Suspendedremoval

src/app/[locale]/dashboard/edit/[id]/page.tsx

@@ -0,0 +1,87 @@
+import { getSessionUser, canMutate } from "@/lib/session";
+import { redirect } from "next/navigation";
+import { getTranslations } from "next-intl/server";
+import { getTenantRequestById } from "@/lib/db";
+import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
+import { BackLink } from "@/components/ui/back-link";
+
+/**
+ * /dashboard/edit/[id] — re-opens the onboarding wizard with the
+ * fields of a still-pending request pre-filled (Bug 6). On submit,
+ * the wizard PATCHes /api/onboarding/[id] instead of POSTing to
+ * /api/onboarding.
+ *
+ * Hard guards
+ * -----------
+ * - Logged-in customer owner (or platform user) only — same as the
+ *   /dashboard/new page.
+ * - Request must exist, belong to the caller's org, and be in 'pending'
+ *   status. Editing approved/provisioning rows would race against the
+ *   operator; we redirect such cases back to the dashboard rather than
+ *   render an invalid wizard.
+ *
+ * Pre-fill
+ * --------
+ * The wizard takes a single `editingRequest` prop — when present, it
+ * (a) pre-populates state from those values and (b) targets the PATCH
+ * endpoint on submit. When absent, it behaves exactly as today (POST
+ * to /api/onboarding).
+ *
+ * Note on encrypted secrets
+ * -------------------------
+ * Per-package secrets are NEVER decrypted server-side and exposed to
+ * the client (would be a clear security regression). When editing,
+ * the wizard opens with empty secret fields and the user re-enters
+ * any they want to change. If they don't touch the package-secrets
+ * UI, the existing encrypted blob in the DB is preserved by the
+ * PATCH endpoint (it only re-encrypts when the wizard sends a
+ * non-empty secrets payload).
+ */
+export default async function EditRequestPage({
+  params,
+}: {
+  params: Promise<{ id: string; locale: string }>;
+}) {
+  const { id } = await params;
+  const user = await getSessionUser();
+  if (!user) redirect("/login");
+  if (user.isPlatform) redirect("/dashboard");
+  if (!canMutate(user)) redirect("/dashboard");
+
+  const tr = await getTenantRequestById(id);
+  if (!tr) redirect("/dashboard");
+  if (tr.zitadelOrgId !== user.orgId) redirect("/dashboard");
+  if (tr.status !== "pending") redirect("/dashboard");
+
+  const t = await getTranslations("dashboard");
+  const tOnboarding = await getTranslations("onboarding");
+
+  return (
+    <div className="container max-w-3xl mx-auto px-4 py-8">
+      <div className="mb-8 animate-in">
+        <BackLink href="/dashboard" label={t("title")} />
+        <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
+          {tOnboarding("editRequestTitle")}
+        </h1>
+        <p className="text-sm text-text-secondary">
+          {tOnboarding("editRequestDescription")}
+        </p>
+      </div>
+      <OnboardingFlow
+        orgName={user.orgName}
+        userName={user.name}
+        userEmail={user.email}
+        editingRequest={{
+          id: tr.id,
+          instanceName: tr.instanceName ?? "",
+          agentName: tr.agentName,
+          soulMd: tr.soulMd ?? "",
+          agentsMd: tr.agentsMd ?? "",
+          packages: tr.packages,
+          billingAddress: tr.billingAddress,
+          billingNotes: tr.billingNotes ?? "",
+        }}
+      />
+    </div>
+  );
+}

src/app/[locale]/dashboard/new/page.tsx

@@ -3,6 +3,9 @@ import { getTranslations } from "next-intl/server";
 import { redirect } from "next/navigation";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
 import { BackLink } from "@/components/ui/back-link";
+import { listTenants } from "@/lib/k8s";
+import { listActiveTenantRequestsByOrgId } from "@/lib/db";
+import { personalAccountAtCapacity } from "@/lib/personal-org";
 
 /**
  * /dashboard/new — wizard for creating an additional instance for an
@@ -21,6 +24,10 @@ import { BackLink } from "@/components/ui/back-link";
  * may create new instances. The server-side POST handler enforces the
  * same; this redirect is purely UX so /user-role members don't land on
  * a wizard that will 403 on submit.
+ *
+ * Bug 5: personal accounts that already hold a tenant or have one
+ * in-flight are sent back to the dashboard with the same UX rationale.
+ * Matching API guard lives in `/api/onboarding`.
  */
 export default async function NewInstancePage() {
   const user = await getSessionUser();
@@ -28,6 +35,25 @@ export default async function NewInstancePage() {
   if (user.isPlatform) redirect("/dashboard");
   if (!canMutate(user)) redirect("/dashboard");
 
+  if (user.isPersonal) {
+    const [allTenants, activeRequests] = await Promise.all([
+      listTenants(),
+      listActiveTenantRequestsByOrgId(user.orgId),
+    ]);
+    const ownTenants = allTenants.filter(
+      (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
+    );
+    if (
+      personalAccountAtCapacity(
+        user.isPersonal,
+        ownTenants.length,
+        activeRequests.length
+      )
+    ) {
+      redirect("/dashboard");
+    }
+  }
+
   const t = await getTranslations("dashboard");
 
   return (
@@ -43,7 +69,11 @@ export default async function NewInstancePage() {
       </div>
 
