diff --git a/src/app/[locale]/dashboard/page.tsx b/src/app/[locale]/dashboard/page.tsx
index 6c88a7e..a416ba7 100644
--- a/src/app/[locale]/dashboard/page.tsx
+++ b/src/app/[locale]/dashboard/page.tsx
@@ -141,7 +141,11 @@ export default async function DashboardPage() {
// No tenant → check for existing request, show onboarding flow
if (!myTenant) {
const existingRequest = await getTenantRequestByOrgId(user.orgId);
- const initialState = existingRequest?.status ?? "no_request";
+ // Treat "deleted" as no request — customer can re-onboard
+ const initialState =
+ !existingRequest || existingRequest.status === "deleted"
+ ? "no_request"
+ : existingRequest.status;
return (
diff --git a/src/app/api/admin/requests/[id]/approve/route.ts b/src/app/api/admin/requests/[id]/approve/route.ts
index 137ea91..90201d9 100644
--- a/src/app/api/admin/requests/[id]/approve/route.ts
+++ b/src/app/api/admin/requests/[id]/approve/route.ts
@@ -1,12 +1,19 @@
import { NextResponse } from "next/server";
import { requirePlatformRole } from "@/lib/session";
-import { getTenantRequestById, updateTenantRequestStatus } from "@/lib/db";
+import { getTenantRequestById, updateTenantRequestStatus, clearEncryptedSecrets } from "@/lib/db";
import { createTenant } from "@/lib/k8s";
import { sendApprovalEmail } from "@/lib/email";
+import { decryptSecrets } from "@/lib/crypto";
+import { writePackageSecrets } from "@/lib/openbao";
/**
* POST /api/admin/requests/[id]/approve
- * Approve a tenant request: create the PiecedTenant CR, update status, notify customer.
+ * Approve a tenant request:
+ * 1. Decrypt stored package secrets (if any)
+ * 2. Write each package's secrets to OpenBao at secret/data/tenants/{tenant-name}/{package}
+ * 3. Null the encrypted_secrets column
+ * 4. Create PiecedTenant CR
+ * 5. Update request status, notify customer.
* Also supports re-approving a previously rejected request (clears admin notes).
*/
export async function POST(
@@ -48,7 +55,17 @@ export async function POST(
.slice(0, 63) || `tenant-${tenantRequest.id.slice(0, 8)}`;
try {
- // Create the PiecedTenant CR
+ // Step 1: Decrypt and write package secrets to OpenBao (if collected during wizard)
+ if (tenantRequest.encryptedSecrets) {
+ const secrets = await decryptSecrets(tenantRequest.encryptedSecrets);
+ for (const [packageId, pkgSecrets] of Object.entries(secrets)) {
+ await writePackageSecrets(`tenant-${tenantName}`, packageId, pkgSecrets);
+ }
+ // Step 2: Null the encrypted column — secrets are now safely in OpenBao
+ await clearEncryptedSecrets(id);
+ }
+
+ // Step 3: Create the PiecedTenant CR
await createTenant(
tenantName,
{
@@ -64,14 +81,14 @@ export async function POST(
}
);
- // Update request status — clear admin notes on re-approval
+ // Step 4: Update request status — clear admin notes on re-approval
const updated = await updateTenantRequestStatus(id, "provisioning", {
adminNotes: isReApproval ? null : adminNotes,
tenantName,
clearAdminNotes: isReApproval,
});
- // Notify customer
+ // Step 5: Notify customer
await sendApprovalEmail(
tenantRequest.contactEmail,
tenantRequest.contactName,
diff --git a/src/app/api/admin/tenants/[name]/delete/route.ts b/src/app/api/admin/tenants/[name]/delete/route.ts
index 4c94bd9..851870d 100644
--- a/src/app/api/admin/tenants/[name]/delete/route.ts
+++ b/src/app/api/admin/tenants/[name]/delete/route.ts
@@ -1,11 +1,14 @@
import { NextResponse } from "next/server";
import { requirePlatformRole } from "@/lib/session";
import { getTenant, deleteTenant } from "@/lib/k8s";
+import { markTenantRequestDeletedByTenantName } from "@/lib/db";
/**
* POST /api/admin/tenants/[name]/delete
* Delete a PiecedTenant CR. The operator handles cleanup
* (namespace, vault, litellm team, etc.).
+ * Also marks the associated tenant_request as "deleted" so the
+ * customer can re-submit the onboarding wizard.
