47c303afa0
Drove the full revocation flow against a running cameleer-server-app jar (temp postgres+clickhouse, env-var admin): GET /auth/me with fresh token -> 200 POST /auth/logout -> 204 GET /auth/me with same revoked token -> 401 POST /auth/logout (unauthenticated) -> 204 users.token_revoked_before -> non-null audit_log (action=logout, category=AUTH) -> 1 row, SUCCESS Proves the full chain end-to-end: controller revokes, audit lands, and the JwtAuthenticationFilter prefix-strip fix actually enforces revocation against the bare users.user_id (the original bug). Browser-driven SPA smoke is still owed — Playwright MCP allowlist in this env blocks 8081, so the SPA flow was verified by code-inspection during Tasks 4+5. OIDC-user smoke against Logto remains owed pending post_logout_redirect_uri registration. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>