Add a per-agent blocklist to deny specific agents independent of the allowlist

[mikewheeleer]

Implement an agent blocklist (deny list) in record_usage

Description

Access control in contracts/escrow/src/lib.rs is allowlist-only: AllowlistEnabled + AgentAllowed(Address) admit listed agents while it is on. There is no way to deny a single abusive agent while leaving the contract otherwise open — the operator must flip the global allowlist on and re-list every legitimate agent, which is operationally heavy during an incident. This issue adds a complementary deny list that blocks named agents regardless of the allowlist state.

Requirements and context

• Repository scope: Agentpay-Org/Agentpay-contracts only.
• Add DataKey::AgentBlocked(Address) and admin set_agent_blocked(agent, blocked) / read is_agent_blocked(agent) using the existing admin-auth pattern.
• In record_usage, reject a blocked agent with a new AgentBlocked error (next free code, append-only) — the block must take precedence over the allowlist (a blocked agent is rejected even if also allow-listed).
• Document the precedence order (paused → zero → bounds → registration → disabled → blocklist → allowlist) precisely and decide where the new check slots in.
• Default to not-blocked (absent entry) so existing behaviour is unchanged when unused.

Suggested execution

• Fork the repo and create a branch
• git checkout -b feature/contracts-agent-blocklist
• Implement changes
  • Write code in: contracts/escrow/src/lib.rs — blocklist key, setter/getter, and the record_usage deny check + new error variant.
  • Write comprehensive tests in: contracts/escrow/src/test.rs — blocked agent rejected, block beats allowlist, unblock restores access, round-trip getters.
  • Add documentation: document the blocklist and precedence in README.md.
  • Include NatSpec-style doc comments (///) matching the existing style in lib.rs.
  • Validate security: an agent cannot self-unblock, precedence is unambiguous.
• Test and commit

Test and commit

• Run cargo fmt --all -- --check, cargo build, and cargo test.
• Cover edge cases: blocked + allow-listed, blocked while allowlist disabled, unblock then record, non-admin setter.
• Include the full cargo test output and a short security notes section in the PR description.

Example commit message

feat: add per-agent blocklist with precedence over the allowlist

Guidelines

• Minimum 95 percent test coverage for impacted modules.
• Clear, reviewer-focused documentation.
• Timeframe: 96 hours.

Community & contribution rewards

• 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
• ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.

[Baskarayelu]

I’d love to be assigned this issue and contribute across the relevant areas, whether it involves smart contracts, UI development, backend logic, design implementation, or overall system integration. I’m comfortable working across the full stack and can adapt to the project’s technical requirements to ensure a smooth and consistent contribution.

[grantfox-oss]

🦊 GrantFox — @Baskarayelu has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #36)
2. Your PR will be reviewed by the Agentpay-Org maintainers

Good luck! Track your progress on GrantFox.

[grantfox-oss]

🎉 This issue has been marked as completed on GrantFox as part of the Official Campaign campaign!

@Baskarayelu's PR #64 was approved and merged by @mikewheeleer.

🏆 @Baskarayelu: You earned 35 FoxPoints for this contribution! Your current tier: Explorer (328 total points). Track your full progress on GrantFox.

👏 Great work, @Baskarayelu! Keep contributing to Agentpay-Org.