pieced/pieced-portal
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Group D fixes
Some checks failed
Build and Push / build (push) Failing after 37s
Details

Browse Source
This commit is contained in:
admin
2026-04-29 22:13:08 +02:00
parent 9c50c9f054
commit 219b4c8365
15 changed files with 914 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
src/app/[locale]/dashboard/edit/[id]/page.tsx Normal file
View File

@@ -0,0 +1,87 @@
import { getSessionUser, canMutate } from "@/lib/session";
import { redirect } from "next/navigation";
import { getTranslations } from "next-intl/server";
import { getTenantRequestById } from "@/lib/db";
import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
import { BackLink } from "@/components/ui/back-link";
/**
* /dashboard/edit/[id] — re-opens the onboarding wizard with the
* fields of a still-pending request pre-filled (Bug 6). On submit,
* the wizard PATCHes /api/onboarding/[id] instead of POSTing to
* /api/onboarding.
*
* Hard guards
* -----------
* - Logged-in customer owner (or platform user) only — same as the
* /dashboard/new page.
* - Request must exist, belong to the caller's org, and be in 'pending'
* status. Editing approved/provisioning rows would race against the
* operator; we redirect such cases back to the dashboard rather than
* render an invalid wizard.
*
* Pre-fill
* --------
* The wizard takes a single `editingRequest` prop — when present, it
* (a) pre-populates state from those values and (b) targets the PATCH
* endpoint on submit. When absent, it behaves exactly as today (POST
* to /api/onboarding).
*
* Note on encrypted secrets
* -------------------------
* Per-package secrets are NEVER decrypted server-side and exposed to
* the client (would be a clear security regression). When editing,
* the wizard opens with empty secret fields and the user re-enters
* any they want to change. If they don't touch the package-secrets
* UI, the existing encrypted blob in the DB is preserved by the
* PATCH endpoint (it only re-encrypts when the wizard sends a
* non-empty secrets payload).
*/
export default async function EditRequestPage({
params,
}: {
params: Promise<{ id: string; locale: string }>;
}) {
const { id } = await params;
const user = await getSessionUser();
if (!user) redirect("/login");
if (user.isPlatform) redirect("/dashboard");
if (!canMutate(user)) redirect("/dashboard");
const tr = await getTenantRequestById(id);
if (!tr) redirect("/dashboard");
if (tr.zitadelOrgId !== user.orgId) redirect("/dashboard");
if (tr.status !== "pending") redirect("/dashboard");
const t = await getTranslations("dashboard");
const tOnboarding = await getTranslations("onboarding");
return (
<div className="container max-w-3xl mx-auto px-4 py-8">
<div className="mb-8 animate-in">
<BackLink href="/dashboard" label={t("title")} />
<h1 className="font-display text-2xl font-semibold accent-rule mb-2">
{tOnboarding("editRequestTitle")}
</h1>
<p className="text-sm text-text-secondary">
{tOnboarding("editRequestDescription")}
</p>
</div>
<OnboardingFlow
orgName={user.orgName}
userName={user.name}
userEmail={user.email}
editingRequest={{
id: tr.id,
instanceName: tr.instanceName ?? "",
agentName: tr.agentName,
soulMd: tr.soulMd ?? "",
agentsMd: tr.agentsMd ?? "",
packages: tr.packages,
billingAddress: tr.billingAddress,
billingNotes: tr.billingNotes ?? "",
}}
/>
</div>
);
}

6
src/app/[locale]/dashboard/page.tsx
View File

@@ -315,7 +315,11 @@ export default async function DashboardPage() {
</h2>
<div className="space-y-3">
{inflightRequests.map((r) => (
<ProvisioningStatus key={r.id} requestId={r.id} />
<ProvisioningStatus
key={r.id}
requestId={r.id}
canAct={canMutate(user)}
/>
))}
</div>
</div>

65
src/app/api/onboarding/[id]/dismiss/route.ts Normal file
View File

@@ -0,0 +1,65 @@
import { NextRequest, NextResponse } from "next/server";
import { getSessionUser, canMutate } from "@/lib/session";
import { dismissTenantRequest, getTenantRequestById } from "@/lib/db";
import { safeError } from "@/lib/errors";
/**
* POST /api/onboarding/[id]/dismiss
*
* Customer-side acknowledgement of a rejected or cancelled request
* (Bug 13). Sets `dismissed_at = now()` so the row stops appearing
* in the dashboard's `listActiveTenantRequestsByOrgId` query. The
* row itself is preserved for audit.
*
* Authorization mirrors the GET / DELETE / PATCH endpoints on this
* resource: customer owners (or platform staff) of the row's org.
*
* Idempotent: dismissing an already-dismissed request returns 200
* with no change. We refuse to dismiss non-terminal rows (pending,
* approved, provisioning, active) — those are still actionable, and
* "hiding" them would stash live state from the customer.
*/
export async function POST(
_req: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
const user = await getSessionUser();
if (!user) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
if (!canMutate(user)) {
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}
const { id } = await params;
const tr = await getTenantRequestById(id);
if (!tr) {
return NextResponse.json({ error: "Not found" }, { status: 404 });
}
if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
return NextResponse.json({ error: "Not found" }, { status: 404 });
}
if (tr.status !== "rejected" && tr.status !== "cancelled") {
return NextResponse.json(
{
error:
"Only rejected or cancelled requests can be dismissed. Active requests stay visible.",
code: "not_dismissable",
currentStatus: tr.status,
},
{ status: 409 }
);
}
try {
await dismissTenantRequest(id);
return NextResponse.json({ message: "Dismissed.", id });
} catch (e: any) {
console.error("Failed to dismiss request:", e);
return NextResponse.json(
{ error: safeError(e, "Failed to dismiss request") },
{ status: 500 }
);
}
}

