Phase2.5: Skill SetUp Process

src/app/api/admin/skills/pending/[id]/reject/route.ts

@@ -8,6 +8,7 @@ import {
 import { getPackageDef } from "@/lib/packages";
 import { listOrgUsers } from "@/lib/zitadel";
 import { sendSkillActivationRejectionEmail } from "@/lib/email";
+import { deletePackageSecrets } from "@/lib/openbao";
 
 /**
  * POST /api/admin/skills/pending/[id]/reject
@@ -79,6 +80,33 @@ export async function POST(
     );
   }
 
+  // Cleanup: if the package needed customer-provided secrets, the
+  // user submitted them BEFORE the gate fired (handleSubmitSecrets
+  // in PackageCard writes to OpenBao then PATCHes). Those secrets
+  // are now orphaned — the package never made it into spec, won't
+  // be re-attempted unless the user retries with fresh credentials.
+  // Best-effort delete: keep the OpenBao path clean, avoid stale
+  // creds lurking. Idempotent (404 is fine). Failure is logged but
+  // not propagated — the rejection itself already succeeded.
+  //
+  // We deliberately skip customProvisioning packages here. Those
+  // mint platform-side credentials via a dedicated endpoint and
+  // need symmetric deprovisioning (POST /[pkg.id] → DELETE
+  // /[pkg.id]). Calling deletePackageSecrets wouldn't revoke them
+  // — admin handles that path manually if the rejected request had
+  // already minted resources.
+  const def = getPackageDef(req.skillId);
+  if (def?.requiresSecrets && !def.customProvisioning) {
+    try {
+      await deletePackageSecrets(req.tenantName, req.skillId);
+    } catch (e) {
+      console.error(
+        `Failed to delete orphan secrets for ${req.tenantName}/${req.skillId} after reject:`,
+        e
+      );
+    }
+  }
+
   // Email the requester with the reason — best-effort.
   try {
     const orgUsers = await listOrgUsers(req.zitadelOrgId);

src/app/api/skills/requests/[id]/withdraw/route.ts

@@ -4,6 +4,8 @@ import {
   getSkillActivationRequestById,
   updateSkillActivationRequestStatus,
 } from "@/lib/db";
+import { getPackageDef } from "@/lib/packages";
+import { deletePackageSecrets } from "@/lib/openbao";
 
 /**
  * POST /api/skills/requests/[id]/withdraw
@@ -50,5 +52,23 @@ export async function POST(
       { status: 409 }
     );
   }
+
+  // Cleanup: same logic as reject — the user submitted secrets
+  // before the gate fired, and those are now orphaned in OpenBao.
+  // Best-effort delete; failure logged but not propagated. Skip
+  // customProvisioning packages (their deprovisioning is a
+  // separate, dedicated endpoint).
+  const def = getPackageDef(req.skillId);
+  if (def?.requiresSecrets && !def.customProvisioning) {
+    try {
+      await deletePackageSecrets(req.tenantName, req.skillId);
+    } catch (e) {
+      console.error(
+        `Failed to delete orphan secrets for ${req.tenantName}/${req.skillId} after withdraw:`,
+        e
+      );
+    }
+  }
+
   return NextResponse.json(updated);
 }

src/components/packages/package-card.tsx

@@ -240,11 +240,23 @@ export function PackageCard({
             <span className="text-[10px] text-text-muted">{t("packages.requiresApiKey")}</span>
           )}
           {/* Phase 2.5: pending or rejected request takes precedence
-              over the toggle. Approved/withdrawn never reach here. */}
+              over the toggle. Approved/withdrawn never reach here.
+              For packages that needed secrets, surface that they're
+              safely stored — the user might otherwise worry the
+              credentials they typed got lost when the activation
+              was deferred. */}
           {canEdit && activationRequest?.status === "pending" ? (
-            <div className="ml-auto flex items-center gap-2">
-              <span className="text-[10px] text-warning italic">
+            <div className="ml-auto flex flex-col items-end gap-1">
+              <span
+                className="text-[10px] text-warning italic"
+                title={pkg.requiresSecrets ? t("packages.credentialsSavedTip") : undefined}
+              >
                 {t("packages.manualReviewPending")}
+                {pkg.requiresSecrets && (
+                  <span className="text-text-muted ml-1 not-italic">
+                    · {t("packages.credentialsSaved")}
+                  </span>
+                )}
               </span>
               <button
                 onClick={withdrawRequest}

