chainloop-dev · Piskoo · Dec 5, 2025
diff --git a/app/controlplane/api/controlplane/v1/organization.pb.go b/app/controlplane/api/controlplane/v1/organization.pb.go
diff --git a/app/controlplane/api/controlplane/v1/organization.proto b/app/controlplane/api/controlplane/v1/organization.proto
@@ -96,6 +96,9 @@ message OrganizationServiceUpdateRequest {
 
   // prevent workflows and projects from being created implicitly during attestation init
   optional bool prevent_implicit_workflow_creation = 5;
+
+  // prevent_project_scoped_contracts restricts contract creation to only organization-level contracts
+  optional bool prevent_project_scoped_contracts = 6;
 }
 
 message OrganizationServiceUpdateResponse {

diff --git a/app/controlplane/api/controlplane/v1/response_messages.pb.go b/app/controlplane/api/controlplane/v1/response_messages.pb.go
diff --git a/app/controlplane/api/controlplane/v1/response_messages.proto b/app/controlplane/api/controlplane/v1/response_messages.proto
@@ -281,6 +281,8 @@ message OrgItem {
   repeated string policy_allowed_hostnames = 5;
   // prevent workflows and projects from being created implicitly during attestation init
   bool prevent_implicit_workflow_creation = 7;
+  // prevent_project_scoped_contracts restricts contract creation to only organization-level contracts
+  bool prevent_project_scoped_contracts = 8;
 
   enum PolicyViolationBlockingStrategy {
     POLICY_VIOLATION_BLOCKING_STRATEGY_UNSPECIFIED = 0;

diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/organization.ts b/app/controlplane/api/gen/frontend/controlplane/v1/organization.ts
diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts b/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts
diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.OrgItem.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.OrgItem.jsonschema.json
diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.OrgItem.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.OrgItem.schema.json
diff --git a/...plane/api/gen/jsonschema/controlplane.v1.OrganizationServiceUpdateRequest.jsonschema.json b/...plane/api/gen/jsonschema/controlplane.v1.OrganizationServiceUpdateRequest.jsonschema.json
diff --git a/...trolplane/api/gen/jsonschema/controlplane.v1.OrganizationServiceUpdateRequest.schema.json b/...trolplane/api/gen/jsonschema/controlplane.v1.OrganizationServiceUpdateRequest.schema.json
diff --git a/app/controlplane/cmd/wire_gen.go b/app/controlplane/cmd/wire_gen.go
diff --git a/app/controlplane/internal/service/context.go b/app/controlplane/internal/service/context.go
@@ -122,6 +122,7 @@ func bizOrgToPb(m *biz.Organization) *pb.OrgItem {
 		DefaultPolicyViolationStrategy:  bizPolicyViolationBlockingStrategyToPb(m.BlockOnPolicyViolation),
 		PolicyAllowedHostnames:          m.PoliciesAllowedHostnames,
 		PreventImplicitWorkflowCreation: m.PreventImplicitWorkflowCreation,
+		PreventProjectScopedContracts:   m.PreventProjectScopedContracts,
 	}
 }
 

diff --git a/app/controlplane/internal/service/organization.go b/app/controlplane/internal/service/organization.go
@@ -89,7 +89,7 @@ func (s *OrganizationService) Update(ctx context.Context, req *pb.OrganizationSe
 		}
 	}
 
-	org, err := s.orgUC.Update(ctx, currentUser.ID, req.Name, req.BlockOnPolicyViolation, policiesAllowedHostnames, req.PreventImplicitWorkflowCreation)
+	org, err := s.orgUC.Update(ctx, currentUser.ID, req.Name, req.BlockOnPolicyViolation, policiesAllowedHostnames, req.PreventImplicitWorkflowCreation, req.PreventProjectScopedContracts)
 	if err != nil {
 		return nil, handleUseCaseErr(err, s.log)
 	}

diff --git a/app/controlplane/internal/service/workflowcontract.go b/app/controlplane/internal/service/workflowcontract.go
@@ -34,12 +34,14 @@ type WorkflowContractService struct {
 	*service
 
 	contractUseCase *biz.WorkflowContractUseCase
+	orgUseCase      *biz.OrganizationUseCase
 }
 
-func NewWorkflowSchemaService(uc *biz.WorkflowContractUseCase, opts ...NewOpt) *WorkflowContractService {
+func NewWorkflowSchemaService(uc *biz.WorkflowContractUseCase, orgUC *biz.OrganizationUseCase, opts ...NewOpt) *WorkflowContractService {
 	return &WorkflowContractService{
 		service:         newService(opts...),
 		contractUseCase: uc,
+		orgUseCase:      orgUC,
 	}
 }
 
@@ -109,9 +111,20 @@ func (s *WorkflowContractService) Create(ctx context.Context, req *pb.WorkflowCo
 		return nil, errors.BadRequest("invalid", "project is required")
 	}
 