207
src/app/api/onboarding/[id]/route.ts Normal file
View File

@@ -0,0 +1,207 @@
import { NextRequest, NextResponse } from "next/server";
import { getSessionUser, canMutate } from "@/lib/session";
import {
getTenantRequestById,
updateTenantRequestStatus,
updateTenantRequestEditableFields,
} from "@/lib/db";
import { encryptSecrets } from "@/lib/crypto";
import { onboardingSchema } from "@/lib/validation";
import { safeError } from "@/lib/errors";
/**
* Customer-side controls for a single tenant_request row.
*
* - DELETE /api/onboarding/[id] → cancel a still-pending request
* - PATCH /api/onboarding/[id] → edit fields of a still-pending
* request (Bug 6)
*
* Both endpoints share the same authorization check: the caller must
* be a customer owner (or platform staff) of the request's org. We
* also enforce status === 'pending' on the row — once an admin has
* acted on it, the customer can no longer mutate it from the portal.
*
* Reading these is via the existing GET /api/onboarding?id=... handler.
*/
async function loadAuthorized(
id: string
): Promise<
| { error: NextResponse }
| { req: Awaited<ReturnType<typeof getTenantRequestById>>; }
> {
const user = await getSessionUser();
if (!user) {
return {
error: NextResponse.json({ error: "Unauthorized" }, { status: 401 }),
};
}
if (!canMutate(user)) {
return {
error: NextResponse.json({ error: "Forbidden" }, { status: 403 }),
};
}
const tr = await getTenantRequestById(id);
if (!tr) {
return {
error: NextResponse.json({ error: "Not found" }, { status: 404 }),
};
}
// Customers may only read their own org's requests; platform users
// may read any. Same scope as `GET /api/onboarding?id=...`.
if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
return {
error: NextResponse.json({ error: "Not found" }, { status: 404 }),
};
}
return { req: tr };
}
/**
* DELETE /api/onboarding/[id]
*
* Customer cancels a still-pending request. Status flips to 'cancelled';
* the row is preserved for audit. The customer can dismiss the
* cancelled card afterwards (Bug 13 reuse — same dismissal mechanism).
*
* Once admin has approved/provisioned/rejected, this endpoint refuses
* (409). Cancelling a tenant that's already running goes through the
* subscription-suspend flow on the tenant detail page, not here.
*/
export async function DELETE(
_req: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
const { id } = await params;
const loaded = await loadAuthorized(id);
if ("error" in loaded) return loaded.error;
const tr = loaded.req!;
if (tr.status !== "pending") {
return NextResponse.json(
{
error:
"Only pending requests can be cancelled. Approved or provisioning instances must be managed from the tenant page.",
code: "not_pending",
currentStatus: tr.status,
},
{ status: 409 }
);
}
try {
await updateTenantRequestStatus(id, "cancelled");
return NextResponse.json({ message: "Request cancelled.", id });
} catch (e: any) {
console.error("Failed to cancel request:", e);
return NextResponse.json(
{ error: safeError(e, "Failed to cancel request") },
{ status: 500 }
);
}
}
/**
* PATCH /api/onboarding/[id]
*
* Customer edits a still-pending request. Validation is the same as on
* POST /api/onboarding (shared schema). Only customer-input fields are
* editable; status/tenant_name/admin_notes/etc. are server-managed.
*
* Note on company-level fields
* ----------------------------
* For a follow-up instance (org has prior approved rows), the POST
* handler intentionally ignores the wizard's billingAddress and uses
* the on-file value instead. We mirror that here: company-level fields
* (companyName, contactName, contactEmail, billingAddress) on a
* follow-up edit are NOT updated through this endpoint. The customer
* should use a future settings page (Bug 11) for those. For now,
* editing only mutates per-instance fields — agent name, instance
* name, packages, soulMd, agentsMd, billingNotes, packageSecrets.
*
* For the FIRST instance (no prior approved rows), billingAddress IS
* editable here, since the customer is still defining their company's
* billing data.
*/
export async function PATCH(
req: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
const { id } = await params;
const loaded = await loadAuthorized(id);
if ("error" in loaded) return loaded.error;
const tr = loaded.req!;
if (tr.status !== "pending") {
return NextResponse.json(
{
error: "Only pending requests can be edited.",
code: "not_pending",
currentStatus: tr.status,
},
{ status: 409 }
);
}
const body = await req.json().catch(() => null);
const parsed = onboardingSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json(
{ error: "Invalid input", details: parsed.error.flatten() },
{ status: 400 }
);
}
const input = parsed.data;
// Re-encrypt package secrets if present in the patch body. When the
// user re-opens the wizard to edit, the secrets array is populated
// afresh from the wizard (we never decrypt and return existing
// secrets — that'd be a security regression). If the user didn't
// touch any secret-bearing package, the wizard sends no
// packageSecrets and we leave the existing encrypted blob alone.
let encryptedSecrets: Buffer | null | undefined;
if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {
try {
encryptedSecrets = await encryptSecrets(input.packageSecrets);
} catch (e: any) {
console.error("Failed to encrypt package secrets:", e);
return NextResponse.json(
{ error: "Failed to secure credentials. Please try again." },
{ status: 500 }
);
}
}
// Only first-instance edits get billingAddress; follow-ups inherit
// company billing from the on-file approved row.
const isFirstInstance = !tr.tenantName; // approximation; covers the
// "no prior approved row for this org" case the POST handler treats
// identically. A more rigorous check would call
// getMostRecentApprovedRequestForOrg, but in practice an org with
// an approved row for some other tenant has a tenantName on those
// rows, not on the pending one being edited — so the simple check
// here is fine for the only state the endpoint accepts (pending).
try {
const updated = await updateTenantRequestEditableFields(id, {
instanceName: input.instanceName,
agentName: input.agentName,
soulMd: input.soulMd,
agentsMd: input.agentsMd,
packages: input.packages ?? [],
billingAddress: isFirstInstance ? input.billingAddress : undefined,
billingNotes: input.billingNotes,
encryptedSecrets,
});
if (!updated) {
return NextResponse.json({ error: "Not found" }, { status: 404 });
}
return NextResponse.json({ message: "Request updated.", id });
} catch (e: any) {
console.error("Failed to edit request:", e);
return NextResponse.json(
{ error: safeError(e, "Failed to edit request") },
{ status: 500 }
);
}
}