*/
export async function POST(
_request: Request,
@@ -26,6 +29,13 @@ export async function POST(
try {
await deleteTenant(name);
+
+ // Mark the associated tenant_request as "deleted" so the customer
+ // sees the wizard again instead of a stale "active" status
+ await markTenantRequestDeletedByTenantName(name).catch((e) =>
+ console.error("Failed to update tenant request after delete:", e)
+ );
+
return NextResponse.json({
message: "Tenant deletion initiated. The operator will clean up all resources.",
});
diff --git a/src/app/api/onboarding/route.ts b/src/app/api/onboarding/route.ts
index 8a969f3..30f937a 100644
--- a/src/app/api/onboarding/route.ts
+++ b/src/app/api/onboarding/route.ts
@@ -3,9 +3,11 @@ import { getSessionUser } from "@/lib/session";
import {
createTenantRequest,
getTenantRequestByOrgId,
+ deleteTenantRequest,
} from "@/lib/db";
import { getTenant, listTenants } from "@/lib/k8s";
import { sendAdminNotificationEmail } from "@/lib/email";
+import { encryptSecrets } from "@/lib/crypto";
import type { OnboardingInput } from "@/types";
import { z } from "zod";
@@ -13,6 +15,9 @@ const onboardingSchema = z.object({
agentName: z.string().min(1).max(50),
soulMd: z.string().max(10_000).optional(),
packages: z.array(z.string()).optional(),
+ packageSecrets: z
+ .record(z.string(), z.record(z.string(), z.string()))
+ .optional(),
billingAddress: z.object({
company: z.string().optional(),
street: z.string().optional(),
@@ -54,7 +59,7 @@ export async function GET() {
// Check if there's a pending request
const request = await getTenantRequestByOrgId(user.orgId);
- if (!request) {
+ if (!request || request.status === "deleted") {
return NextResponse.json({ state: "no_request" });
}
@@ -88,7 +93,11 @@ export async function GET() {
* POST /api/onboarding
* Submit the onboarding wizard. Creates a tenant_request with status "pending".
* The actual PiecedTenant CR is NOT created yet — admin approval required.
- * Sends a notification email to the admin.
+ *
+ * If packageSecrets are provided (for packages requiring credentials like
+ * Telegram, Discord, Email), they are encrypted with AES-256-GCM and stored
+ * as a BYTEA blob. They are decrypted only during admin approval to write
+ * to OpenBao.
*/
export async function POST(request: Request) {
const user = await getSessionUser();
@@ -97,13 +106,18 @@ export async function POST(request: Request) {
// Check for existing request
const existing = await getTenantRequestByOrgId(user.orgId);
- if (existing) {
+ if (existing && existing.status !== "deleted") {
return NextResponse.json(
{ error: "Onboarding request already submitted.", request: existing },
{ status: 409 }
);
}
+ // If previous request was deleted, remove it so a fresh one can be created
+ if (existing && existing.status === "deleted") {
+ await deleteTenantRequest(existing.id);
+ }
+
// Check for existing tenant
const allTenants = await listTenants();
const myTenant = allTenants.find(
@@ -125,7 +139,21 @@ export async function POST(request: Request) {
);
}
- const input: OnboardingInput = parsed.data;
+ const input: OnboardingInput & { packageSecrets?: Record> } = parsed.data;
+
+ // Encrypt package secrets if provided
+ let encryptedSecrets: Buffer | undefined;
+ if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {
+ try {
+ encryptedSecrets = await encryptSecrets(input.packageSecrets);
+ } catch (e: any) {
+ console.error("Failed to encrypt package secrets:", e);
+ return NextResponse.json(
+ { error: "Failed to secure credentials. Please try again." },
+ { status: 500 }
+ );
+ }
+ }
const tenantRequest = await createTenantRequest({
zitadelOrgId: user.orgId,
@@ -138,6 +166,7 @@ export async function POST(request: Request) {
packages: input.packages ?? [],
billingAddress: input.billingAddress,
billingNotes: input.billingNotes,
+ encryptedSecrets,
});
// Notify admin about the new request
diff --git a/src/app/api/tenants/[name]/secrets/route.ts b/src/app/api/tenants/[name]/secrets/route.ts
index 6b13d98..bc687f5 100644
--- a/src/app/api/tenants/[name]/secrets/route.ts
