feat(organization): add suspension support

[Piskoo]

Summary

Added a suspended field to the Organization schema and a suspension middleware that blocks access when an org is suspended.

Examples

Non account/org related requests fail

$ chainloop att init --project myproject --workflow suspend
WRN API contacted in insecure mode
WRN User-attended mode detected. This is intended for local testing only. For CI/CD or automated workflows, please use an API token.
This command will run against the organization "myorg"
Please confirm to continue y/N
y
ERR organization is suspended, read-only access only
exit status 1

$ chainloop wf contract create --name suspended
WRN API contacted in insecure mode
ERR organization is suspended, read-only access only
exit status 1

$ chainloop org api-token create --name suspended
WRN API contacted in insecure mode
ERR organization is suspended, read-only access only
exit status 1

$ chainloop wf contract describe --name vulnerabilities -o schema
WRN API contacted in insecure mode
ERR organization is suspended, read-only access only

Org/account management requests pass

$ chainloop org member ls
WRN API contacted in insecure mode
┌──────────────────────────────────────┬───────────────────────┬────────┬─────────────────────┐
│ ID                                   │ EMAIL                 │ ROLE   │ JOINED AT           │
├──────────────────────────────────────┼───────────────────────┼────────┼─────────────────────┤
│ e0bc184d-4455-425f-9179-3cb276745329 │ john@chainloop.local  │ member │ 12 Dec 25 10:58 UTC │
├──────────────────────────────────────┼───────────────────────┼────────┼─────────────────────┤
│ c7740e0e-1a0c-467b-8bde-036b4d753bf7 │ sarah@chainloop.local │ owner  │ 16 Jun 25 09:09 UTC │
└──────────────────────────────────────┴───────────────────────┴────────┴─────────────────────┘
INF Showing [1-2] out of 2


$ chainloop org set --name myorg
WRN API contacted in insecure mode
INF Organization switched!
┌───────┬─────────┬─────────┬───────┬─────────────────────────┬─────────────────────┐
│ NAME  │ CURRENT │ DEFAULT │ ROLE  │ DEFAULT POLICY STRATEGY │ JOINED AT           │
├───────┼─────────┼─────────┼───────┼─────────────────────────┼─────────────────────┤
│ myorg │ true    │ true    │ owner │ ADVISORY                │ 16 Jun 25 09:09 UTC │
└───────┴─────────┴─────────┴───────┴─────────────────────────┴─────────────────────┘

Closes #3005

[cubic-dev-ai]

1 issue found across 26 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="app/controlplane/pkg/authz/authz.go">

<violation number="1" location="app/controlplane/pkg/authz/authz.go:500">
P2: `regexp.MatchString` recompiles the pattern on every call. Since this runs in a request-hot loop over all `ServerOperationsMap` keys, precompile the regex patterns once at package init. Currently every OrgMetrics API call (and any unmapped operation) triggers ~55 regex compilations.

Consider extracting regex-pattern keys into a separate `map[*regexp.Regexp][]*Policy` built at init time, or precompile them with `regexp.MustCompile` in a package-level variable, similar to how `suspensionExemptRegexp` is handled in the suspension middleware.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[jiparis]

This is fragile and difficult to maintain if we add more endpoints. What if instead we extend the endpoint info in authz.go to add whether an endpoint is mutating or not? This would require adding all endpoints there though (default to mutating=true for maximum security if it's not found)
Another option is trying to get the metadata from the proto definitions, but I don't think Kratos exposes that.

[jiparis]

Nevermind, I've just seen that logic below. Thanks

[migmartri]

I have mixed feelings about this feature; I’m not sure why we need to support read-only.

[Piskoo]

I have mixed feelings about this feature; I’m not sure why we need to support read-only.

It follows what for example Stripe or Github does with blocked/expired accounts. We could also completely block the access and show only the information that organization is suspended with steps to resolve that.

Updated to block all not account/org management requests as disussed

[cubic-dev-ai]

1 issue found across 3 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="app/controlplane/internal/server/grpc.go">

<violation number="1" location="app/controlplane/internal/server/grpc.go:214">
P3: This comment overstates behavior: suspension is not applied to all RPCs because selector matchers intentionally exempt some organization/account operations. Please make the comment explicit about the exception.

(Based on your team's feedback about documenting non-obvious authorization behavior.) [FEEDBACK_USED]</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}