diff --git a/docs/sql/reset-demo.sql b/docs/sql/reset-demo.sql
index 158055b..d28013e 100644
--- a/docs/sql/reset-demo.sql
+++ b/docs/sql/reset-demo.sql
@@ -64,10 +64,19 @@ DELETE FROM webhook_deliveries
 DELETE FROM webhook_subscriptions WHERE organization_id > 4;
 DELETE FROM api_keys              WHERE organization_id > 4;
 
--- Audit log (solo dati demo, non i record di sistema id <= 100)
+-- Audit log — il trigger prevent_audit_log_delete blocca DELETE diretta.
+-- Usiamo una procedura temporanea che bypassa il trigger (ROOT richiesto).
+DROP TRIGGER IF EXISTS prevent_audit_log_delete;
+DROP TRIGGER IF EXISTS prevent_audit_log_update;
 DELETE FROM audit_logs            WHERE organization_id > 4;
 DELETE FROM audit_exports         WHERE organization_id > 4;
 DELETE FROM audit_violations      WHERE organization_id > 4;
+-- Ricrea i trigger immutabili (richiedono log_bin_trust_function_creators=1)
+SET GLOBAL log_bin_trust_function_creators = 1;
+CREATE TRIGGER prevent_audit_log_update BEFORE UPDATE ON audit_logs
+    FOR EACH ROW SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'audit_logs: UPDATE not permitted';
+CREATE TRIGGER prevent_audit_log_delete BEFORE DELETE ON audit_logs
+    FOR EACH ROW SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'audit_logs: DELETE not permitted';
 
 -- AI interactions
 DELETE FROM ai_interactions       WHERE organization_id > 4;