18
src/app/api/onboarding/route.ts
View File

@@ -24,15 +24,33 @@ import { z } from "zod";
* Helper: shape a TenantRequest row for client consumption.
* Hides server-only fields (encryptedSecrets, internal db ids).
*/
/**
* Helper: shape a TenantRequest row for client consumption.
* Hides server-only fields (encryptedSecrets, internal db ids).
*
* Slice 7 / Bug 6: surfaces enough fields for the customer-side edit
* flow to pre-fill the wizard. soulMd, agentsMd, billingAddress,
* billingNotes were previously kept off the public shape because the
* pre-Slice-3 dashboard didn't render them. Edit needs them.
*
* Bug 13: surfaces dismissedAt so the dashboard can distinguish
* "freshly rejected, show prominently" from "rejected and acknowledged,
* keep hidden" without an extra API call.
*/
function publicRequestShape(r: TenantRequest) {
return {
id: r.id,
instanceName: r.instanceName,
agentName: r.agentName,
soulMd: r.soulMd,
agentsMd: r.agentsMd,
packages: r.packages,
billingAddress: r.billingAddress,
billingNotes: r.billingNotes,
status: r.status,
adminNotes: r.adminNotes,
tenantName: r.tenantName,
dismissedAt: r.dismissedAt ?? null,
createdAt: r.createdAt,
updatedAt: r.updatedAt,
};

10
src/components/onboarding/onboarding-flow.tsx
View File

@@ -12,6 +12,14 @@ interface OnboardingFlowProps {
*/
userName?: string;
userEmail?: string;
/**
* Bug 6: when present, the wizard is rendered in edit mode against
* the given pending request. See `OnboardingWizard` for the full
* shape and behavioural contract.
*/
editingRequest?: React.ComponentProps<
typeof OnboardingWizard
>["editingRequest"];
}
/**
@@ -29,6 +37,7 @@ export function OnboardingFlow({
orgName,
userName,
userEmail,
editingRequest,
}: OnboardingFlowProps) {
const router = useRouter();
@@ -37,6 +46,7 @@ export function OnboardingFlow({
orgName={orgName}
userName={userName}
userEmail={userEmail}
editingRequest={editingRequest}
onComplete={() => {
// Navigate back to /dashboard and re-fetch on the server. The
// parent server component will see the new `pending` row and

