Audit
Filterable log of every audit-pattern match across the fleet: `network-exfil`, `code-push`, `eval-exec`, the Nexus-gated mutation set, and any custom org policies. Per ADR-0009, raw command text never leaves the device; only an HMAC of the scrubbed command crosses to the cloud.
Phase 1 §1.4 — Audit engine
Nothing to audit yet
Once the desktop probe is paired (Phase 2) and the audit engine streams events into `audit_events_cloud`, this view shows: severity (low/medium/high/critical), category, allowed/blocked, and the cross-product Nexus webhook source events. Search uses FTS5 locally and Postgres FTS in the cloud.