feat: add organization setting to restrict project-scoped contracts

app/controlplane/api/controlplane/v1/organization.proto

@@ -96,6 +96,9 @@ message OrganizationServiceUpdateRequest {
 
   // prevent workflows and projects from being created implicitly during attestation init
   optional bool prevent_implicit_workflow_creation = 5;
+
+  // restrict_contract_creation_to_org_admins restricts contract creation (org-level and project-level) to only organization admins (owner/admin roles)
+  optional bool restrict_contract_creation_to_org_admins = 6;
 }
 
 message OrganizationServiceUpdateResponse {

app/controlplane/api/controlplane/v1/response_messages.proto

@@ -281,6 +281,8 @@ message OrgItem {
   repeated string policy_allowed_hostnames = 5;
   // prevent workflows and projects from being created implicitly during attestation init
   bool prevent_implicit_workflow_creation = 7;
+  // restrict_contract_creation_to_org_admins restricts contract creation (org-level and project-level) to only organization admins (owner/admin roles)
+  bool restrict_contract_creation_to_org_admins = 8;
 
   enum PolicyViolationBlockingStrategy {
     POLICY_VIOLATION_BLOCKING_STRATEGY_UNSPECIFIED = 0;

app/controlplane/internal/service/attestation.go

@@ -59,6 +59,7 @@ type AttestationService struct {
 	projectVersionUseCase   *biz.ProjectVersionUseCase
 	projectUseCase          *biz.ProjectUseCase
 	signingUseCase          *biz.SigningUseCase
+	userUseCase             *biz.UserUseCase
 }
 
 type NewAttestationServiceOpts struct {
@@ -78,6 +79,7 @@ type NewAttestationServiceOpts struct {
 	ProjectUC          *biz.ProjectUseCase
 	ProjectVersionUC   *biz.ProjectVersionUseCase
 	SigningUseCase     *biz.SigningUseCase
+	UserUC             *biz.UserUseCase
 	Opts               []NewOpt
 }
 
@@ -100,6 +102,7 @@ func NewAttestationService(opts *NewAttestationServiceOpts) *AttestationService
 		projectUseCase:          opts.ProjectUC,
 		projectVersionUseCase:   opts.ProjectVersionUC,
 		signingUseCase:          opts.SigningUseCase,
+		userUseCase:             opts.UserUC,
 	}
 }
 
@@ -748,14 +751,21 @@ func (s *AttestationService) FindOrCreateWorkflow(ctx context.Context, req *cpAP
 		return &cpAPI.FindOrCreateWorkflowResponse{Result: bizWorkflowToPb(wf)}, nil
 	}
 
+	// Get organization
+	org, err := s.orgUseCase.FindByID(ctx, apiToken.OrgID)
+	if err != nil {
+		return nil, handleUseCaseErr(err, s.log)
+	}
+
 	// the workflow does not exist, let's create it alongside its project and contract
 	createOpts := &biz.WorkflowCreateOpts{
-		OrgID:            apiToken.OrgID,
-		Name:             req.GetWorkflowName(),
-		Project:          req.GetProjectName(),
-		ContractName:     req.GetContractName(),
-		ContractBytes:    req.GetContractBytes(),
-		ImplicitCreation: true, // Mark as implicit creation from attestation init
+		OrgID:                               apiToken.OrgID,
+		Name:                                req.GetWorkflowName(),
+		Project:                             req.GetProjectName(),
+		ContractName:                        req.GetContractName(),
+		ContractBytes:                       req.GetContractBytes(),
+		ImplicitCreation:                    true, // Mark as implicit creation from attestation init
+		OrgRestrictContractCreationToAdmins: org.RestrictContractCreationToOrgAdmins,
 	}
 
