FallbackAuditWriter(
+        IAuditWriter primary,
+        RingBufferFallback ring,
+        IAuditWriteFailureCounter failureCounter,
+        ILogger<FallbackAuditWriter> logger,
+        IAuditPayloadFilter? filter = null)
+    {
+        _primary = primary ?? throw new ArgumentNullException(nameof(primary));
+        _ring = ring ?? throw new ArgumentNullException(nameof(ring));
+        _failureCounter = failureCounter ?? throw new ArgumentNullException(nameof(failureCounter));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _filter = filter; // null = no-op pass-through; see WriteAsync.
+    }
+
+    public async Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(evt);
+
+        // Filter once, up-front. The filtered event flows BOTH to the primary
+        // and (on failure) to the ring buffer — so a primary outage that
+        // drains later still hands the SqliteAuditWriter a row that has
+        // already been truncated and redacted. The filter contract is
+        // "MUST NOT throw"; the null-coalesce keeps test composition roots
+        // that don't wire a filter working unchanged.
+        var filtered = _filter?.Apply(evt) ?? evt;
+
+        try
+        {
+            await _primary.WriteAsync(filtered, ct).ConfigureAwait(false);
+        }
+        catch (Exception ex)
+        {
+            // Primary down: record the failure, stash in the ring, return
+            // success to the caller. Audit-write failures NEVER abort the
+            // user-facing action (alog.md §7). DO NOT attempt the ring drain
+            // here — primary is throwing, draining would just scramble FIFO
+            // order across re-enqueues.
+            _failureCounter.Increment();
+            _logger.LogWarning(ex,
+                "Primary audit writer threw; routing EventId {EventId} to drop-oldest ring.",
+                filtered.EventId);
+            // Ring stores the filtered copy so the eventual drain replays a
+            // payload that has already been capped/redacted — no second
+            // filter pass needed on recovery, and no risk of the ring
+            // holding the raw oversized blob in memory.
+            _ring.TryEnqueue(filtered);
+            return;
+        }
+
+        // Primary succeeded — opportunistically drain anything that piled up
+        // in the ring during the outage. Best-effort: a failure during the
+        // drain re-enqueues the popped event and is logged; the next
+        // successful write will retry. Drain order in the audit log is
+        // therefore: <triggering event>, <backlog FIFO>.
+        if (_ring.Count > 0)
+        {
+            await TryDrainRingAsync(ct).ConfigureAwait(false);
+        }
+    }
+
+    private async Task TryDrainRingAsync(CancellationToken ct)
+    {
+        // Serialise drains so two concurrent recoveries don't double-replay.
+        if (!await _drainGate.WaitAsync(0, ct).ConfigureAwait(false))
+        {
+            return;
+        }
+
+        try
+        {
+            // Pull only what is currently buffered; do NOT wait for new events.
+            // We iterate with a snapshot of Count so we never starve under
+            // concurrent enqueues.
+            var pending = _ring.Count;
+            for (var i = 0; i < pending; i++)
+            {
+                if (!_ring.TryDequeue(out var queued))
+                {
+                    break;
+                }
+
+                try
+                {
+                    await _primary.WriteAsync(queued, ct).ConfigureAwait(false);
+                }
+                catch (Exception ex)
+                {
+                    // Primary fell over again. Put the event back at the head
+                    // of the queue is impossible with Channel<T>; route to the
+                    // tail (drop-oldest preserves the most-recent picture).
+                    _failureCounter.Increment();
+                    _logger.LogWarning(ex,
+                        "Ring drain re-throw on EventId {EventId}; re-enqueuing.",
+                        queued.EventId);
+                    _ring.TryEnqueue(queued);
+                    break;
+                }
+            }
+        }
+        finally
+        {
+            _drainGate.Release();
+        }
+    }
+}

src/ScadaLink.AuditLog/Site/HealthMetricsAuditRedactionFailureCounter.cs

@@ -0,0 +1,48 @@
+using ScadaLink.AuditLog.Payload;
+using ScadaLink.HealthMonitoring;
+
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Audit Log (#23) M5 Bundle C — bridges
+/// <see cref="IAuditRedactionFailureCounter"/> (incremented by
+/// <see cref="DefaultAuditPayloadFilter"/> every time a header / body / SQL
+/// parameter redactor stage throws and the filter has to over-redact the
+/// offending field) into <see cref="ISiteHealthCollector"/> so the count
+/// surfaces in the site health report payload as
+/// <c>SiteHealthReport.AuditRedactionFailure</c>.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Registered by <see cref="ServiceCollectionExtensions.AddAuditLogHealthMetricsBridge"/>;
+/// callers must register <c>AddHealthMonitoring()</c> first so
+/// <see cref="ISiteHealthCollector"/> resolves. The default <see cref="ServiceCollectionExtensions.AddAuditLog"/>
+/// registration keeps <see cref="NoOpAuditRedactionFailureCounter"/> for nodes
+/// where Site Health Monitoring is not wired (the silent-sink contract —
+/// redaction failures must NEVER abort the user-facing action, alog.md §7).
+/// </para>
+/// <para>
+/// Mirrors the M2 Bundle G <see cref="HealthMetricsAuditWriteFailureCounter"/>
+/// shape one-for-one so the two health-metric bridges age together.
+/// </para>
+/// <para>
+/// Site-side only for M5: the redaction filter also runs on the central
+/// writers (CentralAuditWriter + AuditLogIngestActor), but the central
+/// health-metric surface that would expose <c>AuditRedactionFailure</c>
+/// alongside the existing central counters ships in M6. Until then, the
+/// central composition root keeps the NoOp default — the redactions still
+/// happen, they just don't get counted into a health report.
+/// </para>
+/// </remarks>
+public sealed class HealthMetricsAuditRedactionFailureCounter : IAuditRedactionFailureCounter
+{
+    private readonly ISiteHealthCollector _collector;
+
+    public HealthMetricsAuditRedactionFailureCounter(ISiteHealthCollector collector)
+    {
+        _collector = collector ?? throw new ArgumentNullException(nameof(collector));
+    }
+
+    /// <inheritdoc/>
+    public void Increment() => _collector.IncrementAuditRedactionFailure();
+}

src/ScadaLink.AuditLog/Site/HealthMetricsAuditWriteFailureCounter.cs

@@ -0,0 +1,33 @@
+using ScadaLink.HealthMonitoring;
+
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Audit Log (#23) M2 Bundle G — bridges <see cref="IAuditWriteFailureCounter"/>
+/// (incremented by <see cref="FallbackAuditWriter"/> every time the primary
+/// SQLite writer throws) into <see cref="ISiteHealthCollector"/> so the count
+/// surfaces in the site health report payload as
+/// <c>SiteHealthReport.SiteAuditWriteFailures</c>.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Registered by <see cref="ServiceCollectionExtensions.AddAuditLogHealthMetricsBridge"/>;
+/// callers must register <c>AddHealthMonitoring()</c> first so
+/// <see cref="ISiteHealthCollector"/> resolves. The default <see cref="AddAuditLog"/>
+/// registration keeps <see cref="NoOpAuditWriteFailureCounter"/> for nodes
+/// where Site Health Monitoring is not wired (the silent-sink contract — audit
+/// write failures must NEVER abort the user-facing action, alog.md §7).
+/// </para>
+/// </remarks>
+public sealed class HealthMetricsAuditWriteFailureCounter : IAuditWriteFailureCounter
+{
+    private readonly ISiteHealthCollector _collector;
+
+    public HealthMetricsAuditWriteFailureCounter(ISiteHealthCollector collector)
+    {
+        _collector = collector ?? throw new ArgumentNullException(nameof(collector));
+    }
+
+    /// <inheritdoc/>
+    public void Increment() => _collector.IncrementSiteAuditWriteFailures();
+}

src/ScadaLink.AuditLog/Site/IAuditWriteFailureCounter.cs

@@ -0,0 +1,14 @@
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Lightweight counter sink invoked by <see cref="FallbackAuditWriter"/> every
+/// time the primary <see cref="SqliteAuditWriter"/> throws on an audit write.
+/// Bundle G (M2-T11) implements this as a thread-safe Interlocked counter
+/// bridged into the Site Health Monitoring report payload as
+/// <c>SiteAuditWriteFailures</c>.
+/// </summary>
+public interface IAuditWriteFailureCounter
+{
+    /// <summary>Increment the audit-write failure counter by one.</summary>
+    void Increment();
+}

src/ScadaLink.AuditLog/Site/NoOpAuditWriteFailureCounter.cs

@@ -0,0 +1,25 @@
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Default <see cref="IAuditWriteFailureCounter"/> registered by
+/// <see cref="ScadaLink.AuditLog.ServiceCollectionExtensions.AddAuditLog"/> on
+/// every node. Bundle G replaces this binding with a real counter that bridges
+/// into the Site Health Monitoring report payload as
+/// <c>SiteAuditWriteFailures</c> — until then,
+/// <see cref="FallbackAuditWriter"/> emits to a silent sink rather than NRE-ing
+/// on a null collaborator.
+/// </summary>
+/// <remarks>
+/// Audit-write failures must NEVER abort the user-facing action (alog.md §7),
+/// so the counter is best-effort by contract. A NoOp default is the correct
+/// safe fallback while the health metric is being wired in.
+/// </remarks>
+public sealed class NoOpAuditWriteFailureCounter : IAuditWriteFailureCounter
+{
+    /// <inheritdoc/>
+    public void Increment()
+    {
+        // Intentionally empty. Bundle G overrides this binding with the real
+        // counter once Site Health Monitoring is wired.
+    }
+}

src/ScadaLink.AuditLog/Site/RingBufferFallback.cs

@@ -0,0 +1,115 @@
+using System.Runtime.CompilerServices;
+using System.Threading.Channels;
+using ScadaLink.Commons.Entities.Audit;
+
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Drop-oldest in-memory ring buffer used by <see cref="FallbackAuditWriter"/>
+/// when the primary SQLite writer is throwing. Capacity is fixed at construction
+/// (default 1024). When full, the oldest event is silently dropped to make room
+/// for the newest — preserving the most recent picture of activity in the face
+/// of an extended SQLite outage — and <see cref="RingBufferOverflowed"/> is
+/// raised so a health counter can record the loss.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Backed by a <see cref="Channel{T}"/> with
+/// <see cref="BoundedChannelFullMode.DropOldest"/>. The channel doesn't natively
+/// notify on drop, so this class compares <c>Reader.Count</c> before and after
+/// each enqueue: any time we hit capacity and a subsequent enqueue keeps the
+/// count at capacity, exactly one event has been dropped.
+/// </para>
+/// <para>
+/// Per the M2 plan: the ring is the absolute-last-resort buffer for the
+/// hot-path; it is NOT a substitute for the bounded
+/// <see cref="SqliteAuditWriter"/> write queue.
+/// </para>
+/// </remarks>
+public sealed class RingBufferFallback
+{
+    private readonly Channel<AuditEvent> _channel;
+    private readonly int _capacity;
+
+    /// <summary>
+    /// Raised once each time a drop-oldest overflow occurs. Hooked by
+    /// <see cref="FallbackAuditWriter"/>'s health counter wiring.
+    /// </summary>
+    public event Action? RingBufferOverflowed;
+
+    public RingBufferFallback(int capacity = 1024)
+    {
+        if (capacity <= 0)
+        {
+            throw new ArgumentOutOfRangeException(nameof(capacity), "capacity must be > 0.");
+        }
+
+        _capacity = capacity;
+        _channel = Channel.CreateBounded<AuditEvent>(new BoundedChannelOptions(capacity)
+        {
+            FullMode = BoundedChannelFullMode.DropOldest,
+            SingleReader = true,
+            SingleWriter = false,
+        });
+    }
+
+    /// <summary>Current event count in the ring (for diagnostics/tests).</summary>
+    public int Count => _channel.Reader.Count;
+
+    /// <summary>
+    /// Try to enqueue an event. Returns <see langword="true"/> on success (even
+    /// when an overflow caused an older event to be dropped); returns
+    /// <see langword="false"/> only when the ring has been
+    /// <see cref="Complete"/>-d.
+    /// </summary>
+    public bool TryEnqueue(AuditEvent evt)
+    {
+        ArgumentNullException.ThrowIfNull(evt);
+
+        // DropOldest TryWrite always succeeds unless the channel is completed.
+        // Detect overflow by comparing the count before vs. after: if we were
+        // already at capacity and remain at capacity, exactly one event was
+        // dropped to make room for evt.
+        var beforeCount = _channel.Reader.Count;
+        if (!_channel.Writer.TryWrite(evt))
+        {
+            return false;
+        }
+
+        if (beforeCount >= _capacity)
+        {
+            // The new event displaced an existing one.
+            RingBufferOverflowed?.Invoke();
+        }
+
+        return true;
+    }
+
+    /// <summary>
+    /// Drain the ring in FIFO order. Yields available events immediately and
+    /// then completes when the channel is empty AND <see cref="Complete"/> has
+    /// been called. Callers that only want to drain what's currently buffered
+    /// must call <see cref="Complete"/> first.
+    /// </summary>
+    public async IAsyncEnumerable<AuditEvent> DrainAsync(
+        [EnumeratorCancellation] CancellationToken cancellationToken)
+    {
+        await foreach (var evt in _channel.Reader.ReadAllAsync(cancellationToken).ConfigureAwait(false))
+        {
+            yield return evt;
+        }
+    }
+
+    /// <summary>
+    /// Non-blocking single-item dequeue used by the
+    /// <see cref="FallbackAuditWriter"/> recovery path. Returns
+    /// <see langword="false"/> when the ring is empty.
+    /// </summary>
+    public bool TryDequeue(out AuditEvent evt) => _channel.Reader.TryRead(out evt!);
+
+    /// <summary>
+    /// Mark the ring as no-more-writes. <see cref="DrainAsync"/> will yield the
+    /// remaining events and then complete.
+    /// </summary>
+    public void Complete() => _channel.Writer.TryComplete();
+}

src/ScadaLink.AuditLog/Site/SiteAuditBacklogReporter.cs

@@ -0,0 +1,133 @@
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.HealthMonitoring;
+
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Audit Log (#23) M6 Bundle E (T6) — site-side hosted service that
+/// periodically pulls a backlog snapshot from <see cref="ISiteAuditQueue"/>
+/// and pushes it into <see cref="ISiteHealthCollector"/> so the next
+/// <see cref="ISiteHealthCollector.CollectReport"/> emits a fresh
+/// <c>SiteAuditBacklog</c> field on the site health report.
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Why a hosted service, not the report sender.</b> Querying SQLite for the
+/// backlog requires the queue's write lock; doing it inline in
+/// <see cref="ISiteHealthCollector.CollectReport"/> would couple the collector
+/// to <see cref="ISiteAuditQueue"/> and turn an in-memory snapshot read into
+/// a synchronous I/O call on the report path. The hosted-service pattern keeps
+/// the report path pure and the SQL probe off the report timing budget.
+/// </para>
+/// <para>
+/// <b>Cadence.</b> 30 s by default — coarse enough to amortise the SQL probe
+/// across many reports, fine enough that the central dashboard never lags by
+/// more than one health-report interval. Tunable via
+/// <see cref="ScadaLink.AuditLog.Site.SqliteAuditWriterOptions"/> in a follow-up
+/// if ops needs a different cadence; for M6 we hard-code the value because the
+/// brief calls it out explicitly.
+/// </para>
+/// <para>
+/// <b>Failure containment.</b> The probe call is wrapped in a try/catch so a
+/// transient SQLite error never tears down the hosted service — the next tick
+/// retries. Mirrors <see cref="ScadaLink.AuditLog.Central.AuditLogPartitionMaintenanceService"/>'s
+/// "exception logged, not propagated" contract.
+/// </para>
+/// </remarks>
+public sealed class SiteAuditBacklogReporter : IHostedService, IDisposable
+{
+    /// <summary>
+    /// Default poll cadence. Half a typical 60 s health-report interval keeps
+    /// the snapshot fresh without spinning the SQL probe more often than
+    /// necessary.
+    /// </summary>
+    internal static readonly TimeSpan DefaultRefreshInterval = TimeSpan.FromSeconds(30);
+
+    private readonly ISiteAuditQueue _queue;
+    private readonly ISiteHealthCollector _collector;
+    private readonly ILogger<SiteAuditBacklogReporter> _logger;
+    private readonly TimeSpan _refreshInterval;
+    private CancellationTokenSource? _cts;
+    private Task? _loop;
+
+    public SiteAuditBacklogReporter(
+        ISiteAuditQueue queue,
+        ISiteHealthCollector collector,
+        ILogger<SiteAuditBacklogReporter> logger,
+        TimeSpan? refreshInterval = null)
+    {
+        _queue = queue ?? throw new ArgumentNullException(nameof(queue));
+        _collector = collector ?? throw new ArgumentNullException(nameof(collector));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _refreshInterval = refreshInterval ?? DefaultRefreshInterval;
+    }
+
+    /// <inheritdoc />
+    public Task StartAsync(CancellationToken ct)
+    {
+        // Linked CTS lets StopAsync's cancellation AND the host's shutdown
+        // token both terminate the loop; either side firing aborts the
+        // pending Task.Delay.
+        _cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+        _loop = Task.Run(() => RunLoopAsync(_cts.Token));
+        return Task.CompletedTask;
+    }
+
+    private async Task RunLoopAsync(CancellationToken ct)
+    {
+        // First tick runs immediately so the very first health report after
+        // process start carries a real backlog snapshot — without this the
+        // dashboard would show null for the first 30 s after a deploy.
+        await SafeProbeAsync(ct).ConfigureAwait(false);
+
+        while (!ct.IsCancellationRequested)
+        {
+            try
+            {
+                await Task.Delay(_refreshInterval, ct).ConfigureAwait(false);
+            }
+            catch (OperationCanceledException)
+            {
+                break;
+            }
+
+            await SafeProbeAsync(ct).ConfigureAwait(false);
+        }
+    }
+
+    private async Task SafeProbeAsync(CancellationToken ct)
+    {
+        try
+        {
+            var snapshot = await _queue.GetBacklogStatsAsync(ct).ConfigureAwait(false);
+            _collector.UpdateSiteAuditBacklog(snapshot);
+        }
+        catch (OperationCanceledException)
+        {
+            // Shutdown — let the outer loop exit cleanly.
+            throw;
+        }
+        catch (Exception ex)
+        {
+            // Catch-all is deliberate: the hosted service must survive every
+            // class of probe failure (transient SQLite lock contention, disk
+            // I/O hiccup, …) so the next tick gets a chance.
+            _logger.LogWarning(ex, "SiteAuditBacklogReporter probe failed; next tick will retry.");
+        }
+    }
+
+    /// <inheritdoc />
+    public Task StopAsync(CancellationToken ct)
+    {
+        _cts?.Cancel();
+        return _loop ?? Task.CompletedTask;
+    }
+
+    /// <inheritdoc />
+    public void Dispose()
+    {
+        _cts?.Dispose();
+    }
+}