src/messages/de.json

@@ -287,7 +287,7 @@
       "clientSecretPlaceholder": "GOCSPX-…",
       "refreshTokenLabel": "Google OAuth Refresh-Token",
       "refreshTokenPlaceholder": "1//0g…",
-      "instructions": "Die Google-Workspace-Integration verwendet OAuth und erfordert derzeit manuelles Onboarding. Bitte eröffnen Sie ein Support-Ticket, um den Setup-Prozess zu starten — wir tauschen die Client-Zugangsdaten und ein Refresh-Token offline aus und aktivieren dann dieses Paket für Ihren Mandanten.",
+      "instructions": "Google Workspace nutzt OAuth. Erstellen Sie einen OAuth-Client in Ihrem Google-Cloud-Projekt, autorisieren Sie ihn mit den benötigten Scopes (Gmail, Kalender, Drive usw.) und fügen Sie die Zugangsdaten unten ein. Mit dem Absenden werden sie sicher gespeichert und Ihre Aktivierung zur Admin-Prüfung eingereiht — nach Genehmigung wird die Integration automatisch aktiviert.",
       "disclaimer": "Mit der Aktivierung der Google-Workspace-Integration autorisieren Sie PieCed, in Ihrem Namen auf Gmail, Kalender, Drive, Docs, Sheets und Kontakte zuzugreifen. Daten fliessen über die Google-APIs, vorbehaltlich der Google-Bedingungen."
     },
     "mail": {
@@ -315,7 +315,9 @@
     "manualReviewPending": "Manuelle Prüfung ausstehend",
     "withdraw": "Zurückziehen",
     "activationRejected": "Abgelehnt",
-    "tryAgain": "Erneut versuchen"
+    "tryAgain": "Erneut versuchen",
+    "credentialsSaved": "Zugangsdaten gespeichert",
+    "credentialsSavedTip": "Die eingegebenen Zugangsdaten sind sicher gespeichert und werden verwendet, sobald die Aktivierung vom Admin genehmigt wurde. Sie müssen sie nicht erneut eingeben."
   },
   "admin": {
     "title": "Plattform-Admin",

src/messages/en.json

@@ -287,7 +287,7 @@
       "clientSecretPlaceholder": "GOCSPX-…",
       "refreshTokenLabel": "Google OAuth Refresh Token",
       "refreshTokenPlaceholder": "1//0g…",
-      "instructions": "Google Workspace integration uses OAuth and requires manual onboarding for now. Please open a support ticket to start the setup — we'll exchange the client credentials and a refresh token offline, then enable this package on your tenant.",
+      "instructions": "Google Workspace uses OAuth. Create an OAuth client in your Google Cloud project, authorize it with the scopes you need (Gmail, Calendar, Drive, etc.), then paste the credentials below. Submission stores them securely and queues your activation for admin review — once approved, the integration activates automatically.",
       "disclaimer": "By enabling Google Workspace integration you authorize PieCed to access Gmail, Calendar, Drive, Docs, Sheets, and Contacts on your behalf. Data flows through Google's APIs subject to Google's terms."
     },
     "mail": {
@@ -315,7 +315,9 @@
     "manualReviewPending": "Manual review pending",
     "withdraw": "Withdraw",
     "activationRejected": "Rejected",
-    "tryAgain": "Try again"
+    "tryAgain": "Try again",
+    "credentialsSaved": "credentials saved",
+    "credentialsSavedTip": "The credentials you entered are securely stored and will be used as soon as admin approves the activation. You don't need to re-enter them."
   },
   "admin": {
     "title": "Platform Admin",

