From f767489e2692cb201fe4b3f34907b7098cdfd279 Mon Sep 17 00:00:00 2001
From: master <>
Date: Fri, 27 Mar 2026 12:28:24 +0200
Subject: [PATCH] Authority: update console admin endpoint extensions
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../Console/Admin/ConsoleAdminEndpointExtensions.cs | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs
index 7d878d5d8..f2b5c0df7 100644
--- a/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs
+++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs
@@ -702,6 +702,19 @@ internal static class ConsoleAdminEndpointExtensions
 return Results.NotFound(new { error = "user_not_found", userId });
 }

+ // Prevent disabling the last enabled user in the tenant — doing so would lock
+ // everyone out with no way to recover without direct database access.
+ var enabledUsers = await userRepository.GetAllAsync(tenantId, enabled: true, limit: 2, offset: 0, cancellationToken).ConfigureAwait(false);
+ if (enabledUsers.Count <= 1)
+ {
+ return Results.BadRequest(new
+ {
+ error = "last_admin_user",
+ message = "Cannot disable the last enabled user. At least one user must remain active.",
+ userId,
+ });
+ }
+
 var updatedUser = new UserEntity
 {
 Id = user.Id,
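Review bot: The guard counts every enabled user in the tenant, but the error code it returns is `last_admin_user`. If the remaining enabled accounts have no console-admin rights, disabling the last administrator still passes the check and the tenant is locked out of administration anyway. Either restrict the count to users who can administer the tenant, or, if "any enabled user" is the intended invariant, rename the code to match the message, e.g. `error = "last_enabled_user",`. The count and the later write also appear to be separate repository calls, so two concurrent requests against a tenant with exactly two enabled users could both see `Count == 2` and leave none enabled; the invariant would be safer enforced inside the same transaction or conditional update. The check also runs without confirming that the target user is currently enabled, so in a single-user tenant it would reject requests it has no reason to block. The enclosing handler starts and ends outside this hunk, so how the update is persisted is not visible here.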