+++ b/src/app/api/tenants/[name]/secrets/route.ts
@@ -60,7 +60,8 @@ export async function POST(
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}
- await writePackageSecrets(name, packageId, secrets);
+ // Use tenant-{name} to match the operator's vault path convention
+ await writePackageSecrets(`tenant-${name}`, packageId, secrets);
return NextResponse.json({ ok: true });
} catch (e: any) {
console.error("Secret write error:", e.message);
diff --git a/src/components/onboarding/wizard.tsx b/src/components/onboarding/wizard.tsx
index 2441227..775495b 100644
--- a/src/components/onboarding/wizard.tsx
+++ b/src/components/onboarding/wizard.tsx
@@ -1,8 +1,9 @@
"use client";
-import { useState } from "react";
+import { useState, useCallback } from "react";
import { useTranslations } from "next-intl";
import { Card } from "@/components/ui/card";
+import { PACKAGE_CATALOG, type PackageDef } from "@/lib/packages";
type Step = "welcome" | "configure" | "billing" | "confirm";
@@ -19,13 +20,10 @@ You are a helpful AI assistant for {company}. You are professional, concise, and
- Respect privacy and confidentiality
`;
-const AVAILABLE_PACKAGES = [
- "telegram",
- "discord",
- "email",
- "web-search",
- "document-processing",
-];
+const CATEGORIES = [
+ { key: "channel" as const, labelKey: "categories.channels" },
+ { key: "skill" as const, labelKey: "categories.skills" },
+] as const;
interface WizardProps {
orgName: string;
@@ -34,6 +32,7 @@ interface WizardProps {
export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
const t = useTranslations("onboarding");
+ const tPkg = useTranslations("packages");
const tCommon = useTranslations("common");
const [step, setStep] = useState("welcome");
@@ -54,6 +53,15 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
billingNotes: "",
});
+ // Per-package collected secrets: { "telegram": { "bot-token": "123:ABC" }, ... }
+ const [packageSecrets, setPackageSecrets] = useState<
+ Record>
+ >({});
+ // Per-package disclaimer acceptance
+ const [disclaimerAccepted, setDisclaimerAccepted] = useState<
+ Record
+ >({});
+
const stepIndex = STEPS.indexOf(step);
const goNext = () => {
@@ -64,13 +72,52 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
if (stepIndex > 0) setStep(STEPS[stepIndex - 1]);
};
- const togglePackage = (pkg: string) => {
- setConfig((prev) => ({
- ...prev,
- packages: prev.packages.includes(pkg)
- ? prev.packages.filter((p) => p !== pkg)
- : [...prev.packages, pkg],
- }));
+ const togglePackage = useCallback((pkgId: string) => {
+ setConfig((prev) => {
+ const removing = prev.packages.includes(pkgId);
+ if (removing) {
+ setPackageSecrets((s) => {
+ const next = { ...s };
+ delete next[pkgId];
+ return next;
+ });
+ setDisclaimerAccepted((d) => {
+ const next = { ...d };
+ delete next[pkgId];
+ return next;
+ });
+ }
+ return {
+ ...prev,
+ packages: removing
+ ? prev.packages.filter((p) => p !== pkgId)
+ : [...prev.packages, pkgId],
+ };
+ });
+ }, []);
+
+ const updateSecret = useCallback(
+ (pkgId: string, key: string, value: string) => {
+ setPackageSecrets((prev) => ({
+ ...prev,
+ [pkgId]: { ...(prev[pkgId] || {}), [key]: value },
+ }));
+ },
+ []
+ );
+
+ // Validate that all secret-requiring enabled packages have complete credentials
+ const packageCredentialsValid = (): boolean => {
+ for (const pkgId of config.packages) {
+ const def = PACKAGE_CATALOG.find((p) => p.id === pkgId);
+ if (!def?.requiresSecrets) continue;
+ const secrets = packageSecrets[pkgId] || {};
+ for (const field of def.secrets || []) {
+ if (!secrets[field.key]?.trim()) return false;
+ }
+ if (def.disclaimerKey && !disclaimerAccepted[pkgId]) return false;
+ }
+ return true;
};
const handleSubmit = async () => {
@@ -78,10 +125,25 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
setError("");
try {
+ // Build secrets payload — only for packages that require them
+ const secretsPayload: Record> = {};
+ for (const pkgId of config.packages) {
+ const def = PACKAGE_CATALOG.find((p) => p.id === pkgId);
