Suspendedremoval

src/app/[locale]/dashboard/page.tsx

@@ -174,7 +174,16 @@ export default async function DashboardPage() {
     (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
   );
   const inflightRequests = orgRequests.filter(
-    (r) => !r.tenantName || !orgScopedTenants.some((t) => t.metadata.name === r.tenantName)
+    (r) =>
+      // Only show provision (initial creation) requests on the
+      // dashboard. Resume requests (Bug 37a) belong with their
+      // specific tenant — the SubscriptionToggle on the tenant
+      // detail page renders the pending state there. Showing them
+      // on the dashboard too would duplicate the surface and
+      // confuse customers about which tenant they refer to.
+      r.requestType !== "resume" &&
+      (!r.tenantName ||
+        !orgScopedTenants.some((t) => t.metadata.name === r.tenantName))
   );
 
   // Slice 5: only owners (and platform users, who'd typically be using

src/app/[locale]/tenants/[name]/page.tsx

@@ -3,6 +3,7 @@ import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect, notFound } from "next/navigation";
 import { getTenant } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
+import { getPendingResumeRequestForTenant } from "@/lib/db";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { WarningBadge } from "@/components/ui/warning-badge";
 import { UsageDisplay } from "@/components/dashboard/usage-display";
@@ -47,6 +48,13 @@ export default async function TenantDetailPage({
   // The current state comes from spec.suspend on the CR.
   const isSuspended = Boolean(tenant.spec.suspend);
 
+  // Bug 37a: when the tenant is suspended, an owner can request
+  // reactivation (admin-gated). Look up whether one is in flight so
+  // the SubscriptionToggle can render the right state.
+  const pendingResumeRequest = isSuspended
+    ? await getPendingResumeRequestForTenant(name)
+    : null;
+
   // Bug 7: assigned-users panel is meaningless for personal tenants
   // (sole-owner by definition; the only "assignee" is the owner
   // themselves). We hide the panel when EITHER the CR carries the
@@ -208,7 +216,19 @@ export default async function TenantDetailPage({
               ? t("subscriptionDescriptionSuspended")
               : t("subscriptionDescriptionActive")}
           </p>
-          <SubscriptionToggle tenantName={name} suspended={isSuspended} />
+          <SubscriptionToggle
+            tenantName={name}
+            suspended={isSuspended}
+            isPlatform={user.isPlatform}
+            pendingResumeRequest={
+              pendingResumeRequest
+                ? {
+                    id: pendingResumeRequest.id,
+                    createdAt: pendingResumeRequest.createdAt,
+                  }
+                : null
+            }
+          />
         </section>
       )}
     </div>

src/app/api/admin/requests/[id]/approve/route.ts

@@ -5,7 +5,7 @@ import {
   updateTenantRequestStatus,
   clearEncryptedSecrets,
 } from "@/lib/db";
-import { createTenant } from "@/lib/k8s";
+import { createTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
 import { sendApprovalEmail } from "@/lib/email";
 import { decryptSecrets } from "@/lib/crypto";
 import { writePackageSecrets } from "@/lib/openbao";
@@ -19,14 +19,26 @@ import { safeError } from "@/lib/errors";
 
 /**
  * POST /api/admin/requests/[id]/approve
- * Approve a tenant request:
+ *
- * 1. Decrypt stored package secrets (if any)
+ * Approve a request. Two paths depending on request_type:
- * 2. Write each package's secrets to OpenBao at secret/data/tenants/{tenant-name}/{package}
+ *
- * 3. Null the encrypted_secrets column
+ * Provision (the original purpose):
- * 4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
+ *  1. Decrypt stored package secrets (if any)
- * 5. Create PiecedTenant CR
+ *  2. Write each package's secrets to OpenBao
- * 6. Update request status, notify customer.
+ *  3. Null the encrypted_secrets column
- * Also supports re-approving a previously rejected request (clears admin notes).
+ *  4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
+ *  5. Create PiecedTenant CR
+ *  6. Update request status, notify customer.
+ *  Supports re-approving a previously rejected request (clears admin notes).
+ *
+ * Resume (Bug 37a):
+ *  1. PATCH spec.suspend=false on the existing PiecedTenant CR.
+ *  2. Clear the `pieced.ch/resume-request-pending` annotation so the
+ *     operator knows the request is settled (and doesn't pause its
+ *     60-day TTL forever — though now that the tenant isn't suspended,
+ *     the timer is moot).
+ *  3. Mark request approved, notify customer.
+ *  No CR creation, no secret materialisation, no workspace files.
  */
 export async function POST(
   request: Request,
@@ -60,6 +72,56 @@ export async function POST(
     );
   }
 
+  // Resume request: short path. Just patch the existing tenant, clear
+  // the annotation, mark approved.
+  if (tenantRequest.requestType === "resume") {
+    if (!tenantRequest.tenantName) {
+      // Shouldn't happen — resume requests are created with tenant_name
+      // set. Defensive 500 if it does.
+      return NextResponse.json(
+        { error: "Resume request has no tenant_name" },
+        { status: 500 }
+      );
+    }
+    try {
+      await patchTenantSpec(tenantRequest.tenantName, { suspend: false });
+      // Clear the annotation that pauses the operator's 60-day TTL.
+      // Best-effort — annotation cleanup is also done by the operator
+      // when it sees suspend=false on the next reconcile (it clears
+      // status.suspendedAt), but explicitly clearing here keeps the
+      // CR clean.
+      try {
+        await setTenantAnnotation(
+          tenantRequest.tenantName,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "post-approve annotation clear failed; not blocking",
+          e
+        );
+      }
+
+      await updateTenantRequestStatus(id, "approved", adminNotes);
+
+      await sendApprovalEmail(tenantRequest, tenantRequest.tenantName).catch(
+        (e) => console.error("approval email failed:", e)
+      );
+
+      return NextResponse.json({
+        message: "Resume approved. Tenant is reactivating.",
+        tenantName: tenantRequest.tenantName,
+      });
+    } catch (e: any) {
+      console.error("Resume approval failed:", e);
+      return NextResponse.json(
+        { error: safeError(e, "Failed to approve resume") },
+        { status: 500 }
+      );
+    }
+  }
+
   const isReApproval = tenantRequest.status === "rejected";
 
