diff --git a/src/daemon/lib/acl/index.ts b/src/daemon/lib/acl/index.ts
index d693e72..1c7912d 100644
--- a/src/daemon/lib/acl/index.ts
+++ b/src/daemon/lib/acl/index.ts
@@ -13,7 +13,6 @@ export { grantIsLive } from './lifecycle.js';
  * 1. fetch KeyUser; if missing → undefined (no binding exists)
  * 2. KeyUser.revokedAt set → false (subject-level ban beats everything)
  * 3. manual-override layer (LIVE SigningConditions only):
- *    - live explicit reject (method='*', allowed=false) → false
  *    - live matching per-(method,kind) deny → false
  *    - live matching per-(method,kind) grant → true
  * 4. live token grant: a redeemed Token bound to this KeyUser that is
@@ -56,16 +55,10 @@ export async function checkIfPubkeyAllowed(
   const live = liveWhere(now);
-  // Step 3a: live explicit reject.
-  const explicitReject = await prisma.signingCondition.findFirst({
-    where: { keyUserId: keyUser.id, method: '*', allowed: false, ...live },
-  });
-
-  if (explicitReject) {
-    return false;
-  }
-
-  // Step 3b: live matching per-(method, kind) override — deny beats grant.
+  // Step 3: live matching per-(method, kind) override — deny beats grant.
+  // (Subject-level "reject all from this user" is KeyUser.revokedAt, applied
+  // at step 2 via the revoke_user admin command. There is no method='*'
+  // SigningCondition sentinel — nothing writes one.)
   const signingConditionQuery = requestToSigningConditionQuery(method, payload);
   const liveDeny = await prisma.signingCondition.findFirst({
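Review bot: Removing the method='*' / allowed=false lookup in checkIfPubkeyAllowed changes the decision for any such row that already exists in a deployed database, because step 3 now matches only per-(method, kind) rows and a wildcard deny row would no longer be consulted, so that subject falls through to the grant checks instead of being denied. The deleted rejectAllRequestsFromKey in the second hunk wrote allowed=false rows for a KeyUser, so "nothing writes one" holds for new code but not for existing data; whether the schema defaulted method to '*' for those rows is not visible here. A data migration that sets KeyUser.revokedAt for every KeyUser holding a live wildcard deny row (or deletes those rows) should ship with this change, and the step-3 comment should point to it, e.g. `// Legacy wildcard-deny rows were migrated to KeyUser.revokedAt in <MIGRATION_ID>; see that migration before relying on this step.` The enclosing function continues outside the hunk.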
@@ -223,20 +216,3 @@ export async function allowAllRequestsFromKey(
     console.log('allowAllRequestsFromKey', e);
   }
 }
-
-export async function rejectAllRequestsFromKey(remotePubkey: string, keyName: string): Promise {
-  // Upsert the KeyUser with the given remotePubkey
-  const upsertedUser = await prisma.keyUser.upsert({
-    where: { unique_key_user: { keyName, userPubkey: remotePubkey } },
-    update: { },
-    create: { keyName, userPubkey: remotePubkey },
-  });
-
-  // Create a new SigningCondition for the given KeyUser and set allowed to false
-  await prisma.signingCondition.create({
-    data: {
-      allowed: false,
-      keyUserId: upsertedUser.id,
-    },
-  });
-}