+ if (def?.requiresSecrets && packageSecrets[pkgId]) {
+ secretsPayload[pkgId] = packageSecrets[pkgId];
+ }
+ }
+
const res = await fetch("/api/onboarding", {
method: "POST",
headers: { "Content-Type": "application/json" },
- body: JSON.stringify(config),
+ body: JSON.stringify({
+ ...config,
+ packageSecrets:
+ Object.keys(secretsPayload).length > 0
+ ? secretsPayload
+ : undefined,
+ }),
});
if (!res.ok) {
@@ -212,26 +274,151 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
+ {/* Packages — grouped by category */}
-
- {AVAILABLE_PACKAGES.map((pkg) => (
-
- ))}
-
+
+ {CATEGORIES.map(({ key, labelKey }) => {
+ const packages = PACKAGE_CATALOG.filter(
+ (p) => p.category === key
+ );
+ if (packages.length === 0) return null;
+
+ return (
+
+
+ {tPkg(labelKey)}
+
+
+ {packages.map((pkg) => {
+ const isSelected = config.packages.includes(pkg.id);
+ const secrets = packageSecrets[pkg.id] || {};
+
+ return (
+
+ {/* Toggle row */}
+
+
+ {/* Inline credential inputs — expand when selected + requires secrets */}
+ {isSelected && pkg.requiresSecrets && (
+
+ )}
+
+ );
+ })}
+
+
+ );
+ })}
+
{t("packagesHint")}
@@ -247,7 +434,8 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
@@ -436,9 +624,23 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
)}
+ {config.packages.some((id) =>
+ PACKAGE_CATALOG.find((p) => p.id === id)?.requiresSecrets
+ ) && (
+
+
+ {t("credentialsProvided")}
+
+
+ ✓
+
+
+ )}
{config.billingAddress.company && (
- {t("billingCompany")}
+
+ {t("billingCompany")}
+
{config.billingAddress.company}
@@ -455,9 +657,7 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
)}
-
- {t("confirmNote")}
-
+ {t("confirmNote")}
{error && (
diff --git a/src/components/packages/package-list.tsx b/src/components/packages/package-list.tsx
index ac48f67..efed5ad 100644
--- a/src/components/packages/package-list.tsx
+++ b/src/components/packages/package-list.tsx
@@ -1,40 +1,66 @@
"use client";
+import { useTranslations } from "next-intl";
import { useRouter } from "next/navigation";
import { PACKAGE_CATALOG } from "@/lib/packages";
import { PackageCard } from "./package-card";
-import type { PiecedTenantStatus } from "@/types";
interface Props {
tenantName: string;
enabledPackages: string[];
- conditions?: PiecedTenantStatus["conditions"];
+ conditions?: Array<{ type: string; status: string; reason?: string }>;
+ onRefresh?: () => void;
}
-export function PackageList({ tenantName, enabledPackages, conditions }: Props) {
- const router = useRouter();
+const CATEGORIES = [
+ { key: "channel" as const, labelKey: "categories.channels" },
+ { key: "skill" as const, labelKey: "categories.skills" },
+] as const;
- function getStatus(pkgId: string): "pending" | "active" | "error" | undefined {
- if (!conditions) return enabledPackages.includes(pkgId) ? "pending" : undefined;
- const cond = conditions.find((c) => c.type === `Package/${pkgId}`);
- if (!cond) return enabledPackages.includes(pkgId) ? "pending" : undefined;
- if (cond.status === "True") return "active";
- if (cond.status === "False") return "error";
- return "pending";
- }
+function getPackageStatus(
+ pkgId: string,
+ enabled: boolean,
+ conditions?: Props["conditions"]
+): "pending" | "active" | "error" | undefined {
+ if (!enabled) return undefined;
+ const cond = conditions?.find((c) => c.type === `Package/${pkgId}`);
+ if (!cond) return "pending";
+ if (cond.status === "True") return "active";
+ if (cond.reason === "SecretReady") return "active";
+ return "error";
+}
+
+export function PackageList({ tenantName, enabledPackages, conditions, onRefresh }: Props) {
+ const t = useTranslations("packages");
+ const router = useRouter();
+ const handleRefresh = onRefresh || (() => router.refresh());
return (
-
- {PACKAGE_CATALOG.map((pkg) => (
-
router.refresh()}
- />
- ))}
+
+ {CATEGORIES.map(({ key, labelKey }) => {
+ const packages = PACKAGE_CATALOG.filter((p) => p.category === key);
+ if (packages.length === 0) return null;
+
+ return (
+
+
+ {t(labelKey)}
+
+
+ {packages.map((pkg) => (
+
+ ))}
+
+
+ );
+ })}