   // Build the CR name: see `lib/tenant-naming.ts` for the format spec.

src/app/api/admin/requests/[id]/reject/route.ts

@@ -1,11 +1,19 @@
 import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
 import { getTenantRequestById, updateTenantRequestStatus } from "@/lib/db";
+import { setTenantAnnotation } from "@/lib/k8s";
 import { sendRejectionEmail } from "@/lib/email";
 
 /**
  * POST /api/admin/requests/[id]/reject
  * Reject a tenant request and notify the customer.
+ *
+ * For resume requests (Bug 37a): also clears the
+ * `pieced.ch/resume-request-pending` annotation on the tenant CR.
+ * The operator's 60-day TTL then resumes counting from the original
+ * suspendedAt — rejection doesn't reset it. The customer can submit
+ * a fresh resume request later if circumstances change, but that
+ * starts a new pending row and re-stamps the annotation.
  */
 export async function POST(
   request: Request,
@@ -37,6 +45,26 @@ export async function POST(
     adminNotes,
   });
 
+  // Resume rejection: clear the annotation so the operator's TTL
+  // resumes. Best-effort — failure is logged, not propagated.
+  if (
+    tenantRequest.requestType === "resume" &&
+    tenantRequest.tenantName
+  ) {
+    try {
+      await setTenantAnnotation(
+        tenantRequest.tenantName,
+        "pieced.ch/resume-request-pending",
+        null
+      );
+    } catch (e) {
+      console.warn(
+        "post-reject annotation clear failed; operator's TTL will pause until annotation removed by admin",
+        e
+      );
+    }
+  }
+
   // Notify customer
   await sendRejectionEmail(
     tenantRequest.contactEmail,

src/app/api/onboarding/[id]/route.ts

@@ -6,6 +6,7 @@ import {
   updateTenantRequestEditableFields,
 } from "@/lib/db";
 import { encryptSecrets } from "@/lib/crypto";
+import { setTenantAnnotation } from "@/lib/k8s";
 import { onboardingSchema } from "@/lib/validation";
 import { safeError } from "@/lib/errors";
 
@@ -91,6 +92,25 @@ export async function DELETE(
 
   try {
     await updateTenantRequestStatus(id, "cancelled");
+
+    // Customer cancels their own pending resume request: clear the
+    // operator-side annotation so the 60-day TTL resumes counting.
+    // Best-effort — the operator handles missing annotation gracefully.
+    if (tr.requestType === "resume" && tr.tenantName) {
+      try {
+        await setTenantAnnotation(
+          tr.tenantName,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "post-cancel annotation clear failed; not blocking",
+          e
+        );
+      }
+    }
+
     return NextResponse.json({ message: "Request cancelled.", id });
   } catch (e: any) {
     console.error("Failed to cancel request:", e);

src/app/api/tenants/[name]/resume-request/route.ts

@@ -0,0 +1,154 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getTenant, setTenantAnnotation } from "@/lib/k8s";
+import { canUserSeeTenant } from "@/lib/visibility";
+import {
+  createResumeRequest,
+  getPendingResumeRequestForTenant,
+  getTenantRequestByTenantName,
+} from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * POST /api/tenants/[name]/resume-request
+ *
+ * Owner-initiated request to reactivate a suspended tenant (Bug 37a).
+ * Creates a pending tenant_request of type 'resume' for admin review,
+ * and stamps the PiecedTenant CR with an annotation that pauses the
+ * operator's 60-day deletion timer.
+ *
+ * Why a request flow at all
+ * -------------------------
+ * Customers can self-serve cancel; resume requires admin oversight.
+ * Reactivation may involve re-validating billing, confirming the
+ * customer still wants to be active, or other manual steps. The
+ * request flow gives admins a queue to review, with the same approve/
+ * reject UX as initial provision requests.
+ *
+ * Authorization
+ * -------------
+ * Owners and platform admins. Platform admins shouldn't normally use
+ * this endpoint — they have direct PATCH suspend access — but it's
+ * permissive in case admin tooling pivots.
+ *
+ * Validation
+ * ----------
+ *  - Tenant must exist and be visible to the caller.
+ *  - Tenant must be currently suspended. Resuming an active tenant
+ *    is meaningless.
+ *  - At most one pending resume request per tenant. Enforced by the
+ *    DB's partial unique index, but we also check explicitly here to
+ *    return a friendly 409 instead of a 500.
+ *
+ * Side effects on success
+ * -----------------------
+ *  - INSERT into tenant_requests (request_type='resume', status='pending')
+ *  - PATCH annotation `pieced.ch/resume-request-pending=<request-id>` on
+ *    the CR. This is the operator's signal to pause its 60-day deletion
+ *    timer until the request transitions to terminal.
+ *
+ * The annotation set is best-effort: if the K8s PATCH fails after the
+ * DB insert, the row exists without the annotation. The customer
+ * sees the request as pending; admin can still approve. The only
+ * functional consequence is the 60-day timer doesn't pause until the
+ * next request transition, which is fine in practice (admin response
+ * times are dramatically shorter than 60 days).
+ */
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { name } = await params;
+  const tenant = await getTenant(name);
+  if (!tenant) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (!(await canUserSeeTenant(user, tenant))) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (!tenant.spec.suspend) {
+    return NextResponse.json(
+      { error: "Tenant is not suspended; nothing to resume." },
+      { status: 409 }
+    );
+  }
+
+  // Already a pending request? Don't duplicate.
+  const existing = await getPendingResumeRequestForTenant(name);
+  if (existing) {
+    return NextResponse.json(
+      {
+        error: "A resume request for this tenant is already pending.",
+        request: { id: existing.id, createdAt: existing.createdAt },
+      },
+      { status: 409 }
+    );
+  }
+
+  // Pull traceability fields (companyName, agentName) from the original
+  // provision request. The schema marks these NOT NULL, so we have to
+  // populate them; copying from the provision row keeps the resume
+  // row navigable in the admin UI without making up values.
+  const provision = await getTenantRequestByTenantName(name);
+
+  try {
+    const resumeRequest = await createResumeRequest({
+      tenantName: name,
+      zitadelOrgId: tenant.metadata.labels?.[
+        "pieced.ch/zitadel-org-id"
+      ] ?? user.zitadelOrgId,
+      zitadelUserId: user.id,
+      contactName: user.name ?? user.email ?? "Unknown",
+      contactEmail: user.email ?? "unknown@example.invalid",
+      companyName: provision?.companyName ?? tenant.spec.displayName ?? name,
+      agentName: provision?.agentName ?? "Assistant",
+    });
+
+    // Stamp the annotation so the operator pauses its TTL. If this
+    // fails the request still exists; surface the error so admin
+    // tooling can re-stamp if needed, but don't roll back.
+    try {
+      await setTenantAnnotation(
+        name,
+        "pieced.ch/resume-request-pending",
+        resumeRequest.id
+      );
+    } catch (e) {
+      console.warn(
+        "resume request created but annotation could not be set; operator's 60-day timer will not pause until next reconcile triggered by request transition",
+        e
+      );
+    }
+
+    return NextResponse.json(
+      {
+        message: "Resume request submitted. An admin will review shortly.",
+        request: { id: resumeRequest.id, status: resumeRequest.status },
+      },
+      { status: 201 }
+    );
+  } catch (e: any) {
+    // Unique violation (a pending row already exists for this tenant)
+    // is friendly-handled above; this catches everything else.
+    if (e.code === "23505") {
+      return NextResponse.json(
+        { error: "A resume request for this tenant is already pending." },
+        { status: 409 }
+      );
+    }
+    console.error("Resume request creation failed:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to submit resume request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/tenants/[name]/suspend/route.ts