src/ScadaLink.AuditLog/Site/SqliteAuditWriter.cs

@@ -0,0 +1,657 @@
+using System.Threading.Channels;
+using Microsoft.Data.Sqlite;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.Commons.Types;
+using ScadaLink.Commons.Types.Enums;
+
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Site-side SQLite hot-path writer for Audit Log (#23) events. Mirrors the
+/// <see cref="ScadaLink.SiteEventLogging.SiteEventLogger"/> design — a single
+/// owned <see cref="SqliteConnection"/> serialised behind a write lock, fed by a
+/// bounded <see cref="Channel{T}"/> drained on a dedicated background writer
+/// task — so script-thread callers never block on disk I/O.
+/// </summary>
+/// <remarks>
+/// <para>
+/// The schema is bootstrapped in the constructor (Bundle B-T1). The
+/// Channel-based <see cref="WriteAsync"/> hot-path + Bundle D
+/// <see cref="ReadPendingAsync"/> / <see cref="MarkForwardedAsync"/> support
+/// surface are wired in Bundle B-T2.
+/// </para>
+/// <para>
+/// Site rows always carry <see cref="AuditForwardState.Pending"/> on first
+/// insert; the central row-shape's <c>IngestedAtUtc</c> column does NOT live in
+/// the site SQLite schema — central stamps it on ingest.
+/// </para>
+/// </remarks>
+public class SqliteAuditWriter : IAuditWriter, ISiteAuditQueue, IAsyncDisposable, IDisposable
+{
+    // Microsoft.Data.Sqlite reports a generic SQLITE_CONSTRAINT (error code 19)
+    // on a PRIMARY KEY violation; the extended subcode 1555 (SQLITE_CONSTRAINT_PRIMARYKEY)
+    // is exposed via SqliteException.SqliteExtendedErrorCode but isn't reliably
+    // surfaced across all SQLite builds. We treat any constraint error on insert
+    // as a duplicate-eventid race and swallow it (first-write-wins) — the index
+    // on EventId is the only constraint on this table, so this scope is precise.
+    private const int SqliteErrorConstraint = 19;
+
+    private readonly SqliteConnection _connection;
+    private readonly SqliteAuditWriterOptions _options;
+    private readonly ILogger<SqliteAuditWriter> _logger;
+    private readonly object _writeLock = new();
+    private readonly Channel<PendingAuditEvent> _writeQueue;
+    private readonly Task _writerLoop;
+    private bool _disposed;
+
+    public SqliteAuditWriter(
+        IOptions<SqliteAuditWriterOptions> options,
+        ILogger<SqliteAuditWriter> logger,
+        string? connectionStringOverride = null)
+    {
+        ArgumentNullException.ThrowIfNull(options);
+        ArgumentNullException.ThrowIfNull(logger);
+
+        _options = options.Value;
+        _logger = logger;
+
+        var connectionString = connectionStringOverride
+            ?? $"Data Source={_options.DatabasePath};Cache=Shared";
+        _connection = new SqliteConnection(connectionString);
+        _connection.Open();
+
+        InitializeSchema();
+
+        _writeQueue = Channel.CreateBounded<PendingAuditEvent>(
+            new BoundedChannelOptions(_options.ChannelCapacity)
+            {
+                // The hot-path enqueue must back-pressure if the background
+                // writer falls behind; a higher-level fallback (Bundle B-T4)
+                // handles truly catastrophic primary failure with a drop-oldest
+                // ring buffer.
+                FullMode = BoundedChannelFullMode.Wait,
+                SingleReader = true,
+                SingleWriter = false,
+            });
+        _writerLoop = Task.Run(ProcessWriteQueueAsync);
+    }
+
+    private void InitializeSchema()
+    {
+        // auto_vacuum must be set before any table is created for it to take
+        // effect on a fresh database. INCREMENTAL lets a future
+        // `PRAGMA incremental_vacuum` shrink the file after the 7-day retention
+        // purge — see alog.md §10.
+        using (var pragmaCmd = _connection.CreateCommand())
+        {
+            pragmaCmd.CommandText = "PRAGMA auto_vacuum = INCREMENTAL";
+            pragmaCmd.ExecuteNonQuery();
+        }
+
+        using var cmd = _connection.CreateCommand();
+        cmd.CommandText = """
+            CREATE TABLE IF NOT EXISTS AuditLog (
+                EventId            TEXT    NOT NULL,
+                OccurredAtUtc      TEXT    NOT NULL,
+                Channel            TEXT    NOT NULL,
+                Kind               TEXT    NOT NULL,
+                CorrelationId      TEXT    NULL,
+                SourceSiteId       TEXT    NULL,
+                SourceInstanceId   TEXT    NULL,
+                SourceScript       TEXT    NULL,
+                Actor              TEXT    NULL,
+                Target             TEXT    NULL,
+                Status             TEXT    NOT NULL,
+                HttpStatus         INTEGER NULL,
+                DurationMs         INTEGER NULL,
+                ErrorMessage       TEXT    NULL,
+                ErrorDetail        TEXT    NULL,
+                RequestSummary     TEXT    NULL,
+                ResponseSummary    TEXT    NULL,
+                PayloadTruncated   INTEGER NOT NULL,
+                Extra              TEXT    NULL,
+                ForwardState       TEXT    NOT NULL,
+                PRIMARY KEY (EventId)
+            );
+            CREATE INDEX IF NOT EXISTS IX_SiteAuditLog_ForwardState_Occurred
+                ON AuditLog (ForwardState, OccurredAtUtc);
+            """;
+        cmd.ExecuteNonQuery();
+    }
+
+    /// <summary>
+    /// Enqueue an event for durable persistence. The returned <see cref="Task"/>
+    /// completes once the event has been INSERTed (or, in the duplicate-EventId
+    /// case, recognised as already present); it faults only if the writer loop
+    /// itself collapses. The enqueue side never blocks on disk I/O — it only
+    /// awaits the bounded channel's back-pressure when the writer is briefly
+    /// behind.
+    /// </summary>
+    public Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(evt);
+
+        // Site rows always carry a non-null ForwardState; central rows leave it
+        // null. Force Pending on enqueue so callers can pass a bare AuditEvent
+        // without thinking about site-vs-central provenance.
+        var siteEvt = evt.ForwardState is null
+            ? evt with { ForwardState = AuditForwardState.Pending }
+            : evt;
+
+        var pending = new PendingAuditEvent(siteEvt);
+
+        // CreateBounded(FullMode=Wait) means WriteAsync will await room rather
+        // than throw when full — exactly the hot-path back-pressure semantics
+        // we want.
+        if (!_writeQueue.Writer.TryWrite(pending))
+        {
+            // The writer is either completed (logger disposed) or the channel
+            // is at capacity. Fall back to the async path which honours the
+            // FullMode=Wait policy.
+            return WriteSlowPathAsync(pending, ct);
+        }
+
+        return pending.Completion.Task;
+    }
+
+    private async Task WriteSlowPathAsync(PendingAuditEvent pending, CancellationToken ct)
+    {
+        try
+        {
+            await _writeQueue.Writer.WriteAsync(pending, ct).ConfigureAwait(false);
+        }
+        catch (ChannelClosedException)
+        {
+            pending.Completion.TrySetException(
+                new ObjectDisposedException(nameof(SqliteAuditWriter),
+                    "Event could not be recorded: the audit writer has been disposed."));
+        }
+
+        await pending.Completion.Task.ConfigureAwait(false);
+    }
+
+    private async Task ProcessWriteQueueAsync()
+    {
+        var batch = new List<PendingAuditEvent>(_options.BatchSize);
+
+        // ReadAllAsync completes when the channel is marked complete (Dispose).
+        await foreach (var first in _writeQueue.Reader.ReadAllAsync().ConfigureAwait(false))
+        {
+            batch.Clear();
+            batch.Add(first);
+
+            // Pull additional ready events up to BatchSize. TryRead is non-
+            // blocking and lets us amortise the transaction overhead across a
+            // burst of concurrent enqueues.
+            while (batch.Count < _options.BatchSize &&
+                   _writeQueue.Reader.TryRead(out var next))
+            {
+                batch.Add(next);
+            }
+
+            FlushBatch(batch);
+        }
+    }
+
+    private void FlushBatch(IReadOnlyList<PendingAuditEvent> batch)
+    {
+        lock (_writeLock)
+        {
+            if (_disposed)
+            {
+                foreach (var pending in batch)
+                {
+                    pending.Completion.TrySetException(
+                        new ObjectDisposedException(nameof(SqliteAuditWriter),
+                            "Event could not be recorded: the audit writer was disposed before the write completed."));
+                }
+                return;
+            }
+
+            using var transaction = _connection.BeginTransaction();
+            try
+            {
+                using var cmd = _connection.CreateCommand();
+                cmd.Transaction = transaction;
+                cmd.CommandText = """
+                    INSERT INTO AuditLog (
+                        EventId, OccurredAtUtc, Channel, Kind, CorrelationId,
+                        SourceSiteId, SourceInstanceId, SourceScript, Actor, Target,
+                        Status, HttpStatus, DurationMs, ErrorMessage, ErrorDetail,
+                        RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState
+                    ) VALUES (
+                        $EventId, $OccurredAtUtc, $Channel, $Kind, $CorrelationId,
+                        $SourceSiteId, $SourceInstanceId, $SourceScript, $Actor, $Target,
+                        $Status, $HttpStatus, $DurationMs, $ErrorMessage, $ErrorDetail,
+                        $RequestSummary, $ResponseSummary, $PayloadTruncated, $Extra, $ForwardState
+                    );
+                    """;
+
+                var pEventId = cmd.Parameters.Add("$EventId", SqliteType.Text);
+                var pOccurredAt = cmd.Parameters.Add("$OccurredAtUtc", SqliteType.Text);
+                var pChannel = cmd.Parameters.Add("$Channel", SqliteType.Text);
+                var pKind = cmd.Parameters.Add("$Kind", SqliteType.Text);
+                var pCorrelationId = cmd.Parameters.Add("$CorrelationId", SqliteType.Text);
+                var pSourceSiteId = cmd.Parameters.Add("$SourceSiteId", SqliteType.Text);
+                var pSourceInstanceId = cmd.Parameters.Add("$SourceInstanceId", SqliteType.Text);
+                var pSourceScript = cmd.Parameters.Add("$SourceScript", SqliteType.Text);
+                var pActor = cmd.Parameters.Add("$Actor", SqliteType.Text);
+                var pTarget = cmd.Parameters.Add("$Target", SqliteType.Text);
+                var pStatus = cmd.Parameters.Add("$Status", SqliteType.Text);
+                var pHttpStatus = cmd.Parameters.Add("$HttpStatus", SqliteType.Integer);
+                var pDurationMs = cmd.Parameters.Add("$DurationMs", SqliteType.Integer);
+                var pErrorMessage = cmd.Parameters.Add("$ErrorMessage", SqliteType.Text);
+                var pErrorDetail = cmd.Parameters.Add("$ErrorDetail", SqliteType.Text);
+                var pRequestSummary = cmd.Parameters.Add("$RequestSummary", SqliteType.Text);
+                var pResponseSummary = cmd.Parameters.Add("$ResponseSummary", SqliteType.Text);
+                var pPayloadTruncated = cmd.Parameters.Add("$PayloadTruncated", SqliteType.Integer);
+                var pExtra = cmd.Parameters.Add("$Extra", SqliteType.Text);
+                var pForwardState = cmd.Parameters.Add("$ForwardState", SqliteType.Text);
+
+                foreach (var pending in batch)
+                {
+                    var e = pending.Event;
+                    pEventId.Value = e.EventId.ToString();
+                    pOccurredAt.Value = e.OccurredAtUtc.ToString("o");
+                    pChannel.Value = e.Channel.ToString();
+                    pKind.Value = e.Kind.ToString();
+                    pCorrelationId.Value = (object?)e.CorrelationId?.ToString() ?? DBNull.Value;
+                    pSourceSiteId.Value = (object?)e.SourceSiteId ?? DBNull.Value;
+                    pSourceInstanceId.Value = (object?)e.SourceInstanceId ?? DBNull.Value;
+                    pSourceScript.Value = (object?)e.SourceScript ?? DBNull.Value;
+                    pActor.Value = (object?)e.Actor ?? DBNull.Value;
+                    pTarget.Value = (object?)e.Target ?? DBNull.Value;
+                    pStatus.Value = e.Status.ToString();
+                    pHttpStatus.Value = (object?)e.HttpStatus ?? DBNull.Value;
+                    pDurationMs.Value = (object?)e.DurationMs ?? DBNull.Value;
+                    pErrorMessage.Value = (object?)e.ErrorMessage ?? DBNull.Value;
+                    pErrorDetail.Value = (object?)e.ErrorDetail ?? DBNull.Value;
+                    pRequestSummary.Value = (object?)e.RequestSummary ?? DBNull.Value;
+                    pResponseSummary.Value = (object?)e.ResponseSummary ?? DBNull.Value;
+                    pPayloadTruncated.Value = e.PayloadTruncated ? 1 : 0;
+                    pExtra.Value = (object?)e.Extra ?? DBNull.Value;
+                    pForwardState.Value = (e.ForwardState ?? AuditForwardState.Pending).ToString();
+
+                    try
+                    {
+                        cmd.ExecuteNonQuery();
+                        pending.Completion.TrySetResult();
+                    }
+                    catch (SqliteException ex) when (ex.SqliteErrorCode == SqliteErrorConstraint)
+                    {
+                        // Duplicate EventId — first-write-wins (alog.md §11).
+                        // Treat as success: the lifecycle event is durably
+                        // recorded under the first writer's payload.
+                        _logger.LogDebug(ex,
+                            "Duplicate EventId {EventId} swallowed by SqliteAuditWriter",
+                            e.EventId);
+                        pending.Completion.TrySetResult();
+                    }
+                }
+
+                transaction.Commit();
+            }
+            catch (Exception ex)
+            {
+                transaction.Rollback();
+                _logger.LogError(ex, "SqliteAuditWriter batch insert failed; faulting {Count} pending events", batch.Count);
+                foreach (var pending in batch)
+                {
+                    pending.Completion.TrySetException(ex);
+                }
+            }
+        }
+    }
+
+    /// <summary>
+    /// Returns up to <paramref name="limit"/> rows in <see cref="AuditForwardState.Pending"/>,
+    /// oldest <see cref="AuditEvent.OccurredAtUtc"/> first, with <see cref="AuditEvent.EventId"/>
+    /// as the deterministic tiebreaker. Called by Bundle D's site telemetry
+    /// actor to build a batch for the gRPC push.
+    /// </summary>
+    public Task<IReadOnlyList<AuditEvent>> ReadPendingAsync(int limit, CancellationToken ct = default)
+    {
+        if (limit <= 0)
+        {
+            throw new ArgumentOutOfRangeException(nameof(limit), "limit must be > 0.");
+        }
+
+        // SqliteConnection is not thread-safe so we go through the same write
+        // lock the batch INSERTer uses. The actor caller is single-threaded,
+        // so contention is bounded.
+        lock (_writeLock)
+        {
+            ObjectDisposedException.ThrowIf(_disposed, this);
+
+            using var cmd = _connection.CreateCommand();
+            cmd.CommandText = """
+                SELECT EventId, OccurredAtUtc, Channel, Kind, CorrelationId,
+                       SourceSiteId, SourceInstanceId, SourceScript, Actor, Target,
+                       Status, HttpStatus, DurationMs, ErrorMessage, ErrorDetail,
+                       RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState
+                FROM   AuditLog
+                WHERE  ForwardState = $pending
+                ORDER  BY OccurredAtUtc ASC, EventId ASC
+                LIMIT  $limit;
+                """;
+            cmd.Parameters.AddWithValue("$pending", AuditForwardState.Pending.ToString());
+            cmd.Parameters.AddWithValue("$limit", limit);
+
+            var rows = new List<AuditEvent>(Math.Min(limit, 256));
+            using var reader = cmd.ExecuteReader();
+            while (reader.Read())
+            {
+                rows.Add(MapRow(reader));
+            }
+
+            return Task.FromResult<IReadOnlyList<AuditEvent>>(rows);
+        }
+    }
+
+    /// <summary>
+    /// Flips the supplied EventIds from <see cref="AuditForwardState.Pending"/> to
+    /// <see cref="AuditForwardState.Forwarded"/> in a single UPDATE. Non-existent
+    /// or already-forwarded ids are no-ops.
+    /// </summary>
+    public Task MarkForwardedAsync(IReadOnlyList<Guid> eventIds, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(eventIds);
+        if (eventIds.Count == 0)
+        {
+            return Task.CompletedTask;
+        }
+
+        lock (_writeLock)
+        {
+            ObjectDisposedException.ThrowIf(_disposed, this);
+
+            using var cmd = _connection.CreateCommand();
+            // Build a single IN (...) parameter list so we issue one UPDATE per
+            // batch regardless of size. Each id is bound as its own parameter,
+            // so no string concatenation of user data ever enters the SQL.
+            var sb = new System.Text.StringBuilder();
+            sb.Append("UPDATE AuditLog SET ForwardState = $forwarded WHERE EventId IN (");
+            for (int i = 0; i < eventIds.Count; i++)
+            {
+                if (i > 0) sb.Append(',');
+                var p = $"$id{i}";
+                sb.Append(p);
+                cmd.Parameters.AddWithValue(p, eventIds[i].ToString());
+            }
+            sb.Append(");");
+            cmd.CommandText = sb.ToString();
+            cmd.Parameters.AddWithValue("$forwarded", AuditForwardState.Forwarded.ToString());
+
+            cmd.ExecuteNonQuery();
+            return Task.CompletedTask;
+        }
+    }
+
+    /// <summary>
+    /// M6 reconciliation-pull read: returns up to <paramref name="batchSize"/> rows
+    /// whose <c>OccurredAtUtc &gt;= sinceUtc</c> and whose <see cref="AuditForwardState"/>
+    /// is still <see cref="AuditForwardState.Pending"/> or
+    /// <see cref="AuditForwardState.Forwarded"/>. Forwarded rows are included so the
+    /// brief race window between a site-Forwarded ack and central ingest cannot
+    /// silently drop rows; central dedups on <see cref="AuditEvent.EventId"/>.
+    /// Ordered oldest <see cref="AuditEvent.OccurredAtUtc"/> first, EventId tiebreaker.
+    /// </summary>
+    public Task<IReadOnlyList<AuditEvent>> ReadPendingSinceAsync(
+        DateTime sinceUtc, int batchSize, CancellationToken ct = default)
+    {
+        if (batchSize <= 0)
+        {
+            throw new ArgumentOutOfRangeException(nameof(batchSize), "batchSize must be > 0.");
+        }
+
+        // Mirror ReadPendingAsync: the write lock guards the single connection.
+        lock (_writeLock)
+        {
+            ObjectDisposedException.ThrowIf(_disposed, this);
+
+            using var cmd = _connection.CreateCommand();
+            cmd.CommandText = """
+                SELECT EventId, OccurredAtUtc, Channel, Kind, CorrelationId,
+                       SourceSiteId, SourceInstanceId, SourceScript, Actor, Target,
+                       Status, HttpStatus, DurationMs, ErrorMessage, ErrorDetail,
+                       RequestSummary, ResponseSummary, PayloadTruncated, Extra, ForwardState
+                FROM   AuditLog
+                WHERE  ForwardState IN ($pending, $forwarded)
+                  AND  OccurredAtUtc >= $since
+                ORDER  BY OccurredAtUtc ASC, EventId ASC
+                LIMIT  $limit;
+                """;
+            cmd.Parameters.AddWithValue("$pending", AuditForwardState.Pending.ToString());
+            cmd.Parameters.AddWithValue("$forwarded", AuditForwardState.Forwarded.ToString());
+            // Normalise to UTC ISO-8601 round-trip format to match how OccurredAtUtc
+            // is stored on insert ("o" format) — string comparison is monotonic for
+            // that encoding so we can index-scan against it.
+            cmd.Parameters.AddWithValue("$since", EnsureUtc(sinceUtc).ToString(
+                "o", System.Globalization.CultureInfo.InvariantCulture));
+            cmd.Parameters.AddWithValue("$limit", batchSize);
+
+            var rows = new List<AuditEvent>(Math.Min(batchSize, 256));
+            using var reader = cmd.ExecuteReader();
+            while (reader.Read())
+            {
+                rows.Add(MapRow(reader));
+            }
+
+            return Task.FromResult<IReadOnlyList<AuditEvent>>(rows);
+        }
+    }
+
+    /// <summary>
+    /// M6 reconciliation-pull commit: flips the supplied EventIds to
+    /// <see cref="AuditForwardState.Reconciled"/>, but ONLY for rows currently in
+    /// <see cref="AuditForwardState.Pending"/> or <see cref="AuditForwardState.Forwarded"/>.
+    /// Rows already in <see cref="AuditForwardState.Reconciled"/> are left untouched
+    /// (idempotent re-call). Non-existent ids are silent no-ops.
+    /// </summary>
+    public Task MarkReconciledAsync(IReadOnlyList<Guid> eventIds, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(eventIds);
+        if (eventIds.Count == 0)
+        {
+            return Task.CompletedTask;
+        }
+
+        lock (_writeLock)
+        {
+            ObjectDisposedException.ThrowIf(_disposed, this);
+
+            using var cmd = _connection.CreateCommand();
+            var sb = new System.Text.StringBuilder();
+            sb.Append("UPDATE AuditLog SET ForwardState = $reconciled ")
+              .Append("WHERE ForwardState IN ($pending, $forwarded) AND EventId IN (");
+            for (int i = 0; i < eventIds.Count; i++)
+            {
+                if (i > 0) sb.Append(',');
+                var p = $"$id{i}";
+                sb.Append(p);
+                cmd.Parameters.AddWithValue(p, eventIds[i].ToString());
+            }
+            sb.Append(");");
+            cmd.CommandText = sb.ToString();
+            cmd.Parameters.AddWithValue("$reconciled", AuditForwardState.Reconciled.ToString());
+            cmd.Parameters.AddWithValue("$pending", AuditForwardState.Pending.ToString());
+            cmd.Parameters.AddWithValue("$forwarded", AuditForwardState.Forwarded.ToString());
+
+            cmd.ExecuteNonQuery();
+            return Task.CompletedTask;
+        }
+    }
+
+    /// <summary>
+    /// M6 Bundle E (T6) health-metric surface: returns a point-in-time snapshot
+    /// of the site queue's pending count, the oldest pending row's
+    /// <see cref="AuditEvent.OccurredAtUtc"/>, and the on-disk file size. Called
+    /// by the site-side <c>SiteAuditBacklogReporter</c> hosted service on its
+    /// 30 s tick to refresh the <c>SiteHealthReport.SiteAuditBacklog</c> field.
+    /// </summary>
+    /// <remarks>
+    /// The pending-count + oldest-row queries run inside the same write lock as
+    /// the hot-path INSERT batch so the snapshot is consistent against the
+    /// connection's view (no torn read of an in-flight transaction). The on-disk
+    /// size lookup happens OUTSIDE the lock — it's a stat() call on the file
+    /// path and doesn't touch the connection. In-memory and missing files
+    /// return 0 bytes (the snapshot is for ops dashboards, not a correctness
+    /// invariant).
+    /// </remarks>
+    public Task<SiteAuditBacklogSnapshot> GetBacklogStatsAsync(CancellationToken ct = default)
+    {
+        int pendingCount;
+        DateTime? oldestPending;
+
+        lock (_writeLock)
+        {
+            ObjectDisposedException.ThrowIf(_disposed, this);
+
+            // Single round-trip — COUNT(*) + MIN(OccurredAtUtc) over the same
+            // index range avoids a second scan. The IX_SiteAuditLog_ForwardState_Occurred
+            // index makes both aggregates cheap (count is a covering scan, min
+            // is the first key).
+            using var cmd = _connection.CreateCommand();
+            cmd.CommandText = """
+                SELECT COUNT(*), MIN(OccurredAtUtc)
+                FROM   AuditLog
+                WHERE  ForwardState = $pending;
+                """;
+            cmd.Parameters.AddWithValue("$pending", AuditForwardState.Pending.ToString());
+
+            using var reader = cmd.ExecuteReader();
+            reader.Read();
+            pendingCount = reader.GetInt32(0);
+            oldestPending = reader.IsDBNull(1)
+                ? null
+                : DateTime.Parse(reader.GetString(1),
+                    System.Globalization.CultureInfo.InvariantCulture,
+                    System.Globalization.DateTimeStyles.RoundtripKind);
+        }
+
+        // File-size lookup outside the lock — the DatabasePath option is the
+        // canonical source. The connection-string-override branch (used by
+        // some tests) keeps the same DatabasePath value, so this works
+        // uniformly. In-memory / mode=memory paths return 0 because the file
+        // doesn't exist on disk.
+        long onDiskBytes = 0;
+        try
+        {
+            if (!string.IsNullOrEmpty(_options.DatabasePath) &&
+                !_options.DatabasePath.StartsWith(":memory:", StringComparison.Ordinal) &&
+                !_options.DatabasePath.Contains("mode=memory", StringComparison.OrdinalIgnoreCase) &&
+                File.Exists(_options.DatabasePath))
+            {
+                onDiskBytes = new FileInfo(_options.DatabasePath).Length;
+            }
+        }
+        catch (Exception ex)
+        {
+            // File system probe is a best-effort health-metric — never abort
+            // a backlog snapshot because stat() failed. Log and report 0.
+            _logger.LogDebug(ex,
+                "SqliteAuditWriter could not stat DB path {Path} for backlog snapshot.",
+                _options.DatabasePath);
+        }
+
+        return Task.FromResult(new SiteAuditBacklogSnapshot(
+            PendingCount: pendingCount,
+            OldestPendingUtc: oldestPending,
+            OnDiskBytes: onDiskBytes));
+    }
+
+    private static DateTime EnsureUtc(DateTime value) =>
+        value.Kind == DateTimeKind.Utc
+            ? value
+            : DateTime.SpecifyKind(value.ToUniversalTime(), DateTimeKind.Utc);
+
+    private static AuditEvent MapRow(SqliteDataReader reader)
+    {
+        return new AuditEvent
+        {
+            EventId = Guid.Parse(reader.GetString(0)),
+            OccurredAtUtc = DateTime.Parse(reader.GetString(1),
+                System.Globalization.CultureInfo.InvariantCulture,
+                System.Globalization.DateTimeStyles.RoundtripKind),
+            Channel = Enum.Parse<AuditChannel>(reader.GetString(2)),
+            Kind = Enum.Parse<AuditKind>(reader.GetString(3)),
+            CorrelationId = reader.IsDBNull(4) ? null : Guid.Parse(reader.GetString(4)),
+            SourceSiteId = reader.IsDBNull(5) ? null : reader.GetString(5),
+            SourceInstanceId = reader.IsDBNull(6) ? null : reader.GetString(6),
+            SourceScript = reader.IsDBNull(7) ? null : reader.GetString(7),
+            Actor = reader.IsDBNull(8) ? null : reader.GetString(8),
+            Target = reader.IsDBNull(9) ? null : reader.GetString(9),
+            Status = Enum.Parse<AuditStatus>(reader.GetString(10)),
+            HttpStatus = reader.IsDBNull(11) ? null : reader.GetInt32(11),
+            DurationMs = reader.IsDBNull(12) ? null : reader.GetInt32(12),
+            ErrorMessage = reader.IsDBNull(13) ? null : reader.GetString(13),
+            ErrorDetail = reader.IsDBNull(14) ? null : reader.GetString(14),
+            RequestSummary = reader.IsDBNull(15) ? null : reader.GetString(15),
+            ResponseSummary = reader.IsDBNull(16) ? null : reader.GetString(16),
+            PayloadTruncated = reader.GetInt32(17) != 0,
+            Extra = reader.IsDBNull(18) ? null : reader.GetString(18),
+            ForwardState = Enum.Parse<AuditForwardState>(reader.GetString(19)),
+        };
+    }
+
+    public void Dispose()
+    {
+        DisposeAsync().AsTask().GetAwaiter().GetResult();
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        Task? writerLoop;
+        lock (_writeLock)
+        {
+            if (_disposed) return;
+            // Stop accepting new events. Setting _disposed first ensures any
+            // FlushBatch entered after we mark disposed will fault its pending
+            // events rather than touching the about-to-close connection.
+            _writeQueue.Writer.TryComplete();
+            writerLoop = _writerLoop;
+        }
+
+        // Wait outside the lock — the loop reacquires it for each batch.
+        try
+        {
+            if (writerLoop is not null)
+            {
+                await writerLoop.WaitAsync(TimeSpan.FromSeconds(5)).ConfigureAwait(false);
+            }
+        }
+        catch (TimeoutException)
+        {
+            _logger.LogWarning("SqliteAuditWriter writer loop did not drain within 5s of dispose.");
+        }
+        catch (Exception ex)
+        {
+            // The loop's per-batch try/catch already routed individual failures
+            // to pending TCSes; a top-level fault here is unexpected.
+            _logger.LogError(ex, "SqliteAuditWriter writer loop faulted during dispose.");
+        }
+
+        lock (_writeLock)
+        {
+            if (_disposed) return;
+            _disposed = true;
+            _connection.Dispose();
+        }
+    }
+
+    /// <summary>An audit event awaiting persistence by the background writer.</summary>
+    private sealed class PendingAuditEvent
+    {
+        public PendingAuditEvent(AuditEvent evt)
+        {
+            Event = evt;
+            Completion = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
+        }
+
+        public AuditEvent Event { get; }
+        public TaskCompletionSource Completion { get; }
+    }
+}

src/ScadaLink.AuditLog/Site/SqliteAuditWriterOptions.cs

@@ -0,0 +1,27 @@
+namespace ScadaLink.AuditLog.Site;
+
+/// <summary>
+/// Options for the site-side SQLite hot-path audit writer.
+/// Mirrors the ScadaLink.SiteEventLogging pattern: a single SQLite connection
+/// fed by a background writer task draining a bounded
+/// <see cref="System.Threading.Channels.Channel{T}"/> so script-thread enqueues
+/// never block on disk I/O.
+/// </summary>
+public sealed class SqliteAuditWriterOptions
+{
+    /// <summary>SQLite database path (or in-memory URI for tests).</summary>
+    public string DatabasePath { get; set; } = "auditlog.db";
+
+    /// <summary>
+    /// Capacity of the bounded write queue. Set high enough that ordinary
+    /// script bursts never fill it; <see cref="System.Threading.Channels.BoundedChannelFullMode.Wait"/>
+    /// applies when the writer falls behind.
+    /// </summary>
+    public int ChannelCapacity { get; set; } = 4096;
+
+    /// <summary>Max number of pending events the writer drains in one transaction.</summary>
+    public int BatchSize { get; set; } = 256;
+
+    /// <summary>Soft flush interval the writer enforces when fewer than BatchSize events are queued.</summary>
+    public int FlushIntervalMs { get; set; } = 50;
+}

