Fix audit events logged as INFO+2 instead of AUDIT

[kimjune01]

Summary

• Add ReplaceAttr to the audit logger's JSON handler so the custom audit level renders as "AUDIT" instead of "INFO+2"
• Fixes compatibility with log aggregation systems (Loki, Elasticsearch) that expect standard level names for filtering

Fixes #4296

Type of change

• Bug fix
• New feature
• Refactoring (no behavior change)
• Dependency update
• Documentation
• Other (describe):

Test plan

• Unit tests (task test)
• E2E tests (task test-e2e)
• Linting (task lint-fix)
• Manual testing (describe below)

Added two tests: one verifying audit events render as "AUDIT", another verifying standard levels (INFO, WARN) are preserved. go test ./pkg/audit/... -count=1: 28 tests passed.

API Compatibility

• This PR does not break the v1beta1 API, OR the api-break-allowed label is applied and the migration guidance is described above.

Does this introduce a user-facing change?

No. Audit log output changes from "INFO+2" to "AUDIT" in JSON logs, but this is a bug fix restoring intended behavior.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.41%. Comparing base (439977d) to head (22c48b7).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5256      +/-   ##
==========================================
- Coverage   68.42%   68.41%   -0.01%     
==========================================
  Files         620      620              
  Lines       63354    63358       +4     
==========================================
  Hits        43349    43349              
- Misses      16768    16774       +6     
+ Partials     3237     3235       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[amirejaz]

Nice fix, and a clear PR description — the problem ("INFO+2" leaking into log aggregators) is well-motivated. The implementation is small and correct. I have two suggestions below: one about making the level comparison more explicit, and one about the second test case re-implementing rather than exercising NewAuditLogger.

[kimjune01]

Thanks for the review @amirejaz — both points addressed in 9bd90a0.

1. Explicit level comparison (auditor.go:64-68): replaced a.Value.Any() == LevelAudit with a slog.Level type assertion. Makes the contract explicit and defensive.

2. Test exercises NewAuditLogger (auditor_test.go:1027-1041): the preserves standard log levels subtest now calls NewAuditLogger directly and asserts on WARN (above the LevelAudit threshold, so it survives the level filter). A regression in the production ReplaceAttr would now be caught. Comment in the test explains why INFO can't be tested through the production path.

go test ./pkg/audit/... passes locally.

[amirejaz]

Linter is flagging two things in the fixup commit:

1. auditor.go:59 — groups in the ReplaceAttr signature is unused. Rename it to _.
2. auditor_test.go:1015 — logger.Log(nil, ...) passes a nil context. Replace nil with context.TODO().

Otherwise looks good — happy to approve once those are fixed.

[kimjune01]

Lint findings addressed in 081101c.

• groups → _ in auditor.go:59
• nil → context.TODO() in auditor_test.go:1015

Tests pass.