@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { z } from "zod";
 import { getSessionUser, canMutate } from "@/lib/session";
-import { getTenant, patchTenantSpec } from "@/lib/k8s";
+import { getTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
 import { safeError } from "@/lib/errors";
 
@@ -12,37 +12,38 @@ const patchSchema = z.object({
 /**
  * PATCH /api/tenants/[name]/suspend
  *
- * Customer-side "Cancel subscription" / "Resume" toggle (Bug 31).
+ * Direct suspend control on the PiecedTenant CR. Sets `spec.suspend`
+ * to true (cancel) or false (resume).
  *
- * Sets `spec.suspend` on the PiecedTenant CR. The operator interprets
+ * Authorization (Bug 37a)
- * this flag as "stop reconciling this tenant" — workloads, packages,
+ * -----------------------
- * and channel-user changes are no longer applied. Existing data is
+ * - suspend=true  → owners and platform admins may call.
- * preserved (namespace, ConfigMaps, OpenBao secrets, CNPG database,
+ * - suspend=false → platform admins ONLY. Owners must go through the
- * billing records). Resuming sets the flag back to false and the
+ *   resume-request flow (POST /api/tenants/[name]/resume-request),
- * operator picks up reconciliation on the next loop.
+ *   which creates a pending request for admin approval. This
+ *   asymmetry is by design: cancellation is self-service (low risk;
+ *   reversible by request); reactivation requires admin oversight
+ *   (e.g. to re-validate billing, confirm intent).
  *
- * Authorization
+ * Customer flow:
- * -------------
+ *   - Cancel:  PATCH suspend=true  here
- * - Customer-side: only an `owner` of the tenant's org may call this.
+ *   - Resume:  POST /resume-request — creates a 'resume' tenant_request,
- *   `canMutate` is the right gate (mirrors the rest of the customer
+ *              admin approves via /api/admin/requests/[id]/approve which
- *   API surface). User-role members cannot cancel a subscription.
+ *              then PATCHes suspend=false here as a platform user.
- * - Platform staff: allowed via `canMutate`'s isPlatform branch, but
- *   in practice they should use admin tooling for this — the action
- *   is exposed here for the customer's benefit.
  *
- * Visibility check is via `canUserSeeTenant` — same notFound() trick
+ * Workload behaviour
- * as the detail page, so we don't leak existence of tenants the
+ * ------------------
- * caller can't see.
+ * On suspend=true the operator deletes the OpenClawInstance, stopping
+ * the pod within seconds. Tenant data — namespace, ConfigMaps,
+ * OpenBao secrets, CNPG database, LiteLLM team — is retained.
  *
- * Note on workload teardown
+ * Suspended tenants enter a 60-day retention window (operator
- * -------------------------
+ * constant `retentionAfterSuspend`); after that, the tenant is fully
- * As of this writing, the operator's `suspend` handling is "skip
+ * deleted unless a pending resume request exists. The operator
- * reconciliation and set status.phase to Suspended". The underlying
+ * checks the `pieced.ch/resume-request-pending` annotation to know
- * StatefulSet keeps running until next reconciliation, which won't
+ * about pending requests; we set it here when admin approves the
- * happen while suspended. Group D will add scale-to-zero so cancelled
+ * resume (transitively, via the admin-approve endpoint), and clear
- * subscriptions actually stop incurring compute. Until then, an
+ * it when the request reaches a terminal state.
- * operator following up with a `kubectl scale` is the workaround.
- * Customer data is preserved either way.
  */
 export async function PATCH(
   req: NextRequest,
@@ -76,6 +77,18 @@ export async function PATCH(
   }
   const { suspend } = parsed.data;
 
