TenantAssignment and readside filtering

src/app/api/admin/tenants/[name]/delete/route.ts

@@ -1,13 +1,21 @@
 import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
 import { getTenant, deleteTenant } from "@/lib/k8s";
-import { markTenantRequestDeletedByTenantName } from "@/lib/db";
+import {
+  markTenantRequestDeletedByTenantName,
+  removeAllAssignmentsForTenant,
+} from "@/lib/db";
 import { safeError } from "@/lib/errors";
 
 /**
  * POST /api/admin/tenants/[name]/delete
  * Delete a PiecedTenant CR. The operator handles cleanup
  * (namespace, vault, litellm team, etc.).
+ *
+ * Slice 6: also cascades the tenant_user_assignments rows so a
+ * future tenant with the same name (won't happen given UUID-suffix
+ * naming, but defense in depth) doesn't inherit stale assignments.
+ *
  * Also marks the associated tenant_request as "deleted" so the
  * customer can re-submit the onboarding wizard.
  */
@@ -31,10 +39,14 @@ export async function POST(
   try {
     await deleteTenant(name);
 
-    // Mark the associated tenant_request as "deleted" so the customer
-    // sees the wizard again instead of a stale "active" status
+    // Best-effort DB cleanups. Both errors are logged but not surfaced —
+    // the K8s deletion has already started, and the row state is just
+    // for portal display.
     await markTenantRequestDeletedByTenantName(name).catch((e) =>
-      console.error("Failed to update tenant request after delete:", e)
+      console.error("Failed to mark tenant request deleted:", e)
+    );
+    await removeAllAssignmentsForTenant(name).catch((e) =>
+      console.error("Failed to clean up tenant assignments:", e)
     );
 
     return NextResponse.json({