Tracks the work to (a) fix the silently-inert token-revocation lookup in JwtAuthenticationFilter, (b) add POST /api/v1/auth/logout that bumps users.token_revoked_before, and (c) replace the broken cross-origin fetch logout in the SPA with proper RP-Initiated Logout (top-level redirect) plus a signed-out splash and prompt=login defence.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>