+  // Bug 37a: resume (suspend=false) is platform-admin only via this
+  // endpoint. Owners must go through the resume-request flow.
+  if (!suspend && !user.isPlatform) {
+    return NextResponse.json(
+      {
+        error:
+          "Resume requires platform-admin approval. Submit a resume request via /api/tenants/[name]/resume-request.",
+      },
+      { status: 403 }
+    );
+  }
+
   // No-op early exit. Avoids a needless K8s patch + status churn when
   // the user double-clicks the button or the UI is briefly out of sync.
   if (Boolean(tenant.spec.suspend) === suspend) {
@@ -87,10 +100,32 @@ export async function PATCH(
 
   try {
     await patchTenantSpec(name, { suspend });
+
+    // On admin-side resume, also clear the pending-resume-request
+    // annotation if it exists. Belt-and-suspenders: the admin-approve
+    // endpoint already clears it on its happy path, but a platform
+    // user resuming directly via this endpoint shouldn't leave the
+    // annotation behind. Best-effort: failure to clear the annotation
+    // is logged but doesn't fail the resume.
+    if (!suspend) {
+      try {
+        await setTenantAnnotation(
+          name,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "failed to clear resume-request-pending annotation; operator will see it stale until next request transition",
+          e
+        );
+      }
+    }
+
     return NextResponse.json(
       {
         message: suspend
-          ? "Subscription cancelled. Your data is preserved."
+          ? "Subscription cancelled. Your data is preserved for 60 days."
           : "Subscription resumed.",
         suspend,
       },

src/components/admin/admin-panel.tsx

@@ -362,9 +362,28 @@ export function AdminPanel({ initialTenants }: AdminPanelProps) {
                         className="border-b border-border last:border-0 hover:bg-surface-2/50 transition-colors"
                       >
                         <td className="px-4 py-3">
-                          <div className="font-medium text-text-primary text-sm">
+                          <div className="font-medium text-text-primary text-sm flex items-center gap-2">
                             {req.companyName}
+                            {/* Bug 37a: distinguish resume requests in the
+                                queue. Provision and resume share status
+                                semantics but very different action
+                                consequences — a resume approval just
+                                un-suspends an existing tenant, no
+                                provisioning workflow runs. */}
+                            {req.requestType === "resume" && (
+                              <span
+                                className="px-1.5 py-0.5 text-[10px] font-semibold rounded uppercase tracking-wider bg-success/15 text-success"
+                                title={t("resumeRequestTooltip")}
+                              >
+                                {t("resumeRequestBadge")}
+                              </span>
+                            )}
                           </div>
+                          {req.requestType === "resume" && req.tenantName && (
+                            <div className="text-text-muted text-xs font-mono mt-0.5">
+                              {req.tenantName}
+                            </div>
+                          )}
                         </td>
                         <td className="px-4 py-3">
                           <div className="text-text-primary text-sm">

src/components/tenants/subscription-toggle.tsx

@@ -2,49 +2,73 @@
 
 import { useState } from "react";
 import { useRouter } from "next/navigation";
-import { useTranslations } from "next-intl";
+import { useTranslations, useFormatter } from "next-intl";
 import { Modal } from "@/components/ui/modal";
 
 interface Props {
   tenantName: string;
   /**
-   * Current suspend state — server-derived. The control toggles this
+   * Current suspend state — server-derived. Drives which control the
-   * via PATCH /api/tenants/[name]/suspend, then refreshes the route
+   * customer sees: "Cancel subscription" while active, the
-   * so server-component-side data (status badge, suspended notice)
+   * resume-request flow while suspended.
-   * re-renders.
    */
   suspended: boolean;
+  /**
+   * True when the viewer has platform admin role. Platform users are
+   * the only ones who can directly resume a tenant via PATCH; owners
+   * must go through the resume-request flow. We use this in the
+   * suspended branch to decide whether to render a direct "Resume"
+   * button or the "Request reactivation" workflow.
+   */
+  isPlatform: boolean;
+  /**
+   * If a resume request is currently pending for this tenant, its
+   * id and submitted-at. The component renders an info card with
+   * a cancel-request button instead of the request-reactivation
+   * button. Only meaningful when `suspended === true`.
+   */
+  pendingResumeRequest: { id: string; createdAt: string } | null;
 }
 
 /**
- * SubscriptionToggle — owner-side cancel/resume control (Bug 31).
+ * SubscriptionToggle — owner-side cancel/resume control.
  *
- * Renders a single button that toggles between "Cancel subscription"
+ * Three render states:
- * (when active) and "Resume subscription" (when suspended). Cancellation
+ *   1. Active: "Cancel subscription" button + confirmation modal
- * is gated behind a confirmation modal because it's destructive
+ *      (mentions 60-day retention before permanent deletion).
- * looking from the user's POV — even though no data is lost, the
+ *   2. Suspended, no pending resume request: "Request reactivation"
- * AI assistant becomes unavailable until they resume. Resume has no
+ *      button + simple confirmation modal explaining admin review.
- * modal; it's a strict subset of cancellation in terms of risk.
+ *   3. Suspended, pending resume request: status card "Reactivation
+ *      requested X days ago" + "Cancel request" button.
  *
- * The control intentionally lives at the bottom of the tenant detail
+ * Platform admins viewing a suspended tenant get a fourth state in
- * page rather than next to the status badge — putting it near the
+ * place of #2/#3: a direct "Resume now" button (no admin queue, no
- * top would invite mis-clicks. Customers who want to cancel scroll
+ * request flow). This is the admin escape hatch.
- * past the running configuration, billing-relevant info, and assigned
- * users first; that's the right friction level.
  *
- * Suspended tenants render a top-of-page banner separately (see the
+ * The control intentionally lives at the bottom of the tenant
- * detail page); this component focuses on the action itself.
+ * detail page rather than near the top — putting it next to the
+ * status badge would invite mis-clicks.
  */
-export function SubscriptionToggle({ tenantName, suspended }: Props) {
+export function SubscriptionToggle({
+  tenantName,
+  suspended,
+  isPlatform,
+  pendingResumeRequest,
+}: Props) {
   const t = useTranslations("tenantDetail");
   const tCommon = useTranslations("common");
+  const f = useFormatter();
   const router = useRouter();
 
