
log rotation implementation (and design) #5

Merged: pmonday merged 1 commit into main from 2-design-audit-log-file-rotation-mechanism-for-regulatory-compliance on Apr 29, 2026


@pmonday pmonday commented Apr 29, 2026

Summary

Implements audit log file rotation for regulatory compliance (FDA 21 CFR Part 11, SOX & 802, HIPAA § 164.312(b), GDPR Art. 30). Adds cryptographic cross-log chaining so rotated logs form an unbroken audit trail.
Resolves #2

Key Changes

Core rotation logic (log.go, audit.go, foundation.go)

  • Log.Rotate() — writes a log.terminus entry to the current log, then creates a new log with a log.genesis entry that cryptographically references the old log
  • Log.Fingerprint() — SHA-256 hash of the entire log file, stored in both terminus and genesis entries
  • Log.IsTerminus() / Log.IsGenesis() — helper methods to inspect log role
  • VerifyChain() — validates cross-log integrity across all rotated logs in a directory
  • DefaultRotatePath() — generates next log path using zero-padded sequence (audit-log.000.jsonl, audit-log.001.jsonl, ...)
  • New types: RotationReason (size_threshold, time_threshold, manual) and library-internal EventType constants (EventLogTerminus, EventLogGenesis)
  • Foundation extended with LogRole and LogRef fields (omitted when empty via omitempty)

CLI (cmd/sealcheck/main.go)

  • New verify-chain <dir> <base> subcommand for cross-log verification

Tests (audit_test.go)

  • Tests for rotation event types, reasons, fingerprinting, single and double rotation, and chain verification

Docs (docs/rotation.md)

  • Full design document covering rotation process, cryptographic binding, verification, atomicity, and CFR Part 11 compliance mapping

Files Changed (9 files, +918 / -4)

| File | Change |
|------|--------|
| log.go | +315 lines — rotation methods and VerifyChain |
| docs/rotation.md | +290 lines — design documentation |
| audit_test.go | +199 lines — rotation tests |
| cmd/sealcheck/main.go | +18 lines — verify-chain subcommand |
| audit.go | +15 lines — event types and rotation reasons |
| foundation.go | +4 lines — LogRole, LogRef fields |
| README.md | +35 lines |
| .gitignore | +9 lines |

Verification

```sh
go test -race ./...
go build -o sealcheck ./cmd/sealcheck
./sealcheck verify-chain /tmp/testdir audit-log
```

@pmonday pmonday linked an issue Apr 29, 2026 that may be closed by this pull request
Comment thread log.go Dismissed
@pmonday pmonday merged commit b488179 into main Apr 29, 2026
2 checks passed
@pmonday pmonday deleted the 2-design-audit-log-file-rotation-mechanism-for-regulatory-compliance branch April 29, 2026 19:24
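
The cross-log binding summarized in this pull request, sketched as an added example (not the project's code): each log's genesis entry is assumed to carry the SHA-256 of the complete previous file, and every rotated log is assumed to end with a terminus entry. The JSON field names `log_role` and `log_ref`, the role values, and the sample logs are constructed assumptions; the project's `VerifyChain()` may differ.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type entry struct { // only the fields read here; the JSON names are assumed
	LogRole string `json:"log_role"`
	LogRef  string `json:"log_ref"`
}

func fingerprint(file []byte) string { return fmt.Sprintf("%x", sha256.Sum256(file)) }

// verifyChain returns -1 for an intact chain, else the index of the first break.
func verifyChain(files [][]byte) (int, error) {
	for i, f := range files {
		lines := bytes.Split(bytes.TrimSpace(f), []byte("\n"))
		var first, last entry
		if json.Unmarshal(lines[0], &first) != nil || json.Unmarshal(lines[len(lines)-1], &last) != nil {
			return i, fmt.Errorf("log %d: unparsable first or last entry", i)
		}
		if i > 0 && (first.LogRole != "genesis" || first.LogRef != fingerprint(files[i-1])) {
			return i, fmt.Errorf("log %d: genesis does not match log %d", i, i-1)
		}
		if i < len(files)-1 && last.LogRole != "terminus" {
			return i, fmt.Errorf("log %d: rotated without a terminus entry", i)
		}
	}
	return -1, nil
}

// sampleChain builds three constructed logs; each genesis names the prior file's hash.
const sampleFmt = "{\"log_role\":\"genesis\",\"log_ref\":\"%s\"}\n{\"event\":\"record.update\",\"seq\":%d}\n{\"log_role\":\"terminus\"}\n"
func sampleChain() (files [][]byte) {
	for i, ref := 0, ""; i < 3; i++ {
		files = append(files, []byte(fmt.Sprintf(sampleFmt, ref, i)))
		ref = fingerprint(files[i])
	}
	return files
}

func main() {
	files := sampleChain()
	fmt.Println(verifyChain(files)) // intact chain: index -1, no error
	files[1] = bytes.Replace(files[1], []byte(`"seq":1`), []byte(`"seq":9`), 1)
	fmt.Println(verifyChain(files)) // the edit to log 1 is caught at log 2's genesis
}
```

A modified rotated file is reported at the index of its successor, because that is where the stored fingerprint stops matching; the newest log has no successor, so this check alone does not cover it.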