src/ScadaLink.AuditLog/Site/Telemetry/CachedCallLifecycleBridge.cs

@@ -0,0 +1,202 @@
+using Microsoft.Extensions.Logging;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.Commons.Messages.Integration;
+using ScadaLink.Commons.Types;
+using ScadaLink.Commons.Types.Enums;
+
+namespace ScadaLink.AuditLog.Site.Telemetry;
+
+/// <summary>
+/// Audit Log #23 (M3 Bundle E — Tasks E4/E5): translates per-attempt
+/// notifications from the store-and-forward retry loop into one (or two)
+/// <see cref="CachedCallTelemetry"/> packets and pushes them through
+/// <see cref="ICachedCallTelemetryForwarder"/>.
+/// </summary>
+/// <remarks>
+/// <para>
+/// The S&amp;F loop's <see cref="ICachedCallLifecycleObserver"/> reports a
+/// single coarse outcome per attempt; the audit pipeline however models the
+/// lifecycle as TWO rows on terminal outcomes — an <c>Attempted</c>
+/// (<see cref="AuditKind.ApiCallCached"/> / <see cref="AuditKind.DbWriteCached"/>)
+/// row capturing the per-attempt mechanics, plus a <see cref="AuditKind.CachedResolve"/>
+/// row marking the terminal state for downstream consumers. The bridge fans
+/// out per outcome:
+/// </para>
+/// <list type="bullet">
+///   <item><description><c>TransientFailure</c> -> one Attempted(Failed) row.</description></item>
+///   <item><description><c>Delivered</c> -> Attempted(Delivered) + CachedResolve(Delivered).</description></item>
+///   <item><description><c>PermanentFailure</c> -> Attempted(Failed) + CachedResolve(Parked).</description></item>
+///   <item><description><c>ParkedMaxRetries</c> -> Attempted(Failed) + CachedResolve(Parked).</description></item>
+/// </list>
+/// <para>
+/// <b>Best-effort emission (alog.md §7):</b> the bridge itself never throws;
+/// the underlying forwarder swallows + logs its own failures.
+/// </para>
+/// </remarks>
+public sealed class CachedCallLifecycleBridge : ICachedCallLifecycleObserver
+{
+    private readonly ICachedCallTelemetryForwarder _forwarder;
+    private readonly ILogger<CachedCallLifecycleBridge> _logger;
+
+    public CachedCallLifecycleBridge(
+        ICachedCallTelemetryForwarder forwarder,
+        ILogger<CachedCallLifecycleBridge> logger)
+    {
+        _forwarder = forwarder ?? throw new ArgumentNullException(nameof(forwarder));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <inheritdoc/>
+    public async Task OnAttemptCompletedAsync(
+        CachedCallAttemptContext context, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+
+        try
+        {
+            await EmitAttemptedAsync(context, ct).ConfigureAwait(false);
+
+            if (IsTerminal(context.Outcome))
+            {
+                await EmitResolveAsync(context, ct).ConfigureAwait(false);
+            }
+        }
+        catch (Exception ex)
+        {
+            // Defensive — both EmitX paths call the forwarder which is itself
+            // best-effort. A throw here is unexpected, but the alog.md §7
+            // contract requires we never propagate.
+            _logger.LogWarning(ex,
+                "CachedCallLifecycleBridge: unexpected throw for {TrackedOperationId} (Outcome {Outcome})",
+                context.TrackedOperationId, context.Outcome);
+        }
+    }
+
+    private async Task EmitAttemptedAsync(CachedCallAttemptContext context, CancellationToken ct)
+    {
+        // Per-attempt row: kind discriminates channel; status is always
+        // Attempted regardless of outcome (success vs. failure is captured
+        // by the companion HttpStatus / ErrorMessage fields, NOT by flipping
+        // the status — CachedResolve carries the terminal Status). Per the
+        // M3 brief and alog.md §4.
+        var kind = ChannelToAttemptKind(context.Channel);
+        var status = AuditStatus.Attempted;
+
+        var packet = BuildPacket(
+            context,
+            kind: kind,
+            status: status,
+            // Operational status mirror — for the per-attempt row the
+            // operational state is the running status; the bridge always
+            // writes "Attempted" so reconciliation can't roll back.
+            operationalStatus: "Attempted",
+            terminalAtUtc: null,
+            lastError: context.LastError,
+            httpStatus: context.HttpStatus);
+
+        await _forwarder.ForwardAsync(packet, ct).ConfigureAwait(false);
+    }
+
+    private async Task EmitResolveAsync(CachedCallAttemptContext context, CancellationToken ct)
+    {
+        var (auditStatus, operationalStatus) = TerminalOutcomeToStatuses(context.Outcome);
+
+        var packet = BuildPacket(
+            context,
+            kind: AuditKind.CachedResolve,
+            status: auditStatus,
+            operationalStatus: operationalStatus,
+            terminalAtUtc: context.OccurredAtUtc,
+            lastError: context.LastError,
+            httpStatus: context.HttpStatus);
+
+        await _forwarder.ForwardAsync(packet, ct).ConfigureAwait(false);
+    }
+
+    private static CachedCallTelemetry BuildPacket(
+        CachedCallAttemptContext context,
+        AuditKind kind,
+        AuditStatus status,
+        string operationalStatus,
+        DateTime? terminalAtUtc,
+        string? lastError,
+        int? httpStatus)
+    {
+        var channel = ChannelStringToEnum(context.Channel);
+
+        return new CachedCallTelemetry(
+            Audit: new AuditEvent
+            {
+                EventId = Guid.NewGuid(),
+                OccurredAtUtc = DateTime.SpecifyKind(context.OccurredAtUtc, DateTimeKind.Utc),
+                Channel = channel,
+                Kind = kind,
+                CorrelationId = context.TrackedOperationId.Value,
+                SourceSiteId = string.IsNullOrEmpty(context.SourceSite) ? null : context.SourceSite,
+                SourceInstanceId = context.SourceInstanceId,
+                SourceScript = null, // Not threaded through S&F; left null on retry-loop rows.
+                Target = context.Target,
+                Status = status,
+                HttpStatus = httpStatus,
+                DurationMs = context.DurationMs,
+                ErrorMessage = lastError,
+                ForwardState = AuditForwardState.Pending,
+            },
+            Operational: new SiteCallOperational(
+                TrackedOperationId: context.TrackedOperationId,
+                Channel: context.Channel,
+                Target: context.Target,
+                SourceSite: context.SourceSite,
+                Status: operationalStatus,
+                RetryCount: context.RetryCount,
+                LastError: lastError,
+                HttpStatus: httpStatus,
+                CreatedAtUtc: DateTime.SpecifyKind(context.CreatedAtUtc, DateTimeKind.Utc),
+                UpdatedAtUtc: DateTime.SpecifyKind(context.OccurredAtUtc, DateTimeKind.Utc),
+                TerminalAtUtc: terminalAtUtc is null
+                    ? null
+                    : DateTime.SpecifyKind(terminalAtUtc.Value, DateTimeKind.Utc)));
+    }
+
+    private static AuditKind ChannelToAttemptKind(string channel) => channel switch
+    {
+        "ApiOutbound" => AuditKind.ApiCallCached,
+        "DbOutbound" => AuditKind.DbWriteCached,
+        // Defensive default — the S&F observer is filtered to cached-call
+        // categories so this branch shouldn't fire in practice.
+        _ => AuditKind.ApiCallCached,
+    };
+
+    private static AuditChannel ChannelStringToEnum(string channel) => channel switch
+    {
+        "ApiOutbound" => AuditChannel.ApiOutbound,
+        "DbOutbound" => AuditChannel.DbOutbound,
+        _ => AuditChannel.ApiOutbound,
+    };
+
+    private static (AuditStatus auditStatus, string operationalStatus) TerminalOutcomeToStatuses(
+        CachedCallAttemptOutcome outcome) => outcome switch
+    {
+        CachedCallAttemptOutcome.Delivered =>
+            (AuditStatus.Delivered, "Delivered"),
+        CachedCallAttemptOutcome.PermanentFailure =>
+            (AuditStatus.Parked, "Parked"),
+        CachedCallAttemptOutcome.ParkedMaxRetries =>
+            (AuditStatus.Parked, "Parked"),
+        // TransientFailure isn't terminal — see IsTerminal — but the switch
+        // is exhaustive so we route it through Failed for safety.
+        CachedCallAttemptOutcome.TransientFailure =>
+            (AuditStatus.Failed, "Failed"),
+        _ => (AuditStatus.Failed, "Failed"),
+    };
+
+    private static bool IsTerminal(CachedCallAttemptOutcome outcome) => outcome switch
+    {
+        CachedCallAttemptOutcome.Delivered => true,
+        CachedCallAttemptOutcome.PermanentFailure => true,
+        CachedCallAttemptOutcome.ParkedMaxRetries => true,
+        CachedCallAttemptOutcome.TransientFailure => false,
+        _ => false,
+    };
+}

src/ScadaLink.AuditLog/Site/Telemetry/CachedCallTelemetryForwarder.cs

@@ -0,0 +1,179 @@
+using Microsoft.Extensions.Logging;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.Commons.Messages.Integration;
+using ScadaLink.Commons.Types;
+using ScadaLink.Commons.Types.Enums;
+
+namespace ScadaLink.AuditLog.Site.Telemetry;
+
+/// <summary>
+/// Site-side dual emitter for cached-call lifecycle telemetry (Audit Log #23 /
+/// M3). Sister to <see cref="SiteAuditTelemetryActor"/>: where the M2 actor
+/// drains audit-only events, this forwarder takes a combined
+/// <see cref="CachedCallTelemetry"/> packet and fans it out to the two
+/// site-local stores in a single call:
+/// <list type="bullet">
+///   <item><description>The <see cref="AuditEvent"/> row is written via
+///   <see cref="IAuditWriter"/> (the site <c>FallbackAuditWriter</c> +
+///   <c>SqliteAuditWriter</c> chain established in M2).</description></item>
+///   <item><description>The operational <see cref="SiteCallOperational"/> half
+///   updates the site-local <c>OperationTracking</c> SQLite store via
+///   <see cref="IOperationTrackingStore"/>, with the per-lifecycle method
+///   (<c>Enqueue</c> / <c>Attempt</c> / <c>Terminal</c>) selected from the
+///   audit row's <see cref="AuditKind"/>.</description></item>
+/// </list>
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Best-effort contract (alog.md §7):</b> a thrown writer OR a thrown
+/// tracking store must never propagate to the calling script. Both emission
+/// halves are wrapped in independent try/catch blocks so a SQLite outage on
+/// one side cannot starve the other — the failure is logged and the call
+/// returns normally.
+/// </para>
+/// <para>
+/// <b>Wire push deferred to M6.</b> M3 keeps this forwarder synchronous
+/// against the local stores: there is no site→central gRPC channel yet, so
+/// the <see cref="ISiteStreamAuditClient.IngestCachedTelemetryAsync"/> RPC
+/// is registered on the interface (Bundle E1) but the production binding
+/// remains <c>NoOpSiteStreamAuditClient</c>. Once M6 wires a real client the
+/// drain pattern from <c>SiteAuditTelemetryActor</c> can be reused — the
+/// <c>AuditEvent</c> rows already live in SQLite tagged
+/// <see cref="AuditForwardState.Pending"/>, so a single drain loop sweeps
+/// both M2 and M3 emissions.
+/// </para>
+/// </remarks>
+public sealed class CachedCallTelemetryForwarder : ICachedCallTelemetryForwarder
+{
+    private readonly IAuditWriter _auditWriter;
+    private readonly IOperationTrackingStore? _trackingStore;
+    private readonly ILogger<CachedCallTelemetryForwarder> _logger;
+
+    /// <summary>
+    /// Construct the forwarder. <paramref name="trackingStore"/> is optional —
+    /// when null only the audit half of the packet is emitted, which matches
+    /// the M3 Bundle F composition-root contract on Central nodes: the
+    /// AuditLog DI surface registers the forwarder unconditionally (mirroring
+    /// the IAuditWriter chain) but the site-only tracking store has no central
+    /// registration. Production site nodes wire both — the central lazy
+    /// resolution is a no-op path kept symmetric with the M2 writer chain.
+    /// </summary>
+    public CachedCallTelemetryForwarder(
+        IAuditWriter auditWriter,
+        IOperationTrackingStore? trackingStore,
+        ILogger<CachedCallTelemetryForwarder> logger)
+    {
+        _auditWriter = auditWriter ?? throw new ArgumentNullException(nameof(auditWriter));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _trackingStore = trackingStore;
+    }
+
+    /// <summary>
+    /// Fan out one combined-telemetry packet to the audit writer and the
+    /// tracking store. Returns once both halves have been attempted (success
+    /// OR logged failure). NEVER throws — exceptions are caught per-half and
+    /// logged at warning level so the calling script's outbound action is not
+    /// disturbed.
+    /// </summary>
+    public async Task ForwardAsync(CachedCallTelemetry telemetry, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(telemetry);
+
+        // Independent try/catch — a thrown audit writer must not prevent the
+        // tracking-store update from running (and vice-versa). Both halves
+        // are best-effort.
+        await TryEmitAuditAsync(telemetry, ct).ConfigureAwait(false);
+        await TryEmitTrackingAsync(telemetry, ct).ConfigureAwait(false);
+    }
+
+    private async Task TryEmitAuditAsync(CachedCallTelemetry telemetry, CancellationToken ct)
+    {
+        try
+        {
+            await _auditWriter.WriteAsync(telemetry.Audit, ct).ConfigureAwait(false);
+        }
+        catch (Exception ex)
+        {
+            // alog.md §7 best-effort contract — log and swallow. The audit
+            // pipeline's own retry/recovery (RingBufferFallback in the
+            // FallbackAuditWriter) handles transient writer failures upstream;
+            // a throw bubbling up here means the writer's own swallow contract
+            // failed, which is itself best-effort-handled.
+            _logger.LogWarning(ex,
+                "CachedCallTelemetryForwarder: audit emission threw for EventId {EventId} (Kind {Kind}, Status {Status})",
+                telemetry.Audit.EventId, telemetry.Audit.Kind, telemetry.Audit.Status);
+        }
+    }
+
+    private async Task TryEmitTrackingAsync(CachedCallTelemetry telemetry, CancellationToken ct)
+    {
+        if (_trackingStore is null)
+        {
+            // No site-local tracking store wired — Central composition root or
+            // an integration-test host that skipped AddSiteRuntime. Emitting
+            // through the audit half is still meaningful; the tracking half
+            // is a no-op rather than an error.
+            return;
+        }
+
+        try
+        {
+            switch (telemetry.Audit.Kind)
+            {
+                case AuditKind.CachedSubmit:
+                    // Enqueue — insert-if-not-exists with the operational
+                    // channel as the kind discriminator. RetryCount is fixed
+                    // at 0 by the tracking store's INSERT contract.
+                    await _trackingStore.RecordEnqueueAsync(
+                        telemetry.Operational.TrackedOperationId,
+                        telemetry.Operational.Channel,
+                        telemetry.Operational.Target,
+                        telemetry.Audit.SourceInstanceId,
+                        telemetry.Audit.SourceScript,
+                        ct).ConfigureAwait(false);
+                    break;
+
+                case AuditKind.ApiCallCached:
+                case AuditKind.DbWriteCached:
+                    // Attempt — advance retry counter + last-error/HTTP-status.
+                    // Terminal rows are guarded by the store's WHERE clause.
+                    await _trackingStore.RecordAttemptAsync(
+                        telemetry.Operational.TrackedOperationId,
+                        telemetry.Operational.Status,
+                        telemetry.Operational.RetryCount,
+                        telemetry.Operational.LastError,
+                        telemetry.Operational.HttpStatus,
+                        ct).ConfigureAwait(false);
+                    break;
+
+                case AuditKind.CachedResolve:
+                    // Terminal — first-write-wins on the resolve flip.
+                    await _trackingStore.RecordTerminalAsync(
+                        telemetry.Operational.TrackedOperationId,
+                        telemetry.Operational.Status,
+                        telemetry.Operational.LastError,
+                        telemetry.Operational.HttpStatus,
+                        ct).ConfigureAwait(false);
+                    break;
+
+                default:
+                    // Defensive — only the four cached-lifecycle kinds are
+                    // expected on this path. Anything else is logged so a
+                    // mis-routed packet is visible but never crashes the
+                    // forwarder.
+                    _logger.LogWarning(
+                        "CachedCallTelemetryForwarder: unexpected audit kind {Kind} on tracking emission for EventId {EventId}",
+                        telemetry.Audit.Kind, telemetry.Audit.EventId);
+                    break;
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex,
+                "CachedCallTelemetryForwarder: tracking-store emission threw for TrackedOperationId {Id} (Status {Status})",
+                telemetry.Operational.TrackedOperationId, telemetry.Operational.Status);
+        }
+    }
+}

src/ScadaLink.AuditLog/Site/Telemetry/ISiteStreamAuditClient.cs

@@ -0,0 +1,42 @@
+using ScadaLink.Communication.Grpc;
+
+namespace ScadaLink.AuditLog.Site.Telemetry;
+
+/// <summary>
+/// Mockable abstraction over the central site-stream gRPC client surface that
+/// <see cref="SiteAuditTelemetryActor"/> uses to push <see cref="AuditEventBatch"/>
+/// payloads. The production implementation (added in Bundle E host wiring)
+/// wraps the auto-generated <c>SiteStreamService.SiteStreamServiceClient</c>;
+/// unit tests substitute via NSubstitute against this interface so the actor
+/// never needs a live gRPC channel.
+/// </summary>
+public interface ISiteStreamAuditClient
+{
+    /// <summary>
+    /// Pushes <paramref name="batch"/> to the central <c>IngestAuditEvents</c>
+    /// RPC. The returned <see cref="IngestAck"/> carries the
+    /// <c>accepted_event_ids</c> the actor will flip to
+    /// <see cref="ScadaLink.Commons.Types.Enums.AuditForwardState.Forwarded"/>
+    /// in the site SQLite queue.
+    /// </summary>
+    Task<IngestAck> IngestAuditEventsAsync(AuditEventBatch batch, CancellationToken ct);
+
+    /// <summary>
+    /// Pushes the combined <see cref="CachedTelemetryBatch"/> (Audit Log #23 / M3)
+    /// to the central <c>IngestCachedTelemetry</c> RPC. Each packet carries both
+    /// the audit row and the operational <c>SiteCalls</c> upsert; central writes
+    /// both in a single MS SQL transaction. Returns the same
+    /// <see cref="IngestAck"/> shape as <see cref="IngestAuditEventsAsync"/> so
+    /// the M3 site-side forwarder can flip the underlying audit rows to
+    /// <see cref="ScadaLink.Commons.Types.Enums.AuditForwardState.Forwarded"/>
+    /// once central has acknowledged them.
+    /// </summary>
+    /// <remarks>
+    /// The production gRPC-backed implementation lands in M6 (no site→central
+    /// gRPC channel exists today); until then the default
+    /// <see cref="NoOpSiteStreamAuditClient"/> binding returns an empty ack and
+    /// integration tests substitute a direct-actor client that routes the batch
+    /// straight into the in-process <c>AuditLogIngestActor</c>.
+    /// </remarks>
+    Task<IngestAck> IngestCachedTelemetryAsync(CachedTelemetryBatch batch, CancellationToken ct);
+}

src/ScadaLink.AuditLog/Site/Telemetry/NoOpSiteStreamAuditClient.cs

@@ -0,0 +1,53 @@
+using ScadaLink.Communication.Grpc;
+
+namespace ScadaLink.AuditLog.Site.Telemetry;
+
+/// <summary>
+/// Default <see cref="ISiteStreamAuditClient"/> registered by
+/// <see cref="ScadaLink.AuditLog.ServiceCollectionExtensions.AddAuditLog"/>.
+/// Ships with M2 site-sync-pipeline wiring; the real gRPC-backed
+/// implementation is deferred to M6 reconciliation, where a site→central gRPC
+/// channel will be introduced (no such channel exists today — sites talk to
+/// central exclusively via Akka ClusterClient, while the gRPC SiteStreamService
+/// is hosted on the SITE side for central→site streaming).
+/// </summary>
+/// <remarks>
+/// <para>
+/// Returns an empty <see cref="IngestAck"/> so the
+/// <see cref="SiteAuditTelemetryActor"/> doesn't flip any rows to
+/// <c>Forwarded</c> when this NoOp is in effect — Bundle H's integration test
+/// substitutes a stub client that routes directly to the central
+/// <c>AuditLogIngestActor</c> in-process. Production wiring (M6) will replace
+/// this binding with a real client.
+/// </para>
+/// <para>
+/// Audit-write paths are best-effort by contract: a NoOp client keeps the
+/// host running cleanly and is consistent with "audit-write failures never
+/// abort the user-facing action".
+/// </para>
+/// </remarks>
+public sealed class NoOpSiteStreamAuditClient : ISiteStreamAuditClient
+{
+    private static readonly IngestAck EmptyAck = new();
+
+    /// <inheritdoc/>
+    public Task<IngestAck> IngestAuditEventsAsync(AuditEventBatch batch, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(batch);
+        // Empty ack — no EventIds will be flipped to Forwarded, so rows stay
+        // Pending until M6's real client (or a Bundle H test stub) takes over.
+        return Task.FromResult(EmptyAck);
+    }
+
+    /// <inheritdoc/>
+    public Task<IngestAck> IngestCachedTelemetryAsync(CachedTelemetryBatch batch, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(batch);
+        // Empty ack — same rationale as IngestAuditEventsAsync. The M3
+        // CachedCallTelemetryForwarder still writes the audit + tracking rows to
+        // the site SQLite stores authoritatively; central-side state only
+        // materialises once M6's real gRPC client (or a Bundle G test stub) is
+        // wired in.
+        return Task.FromResult(EmptyAck);
+    }
+}

src/ScadaLink.AuditLog/Site/Telemetry/SiteAuditTelemetryActor.cs

@@ -0,0 +1,180 @@
+using Akka.Actor;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ScadaLink.AuditLog.Telemetry;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.Communication.Grpc;
+
+namespace ScadaLink.AuditLog.Site.Telemetry;
+
+/// <summary>
+/// Site-side actor that drains the local SQLite audit queue and pushes Pending
+/// rows to central via the <c>IngestAuditEvents</c> gRPC RPC. On a successful
+/// ack the matching EventIds flip to
+/// <see cref="ScadaLink.Commons.Types.Enums.AuditForwardState.Forwarded"/>; on
+/// a gRPC failure the rows stay Pending and the next drain retries.
+/// </summary>
+/// <remarks>
+/// <para>
+/// The drain self-tick is a private <c>Drain</c> message scheduled via the
+/// actor system scheduler. The cadence is options-driven: <c>BusyIntervalSeconds</c>
+/// when the previous drain found rows (or faulted — we want quick recovery),
+/// <c>IdleIntervalSeconds</c> when the queue was empty.
+/// </para>
+/// <para>
+/// Both collaborators are injected as interfaces (<see cref="ISiteAuditQueue"/>
+/// and <see cref="ISiteStreamAuditClient"/>) so unit tests substitute with
+/// NSubstitute and never touch real SQLite or gRPC.
+/// </para>
+/// <para>
+/// Per Bundle D's brief, audit-write paths must be fail-safe — a thrown
+/// exception inside the actor MUST NOT crash it. The Drain handler wraps the
+/// pipeline in a top-level try/catch that logs and re-schedules, and the
+/// actor's <see cref="SupervisorStrategy"/> defaults to
+/// <see cref="Akka.Actor.SupervisorStrategy.DefaultStrategy"/>'s Restart for
+/// child actors — but this actor has no children, so the catch is what matters.
+/// </para>
+/// </remarks>
+public class SiteAuditTelemetryActor : ReceiveActor
+{
+    private readonly ISiteAuditQueue _queue;
+    private readonly ISiteStreamAuditClient _client;
+    private readonly SiteAuditTelemetryOptions _options;
+    private readonly ILogger<SiteAuditTelemetryActor> _logger;
+    private ICancelable? _pendingTick;
+
+    public SiteAuditTelemetryActor(
+        ISiteAuditQueue queue,
+        ISiteStreamAuditClient client,
+        IOptions<SiteAuditTelemetryOptions> options,
+        ILogger<SiteAuditTelemetryActor> logger)
+    {
+        ArgumentNullException.ThrowIfNull(queue);
+        ArgumentNullException.ThrowIfNull(client);
+        ArgumentNullException.ThrowIfNull(options);
+        ArgumentNullException.ThrowIfNull(logger);
+
+        _queue = queue;
+        _client = client;
+        _options = options.Value;
+        _logger = logger;
+
+        ReceiveAsync<Drain>(_ => OnDrainAsync());
+    }
+
+    protected override void PreStart()
+    {
+        base.PreStart();
+        // Initial tick fires on the busy interval so the actor starts polling
+        // soon after host startup. A subsequent empty drain will move to the
+        // idle interval naturally.
+        ScheduleNext(TimeSpan.FromSeconds(_options.BusyIntervalSeconds));
+    }
+
+    protected override void PostStop()
+    {
+        _pendingTick?.Cancel();
+        base.PostStop();
+    }
+
+    private async Task OnDrainAsync()
+    {
+        var nextDelay = TimeSpan.FromSeconds(_options.BusyIntervalSeconds);
+        try
+        {
+            var pending = await _queue.ReadPendingAsync(_options.BatchSize, CancellationToken.None)
+                .ConfigureAwait(false);
+            if (pending.Count == 0)
+            {
+                // No rows — settle into the idle cadence until the next write
+                // bumps us back into the busy cadence.
+                nextDelay = TimeSpan.FromSeconds(_options.IdleIntervalSeconds);
+                return;
+            }
+
+            var batch = BuildBatch(pending);
+
+            IngestAck ack;
+            try
+            {
+                ack = await _client.IngestAuditEventsAsync(batch, CancellationToken.None)
+                    .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                // gRPC fault — leave the rows in Pending so the next drain
+                // retries. Bundle D's brief: "On gRPC exception (any), log
+                // Warning, schedule next Drain in BusyIntervalSeconds."
+                _logger.LogWarning(ex,
+                    "IngestAuditEvents push failed for {Count} pending events; will retry next drain.",
+                    pending.Count);
+                return;
+            }
+
+            var acceptedIds = ParseAcceptedIds(ack);
+            if (acceptedIds.Count > 0)
+            {
+                await _queue.MarkForwardedAsync(acceptedIds, CancellationToken.None)
+                    .ConfigureAwait(false);
+            }
+        }
+        catch (Exception ex)
+        {
+            // Catch-all so a SQLite hiccup or mapper bug never crashes the
+            // actor. The next tick is still scheduled in the finally block.
+            _logger.LogError(ex, "Unexpected error during audit-log telemetry drain.");
+        }
+        finally
+        {
+            ScheduleNext(nextDelay);
+        }
+    }
+
+    private static AuditEventBatch BuildBatch(IReadOnlyList<AuditEvent> events)
+    {
+        var batch = new AuditEventBatch();
+        foreach (var e in events)
+        {
+            batch.Events.Add(AuditEventMapper.ToDto(e));
+        }
+        return batch;
+    }
+
+    private static IReadOnlyList<Guid> ParseAcceptedIds(IngestAck ack)
+    {
+        if (ack.AcceptedEventIds.Count == 0)
+        {
+            return Array.Empty<Guid>();
+        }
+
+        var list = new List<Guid>(ack.AcceptedEventIds.Count);
+        foreach (var raw in ack.AcceptedEventIds)
+        {
+            if (Guid.TryParse(raw, out var id))
+            {
+                list.Add(id);
+            }
+            // Malformed ids are ignored — central should never emit them, but
+            // we refuse to crash the actor over a bad string.
+        }
+        return list;
+    }
+
+    private void ScheduleNext(TimeSpan delay)
+    {
+        _pendingTick?.Cancel();
+        _pendingTick = Context.System.Scheduler.ScheduleTellOnceCancelable(
+            delay,
+            Self,
+            Drain.Instance,
+            Self);
+    }
+
+    /// <summary>Self-tick message that triggers a drain cycle.</summary>
+    private sealed class Drain
+    {
+        public static readonly Drain Instance = new();
+        private Drain() { }
+    }
+}