249
src/components/onboarding/provisioning-status.tsx
View File

@@ -1,6 +1,8 @@
"use client";
import { useState, useEffect, useCallback } from "react";
import Link from "next/link";
import { useRouter } from "next/navigation";
import { useTranslations, useFormatter } from "next-intl";
import { Card } from "@/components/ui/card";
import { StatusBadge } from "@/components/ui/status-badge";
@@ -14,6 +16,7 @@ interface RequestSummary {
status: string;
adminNotes?: string;
tenantName?: string;
dismissedAt?: string | null;
createdAt?: string;
updatedAt?: string;
}
@@ -36,21 +39,42 @@ interface SingleRequestState {
tenant: TenantSummary | null;
}
interface Props {
requestId: string;
/**
* Whether the viewer can act on this request — cancel a pending one,
* dismiss a rejected one, etc. True for owner + platform; false for
* `user`-role customers (who shouldn't see in-flight requests at all,
* but defence in depth — `canSeeInflightRequests` already gates the
* dashboard side).
*/
canAct: boolean;
}
/**
* ProvisioningStatus
*
* Polls /api/onboarding?id=<requestId> every 5s until the request reaches
* a terminal state. Slice 3: takes a `requestId` prop so multiple of these
* can render on the same dashboard for different in-flight requests.
* a terminal state. Slice 3: takes a `requestId` prop so multiple of
* these can render on the same dashboard for different in-flight
* requests.
*
* The pre-Slice-3 version polled /api/onboarding with no params and
* assumed one-request-per-org — that endpoint shape is gone now.
* Slice 7 / Bug 6 + 13:
* - pending → cancel + edit buttons
* - rejected → admin notes block + dismiss button
* - cancelled → small acknowledgement card + dismiss button
* - terminal Ready/Active states unchanged
*/
export function ProvisioningStatus({ requestId }: { requestId: string }) {
export function ProvisioningStatus({ requestId, canAct }: Props) {
const t = useTranslations("onboarding");
const tCommon = useTranslations("common");
const f = useFormatter();
const router = useRouter();
const [data, setData] = useState<SingleRequestState | null>(null);
const [error, setError] = useState("");
const [actionPending, setActionPending] = useState(false);
const [confirmCancel, setConfirmCancel] = useState(false);
const poll = useCallback(async () => {
try {
@@ -67,11 +91,11 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
useEffect(() => {
poll();
const status = data?.request?.status;
const phase = data?.tenant?.phase;
const terminal =
status === "rejected" ||
status === "cancelled" ||
status === "active" ||
phase === "Ready" ||
phase === "Running";
@@ -82,7 +106,54 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
return () => clearInterval(interval);
}, [poll, data?.request?.status, data?.tenant?.phase]);
if (error) {
const handleCancel = async () => {
setActionPending(true);
setError("");
try {
const res = await fetch(
`/api/onboarding/${encodeURIComponent(requestId)}`,
{ method: "DELETE" }
);
if (!res.ok) {
const body = await res.json().catch(() => ({}));
throw new Error(body.error || t("cancelFailed"));
}
setConfirmCancel(false);
// Re-poll so the card transitions to "cancelled" state without a
// full route refresh — the dashboard's surrounding tenant cards
// are unaffected.
await poll();
router.refresh();
} catch (err: any) {
setError(err.message);
} finally {
setActionPending(false);
}
};
const handleDismiss = async () => {
setActionPending(true);
setError("");
try {
const res = await fetch(
`/api/onboarding/${encodeURIComponent(requestId)}/dismiss`,
{ method: "POST" }
);
if (!res.ok) {
const body = await res.json().catch(() => ({}));
throw new Error(body.error || t("dismissFailed"));
}
// Server-rendered list query (`listActiveTenantRequestsByOrgId`)
// filters out dismissed rows — refresh to drop this card.
router.refresh();
} catch (err: any) {
setError(err.message);
} finally {
setActionPending(false);
}
};
if (error && !data) {
return (
<Card>
<div className="text-xs text-red-400">{error}</div>
@@ -107,7 +178,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
data.request.tenantName ||
data.request.agentName;
// Pending admin approval
// ─── Pending: awaiting admin approval ───────────────────────────────
if (status === "pending") {
return (
<Card className="animate-in">
@@ -131,7 +202,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
{t("pendingTitle")}
</h2>
{label && (
<p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
<p className="text-xs font-mono text-text-secondary mb-2">
{label}
</p>
)}
<p className="text-sm text-text-secondary max-w-sm mx-auto">
{t("pendingDescription")}
@@ -150,12 +223,76 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
</span>
</p>
)}
{/* Bug 6 — owner-only edit + cancel actions while still
pending. Once admin acts, both buttons disappear (the
status branch changes). */}
{canAct && (
<div className="flex justify-center gap-2 mt-5">
<Link
href={`/dashboard/edit/${encodeURIComponent(requestId)}`}
className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
>
{t("editRequest")}
