Group B fixes

src/app/api/admin/requests/[id]/approve/route.ts

@@ -123,6 +123,15 @@ export async function POST(
       },
       {
         "pieced.ch/zitadel-org-id": tenantRequest.zitadelOrgId,
+        // Bug 7: stamp the personal flag on the CR so callers (notably
+        // the tenant detail page) can hide assignment-related UI
+        // without an extra DB join. Slice 4 already tracks this on the
+        // request row; the CR label is the same fact at the K8s layer.
+        // Legacy tenants approved before this change won't carry the
+        // label — operators can backfill with `kubectl label`.
+        ...(tenantRequest.isPersonal
+          ? { "pieced.ch/personal": "true" }
+          : {}),
       }
     );
 

src/app/api/onboarding/route.ts

@@ -217,6 +217,31 @@ export async function POST(request: Request) {
   // the org-name check should agree.)
   const isPersonal = prior?.isPersonal ?? isPersonalOrgName(user.orgName);
 
+  // Bug 5: personal accounts are 1-instance by design. If there's
+  // already an active tenant or an in-flight request for this user's
+  // org, reject the submission outright. Server-side only check;
+  // matching UI guards live on /dashboard (button hidden) and
+  // /dashboard/new (server-redirect to /dashboard).
+  if (isPersonal) {
+    const [allTenants, activeRequests] = await Promise.all([
+      listTenants(),
+      listActiveTenantRequestsByOrgId(user.orgId),
+    ]);
+    const ownTenants = allTenants.filter(
+      (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
+    );
+    if (ownTenants.length > 0 || activeRequests.length > 0) {
+      return NextResponse.json(
+        {
+          error:
+            "Personal accounts are limited to one instance. Cancel your existing request or contact support to change plan.",
+          code: "personal_account_at_capacity",
+        },
+        { status: 403 }
+      );
+    }
+  }
+
   // Encrypt package secrets if provided
   let encryptedSecrets: Buffer | undefined;
   if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {

src/app/api/register/route.ts

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { registerCustomer } from "@/lib/zitadel";
 import { rateLimit } from "@/lib/rate-limit";
 import { checkDuplicateDomain } from "@/lib/db";
+import { generatePersonalOrgName } from "@/lib/personal-org";
 import type { RegistrationInput } from "@/types";
 import { z } from "zod";
 
@@ -13,11 +14,10 @@ import { z } from "zod";
  * - `companyName` is no longer always required. It's required when
  *   `isPersonal` is false/absent, ignored when `isPersonal` is true.
  * - `isPersonal` flag distinguishes personal accounts. The server
- *   derives the ZITADEL org name from `${givenName} ${familyName}
- *   (Personal)` for personals — the suffix is the canonical marker
- *   that downstream code (onboarding POST, admin views) uses to
- *   distinguish personal orgs from companies. Customers cannot rename
- *   their own org, so the suffix is stable.
+ *   derives the ZITADEL org name from a generated opaque ID
+ *   (`personal-{8hex}`) — see `lib/personal-org.ts` for the format
+ *   spec. Customers cannot rename their own org, so the marker is
+ *   stable.
  * - Personal accounts skip the duplicate-domain check entirely. Their
  *   row is also excluded from future domain checks (see
  *   `lib/domain-check.ts::findDuplicateInDb`).
@@ -44,15 +44,6 @@ const registrationSchema = z
 const RATE_LIMIT = 3;
 const RATE_WINDOW_MS = 3_600_000; // 1 hour
 
-/**
- * Suffix appended to personal-account ZITADEL org names. Used here to
- * build the org name and elsewhere (session.orgName check) to detect
- * whether the current user is on a personal org.
- *
- * Keep this in sync with `isPersonalOrgName()` in `lib/personal-org.ts`.
- */
-const PERSONAL_ORG_SUFFIX = " (Personal)";
-
 export async function POST(request: NextRequest) {
   // --- Rate limiting ---
   const ip =
@@ -116,14 +107,13 @@ export async function POST(request: NextRequest) {
     //
     // For company: use the customer-supplied companyName (already
     //   validated to be present + ≥2 chars by the schema refinement).
-    // For personal: synthesise from full name + " (Personal)" suffix.
-    //   The suffix is the canonical marker for personal orgs.
-    //
-    // ZITADEL does NOT enforce org-name uniqueness, so two "Hans Müller
-    // (Personal)" orgs can coexist; the org id is what matters for our
-    // labelling and lookups, the name is human-readable only.
+    // For personal: a fresh opaque ID like "personal-3f2a8b1c". The
+    //   user's actual display name is per-user (`session.user.name`),
+    //   so the GUI shows that instead — see `displayOrgNameFor()`.
+    //   This keeps personal orgs collision-free (Bug 9: two people
+    //   named "Eva Müller" both being able to register).
     const orgName = isPersonal
-      ? `${input.givenName.trim()} ${input.familyName.trim()}${PERSONAL_ORG_SUFFIX}`
+      ? generatePersonalOrgName()
       : input.companyName!.trim();
 
     const result = await registerCustomer({

src/app/api/team/[userId]/role/route.ts

@@ -53,6 +53,12 @@ export async function PATCH(
   if (!isCustomerOwner(user)) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
+  if (user.isPersonal) {
+    return NextResponse.json(
+      { error: "Personal accounts have no team roles to change." },
+      { status: 403 }
+    );
+  }
 
   const { userId } = await params;
 

src/app/api/team/invite/route.ts

@@ -35,6 +35,16 @@ export async function POST(req: Request) {
   if (!canMutate(user)) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
+  if (user.isPersonal) {
+    return NextResponse.json(
+      {
+        error:
+          "Personal accounts cannot invite additional members. Upgrade to a company account to add a team.",
+        code: "personal_account",
+      },
+      { status: 403 }
+    );
+  }
 
   const body = await req.json().catch(() => null);
   const parsed = inviteSchema.safeParse(body);

src/app/api/team/route.ts

@@ -24,6 +24,12 @@ export async function GET() {
   if (!canMutate(user)) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
+  if (user.isPersonal) {
+    return NextResponse.json(
+      { error: "Personal accounts do not have a team." },
+      { status: 403 }
+    );
+  }
 
   try {
     const members = await getOrgMembers(user.orgId);

src/app/api/tenants/[name]/assignments/route.ts

@@ -128,6 +128,23 @@ export async function POST(
       { status: 500 }
     );
   }
+  // Bug 7 server-side counterpart: personal tenants are sole-owner
+  // by definition. Reject any assignment attempt — this matches the
+  // hidden panel on the detail page and stops a determined client
+  // (or platform user with a legacy unlabeled personal tenant) from
+  // creating spurious rows.
+  if (
+    tenant.metadata.labels?.["pieced.ch/personal"] === "true" ||
+    (!user.isPlatform && user.isPersonal)
+  ) {
+    return NextResponse.json(
+      {
+        error: "Personal tenants do not support additional assignments.",
+        code: "personal_tenant",
+      },
+      { status: 403 }
+    );
+  }
 
   const body = await req.json().catch(() => null);
   const parsed = assignSchema.safeParse(body);