-  const [confirmOpen, setConfirmOpen] = useState(false);
+  const [confirmCancelOpen, setConfirmCancelOpen] = useState(false);
+  const [confirmResumeOpen, setConfirmResumeOpen] = useState(false);
   const [submitting, setSubmitting] = useState(false);
   const [error, setError] = useState("");
 
-  const toggleSuspend = async (next: boolean) => {
+  // Customer-side cancel: PATCH suspend=true. Same path as before.
+  // The 60-day retention copy in the modal is the new bit (Bug 37b);
+  // mechanics are unchanged.
+  const cancel = async () => {
     setSubmitting(true);
     setError("");
     try {
@@ -53,18 +77,14 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
         {
           method: "PATCH",
           headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ suspend: next }),
+          body: JSON.stringify({ suspend: true }),
         }
       );
       if (!res.ok) {
         const data = await res.json().catch(() => ({}));
         throw new Error(data.error || t("subscriptionUpdateFailed"));
       }
-      setConfirmOpen(false);
+      setConfirmCancelOpen(false);
-      // The status badge + suspended banner are server-rendered, so
-      // a route refresh is the simplest way to reflect the new state.
-      // Optimistic local toggle would diverge from the actual CR if
-      // the operator hasn't observed the patch yet.
       router.refresh();
     } catch (e: any) {
       setError(e.message);
@@ -73,39 +93,217 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
     }
   };
 
+  // Owner-side resume request: POST a 'resume' tenant_request that
+  // sits pending until admin acts. Different from cancel: no PATCH
+  // on the CR — that happens only when admin approves.
+  const requestResume = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/resume-request`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      setConfirmResumeOpen(false);
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Customer cancels their own pending resume request.
+  const cancelResumeRequest = async () => {
+    if (!pendingResumeRequest) return;
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${pendingResumeRequest.id}`,
+        { method: "DELETE" }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Platform admin: direct resume, bypassing the request flow.
+  const adminResume = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/suspend`,
+        {
+          method: "PATCH",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ suspend: false }),
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // ─── Suspended branch ───────────────────────────────────────────────
+
   if (suspended) {
+    // Platform admin sees direct resume. Independent of pending
+    // resume — admin can always resume immediately.
+    if (isPlatform) {
+      return (
+        <div>
+          <button
+            type="button"
+            onClick={adminResume}
+            disabled={submitting}
+            className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
+          >
+            {submitting
+              ? tCommon("loading")
+              : t("resumeSubscription")}
+          </button>
+          {pendingResumeRequest && (
+            <p className="text-xs text-text-muted mt-2">
+              {t("resumeRequestPendingNoteAdmin")}
+            </p>
+          )}
+          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        </div>
+      );
+    }
+
+    // Owner with pending resume request: render the request status
+    // card with cancel.
+    if (pendingResumeRequest) {
+      const submittedDate = new Date(pendingResumeRequest.createdAt);
+      return (
+        <div>
+          <div className="rounded-xl border border-amber-500/30 bg-amber-500/5 px-4 py-3">
+            <div className="text-sm font-medium text-amber-400 mb-1">
+              {t("resumeRequestPendingTitle")}
+            </div>
+            <div className="text-xs text-text-secondary">
+              {t.rich("resumeRequestPendingDescription", {
+                when: f.relativeTime(submittedDate),
+              })}
+            </div>
+            <button
+              type="button"
+              onClick={cancelResumeRequest}
+              disabled={submitting}
+              className="mt-3 text-xs px-3 py-1.5 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors disabled:opacity-50"
+            >
+              {submitting
+                ? tCommon("loading")
+                : t("cancelResumeRequest")}
+            </button>
+          </div>
+          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        </div>
+      );
+    }
+
+    // Owner with no pending request: offer to create one.
     return (
       <div>
         <button
           type="button"
-          onClick={() => toggleSuspend(false)}
+          onClick={() => setConfirmResumeOpen(true)}
-          disabled={submitting}
+          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors"
-          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
         >
-          {submitting ? tCommon("loading") : t("resumeSubscription")}
+          {t("requestReactivation")}
         </button>
-        {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        {error && !confirmResumeOpen && (
+          <p className="text-xs text-red-400 mt-2">{error}</p>
+        )}
+
+        {confirmResumeOpen && (
+          <Modal
+            open={confirmResumeOpen}
+            onClose={() => setConfirmResumeOpen(false)}
+            ariaLabel={t("requestReactivationConfirmTitle")}
+          >
+            <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+              {t("requestReactivationConfirmTitle")}
+            </h3>
+            <p className="text-sm text-text-secondary mb-5">
+              {t("requestReactivationConfirmDescription")}
+            </p>
+
+            {error && (
+              <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
+                {error}
+              </div>
+            )}
+
+            <div className="flex justify-end gap-2">
+              <button
+                type="button"
+                onClick={() => setConfirmResumeOpen(false)}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+              >
+                {tCommon("cancel")}
+              </button>
+              <button
+                type="button"
+                onClick={requestResume}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg bg-success text-white hover:bg-success/90 transition-colors disabled:opacity-50"
+              >
+                {submitting
+                  ? tCommon("loading")
+                  : t("requestReactivationConfirm")}
+              </button>
+            </div>
+          </Modal>
+        )}
       </div>
     );
   }
 
+  // ─── Active branch ──────────────────────────────────────────────────
+
   return (
     <div>
       <button
         type="button"
-        onClick={() => setConfirmOpen(true)}
+        onClick={() => setConfirmCancelOpen(true)}
         className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
       >
         {t("cancelSubscription")}
       </button>
-      {error && !confirmOpen && (
+      {error && !confirmCancelOpen && (
         <p className="text-xs text-red-400 mt-2">{error}</p>
       )}
 