</Link>
<button
type="button"
onClick={() => setConfirmCancel(true)}
className="text-sm font-medium px-4 py-2 rounded-lg border border-red-500/30 text-red-400 hover:bg-red-500/10 transition-colors"
>
{t("cancelRequest")}
</button>
</div>
)}
{error && (
<p className="text-xs text-red-400 mt-3">{error}</p>
)}
</div>
{confirmCancel && (
<div
role="dialog"
aria-modal="true"
className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
onClick={(e) => {
if (e.target === e.currentTarget) setConfirmCancel(false);
}}
>
<div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full">
<h3 className="font-display text-lg font-semibold text-text-primary mb-2">
{t("cancelConfirmRequestTitle")}
</h3>
<p className="text-sm text-text-secondary mb-5">
{t("cancelConfirmRequestDescription")}
</p>
<div className="flex justify-end gap-2">
<button
type="button"
onClick={() => setConfirmCancel(false)}
disabled={actionPending}
className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
>
{tCommon("cancel")}
</button>
<button
type="button"
onClick={handleCancel}
disabled={actionPending}
className="text-sm px-4 py-2 rounded-lg bg-red-500 text-white hover:bg-red-600 transition-colors disabled:opacity-50"
>
{actionPending
? tCommon("loading")
: t("cancelRequestConfirm")}
</button>
</div>
</div>
</div>
)}
</Card>
);
}
// Rejected
// ─── Rejected: admin declined ───────────────────────────────────────
if (status === "rejected") {
return (
<Card className="animate-in">
@@ -179,22 +316,94 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
{t("rejectedTitle")}
</h2>
{label && (
<p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
<p className="text-xs font-mono text-text-secondary mb-2">
{label}
</p>
)}
<p className="text-sm text-text-secondary max-w-sm mx-auto">
{t("rejectedDescription")}
</p>
{data.request.adminNotes && (
<p className="text-xs text-text-muted mt-3 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
{data.request.adminNotes}
</p>
<div className="text-left text-xs text-text-secondary mt-4 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
<div className="font-semibold uppercase tracking-wider text-text-muted text-[10px] mb-1.5">
{t("rejectionReason")}
</div>
<div className="whitespace-pre-wrap">
{data.request.adminNotes}
</div>
</div>
)}
{/* Bug 13: dismiss removes this card from the dashboard but
keeps the row in the DB for audit. The customer can also
just resubmit via the wizard — both paths are valid. */}
{canAct && (
<div className="flex justify-center mt-5">
<button
type="button"
onClick={handleDismiss}
disabled={actionPending}
className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
>
{actionPending ? tCommon("loading") : t("dismiss")}
</button>
</div>
)}
{error && <p className="text-xs text-red-400 mt-3">{error}</p>}
</div>
</Card>
);
}
// Provisioning in progress (status approved/provisioning, optionally with tenant phase < Ready)
// ─── Cancelled: customer cancelled before admin acted (Bug 6) ──────
if (status === "cancelled") {
return (
<Card className="animate-in">
<div className="text-center py-6">
<div className="h-14 w-14 rounded-xl bg-text-muted/15 flex items-center justify-center mx-auto mb-4">
<svg
className="h-7 w-7 text-text-muted"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
strokeWidth={1.5}
>
<path
strokeLinecap="round"
strokeLinejoin="round"
d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
/>
</svg>
</div>
<h2 className="font-display text-lg font-semibold text-text-primary mb-2">
{t("cancelledTitle")}
</h2>
{label && (
<p className="text-xs font-mono text-text-secondary mb-2">
{label}
</p>
)}
<p className="text-sm text-text-secondary max-w-sm mx-auto">
{t("cancelledDescription")}
</p>
{canAct && (
<div className="flex justify-center mt-5">
<button
type="button"
onClick={handleDismiss}
disabled={actionPending}
className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
>
{actionPending ? tCommon("loading") : t("dismiss")}
</button>
</div>
)}
{error && <p className="text-xs text-red-400 mt-3">{error}</p>}
</div>
</Card>
);
}
// ─── Provisioning: approved, operator working ──────────────────────
if (
status === "approved" ||
status === "provisioning" ||
@@ -213,7 +422,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
{t("provisioningTitle")}
</h2>
{label && (
<p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
<p className="text-xs font-mono text-text-secondary mb-2">
{label}
</p>
)}
<p className="text-sm text-text-secondary">
{t("provisioningDescription")}
@@ -249,7 +460,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
);
}
// Active / Ready
// ─── Active / Ready ─────────────────────────────────────────────────
if (status === "active") {
return (
<Card className="animate-in">
@@ -273,7 +484,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
{t("readyTitle")}
</h2>
{label && (
<p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
<p className="text-xs font-mono text-text-secondary mb-2">
{label}
</p>
)}
<p className="text-sm text-text-secondary max-w-sm mx-auto mb-4">
{t("readyDescription")}

