...seq=1 (closes #174)
Pre-fix: auth_verify / auth_fail audit events lacked the seq field
because the SequenceCounter was installed downstream (in the runner's
per-A2A-request setup) of the auth middleware. The auth chain's
OnAuth callback used plain AuditLogger.Emit and couldn't reach a
counter that didn't exist yet on req.Context().
Symptom (user-visible on v0.15.0):
 auth_verify (no seq) ← BUG
 session_start seq=1
 guardrail_check seq=2
 llm_call seq=3
 ...
The FWS-8 contract promises every event under a given correlation_id
exposes a monotonically increasing seq for gap detection. auth_verify
sitting outside the sequence breaks that.
Fix: install the SequenceCounter on r.Context() BEFORE the auth chain
runs, via a thin middleware wrapper around auth.Middleware in the
runner. The auth callback now uses EmitFromContext(req.Context(), ...)
and stamps seq=1 on auth_verify. The runner's per-A2A-request setup
calls coreruntime.EnsureSequenceCounter (new helper) which detects
the existing counter and reuses it — so session_start lands seq=2
and the sequence is gap-free.
Three pieces:
 - forge-core/runtime/audit_schema.go gains EnsureSequenceCounter:
 returns ctx unchanged when a counter is present, installs a fresh
 one when absent. Used at every invocation-entry point that may
 run downstream of an upstream middleware.
 - forge-cli/runtime/sequence_counter_middleware.go (new) is the
 thin wrapper: composes (next) → authMW(next) → install counter
 → serve. Cost: ~24B counter allocation per request, even on
 skip paths — simpler than threading skip-path knowledge into the
 wrapper, and the alloc is in the same ballpark as the request
 struct.
 - forge-cli/runtime/runner.go:
 * AuthMiddleware: auth.Middleware(authCfg) →
 installSequenceCounterMiddleware(auth.Middleware(authCfg))
 * makeAuthAuditCallback: Emit → EmitFromContext(req.Context())
 * Three in-request WithSequenceCounter(ctx, new(...)) calls →
 EnsureSequenceCounter(ctx). Counter is reused from the auth
 wrapper (auth ON path) or installed fresh (--no-auth path).
 * Scheduler dispatcher's WithSequenceCounter call is left alone
 — it runs outside any HTTP request, no upstream counter.
Three other plain-Emit sites stay as documented in PR #173:
 - source=proxy egress: subprocess HTTP CONNECT has no Go ctx
 - mcp_tool_conflict: startup-time, pre-invocation
 - schedule_fire / schedule_complete: scheduler tick, no A2A scope
End-to-end smoke (--no-auth path):
 session_start seq=1
 session_end seq=2
 invocation_complete seq=3
End-to-end smoke (auth on, internal token):
 auth_verify seq=1 ← FIXED
 session_start seq=2
 session_end seq=3
 invocation_complete seq=4
Tests:
 - TestAuthAudit_SeqStampedWhenCounterInstalled — the #174 pin: with
 a counter on req.Context(), auth_verify lands seq=1
 - TestAuthAudit_NoSeqWhenCounterAbsent — back-compat: no counter →
 omitempty drops the field (legacy embedders without the wrapper)
 - TestSequenceCounterMiddleware_InstallsCounterBeforeNext — the
 wrapper installs the counter before delegating
 - TestEnsureSequenceCounter_ReusesExisting — runner must not
 clobber the auth-installed counter
 - TestEnsureSequenceCounter_InstallsFresh — --no-auth path: install
 a fresh counter when none is present
Schema impact: none. The events were already declared to carry seq.

Reflects PRs #173 and #174 (both merged to main) in the canonical
audit doc and the comprehensive knowledge skill.
docs/security/audit-logging.md — under "Sequence numbers", added:
 - Counter installation order — the SequenceCounter is installed by
 installSequenceCounterMiddleware (wraps the auth chain) so
 auth_verify / auth_fail land seq=1; the runner's request entry
 uses EnsureSequenceCounter to reuse the wrapper-installed counter
 and only allocate fresh on the --no-auth path. Pinned by
 TestAuthAudit_SeqStampedWhenCounterInstalled +
 TestEnsureSequenceCounter_ReusesExisting.
 - Emit invariant — per-invocation events MUST emit via
 EmitFromContext (or a typed helper); plain Emit skips the counter
 and the trace cross-link. The regression behind #173 (tool_exec +
 session_end) and #174 (auth_verify). A 4-row table names the
 sites that intentionally stay on plain Emit (egress proxy
 subprocess CONNECT, MCP startup events, scheduler tick, startup
 banners) and why. Issue #175 is named as the lint follow-up.
.claude/skills/forge.md — three sections updated:
 - § 3 path trace: middleware order now shows
 installSequenceCounterMiddleware as outermost; runner request
 entry uses EnsureSequenceCounter.
 - § 12.4 FWS-8 section: added the Emit invariant paragraph naming
 the regression pins and exception list.
 - § 18 FWS-8 row: appended #173 / #174 follow-up summary +
 #175 lint tracker.
No code change. TOC anchors unchanged. Broken-link sweep clean.