-      {confirmOpen && (
+      {confirmCancelOpen && (
         <Modal
-          open={confirmOpen}
+          open={confirmCancelOpen}
-          onClose={() => setConfirmOpen(false)}
+          onClose={() => setConfirmCancelOpen(false)}
           ariaLabel={t("cancelConfirmTitle")}
         >
           <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
@@ -114,11 +312,17 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
           <p className="text-sm text-text-secondary mb-3">
             {t("cancelConfirmDescription")}
           </p>
-          <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-5">
+          <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-3">
             <li>{t("cancelConfirmBullet1")}</li>
             <li>{t("cancelConfirmBullet2")}</li>
             <li>{t("cancelConfirmBullet3")}</li>
           </ul>
+          {/* Bug 37b: 60-day retention warning. Distinct paragraph so it
+              reads as a separate, more serious commitment than the
+              regular bullets above. */}
+          <div className="text-xs text-amber-400 bg-amber-400/10 border border-amber-400/20 rounded-lg px-3 py-2 mb-5">
+            {t("cancelConfirmRetentionWarning")}
+          </div>
 
           {error && (
             <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
@@ -129,7 +333,7 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
           <div className="flex justify-end gap-2">
             <button
               type="button"
-              onClick={() => setConfirmOpen(false)}
+              onClick={() => setConfirmCancelOpen(false)}
               disabled={submitting}
               className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
             >
@@ -137,7 +341,7 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
             </button>
             <button
               type="button"
-              onClick={() => toggleSuspend(true)}
+              onClick={cancel}
               disabled={submitting}
               className="text-sm px-4 py-2 rounded-lg bg-amber-500 text-white hover:bg-amber-600 transition-colors disabled:opacity-50"
             >

src/lib/db.ts

@@ -78,6 +78,42 @@ const MIGRATION_SQL = `
   -- is only meaningful for rejected and cancelled rows.
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ;
 
+  -- Bug 37a: resume requests use the same table as provision requests so
+  -- the customer dashboard and admin queue share rendering. Discriminator
+  -- is request_type. Default 'provision' on backfill keeps existing rows
+  -- working without explicit migration.
+  --
+  -- Resume rows have:
+  --   request_type     = 'resume'
+  --   tenant_name      = the existing tenant being requested for reactivation
+  --   zitadel_org_id   = the org owning that tenant
+  --   zitadel_user_id  = the requesting customer
+  --   status           = pending → approved/rejected (or cancelled by customer)
+  --   most provision-only fields (packages, billing_address, etc.) are NULL
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS request_type TEXT NOT NULL DEFAULT 'provision';
+  -- Constrain to the known set so a future code change can't accidentally
+  -- write a third type without first widening this constraint.
+  DO $$ BEGIN
+    ALTER TABLE tenant_requests ADD CONSTRAINT tenant_requests_request_type_check
+      CHECK (request_type IN ('provision', 'resume'));
+  EXCEPTION WHEN duplicate_object THEN NULL;
+  END $$;
+
+  -- Tenant_name uniqueness was originally meant for "one tenant CR per
+  -- approved provision request". Resume requests reuse a tenant_name,
+  -- so the uniqueness must now be scoped to provision rows only.
+  DROP INDEX IF EXISTS uniq_tenant_requests_tenant_name;
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_tenant_name_provision
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL AND request_type = 'provision';
+
+  -- Only one pending resume request per tenant at a time. Otherwise a
+  -- customer could spam-create resume requests (the admin queue would
+  -- bloat) or two admins might race on approving duplicates.
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_pending_resume
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL AND request_type = 'resume' AND status = 'pending';
+
   -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
   ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
 
@@ -381,6 +417,111 @@ export async function clearEncryptedSecrets(requestId: string): Promise<void> {
  * Caller is responsible for verifying the row belongs to the user's
  * org before calling.
  */
+/**
+ * Create a resume request (Bug 37a). Used when an owner of a suspended
+ * tenant wants to reactivate it. Resume is admin-gated — the request
+ * sits as `pending` until a platform admin approves or rejects it.
+ *
+ * Tenant-name uniqueness is enforced for `pending` resume rows by a
+ * partial unique index, so a customer can't spam the queue with
+ * duplicate resume requests for the same tenant. The DB throws a
+ * unique-violation if they try; callers should catch that and translate
+ * to a 409.
+ *
+ * Why this lives in tenant_requests instead of a separate table:
+ *   - the lifecycle is identical (pending → approved/rejected, plus
+ *     customer-side cancel and dismiss-after-terminal)
+ *   - the customer dashboard renders pending+resume cards from the
+ *     same `listActiveTenantRequestsByOrgId` query — adding a separate
+ *     table would mean two queries and union-merging in the UI
+ *   - the admin queue likewise treats them uniformly
+ * The cost is a discriminator column (`request_type`) and most
+ * provision-only fields being null on resume rows. That's a tradeoff
+ * I think is worth it.
+ */
+export async function createResumeRequest(params: {
+  tenantName: string;
+  zitadelOrgId: string;
+  zitadelUserId: string;
+  contactName: string;
+  contactEmail: string;
+  // Provision-only fields default sensibly. company_name + agent_name
+  // are NOT NULL in the original schema; we copy them from the existing
+  // tenant request for traceability rather than storing dummy values.
+  companyName: string;
+  agentName: string;
+}): Promise<TenantRequest> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `INSERT INTO tenant_requests (
+        zitadel_org_id, zitadel_user_id, company_name,
+        contact_name, contact_email, agent_name,
+        tenant_name, request_type, status
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, 'resume', 'pending')
+     RETURNING *`,
+    [
+      params.zitadelOrgId,
+      params.zitadelUserId,
+      params.companyName,
+      params.contactName,
+      params.contactEmail,
+      params.agentName,
+      params.tenantName,
+    ]
+  );
+  return mapRow(result.rows[0]);
+}
+
+/**
+ * Get the most recent provision request for a tenant_name. Used by
+ * Bug 37a's resume-request creation to populate company_name and
+ * agent_name (NOT NULL columns) from the original provision row
+ * rather than make up values.
+ *
+ * Returns null when no such row exists — should be impossible in
+ * normal flow (resume requests are only created for already-existing
+ * tenants whose CR was created via approving a provision request),
+ * but the caller should guard against it for safety.
+ */
+export async function getTenantRequestByTenantName(
+  tenantName: string
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `SELECT * FROM tenant_requests
+      WHERE tenant_name = $1
+        AND request_type = 'provision'
+      ORDER BY created_at DESC
+      LIMIT 1`,
+    [tenantName]
+  );
+  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
+}
+
+/**
+ * Return the in-flight (pending) resume request for a given tenant, if
+ * any. Used both to gate the customer's "Request reactivation" button
+ * (don't allow a second when one's already pending) and by the admin
+ * UI to navigate from the tenant detail page to the awaiting request.
+ *
+ * Returns null when no pending resume exists. Approved/rejected rows
+ * are never returned — they're terminal.
+ */
+export async function getPendingResumeRequestForTenant(
+  tenantName: string
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `SELECT * FROM tenant_requests
+      WHERE tenant_name = $1
+        AND request_type = 'resume'
+        AND status = 'pending'
+      LIMIT 1`,
+    [tenantName]
+  );
+  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
+}
+
 export async function dismissTenantRequest(id: string): Promise<void> {
   await ensureSchema();
   await getPool().query(
@@ -555,6 +696,9 @@ function mapRow(row: any): TenantRequest {
     isPersonal: row.is_personal ?? false,
     dismissedAt:
       row.dismissed_at?.toISOString?.() ?? row.dismissed_at ?? null,
+    requestType: (row.request_type ?? "provision") as
+      | "provision"
+      | "resume",
     createdAt: row.created_at?.toISOString?.() ?? row.created_at,
     updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
   };