src/ScadaLink.AuditLog/Site/Telemetry/SiteAuditTelemetryOptions.cs

@@ -0,0 +1,28 @@
+namespace ScadaLink.AuditLog.Site.Telemetry;
+
+/// <summary>
+/// Tuning knobs for the site-side <see cref="SiteAuditTelemetryActor"/> drain
+/// loop. Defaults mirror Bundle D's plan: drain every 5 s while rows are
+/// flowing (busy), every 30 s when the queue is empty (idle).
+/// </summary>
+public sealed class SiteAuditTelemetryOptions
+{
+    /// <summary>
+    /// Maximum number of <see cref="ScadaLink.Commons.Entities.Audit.AuditEvent"/>
+    /// rows read from the site SQLite queue and pushed in a single gRPC batch.
+    /// </summary>
+    public int BatchSize { get; set; } = 256;
+
+    /// <summary>
+    /// Delay between drains when the previous drain found at least one Pending
+    /// row OR the previous push faulted. Re-drain quickly to keep telemetry
+    /// flowing and to retry transient gRPC errors.
+    /// </summary>
+    public int BusyIntervalSeconds { get; set; } = 5;
+
+    /// <summary>
+    /// Delay between drains when the previous drain found no Pending rows.
+    /// Longer interval avoids hammering an idle SQLite + gRPC channel.
+    /// </summary>
+    public int IdleIntervalSeconds { get; set; } = 30;
+}

src/ScadaLink.AuditLog/Telemetry/AuditEventMapper.cs

@@ -0,0 +1,112 @@
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Types.Enums;
+using ScadaLink.Communication.Grpc;
+using Timestamp = Google.Protobuf.WellKnownTypes.Timestamp;
+
+namespace ScadaLink.AuditLog.Telemetry;
+
+/// <summary>
+/// Bridges Audit Log (#23) rows between the in-process <see cref="AuditEvent"/> record
+/// and the wire-format <see cref="AuditEventDto"/> exchanged over the
+/// <c>IngestAuditEvents</c> RPC.
+/// </summary>
+/// <remarks>
+/// <para><b>Lossy by design:</b> the proto contract intentionally omits two fields.</para>
+/// <list type="bullet">
+///   <item><see cref="AuditEvent.ForwardState"/> — site-local SQLite state, never travels.</item>
+///   <item><see cref="AuditEvent.IngestedAtUtc"/> — central-set at ingest time, not at the site.</item>
+/// </list>
+/// <para>
+/// String nullability convention: proto3 scalar strings cannot be absent, so nullable
+/// .NET strings round-trip as empty strings on the wire. Nullable integers use the
+/// <c>Int32Value</c> wrapper so they preserve true null semantics.
+/// </para>
+/// </remarks>
+public static class AuditEventMapper
+{
+    /// <summary>
+    /// Projects an <see cref="AuditEvent"/> into its wire-format DTO. Null reference
+    /// fields collapse to empty strings; null integer fields leave the wrapper unset.
+    /// </summary>
+    public static AuditEventDto ToDto(AuditEvent evt)
+    {
+        ArgumentNullException.ThrowIfNull(evt);
+
+        var dto = new AuditEventDto
+        {
+            EventId = evt.EventId.ToString(),
+            OccurredAtUtc = Timestamp.FromDateTime(EnsureUtc(evt.OccurredAtUtc)),
+            Channel = evt.Channel.ToString(),
+            Kind = evt.Kind.ToString(),
+            CorrelationId = evt.CorrelationId?.ToString() ?? string.Empty,
+            SourceSiteId = evt.SourceSiteId ?? string.Empty,
+            SourceInstanceId = evt.SourceInstanceId ?? string.Empty,
+            SourceScript = evt.SourceScript ?? string.Empty,
+            Actor = evt.Actor ?? string.Empty,
+            Target = evt.Target ?? string.Empty,
+            Status = evt.Status.ToString(),
+            ErrorMessage = evt.ErrorMessage ?? string.Empty,
+            ErrorDetail = evt.ErrorDetail ?? string.Empty,
+            RequestSummary = evt.RequestSummary ?? string.Empty,
+            ResponseSummary = evt.ResponseSummary ?? string.Empty,
+            PayloadTruncated = evt.PayloadTruncated,
+            Extra = evt.Extra ?? string.Empty
+        };
+
+        if (evt.HttpStatus.HasValue)
+        {
+            dto.HttpStatus = evt.HttpStatus.Value;
+        }
+
+        if (evt.DurationMs.HasValue)
+        {
+            dto.DurationMs = evt.DurationMs.Value;
+        }
+
+        return dto;
+    }
+
+    /// <summary>
+    /// Reconstructs an <see cref="AuditEvent"/> from its wire-format DTO. Empty strings
+    /// rehydrate as null reference values; absent integer wrappers stay null.
+    /// <see cref="AuditEvent.ForwardState"/> and <see cref="AuditEvent.IngestedAtUtc"/>
+    /// are intentionally left null — the central ingest actor sets the latter.
+    /// </summary>
+    public static AuditEvent FromDto(AuditEventDto dto)
+    {
+        ArgumentNullException.ThrowIfNull(dto);
+
+        return new AuditEvent
+        {
+            EventId = Guid.Parse(dto.EventId),
+            OccurredAtUtc = DateTime.SpecifyKind(dto.OccurredAtUtc.ToDateTime(), DateTimeKind.Utc),
+            IngestedAtUtc = null,
+            Channel = Enum.Parse<AuditChannel>(dto.Channel),
+            Kind = Enum.Parse<AuditKind>(dto.Kind),
+            CorrelationId = NullIfEmpty(dto.CorrelationId) is { } cid ? Guid.Parse(cid) : null,
+            SourceSiteId = NullIfEmpty(dto.SourceSiteId),
+            SourceInstanceId = NullIfEmpty(dto.SourceInstanceId),
+            SourceScript = NullIfEmpty(dto.SourceScript),
+            Actor = NullIfEmpty(dto.Actor),
+            Target = NullIfEmpty(dto.Target),
+            Status = Enum.Parse<AuditStatus>(dto.Status),
+            HttpStatus = dto.HttpStatus,
+            DurationMs = dto.DurationMs,
+            ErrorMessage = NullIfEmpty(dto.ErrorMessage),
+            ErrorDetail = NullIfEmpty(dto.ErrorDetail),
+            RequestSummary = NullIfEmpty(dto.RequestSummary),
+            ResponseSummary = NullIfEmpty(dto.ResponseSummary),
+            PayloadTruncated = dto.PayloadTruncated,
+            Extra = NullIfEmpty(dto.Extra),
+            ForwardState = null
+        };
+    }
+
+    private static string? NullIfEmpty(string? value) =>
+        string.IsNullOrEmpty(value) ? null : value;
+
+    private static DateTime EnsureUtc(DateTime value) =>
+        value.Kind == DateTimeKind.Utc
+            ? value
+            : DateTime.SpecifyKind(value.ToUniversalTime(), DateTimeKind.Utc);
+}

src/ScadaLink.CLI/Commands/AuditCommandHelpers.cs

@@ -0,0 +1,72 @@
+using System.CommandLine;
+using System.CommandLine.Parsing;
+
+namespace ScadaLink.CLI.Commands;
+
+/// <summary>
+/// Resolved Management API connection details for an <c>audit</c> subcommand, or an
+/// error describing why resolution failed.
+/// </summary>
+public sealed class AuditConnection
+{
+    public string? Url { get; init; }
+    public string? Username { get; init; }
+    public string? Password { get; init; }
+    public string? Error { get; init; }
+    public string? ErrorCode { get; init; }
+
+    public static AuditConnection Fail(string error, string code)
+        => new() { Error = error, ErrorCode = code };
+}
+
+/// <summary>
+/// Connection/format resolution shared by the <c>audit</c> subcommands. Mirrors the URL
+/// and credential precedence used by <see cref="CommandHelpers"/> (command line → config
+/// file / environment), but produces a raw <see cref="ManagementHttpClient"/> target
+/// because the audit endpoints are plain REST resources rather than <c>POST /management</c>
+/// command-envelope calls.
+/// </summary>
+public static class AuditCommandHelpers
+{
+    public static AuditConnection ResolveConnection(
+        ParseResult result,
+        Option<string> urlOption,
+        Option<string> usernameOption,
+        Option<string> passwordOption)
+    {
+        var config = CliConfig.Load();
+
+        var url = result.GetValue(urlOption);
+        if (string.IsNullOrWhiteSpace(url))
+            url = config.ManagementUrl;
+
+        if (string.IsNullOrWhiteSpace(url))
+        {
+            return AuditConnection.Fail(
+                "No management URL specified. Use --url, set SCADALINK_MANAGEMENT_URL, or add 'managementUrl' to ~/.scadalink/config.json.",
+                "NO_URL");
+        }
+
+        if (!CommandHelpers.IsValidManagementUrl(url))
+        {
+            return AuditConnection.Fail(
+                $"Invalid management URL '{url}'. Expected an absolute http/https URL (e.g. http://localhost:9001).",
+                "INVALID_URL");
+        }
+
+        var username = CommandHelpers.ResolveCredential(result.GetValue(usernameOption), config.Username);
+        var password = CommandHelpers.ResolveCredential(result.GetValue(passwordOption), config.Password);
+
+        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
+        {
+            return AuditConnection.Fail(
+                "Credentials required. Use --username/--password or set SCADALINK_USERNAME/SCADALINK_PASSWORD.",
+                "NO_CREDENTIALS");
+        }
+
+        return new AuditConnection { Url = url, Username = username, Password = password };
+    }
+
+    public static string ResolveFormat(ParseResult result, Option<string> formatOption)
+        => CommandHelpers.ResolveFormat(result, formatOption, CliConfig.Load());
+}

src/ScadaLink.CLI/Commands/AuditCommands.cs

@@ -0,0 +1,190 @@
+using System.CommandLine;
+using System.CommandLine.Parsing;
+
+namespace ScadaLink.CLI.Commands;
+
+/// <summary>
+/// The <c>scadalink audit</c> command group (Audit Log #23 M8). Provides read access to
+/// the centralized append-only Audit Log via the Bundle B REST endpoints
+/// (<c>GET /api/audit/query</c>, <c>GET /api/audit/export</c>), plus a v1 no-op
+/// <c>verify-chain</c> placeholder for the deferred hash-chain tamper-evidence feature.
+/// </summary>
+public static class AuditCommands
+{
+    public static Command Build(Option<string> urlOption, Option<string> formatOption, Option<string> usernameOption, Option<string> passwordOption)
+    {
+        var command = new Command("audit") { Description = "Query and export the centralized audit log" };
+
+        command.Add(BuildQuery(urlOption, formatOption, usernameOption, passwordOption));
+        command.Add(BuildExport(urlOption, formatOption, usernameOption, passwordOption));
+        command.Add(BuildVerifyChain(urlOption, formatOption, usernameOption, passwordOption));
+
+        return command;
+    }
+
+    private static Command BuildQuery(Option<string> urlOption, Option<string> formatOption, Option<string> usernameOption, Option<string> passwordOption)
+    {
+        var sinceOption = new Option<string?>("--since") { Description = "Start time: relative (1h, 24h, 7d) or ISO-8601" };
+        var untilOption = new Option<string?>("--until") { Description = "End time: relative (1h, 24h, 7d) or ISO-8601" };
+        var channelOption = new Option<string?>("--channel") { Description = "Filter by channel (ApiOutbound, DbOutbound, Notification, ApiInbound)" };
+        channelOption.AcceptOnlyFromAmong("ApiOutbound", "DbOutbound", "Notification", "ApiInbound");
+        var kindOption = new Option<string?>("--kind") { Description = "Filter by event kind (ApiCall, ApiCallCached, DbWrite, DbWriteCached, NotifySend, NotifyDeliver, InboundRequest, InboundAuthFailure, CachedSubmit, CachedResolve)" };
+        kindOption.AcceptOnlyFromAmong(
+            "ApiCall", "ApiCallCached", "DbWrite", "DbWriteCached", "NotifySend",
+            "NotifyDeliver", "InboundRequest", "InboundAuthFailure", "CachedSubmit", "CachedResolve");
+        var statusOption = new Option<string?>("--status") { Description = "Filter by status (Submitted, Forwarded, Attempted, Delivered, Failed, Parked, Discarded, Skipped)" };
+        statusOption.AcceptOnlyFromAmong(
+            "Submitted", "Forwarded", "Attempted", "Delivered", "Failed", "Parked", "Discarded", "Skipped");
+        var siteOption = new Option<string?>("--site") { Description = "Filter by source site ID" };
+        var targetOption = new Option<string?>("--target") { Description = "Filter by target (external system, DB connection, notification list)" };
+        var actorOption = new Option<string?>("--actor") { Description = "Filter by actor" };
+        var correlationIdOption = new Option<string?>("--correlation-id") { Description = "Filter by correlation ID" };
+        var errorsOnlyOption = new Option<bool>("--errors-only") { Description = "Show only failed events (status=Failed; overrides --status)" };
+        var pageSizeOption = new Option<int>("--page-size") { Description = "Events per page (1-1000)" };
+        pageSizeOption.DefaultValueFactory = _ => 100;
+        var allOption = new Option<bool>("--all") { Description = "Fetch every page, following the keyset cursor" };
+
+        var cmd = new Command("query") { Description = "Query audit log events" };
+        cmd.Add(sinceOption);
+        cmd.Add(untilOption);
+        cmd.Add(channelOption);
+        cmd.Add(kindOption);
+        cmd.Add(statusOption);
+        cmd.Add(siteOption);
+        cmd.Add(targetOption);
+        cmd.Add(actorOption);
+        cmd.Add(correlationIdOption);
+        cmd.Add(errorsOnlyOption);
+        cmd.Add(pageSizeOption);
+        cmd.Add(allOption);
+
+        cmd.SetAction(async (ParseResult result) =>
+        {
+            var connection = AuditCommandHelpers.ResolveConnection(result, urlOption, usernameOption, passwordOption);
+            if (connection.Error != null)
+            {
+                OutputFormatter.WriteError(connection.Error, connection.ErrorCode!);
+                return 1;
+            }
+
+            var format = AuditCommandHelpers.ResolveFormat(result, formatOption);
+            var formatter = AuditFormatterFactory.Create(format, Console.Error);
+
+            var args = new AuditQueryArgs
+            {
+                Since = result.GetValue(sinceOption),
+                Until = result.GetValue(untilOption),
+                Channel = result.GetValue(channelOption),
+                Kind = result.GetValue(kindOption),
+                Status = result.GetValue(statusOption),
+                Site = result.GetValue(siteOption),
+                Target = result.GetValue(targetOption),
+                Actor = result.GetValue(actorOption),
+                CorrelationId = result.GetValue(correlationIdOption),
+                ErrorsOnly = result.GetValue(errorsOnlyOption),
+                PageSize = result.GetValue(pageSizeOption),
+            };
+            var fetchAll = result.GetValue(allOption);
+
+            try
+            {
+                using var client = new ManagementHttpClient(connection.Url!, connection.Username!, connection.Password!);
+                return await AuditQueryHelpers.RunQueryAsync(
+                    client, args, fetchAll, formatter, Console.Out, DateTimeOffset.UtcNow);
+            }
+            catch (FormatException ex)
+            {
+                OutputFormatter.WriteError(ex.Message, "INVALID_ARGUMENT");
+                return 1;
+            }
+        });
+        return cmd;
+    }
+
+    private static Command BuildExport(Option<string> urlOption, Option<string> formatOption, Option<string> usernameOption, Option<string> passwordOption)
+    {
+        var sinceOption = new Option<string>("--since") { Description = "Start time: relative (1h, 24h, 7d) or ISO-8601", Required = true };
+        var untilOption = new Option<string>("--until") { Description = "End time: relative (1h, 24h, 7d) or ISO-8601", Required = true };
+        var formatExportOption = new Option<string>("--format") { Description = "Export format", Required = true };
+        formatExportOption.AcceptOnlyFromAmong("csv", "jsonl", "parquet");
+        var outputOption = new Option<string>("--output") { Description = "Destination file path", Required = true };
+        var channelOption = new Option<string?>("--channel") { Description = "Filter by channel" };
+        var kindOption = new Option<string?>("--kind") { Description = "Filter by event kind" };
+        var statusOption = new Option<string?>("--status") { Description = "Filter by status" };
+        var siteOption = new Option<string?>("--site") { Description = "Filter by source site ID" };
+        var targetOption = new Option<string?>("--target") { Description = "Filter by target" };
+        var actorOption = new Option<string?>("--actor") { Description = "Filter by actor" };
+
+        var cmd = new Command("export") { Description = "Export audit log events to a file" };
+        cmd.Add(sinceOption);
+        cmd.Add(untilOption);
+        cmd.Add(formatExportOption);
+        cmd.Add(outputOption);
+        cmd.Add(channelOption);
+        cmd.Add(kindOption);
+        cmd.Add(statusOption);
+        cmd.Add(siteOption);
+        cmd.Add(targetOption);
+        cmd.Add(actorOption);
+
+        cmd.SetAction(async (ParseResult result) =>
+        {
+            var connection = AuditCommandHelpers.ResolveConnection(result, urlOption, usernameOption, passwordOption);
+            if (connection.Error != null)
+            {
+                OutputFormatter.WriteError(connection.Error, connection.ErrorCode!);
+                return 1;
+            }
+
+            var args = new AuditExportArgs
+            {
+                Since = result.GetValue(sinceOption)!,
+                Until = result.GetValue(untilOption)!,
+                Format = result.GetValue(formatExportOption)!,
+                Output = result.GetValue(outputOption)!,
+                Channel = result.GetValue(channelOption),
+                Kind = result.GetValue(kindOption),
+                Status = result.GetValue(statusOption),
+                Site = result.GetValue(siteOption),
+                Target = result.GetValue(targetOption),
+                Actor = result.GetValue(actorOption),
+            };
+
+            try
+            {
+                using var client = new ManagementHttpClient(connection.Url!, connection.Username!, connection.Password!);
+                return await AuditExportHelpers.RunExportAsync(client, args, Console.Out, DateTimeOffset.UtcNow);
+            }
+            catch (FormatException ex)
+            {
+                OutputFormatter.WriteError(ex.Message, "INVALID_ARGUMENT");
+                return 1;
+            }
+        });
+        return cmd;
+    }
+
+    private static Command BuildVerifyChain(Option<string> urlOption, Option<string> formatOption, Option<string> usernameOption, Option<string> passwordOption)
+    {
+        var monthOption = new Option<string>("--month") { Description = "Month to verify (YYYY-MM)", Required = true };
+
+        var cmd = new Command("verify-chain") { Description = "Verify the audit log hash chain for a month" };
+        cmd.Add(monthOption);
+        cmd.SetAction((ParseResult result) =>
+        {
+            var month = result.GetValue(monthOption)!;
+            if (!AuditVerifyChainHelpers.IsValidMonth(month))
+            {
+                OutputFormatter.WriteError(
+                    $"Invalid month '{month}'. Expected YYYY-MM (e.g. 2026-05).", "INVALID_ARGUMENT");
+                return 1;
+            }
+
+            Console.WriteLine(
+                "Hash-chain tamper-evidence is not enabled in this release. "
+                + "See Component-AuditLog.md (Security & Tamper-Evidence) for the v1.x roadmap.");
+            return 0;
+        });
+        return cmd;
+    }
+}

src/ScadaLink.CLI/Commands/AuditExportHelpers.cs

@@ -0,0 +1,114 @@
+using System.Globalization;
+using System.Net;
+
+namespace ScadaLink.CLI.Commands;
+
+/// <summary>
+/// Filter + destination arguments for an <c>audit export</c> invocation. Mirrors the
+/// Bundle B <c>GET /api/audit/export</c> parameters.
+/// </summary>
+public sealed class AuditExportArgs
+{
+    public string Since { get; set; } = string.Empty;
+    public string Until { get; set; } = string.Empty;
+    public string Format { get; set; } = string.Empty;
+    public string Output { get; set; } = string.Empty;
+    public string? Channel { get; set; }
+    public string? Kind { get; set; }
+    public string? Status { get; set; }
+    public string? Site { get; set; }
+    public string? Target { get; set; }
+    public string? Actor { get; set; }
+}
+
+/// <summary>
+/// Helpers for the <c>audit export</c> subcommand: builds the export query string and
+/// streams the HTTP response body straight to the destination file without buffering
+/// the (potentially multi-megabyte) export in memory.
+/// </summary>
+public static class AuditExportHelpers
+{
+    /// <summary>
+    /// Builds the <c>?...</c> query string for <c>GET /api/audit/export</c>: the required
+    /// time window + format, plus optional filters. Time-specs are resolved via
+    /// <see cref="AuditQueryHelpers.ResolveTimeSpec"/>.
+    /// </summary>
+    public static string BuildQueryString(AuditExportArgs args, DateTimeOffset now)
+    {
+        var parts = new List<string>();
+
+        void Add(string key, string? value)
+        {
+            if (!string.IsNullOrWhiteSpace(value))
+                parts.Add($"{key}={Uri.EscapeDataString(value)}");
+        }
+
+        Add("fromUtc", AuditQueryHelpers.ResolveTimeSpec(args.Since, now).ToString("o", CultureInfo.InvariantCulture));
+        Add("toUtc", AuditQueryHelpers.ResolveTimeSpec(args.Until, now).ToString("o", CultureInfo.InvariantCulture));
+        Add("format", args.Format);
+        Add("channel", args.Channel);
+        Add("kind", args.Kind);
+        Add("status", args.Status);
+        Add("sourceSiteId", args.Site);
+        Add("target", args.Target);
+        Add("actor", args.Actor);
+
+        return "?" + string.Join("&", parts);
+    }
+
+    /// <summary>
+    /// Executes the export: GETs <c>/api/audit/export</c> and copies the response body
+    /// stream directly to <see cref="AuditExportArgs.Output"/>. The body is never fully
+    /// buffered — <see cref="Stream.CopyToAsync(Stream)"/> streams in fixed-size chunks.
+    /// A <c>501 Not Implemented</c> (parquet not yet supported server-side) prints the
+    /// server message and returns a non-zero exit code.
+    /// </summary>
+    public static async Task<int> RunExportAsync(
+        ManagementHttpClient client, AuditExportArgs args, TextWriter output, DateTimeOffset now)
+    {
+        var qs = BuildQueryString(args, now);
+
+        HttpResponseMessage response;
+        try
+        {
+            response = await client.SendGetStreamAsync("api/audit/export" + qs, CancellationToken.None);
+        }
+        catch (HttpRequestException ex)
+        {
+            OutputFormatter.WriteError($"Connection failed: {ex.Message}", "CONNECTION_FAILED");
+            return 1;
+        }
+
+        using (response)
+        {
+            if (response.StatusCode == HttpStatusCode.NotImplemented)
+            {
+                var message = await response.Content.ReadAsStringAsync();
+                OutputFormatter.WriteError(
+                    string.IsNullOrWhiteSpace(message)
+                        ? "Export format not implemented by the server."
+                        : message,
+                    "NOT_IMPLEMENTED");
+                return 1;
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var message = await response.Content.ReadAsStringAsync();
+                OutputFormatter.WriteError(
+                    string.IsNullOrWhiteSpace(message) ? $"Export failed (HTTP {(int)response.StatusCode})." : message,
+                    "ERROR");
+                return 1;
+            }
+
+            await using var source = await response.Content.ReadAsStreamAsync();
+            await using var destination = new FileStream(
+                args.Output, FileMode.Create, FileAccess.Write, FileShare.None,
+                bufferSize: 81920, useAsync: true);
+            await source.CopyToAsync(destination);
+        }
+
+        output.WriteLine($"Exported audit log to {args.Output}");
+        return 0;
+    }
+}

src/ScadaLink.CLI/Commands/AuditFormatter.cs

@@ -0,0 +1,45 @@
+using System.Text.Json;
+
+namespace ScadaLink.CLI.Commands;
+
+/// <summary>
+/// Renders a page of audit-log events to a writer. The <c>audit query</c> command picks
+/// a formatter from the <c>--format</c> option. The default JSONL formatter is defined
+/// here; the human-readable table formatter is supplied by Bundle C.
+/// </summary>
+public interface IAuditFormatter
+{
+    /// <summary>Renders one page of events. Called once per fetched page.</summary>
+    void WritePage(IReadOnlyList<JsonElement> events, TextWriter output);
+}
+
+/// <summary>
+/// Default formatter: one JSON object per line (JSONL). Streamable — each page's events
+/// are flushed as they arrive, so <c>--all</c> over many pages does not accumulate.
+/// </summary>
+public sealed class JsonLinesAuditFormatter : IAuditFormatter
+{
+    private static readonly JsonSerializerOptions Compact = new() { WriteIndented = false };
+
+    public void WritePage(IReadOnlyList<JsonElement> events, TextWriter output)
+    {
+        foreach (var evt in events)
+            output.WriteLine(JsonSerializer.Serialize(evt, Compact));
+    }
+}
+
+/// <summary>
+/// Resolves an <see cref="IAuditFormatter"/> for a given <c>--format</c> value:
+/// <c>table</c> renders a column-aligned text table (<see cref="TableAuditFormatter"/>),
+/// any other value (including <c>json</c>) renders JSONL.
+/// </summary>
+public static class AuditFormatterFactory
+{
+    public static IAuditFormatter Create(string format, TextWriter notices)
+    {
+        if (string.Equals(format, "table", StringComparison.OrdinalIgnoreCase))
+            return new TableAuditFormatter();
+
+        return new JsonLinesAuditFormatter();
+    }
+}

src/ScadaLink.CLI/Commands/AuditLogCommands.cs

@@ -4,11 +4,50 @@ using ScadaLink.Commons.Messages.Management;
 
 namespace ScadaLink.CLI.Commands;
 