112
src/components/onboarding/wizard.tsx
View File

@@ -64,6 +64,35 @@ interface WizardProps {
*/
userName?: string;
userEmail?: string;
/**
* Bug 6: when present, the wizard renders in "edit" mode — fields
* are pre-populated from the request, the SOUL.md auto-fetch is
* skipped (we trust the existing values), and the submit button
* PATCHes /api/onboarding/[id] instead of POSTing /api/onboarding.
*
* Per-package secrets are deliberately NOT pre-filled, even if the
* customer originally supplied them — server-side decryption to
* the client would be a security regression. The user re-enters
* any secrets they want to change; if they leave them blank, the
* existing encrypted blob in the DB is preserved by the PATCH
* endpoint.
*/
editingRequest?: {
id: string;
instanceName: string;
agentName: string;
soulMd: string;
agentsMd: string;
packages: string[];
billingAddress: {
company?: string;
street?: string;
city?: string;
postalCode?: string;
country?: string;
};
billingNotes: string;
};
onComplete: () => void;
}
@@ -71,6 +100,7 @@ export function OnboardingWizard({
orgName,
userName,
userEmail,
editingRequest,
onComplete,
}: WizardProps) {
const t = useTranslations("onboarding");
@@ -91,30 +121,55 @@ export function OnboardingWizard({
orgName,
isPersonal,
});
const isEditing = Boolean(editingRequest);
const [step, setStep] = useState<Step>("welcome");
// Edit mode jumps straight to the configure step — the welcome step
// is a first-time onboarding affordance and only adds friction when
// the customer is fixing a typo.
const [step, setStep] = useState<Step>(isEditing ? "configure" : "welcome");
const [submitting, setSubmitting] = useState(false);
const [error, setError] = useState("");
const [advancedOpen, setAdvancedOpen] = useState(false);
const [defaultsLoaded, setDefaultsLoaded] = useState(false);
// In edit mode we already have soulMd/agentsMd from the request;
// skip the workspace-defaults round trip that would overwrite them.
const [defaultsLoaded, setDefaultsLoaded] = useState(isEditing);
const [config, setConfig] = useState({
instanceName: "",
agentName: "Assistant",
soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
agentsMd: FALLBACK_AGENTS,
packages: [] as string[],
billingAddress: {
// For personal accounts, leave the company field empty — it'll
// appear on invoices. The user can still type something if they
// want to.
company: isPersonal ? "" : displayOrgName,
street: "",
city: "",
postalCode: "",
country: "CH",
},
billingNotes: "",
const [config, setConfig] = useState(() => {
if (editingRequest) {
return {
instanceName: editingRequest.instanceName,
agentName: editingRequest.agentName,
soulMd: editingRequest.soulMd,
agentsMd: editingRequest.agentsMd,
packages: editingRequest.packages,
billingAddress: {
company: editingRequest.billingAddress.company ?? "",
street: editingRequest.billingAddress.street ?? "",
city: editingRequest.billingAddress.city ?? "",
postalCode: editingRequest.billingAddress.postalCode ?? "",
country: editingRequest.billingAddress.country ?? "CH",
},
billingNotes: editingRequest.billingNotes,
};
}
return {
instanceName: "",
agentName: "Assistant",
soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
agentsMd: FALLBACK_AGENTS,
packages: [] as string[],
billingAddress: {
// For personal accounts, leave the company field empty — it'll
// appear on invoices. The user can still type something if they
// want to.
company: isPersonal ? "" : displayOrgName,
street: "",
city: "",
postalCode: "",
country: "CH",
},
billingNotes: "",
};
});
// TOOLS.md preview — readonly, auto-generated
@@ -308,8 +363,17 @@ export function OnboardingWizard({
}
}
const res = await fetch("/api/onboarding", {
method: "POST",
// Bug 6: edit mode targets the per-row endpoint with PATCH;
// create mode targets the collection endpoint with POST. Body
// shape is the same — both routes parse it through
// onboardingSchema.
const url = editingRequest
? `/api/onboarding/${encodeURIComponent(editingRequest.id)}`
: "/api/onboarding";
const method = editingRequest ? "PATCH" : "POST";
const res = await fetch(url, {
method,
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
...config,
@@ -1017,7 +1081,11 @@ export function OnboardingWizard({
disabled={submitting}
className="py-2.5 px-6 bg-accent text-white text-sm font-medium rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
>
{submitting ? tCommon("loading") : t("submitRequest")}
{submitting
? tCommon("loading")
: isEditing
? t("saveChanges")
: t("submitRequest")}
</button>
</div>
</Card>