src/lib/k8s.ts

@@ -130,3 +130,46 @@ export async function patchTenantSpec(
   }
   return res.json() as Promise<PiecedTenant>;
 }
+
+/**
+ * Set or clear an annotation on a PiecedTenant CR.
+ *
+ * Pass `value=null` to remove the annotation. K8s merge-patch removes
+ * a key when its value is null in the patch — that's exactly the
+ * semantic we want.
+ *
+ * Used by the resume-request flow (Bug 37a): the portal sets
+ * `pieced.ch/resume-request-pending` when a customer creates a
+ * resume request, and clears it when the request transitions to a
+ * terminal state. The operator reads this annotation to pause its
+ * 60-day deletion timer while a resume request is in flight.
+ *
+ * Annotations are namespaced informally — we use `pieced.ch/...` for
+ * everything we own, mirroring the labels.
+ */
+export async function setTenantAnnotation(
+  name: string,
+  key: string,
+  value: string | null
+): Promise<PiecedTenant> {
+  const url = `${getBaseUrl()}/apis/${API_VERSION}/${PLURAL}/${name}`;
+  const res = await fetch(url, {
+    method: "PATCH",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/merge-patch+json",
+      ...getAuthHeaders(),
+    },
+    body: JSON.stringify({
+      metadata: { annotations: { [key]: value } },
+    }),
+  });
+
+  if (!res.ok) {
+    const text = await res.text();
+    const err = new Error(`K8s annotate /${name}: ${res.status} ${text}`);
+    (err as any).statusCode = res.status;
+    throw err;
+  }
+  return res.json() as Promise<PiecedTenant>;
+}

src/messages/de.json

@@ -157,7 +157,16 @@
     "cancelConfirmBullet3": "Rechnungsdaten bleiben gespeichert",
     "subscriptionUpdateFailed": "Abonnement konnte nicht aktualisiert werden.",
     "suspendedTitle": "Abonnement gekündigt",
-    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen."
+    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen.",
+    "requestReactivation": "Reaktivierung anfragen",
+    "requestReactivationConfirmTitle": "Reaktivierung anfragen?",
+    "requestReactivationConfirmDescription": "Ein Administrator prüft Ihre Anfrage und reaktiviert Ihren Tenant. Sie erhalten eine E-Mail, sobald die Anfrage genehmigt wurde.",
+    "requestReactivationConfirm": "Anfrage senden",
+    "cancelResumeRequest": "Anfrage stornieren",
+    "resumeRequestPendingTitle": "Reaktivierungsanfrage ausstehend",
+    "resumeRequestPendingDescription": "Eingereicht {when}. Ein Administrator wird die Anfrage in Kürze prüfen.",
+    "resumeRequestPendingNoteAdmin": "Ein Inhaber hat eine Reaktivierung angefragt; Sie können direkt oben fortfahren oder die Anfrage in der Admin-Warteschlange bearbeiten.",
+    "cancelConfirmRetentionWarning": "Ihre Daten bleiben nach der Kündigung 60 Tage lang erhalten. Danach werden alle Tenant-Daten – Konfiguration, Geheimnisse, Konversationen und Dateien – endgültig gelöscht."
   },
   "usage": {
     "inputTokens": "Input-Tokens",
@@ -297,7 +306,9 @@
     "loadingHealth": "Statusdaten werden geladen…",
     "statusHealthy": "OK",
     "statusDown": "Ausgefallen",
-    "spendChf": "Kosten (CHF)"
+    "spendChf": "Kosten (CHF)",
+    "resumeRequestBadge": "Wieder",
+    "resumeRequestTooltip": "Reaktivierungsanfrage für einen bestehenden Tenant. Bei Genehmigung wird der Tenant wieder aktiviert; keine Provisionierung läuft."
   },
   "channelUsers": {
     "title": "Autorisierte Benutzer",