 	// set project owner if RBAC is enabled
@@ -766,6 +776,14 @@ func (s *AttestationService) FindOrCreateWorkflow(ctx context.Context, req *cpAP
 			return nil, handleUseCaseErr(err, s.log)
 		}
 		createOpts.Owner = &userID
+
+		// Check if user is an org admin
+		membership, err := s.userUseCase.MembershipInOrg(ctx, user.ID, org.Name)
+
+		if err == nil && membership != nil {
+			isAdmin := membership.Role.IsAdmin()
+			createOpts.UserIsOrgAdmin = isAdmin
+		}
 	}
 
 	wf, err := s.workflowUseCase.Create(ctx, createOpts)

app/controlplane/internal/service/context.go

@@ -118,10 +118,11 @@ func (s *ContextService) Current(ctx context.Context, _ *pb.ContextServiceCurren
 
 func bizOrgToPb(m *biz.Organization) *pb.OrgItem {
 	return &pb.OrgItem{Id: m.ID, Name: m.Name, CreatedAt: timestamppb.New(*m.CreatedAt),
-		UpdatedAt:                       timestamppb.New(*m.UpdatedAt),
-		DefaultPolicyViolationStrategy:  bizPolicyViolationBlockingStrategyToPb(m.BlockOnPolicyViolation),
-		PolicyAllowedHostnames:          m.PoliciesAllowedHostnames,
-		PreventImplicitWorkflowCreation: m.PreventImplicitWorkflowCreation,
+		UpdatedAt:                           timestamppb.New(*m.UpdatedAt),
+		DefaultPolicyViolationStrategy:      bizPolicyViolationBlockingStrategyToPb(m.BlockOnPolicyViolation),
+		PolicyAllowedHostnames:              m.PoliciesAllowedHostnames,
+		PreventImplicitWorkflowCreation:     m.PreventImplicitWorkflowCreation,
+		RestrictContractCreationToOrgAdmins: m.RestrictContractCreationToOrgAdmins,
 	}
 }
 

app/controlplane/internal/service/organization.go

@@ -89,7 +89,7 @@ func (s *OrganizationService) Update(ctx context.Context, req *pb.OrganizationSe
 		}
 	}
 
-	org, err := s.orgUC.Update(ctx, currentUser.ID, req.Name, req.BlockOnPolicyViolation, policiesAllowedHostnames, req.PreventImplicitWorkflowCreation)
+	org, err := s.orgUC.Update(ctx, currentUser.ID, req.Name, req.BlockOnPolicyViolation, policiesAllowedHostnames, req.PreventImplicitWorkflowCreation, req.RestrictContractCreationToOrgAdmins)
 	if err != nil {
 		return nil, handleUseCaseErr(err, s.log)
 	}

app/controlplane/internal/service/workflowcontract.go

@@ -34,12 +34,16 @@ type WorkflowContractService struct {
 	*service
 
 	contractUseCase *biz.WorkflowContractUseCase
+	orgUseCase      *biz.OrganizationUseCase
+	userUC          *biz.UserUseCase
 }
 
-func NewWorkflowSchemaService(uc *biz.WorkflowContractUseCase, opts ...NewOpt) *WorkflowContractService {
+func NewWorkflowSchemaService(uc *biz.WorkflowContractUseCase, orgUC *biz.OrganizationUseCase, userUC *biz.UserUseCase, opts ...NewOpt) *WorkflowContractService {
 	return &WorkflowContractService{
 		service:         newService(opts...),
 		contractUseCase: uc,
+		orgUseCase:      orgUC,
+		userUC:          userUC,
 	}
 }
 
@@ -109,6 +113,29 @@ func (s *WorkflowContractService) Create(ctx context.Context, req *pb.WorkflowCo
 		return nil, errors.BadRequest("invalid", "project is required")
 	}
 
+	// Check organization settings for contract creation restriction
+	org, err := s.orgUseCase.FindByID(ctx, currentOrg.ID)
+	if err != nil {
+		return nil, handleUseCaseErr(err, s.log)
+	}
+
+	// If setting is enabled, only org admins can create contracts (org-level or project-level)
+	if org.RestrictContractCreationToOrgAdmins {
+		currentUser, err := requireCurrentUser(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		membership, err := s.userUC.MembershipInOrg(ctx, currentUser.ID, currentOrg.Name)
+		if err != nil {
+			return nil, handleUseCaseErr(err, s.log)
+		}
+
+		if !membership.Role.IsAdmin() {
+			return nil, errors.Forbidden("forbidden", "only organization admins can create contracts")
+		}
+	}
+
 	// if the project is provided we make sure it exists and the user has permission to it
 	var projectID *uuid.UUID
 	if req.ProjectReference.IsSet() {