+/// <summary>
+/// The <c>scadalink audit-config</c> command group: views the configuration-change
+/// audit log (the <c>IAuditService</c> trail of admin edits — distinct from the
+/// centralized append-only Audit Log served by <see cref="AuditCommands"/>).
+/// </summary>
+/// <remarks>
+/// Renamed from <c>audit-log</c> in #23 M8-T7 to avoid confusion with the new
+/// <c>scadalink audit</c> group. The old <c>audit-log</c> name is retained as a
+/// deprecated alias; <see cref="DeprecatedAlias"/> still resolves the full subcommand
+/// tree, and <c>Program.cs</c> prints a deprecation warning when it is used.
+/// </remarks>
 public static class AuditLogCommands
 {
+    /// <summary>The deprecated alias kept for backward compatibility with the old command name.</summary>
+    public const string DeprecatedAlias = "audit-log";
+
+    /// <summary>The deprecation warning emitted when the old <c>audit-log</c> name is used.</summary>
+    public const string DeprecationWarning =
+        "Warning: 'audit-log' is deprecated and will be removed in a future release. "
+        + "Use 'audit-config' instead.";
+
+    /// <summary>
+    /// Writes the <see cref="DeprecationWarning"/> to <paramref name="stderr"/> when the
+    /// CLI was invoked via the deprecated <c>audit-log</c> command name (i.e. the first
+    /// argument is <see cref="DeprecatedAlias"/>). The command itself still works — it is
+    /// an alias of <c>audit-config</c> — so this only adds the migration warning.
+    /// Factored out of <c>Program.cs</c> so it is unit-testable without spawning a process.
+    /// </summary>
+    public static void WriteDeprecationWarningIfNeeded(string[] args, TextWriter stderr)
+    {
+        if (args.Length > 0
+            && string.Equals(args[0], DeprecatedAlias, StringComparison.Ordinal))
+        {
+            stderr.WriteLine(DeprecationWarning);
+        }
+    }
+
     public static Command Build(Option<string> urlOption, Option<string> formatOption, Option<string> usernameOption, Option<string> passwordOption)
     {
-        var command = new Command("audit-log") { Description = "Query audit logs" };
+        var command = new Command("audit-config") { Description = "Query the configuration-change audit log" };
+        // Backward-compatible alias for the pre-M8 `audit-log` name. The alias keeps
+        // full subcommand parity automatically; the deprecation warning is emitted by
+        // the args[0] check in Program.cs.
+        command.Aliases.Add(DeprecatedAlias);
 
         command.Add(BuildQuery(urlOption, formatOption, usernameOption, passwordOption));
 

src/ScadaLink.CLI/Commands/AuditQueryHelpers.cs

@@ -0,0 +1,179 @@
+using System.Globalization;
+using System.Text;
+using System.Text.Json;
+using System.Text.RegularExpressions;
+
+namespace ScadaLink.CLI.Commands;
+
+/// <summary>
+/// Filter arguments for an <c>audit query</c> invocation. Mirrors the Bundle B
+/// <c>GET /api/audit/query</c> filter parameters; <see cref="Since"/>/<see cref="Until"/>
+/// are time-specs (relative like <c>1h</c>/<c>7d</c>, or absolute ISO-8601).
+/// </summary>
+public sealed class AuditQueryArgs
+{
+    public string? Since { get; set; }
+    public string? Until { get; set; }
+    public string? Channel { get; set; }
+    public string? Kind { get; set; }
+    public string? Status { get; set; }
+    public string? Site { get; set; }
+    public string? Target { get; set; }
+    public string? Actor { get; set; }
+    public string? CorrelationId { get; set; }
+    public bool ErrorsOnly { get; set; }
+    public int PageSize { get; set; } = 100;
+}
+
+/// <summary>
+/// Pure helpers for the <c>audit query</c> subcommand: time-spec resolution, query-string
+/// construction, and the keyset-cursor paging loop. Kept separate from the command wiring
+/// so each piece is unit-testable without standing up the command tree.
+/// </summary>
+public static class AuditQueryHelpers
+{
+    // <number><unit> where unit is s/m/h/d — a relative offset back from "now".
+    private static readonly Regex RelativeSpec = new(@"^(\d+)([smhd])$", RegexOptions.Compiled);
+
+    /// <summary>
+    /// Resolves a time-spec to an absolute <see cref="DateTimeOffset"/>. Accepts a
+    /// relative offset (<c>30s</c>, <c>15m</c>, <c>1h</c>, <c>7d</c>) interpreted as
+    /// <paramref name="now"/> minus the offset, or an absolute ISO-8601 timestamp.
+    /// </summary>
+    /// <exception cref="FormatException">The spec is neither a known relative form nor a parseable ISO-8601 timestamp.</exception>
+    public static DateTimeOffset ResolveTimeSpec(string spec, DateTimeOffset now)
+    {
+        if (string.IsNullOrWhiteSpace(spec))
+            throw new FormatException("Empty time value.");
+
+        var match = RelativeSpec.Match(spec.Trim());
+        if (match.Success)
+        {
+            var amount = int.Parse(match.Groups[1].Value, CultureInfo.InvariantCulture);
+            var offset = match.Groups[2].Value switch
+            {
+                "s" => TimeSpan.FromSeconds(amount),
+                "m" => TimeSpan.FromMinutes(amount),
+                "h" => TimeSpan.FromHours(amount),
+                "d" => TimeSpan.FromDays(amount),
+                _ => throw new FormatException($"Unknown time unit in '{spec}'."),
+            };
+            return now - offset;
+        }
+
+        if (DateTimeOffset.TryParse(spec, CultureInfo.InvariantCulture,
+                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out var absolute))
+        {
+            return absolute;
+        }
+
+        throw new FormatException(
+            $"Invalid time value '{spec}'. Use a relative offset (e.g. 1h, 24h, 7d) or an ISO-8601 timestamp.");
+    }
+
+    /// <summary>
+    /// Builds the <c>?...</c> query string for <c>GET /api/audit/query</c> from the filter
+    /// args plus an optional keyset cursor. Unset filters are omitted. <c>--errors-only</c>
+    /// maps to <c>status=Failed</c> (the server takes a single status value).
+    /// </summary>
+    public static string BuildQueryString(
+        AuditQueryArgs args, DateTimeOffset now, DateTimeOffset? afterOccurredAtUtc, string? afterEventId)
+    {
+        var parts = new List<string>();
+
+        void Add(string key, string? value)
+        {
+            if (!string.IsNullOrWhiteSpace(value))
+                parts.Add($"{key}={Uri.EscapeDataString(value)}");
+        }
+
+        if (!string.IsNullOrWhiteSpace(args.Since))
+            Add("fromUtc", ResolveTimeSpec(args.Since!, now).ToString("o", CultureInfo.InvariantCulture));
+        if (!string.IsNullOrWhiteSpace(args.Until))
+            Add("toUtc", ResolveTimeSpec(args.Until!, now).ToString("o", CultureInfo.InvariantCulture));
+
+        Add("channel", args.Channel);
+        Add("kind", args.Kind);
+
+        // --errors-only is a convenience shorthand for the single-value Failed status
+        // filter. The server's status filter accepts one value, so --errors-only and an
+        // explicit --status are mutually exclusive in effect; --errors-only wins.
+        Add("status", args.ErrorsOnly ? "Failed" : args.Status);
+
+        Add("sourceSiteId", args.Site);
+        Add("target", args.Target);
+        Add("actor", args.Actor);
+        Add("correlationId", args.CorrelationId);
+        Add("pageSize", args.PageSize.ToString(CultureInfo.InvariantCulture));
+
+        if (afterOccurredAtUtc.HasValue)
+            Add("afterOccurredAtUtc", afterOccurredAtUtc.Value.ToString("o", CultureInfo.InvariantCulture));
+        Add("afterEventId", afterEventId);
+
+        return parts.Count == 0 ? string.Empty : "?" + string.Join("&", parts);
+    }
+
+    /// <summary>
+    /// Executes the query: GETs <c>/api/audit/query</c>, renders each page with
+    /// <paramref name="formatter"/>, and — when <paramref name="fetchAll"/> is set —
+    /// follows <c>nextCursor</c> until the server returns a null cursor. Returns the
+    /// process exit code (0 success, non-zero on HTTP/transport error).
+    /// </summary>
+    public static async Task<int> RunQueryAsync(
+        ManagementHttpClient client,
+        AuditQueryArgs args,
+        bool fetchAll,
+        IAuditFormatter formatter,
+        TextWriter output,
+        DateTimeOffset now)
+    {
+        DateTimeOffset? afterOccurredAtUtc = null;
+        string? afterEventId = null;
+
+        while (true)
+        {
+            var qs = BuildQueryString(args, now, afterOccurredAtUtc, afterEventId);
+            var response = await client.SendGetAsync("api/audit/query" + qs, TimeSpan.FromSeconds(30));
+
+            if (response.JsonData == null)
+            {
+                OutputFormatter.WriteError(
+                    response.Error ?? "Audit query failed.", response.ErrorCode ?? "ERROR");
+                return 1;
+            }
+
+            using var doc = JsonDocument.Parse(response.JsonData);
+            var root = doc.RootElement;
+
+            var events = root.TryGetProperty("events", out var evts) && evts.ValueKind == JsonValueKind.Array
+                ? evts.EnumerateArray().ToList()
+                : new List<JsonElement>();
+            formatter.WritePage(events, output);
+            output.Flush();
+
+            if (!fetchAll)
+                return 0;
+
+            if (!root.TryGetProperty("nextCursor", out var cursor)
+                || cursor.ValueKind != JsonValueKind.Object)
+            {
+                return 0;
+            }
+
+            afterOccurredAtUtc = cursor.TryGetProperty("afterOccurredAtUtc", out var c1)
+                && c1.ValueKind == JsonValueKind.String
+                ? DateTimeOffset.Parse(c1.GetString()!, CultureInfo.InvariantCulture,
+                    DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal)
+                : null;
+            afterEventId = cursor.TryGetProperty("afterEventId", out var c2)
+                && c2.ValueKind == JsonValueKind.String
+                ? c2.GetString()
+                : null;
+
+            // A malformed cursor (object present but missing both keys) would loop
+            // forever — treat it as the end of results.
+            if (afterOccurredAtUtc == null && afterEventId == null)
+                return 0;
+        }
+    }
+}

src/ScadaLink.CLI/Commands/AuditVerifyChainHelpers.cs

@@ -0,0 +1,20 @@
+using System.Globalization;
+
+namespace ScadaLink.CLI.Commands;
+
+/// <summary>
+/// Helpers for the <c>audit verify-chain</c> subcommand. v1 is a no-op: hash-chain
+/// tamper-evidence is deferred to v1.x (see Component-AuditLog.md). The command still
+/// validates its <c>--month</c> argument so the surface is stable for v1.x.
+/// </summary>
+public static class AuditVerifyChainHelpers
+{
+    /// <summary>
+    /// Returns true if <paramref name="month"/> is a well-formed <c>YYYY-MM</c> value
+    /// with a real month (01-12). A malformed month (e.g. <c>2026-13</c>) is rejected.
+    /// </summary>
+    public static bool IsValidMonth(string? month)
+        => !string.IsNullOrWhiteSpace(month)
+           && DateTime.TryParseExact(month, "yyyy-MM", CultureInfo.InvariantCulture,
+               DateTimeStyles.None, out _);
+}

src/ScadaLink.CLI/Commands/TableAuditFormatter.cs

@@ -0,0 +1,96 @@
+using System.Text.Json;
+
+namespace ScadaLink.CLI.Commands;
+
+/// <summary>
+/// Human-readable table formatter for <c>audit query --format table</c> (Audit Log
+/// #23 M8-T6). Renders each fetched page as a column-aligned text table with a fixed
+/// column set (<see cref="Columns"/>). Long free-text fields (Target, Actor) are
+/// truncated with an ellipsis so columns stay aligned regardless of payload size.
+/// </summary>
+/// <remarks>
+/// A header row is emitted once per page (matching the streamable, page-at-a-time
+/// contract of <see cref="IAuditFormatter"/>). An empty page emits the header only,
+/// so the column shape is visible even with zero results.
+/// </remarks>
+public sealed class TableAuditFormatter : IAuditFormatter
+{
+    /// <summary>JSON property name (camelCase, as the server serializes it) → column header.</summary>
+    private static readonly (string Property, string Header, int MaxWidth)[] Columns =
+    {
+        ("occurredAtUtc", "OccurredAtUtc", 24),
+        ("channel",       "Channel",       14),
+        ("kind",          "Kind",          18),
+        ("status",        "Status",        12),
+        ("target",        "Target",        32),
+        ("actor",         "Actor",         20),
+        ("durationMs",    "DurationMs",    10),
+        ("httpStatus",    "HttpStatus",    10),
+    };
+
+    public void WritePage(IReadOnlyList<JsonElement> events, TextWriter output)
+    {
+        // Build every cell first so column widths account for the actual data.
+        var rows = new List<string[]>(events.Count);
+        foreach (var evt in events)
+        {
+            var cells = new string[Columns.Length];
+            for (var i = 0; i < Columns.Length; i++)
+                cells[i] = Truncate(CellValue(evt, Columns[i].Property), Columns[i].MaxWidth);
+            rows.Add(cells);
+        }
+
+        var widths = new int[Columns.Length];
+        for (var i = 0; i < Columns.Length; i++)
+            widths[i] = Columns[i].Header.Length;
+        foreach (var row in rows)
+            for (var i = 0; i < Columns.Length; i++)
+                widths[i] = Math.Max(widths[i], row[i].Length);
+
+        WriteRow(output, Columns.Select(c => c.Header).ToArray(), widths);
+        foreach (var row in rows)
+            WriteRow(output, row, widths);
+    }
+
+    /// <summary>
+    /// Extracts a cell value for <paramref name="property"/> from an audit event.
+    /// A missing property or a JSON <c>null</c> renders as an empty string (never
+    /// the literal text "null").
+    /// </summary>
+    private static string CellValue(JsonElement evt, string property)
+    {
+        if (evt.ValueKind != JsonValueKind.Object
+            || !evt.TryGetProperty(property, out var value)
+            || value.ValueKind == JsonValueKind.Null)
+        {
+            return string.Empty;
+        }
+
+        return value.ValueKind == JsonValueKind.String
+            ? value.GetString() ?? string.Empty
+            : value.ToString();
+    }
+
+    /// <summary>
+    /// Truncates <paramref name="value"/> to <paramref name="maxWidth"/> characters,
+    /// replacing the tail with a single-character ellipsis so the column stays aligned.
+    /// </summary>
+    private static string Truncate(string value, int maxWidth)
+    {
+        if (maxWidth <= 0 || value.Length <= maxWidth)
+            return value;
+        if (maxWidth == 1)
+            return "…";
+        return value.Substring(0, maxWidth - 1) + "…";
+    }
+
+    private static void WriteRow(TextWriter output, IReadOnlyList<string> cells, int[] widths)
+    {
+        for (var i = 0; i < cells.Count; i++)
+        {
+            // Last column is not padded — avoids trailing whitespace at line end.
+            output.Write(i == cells.Count - 1 ? cells[i] : cells[i].PadRight(widths[i] + 2));
+        }
+        output.WriteLine();
+    }
+}

src/ScadaLink.CLI/ManagementHttpClient.cs

@@ -74,6 +74,65 @@ public class ManagementHttpClient : IDisposable
         return new ManagementResponse((int)httpResponse.StatusCode, null, error, code);
     }
 
+    /// <summary>
+    /// Issues a plain HTTP <c>GET</c> against a REST endpoint (e.g. the audit
+    /// <c>/api/audit/query</c> endpoint introduced by Audit Log #23 M8) and returns the
+    /// response body. Unlike <see cref="SendCommandAsync"/>, this does not wrap the call
+    /// in the <c>POST /management</c> command envelope — the audit endpoints are plain
+    /// REST resources. Authentication (HTTP Basic) and the base address are shared.
+    /// </summary>
+    /// <param name="relativePath">Path relative to the base URL, with query string.</param>
+    public async Task<ManagementResponse> SendGetAsync(string relativePath, TimeSpan timeout)
+    {
+        using var cts = new CancellationTokenSource(timeout);
+
+        HttpResponseMessage httpResponse;
+        try
+        {
+            httpResponse = await _httpClient.GetAsync(relativePath, cts.Token);
+        }
+        catch (TaskCanceledException)
+        {
+            return new ManagementResponse(504, null, "Request timed out.", "TIMEOUT");
+        }
+        catch (HttpRequestException ex)
+        {
+            return new ManagementResponse(0, null, $"Connection failed: {ex.Message}", "CONNECTION_FAILED");
+        }
+
+        var responseBody = await httpResponse.Content.ReadAsStringAsync(cts.Token);
+
+        if (httpResponse.IsSuccessStatusCode)
+        {
+            return new ManagementResponse((int)httpResponse.StatusCode, responseBody, null, null);
+        }
+
+        string? error = null;
+        string? code = null;
+        try
+        {
+            using var doc = JsonDocument.Parse(responseBody);
+            error = doc.RootElement.TryGetProperty("error", out var e) ? e.GetString() : responseBody;
+            code = doc.RootElement.TryGetProperty("code", out var c) ? c.GetString() : null;
+        }
+        catch
+        {
+            error = responseBody;
+        }
+
+        return new ManagementResponse((int)httpResponse.StatusCode, null, error, code);
+    }
+
+    /// <summary>
+    /// Issues a plain HTTP <c>GET</c> and returns the raw <see cref="HttpResponseMessage"/>
+    /// so the caller can stream the response body without buffering it in memory — used
+    /// by <c>audit export</c>, where the response can be many megabytes. The caller owns
+    /// disposing the returned message. The <see cref="HttpCompletionOption.ResponseHeadersRead"/>
+    /// option ensures the body is not pre-buffered.
+    /// </summary>
+    public async Task<HttpResponseMessage> SendGetStreamAsync(string relativePath, CancellationToken cancellationToken)
+        => await _httpClient.GetAsync(relativePath, HttpCompletionOption.ResponseHeadersRead, cancellationToken);
+
     public void Dispose() => _httpClient.Dispose();
 }
 

src/ScadaLink.CLI/Program.cs

@@ -27,6 +27,7 @@ rootCommand.Add(ExternalSystemCommands.Build(urlOption, formatOption, usernameOp
 rootCommand.Add(NotificationCommands.Build(urlOption, formatOption, usernameOption, passwordOption));
 rootCommand.Add(SecurityCommands.Build(urlOption, formatOption, usernameOption, passwordOption));
 rootCommand.Add(AuditLogCommands.Build(urlOption, formatOption, usernameOption, passwordOption));
+rootCommand.Add(AuditCommands.Build(urlOption, formatOption, usernameOption, passwordOption));
 rootCommand.Add(HealthCommands.Build(urlOption, formatOption, usernameOption, passwordOption));
 rootCommand.Add(DebugCommands.Build(urlOption, formatOption, usernameOption, passwordOption));
 rootCommand.Add(SharedScriptCommands.Build(urlOption, formatOption, usernameOption, passwordOption));
@@ -38,5 +39,10 @@ rootCommand.SetAction(_ =>
     Console.WriteLine("Use --help to see available commands.");
 });
 
+// Deprecation notice for the pre-M8 `audit-log` command name. The command itself
+// still works (it is an alias of `audit-config`), but using the old name emits a
+// warning to stderr so scripts can be migrated.
+AuditLogCommands.WriteDeprecationWarningIfNeeded(args, Console.Error);
+
 var parseResult = CommandLineParser.Parse(rootCommand, args);
 return await parseResult.InvokeAsync();

src/ScadaLink.CLI/README.md

@@ -1049,14 +1049,118 @@ Features:
 
 ---
 
-### `audit-log` — Audit log queries
+### `audit` — Centralized Audit Log
 
-#### `audit-log query`
+Read access to the central append-only **Audit Log** (#23) — the record of every
+script-trust-boundary action: outbound API calls (sync + cached), outbound DB
+operations (sync + cached), notifications, and inbound API calls. This is distinct
+from the configuration-change audit trail exposed by [`audit-config`](#audit-config--configuration-change-audit-log).
 
