Parent: #4985
Depends on: #4987 (SSS client)
Context
Wire the SSS client into two enforcement points so sanctioned orgs are blocked at both the corporate and individual level.
Integration points
1. CCLA signing (primary gate)
Run the check before the DocuSign envelope is sent to the signatory, or before the CCLA is approved. A sanctioned org must not end up with a signed, approved CCLA.
2. ECLA/employee acknowledgement (secondary gate)
When a contributor acknowledges the ECLA under their company's CCLA. This catches orgs that were clean at CCLA signing but got flagged afterward. The SSS call is fast (~200ms) since the org is already cached in SSS from the CCLA check.
Data sourcing
When building the SSS request for a given org:
| SSS Parameter | How to get it |
|---|---|
| `domain` | Fetch from Organization Service using the existing client. The Org Link field contains the website URL (e.g., https://datev.de). Strip the protocol to get the bare domain datev.de. |
| `org_name` | `company_name` from the EasyCLA companies table |
| `sfdc_id` | `company_external_id`, only if it starts with `001` (Salesforce Account ID). Skip for `lf`-prefixed IDs — those are LFX-native and not valid SFDC IDs. |
| `country` | From Organization Service address fields, if available. Optional — improves Descartes match accuracy but not required. |
Behavior
SSS returns clean
- Set `is_sanctioned = false` on the org
- Proceed normally (approve CCLA / allow ECLA acknowledgement)
SSS returns flagged
- Set `is_sanctioned = true` on the org
- CCLA signing: block the signing, return error to user
- ECLA acknowledgement: block acknowledgement, inform contributor their company cannot participate due to compliance restrictions
- Log the event
SSS unavailable (503 / timeout)
See decision in parent epic #4985 — implement the chosen option.
Org has no domain in Organization Service
- Skip SSS call for now (log a warning)
- Do not block signing — this covers legacy v1 orgs without a website
- We will revisit once we know how many orgs this affects
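The data-sourcing rules and the four behaviours above, as one worked example. This is added illustration code, not EasyCLA's or the SSS client's own: the `Org`, `SSSRequest`, `Checker`, `Decision` and `fixedChecker` names are assumptions, the `Checker` interface stands in for whatever #4987 ships, and the sample org values are constructed. The 503/timeout case is deliberately not decided here, since that decision lives in epic #4985; the gate just surfaces it to the caller.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/url"
	"strings"
)

// Org carries the fields the gates pull from EasyCLA and Organization Service.
// Type and field names are assumptions for this example, not EasyCLA's own.
type Org struct {
	CompanyName       string // company_name from the EasyCLA companies table
	CompanyExternalID string // company_external_id: "001..." (SFDC) or "lf-..." (LFX-native)
	OrgLink           string // Org Link from Organization Service, e.g. "https://datev.de"
	Country           string // optional, from Organization Service address fields
}

// SSSRequest mirrors the parameters in the data-sourcing table.
type SSSRequest struct{ Domain, OrgName, SFDCID, Country string }

// ErrNoDomain signals an org with no website in Organization Service (legacy v1 orgs).
var ErrNoDomain = errors.New("org has no domain in Organization Service")

// BareDomain strips the protocol (and any path or port) from the Org Link.
func BareDomain(link string) (string, error) {
	link = strings.TrimSpace(link)
	if link == "" {
		return "", ErrNoDomain
	}
	if !strings.Contains(link, "://") {
		link = "https://" + link // a bare "datev.de" would otherwise parse as a path
	}
	u, err := url.Parse(link)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("invalid org link %q", link)
	}
	return strings.ToLower(u.Hostname()), nil
}

// BuildSSSRequest applies the table: bare domain, company name,
// sfdc_id only for Salesforce Account IDs, country when available.
func BuildSSSRequest(o Org) (SSSRequest, error) {
	domain, err := BareDomain(o.OrgLink)
	if err != nil {
		return SSSRequest{}, err
	}
	req := SSSRequest{Domain: domain, OrgName: o.CompanyName, Country: o.Country}
	if strings.HasPrefix(o.CompanyExternalID, "001") { // lf-prefixed IDs are skipped
		req.SFDCID = o.CompanyExternalID
	}
	return req, nil
}

// Verdict is what the SSS client reports; Checker is the slice of it the gates need (assumed).
type Verdict int

const (
	Clean Verdict = iota
	Flagged
	Unavailable // 503 or timeout
)

type Checker interface{ Check(SSSRequest) Verdict }

// Decision is the gate outcome; IsSanctioned is nil when SSS was not consulted or did not answer.
type Decision struct {
	Allow        bool
	IsSanctioned *bool
	Reason       string // message for the user when blocked
}

// Gate runs the check for either enforcement point (CCLA signing or ECLA acknowledgement).
func Gate(c Checker, o Org, logf func(string, ...any)) (Decision, error) {
	req, err := BuildSSSRequest(o)
	if errors.Is(err, ErrNoDomain) {
		logf("warning: skipping SSS check for %q: no domain", o.CompanyName)
		return Decision{Allow: true}, nil // do not block legacy orgs without a website
	}
	if err != nil {
		return Decision{}, err
	}
	switch c.Check(req) {
	case Clean:
		f := false
		return Decision{Allow: true, IsSanctioned: &f}, nil
	case Flagged:
		t := true
		logf("sanctions hit: org=%q domain=%q", o.CompanyName, req.Domain)
		return Decision{Allow: false, IsSanctioned: &t,
			Reason: "your company cannot participate due to compliance restrictions"}, nil
	default:
		// Fail-open vs fail-closed on 503/timeout is decided in epic #4985; surface it to the caller.
		return Decision{}, errors.New("SSS unavailable: apply the #4985 policy")
	}
}

type fixedChecker struct{ v Verdict } // stand-in for the real client

func (f fixedChecker) Check(SSSRequest) Verdict { return f.v }

func main() {
	org := Org{CompanyName: "Example Corp", CompanyExternalID: "0010000000EXAMPL",
		OrgLink: "https://datev.de", Country: "DE"} // constructed sample
	d, err := Gate(fixedChecker{Flagged}, org, log.Printf)
	fmt.Printf("allow=%v sanctioned=%v err=%v reason=%q\n", d.Allow, *d.IsSanctioned, err, d.Reason)
}
```

Returning `IsSanctioned` as a pointer keeps the "not consulted" case distinct from "clean", so the no-domain path never writes `is_sanctioned = false` and silently whitelists an org that was simply never checked.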
Acceptance criteria
- `is_sanctioned` field is updated from SSS response at both checkpoints