diff --git a/README.md b/README.md
index 6cc9f9e..9308027 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ certctl is a self-hosted platform for **end-to-end certificate lifecycle automat
 
 ## What It Does
 
-certctl gives you a single pane of glass for every TLS certificate in your organization. The **web dashboard** shows your full certificate inventory — what's healthy, what's expiring, what's already expired, and who owns each one. The **REST API** (68 endpoints) lets you automate everything. **Agents** deployed on your infrastructure generate private keys locally and submit CSRs — private keys never leave your servers. The background scheduler watches expiration dates and triggers renewals automatically — when certificate lifespans drop to 47 days, certctl handles the constant rotation without human involvement.
+certctl gives you a single pane of glass for every TLS certificate in your organization. The **web dashboard** shows your full certificate inventory — what's healthy, what's expiring, what's already expired, and who owns each one. The **REST API** (70 endpoints) lets you automate everything. **Agents** deployed on your infrastructure generate private keys locally and submit CSRs — private keys never leave your servers. The background scheduler watches expiration dates and triggers renewals automatically — when certificate lifespans drop to 47 days, certctl handles the constant rotation without human involvement.
 
 ```mermaid
 flowchart LR
@@ -116,7 +116,7 @@ flowchart TB
     end
 
     subgraph "Data Store"
-        PG[("PostgreSQL 16\n17 tables\nTEXT primary keys")]
+        PG[("PostgreSQL 16\n18 tables\nTEXT primary keys")]
     end
 
     subgraph "Agents"
@@ -158,6 +158,7 @@ flowchart TB
 | `certificate_profiles` | Named enrollment profiles with allowed key types, max TTL, crypto constraints |
 | `agent_groups` | Dynamic device grouping by OS, architecture, IP CIDR, version |
 | `agent_group_members` | Manual include/exclude membership for agent groups |
+| `certificate_revocations` | Revocation records with RFC 5280 reason codes, serial numbers, issuer notification status |
 
 ## Configuration
 
@@ -208,6 +209,8 @@ DELETE /api/v1/certificates/{id}          Archive (soft delete)
 GET    /api/v1/certificates/{id}/versions Version history
 POST   /api/v1/certificates/{id}/renew    Trigger renewal → 202 Accepted
 POST   /api/v1/certificates/{id}/deploy   Trigger deployment → 202 Accepted
+POST   /api/v1/certificates/{id}/revoke   Revoke with RFC 5280 reason code
+GET    /api/v1/crl                        Certificate Revocation List (JSON)
 ```
 
 ### Agents
@@ -360,7 +363,7 @@ make docker-clean       # Stop + remove volumes
 ## Roadmap
 
 ### V1 (v1.0.0 released)
-All nine development milestones (M1–M9) are complete. The backend covers the full certificate lifecycle: Local CA and ACME v2 issuers, NGINX/Apache/HAProxy/F5/IIS target connectors, threshold-based expiration alerting, agent-side ECDSA P-256 key generation, API auth with rate limiting, and a React dashboard with 16 pages wired to the real API. The CI pipeline runs build, vet, test with coverage gates (service layer 30%+, handler layer 50%+), frontend type checking, Vitest test suite, and Vite production build on every push. 525+ tests total: 431 Go test functions (192 service, 212 handler, 4 integration with 35+ subtests, 23 connector) plus 53 frontend Vitest tests covering API client functions and utility helpers. Docker images are published to GitHub Container Registry on every version tag via the release workflow.
+All nine development milestones (M1–M9) are complete. The backend covers the full certificate lifecycle: Local CA and ACME v2 issuers, NGINX/Apache/HAProxy/F5/IIS target connectors, threshold-based expiration alerting, agent-side ECDSA P-256 key generation, API auth with rate limiting, and a React dashboard with 16 pages wired to the real API. The CI pipeline runs build, vet, test with coverage gates (service layer 30%+, handler layer 50%+), frontend type checking, Vitest test suite, and Vite production build on every push. 600+ tests total: 465 Go test functions + 138 subtests (207 service, 226 handler, integration with 40+ subtests, 23 connector) plus 53 frontend Vitest tests covering API client functions and utility helpers. Docker images are published to GitHub Container Registry on every version tag via the release workflow.
 
 ### V2: Operational Maturity
 - **M10: Agent Metadata + Targets** ✅ — agents report OS, architecture, IP, hostname, version via heartbeat; Apache httpd and HAProxy target connectors
@@ -368,7 +371,8 @@ All nine development milestones (M1–M9) are complete. The backend covers the f
 - **M12: Sub-CA + DNS-01 + step-ca** ✅ — Local CA sub-CA mode (enterprise root chain with RSA/ECDSA/PKCS#8), ACME DNS-01 challenges (script-based DNS hooks for any provider, wildcard cert support), step-ca issuer connector (native /sign API with JWK provisioner auth)
 - **M13: GUI Operations** — bulk cert operations (renew, revoke, reassign), deployment timeline, inline policy editor, target config wizard, audit export, short-lived credentials dashboard
 - **M14: Enterprise Connectors** — SSE/WebSocket real-time updates, F5 BIG-IP, IIS, ADCS, OpenSSL/Custom CA implementations
-- **M15: Revocation Infrastructure** — revocation API with reason codes, embedded OCSP responder, CRL endpoint, bulk revocation by profile/owner/agent, revocation webhooks
+- **M15a: Core Revocation** ✅ — revocation API with all RFC 5280 reason codes, JSON CRL endpoint, webhook + email revocation notifications, best-effort issuer notification, `certificate_revocations` table with idempotent recording, 48 new tests
+- **M15b: OCSP + Bulk Revocation + GUI** — embedded OCSP responder, DER-encoded X.509 CRL, short-lived cert exemption, bulk revocation by profile/owner/agent, revocation GUI
 - **M16: Team Adoption** — OIDC/SSO, RBAC (profile-gated), CLI tool, Slack/Teams/PagerDuty/OpsGenie notifiers, bulk cert import
 - **M17: Observability** — expiration calendar, health scores, compliance scoring, Prometheus metrics (issuance/revocation rates, OCSP latency), deployment rollback
 - **M18: Integrations** — MCP server (OpenClaw/Claude/Cursor), CT Log monitoring, DigiCert issuer, filesystem cert discovery
diff --git a/docs/architecture.md b/docs/architecture.md
index 417675b..59b86a1 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -30,7 +30,7 @@ flowchart TB
     end
 
     subgraph "Data Store"
-        PG[("PostgreSQL 16\n17 tables\nTEXT primary keys")]
+        PG[("PostgreSQL 16\n18 tables\nTEXT primary keys")]
     end
 
     subgraph "Agent Fleet"
diff --git a/docs/demo-advanced.md b/docs/demo-advanced.md
index ec7d55c..80e32ff 100644
--- a/docs/demo-advanced.md
+++ b/docs/demo-advanced.md
@@ -501,7 +501,7 @@ flowchart TB
     end
 
     subgraph "Data Store"
-        PG["PostgreSQL 16\n17 tables, TEXT PKs"]
+        PG["PostgreSQL 16\n18 tables, TEXT PKs"]
     end
 
     subgraph "Agent (certctl-agent)"