fix(auth): RevokeAuthorityOverrideAsync ignores action parameter and may revoke wrong override

[github-actions]

Summary

IAuthorityPort.RevokeAuthorityOverrideAsync in AuthorityService queries AuthorityOverrides by AgentId/TenantId/IsActive but ignores the action parameter and calls FirstOrDefaultAsync(). When multiple active override rows exist for the same agent/tenant, this can revoke an unrelated or already-expired override, leaving the requested elevated permission in place.

Affected file

src/BusinessApplications/AgentRegistry/Services/AuthorityService.cs — lines 745-760

Required fix

Add action to the LINQ filter and choose deterministically:

var activeOverride = (await _dbContext.AuthorityOverrides
    .Where(o => o.AgentId == agentId
             && o.TenantId == tenantId
             && o.IsActive
             && o.ExpiresAt > DateTimeOffset.UtcNow)
    .OrderByDescending(o => o.CreatedAt)
    .ToListAsync())
    .FirstOrDefault(o => o.OverrideScope?.AllowedApiEndpoints?.Contains(action) == true);

References

• PR Phase 16: Remaining widgets, role-based UI, frontend tests #361 review: Phase 16: Remaining widgets, role-based UI, frontend tests #361 (comment)
• Severity: 🔴 Critical

[blocksorg]

Mention Blocks like a regular teammate with your question or request:

@blocks can you add technical details to this issue?
@blocks make the following changes ...
@blocks create an issue from what was mentioned in the following comment ...
@blocks explain the following code ...
@blocks are there any security or performance concerns?

Run @blocks /help for more information.

Workspace settings | Disable this message