src/messages/en.json

@@ -157,7 +157,16 @@
     "cancelConfirmBullet3": "Billing information is kept on file",
     "subscriptionUpdateFailed": "Could not update subscription.",
     "suspendedTitle": "Subscription cancelled",
-    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online."
+    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online.",
+    "requestReactivation": "Request reactivation",
+    "requestReactivationConfirmTitle": "Request reactivation?",
+    "requestReactivationConfirmDescription": "An administrator will review your request and reactivate your tenant. You'll be notified by email once it's approved.",
+    "requestReactivationConfirm": "Submit request",
+    "cancelResumeRequest": "Cancel request",
+    "resumeRequestPendingTitle": "Reactivation request pending",
+    "resumeRequestPendingDescription": "Submitted {when}. An administrator will review it shortly.",
+    "resumeRequestPendingNoteAdmin": "An owner has requested reactivation; you can resume directly above or process the request from the admin queue.",
+    "cancelConfirmRetentionWarning": "Your data is preserved for 60 days after cancellation. After that, all tenant data — configuration, secrets, conversations, and files — will be permanently deleted."
   },
   "usage": {
     "inputTokens": "Input Tokens",
@@ -297,7 +306,9 @@
     "loadingHealth": "Loading health data…",
     "statusHealthy": "Healthy",
     "statusDown": "Down",
-    "spendChf": "Spend (CHF)"
+    "spendChf": "Spend (CHF)",
+    "resumeRequestBadge": "Resume",
+    "resumeRequestTooltip": "Reactivation request for an existing tenant. Approving will un-suspend the tenant; no provisioning runs."
   },
   "channelUsers": {
     "title": "Authorized Users",

src/messages/fr.json

@@ -157,7 +157,16 @@
     "cancelConfirmBullet3": "Les informations de facturation sont conservées",
     "subscriptionUpdateFailed": "Impossible de mettre à jour l'abonnement.",
     "suspendedTitle": "Abonnement annulé",
-    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne."
+    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne.",
+    "requestReactivation": "Demander la réactivation",
+    "requestReactivationConfirmTitle": "Demander la réactivation ?",
+    "requestReactivationConfirmDescription": "Un administrateur examinera votre demande et réactivera votre locataire. Vous recevrez un e-mail dès que la demande sera approuvée.",
+    "requestReactivationConfirm": "Envoyer la demande",
+    "cancelResumeRequest": "Annuler la demande",
+    "resumeRequestPendingTitle": "Demande de réactivation en attente",
+    "resumeRequestPendingDescription": "Soumise {when}. Un administrateur l'examinera sous peu.",
+    "resumeRequestPendingNoteAdmin": "Un propriétaire a demandé la réactivation ; vous pouvez reprendre directement ci-dessus ou traiter la demande depuis la file d'attente d'administration.",
+    "cancelConfirmRetentionWarning": "Vos données sont conservées pendant 60 jours après l'annulation. Passé ce délai, toutes les données du locataire — configuration, secrets, conversations et fichiers — seront définitivement supprimées."
   },
   "usage": {
     "inputTokens": "Tokens d'entrée",
@@ -297,7 +306,9 @@
     "loadingHealth": "Chargement des données de santé…",
     "statusHealthy": "OK",
     "statusDown": "Hors service",
-    "spendChf": "Coûts (CHF)"
+    "spendChf": "Coûts (CHF)",
+    "resumeRequestBadge": "Reprise",
+    "resumeRequestTooltip": "Demande de réactivation d'un locataire existant. L'approbation le réactivera ; aucun provisionnement ne s'exécute."
   },
   "channelUsers": {
     "title": "Utilisateurs autorisés",

src/messages/it.json

@@ -157,7 +157,16 @@
     "cancelConfirmBullet3": "Le informazioni di fatturazione sono mantenute",
     "subscriptionUpdateFailed": "Impossibile aggiornare l'abbonamento.",
     "suspendedTitle": "Abbonamento annullato",
-    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online."
+    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online.",
+    "requestReactivation": "Richiedi riattivazione",
+    "requestReactivationConfirmTitle": "Richiedere la riattivazione?",
+    "requestReactivationConfirmDescription": "Un amministratore esaminerà la tua richiesta e riattiverà il tuo tenant. Riceverai un'email non appena la richiesta sarà approvata.",
+    "requestReactivationConfirm": "Invia richiesta",
+    "cancelResumeRequest": "Annulla richiesta",
+    "resumeRequestPendingTitle": "Richiesta di riattivazione in sospeso",
+    "resumeRequestPendingDescription": "Inviata {when}. Un amministratore la esaminerà a breve.",
+    "resumeRequestPendingNoteAdmin": "Un proprietario ha richiesto la riattivazione; puoi riprendere direttamente sopra o elaborare la richiesta dalla coda di amministrazione.",
+    "cancelConfirmRetentionWarning": "I tuoi dati sono conservati per 60 giorni dopo l'annullamento. Trascorso tale periodo, tutti i dati del tenant — configurazione, segreti, conversazioni e file — verranno eliminati definitivamente."
   },
   "usage": {
     "inputTokens": "Token di input",
@@ -297,7 +306,9 @@
     "loadingHealth": "Caricamento dati di stato…",
     "statusHealthy": "OK",
     "statusDown": "Non disponibile",
-    "spendChf": "Costi (CHF)"
+    "spendChf": "Costi (CHF)",
+    "resumeRequestBadge": "Ripresa",
+    "resumeRequestTooltip": "Richiesta di riattivazione di un tenant esistente. L'approvazione lo riattiverà; non viene eseguito alcun provisioning."
   },
   "channelUsers": {
     "title": "Utenti autorizzati",

src/types/index.ts

@@ -227,6 +227,14 @@ export interface TenantRequest {
    * login). Always null for non-rejected statuses.
    */
   dismissedAt?: string | null;
+  /**
+   * Bug 37a: discriminator between provision (initial tenant creation,
+   * the original purpose of this table) and resume (admin-gated
+   * reactivation of a suspended tenant). Default 'provision' for all
+   * pre-existing rows; resume rows have most provision fields null
+   * but tenant_name set to the tenant being requested.
+   */
+  requestType: "provision" | "resume";
   createdAt: string;
   updatedAt: string;
 }