diff --git a/docs/requirements/Component-AuditLog.md b/docs/requirements/Component-AuditLog.md index 285f4f6..7280374 100644 --- a/docs/requirements/Component-AuditLog.md +++ b/docs/requirements/Component-AuditLog.md @@ -95,8 +95,8 @@ row per lifecycle event across all channels. | `DurationMs` | `int` NULL | Call / attempt duration. | | `ErrorMessage` | `nvarchar(1024)` NULL | Truncated; `ErrorDetail` for full text. | | `ErrorDetail` | `nvarchar(max)` NULL | Optional full exception text on failures. | -| `RequestSummary` | `nvarchar(max)` NULL | Truncated request payload (configurable cap). Headers redacted. | -| `ResponseSummary` | `nvarchar(max)` NULL | Truncated response payload. Full on errors. | +| `RequestSummary` | `nvarchar(max)` NULL | Truncated request payload (configurable cap). Headers redacted. For `Channel = ApiInbound`, captured in full up to `AuditLog:InboundMaxBytes` (default 1 MiB) — see Payload Capture Policy. | +| `ResponseSummary` | `nvarchar(max)` NULL | Truncated response payload. For `Channel = ApiInbound`, captured in full up to `AuditLog:InboundMaxBytes` (default 1 MiB). For other channels, capped at `DefaultCapBytes` by default and `ErrorCapBytes` on error rows. | | `PayloadTruncated` | `bit` | Set if either summary was truncated. | | `Extra` | `nvarchar(max)` NULL | Channel-specific JSON for fields we don't promote to columns. | 
@@ -262,6 +262,7 @@ operational `SiteCalls` shape for the dispatcher and UI. - **Default cap** — 8 KB for each of `RequestSummary` and `ResponseSummary`; raised to 64 KB on any error row (`Status IN ('Failed', 'Parked', 'Discarded')`). +- **Inbound API exception.** For `Channel = ApiInbound`, `RequestSummary` and `ResponseSummary` are captured in full up to a per-body hard ceiling of 1 MiB (configurable via `AuditLog:InboundMaxBytes`; default 1 048 576 bytes; min 8 192; max 16 777 216). The 8 KiB / 64 KiB default/error caps that apply to other channels do not apply here. `PayloadTruncated = 1` is set only when the inbound ceiling is hit — verbatim capture is the normal case. The ceiling applies independently to each body. Header redaction and per-target body redactors still run before persistence. - **Truncation** — UTF-8 byte-safe; `PayloadTruncated = 1` when applied. Full bodies are never stored. - **HTTP headers** — `Authorization`, `Cookie`, `Set-Cookie`, `X-API-Key`, and
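Review bot: in the `@@ -95,8 +95,8 @@` hunk (column table), the two rewritten rows are no longer parallel. `ResponseSummary` now names the other-channel caps (`DefaultCapBytes`, `ErrorCapBytes`) while `RequestSummary` still says only "configurable cap" and never mentions the error-row cap, and only the `RequestSummary` row points to Payload Capture Policy. The cap keys are also written unqualified next to the fully qualified `AuditLog:InboundMaxBytes`, and they are not defined anywhere in the lines shown. Suggest giving both rows the same wording, writing all three keys with their full configuration path, and adding the cross-reference to both rows. "Headers redacted." appears only on the `RequestSummary` row; if response headers are redacted too, say so on the `ResponseSummary` row, since that row now describes full-body capture with no mention of redaction.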
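Review bot: in the `@@ -262,6 +262,7 @@` hunk, the added "Inbound API exception" bullet contradicts the unchanged Truncation bullet that follows it, which still says "Full bodies are never stored." while the new text makes verbatim capture the normal case for `Channel = ApiInbound`. Suggest scoping that sentence to the non-inbound channels or removing it in the same change. The new bullet also leaves the order of truncation and redaction unstated: it says the redactors "still run before persistence" but not whether they run before the `AuditLog:InboundMaxBytes` ceiling is applied; if truncation came first, a value cut at the ceiling could escape a body redactor, so the order is worth one explicit sentence. Two style points: the Default cap bullet says 8 KB and 64 KB while the new bullet calls the same caps 8 KiB / 64 KiB, so pick one unit; and the new label ends in a period where the neighbouring bullets use a bold label followed by a dash.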