-Query the central audit log with optional filters and pagination.
+The subcommands map directly onto the `GET /api/audit/query` and
+`GET /api/audit/export` management endpoints. Filters and the result columns mirror
+the Central UI **Audit** page, so a CLI query and a UI query with the same filters
+return the same rows — CLI ↔ UI filter parity is intentional.
+
+**Permissions.** Querying requires the `OperationalAudit` permission (roles `Admin`,
+`Audit`, or `AuditReadOnly`). Exporting requires the stricter `AuditExport` permission
+(roles `Admin` or `Audit`) — read access does *not* imply export access. A request
+without the required role returns exit code `2`.
+
+#### `audit query`
+
+Query audit log events with optional filters and keyset pagination.
 
 ```sh
-scadalink --url <url> audit-log query [options]
+scadalink --url <url> audit query [options]
+```
+
+| Option | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `--since` | no | — | Start time: relative (`1h`, `24h`, `7d`) or ISO-8601 |
+| `--until` | no | — | End time: relative (`1h`, `24h`, `7d`) or ISO-8601 |
+| `--channel` | no | — | Filter by channel (`ApiOutbound`, `DbOutbound`, `Notification`, `ApiInbound`) |
+| `--kind` | no | — | Filter by event kind (`ApiCall`, `ApiCallCached`, `DbWrite`, `DbWriteCached`, `NotifySend`, `NotifyDeliver`, `InboundRequest`, `InboundAuthFailure`, `CachedSubmit`, `CachedResolve`) |
+| `--status` | no | — | Filter by status (`Submitted`, `Forwarded`, `Attempted`, `Delivered`, `Failed`, `Parked`, `Discarded`, `Skipped`) |
+| `--site` | no | — | Filter by source site ID |
+| `--target` | no | — | Filter by target (external system, DB connection, notification list) |
+| `--actor` | no | — | Filter by actor |
+| `--correlation-id` | no | — | Filter by correlation ID |
+| `--errors-only` | no | `false` | Show only failed events (`status=Failed`; overrides `--status`) |
+| `--page-size` | no | `100` | Events per page (1–1000) |
+| `--all` | no | `false` | Fetch every page, following the keyset cursor |
+| `--format` | no | `json` | Output format: `json` (JSONL, one event per line) or `table` |
+
+With `--format table`, events render as an aligned text table with columns
+`OccurredAtUtc`, `Channel`, `Kind`, `Status`, `Target`, `Actor`, `DurationMs`,
+`HttpStatus`; long `Target`/`Actor` values are truncated with an ellipsis. With
+`--format json` (the default), each page is emitted as JSONL — one JSON object per
+line — which streams cleanly under `--all` across many pages.
+
+#### `audit export`
+
+Export audit log events to a file. The export streams from the server, so it is not
+bounded by the query page size.
+
+```sh
+scadalink --url <url> audit export --since <time> --until <time> --format <fmt> --output <path> [filters]
+```
+
+| Option | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `--since` | yes | — | Start time: relative (`1h`, `24h`, `7d`) or ISO-8601 |
+| `--until` | yes | — | End time: relative (`1h`, `24h`, `7d`) or ISO-8601 |
+| `--format` | yes | — | Export format: `csv`, `jsonl`, or `parquet` |
+| `--output` | yes | — | Destination file path |
+| `--channel` | no | — | Filter by channel |
+| `--kind` | no | — | Filter by event kind |
+| `--status` | no | — | Filter by status |
+| `--site` | no | — | Filter by source site ID |
+| `--target` | no | — | Filter by target |
+| `--actor` | no | — | Filter by actor |
+
+> `--format parquet` is accepted by the CLI but the server returns `501 Not
+> Implemented` — Parquet archival is deferred to v1.x (see `Component-AuditLog.md`).
+> Use `csv` or `jsonl`.
+
+#### `audit verify-chain`
+
+Verify the audit log hash chain for a given month.
+
+```sh
+scadalink --url <url> audit verify-chain --month <YYYY-MM>
+```
+
+| Option | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `--month` | yes | — | Month to verify, `YYYY-MM` (e.g. `2026-05`) |
+
+> **v1 no-op.** Hash-chain tamper-evidence is not enabled in this release. The
+> subcommand validates the `--month` argument and prints a notice pointing at the
+> v1.x roadmap in `Component-AuditLog.md`; it exits `0` without contacting the server.
+> The command exists now so scripts and operator habits do not need to change when
+> tamper-evidence ships.
+
+---
+
+### `audit-config` — Configuration-change audit log
+
+Query the configuration-change audit trail (the `IAuditService` record of admin
+edits to templates, instances, sites, etc.). This is **separate** from the
+centralized [`audit`](#audit--centralized-audit-log) group above.
+
+> **Renamed.** This group was named `audit-log` before #23 M8. The old name still
+> works as a deprecated alias — `scadalink audit-log query ...` resolves the full
+> subcommand tree unchanged — but prints a deprecation warning to stderr:
+> `Warning: 'audit-log' is deprecated and will be removed in a future release. Use 'audit-config' instead.`
+> Migrate scripts to `audit-config`; the `audit-log` alias will be removed in a
+> future release.
+
+#### `audit-config query`
+
+Query the configuration-change audit log with optional filters and pagination.
+
+```sh
+scadalink --url <url> audit-config query [options]
 ```
 
 | Option | Required | Default | Description |

src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs

@@ -0,0 +1,173 @@
+using System.Globalization;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
+using ScadaLink.CentralUI.Services;
+using ScadaLink.Commons.Types.Audit;
+using ScadaLink.Commons.Types.Enums;
+using ScadaLink.Security;
+
+namespace ScadaLink.CentralUI.Audit;
+
+/// <summary>
+/// Minimal-API endpoint hosting the Audit Log CSV export (#23 M7-T14 / Bundle F).
+///
+/// <para>
+/// CentralUI ships no MVC controllers (see <see cref="ScadaLink.CentralUI.Auth.AuthEndpoints"/>
+/// and <see cref="ScadaLink.CentralUI.ScriptAnalysis.ScriptAnalysisEndpoints"/>),
+/// so the brief's "controller" is implemented as a minimal-API endpoint instead.
+/// The endpoint streams to <c>Response.Body</c> directly so the export does NOT
+/// buffer the full result set in memory — see
+/// <see cref="IAuditLogExportService.ExportAsync"/>.
+/// </para>
+///
+/// <para>
+/// The route is gated on the <see cref="AuthorizationPolicies.AuditExport"/>
+/// policy (#23 M7-T15 / Bundle G) so only roles with the bulk-export
+/// permission can pull a CSV — the page-level
+/// <see cref="AuthorizationPolicies.OperationalAudit"/> gate is read-only
+/// and intentionally narrower. The query-string parser silently drops
+/// unrecognised values to match the page-level parser in
+/// <c>AuditLogPage.ApplyQueryStringFilters</c> — an unknown enum value yields
+/// the same "no constraint" outcome rather than a 400.
+/// </para>
+/// </summary>
+public static class AuditExportEndpoints
+{
+    /// <summary>
+    /// Default row cap for a single export. Large enough to satisfy realistic
+    /// operator workflows; mirrors the brief's recommended ceiling. Operators
+    /// who need more should fall back to the CLI (footnote rendered in the
+    /// cap-footer line).
+    /// </summary>
+    public const int DefaultMaxRows = 100_000;
+
+    public static IEndpointRouteBuilder MapAuditExportEndpoints(this IEndpointRouteBuilder endpoints)
+    {
+        endpoints.MapGet("/api/centralui/audit/export", HandleExportAsync)
+            .RequireAuthorization(AuthorizationPolicies.AuditExport);
+
+        return endpoints;
+    }
+
+    /// <summary>
+    /// Handles <c>GET /api/centralui/audit/export</c>. Internal so endpoint
+    /// tests can call it directly when desirable; the live wire-up goes
+    /// through the minimal-API map above.
+    /// </summary>
+    internal static async Task HandleExportAsync(HttpContext context, IAuditLogExportService exportService)
+    {
+        var filter = ParseFilter(context.Request.Query);
+        var maxRows = ParseMaxRows(context.Request.Query);
+
+        // Stamp the response headers BEFORE the first body write so the client
+        // sees text/csv + an attachment download right away.
+        var fileName = $"audit-log-{DateTime.UtcNow:yyyyMMdd-HHmmss}.csv";
+        context.Response.ContentType = "text/csv; charset=utf-8";
+        context.Response.Headers["Content-Disposition"] = $"attachment; filename=\"{fileName}\"";
+        // Defeat any intermediate buffering proxy so the operator sees rows
+        // streaming through as the server flushes each repository page.
+        context.Response.Headers["Cache-Control"] = "no-store";
+
+        await exportService.ExportAsync(filter, maxRows, context.Response.Body, context.RequestAborted);
+    }
+
+    /// <summary>
+    /// Parses the query-string into an <see cref="AuditLogQueryFilter"/>.
+    /// Unknown enum names / un-parseable Guids / dates are silently dropped
+    /// (same contract as <c>AuditLogPage.ApplyQueryStringFilters</c>).
+    /// </summary>
+    internal static AuditLogQueryFilter ParseFilter(IQueryCollection query)
+    {
+        AuditChannel? channel = null;
+        if (query.TryGetValue("channel", out var channelValues)
+            && Enum.TryParse<AuditChannel>(channelValues.ToString(), ignoreCase: true, out var parsedChannel))
+        {
+            channel = parsedChannel;
+        }
+
+        AuditKind? kind = null;
+        if (query.TryGetValue("kind", out var kindValues)
+            && Enum.TryParse<AuditKind>(kindValues.ToString(), ignoreCase: true, out var parsedKind))
+        {
+            kind = parsedKind;
+        }
+
+        AuditStatus? status = null;
+        if (query.TryGetValue("status", out var statusValues)
+            && Enum.TryParse<AuditStatus>(statusValues.ToString(), ignoreCase: true, out var parsedStatus))
+        {
+            status = parsedStatus;
+        }
+
+        string? site = TrimToNullable(query, "site");
+        string? target = TrimToNullable(query, "target");
+        string? actor = TrimToNullable(query, "actor");
+
+        Guid? correlationId = null;
+        if (query.TryGetValue("correlationId", out var corrValues)
+            && Guid.TryParse(corrValues.ToString(), out var parsedCorr))
+        {
+            correlationId = parsedCorr;
+        }
+
+        DateTime? fromUtc = ParseUtcDate(query, "from");
+        DateTime? toUtc = ParseUtcDate(query, "to");
+
+        return new AuditLogQueryFilter(
+            Channel: channel,
+            Kind: kind,
+            Status: status,
+            SourceSiteId: site,
+            Target: target,
+            Actor: actor,
+            CorrelationId: correlationId,
+            FromUtc: fromUtc,
+            ToUtc: toUtc);
+    }
+
+    /// <summary>
+    /// Optional <c>maxRows=</c> query-string override. Falls back to
+    /// <see cref="DefaultMaxRows"/> on a missing / non-positive / unparseable
+    /// value rather than erroring — same lax contract as the rest of the
+    /// query parser.
+    /// </summary>
+    private static int ParseMaxRows(IQueryCollection query)
+    {
+        if (query.TryGetValue("maxRows", out var raw)
+            && int.TryParse(raw.ToString(), NumberStyles.Integer, CultureInfo.InvariantCulture, out var parsed)
+            && parsed > 0)
+        {
+            return parsed;
+        }
+        return DefaultMaxRows;
+    }
+
+    private static string? TrimToNullable(IQueryCollection query, string key)
+    {
+        if (!query.TryGetValue(key, out var values))
+        {
+            return null;
+        }
+        var v = values.ToString();
+        return string.IsNullOrWhiteSpace(v) ? null : v.Trim();
+    }
+
+    private static DateTime? ParseUtcDate(IQueryCollection query, string key)
+    {
+        if (!query.TryGetValue(key, out var values))
+        {
+            return null;
+        }
+        if (DateTime.TryParse(
+            values.ToString(),
+            CultureInfo.InvariantCulture,
+            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
+            out var parsed))
+        {
+            return DateTime.SpecifyKind(parsed, DateTimeKind.Utc);
+        }
+        return null;
+    }
+}

src/ScadaLink.CentralUI/Components/Audit/AuditDrilldownDrawer.razor

@@ -0,0 +1,161 @@
+@using ScadaLink.Commons.Entities.Audit
+@using ScadaLink.Commons.Types.Enums
+
+@* Audit Log drilldown drawer (#23 M7 Bundle C / M7-T4..T8).
+   Right-side Bootstrap offcanvas-style drawer hosted by the Audit Log page.
+   All form/field rendering follows the form-layout memory:
+   read-only fields first (definition list), then subsections stacked,
+   action buttons at the bottom of the drawer. *@
+
+@if (IsOpen && Event is not null)
+{
+    <div class="offcanvas-backdrop fade show" data-test="drawer-backdrop"
+         @onclick="HandleClose"></div>
+    <div class="offcanvas offcanvas-end show audit-drilldown-drawer"
+         tabindex="-1"
+         style="visibility: visible;"
+         data-test="audit-drilldown-drawer">
+        <div class="offcanvas-header border-bottom">
+            <div>
+                <div class="text-muted small text-uppercase">Audit event</div>
+                <h5 class="offcanvas-title mb-0">Audit Event @ShortEventId(Event.EventId)</h5>
+            </div>
+            <button type="button" class="btn-close" aria-label="Close"
+                    data-test="drawer-close"
+                    @onclick="HandleClose"></button>
+        </div>
+
+        <div class="offcanvas-body small">
+            @* Read-only field list — primary identification + provenance. *@
+            <dl class="row mb-3" data-test="drawer-fields">
+                <dt class="col-4 text-muted fw-normal">Channel / Kind</dt>
+                <dd class="col-8" data-test="field-Channel">@Event.Channel / @Event.Kind</dd>
+
+                <dt class="col-4 text-muted fw-normal">Status</dt>
+                <dd class="col-8" data-test="field-Status">@Event.Status</dd>
+
+                <dt class="col-4 text-muted fw-normal">HttpStatus</dt>
+                <dd class="col-8 font-monospace" data-test="field-HttpStatus">@(Event.HttpStatus?.ToString() ?? "—")</dd>
+
+                <dt class="col-4 text-muted fw-normal">Target</dt>
+                <dd class="col-8" data-test="field-Target">@(Event.Target ?? "—")</dd>
+
+                <dt class="col-4 text-muted fw-normal">Actor</dt>
+                <dd class="col-8" data-test="field-Actor">@(Event.Actor ?? "—")</dd>
+
+                <dt class="col-4 text-muted fw-normal">SourceSiteId</dt>
+                <dd class="col-8" data-test="field-SourceSiteId">@(Event.SourceSiteId ?? "—")</dd>
+
+                <dt class="col-4 text-muted fw-normal">SourceInstanceId</dt>
+                <dd class="col-8" data-test="field-SourceInstanceId">@(Event.SourceInstanceId ?? "—")</dd>
+
+                <dt class="col-4 text-muted fw-normal">SourceScript</dt>
+                <dd class="col-8" data-test="field-SourceScript">@(Event.SourceScript ?? "—")</dd>
+
+                <dt class="col-4 text-muted fw-normal">CorrelationId</dt>
+                <dd class="col-8 font-monospace" data-test="field-CorrelationId">@(Event.CorrelationId?.ToString() ?? "—")</dd>
+
+                <dt class="col-4 text-muted fw-normal">OccurredAtUtc</dt>
+                <dd class="col-8 font-monospace" data-test="field-OccurredAtUtc">@FormatTimestamp(Event.OccurredAtUtc)</dd>
+
+                <dt class="col-4 text-muted fw-normal">IngestedAtUtc</dt>
+                <dd class="col-8 font-monospace" data-test="field-IngestedAtUtc">@(Event.IngestedAtUtc.HasValue ? FormatTimestamp(Event.IngestedAtUtc.Value) : "—")</dd>
+
+                <dt class="col-4 text-muted fw-normal">DurationMs</dt>
+                <dd class="col-8 font-monospace" data-test="field-DurationMs">@(Event.DurationMs?.ToString() ?? "—")</dd>
+            </dl>
+
+            @* Error subsection — only shown when there is something to report. *@
+            @if (!string.IsNullOrEmpty(Event.ErrorMessage) || !string.IsNullOrEmpty(Event.ErrorDetail))
+            {
+                <section class="mb-3" data-test="section-error">
+                    <h6 class="text-uppercase text-muted small fw-semibold mb-1">Error</h6>
+                    @if (!string.IsNullOrEmpty(Event.ErrorMessage))
+                    {
+                        <p class="text-danger mb-1">@Event.ErrorMessage</p>
+                    }
+                    @if (!string.IsNullOrEmpty(Event.ErrorDetail))
+                    {
+                        <pre class="bg-light border rounded p-2 mb-0 drawer-pre">@Event.ErrorDetail</pre>
+                    }
+                </section>
+            }
+
+            @* Request body (channel-aware renderer). *@
+            @if (!string.IsNullOrEmpty(Event.RequestSummary))
+            {
+                <section class="mb-3" data-test="section-request">
+                    <h6 class="text-uppercase text-muted small fw-semibold mb-1 d-flex align-items-center gap-2">
+                        <span>Request</span>
+                        @if (IsRedacted(Event.RequestSummary))
+                        {
+                            <span data-test="redaction-badge-request"
+                                  class="badge bg-warning text-dark"
+                                  title="Sensitive values redacted by audit pipeline">
+                                Redacted
+                            </span>
+                        }
+                    </h6>
+                    <div data-test="request-body">
+                        @RenderBody(Event.RequestSummary!, Event.Channel)
+                    </div>
+                </section>
+            }
+
+            @* Response body (channel-aware renderer). *@
+            @if (!string.IsNullOrEmpty(Event.ResponseSummary))
+            {
+                <section class="mb-3" data-test="section-response">
+                    <h6 class="text-uppercase text-muted small fw-semibold mb-1 d-flex align-items-center gap-2">
+                        <span>Response</span>
+                        @if (IsRedacted(Event.ResponseSummary))
+                        {
+                            <span data-test="redaction-badge-response"
+                                  class="badge bg-warning text-dark"
+                                  title="Sensitive values redacted by audit pipeline">
+                                Redacted
+                            </span>
+                        }
+                    </h6>
+                    <div data-test="response-body">
+                        @RenderBody(Event.ResponseSummary!, Event.Channel)
+                    </div>
+                </section>
+            }
+
+            @* Extra is always JSON when present. *@
+            @if (!string.IsNullOrEmpty(Event.Extra))
+            {
+                <section class="mb-3" data-test="section-extra">
+                    <h6 class="text-uppercase text-muted small fw-semibold mb-1">Extra</h6>
+                    <pre class="bg-light border rounded p-2 mb-0 drawer-pre json">@PrettyPrintJson(Event.Extra!)</pre>
+                </section>
+            }
+        </div>
+
+        @* Action buttons at the bottom per form-layout memory. *@
+        <div class="border-top p-3 d-flex gap-2 flex-wrap drawer-footer">
+            @if (IsApiChannel(Event.Channel))
+            {
+                <button class="btn btn-outline-secondary btn-sm"
+                        data-test="copy-as-curl"
+                        @onclick="CopyCurl">
+                    Copy as cURL
+                </button>
+            }
+            @if (Event.CorrelationId is not null)
+            {
+                <button class="btn btn-outline-secondary btn-sm"
+                        data-test="show-all-events"
+                        @onclick="ShowAllForOperation">
+                    Show all events for this operation
+                </button>
+            }
+            <button class="btn btn-primary btn-sm ms-auto"
+                    data-test="drawer-close-footer"
+                    @onclick="HandleClose">
+                Close
+            </button>
+        </div>
+    </div>
+}