src/messages/fr.json

@@ -287,7 +287,7 @@
       "clientSecretPlaceholder": "GOCSPX-…",
       "refreshTokenLabel": "Jeton de rafraîchissement Google OAuth",
       "refreshTokenPlaceholder": "1//0g…",
-      "instructions": "L'intégration de Google Workspace utilise OAuth et nécessite actuellement une intégration manuelle. Veuillez ouvrir un ticket de support pour démarrer la configuration — nous échangerons hors ligne les identifiants client et un jeton de rafraîchissement, puis activerons ce package sur votre tenant.",
+      "instructions": "Google Workspace utilise OAuth. Créez un client OAuth dans votre projet Google Cloud, autorisez-le avec les scopes nécessaires (Gmail, Agenda, Drive, etc.), puis collez les identifiants ci-dessous. La soumission les stocke en sécurité et place votre activation dans la file de revue administrative — après approbation, l'intégration s'active automatiquement.",
       "disclaimer": "En activant l'intégration de Google Workspace, vous autorisez PieCed à accéder à Gmail, Agenda, Drive, Docs, Sheets et Contacts en votre nom. Les données transitent par les API de Google, soumises aux conditions de Google."
     },
     "mail": {
@@ -315,7 +315,9 @@
     "manualReviewPending": "Revue manuelle en attente",
     "withdraw": "Retirer",
     "activationRejected": "Refusée",
-    "tryAgain": "Réessayer"
+    "tryAgain": "Réessayer",
+    "credentialsSaved": "identifiants enregistrés",
+    "credentialsSavedTip": "Les identifiants saisis sont stockés en sécurité et seront utilisés dès l'approbation de l'activation par l'administrateur. Vous n'avez pas besoin de les ressaisir."
   },
   "admin": {
     "title": "Admin plateforme",

src/messages/it.json

@@ -287,7 +287,7 @@
       "clientSecretPlaceholder": "GOCSPX-…",
       "refreshTokenLabel": "Token di refresh Google OAuth",
       "refreshTokenPlaceholder": "1//0g…",
-      "instructions": "L'integrazione con Google Workspace utilizza OAuth e richiede attualmente un onboarding manuale. Apri un ticket di supporto per avviare la configurazione — scambieremo le credenziali del client e un token di refresh offline, quindi abiliteremo questo pacchetto sul tuo tenant.",
+      "instructions": "Google Workspace utilizza OAuth. Crea un client OAuth nel tuo progetto Google Cloud, autorizzalo con gli scope necessari (Gmail, Calendar, Drive, ecc.), quindi incolla le credenziali qui sotto. L'invio le memorizza in modo sicuro e mette in coda l'attivazione per la revisione amministrativa — dopo l'approvazione, l'integrazione si attiva automaticamente.",
       "disclaimer": "Abilitando l'integrazione con Google Workspace autorizzi PieCed ad accedere per tuo conto a Gmail, Calendar, Drive, Docs, Sheets e Contatti. I dati transitano attraverso le API di Google, soggetti ai termini di Google."
     },
     "mail": {
@@ -315,7 +315,9 @@
     "manualReviewPending": "Revisione manuale in attesa",
     "withdraw": "Ritira",
     "activationRejected": "Rifiutata",
-    "tryAgain": "Riprova"
+    "tryAgain": "Riprova",
+    "credentialsSaved": "credenziali salvate",
+    "credentialsSavedTip": "Le credenziali inserite sono memorizzate in modo sicuro e saranno utilizzate non appena l'attivazione viene approvata dall'amministratore. Non è necessario reinserirle."
   },
   "admin": {
     "title": "Admin piattaforma",