diff --git a/docs/plans/2026-05-23-inbound-api-full-response-audit-design.md b/docs/plans/2026-05-23-inbound-api-full-response-audit-design.md
index 81eb294..7cec6c6 100644
--- a/docs/plans/2026-05-23-inbound-api-full-response-audit-design.md
+++ b/docs/plans/2026-05-23-inbound-api-full-response-audit-design.md
@@ -19,9 +19,11 @@ receive" debugging path.
 For `Channel = ApiInbound` rows only, capture `RequestSummary` and
 `ResponseSummary` verbatim up to a hard per-body ceiling of **1 MB**
 (configurable). The 8 KB / 64 KB default/error caps that apply to other channels
-do not apply here. All other channels (`ApiOutbound`, `DbOutbound`,
-`Notification`, cached-call lifecycle, `InboundAuthFailure`) keep the existing
-policy unchanged.
+do not apply here. The carve-out is channel-scoped (NOT kind-scoped): every
+`Channel = ApiInbound` row uses the inbound ceiling regardless of `Kind`, so
+`InboundAuthFailure` rows pick up the same ceiling as `InboundRequest`. All
+other channels (`ApiOutbound`, `DbOutbound`, `Notification`, cached-call
+lifecycle) keep the existing policy unchanged.
 
 ## Capture Policy Change
 
@@ -124,8 +126,9 @@ same "options validation" path used for other AuditLog settings.
   routinely-huge responses, operators use the existing per-target body redactor
   to compress them, or lower the global ceiling.
 - **Changes to other channels' caps.** `ApiOutbound`, `DbOutbound`,
-  `Notification`, cached-call lifecycle rows, and `InboundAuthFailure` keep the
-  existing 8 KB / 64 KB policy.
+  `Notification`, and cached-call lifecycle rows keep the existing 8 KB / 64 KB
+  policy. (`InboundAuthFailure` rows carry `Channel = ApiInbound` and so fall
+  under the inbound ceiling like every other inbound row.)
 
 ## Acceptance Criteria