
docs: mark SEC_REVIEW F41 as fixed in 4ca69f3

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 3 days ago
parent
commit
af42ca5fbc
1 changed file with 21 additions and 1 deletion

+ 21 - 1
doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (8 fixed, 34 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (9 fixed, 33 open).
 
 ---
 
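Review bot: the roll-up arithmetic is consistent (9 fixed + 33 open = 42 sev-1, one finding moved from open to fixed), but the header line itself does not say which finding flipped, so a reader of this hunk alone cannot tie the count change to F41; consider adding the finding id and fix commit to the roll-up line or a short changelog entry under it, e.g. `> Last change: F41 fixed in 4ca69f3`, so the summary stays auditable without diffing the whole file.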
@@ -1397,6 +1397,26 @@
   for a reporter/consumer before performing further activity, then
   re-enable. No special-class audit signal flags the toggle.
 - **Severity: 1**
+- **Status:** Fixed. Two new audit actions —
+  `AuditAction::REPORTER_AUDIT_TOGGLED` (`reporter.audit_toggled`) and
+  `AuditAction::CONSUMER_AUDIT_TOGGLED` (`consumer.audit_toggled`) —
+  fire from the PATCH handlers whenever `audit_enabled` actually flips
+  (no-ops, e.g. PATCHing the field to its current value, do not emit).
+  The standard `reporter.updated` / `consumer.updated` rows continue
+  to carry the full field diff for context, so existing observers
+  keep working; the new action is the flat alertable signal SOC
+  tooling can match on with `WHERE action IN ('reporter.audit_toggled',
+  'consumer.audit_toggled')` rather than walking into the metadata
+  `changes` blob. Both rows live in the same DB transaction as the
+  underlying update, so a partial commit cannot hide the toggle
+  while the field flips. The UI's `AuditController` filter dropdown
+  is extended to expose the new actions. Regression tests in
+  `api/tests/Integration/Admin/ReportersControllerTest.php` and
+  `…/ConsumersControllerTest.php`:
+  `testAuditEnabledToggleEmitsDedicatedAuditRow` (toggle fires both
+  rows; metadata records `from`/`to` booleans) and
+  `testAuditEnabledNoOpDoesNotEmitDedicatedRow` (PATCH with the same
+  value does not fire the dedicated signal).
 
 ### F42 — UI policy proxy controllers rely entirely on API for role enforcement
 - **File:** `ui/src/Controllers/PoliciesController.php:61-118`
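Review bot: the status text asserts a transactional guarantee ("Both rows live in the same DB transaction as the underlying update, so a partial commit cannot hide the toggle") that neither listed regression test exercises; `testAuditEnabledToggleEmitsDedicatedAuditRow` and `testAuditEnabledNoOpDoesNotEmitDedicatedRow` cover emission and the no-op case only. Either add a test that forces the update to fail after the audit write and checks that no `reporter.audit_toggled` / `consumer.audit_toggled` row survives, or state that the transaction boundary was verified by code inspection rather than by test. Also, the status line does not name the fix commit even though the commit message cites `4ca69f3`; adding `(fixed in 4ca69f3)` to the `- **Status:** Fixed.` line keeps the finding traceable to the code change.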