Organizations

Organizations are the top-level tenant boundary. All projects, secrets, and access rules belong to an organization.

Create an organization

coldrune org create --name my-org

You become the owner automatically.

List organizations

coldrune org list

Rename

coldrune org update --name my-org --new-name new-name

Delete

coldrune org delete --name my-org

Soft-deletes the org. The name can be reused after deletion.

Members

Invite a user

coldrune org members invite --org my-org --email alice@example.com --role developer

The default role is member if --role is omitted.

List members

coldrune org members list --org my-org

Change role

coldrune org members update-role --org my-org --email alice@example.com --role admin

Remove a member

coldrune org members remove --org my-org --email alice@example.com

Roles

Four roles, each inheriting the permissions below it:

Role	Secrets	Projects/Envs	Members	Org settings
Owner	read + write	create, update, delete	invite, remove, change roles	rename, delete
Admin	read + write	create, update, delete	invite, remove	—
Developer	read + write	—	—	—
Member	read only	—	—	—

Multiple owners are allowed
The last owner cannot be removed or demoted
Superadmins bypass all role checks
Developers and members need ACL rules for project/env-level access

Naming rules

Organization names must be 2-50 characters, lowercase alphanumeric with hyphens, starting and ending with an alphanumeric character.

REST API

# Create
curl -X POST http://localhost:7100/api/orgs \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{"name": "my-org"}'

# List
curl http://localhost:7100/api/orgs \
  -H 'Authorization: Bearer <token>'

# Invite member
curl -X POST http://localhost:7100/api/orgs/my-org/members \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{"email": "alice@example.com", "role": "developer"}'