What's missing
`specs/behaviors/authorization.md` describes a `jti = '*'` sentinel in the revocations sheet that revokes every JWT for a personId whose `iat` precedes the sentinel's `revokedAt`. The verifier-side code at `apps/api/src/auth/revocation.ts` fully implements the sentinel.
But there's no way for a user to trigger it. No API endpoint exposes "sign out all devices," and the Account screen (`specs/screens/account.md`) only offers "Sign out of this session." A user whose phone is lost can revoke that one session but can't blast every JWT issued before now.
Fix shape
- Add `POST /api/auth/logout-all` (or `POST /api/auth/sessions/revoke-all`), authenticated — writes a sentinel `Revocation` with `jti = '*'`, `personId = caller.id`, `revokedAt = now`. Since the caller's own JWT was issued before `now`, the write revokes it too; the client must clear its local session after a 2xx rather than keep using the token.
- Add a "Sign out of all devices" button to the Account settings screen (`apps/web/src/screens/Account.tsx`).
- Update `specs/api/auth.md` endpoints table + `specs/screens/account.md` Actions table.
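To make the fix shape concrete, here is an added example (not the project's code, and not what `apps/api/src/auth/revocation.ts` actually contains) that models the revocations sheet as an in-memory store, the verifier-side `jti = '*'` check as the spec words it, and the handler body the new endpoint needs. `RevocationStore`, `logoutSession`, `logoutAll`, and the constructed tokens are all assumptions for illustration; timestamps are epoch seconds to match JWT `iat`.

```typescript
// Added example, not code from the project: a minimal model of the
// revocations sheet, the verifier-side `jti = '*'` sentinel check, and the
// handler the missing logout-all endpoint would need. Names, the in-memory
// store and the sample tokens are assumptions for illustration only.

interface Revocation {
  jti: string;        // a specific token id, or '*' for the sentinel
  personId: string;
  revokedAt: number;  // epoch seconds, same unit as JWT `iat`
}

interface Claims {
  jti: string;
  sub: string;        // personId of the token holder
  iat: number;        // epoch seconds
}

class RevocationStore {
  private rows: Revocation[] = [];

  add(row: Revocation): void {
    this.rows.push(row);
  }

  // Verifier-side check. A token is revoked if its own jti is listed, or if a
  // '*' sentinel exists for the same personId and the token's iat precedes
  // the sentinel's revokedAt (strictly, as the spec words it).
  isRevoked(claims: Claims): boolean {
    return this.rows.some(
      (r) =>
        r.personId === claims.sub &&
        (r.jti === claims.jti || (r.jti === '*' && claims.iat < r.revokedAt)),
    );
  }
}

// Existing "sign out of this session" behaviour: revoke exactly one jti.
function logoutSession(store: RevocationStore, caller: Claims, now: number): Revocation {
  const row: Revocation = { jti: caller.jti, personId: caller.sub, revokedAt: now };
  store.add(row);
  return row;
}

// Proposed POST /api/auth/logout-all handler body: write the sentinel for the
// authenticated caller only. The caller's own token was issued before `now`,
// so it is revoked as well; the client must drop its session after this call.
function logoutAll(store: RevocationStore, caller: Claims | null, now: number): Revocation {
  if (caller === null) {
    throw new Error('401: logout-all requires an authenticated session');
  }
  const row: Revocation = { jti: '*', personId: caller.sub, revokedAt: now };
  store.add(row);
  return row;
}

// Constructed scenario: alice loses her phone and signs out everywhere from
// her laptop at t=2000, then logs in again at t=2500.
function lostPhoneScenario(): Record<string, boolean> {
  const store = new RevocationStore();
  const phone: Claims = { jti: 'tok-phone', sub: 'alice', iat: 1000 };
  const laptop: Claims = { jti: 'tok-laptop', sub: 'alice', iat: 1500 };
  const bob: Claims = { jti: 'tok-bob', sub: 'bob', iat: 1000 };
  const sameSecond: Claims = { jti: 'tok-same', sub: 'alice', iat: 2000 };

  logoutAll(store, laptop, 2000);

  const fresh: Claims = { jti: 'tok-fresh', sub: 'alice', iat: 2500 };

  return {
    phone: store.isRevoked(phone),           // true: issued before the sentinel
    laptop: store.isRevoked(laptop),         // true: the calling session is gone too
    bob: store.isRevoked(bob),               // false: the sentinel is per personId
    sameSecond: store.isRevoked(sameSecond), // false: iat == revokedAt does not "precede"
    fresh: store.isRevoked(fresh),           // false: issued after the sentinel
  };
}
```

Two things the scenario makes visible that the bullets above do not: the caller's own session dies with the sentinel, so the web client should treat a successful response the same as a local sign-out; and because `iat` has one-second resolution, a token minted in the same second as the sentinel survives under a strict "precedes" reading. Whether that is acceptable, or whether the comparison should be `<=`, is a question for `specs/behaviors/authorization.md`, not something this example decides.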
Why it's worth the work
Compromised-device recovery is a real account-security need. The hard part (the verifier-side sentinel) is already done; this is just plumbing.
Identified during the 2026-05-30 post-cutover-blog spec-drift audit.