+	// Check organization settings for project-scoped contracts
+	org, err := s.orgUseCase.FindByID(ctx, currentOrg.ID)
+	if err != nil {
+		return nil, handleUseCaseErr(err, s.log)
+	}
+
 	// if the project is provided we make sure it exists and the user has permission to it
 	var projectID *uuid.UUID
 	if req.ProjectReference.IsSet() {
+		// Check if organization prevents project-scoped contracts
+		if org.PreventProjectScopedContracts {
+			return nil, errors.BadRequest("invalid", "organization does not allow project-scoped contracts")
+		}
+
 		// Make sure the provided project exists and the user has permission to create tokens in it
 		project, err := s.userHasPermissionOnProject(ctx, currentOrg.ID, req.GetProjectReference(), authz.PolicyWorkflowContractCreate)
 		if err != nil {

diff --git a/app/controlplane/pkg/biz/organization.go b/app/controlplane/pkg/biz/organization.go
@@ -41,13 +41,15 @@ type Organization struct {
 	PoliciesAllowedHostnames []string
 	// PreventImplicitWorkflowCreation prevents workflows and projects from being created implicitly during attestation init
 	PreventImplicitWorkflowCreation bool
+	// PreventProjectScopedContracts restricts contract creation to only organization-level contracts
+	PreventProjectScopedContracts bool
 }
 
 type OrganizationRepo interface {
 	FindByID(ctx context.Context, orgID uuid.UUID) (*Organization, error)
 	FindByName(ctx context.Context, name string) (*Organization, error)
 	Create(ctx context.Context, name string) (*Organization, error)
-	Update(ctx context.Context, id uuid.UUID, blockOnPolicyViolation *bool, policiesAllowedHostnames []string, preventImplicitWorkflowCreation *bool) (*Organization, error)
+	Update(ctx context.Context, id uuid.UUID, blockOnPolicyViolation *bool, policiesAllowedHostnames []string, preventImplicitWorkflowCreation *bool, preventProjectScopedContracts *bool) (*Organization, error)
 	Delete(ctx context.Context, ID uuid.UUID) error
 }
 
@@ -187,7 +189,7 @@ func (uc *OrganizationUseCase) doCreate(ctx context.Context, name string, opts .
 	return org, nil
 }
 
-func (uc *OrganizationUseCase) Update(ctx context.Context, userID, orgName string, blockOnPolicyViolation *bool, policiesAllowedHostnames []string, preventImplicitWorkflowCreation *bool) (*Organization, error) {
+func (uc *OrganizationUseCase) Update(ctx context.Context, userID, orgName string, blockOnPolicyViolation *bool, policiesAllowedHostnames []string, preventImplicitWorkflowCreation *bool, preventProjectScopedContracts *bool) (*Organization, error) {
 	userUUID, err := uuid.Parse(userID)
 	if err != nil {
 		return nil, NewErrInvalidUUID(err)
@@ -207,7 +209,7 @@ func (uc *OrganizationUseCase) Update(ctx context.Context, userID, orgName strin
 	}
 
 	// Perform the update
-	org, err := uc.orgRepo.Update(ctx, orgUUID, blockOnPolicyViolation, policiesAllowedHostnames, preventImplicitWorkflowCreation)
+	org, err := uc.orgRepo.Update(ctx, orgUUID, blockOnPolicyViolation, policiesAllowedHostnames, preventImplicitWorkflowCreation, preventProjectScopedContracts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to update organization: %w", err)
 	} else if org == nil {

diff --git a/app/controlplane/pkg/data/ent/migrate/migrations/20251204133913.sql b/app/controlplane/pkg/data/ent/migrate/migrations/20251204133913.sql
@@ -0,0 +1,2 @@
+-- Modify "organizations" table
+ALTER TABLE "organizations" ADD COLUMN "prevent_project_scoped_contracts" boolean NOT NULL DEFAULT false;
diff --git a/app/controlplane/pkg/data/ent/migrate/migrations/atlas.sum b/app/controlplane/pkg/data/ent/migrate/migrations/atlas.sum
@@ -1,4 +1,4 @@
-h1:2JyaUYFWieGKl87rW890mAXAE3XJrL4K4/C51Nl3qOk=
+h1:ElZ12CneaiJmAK7EoN8AbLfpZebycSFaTDWu6BG4ZR0=
 20230706165452_init-schema.sql h1:VvqbNFEQnCvUVyj2iDYVQQxDM0+sSXqocpt/5H64k8M=
 20230710111950-cas-backend.sql h1:A8iBuSzZIEbdsv9ipBtscZQuaBp3V5/VMw7eZH6GX+g=
 20230712094107-cas-backends-workflow-runs.sql h1:a5rzxpVGyd56nLRSsKrmCFc9sebg65RWzLghKHh5xvI=
@@ -120,3 +120,4 @@ h1:2JyaUYFWieGKl87rW890mAXAE3XJrL4K4/C51Nl3qOk=
 20251107233855.sql h1:fNK+hRlqzlM4qxKR7SPMEtbrYSAJfau6bKm1jecRDpE=
 20251111162946.sql h1:oNke93PdAreUH6F5AD5FE6uI6riJpE4KPb77LXTeuRU=
 20251114174059.sql h1:f/wB/OlhZxIc9AVCxTNu4dFmPd1T3sCY0nS8Zb9ZS9Q=
+20251204133913.sql h1:tPjlN6sp64nsspbvaXln+PVvLs2R7N+w16fxNqKke1Y=
diff --git a/app/controlplane/pkg/data/ent/migrate/schema.go b/app/controlplane/pkg/data/ent/migrate/schema.go
@@ -423,6 +423,7 @@ var (
 		{Name: "block_on_policy_violation", Type: field.TypeBool, Default: false},
 		{Name: "policies_allowed_hostnames", Type: field.TypeJSON, Nullable: true},
 		{Name: "prevent_implicit_workflow_creation", Type: field.TypeBool, Default: false},
+		{Name: "prevent_project_scoped_contracts", Type: field.TypeBool, Default: false},
 	}
 	// OrganizationsTable holds the schema information for the "organizations" table.
 	OrganizationsTable = &schema.Table{
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		-- Modify "organizations" table
		ALTER TABLE "organizations" ADD COLUMN "prevent_project_scoped_contracts" boolean NOT NULL DEFAULT false;