
Docs: mark R01-N04 fixed, refresh SPEC §9 / §13

- doc/REVIEW_01.md: flip R01-N04 (HIGH, SESSION_SECRET documented but
  unused) to fixed-in-296883c with the path taken (the smaller "remove
  it" branch). Strike out R01-N04 in the suggested ordering; next open
  finding in the cadence is R01-N15 (rel="noopener noreferrer", a
  one-character fix).
- SPEC §9: insert a new shipped entry above the R01-N02 one explaining
  why the "remove it" path was preferred and listing the renumbered
  admin-manual subsections.
- SPEC §13: append 296883c plus the previously-missing 18389bb so the
  history block covers every commit since the audit doc landed.

No code, no test delta — pure docs follow-up to 296883c.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 2 days ago
commit f075e1281c
2 changed files with 25 additions and 2 deletions
  1. SPEC.md (+19, -0)
  2. doc/REVIEW_01.md (+6, -2)

+ 19 - 0
SPEC.md

@@ -1045,6 +1045,23 @@ with a `BOOTSTRAP_ADMIN` audit row.
       unchanged. *New sprint* stays in the header as the one
       quick-action admins reach for from any page.
 
+- [x] **R01-N04 — `SESSION_SECRET` removed from env template + docs**
+      (`296883c`). The env var was documented as the salt for the
+      session cookie name / CSRF tokens but nothing in the code reads
+      it (`SessionGuard` doesn't reference it; CSRF tokens are
+      `bin2hex(random_bytes(32))`; the session id is PHP-generated).
+      Operators who rotated the secret expecting sessions / tokens to
+      invalidate got a false sense of security. Took the "remove it"
+      branch from REVIEW_01's two options — wiring the value into a
+      CSRF HMAC or session-id derivation is recorded as a follow-up if
+      a deploy-time rotation knob is wanted later. Touched
+      `.env.example`, `README.md`, this file's §8, and
+      `doc/admin-manual.md` (dropped §3.3 entirely; renumbered the
+      remaining `Database / Environment / Local admin` subsections from
+      §3.4-§3.6 down to §3.3-§3.5). Existing deployments' `.env` files
+      keep their (now-dead) `SESSION_SECRET=` line; harmless. Pure docs
+      change — no code, no test count delta.
+
 - [x] **R01-N02 / R01-N31 — Runtime panel on `/` is now admin-only**
       (`7fd849b`). `views/home.twig`'s "Runtime" `<details>` block was
       previously rendered for anonymous visitors as well as admins,
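Review bot: the follow-up (wiring the value into a CSRF HMAC or session-id derivation) is only "recorded as a follow-up" here without saying where; give it a home (a sub-item under R01-N04 in doc/REVIEW_01.md or its own finding id) so the option survives once this §9 entry is no longer the newest. Also, the closing "harmless" on the dead `SESSION_SECRET=` line is weaker than the REVIEW_01 wording in the same commit ("harmless, can be deleted at any time"); telling operators to drop it keeps a secret-looking value that nothing consumes out of `.env`, which is the same false-confidence pattern the finding describes.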
@@ -1174,6 +1191,8 @@ before acting — nothing here is load-bearing once it grows stale.
 ## 13. Git history (as of this writing)
 
 ```
+296883c Fix R01-N04: drop unused SESSION_SECRET from env template + docs
+18389bb Docs: mark R01-N02 / R01-N31 fixed, refresh SPEC §9 / §11 / §13
 7fd849b Fix R01-N02 / R01-N31: gate runtime panel on home page to admins
 912ef9b doc/REVIEW_01.md: initial security + fishy-pattern audit
 756650a SPEC.md: note new-sprint form weeks-drop + task list row hover
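Review bot: §13 can never list the commit that edits it, so the block will always lag one commit behind (f075e1281c, this change, is itself absent); a short note under the "as of this writing" header saying so would stop the next reader from treating the missing newest entry as another gap like 18389bb was.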

+ 6 - 2
doc/REVIEW_01.md

@@ -113,7 +113,11 @@ note. Do not delete entries — they're history.
 
 ### R01-N04 — `SESSION_SECRET` env var is documented but unused
 - **Severity**: HIGH (misleading documentation; not actively exploitable).
-- **Status**: open.
+- **Status**: fixed-in-`296883c` — removed from `.env.example`,
+  `SPEC.md` §8, `README.md`, and `doc/admin-manual.md` §3.3 (subsequent
+  subsections renumbered). Took the "remove it" path called out in the
+  Suggested-fix list. Existing deployments' `.env` files keep their dead
+  `SESSION_SECRET=` line; harmless, can be deleted at any time.
 - **Where**:
   - `.env` / `.env.example` line 11.
   - `src/Auth/SessionGuard.php` — no reference.
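Review bot: the **Where** list still says `.env` / `.env.example` line 11, which is stale now that the new status line says the variable was removed from `.env.example`; mark it as the pre-`296883c` location (for example "`.env.example` line 11 (before `296883c`)") or drop the line number so the entry does not point at a line that no longer exists.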
@@ -631,7 +635,7 @@ A reasonable cadence (do not treat as binding):
 
 1. ~~**R01-N02** (homepage info disclosure)~~ — fixed in `7fd849b`. Also
    closes R01-N31.
-2. **R01-N04** (`SESSION_SECRET` doc cleanup) — pure docs.
+2. ~~**R01-N04** (`SESSION_SECRET` doc cleanup)~~ — fixed in `296883c`.
 3. **R01-N15** (`rel="noopener noreferrer"`) — one-character fix.
 4. **R01-N11** (audit column whitelist) — defensive, trivial.
 5. **R01-N01** (local-admin password hashing) — biggest single security