Add initial Portal version

src/app/api/tenants/route.ts

@@ -0,0 +1,56 @@
+import { NextResponse } from "next/server";
+import { getSessionUser } from "@/lib/session";
+import { listTenants, getTenant, createTenant } from "@/lib/k8s";
+import type { PiecedTenantSpec } from "@/types";
+
+export async function GET() {
+  const user = await getSessionUser();
+  if (!user)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const tenants = await listTenants();
+
+  if (user.isPlatform) {
+    return NextResponse.json(tenants);
+  }
+
+  // Customers see only their own tenant
+  const own = tenants.filter(
+    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
+  );
+  return NextResponse.json(own);
+}
+
+export async function POST(request: Request) {
+  const user = await getSessionUser();
+  if (!user)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  if (!user.isPlatform && !user.roles.includes("owner")) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const body = (await request.json()) as {
+    name: string;
+    spec: PiecedTenantSpec;
+  };
+
+  if (!/^[a-z0-9][a-z0-9-]*[a-z0-9]$/.test(body.name) || body.name.length > 63) {
+    return NextResponse.json(
+      { error: "Invalid tenant name: lowercase alphanumeric and hyphens, 2-63 chars" },
+      { status: 400 }
+    );
+  }
+
+  const existing = await getTenant(body.name);
+  if (existing) {
+    return NextResponse.json(
+      { error: "Tenant already exists" },
+      { status: 409 }
+    );
+  }
+
+  const tenant = await createTenant(body.name, body.spec, {
+    "pieced.ch/zitadel-org-id": user.orgId,
+  });
+  return NextResponse.json(tenant, { status: 201 });
+}