Part of &20404 ([Implement Organizations Read-Only Mode](https://gitlab.com/groups/gitlab-org/-/work_items/20404)). Design: [ADR 010](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/organization/decisions/010_organization_read_only_mode/). The model layer landed in !240492 (states + `read_only?` predicate). This issue covers the **primary write-blocking enforcement** keyed off `Current.organization`, which the surrounding edge-case issues (#602813, #602814) presume exists. ## Scope - Block write requests (non-GET controllers, REST/Grape mutations, GraphQL mutations, `Gitlab::GitAccess` push) when the request's Organization returns `read_only?` - All enforcement gates on the single `Organizations::Organization#read_only?` predicate - Return a structured error per the matrix in #602825: `503` + `Retry-After` for time-bounded reasons, `403` otherwise; reads continue to work - Gate enforcement behind the feature flags from #602810 - Port enforcement code from reference POC !228743 (will not be merged) ## Out of scope (tracked separately) - Container Registry enforcement: #602811 - Git LFS enforcement: #602812 - Authentication exemption: #602813 - GET side-effect audit: #602814 - Read-only banner: #602823 - CI/CD blocking: #602821