Add initial Portal version

src/app/api/tenants/[name]/route.ts

@@ -0,0 +1,95 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { getTenant, patchTenantSpec } from "@/lib/k8s";
+
+function isPlatformRole(roles: string[]): boolean {
+  return roles.some((r) =>
+    ["platform_admin", "platform_operator"].includes(r)
+  );
+}
+
+export async function GET(
+  _req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { name } = await params;
+  const { orgId, roles } = session.user as any;
+
+  try {
+    const tenant = await getTenant(name);
+    if (!tenant) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+
+    // Scope check: non-platform users can only see their own org's tenants
+    if (
+      !isPlatformRole(roles || []) &&
+      tenant.metadata?.labels?.["zitadel-org-id"] !== orgId
+    ) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    return NextResponse.json(tenant);
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: "K8s API error", detail: e.message },
+      { status: e.statusCode || 500 }
+    );
+  }
+}
+
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { name } = await params;
+  const { orgId, roles } = session.user as any;
+  const body = await req.json();
+  const userRoles = roles || [];
+
+  // Only owner or platform roles can patch
+  if (!isPlatformRole(userRoles) && !userRoles.includes("owner")) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  try {
+    // Ownership check
+    const existing = await getTenant(name);
+    if (!existing) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+    if (
+      !isPlatformRole(userRoles) &&
+      existing.metadata?.labels?.["zitadel-org-id"] !== orgId
+    ) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    // Build partial spec — only allow specific fields
+    const specPatch: Record<string, any> = {};
+    if (body.packages !== undefined) specPatch.packages = body.packages;
+    if (body.workspaceFiles !== undefined)
+      specPatch.workspaceFiles = body.workspaceFiles;
+    if (body.displayName !== undefined)
+      specPatch.displayName = body.displayName;
+    if (body.agentName !== undefined) specPatch.agentName = body.agentName;
+
+    const updated = await patchTenantSpec(name, specPatch);
+    return NextResponse.json(updated);
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: "Patch failed", detail: e.message },
+      { status: e.statusCode || 500 }
+    );
+  }
+}

src/app/api/tenants/[name]/secrets/route.ts

@@ -0,0 +1,100 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { getTenant } from "@/lib/k8s";
+import { writePackageSecrets } from "@/lib/openbao";
+import { getPackageDef } from "@/lib/packages";
+
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { name } = await params;
+  const { orgId, roles } = session.user as any;
+  const userRoles = roles || [];
+
+  const isPlatform = userRoles.some((r: string) =>
+    ["platform_admin", "platform_operator"].includes(r)
+  );
+
+  if (!isPlatform && !userRoles.includes("owner")) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const body = await req.json();
+  const { packageId, secrets } = body as {
+    packageId: string;
+    secrets: Record<string, string>;
+  };
+
+  if (!packageId || !secrets || typeof secrets !== "object") {
+    return NextResponse.json(
+      { error: "Missing packageId or secrets" },
+      { status: 400 }
+    );
+  }
+
+  // Validate package exists and requires secrets
+  const pkgDef = getPackageDef(packageId);
+  if (!pkgDef) {
+    return NextResponse.json(
+      { error: "Unknown package" },
+      { status: 400 }
+    );
+  }
+  if (!pkgDef.requiresSecrets) {
+    return NextResponse.json(
+      { error: "Package does not require secrets" },
+      { status: 400 }
+    );
+  }
+
+  // Verify all required secret keys are present
+  const requiredKeys = (pkgDef.secrets || []).map((s) => s.key);
+  const missingKeys = requiredKeys.filter((k) => !secrets[k]?.trim());
+  if (missingKeys.length > 0) {
+    return NextResponse.json(
+      { error: `Missing required secrets: ${missingKeys.join(", ")}` },
+      { status: 400 }
+    );
+  }
+
+  // Verify tenant ownership
+  try {
+    const tenant = await getTenant(name);
+    if (!tenant) {
+      return NextResponse.json(
+        { error: "Tenant not found" },
+        { status: 404 }
+      );
+    }
+    if (
+      !isPlatform &&
+      tenant.metadata?.labels?.["zitadel-org-id"] !== orgId
+    ) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: "Tenant lookup failed" },
+      { status: e.statusCode || 500 }
+    );
+  }
+
+  // Write to OpenBao
+  try {
+    await writePackageSecrets(name, packageId, secrets);
+  } catch (err: any) {
+    console.error("OpenBao write error:", err.message);
+    return NextResponse.json(
+      { error: "Failed to store secrets" },
+      { status: 500 }
+    );
+  }
+
+  return NextResponse.json({ ok: true });
+}

src/app/api/tenants/route.ts

@@ -0,0 +1,56 @@
+import { NextResponse } from "next/server";
+import { getSessionUser } from "@/lib/session";
+import { listTenants, getTenant, createTenant } from "@/lib/k8s";
+import type { PiecedTenantSpec } from "@/types";
+
+export async function GET() {
+  const user = await getSessionUser();
+  if (!user)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const tenants = await listTenants();
+
+  if (user.isPlatform) {
+    return NextResponse.json(tenants);
+  }
+
+  // Customers see only their own tenant
+  const own = tenants.filter(
+    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
+  );
+  return NextResponse.json(own);
+}
+
+export async function POST(request: Request) {
+  const user = await getSessionUser();
+  if (!user)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  if (!user.isPlatform && !user.roles.includes("owner")) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const body = (await request.json()) as {
+    name: string;
+    spec: PiecedTenantSpec;
+  };
+
+  if (!/^[a-z0-9][a-z0-9-]*[a-z0-9]$/.test(body.name) || body.name.length > 63) {
+    return NextResponse.json(
+      { error: "Invalid tenant name: lowercase alphanumeric and hyphens, 2-63 chars" },
+      { status: 400 }
+    );
+  }
+
+  const existing = await getTenant(body.name);
+  if (existing) {
+    return NextResponse.json(
+      { error: "Tenant already exists" },
+      { status: 409 }
+    );
+  }
+
+  const tenant = await createTenant(body.name, body.spec, {
+    "pieced.ch/zitadel-org-id": user.orgId,
+  });
+  return NextResponse.json(tenant, { status: 201 });
+}