From 43e3367c73fee53a5d9b8c3dcc2b6a09be05531a Mon Sep 17 00:00:00 2001
From: jedarden
Date: Sun, 19 Apr 2026 17:26:20 -0400
Subject: [PATCH] P10.4 followup: log warning on admin session cookie unseal failure
Logs a warning with path and error when cookie unseal fails, helping operators diagnose cross-pod ADMIN_SESSION_SEAL_KEY mismatches in HA deployments (acceptance criterion 2).
Co-Authored-By: Claude Opus 4.7
---
 crates/miroir-proxy/src/auth.rs | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/crates/miroir-proxy/src/auth.rs b/crates/miroir-proxy/src/auth.rs
index 4e7467a..9721999 100644
--- a/crates/miroir-proxy/src/auth.rs
+++ b/crates/miroir-proxy/src/auth.rs
@@ -503,9 +503,15 @@ pub async fn auth_middleware(
 req.extensions_mut().insert(AdminSessionId(session_id));
 return next.run(req).await;
 }
- Err(_) => {
- // Cookie tampering or wrong key — fall through to bearer chain
- // which will reject with InvalidAuth for admin paths.
+ Err(e) => {
+ // Cookie tampering or wrong seal key (e.g. cross-pod key
+ // mismatch in HA). Log a warning so operators can diagnose
+ // ADMIN_SESSION_SEAL_KEY divergence across pods.
+ tracing::warn!(
+ path = %path,
+ error = %e,
+ "admin session cookie unseal failed — tampered cookie or cross-pod key mismatch"
+ );
 }
 }
 }
 }
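Review bot: The `tracing::warn!` in the `Err(e)` arm runs once per request whose cookie fails to unseal, and that cookie is client-supplied before any authentication has succeeded, so a caller with no credentials can drive warn-level log volume and bury the key-mismatch signal this change is meant to surface; consider rate-limiting or sampling the event, or pairing it with a counter metric. `path` is also request-derived, so confirm that the log formatter in use escapes control characters in `%`-formatted fields and that the unseal error's `Display` output never includes cookie bytes or key material (neither is visible in this hunk). The rewritten comment drops the old statement that control falls through to the bearer chain; keep it as the last line of the arm, e.g. `// Fall through to the bearer chain, which rejects admin paths with InvalidAuth.` The body of `auth_middleware` starts and ends outside the hunk.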