Drove the full revocation flow against a running cameleer-server-app jar
(temp postgres+clickhouse, env-var admin):

  GET /auth/me with fresh token -> 200
  POST /auth/logout -> 204
  GET /auth/me with same revoked token -> 401
  POST /auth/logout (unauthenticated) -> 204
  users.token_revoked_before -> non-null
  audit_log (action=logout, category=AUTH) -> 1 row, SUCCESS

Proves the full chain end-to-end: controller revokes, audit lands, and
the JwtAuthenticationFilter prefix-strip fix actually enforces revocation
against the bare users.user_id (the original bug).

Browser-driven SPA smoke is still owed — Playwright MCP allowlist in
this env blocks 8081, so the SPA flow was verified by code-inspection
during Tasks 4+5. OIDC-user smoke against Logto remains owed pending
post_logout_redirect_uri registration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>