src/ScadaLink.CentralUI/Components/Audit/AuditDrilldownDrawer.razor.cs

@@ -0,0 +1,374 @@
+using System.Globalization;
+using System.Text;
+using System.Text.Json;
+using Microsoft.AspNetCore.Components;
+using Microsoft.JSInterop;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Types.Enums;
+
+namespace ScadaLink.CentralUI.Components.Audit;
+
+/// <summary>
+/// Child component for the central Audit Log page (#23 M7 Bundle C / M7-T4..T8).
+/// Renders one <see cref="AuditEvent"/> in a right-side off-canvas drawer:
+/// read-only fields, conditional Error/Request/Response/Extra subsections,
+/// and action buttons (Copy as cURL, Show all events for this operation,
+/// Close). The drawer is fully presentational — it has no DB or service
+/// dependencies; the host page owns the open/close state.
+///
+/// <para>
+/// <b>Body rendering.</b> Request/Response/Extra summaries are strings.
+/// The drawer pretty-prints JSON when it parses; falls back to verbatim
+/// otherwise. DbOutbound payloads carry a <c>{sql, parameters}</c> JSON
+/// shape and get a SQL code block plus a parameter definition list.
+/// Syntax highlighting is CSS-class-only (<c>language-sql</c>); no JS
+/// library is loaded — Blazor Server + Bootstrap only per the project's UI
+/// rules.
+/// </para>
+///
+/// <para>
+/// <b>Redaction badges.</b> The audit pipeline replaces redacted values
+/// with the literal sentinels <c>&lt;redacted&gt;</c> or
+/// <c>&lt;redacted: redactor error&gt;</c> (see Component-AuditLog.md
+/// §Redaction). The drawer surfaces a yellow "Redacted" badge on a body
+/// section when its text contains either sentinel — it does not attempt
+/// to un-redact or count occurrences.
+/// </para>
+///
+/// <para>
+/// <b>Copy as cURL.</b> Best-effort: the URL comes from <c>Target</c>;
+/// when the RequestSummary parses as <c>{headers, body}</c>, headers are
+/// folded into <c>-H</c> flags and the body into <c>--data-raw</c>. The
+/// command is written to the system clipboard via
+/// <see cref="IJSRuntime.InvokeVoidAsync(string, object?[])"/>. We only
+/// surface the button for API channels (ApiOutbound / ApiInbound).
+/// </para>
+///
+/// <para>
+/// <b>Drill-back.</b> When <see cref="AuditEvent.CorrelationId"/> is set,
+/// the "Show all events" button navigates to
+/// <c>/audit/log?correlationId={id}</c>. The parent page does not
+/// auto-apply that filter today — it is a deep link the page can use
+/// when Bundle D wires up query-string deserialization.
+/// </para>
+/// </summary>
+public partial class AuditDrilldownDrawer
+{
+    [Inject] private IJSRuntime JS { get; set; } = null!;
+    [Inject] private NavigationManager Navigation { get; set; } = null!;
+
+    /// <summary>
+    /// The row to render. When null the drawer renders nothing — the host
+    /// page uses this together with <see cref="IsOpen"/> to drive visibility.
+    /// </summary>
+    [Parameter] public AuditEvent? Event { get; set; }
+
+    /// <summary>
+    /// True when the host wants the drawer visible. We deliberately keep
+    /// this as a separate parameter from <see cref="Event"/>: an open
+    /// drawer briefly with a null event renders nothing (the row may still
+    /// be loading); a closed drawer with a stale event is the resting state.
+    /// </summary>
+    [Parameter] public bool IsOpen { get; set; }
+
+    /// <summary>
+    /// Fired when the user dismisses the drawer (close button or backdrop
+    /// click). The host is expected to flip <see cref="IsOpen"/> to false.
+    /// </summary>
+    [Parameter] public EventCallback OnClose { get; set; }
+
+    private const string RedactionSentinel = "<redacted>";
+    private const string RedactorErrorSentinel = "<redacted: redactor error>";
+
+    private static bool IsApiChannel(AuditChannel channel)
+        => channel is AuditChannel.ApiOutbound or AuditChannel.ApiInbound;
+
+    private static string ShortEventId(Guid eventId)
+    {
+        // Mirror the "first 8 hex digits" presentation common across the UI.
+        var n = eventId.ToString("N");
+        return n.Length >= 8 ? n[..8] : n;
+    }
+
+    private static string FormatTimestamp(DateTime utc)
+    {
+        // Force UTC kind in case the row arrived as Unspecified, then emit
+        // round-trip ISO-8601 so audit drilldowns are copy-paste safe.
+        var kind = utc.Kind == DateTimeKind.Unspecified ? DateTime.SpecifyKind(utc, DateTimeKind.Utc) : utc;
+        return kind.ToString("o", CultureInfo.InvariantCulture);
+    }
+
+    private static bool IsRedacted(string? text)
+    {
+        if (string.IsNullOrEmpty(text)) return false;
+        return text.Contains(RedactionSentinel, StringComparison.Ordinal)
+            || text.Contains(RedactorErrorSentinel, StringComparison.Ordinal);
+    }
+
+    /// <summary>
+    /// Channel-aware body renderer. DbOutbound bodies that parse as
+    /// <c>{sql, parameters}</c> get a SQL block + parameter list; anything
+    /// else falls back to JSON-pretty-print, then plain-text verbatim.
+    /// </summary>
+    private RenderFragment RenderBody(string body, AuditChannel channel) => builder =>
+    {
+        // DbOutbound special-case: try to extract {sql, parameters}.
+        if (channel == AuditChannel.DbOutbound && TryParseDbBody(body, out var sql, out var parameters))
+        {
+            builder.OpenElement(0, "pre");
+            builder.AddAttribute(1, "class", "bg-light border rounded p-2 mb-2 drawer-pre");
+            builder.OpenElement(2, "code");
+            // Highlighting is CSS-class-only — no JS library is loaded.
+            builder.AddAttribute(3, "class", "language-sql");
+            builder.AddContent(4, sql);
+            builder.CloseElement();
+            builder.CloseElement();
+
+            if (parameters is not null && parameters.Count > 0)
+            {
+                builder.OpenElement(10, "dl");
+                builder.AddAttribute(11, "class", "row mb-0 small");
+                builder.AddAttribute(12, "data-test", "sql-parameters");
+                // The analyzer (ASP0006) requires literal sequence numbers
+                // inside a render fragment. We delegate parameter rendering
+                // to a helper fragment that uses a stable @key per entry,
+                // so per-row diffing stays correct even though the outer
+                // sequence number is fixed.
+                builder.AddContent(13, BuildSqlParameterRows(parameters));
+                builder.CloseElement();
+            }
+            return;
+        }
+
+        // Generic JSON pretty-print path.
+        if (TryPrettyPrintJson(body, out var pretty))
+        {
+            builder.OpenElement(20, "pre");
+            builder.AddAttribute(21, "class", "bg-light border rounded p-2 mb-0 drawer-pre json");
+            builder.AddContent(22, pretty);
+            builder.CloseElement();
+            return;
+        }
+
+        // Fallback: verbatim. Wrapping in <pre> preserves whitespace, which
+        // is useful when the body is multi-line plain text or a partial JSON.
+        builder.OpenElement(30, "pre");
+        builder.AddAttribute(31, "class", "bg-light border rounded p-2 mb-0 drawer-pre");
+        builder.AddContent(32, body);
+        builder.CloseElement();
+    };
+
+    private static RenderFragment BuildSqlParameterRows(List<KeyValuePair<string, string>> parameters) => builder =>
+    {
+        foreach (var kv in parameters)
+        {
+            // Literal sequence numbers (ASP0006) + per-element SetKey so
+            // Blazor's diff is still keyed on parameter name. The "0" base
+            // is fine here — each loop iteration produces a disjoint
+            // dt/dd pair, and the diff keys on @key, not sequence.
+            builder.OpenElement(0, "dt");
+            builder.SetKey($"dt-{kv.Key}");
+            builder.AddAttribute(1, "class", "col-4 text-muted fw-normal font-monospace");
+            builder.AddContent(2, kv.Key);
+            builder.CloseElement();
+
+            builder.OpenElement(3, "dd");
+            builder.SetKey($"dd-{kv.Key}");
+            builder.AddAttribute(4, "class", "col-8 font-monospace");
+            builder.AddContent(5, kv.Value);
+            builder.CloseElement();
+        }
+    };
+
+    private static bool TryPrettyPrintJson(string text, out string formatted)
+    {
+        formatted = text;
+        try
+        {
+            using var doc = JsonDocument.Parse(text);
+            formatted = JsonSerializer.Serialize(doc.RootElement, new JsonSerializerOptions { WriteIndented = true });
+            return true;
+        }
+        catch (JsonException)
+        {
+            return false;
+        }
+    }
+
+    private static string PrettyPrintJson(string text)
+        => TryPrettyPrintJson(text, out var pretty) ? pretty : text;
+
+    /// <summary>
+    /// Best-effort parse of a DbOutbound <c>{sql, parameters}</c> body.
+    /// Returns true only when the JSON has a string <c>sql</c> property;
+    /// <c>parameters</c> is treated as an optional object whose values
+    /// stringify to scalar text.
+    /// </summary>
+    private static bool TryParseDbBody(string text, out string sql, out List<KeyValuePair<string, string>>? parameters)
+    {
+        sql = string.Empty;
+        parameters = null;
+        try
+        {
+            using var doc = JsonDocument.Parse(text);
+            if (doc.RootElement.ValueKind != JsonValueKind.Object) return false;
+            if (!doc.RootElement.TryGetProperty("sql", out var sqlProp) || sqlProp.ValueKind != JsonValueKind.String)
+                return false;
+            sql = sqlProp.GetString() ?? string.Empty;
+
+            if (doc.RootElement.TryGetProperty("parameters", out var paramsProp)
+                && paramsProp.ValueKind == JsonValueKind.Object)
+            {
+                parameters = new List<KeyValuePair<string, string>>();
+                foreach (var p in paramsProp.EnumerateObject())
+                {
+                    parameters.Add(new KeyValuePair<string, string>(p.Name, StringifyJsonValue(p.Value)));
+                }
+            }
+            return true;
+        }
+        catch (JsonException)
+        {
+            return false;
+        }
+    }
+
+    private static string StringifyJsonValue(JsonElement value) => value.ValueKind switch
+    {
+        JsonValueKind.String => value.GetString() ?? string.Empty,
+        JsonValueKind.Null => "null",
+        JsonValueKind.True => "true",
+        JsonValueKind.False => "false",
+        JsonValueKind.Number => value.GetRawText(),
+        _ => value.GetRawText(),
+    };
+
+    private async Task HandleClose()
+    {
+        if (OnClose.HasDelegate)
+        {
+            await OnClose.InvokeAsync();
+        }
+    }
+
+    private async Task CopyCurl()
+    {
+        if (Event is null) return;
+
+        var curl = BuildCurlCommand(Event);
+        try
+        {
+            await JS.InvokeVoidAsync("navigator.clipboard.writeText", curl);
+        }
+        catch
+        {
+            // Clipboard interop can fail (denied permission, prerender, etc.).
+            // The drawer stays open; the failure surfaces in the dev console
+            // only — we deliberately do not toast here because the parent
+            // page owns toast state.
+        }
+    }
+
+    private void ShowAllForOperation()
+    {
+        if (Event?.CorrelationId is not { } corr) return;
+        var uri = $"/audit/log?correlationId={corr}";
+        Navigation.NavigateTo(uri);
+    }
+
+    /// <summary>
+    /// Build a cURL command from an audit event. The URL comes from
+    /// <c>Target</c>; when the RequestSummary parses as
+    /// <c>{headers, body, method?}</c>, headers fold into <c>-H</c> flags
+    /// and the body into <c>--data-raw</c>. Default method is POST for
+    /// outbound audit rows — the audit pipeline does not always capture
+    /// the verb explicitly.
+    /// </summary>
+    private static string BuildCurlCommand(AuditEvent ev)
+    {
+        var sb = new StringBuilder();
+        sb.Append("curl");
+
+        string method = "POST";
+        List<KeyValuePair<string, string>>? headers = null;
+        string? body = null;
+
+        if (!string.IsNullOrEmpty(ev.RequestSummary))
+        {
+            TryExtractCurlPartsFromJson(ev.RequestSummary!, ref method, ref headers, ref body);
+        }
+
+        sb.Append(' ').Append("-X ").Append(method);
+
+        if (headers is not null)
+        {
+            foreach (var (name, value) in headers)
+            {
+                sb.Append(' ').Append("-H ");
+                sb.Append(QuoteShellArg($"{name}: {value}"));
+            }
+        }
+
+        if (!string.IsNullOrEmpty(body))
+        {
+            sb.Append(' ').Append("--data-raw ");
+            sb.Append(QuoteShellArg(body!));
+        }
+
+        var url = ev.Target ?? string.Empty;
+        sb.Append(' ').Append(QuoteShellArg(url));
+        return sb.ToString();
+    }
+
+    private static void TryExtractCurlPartsFromJson(
+        string requestSummary,
+        ref string method,
+        ref List<KeyValuePair<string, string>>? headers,
+        ref string? body)
+    {
+        try
+        {
+            using var doc = JsonDocument.Parse(requestSummary);
+            if (doc.RootElement.ValueKind != JsonValueKind.Object) return;
+
+            if (doc.RootElement.TryGetProperty("method", out var m) && m.ValueKind == JsonValueKind.String)
+            {
+                method = m.GetString() ?? method;
+            }
+            if (doc.RootElement.TryGetProperty("headers", out var hs) && hs.ValueKind == JsonValueKind.Object)
+            {
+                headers = new List<KeyValuePair<string, string>>();
+                foreach (var h in hs.EnumerateObject())
+                {
+                    var value = h.Value.ValueKind == JsonValueKind.String
+                        ? h.Value.GetString() ?? string.Empty
+                        : h.Value.GetRawText();
+                    headers.Add(new KeyValuePair<string, string>(h.Name, value));
+                }
+            }
+            if (doc.RootElement.TryGetProperty("body", out var b))
+            {
+                body = b.ValueKind == JsonValueKind.String
+                    ? b.GetString()
+                    : b.GetRawText();
+            }
+        }
+        catch (JsonException)
+        {
+            // RequestSummary wasn't the expected {headers, body} shape —
+            // just produce a bare cURL with no body/headers.
+        }
+    }
+
+    /// <summary>
+    /// Quote a single shell argument with single quotes, escaping embedded
+    /// single quotes via the standard <c>'\''</c> idiom. This is the same
+    /// quoting strategy curl examples use across man pages.
+    /// </summary>
+    private static string QuoteShellArg(string value)
+    {
+        if (string.IsNullOrEmpty(value)) return "''";
+        var escaped = value.Replace("'", "'\\''", StringComparison.Ordinal);
+        return $"'{escaped}'";
+    }
+}

src/ScadaLink.CentralUI/Components/Audit/AuditDrilldownDrawer.razor.css

@@ -0,0 +1,40 @@
+/* Audit Log drilldown drawer (#23 M7 Bundle C).
+   The base offcanvas + backdrop classes come from Bootstrap. The local
+   overrides below pin our preferred width and pre-block behaviour. */
+
+.audit-drilldown-drawer {
+    /* Slightly wider than the parked-messages drawer because audit rows can
+       carry larger JSON bodies and SQL blocks. Clamp to viewport so narrow
+       windows still get the close button on screen. */
+    width: min(720px, 95vw);
+}
+
+.audit-drilldown-drawer .drawer-pre {
+    /* Wrap long lines and bound the per-block height so the drawer body
+       stays scrollable end-to-end instead of pushing the action buttons
+       below the fold. */
+    white-space: pre-wrap;
+    word-break: break-word;
+    max-height: 320px;
+    overflow-y: auto;
+    margin: 0;
+    font-size: 0.8125rem;
+}
+
+.audit-drilldown-drawer .drawer-pre.json {
+    /* JSON blocks get a faint left rule so they read as quoted material. */
+    border-left: 3px solid var(--bs-info-border-subtle);
+}
+
+.audit-drilldown-drawer .drawer-pre code.language-sql {
+    /* CSS-only highlight cue: SQL stays mono with a hint of bold weight on
+       a slightly different background so the SQL block reads distinct from
+       generic JSON pretty-prints without loading a syntax-highlighter JS
+       library. */
+    font-family: var(--bs-font-monospace);
+    color: var(--bs-emphasis-color);
+}
+
+.audit-drilldown-drawer .drawer-footer {
+    background-color: var(--bs-tertiary-bg);
+}

src/ScadaLink.CentralUI/Components/Audit/AuditFilterBar.razor

@@ -0,0 +1,156 @@
+@using ScadaLink.Commons.Entities.Sites
+@using ScadaLink.Commons.Interfaces.Repositories
+@using ScadaLink.Commons.Types.Audit
+@using ScadaLink.Commons.Types.Enums
+@inject ISiteRepository SiteRepository
+
+<div class="card mb-3" data-test="audit-filter-bar">
+    <div class="card-body py-2">
+        @* Channel chip multi-select. *@
+        <div class="mb-2" data-test="filter-channel">
+            <label class="form-label small mb-1">Channel</label>
+            <div>
+                @foreach (var channel in Enum.GetValues<AuditChannel>())
+                {
+                    var selected = _model.Channels.Contains(channel);
+                    <button type="button" data-test="chip-channel-@channel"
+                            class="@ChipClass(selected)"
+                            @onclick="() => ToggleChannel(channel)">
+                        @channel
+                    </button>
+                }
+            </div>
+        </div>
+
+        @* Kind chip multi-select — narrowed by Channel selection. *@
+        <div class="mb-2" data-test="filter-kind">
+            <label class="form-label small mb-1">Kind</label>
+            <div>
+                @foreach (var kind in _model.VisibleKinds())
+                {
+                    var selected = _model.Kinds.Contains(kind);
+                    <button type="button" data-test="chip-kind-@kind"
+                            class="@ChipClass(selected)"
+                            @onclick="() => ToggleKind(kind)">
+                        @kind
+                    </button>
+                }
+            </div>
+        </div>
+
+        @* Status chip multi-select. *@
+        <div class="mb-2" data-test="filter-status">
+            <label class="form-label small mb-1">Status</label>
+            <div>
+                @foreach (var status in Enum.GetValues<AuditStatus>())
+                {
+                    var selected = _model.Statuses.Contains(status);
+                    <button type="button" data-test="chip-status-@status"
+                            class="@ChipClass(selected)"
+                            @onclick="() => ToggleStatus(status)">
+                        @status
+                    </button>
+                }
+            </div>
+        </div>
+
+        @* Site chip multi-select — populated from ISiteRepository. *@
+        <div class="mb-2" data-test="filter-site">
+            <label class="form-label small mb-1">Site</label>
+            <div>
+                @if (_sites.Count == 0)
+                {
+                    <span class="text-muted small">No sites available.</span>
+                }
+                else
+                {
+                    @foreach (var site in _sites)
+                    {
+                        var selected = _model.SiteIdentifiers.Contains(site.SiteIdentifier);
+                        <button type="button" data-test="chip-site-@site.SiteIdentifier"
+                                class="@ChipClass(selected)"
+                                @onclick="() => ToggleSite(site.SiteIdentifier)">
+                            @site.Name
+                        </button>
+                    }
+                }
+            </div>
+        </div>
+
+        <div class="row g-2 align-items-end">
+            <div class="col-auto" data-test="filter-time-range">
+                <label class="form-label small mb-1" for="audit-time-range">Time range</label>
+                <select id="audit-time-range" class="form-select form-select-sm"
+                        @bind="_model.TimeRange">
+                    <option value="@AuditTimeRangePreset.Last5Minutes">Last 5 min</option>
+                    <option value="@AuditTimeRangePreset.LastHour">Last 1h</option>
+                    <option value="@AuditTimeRangePreset.Last24Hours">Last 24h</option>
+                    <option value="@AuditTimeRangePreset.Custom">Custom</option>
+                </select>
+            </div>
+
+            @* Custom datetime range; only the pickers are conditional, the wrapper is
+               always emitted so tests can find it. *@
+            <div class="col-auto" data-test="filter-custom-range">
+                @if (_model.TimeRange == AuditTimeRangePreset.Custom)
+                {
+                    <div class="d-flex gap-1 align-items-end">
+                        <div>
+                            <label class="form-label small mb-1" for="audit-from">From (UTC)</label>
+                            <input id="audit-from" type="datetime-local" class="form-control form-control-sm"
+                                   @bind="_model.CustomFromUtc" />
+                        </div>
+                        <div>
+                            <label class="form-label small mb-1" for="audit-to">To (UTC)</label>
+                            <input id="audit-to" type="datetime-local" class="form-control form-control-sm"
+                                   @bind="_model.CustomToUtc" />
+                        </div>
+                    </div>
+                }
+                else
+                {
+                    <span class="text-muted small">Window: @TimeRangeLabel(_model.TimeRange)</span>
+                }
+            </div>
+
+            <div class="col-auto" data-test="filter-instance">
+                <label class="form-label small mb-1" for="audit-instance">Instance</label>
+                <input id="audit-instance" type="text" class="form-control form-control-sm"
+                       placeholder="contains…" @bind="_model.InstanceSearch" />
+            </div>
+
+            <div class="col-auto" data-test="filter-script">
+                <label class="form-label small mb-1" for="audit-script">Script</label>
+                <input id="audit-script" type="text" class="form-control form-control-sm"
+                       placeholder="contains…" @bind="_model.ScriptSearch" />
+            </div>
+
+            <div class="col-auto" data-test="filter-target">
+                <label class="form-label small mb-1" for="audit-target">Target</label>
+                <input id="audit-target" type="text" class="form-control form-control-sm"
+                       placeholder="contains…" @bind="_model.TargetSearch" />
+            </div>
+
+            <div class="col-auto" data-test="filter-actor">
+                <label class="form-label small mb-1" for="audit-actor">Actor</label>
+                <input id="audit-actor" type="text" class="form-control form-control-sm"
+                       placeholder="contains…" @bind="_model.ActorSearch" />
+            </div>
+
+            <div class="col-auto" data-test="filter-errors-only">
+                <div class="form-check mb-1">
+                    <input class="form-check-input" type="checkbox" id="audit-errors-only"
+                           @bind="_model.ErrorsOnly" />
+                    <label class="form-check-label small" for="audit-errors-only">Errors only</label>
+                </div>
+            </div>
+
+            <div class="col-auto ms-auto">
+                <button class="btn btn-outline-secondary btn-sm me-1"
+                        @onclick="ClearFilters" data-test="filter-clear">Clear</button>
+                <button class="btn btn-primary btn-sm"
+                        @onclick="Apply" data-test="filter-apply">Apply</button>
+            </div>
+        </div>
+    </div>
+</div>

src/ScadaLink.CentralUI/Components/Audit/AuditFilterBar.razor.cs

@@ -0,0 +1,144 @@
+using Microsoft.AspNetCore.Components;
+using ScadaLink.Commons.Entities.Sites;
+using ScadaLink.Commons.Types.Audit;
+using ScadaLink.Commons.Types.Enums;
+
+namespace ScadaLink.CentralUI.Components.Audit;
+
+/// <summary>
+/// Filter bar for the central Audit Log page (#23 M7-T2). Owns the
+/// <see cref="AuditQueryModel"/> binding state, renders the 10 filter elements
+/// plus the Errors-only toggle, and publishes a collapsed
+/// <see cref="AuditLogQueryFilter"/> via <see cref="OnFilterChanged"/> when the
+/// user clicks Apply. See <see cref="AuditQueryModel"/> for the multi-select →
+/// single-value collapse contract.
+/// </summary>
+public partial class AuditFilterBar
+{
+    private readonly AuditQueryModel _model = new();
+    private List<Site> _sites = new();
+
+    /// <summary>
+    /// Raised when the user clicks Apply. Carries the collapsed
+    /// <see cref="AuditLogQueryFilter"/> the parent page hands to
+    /// <see cref="ScadaLink.CentralUI.Services.IAuditLogQueryService"/>.
+    /// </summary>
+    [Parameter] public EventCallback<AuditLogQueryFilter> OnFilterChanged { get; set; }
+
+    /// <summary>
+    /// Test seam: overriding "now" is needed to make the time-range collapse tests
+    /// stable in unit suites. Production callers leave this null and the model
+    /// uses <see cref="DateTime.UtcNow"/>.
+    /// </summary>
+    [Parameter] public Func<DateTime>? NowUtcProvider { get; set; }
+
+    /// <summary>
+    /// Bundle D drill-in seam (#23 M7-T10..T12). When set on first render,
+    /// pre-populates the Instance free-text input. Instance is UI-only — the
+    /// repository filter contract has no instance column — so this flows in
+    /// through a separate parameter rather than the <see cref="AuditLogQueryFilter"/>
+    /// the parent page passes to the grid.
+    /// </summary>
+    [Parameter] public string? InitialInstanceSearch { get; set; }
+
+    protected override async Task OnInitializedAsync()
+    {
+        // One-shot prefill from a drill-in deep link. Subsequent parameter changes
+        // do NOT overwrite user input — the field is owned by the operator after
+        // first render.
+        if (!string.IsNullOrWhiteSpace(InitialInstanceSearch))
+        {
+            _model.InstanceSearch = InitialInstanceSearch.Trim();
+        }
+
+
+        // Populate the Site chips at component init. Failure is non-fatal — the chip
+        // section just shows "No sites available." Sites are listed by Name to match
+        // operator expectations from the Notification Report.
+        try
+        {
+            var sites = await SiteRepository.GetAllSitesAsync();
+            _sites = sites.OrderBy(s => s.Name, StringComparer.OrdinalIgnoreCase).ToList();
+        }
+        catch
+        {
+            // Swallowed: filter bar still renders without the Site chips. The page
+            // surfaces site-load errors elsewhere (the grid query path).
+            _sites = new();
+        }
+    }
+
+    private void ToggleChannel(AuditChannel channel)
+    {
+        if (!_model.Channels.Add(channel))
+        {
+            _model.Channels.Remove(channel);
+        }
+
+        // Drop Kind chips that fall outside the new visible set. Keeps "Channel and
+        // Kind both picked" coherent — without this, removing a channel could leave
+        // stale Kind chips selected that no longer match any visible chip.
+        var visible = _model.VisibleKinds().ToHashSet();
+        _model.Kinds.RemoveWhere(k => !visible.Contains(k));
+    }
+
+    private void ToggleKind(AuditKind kind)
+    {
+        if (!_model.Kinds.Add(kind))
+        {
+            _model.Kinds.Remove(kind);
+        }
+    }
+
+    private void ToggleStatus(AuditStatus status)
+    {
+        if (!_model.Statuses.Add(status))
+        {
+            _model.Statuses.Remove(status);
+        }
+    }
+
+    private void ToggleSite(string siteIdentifier)
+    {
+        if (!_model.SiteIdentifiers.Add(siteIdentifier))
+        {
+            _model.SiteIdentifiers.Remove(siteIdentifier);
+        }
+    }
+
+    private void ClearFilters()
+    {
+        _model.Channels.Clear();
+        _model.Kinds.Clear();
+        _model.Statuses.Clear();
+        _model.SiteIdentifiers.Clear();
+        _model.TimeRange = AuditTimeRangePreset.LastHour;
+        _model.CustomFromUtc = null;
+        _model.CustomToUtc = null;
+        _model.InstanceSearch = string.Empty;
+        _model.ScriptSearch = string.Empty;
+        _model.TargetSearch = string.Empty;
+        _model.ActorSearch = string.Empty;
+        _model.ErrorsOnly = false;
+    }
+
+    private async Task Apply()
+    {
+        var now = NowUtcProvider?.Invoke() ?? DateTime.UtcNow;
+        var filter = _model.ToFilter(now);
+        await OnFilterChanged.InvokeAsync(filter);
+    }
+
+    private static string ChipClass(bool selected) =>
+        selected
+            ? "btn btn-sm btn-primary me-1 mb-1"
+            : "btn btn-sm btn-outline-secondary me-1 mb-1";
+
+    private static string TimeRangeLabel(AuditTimeRangePreset preset) => preset switch
+    {
+        AuditTimeRangePreset.Last5Minutes => "now − 5 min → now",
+        AuditTimeRangePreset.LastHour => "now − 1h → now",
+        AuditTimeRangePreset.Last24Hours => "now − 24h → now",
+        _ => "—",
+    };
+}

src/ScadaLink.CentralUI/Components/Audit/AuditQueryModel.cs

@@ -0,0 +1,171 @@
+using System.Collections.Immutable;
+using ScadaLink.Commons.Types.Audit;
+using ScadaLink.Commons.Types.Enums;
+
+namespace ScadaLink.CentralUI.Components.Audit;
+
+/// <summary>
+/// UI-side binding model for <see cref="AuditFilterBar"/> (#23 M7-T2).
+///
+/// <para>
+/// The model mirrors <see cref="AuditLogQueryFilter"/> but allows multi-select chip
+/// state for Channel / Kind / Status / Site (each a <see cref="HashSet{T}"/>) plus
+/// extra UI-only fields the underlying filter does not carry: the Errors-only toggle,
+/// the time-range preset, and free-text Instance / Script searches.
+/// </para>
+///
+/// <para>
+/// The repository filter contract (<see cref="AuditLogQueryFilter"/>) is single-value
+/// per dimension today; the chip multi-selects therefore collapse to the FIRST
+/// selected chip when the model is published via <see cref="ToFilter"/>. That is a
+/// deliberate Bundle B scope decision — the chip UI is preserved so a follow-up can
+/// either repeat the query per chip or widen the filter contract without rewriting
+/// the form. Instance and Script free-text are also UI-only today: the underlying
+/// filter has no matching columns, so they are dropped during collapse.
+/// </para>
+///
+/// <para>
+/// The Errors-only toggle is a convenience: when true AND no explicit Status chips
+/// are selected, the collapsed filter pins <see cref="AuditStatus.Failed"/> (the
+/// first of {Failed, Parked, Discarded}). When Status chips ARE selected the toggle
+/// is a no-op — the explicit Status filter wins.
+/// </para>
+/// </summary>
+public sealed class AuditQueryModel
+{
+    public HashSet<AuditChannel> Channels { get; } = new();
+    public HashSet<AuditKind> Kinds { get; } = new();
+    public HashSet<AuditStatus> Statuses { get; } = new();
+    public HashSet<string> SiteIdentifiers { get; } = new(StringComparer.OrdinalIgnoreCase);
+
+    public AuditTimeRangePreset TimeRange { get; set; } = AuditTimeRangePreset.LastHour;
+    public DateTime? CustomFromUtc { get; set; }
+    public DateTime? CustomToUtc { get; set; }
+
+    public string InstanceSearch { get; set; } = string.Empty;
+    public string ScriptSearch { get; set; } = string.Empty;
+    public string TargetSearch { get; set; } = string.Empty;
+    public string ActorSearch { get; set; } = string.Empty;
+
+    public bool ErrorsOnly { get; set; }
+
+    /// <summary>
+    /// Maps each channel to the kinds it can emit (per Component-AuditLog.md §4).
+    /// <c>CachedSubmit</c> and <c>CachedResolve</c> appear under both
+    /// <see cref="AuditChannel.ApiOutbound"/> and <see cref="AuditChannel.DbOutbound"/>
+    /// because the cached-call lifecycle is channel-agnostic at submit/resolve time.
+    /// Used by the filter bar to narrow the Kind chip list once Channels are picked.
+    /// </summary>
+    public static readonly IReadOnlyDictionary<AuditChannel, ImmutableList<AuditKind>> KindsByChannel =
+        new Dictionary<AuditChannel, ImmutableList<AuditKind>>
+        {
+            [AuditChannel.ApiOutbound] = ImmutableList.Create(
+                AuditKind.ApiCall, AuditKind.ApiCallCached,
+                AuditKind.CachedSubmit, AuditKind.CachedResolve),
+            [AuditChannel.DbOutbound] = ImmutableList.Create(
+                AuditKind.DbWrite, AuditKind.DbWriteCached,
+                AuditKind.CachedSubmit, AuditKind.CachedResolve),
+            [AuditChannel.Notification] = ImmutableList.Create(
+                AuditKind.NotifySend, AuditKind.NotifyDeliver),
+            [AuditChannel.ApiInbound] = ImmutableList.Create(
+                AuditKind.InboundRequest, AuditKind.InboundAuthFailure),
+        };
+
+    /// <summary>
+    /// Returns the kinds visible in the Kind chip list given the currently selected
+    /// Channels. With no Channel selected, all 10 kinds are visible (no narrowing).
+    /// With one or more Channels selected, the union of the channel-specific kind
+    /// lists is returned (deduplicated and order-stable on first-seen).
+    /// </summary>
+    public IReadOnlyList<AuditKind> VisibleKinds()
+    {
+        if (Channels.Count == 0)
+        {
+            return Enum.GetValues<AuditKind>();
+        }
+
+        var seen = new HashSet<AuditKind>();
+        var result = new List<AuditKind>();
+        foreach (var ch in Channels)
+        {
+            if (!KindsByChannel.TryGetValue(ch, out var kinds))
+            {
+                continue;
+            }
+            foreach (var k in kinds)
+            {
+                if (seen.Add(k))
+                {
+                    result.Add(k);
+                }
+            }
+        }
+        return result;
+    }
+
+    /// <summary>
+    /// Collapses this UI model to the repository's single-value filter.
+    /// See class doc for the multi-select → single-value contract.
+    /// </summary>
+    public AuditLogQueryFilter ToFilter(DateTime utcNow)
+    {
+        var status = ResolveStatus();
+
+        var (fromUtc, toUtc) = ResolveTimeWindow(utcNow);
+
+        return new AuditLogQueryFilter(
+            Channel: Channels.Count > 0 ? Channels.First() : null,
+            Kind: Kinds.Count > 0 ? Kinds.First() : null,
+            Status: status,
+            SourceSiteId: SiteIdentifiers.Count > 0 ? SiteIdentifiers.First() : null,
+            Target: string.IsNullOrWhiteSpace(TargetSearch) ? null : TargetSearch.Trim(),
+            Actor: string.IsNullOrWhiteSpace(ActorSearch) ? null : ActorSearch.Trim(),
+            CorrelationId: null,
+            FromUtc: fromUtc,
+            ToUtc: toUtc);
+    }
+
+    private AuditStatus? ResolveStatus()
+    {
+        if (Statuses.Count > 0)
+        {
+            // Explicit chips win — Errors-only is a no-op.
+            return Statuses.First();
+        }
+
+        if (ErrorsOnly)
+        {
+            // Single-value filter contract: Failed is the lead non-success status.
+            // When the filter widens to multi-value the full {Failed, Parked, Discarded}
+            // set will flow through.
+            return AuditStatus.Failed;
+        }
+
+        return null;
+    }
+
+    private (DateTime? From, DateTime? To) ResolveTimeWindow(DateTime utcNow)
+    {
+        return TimeRange switch
+        {
+            AuditTimeRangePreset.Last5Minutes => (utcNow.AddMinutes(-5), null),
+            AuditTimeRangePreset.LastHour => (utcNow.AddHours(-1), null),
+            AuditTimeRangePreset.Last24Hours => (utcNow.AddHours(-24), null),
+            AuditTimeRangePreset.Custom => (CustomFromUtc, CustomToUtc),
+            _ => (null, null),
+        };
+    }
+}
+
+/// <summary>
+/// Time-range presets surfaced in the filter bar. <see cref="Custom"/> reveals the
+/// FromUtc / ToUtc datetime pickers; the other presets compute From relative to
+/// "now" at the moment Apply is clicked.
+/// </summary>
+public enum AuditTimeRangePreset
+{
+    Last5Minutes,
+    LastHour,
+    Last24Hours,
+    Custom,
+}

