Implement Organizations Read-Only Mode
## Problem statement
We need to be able to disable write access to a given Organization while their migration (eg. to a Protocell) is in progress. This is **not** the same as instance-wide Maintenance Mode: the Organization's content (groups, projects, settings etc) should remain readable but not editable, with a banner indicating the Organization is in read-only mode.
The design is formalized in [ADR 010: Organization Read-Only Mode](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/organization/decisions/010_organization_read_only_mode/). In summary:
* A per-Organization state on `Organizations::Stateful`: `active → read_only_initialization → read_only` (and back), with a `reason` recorded for audit (migration, isolation, incident, billing, legal)
* Enforcement keyed off `Current.organization` at every write surface: controllers, REST API (Grape), GraphQL mutations, `Gitlab::GitAccess`, Container Registry, LFS, and Sidekiq
* Org-scoped Sidekiq jobs drain; cron workers skip read-only Organizations; BBMs are paused on the source Cell
* A cutover readiness contract gates the data-copy step on a fully drained source Cell
* An authentication exemption keeps sign-in working (existing `users` row updates allowed; new `users` row creation blocked)
The POC (gitlab-org/gitlab!228743) validated the approach and will not be merged; production implementation builds on the merged unified state machine (gitlab-org/gitlab!230909).
## Exit criteria
* Write requests (web UI, GraphQL mutations, REST API, git push, registry push, LFS upload) to an Organization in `read_only_initialization` or `read_only` fail with a structured error (`503` + `Retry-After` for time-bounded reasons, `403` otherwise); reads continue to work
* Authentication remains available; no new `users` rows are created for a read-only Organization
* Org-scoped Sidekiq jobs drain and cron workers skip the read-only Organization, observable via structured logs
* A cutover readiness check reports when the source Cell is fully drained for the Organization
* New pipelines are blocked and in-flight CI jobs are cancelled on entering read-only
* All pages owned by the Organization show a prominent read-only banner
* Rollout is gated by environment- and Organization-scoped feature flags, default-off on Self-Managed/Dedicated
<!-- STATUS NOTE START -->
## Status 2026-07-16
# Implement Organizations Read-Only Mode — Weekly Status Update
*Container Registry enforcement and the Sidekiq design shipped; authentication protections need two final review threads before rollout.*
## 🕐 total hours spent this week by all contributors
20
## 🎉 achievements
* [!242755](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/242755) merged by @alejandro (2026-07-15), blocking Container Registry push and delete during read-only mode while preserving pull, behind the rollout flag.
* [ADR 010 update !20345](https://gitlab.com/gitlab-com/content-sites/handbook/-/merge_requests/20345) merged by @rutgerwessels (2026-07-14), standardizing Sidekiq on `Current.organization` and defining drain-aware worker and cron behavior.
## 🚫 blockers
* [!243972](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/243972) still has one unresolved identity-verification discussion after @mmacrae-bovell’s approval; resolve the thread before maintainer merge.
* [!243952](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/243952) awaits an `IdentityLinker` spec assertion requested by @hptrs; add coverage and resolve the discussion before maintainer merge.
## ▶️ next
* Resolve remaining discussions on [!243972](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/243972) and [!243952](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/243952), then merge both authentication enforcement changes with passing pipelines.
* Start [#605609](https://gitlab.com/gitlab-org/gitlab/-/work_items/605609) once both MRs merge, consolidating status policy, messages, logging, and cross-surface tests.
* Begin [#603377](https://gitlab.com/gitlab-org/gitlab/-/work_items/603377) internal-organization rollout after authentication enforcement lands, then monitor blocked-write logs before expanding cohorts.
* Keep syncing with @rutgerwessels on [#599101](https://gitlab.com/gitlab-org/gitlab/-/work_items/599101) to define per-iteration organization context for cron workers that mutate organization-owned data.
_Copied from https://gitlab.com/groups/gitlab-org/-/epics/20404#note_3564264879_
<!-- STATUS NOTE END -->
epic