8
src/components/ui/status-badge.tsx
View File

@@ -15,6 +15,11 @@ const phaseStyles: Record<string, string> = {
Running: "bg-success/10 text-success border-success/20",
Ready: "bg-success/10 text-success border-success/20",
Provisioning: "bg-warning/10 text-warning border-warning/20",
// Reconfiguring shares the warning palette (yellow pulse) but renders
// a distinct label, so customers see it differently from first-time
// provisioning. Useful when packages or channel-users change and the
// pod restarts mid-life.
Reconfiguring: "bg-warning/10 text-warning border-warning/20",
Pending: "bg-text-muted/10 text-text-secondary border-border",
Suspended: "bg-amber-500/10 text-amber-400 border-amber-500/30",
Error: "bg-error/10 text-error border-error/20",
@@ -44,6 +49,9 @@ export function StatusBadge({ phase }: { phase: string }) {
{phase === "Provisioning" && (
<span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
)}
{phase === "Reconfiguring" && (
<span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
)}
{label}
</span>
);

121
src/lib/db.ts
View File

@@ -1,5 +1,5 @@
import { Pool } from "pg";
import type { TenantRequest, TenantRequestStatus } from "@/types";
import type { BillingAddress, TenantRequest, TenantRequestStatus } from "@/types";
import { listTenants, getTenant } from "./k8s";
// ---------------------------------------------------------------------------
@@ -72,6 +72,11 @@ const MIGRATION_SQL = `
ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS agents_md TEXT;
ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS instance_name TEXT;
ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS is_personal BOOLEAN NOT NULL DEFAULT FALSE;
-- Bug 13: customer-side dismissal of rejected requests. NULL means "still
-- visible on the dashboard"; non-null means "customer clicked Dismiss".
-- Pending/approved/active rows keep this NULL by definition — the field
-- is only meaningful for `rejected` and `cancelled` rows.
ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ;
-- Slice 3: drop the legacy 1-org-1-request constraint if it exists
ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
@@ -250,10 +255,21 @@ export async function listTenantRequestsByOrgId(
}
/**
* As {@link listTenantRequestsByOrgId} but excludes terminal-failed states
* (rejected, deleted). Useful for the dashboard which wants to show
* pending/approved/provisioning/active tenants and pending requests, not
* historical rejections.
* As {@link listTenantRequestsByOrgId} but tuned for the customer's
* dashboard view.
*
* Returns:
* - All non-terminal rows (pending, approved, provisioning, active),
* because the customer needs to see what's in flight.
* - Terminal-failed rows (rejected, cancelled) that the customer
* hasn't dismissed yet (Bug 13). Without this, a rejection that
* happens while the customer isn't online would only be
* communicated by email — easy to miss.
*
* Excludes:
* - `deleted` rows (admin tore down the tenant — historical, not
* actionable).
* - Dismissed rejected/cancelled rows.
*/
export async function listActiveTenantRequestsByOrgId(
orgId: string
@@ -262,7 +278,8 @@ export async function listActiveTenantRequestsByOrgId(
const result = await getPool().query<TenantRequest>(
`SELECT * FROM tenant_requests
WHERE zitadel_org_id = $1
AND status NOT IN ('deleted', 'rejected')
AND status <> 'deleted'
AND (status NOT IN ('rejected', 'cancelled') OR dismissed_at IS NULL)
ORDER BY created_at DESC`,
[orgId]
);
@@ -354,6 +371,96 @@ export async function clearEncryptedSecrets(requestId: string): Promise<void> {
);
}
/**
* Set dismissed_at = now() on a request row. Used when a customer
* clicks "Dismiss" on a rejected/cancelled card on their dashboard
* (Bug 13). The row stays in the database for history/audit but
* stops appearing in `listActiveTenantRequestsByOrgId`.
*
* Idempotent: dismissing an already-dismissed row is a no-op.
* Caller is responsible for verifying the row belongs to the user's
* org before calling.
*/
export async function dismissTenantRequest(id: string): Promise<void> {
await ensureSchema();
await getPool().query(
`UPDATE tenant_requests
SET dismissed_at = COALESCE(dismissed_at, now()),
updated_at = now()
WHERE id = $1`,
[id]
);
}
/**
* Update editable fields of a still-pending tenant request. Bug 6 — a
* customer who notices a typo or wants to add a package after submitting
* the wizard should be able to fix it without admin involvement.
*
* Only the customer-input fields are updateable. `status`, `tenant_name`,
* `admin_notes`, `encrypted_secrets`, `is_personal`, `zitadel_*` and
* timestamps are managed elsewhere and intentionally not here.
*
* The caller is responsible for:
* - verifying the row belongs to the user's org
* - verifying status === 'pending' (editing approved/provisioning rows
* would race against the operator)
*
* Returns the updated row, or null if the id didn't match anything.
*/
export async function updateTenantRequestEditableFields(
id: string,
fields: {
instanceName?: string | null;
agentName?: string;
soulMd?: string;
agentsMd?: string | null;
packages?: string[];
billingAddress?: BillingAddress;
billingNotes?: string;
encryptedSecrets?: Buffer | null;
}
): Promise<TenantRequest | null> {
await ensureSchema();
const sets: string[] = ["updated_at = now()"];
const values: any[] = [id];
let idx = 2;
// Map JS field names to SQL columns. Each entry is gated on
// `!== undefined` so passing only some fields just updates those.
const colMap: Array<[keyof typeof fields, string]> = [
["instanceName", "instance_name"],
["agentName", "agent_name"],
["soulMd", "soul_md"],
["agentsMd", "agents_md"],
["packages", "packages"],
["billingAddress", "billing_address"],
["billingNotes", "billing_notes"],
["encryptedSecrets", "encrypted_secrets"],
];
for (const [jsField, sqlCol] of colMap) {
const v = fields[jsField];
if (v === undefined) continue;
sets.push(`${sqlCol} = $${idx}`);
values.push(v);
idx++;
}
if (sets.length === 1) {
// No editable fields supplied — return the row unchanged rather
// than running a useless UPDATE that just bumps updated_at.
const cur = await getTenantRequestById(id);
return cur;
}
const result = await getPool().query<TenantRequest>(
`UPDATE tenant_requests SET ${sets.join(", ")} WHERE id = $1 RETURNING *`,
values
);
return result.rows[0] ? mapRow(result.rows[0]) : null;
}
/**
* Wrapper around domain-check.ts that injects the portal's connection pool.
* Kept here so route handlers don't need direct access to the pool.
@@ -446,6 +553,8 @@ function mapRow(row: any): TenantRequest {
tenantName: row.tenant_name,
encryptedSecrets: row.encrypted_secrets ?? null,
isPersonal: row.is_personal ?? false,
dismissedAt:
row.dismissed_at?.toISOString?.() ?? row.dismissed_at ?? null,
createdAt: row.created_at?.toISOString?.() ?? row.created_at,
updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
};

19
src/messages/de.json
View File

@@ -100,7 +100,21 @@
"reviewInstanceDefault": "(Standard — verwendet Firmenname)",
"reviewNoPackages": "Keine ausgewählt",
"reviewBillingTo": "Rechnungsempfänger",
"reviewContactEmail": "Kontakt-E-Mail"
"reviewContactEmail": "Kontakt-E-Mail",
"editRequestTitle": "Anfrage bearbeiten",
"editRequestDescription": "Passen Sie die Konfiguration an, bevor unser Team sie prüft.",
"editRequest": "Bearbeiten",
"cancelRequest": "Anfrage stornieren",
"cancelRequestConfirm": "Ja, Anfrage stornieren",
"cancelConfirmRequestTitle": "Diese Anfrage stornieren?",
"cancelConfirmRequestDescription": "Ihre ausstehende Anfrage wird als storniert markiert und aus der Warteschlange entfernt. Sie können jederzeit eine neue Anfrage einreichen.",
"cancelFailed": "Anfrage konnte nicht storniert werden.",
"cancelledTitle": "Anfrage storniert",
"cancelledDescription": "Sie haben diese Anfrage vor der Bearbeitung storniert. Es wurde keine Instanz erstellt.",
"dismiss": "Ausblenden",
"dismissFailed": "Konnte nicht ausgeblendet werden.",
"rejectionReason": "Angegebener Grund",
"saveChanges": "Änderungen speichern"
},
"dashboard": {
"title": "Dashboard",
@@ -345,6 +359,7 @@
"Ready": "Bereit",
"Suspended": "Pausiert",
"Error": "Fehler",
"Deleting": "Wird gelöscht"
"Deleting": "Wird gelöscht",
"Reconfiguring": "Wird neu konfiguriert"
}
}