src/ScadaLink.CentralUI/Components/Audit/AuditResultsGrid.razor

@@ -0,0 +1,111 @@
+@using ScadaLink.CentralUI.Components.Shared
+@using ScadaLink.CentralUI.Services
+@using ScadaLink.Commons.Entities.Audit
+@using ScadaLink.Commons.Types.Audit
+@using ScadaLink.Commons.Types.Enums
+@inject IAuditLogQueryService QueryService
+
+<div data-test="audit-results-grid">
+    @if (_error is not null)
+    {
+        <div class="alert alert-danger small mb-2">@_error</div>
+    }
+
+    <div class="table-responsive">
+        <table class="table table-sm table-hover align-middle">
+            <thead class="table-light">
+                <tr>
+                    @foreach (var col in OrderedColumns())
+                    {
+                        <th data-test="col-header-@col.Key">@col.Label</th>
+                    }
+                </tr>
+            </thead>
+            <tbody>
+                @if (_rows.Count == 0)
+                {
+                    <tr>
+                        <td colspan="@OrderedColumns().Count" class="text-muted small text-center py-4">
+                            @if (_loading)
+                            {
+                                <span>Loading…</span>
+                            }
+                            else
+                            {
+                                <span>No audit events match the current filter.</span>
+                            }
+                        </td>
+                    </tr>
+                }
+                else
+                {
+                    @foreach (var row in _rows)
+                    {
+                        <tr @key="row.EventId"
+                            data-test="grid-row-@row.EventId"
+                            class="audit-row"
+                            style="cursor: pointer;"
+                            @onclick="() => HandleRowClick(row)">
+                            @foreach (var col in OrderedColumns())
+                            {
+                                <td>
+                                    @RenderCell(col.Key, row)
+                                </td>
+                            }
+                        </tr>
+                    }
+                }
+            </tbody>
+        </table>
+    </div>
+
+    <div class="d-flex justify-content-between align-items-center">
+        <span class="text-muted small">Page @_pageNumber · @_rows.Count rows</span>
+        <button class="btn btn-outline-secondary btn-sm"
+                data-test="grid-next-page"
+                disabled="@(_loading || _rows.Count < _pageSize)"
+                @onclick="NextPage">Next page</button>
+    </div>
+</div>
+
+@code {
+    private RenderFragment RenderCell(string key, AuditEvent row) => __builder =>
+    {
+        switch (key)
+        {
+            case "OccurredAtUtc":
+                var occurredOffset = new DateTimeOffset(DateTime.SpecifyKind(row.OccurredAtUtc, DateTimeKind.Utc));
+                <span title="@row.OccurredAtUtc.ToString("u")">
+                    <TimestampDisplay Value="occurredOffset" Format="yyyy-MM-dd HH:mm:ss" />
+                </span>
+                break;
+            case "Site":
+                <span class="small">@(row.SourceSiteId ?? "—")</span>
+                break;
+            case "Channel":
+                <span class="small">@row.Channel</span>
+                break;
+            case "Kind":
+                <span class="small">@row.Kind</span>
+                break;
+            case "Status":
+                <span data-test="status-badge-@row.EventId" class="badge @StatusBadgeClass(row.Status)">@row.Status</span>
+                break;
+            case "Target":
+                <span class="small">@(row.Target ?? "—")</span>
+                break;
+            case "Actor":
+                <span class="small">@(row.Actor ?? "—")</span>
+                break;
+            case "DurationMs":
+                <span class="small font-monospace">@(row.DurationMs?.ToString() ?? "—")</span>
+                break;
+            case "HttpStatus":
+                <span class="small font-monospace">@(row.HttpStatus?.ToString() ?? "—")</span>
+                break;
+            case "ErrorMessage":
+                <span class="small text-danger" title="@row.ErrorMessage">@TruncateError(row.ErrorMessage)</span>
+                break;
+        }
+    };
+}

src/ScadaLink.CentralUI/Components/Audit/AuditResultsGrid.razor.cs

@@ -0,0 +1,199 @@
+using Microsoft.AspNetCore.Components;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Types.Audit;
+using ScadaLink.Commons.Types.Enums;
+
+namespace ScadaLink.CentralUI.Components.Audit;
+
+/// <summary>
+/// Keyset-paged results grid for the central Audit Log page (#23 M7-T3).
+/// Renders the 10 columns named in Component-AuditLog.md §10:
+/// OccurredAtUtc, Site, Channel, Kind, Status, Target, Actor, DurationMs,
+/// HttpStatus, ErrorMessage. Talks to <see cref="Services.IAuditLogQueryService"/>
+/// — never to <c>IAuditLogRepository</c> directly — so tests can stub the data
+/// source without standing up EF Core.
+///
+/// <para>
+/// <b>Column model.</b> Each column has a stable string key; the visible order
+/// is the <see cref="ColumnOrder"/> parameter. M7 scope: the column-model
+/// framework is in place but resize / drag-reorder UX is intentionally NOT
+/// implemented — the full spec calls for persisted-per-user reordering and
+/// resizing, which M7.x can ship without rewriting the column model. Resizing
+/// today is CSS-based via Bootstrap's <c>.table-responsive</c> wrapper.
+/// </para>
+///
+/// <para>
+/// <b>Pagination.</b> Each page is a single call to
+/// <c>IAuditLogQueryService.QueryAsync</c>. The "Next page" button uses the
+/// LAST row of the current page as the keyset cursor — repository orders by
+/// <c>(OccurredAtUtc DESC, EventId DESC)</c>, so the oldest row in the visible
+/// page becomes <c>AfterOccurredAtUtc</c> + <c>AfterEventId</c> on the next
+/// request. The button is disabled when the current page is short (less than
+/// <see cref="PageSize"/> rows) — that's the conventional "we've reached the
+/// end" signal for keyset paging without a count query.
+/// </para>
+/// </summary>
+public partial class AuditResultsGrid
+{
+    private const int DefaultPageSize = 100;
+
+    private readonly List<AuditEvent> _rows = new();
+    private int _pageNumber = 1;
+    private bool _loading;
+    private string? _error;
+
+    private AuditLogQueryFilter? _activeFilter;
+
+    /// <summary>
+    /// Filter to apply. When this parameter changes the grid resets to page 1 and
+    /// reissues the query — that's the contract the parent page relies on so the
+    /// filter-bar Apply button does not need to drive grid state manually.
+    /// </summary>
+    [Parameter] public AuditLogQueryFilter? Filter { get; set; }
+
+    /// <summary>Page size. Defaults to 100 to match the service-level default.</summary>
+    [Parameter] public int PageSize { get; set; } = DefaultPageSize;
+
+    /// <summary>
+    /// Optional column order — list of column keys in display order. When null or
+    /// empty the default order from Component-AuditLog.md §10 is used. The grid
+    /// silently drops unknown keys.
+    /// </summary>
+    [Parameter] public IReadOnlyList<string>? ColumnOrder { get; set; }
+
+    /// <summary>
+    /// Raised when the user clicks a row. Bundle C wires this to the drilldown
+    /// drawer. The event payload is the full <see cref="AuditEvent"/>.
+    /// </summary>
+    [Parameter] public EventCallback<AuditEvent> OnRowSelected { get; set; }
+
+    // Effective page size used when paging. Mirrors PageSize but bounded > 0.
+    private int _pageSize => Math.Max(1, PageSize);
+
+    /// <summary>
+    /// Default column definitions. The key is the stable identifier (used by
+    /// <c>data-test</c> + the column-order parameter); the label is the user-facing
+    /// header text. Mirrors Component-AuditLog.md §10.
+    /// </summary>
+    private static readonly IReadOnlyList<(string Key, string Label)> AllColumns = new[]
+    {
+        ("OccurredAtUtc", "OccurredAtUtc"),
+        ("Site", "Site"),
+        ("Channel", "Channel"),
+        ("Kind", "Kind"),
+        ("Status", "Status"),
+        ("Target", "Target"),
+        ("Actor", "Actor"),
+        ("DurationMs", "DurationMs"),
+        ("HttpStatus", "HttpStatus"),
+        ("ErrorMessage", "ErrorMessage"),
+    };
+
+    private IReadOnlyList<(string Key, string Label)> OrderedColumns()
+    {
+        if (ColumnOrder is null || ColumnOrder.Count == 0)
+        {
+            return AllColumns;
+        }
+
+        var byKey = AllColumns.ToDictionary(c => c.Key, c => c);
+        var ordered = new List<(string Key, string Label)>(ColumnOrder.Count);
+        foreach (var key in ColumnOrder)
+        {
+            if (byKey.TryGetValue(key, out var col))
+            {
+                ordered.Add(col);
+            }
+        }
+        return ordered.Count == 0 ? AllColumns : ordered;
+    }
+
+    protected override async Task OnParametersSetAsync()
+    {
+        // Reset & reload whenever the filter reference changes. AuditLogQueryFilter
+        // is a record, so equality-by-value gives us a free "did the user click Apply
+        // with the same chips?" no-op signal. We pin to ReferenceEquals here so the
+        // grid reloads only when the parent hands us a new filter instance — the
+        // page wraps Apply in a fresh allocation, which is the canonical reload signal.
+        if (!ReferenceEquals(_activeFilter, Filter))
+        {
+            _activeFilter = Filter;
+            _pageNumber = 1;
+            _rows.Clear();
+            if (Filter is not null)
+            {
+                await LoadAsync(paging: null);
+            }
+        }
+    }
+
+    private async Task NextPage()
+    {
+        if (_rows.Count == 0 || _activeFilter is null)
+        {
+            return;
+        }
+
+        var last = _rows[^1];
+        var cursor = new AuditLogPaging(
+            PageSize: _pageSize,
+            AfterOccurredAtUtc: last.OccurredAtUtc,
+            AfterEventId: last.EventId);
+
+        await LoadAsync(cursor);
+        _pageNumber++;
+    }
+
+    private async Task LoadAsync(AuditLogPaging? paging)
+    {
+        if (_activeFilter is null)
+        {
+            return;
+        }
+
+        _loading = true;
+        _error = null;
+        try
+        {
+            var effective = paging ?? new AuditLogPaging(_pageSize);
+            var page = await QueryService.QueryAsync(_activeFilter, effective);
+            _rows.Clear();
+            _rows.AddRange(page);
+        }
+        catch (Exception ex)
+        {
+            // Surface the error in-place; the grid stays alive so the user can
+            // adjust the filter and retry without a page refresh.
+            _error = $"Query failed: {ex.Message}";
+        }
+        finally
+        {
+            _loading = false;
+        }
+    }
+
+    private async Task HandleRowClick(AuditEvent row)
+    {
+        if (OnRowSelected.HasDelegate)
+        {
+            await OnRowSelected.InvokeAsync(row);
+        }
+    }
+
+    private static string StatusBadgeClass(AuditStatus status) => status switch
+    {
+        AuditStatus.Delivered => "badge bg-success",
+        AuditStatus.Failed or AuditStatus.Parked or AuditStatus.Discarded => "badge bg-danger",
+        _ => "badge bg-secondary",
+    };
+
+    private static string TruncateError(string? message)
+    {
+        if (string.IsNullOrEmpty(message))
+        {
+            return "—";
+        }
+        const int max = 80;
+        return message.Length <= max ? message : string.Concat(message.AsSpan(0, max), "…");
+    }
+}

src/ScadaLink.CentralUI/Components/Health/AuditKpiTiles.razor

@@ -0,0 +1,59 @@
+@*
+    Audit Log (#23) M7 Bundle E (T13) — three Health-dashboard KPI tiles for the
+    Audit channel: Volume / Error rate / Backlog. Renders Bootstrap card tiles in
+    a single row, each acting as a navigation link to a pre-filtered Audit Log
+    view. The component is purely presentational — the parent page owns the
+    refresh loop and passes the latest snapshot via the Snapshot parameter.
+*@
+
+@namespace ScadaLink.CentralUI.Components.Health
+@inject NavigationManager Navigation
+
+<div class="d-flex justify-content-between align-items-center mb-2">
+    <h6 class="text-muted mb-0">Audit</h6>
+    <a class="small" href="/audit/log">View details &rarr;</a>
+</div>
+<div class="row g-3 mb-3">
+    @* ── Volume tile ───────────────────────────────────────────────────────── *@
+    <div class="col-lg-4 col-md-6 col-12">
+        <button type="button"
+                class="card h-100 w-100 text-start border-0 shadow-none p-0 audit-kpi-tile"
+                data-test="audit-kpi-volume"
+                @onclick="NavigateToVolume">
+            <div class="card-body text-center">
+                <h3 class="mb-0">@VolumeDisplay</h3>
+                <small class="text-muted">Audit volume (last hour)</small>
+            </div>
+        </button>
+    </div>
+
+    @* ── Error rate tile ───────────────────────────────────────────────────── *@
+    <div class="col-lg-4 col-md-6 col-12">
+        <button type="button"
+                class="card h-100 w-100 text-start border-0 shadow-none p-0 audit-kpi-tile @ErrorRateBorderClass"
+                data-test="audit-kpi-error-rate"
+                @onclick="NavigateToErrors">
+            <div class="card-body text-center">
+                <h3 class="mb-0 @ErrorRateTextClass">@ErrorRateDisplay</h3>
+                <small class="text-muted">Audit error rate (last hour)</small>
+            </div>
+        </button>
+    </div>
+
+    @* ── Backlog tile ──────────────────────────────────────────────────────── *@
+    <div class="col-lg-4 col-md-6 col-12">
+        <button type="button"
+                class="card h-100 w-100 text-start border-0 shadow-none p-0 audit-kpi-tile @BacklogBorderClass"
+                data-test="audit-kpi-backlog"
+                @onclick="NavigateToBacklog">
+            <div class="card-body text-center">
+                <h3 class="mb-0 @BacklogTextClass">@BacklogDisplay</h3>
+                <small class="text-muted">Audit backlog (sites pending)</small>
+            </div>
+        </button>
+    </div>
+</div>
+@if (!IsAvailable && !string.IsNullOrEmpty(ErrorMessage))
+{
+    <div class="text-muted small mb-3">Audit KPIs unavailable: @ErrorMessage</div>
+}

src/ScadaLink.CentralUI/Components/Health/AuditKpiTiles.razor.cs

@@ -0,0 +1,157 @@
+using Microsoft.AspNetCore.Components;
+using ScadaLink.Commons.Types;
+
+namespace ScadaLink.CentralUI.Components.Health;
+
+/// <summary>
+/// Audit Log (#23) M7 Bundle E (T13) code-behind for <see cref="AuditKpiTiles"/>.
+/// Renders three KPI tiles — volume, error rate, backlog — from a
+/// <see cref="AuditLogKpiSnapshot"/> the parent page supplies. Tiles act as
+/// drill-in links: clicking navigates to <c>/audit/log</c> with the relevant
+/// query-string filter pre-applied (Bundle D already parses these params).
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Why purely presentational.</b> The Health dashboard already owns a 10s
+/// auto-refresh loop and an "as-of" timestamp display; pushing those concerns
+/// into the tile component would either duplicate them (one timer per tile) or
+/// awkwardly couple back to the page. The parent passes a fresh
+/// <see cref="AuditLogKpiSnapshot"/> every refresh and the tile component
+/// re-renders.
+/// </para>
+/// <para>
+/// <b>Error rate division.</b> When <c>TotalEventsLastHour == 0</c> we render
+/// "0%" rather than "—" — the snapshot itself is available, the system just had
+/// no audit traffic to evaluate. This avoids a divide-by-zero AND keeps the
+/// "0% errors" reading semantically true. The em dash is reserved for
+/// <see cref="IsAvailable"/> = <c>false</c>, which represents a failed snapshot
+/// query (different signal from "quiet hour").
+/// </para>
+/// </remarks>
+public partial class AuditKpiTiles
+{
+    /// <summary>
+    /// Latest KPI snapshot. <c>null</c> means the parent has not loaded it yet
+    /// or the load failed — the tiles render em dashes in that case.
+    /// </summary>
+    [Parameter] public AuditLogKpiSnapshot? Snapshot { get; set; }
+
+    /// <summary>
+    /// True when <see cref="Snapshot"/> is a successful query result. False
+    /// when the parent's refresh threw and the displayed values should be
+    /// rendered as em dashes with an error explanation underneath.
+    /// </summary>
+    [Parameter] public bool IsAvailable { get; set; }
+
+    /// <summary>
+    /// Optional error message to render underneath the tiles when
+    /// <see cref="IsAvailable"/> is false. Mirrors how the Notification Outbox
+    /// section on the Health dashboard surfaces transient KPI failures.
+    /// </summary>
+    [Parameter] public string? ErrorMessage { get; set; }
+
+    // ── Volume tile ─────────────────────────────────────────────────────────
+
+    private string VolumeDisplay =>
+        IsAvailable && Snapshot is not null
+            ? Snapshot.TotalEventsLastHour.ToString("N0")
+            : "—";
+
+    private void NavigateToVolume()
+    {
+        // Volume is "all audit rows in the last hour" — no status filter; the
+        // page's existing instance-search seam is enough for drill-in. We rely
+        // on the page's default render which omits a time-range constraint and
+        // shows the newest rows first.
+        Navigation.NavigateTo("/audit/log");
+    }
+
+    // ── Error rate tile ─────────────────────────────────────────────────────
+
+    /// <summary>
+    /// Percentage of error rows (Failed/Parked/Discarded) over the trailing
+    /// hour. Returns 0 when the snapshot is unavailable OR when total events
+    /// is zero (rather than throwing). The display layer renders "—" for the
+    /// unavailable case and "0%" for the zero-events case.
+    /// </summary>
+    internal double ErrorRatePercent
+    {
+        get
+        {
+            if (!IsAvailable || Snapshot is null || Snapshot.TotalEventsLastHour <= 0)
+            {
+                return 0;
+            }
+            return 100.0 * Snapshot.ErrorEventsLastHour / Snapshot.TotalEventsLastHour;
+        }
+    }
+
+    private string ErrorRateDisplay
+    {
+        get
+        {
+            if (!IsAvailable || Snapshot is null)
+            {
+                return "—";
+            }
+            // Format to one decimal so a 1-error-in-2000 rate doesn't round to 0%.
+            return $"{ErrorRatePercent:0.0}%";
+        }
+    }
+
+    // Border + text colour bracket the tile visually: any nonzero error rate
+    // gets a warning border; anything above 10% bumps it to danger. The
+    // thresholds match the Notification Outbox tile pattern (border-warning
+    // when Stuck > 0, border-danger when Parked > 0).
+    private string ErrorRateBorderClass =>
+        !IsAvailable || Snapshot is null || Snapshot.ErrorEventsLastHour == 0
+            ? string.Empty
+            : (ErrorRatePercent >= 10 ? "border-danger" : "border-warning");
+
+    private string ErrorRateTextClass =>
+        !IsAvailable || Snapshot is null || Snapshot.ErrorEventsLastHour == 0
+            ? string.Empty
+            : (ErrorRatePercent >= 10 ? "text-danger" : "text-warning");
+
+    private void NavigateToErrors()
+    {
+        // Drill in pre-filtered to Failed — the most common error class.
+        // (The Audit Log page also accepts ?status=Parked / =Discarded for
+        // operators who want to see those specifically; the tile picks Failed
+        // as the primary surface since it's the only synchronous-failure
+        // status. Parked + Discarded both still appear in the unfiltered grid.)
+        Navigation.NavigateTo("/audit/log?status=Failed");
+    }
+
+    // ── Backlog tile ────────────────────────────────────────────────────────
+
+    private string BacklogDisplay =>
+        IsAvailable && Snapshot is not null
+            ? Snapshot.BacklogTotal.ToString("N0")
+            : "—";
+
+    // Backlog above zero is itself a signal — sites should normally drain to
+    // empty. We render warning when there's a backlog at all; a hard danger
+    // threshold could be added later if ops want it but the on-call playbook
+    // for "backlog > 0" is the same as "backlog > 1000": check why the site
+    // isn't draining.
+    private string BacklogBorderClass =>
+        IsAvailable && Snapshot is not null && Snapshot.BacklogTotal > 0
+            ? "border-warning"
+            : string.Empty;
+
+    private string BacklogTextClass =>
+        IsAvailable && Snapshot is not null && Snapshot.BacklogTotal > 0
+            ? "text-warning"
+            : string.Empty;
+
+    private void NavigateToBacklog()
+    {
+        // The audit-log page itself doesn't carry a per-site backlog grid —
+        // the Health dashboard already shows that per-site card. The natural
+        // drill-in for "the system has a backlog" is the unfiltered Audit Log
+        // page sorted by newest, so an operator can see the most recent rows
+        // and judge whether the queue is moving.
+        Navigation.NavigateTo("/audit/log");
+    }
+}

src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor

@@ -108,11 +108,22 @@
                         </Authorized>
                     </AuthorizeView>
 
-                    @* Audit Log — Admin only *@
-                    <AuthorizeView Policy="@AuthorizationPolicies.RequireAdmin">
+                    @* Audit — gated on the OperationalAudit policy (#23 M7-T15
+                       / Bundle G). Hosts the new Audit Log page (#23 M7) and
+                       the renamed Configuration Audit Log (IAuditService
+                       config-change viewer). Both items share the same gate,
+                       so the section header sits inside the same policy block:
+                       a non-audit user does not even see the heading.
+                       OperationalAudit is satisfied by the Admin, Audit, and
+                       AuditReadOnly roles. *@
+                    <AuthorizeView Policy="@AuthorizationPolicies.OperationalAudit">
                         <Authorized Context="auditContext">
+                            <div role="presentation" class="nav-section-header">Audit</div>
                             <li class="nav-item">
-                                <NavLink class="nav-link" href="/monitoring/audit-log">Audit Log</NavLink>
+                                <NavLink class="nav-link" href="/audit/log">Audit Log</NavLink>
+                            </li>
+                            <li class="nav-item">
+                                <NavLink class="nav-link" href="/audit/configuration">Configuration Audit Log</NavLink>
                             </li>
                         </Authorized>
                     </AuthorizeView>