docs(admin): correct login/logout audit_log claimed_actor field

bootjp · bootjp · commit 85df320f3273 · 2026-04-26T22:53:07.000+09:00
Codex P2 on the latest review of #674: my line 260 said both login and logout `admin_audit` entries include `claimed_actor`, but `auditLogout` (auth_handler.go:442-449) only emits `action`, `actor`, `remote`, and `status`. `claimed_actor` is login-only because the field exists to distinguish the typed access key from the authenticated one — logout has no claim to verify (the actor comes from the already-validated session cookie). A log pipeline that validated field presence against the previous text would misclassify every successful logout as malformed, exactly the operator-facing bug Codex flagged. Replaced the one-line summary with two concrete sample lines — one for login (with `claimed_actor`), one for logout (without) — and a closing sentence telling parsers that `claimed_actor` is present-only-on-login. Same shape verified against auth_handler.go:432-449. No code changes; doc-only.
diff --git a/docs/admin.md b/docs/admin.md
@@ -255,10 +255,21 @@ CR and LF in `forwarded_from` are stripped at the entry point — a
 hostile follower cannot split a single audit line into two by
 smuggling control characters into its node ID.
 
-Login and logout emit their own `admin_audit` lines with
-`action=login` / `action=logout` (plus `actor`, `claimed_actor`,
-`remote`, `status`) so the JWT's lifetime can be correlated with the
-mutations it authorised.
+Login and logout emit their own `admin_audit` lines so the JWT's
+lifetime can be correlated with the mutations it authorised. The
+two shapes differ on a single field — login carries `claimed_actor`
+because the access key the operator typed is distinct from the
+authenticated `actor` (a successful login proves they match; a
+failed login records what was claimed), while logout has no claim
+to verify and omits the field:
+
+```
+admin_audit action=login  actor=AKIA_ADMIN claimed_actor=AKIA_ADMIN remote=10.0.0.7:51234 status=200
+admin_audit action=logout actor=AKIA_ADMIN remote=10.0.0.7:51234 status=200
+```
+
+Log parsers consuming this shape should treat `claimed_actor` as
+present-only-on-login.
 
 ## Troubleshooting
 