19
src/messages/en.json
View File

@@ -100,7 +100,21 @@
"reviewInstanceDefault": "(default — uses company name)",
"reviewNoPackages": "None selected",
"reviewBillingTo": "Billing to",
"reviewContactEmail": "Contact email"
"reviewContactEmail": "Contact email",
"editRequestTitle": "Edit your request",
"editRequestDescription": "Adjust the configuration before our team reviews it.",
"editRequest": "Edit",
"cancelRequest": "Cancel request",
"cancelRequestConfirm": "Yes, cancel request",
"cancelConfirmRequestTitle": "Cancel this request?",
"cancelConfirmRequestDescription": "Your pending request will be marked as cancelled and removed from the review queue. You can submit a new request at any time.",
"cancelFailed": "Could not cancel request.",
"cancelledTitle": "Request cancelled",
"cancelledDescription": "You cancelled this request before it was processed. No instance was created.",
"dismiss": "Dismiss",
"dismissFailed": "Could not dismiss.",
"rejectionReason": "Reason given",
"saveChanges": "Save changes"
},
"dashboard": {
"title": "Dashboard",
@@ -345,6 +359,7 @@
"Ready": "Ready",
"Suspended": "Suspended",
"Error": "Error",
"Deleting": "Deleting"
"Deleting": "Deleting",
"Reconfiguring": "Reconfiguring"
}
}

19
src/messages/fr.json
View File

@@ -100,7 +100,21 @@
"reviewInstanceDefault": "(par défaut — utilise le nom de l'entreprise)",
"reviewNoPackages": "Aucun sélectionné",
"reviewBillingTo": "Facturer à",
"reviewContactEmail": "E-mail de contact"
"reviewContactEmail": "E-mail de contact",
"editRequestTitle": "Modifier votre demande",
"editRequestDescription": "Ajustez la configuration avant que notre équipe ne l'examine.",
"editRequest": "Modifier",
"cancelRequest": "Annuler la demande",
"cancelRequestConfirm": "Oui, annuler la demande",
"cancelConfirmRequestTitle": "Annuler cette demande ?",
"cancelConfirmRequestDescription": "Votre demande en attente sera marquée comme annulée et retirée de la file. Vous pouvez soumettre une nouvelle demande à tout moment.",
"cancelFailed": "Impossible d'annuler la demande.",
"cancelledTitle": "Demande annulée",
"cancelledDescription": "Vous avez annulé cette demande avant son traitement. Aucune instance n'a été créée.",
"dismiss": "Masquer",
"dismissFailed": "Impossible de masquer.",
"rejectionReason": "Motif indiqué",
"saveChanges": "Enregistrer les modifications"
},
"dashboard": {
"title": "Tableau de bord",
@@ -345,6 +359,7 @@
"Ready": "Prêt",
"Suspended": "Suspendu",
"Error": "Erreur",
"Deleting": "Suppression"
"Deleting": "Suppression",
"Reconfiguring": "Reconfiguration"
}
}

19
src/messages/it.json
View File

@@ -100,7 +100,21 @@
"reviewInstanceDefault": "(predefinito — usa il nome dell'azienda)",
"reviewNoPackages": "Nessuno selezionato",
"reviewBillingTo": "Fatturare a",
"reviewContactEmail": "Email di contatto"
"reviewContactEmail": "Email di contatto",
"editRequestTitle": "Modifica la sua richiesta",
"editRequestDescription": "Modifichi la configurazione prima che il nostro team la esamini.",
"editRequest": "Modifica",
"cancelRequest": "Annulla richiesta",
"cancelRequestConfirm": "Sì, annulla la richiesta",
"cancelConfirmRequestTitle": "Annullare questa richiesta?",
"cancelConfirmRequestDescription": "La sua richiesta in attesa sarà contrassegnata come annullata e rimossa dalla coda di revisione. Può inviare una nuova richiesta in qualsiasi momento.",
"cancelFailed": "Impossibile annullare la richiesta.",
"cancelledTitle": "Richiesta annullata",
"cancelledDescription": "Lei ha annullato questa richiesta prima dell'elaborazione. Nessuna istanza è stata creata.",
"dismiss": "Nascondi",
"dismissFailed": "Impossibile nascondere.",
"rejectionReason": "Motivo indicato",
"saveChanges": "Salva modifiche"
},
"dashboard": {
"title": "Dashboard",
@@ -345,6 +359,7 @@
"Ready": "Pronto",
"Suspended": "Sospeso",
"Error": "Errore",
"Deleting": "Eliminazione"
"Deleting": "Eliminazione",
"Reconfiguring": "Riconfigurazione"
}
}

10
src/types/index.ts
View File

@@ -83,6 +83,7 @@ export interface PiecedTenantStatus {
| "Provisioning"
| "Running"
| "Ready"
| "Reconfiguring"
| "Suspended"
| "Error"
| "Deleting";
@@ -169,6 +170,7 @@ export type TenantRequestStatus =
| "provisioning" // PiecedTenant CR created, operator reconciling
| "active" // Tenant running
| "rejected" // Admin rejected
| "cancelled" // Customer cancelled before admin acted on it (Bug 6)
| "deleted"; // Tenant was deleted by admin
export interface TenantRequest {
@@ -202,6 +204,14 @@ export interface TenantRequest {
* domain-uniqueness check on subsequent registrations.
*/
isPersonal?: boolean;
/**
* Bug 13: when set, the customer has explicitly dismissed a rejected
* request from their dashboard. Used by `listActiveTenantRequestsByOrgId`
* to keep showing rejected rows until they're dismissed (so a customer
* who wasn't online when the rejection happened still sees it on next
* login). Always null for non-rejected statuses.
*/
dismissedAt?: string | null;
createdAt: string;
updatedAt: string;
}