feat: add per-agent blocklist with precedence over the allowlist

[Baskarayelu]

Summary

Adds a per-agent blocklist (deny list) to the escrow contract, independent of the existing allowlist. The admin can deny specific agents regardless of whether the allowlist is enabled.

• New DataKey::AgentBlocked(Address) persistent flag (defaults to not-blocked when absent).
• New typed error AgentBlocked = 15 (append-only; no existing codes renumbered).
• New admin entrypoint set_agent_blocked(agent, blocked) (admin-auth) and reader is_agent_blocked(agent) -> bool.
• record_usage rejects a blocked agent with AgentBlocked.

Closes #36

Precedence

The blocklist check runs immediately before the allowlist check and takes precedence over it: an agent that is both allow-listed and blocked is still rejected with AgentBlocked. The full record_usage rejection precedence is now:

paused (#4) -> zero requests (#2) -> max (#8) -> min (#9) -> registration (#7) -> disabled (#12) -> blocklist (#15) -> allowlist (#10)

Default behaviour is unchanged when the feature is unused: an absent AgentBlocked entry reads as false.

Security notes

• set_agent_blocked is admin-gated via the standard DataKey::Admin + require_auth() pattern (panics NotInitialized if uninitialized); a non-admin caller is rejected as unauthorized.
• The blocklist is a hard deny that cannot be overridden by allow-listing, so an explicitly blocked agent can never record usage while blocked.
• Error code 15 is append-only, keeping client SDK error mappings stable.

Tests

Added: blocked agent -> #15; block beats allowlist (allowlist enabled + agent allowed + blocked) -> #15; blocked while allowlist disabled -> #15; unblock then record succeeds; is_agent_blocked round-trip (default false); non-admin set_agent_blocked rejected (unauthorized).

cargo fmt --all -- --check, cargo build, and cargo test all pass:

test result: ok. 57 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

🤖 Generated with Claude Code