chainloop-dev · migmartri · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025
diff --git a/app/cli/cmd/organization_update.go b/app/cli/cmd/organization_update.go
@@ -22,9 +22,10 @@ import (
 
 func newOrganizationUpdateCmd() *cobra.Command {
 	var (
-		orgName                  string
-		blockOnPolicyViolation   bool
-		policiesAllowedHostnames []string
+		orgName                         string
+		blockOnPolicyViolation          bool
+		policiesAllowedHostnames        []string
+		preventImplicitWorkflowCreation bool
 	)
 
 	cmd := &cobra.Command{
@@ -40,6 +41,10 @@ func newOrganizationUpdateCmd() *cobra.Command {
 				opts.PoliciesAllowedHostnames = &policiesAllowedHostnames
 			}
 
+			if cmd.Flags().Changed("prevent-implicit-workflow-creation") {
+				opts.PreventImplicitWorkflowCreation = &preventImplicitWorkflowCreation
+			}
+
 			_, err := action.NewOrgUpdate(ActionOpts).Run(cmd.Context(), orgName, opts)
 			if err != nil {
 				return err
@@ -56,5 +61,6 @@ func newOrganizationUpdateCmd() *cobra.Command {
 
 	cmd.Flags().BoolVar(&blockOnPolicyViolation, "block", false, "set the default policy violation blocking strategy")
 	cmd.Flags().StringSliceVar(&policiesAllowedHostnames, "policies-allowed-hostnames", []string{}, "set the allowed hostnames for the policy engine")
+	cmd.Flags().BoolVar(&preventImplicitWorkflowCreation, "prevent-implicit-workflow-creation", false, "prevent workflows and projects from being created implicitly during attestation init")
 	return cmd
 }
diff --git a/app/cli/documentation/cli-reference.mdx b/app/cli/documentation/cli-reference.mdx
@@ -2765,6 +2765,7 @@ Options
 -h, --help                                 help for update
 --name string                          organization name
 --policies-allowed-hostnames strings   set the allowed hostnames for the policy engine
+--prevent-implicit-workflow-creation   prevent workflows and projects from being created implicitly during attestation init
 ```
 
 Options inherited from parent commands

diff --git a/app/cli/pkg/action/config_current_context.go b/app/cli/pkg/action/config_current_context.go
@@ -31,14 +31,17 @@ func NewConfigCurrentContext(cfg *ActionsOpts) *ConfigCurrentContext {
 }
 
 type ConfigContextItem struct {
-	CurrentUser       *UserItem
-	CurrentMembership *MembershipItem
-	CurrentCASBackend *CASBackendItem
+	CurrentUser       *UserItem       `json:"currentUser"`
+	CurrentMembership *MembershipItem `json:"currentMembership"`
+	CurrentCASBackend *CASBackendItem `json:"currentCASBackend"`
 }
 
 type UserItem struct {
-	ID, Email, FirstName, LastName string
-	CreatedAt                      *time.Time
+	ID        string     `json:"id"`
+	Email     string     `json:"email"`
+	FirstName string     `json:"firstName"`
+	LastName  string     `json:"lastName"`
+	CreatedAt *time.Time `json:"createdAt"`
 }
 
 // PrintUserProfileWithEmail formats the user's profile with their email.

diff --git a/app/cli/pkg/action/membership_list.go b/app/cli/pkg/action/membership_list.go
@@ -29,20 +29,22 @@ type MembershipList struct {
 }
 
 type OrgItem struct {
-	ID, Name                        string
-	CreatedAt                       *time.Time
-	PolicyViolationBlockingStrategy string
-	PolicyAllowedHostnames          []string `json:"policyAllowedHostnames,omitempty"`
+	ID                              string     `json:"id"`
+	Name                            string     `json:"name"`
+	CreatedAt                       *time.Time `json:"createdAt"`
+	PolicyViolationBlockingStrategy string     `json:"policyViolationBlockingStrategy"`
+	PolicyAllowedHostnames          []string   `json:"policyAllowedHostnames,omitempty"`
+	PreventImplicitWorkflowCreation bool       `json:"preventImplicitWorkflowCreation"`
 }
 
 type MembershipItem struct {
 	ID        string     `json:"id"`
 	Default   bool       `json:"current"`
 	CreatedAt *time.Time `json:"joinedAt"`
 	UpdatedAt *time.Time `json:"updatedAt"`
-	Org       *OrgItem
-	User      *UserItem
-	Role      Role `json:"role"`
+	Org       *OrgItem   `json:"org"`
+	User      *UserItem  `json:"user"`
+	Role      Role       `json:"role"`
 }
 
 type ListMembersOpts struct {
@@ -130,10 +132,11 @@ func (action *MembershipList) ListMembers(ctx context.Context, page int, pageSiz
 
 func pbOrgItemToAction(in *pb.OrgItem) *OrgItem {
 	i := &OrgItem{
-		ID:                     in.Id,
-		Name:                   in.Name,
-		CreatedAt:              toTimePtr(in.CreatedAt.AsTime()),
-		PolicyAllowedHostnames: in.PolicyAllowedHostnames,
+		ID:                              in.Id,
+		Name:                            in.Name,
+		CreatedAt:                       toTimePtr(in.CreatedAt.AsTime()),
+		PolicyAllowedHostnames:          in.PolicyAllowedHostnames,
+		PreventImplicitWorkflowCreation: in.PreventImplicitWorkflowCreation,
 	}
 
 	if in.DefaultPolicyViolationStrategy == pb.OrgItem_POLICY_VIOLATION_BLOCKING_STRATEGY_BLOCK {

diff --git a/app/cli/pkg/action/org_update.go b/app/cli/pkg/action/org_update.go
@@ -30,16 +30,18 @@ func NewOrgUpdate(cfg *ActionsOpts) *OrgUpdate {
 }
 
 type NewOrgUpdateOpts struct {
-	BlockOnPolicyViolation   *bool
-	PoliciesAllowedHostnames *[]string
+	BlockOnPolicyViolation          *bool
+	PoliciesAllowedHostnames        *[]string
+	PreventImplicitWorkflowCreation *bool
 }
 
 func (action *OrgUpdate) Run(ctx context.Context, name string, opts *NewOrgUpdateOpts) (*OrgItem, error) {
 	client := pb.NewOrganizationServiceClient(action.cfg.CPConnection)
 
 	payload := &pb.OrganizationServiceUpdateRequest{
-		Name:                   name,
-		BlockOnPolicyViolation: opts.BlockOnPolicyViolation,
+		Name:                            name,
+		BlockOnPolicyViolation:          opts.BlockOnPolicyViolation,
+		PreventImplicitWorkflowCreation: opts.PreventImplicitWorkflowCreation,
 	}
 
 	if opts.PoliciesAllowedHostnames != nil {