       <div className="animate-in animate-in-delay-1">
-        <OnboardingFlow orgName={user.orgName} />
+        <OnboardingFlow
+          orgName={user.orgName}
+          userName={user.name}
+          userEmail={user.email}
+        />
       </div>
     </div>
   );

src/app/[locale]/dashboard/page.tsx

@@ -8,8 +8,10 @@ import {
   canSeeInflightRequests,
   isUserScoped,
 } from "@/lib/visibility";
+import { personalAccountAtCapacity } from "@/lib/personal-org";
 import { Card, CardHeader } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
+import { WarningBadge } from "@/components/ui/warning-badge";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
 import { ProvisioningStatus } from "@/components/onboarding/provisioning-status";
 import { formatDateTime } from "@/lib/format";
@@ -172,14 +174,33 @@ export default async function DashboardPage() {
     (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
   );
   const inflightRequests = orgRequests.filter(
-    (r) => !r.tenantName || !orgScopedTenants.some((t) => t.metadata.name === r.tenantName)
+    (r) =>
+      // Only show provision (initial creation) requests on the
+      // dashboard. Resume requests (Bug 37a) belong with their
+      // specific tenant — the SubscriptionToggle on the tenant
+      // detail page renders the pending state there. Showing them
+      // on the dashboard too would duplicate the surface and
+      // confuse customers about which tenant they refer to.
+      r.requestType !== "resume" &&
+      (!r.tenantName ||
+        !orgScopedTenants.some((t) => t.metadata.name === r.tenantName))
   );
 
   // Slice 5: only owners (and platform users, who'd typically be using
   // the admin panel anyway) see the "Create new instance" link. A
   // `user`-role member sees the dashboard but not the create flow —
   // they need to ask an owner.
-  const canCreate = canMutate(user);
+  //
+  // Bug 5: personal accounts are 1-instance by design. Once a personal
+  // account has either an active tenant OR an in-flight request, the
+  // create button must disappear. The matching server-side guard is
+  // in `/api/onboarding` so direct POSTs are also rejected.
+  const personalAtCapacity = personalAccountAtCapacity(
+    user.isPersonal,
+    orgScopedTenants.length,
+    inflightRequests.length
+  );
+  const canCreate = canMutate(user) && !personalAtCapacity;
 
   // First-time / no-visibility branch.
   //
@@ -262,7 +283,11 @@ export default async function DashboardPage() {
         </div>
 
         <div className="animate-in animate-in-delay-1">
-          <OnboardingFlow orgName={user.orgName} />
+          <OnboardingFlow
+            orgName={user.orgName}
+            userName={user.name}
+            userEmail={user.email}
+          />
         </div>
       </div>
     );
@@ -300,7 +325,11 @@ export default async function DashboardPage() {
           </h2>
           <div className="space-y-3">
             {inflightRequests.map((r) => (
-              <ProvisioningStatus key={r.id} requestId={r.id} />
+              <ProvisioningStatus
+                key={r.id}
+                requestId={r.id}
+                canAct={canMutate(user)}
+              />
             ))}
           </div>
         </div>
@@ -329,7 +358,10 @@ export default async function DashboardPage() {
                         {tenant.metadata.name}
                       </div>
                     </div>
-                    <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+                    <div className="flex items-center gap-2 shrink-0">
+                      <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+                      <WarningBadge warnings={tenant.status?.warnings ?? []} />
+                    </div>
                   </div>
 
                   {tenant.spec.agentName && (

src/app/[locale]/register/page.tsx

@@ -6,42 +6,66 @@ import { useRouter } from "next/navigation";
 import { Card } from "@/components/ui/card";
 
 type FormState = "idle" | "submitting" | "success" | "error";
+type AccountType = "personal" | "company";
 
 /**
- * Slice 4: a "Register as individual" toggle distinguishes personal
+ * Registration entry — Bug 1 redesign.
- * accounts from company registrations. When the toggle is on:
+ *
- *   - the company name field is hidden (and not sent)
+ * Previously a hidden checkbox ("Register as an individual") sat on top
- *   - the server skips the duplicate-domain check
+ * of the company-flavoured form, which buried personal accounts under a
- *   - the ZITADEL org is named "{givenName} {familyName} (Personal)"
+ * single click that most users miss. The new layout puts a primary
+ * account-type chooser at the top: two large cards, one for Personal,
+ * one for Company. Selection is required before the form below
+ * appears, so the rest of the layout adapts cleanly without a
+ * collapsing-checkbox feel.
+ *
+ * Bug 12: per-field validation runs on submit. The native HTML required
+ * attribute already blocks empty submits at the browser level; the
+ * server-side Zod schema in `/api/register` is the authoritative
+ * second line of defence.
+ *
+ * Behaviour:
+ *   - "Personal account": company-name field is hidden; on submit, the
+ *     server generates an opaque `personal-{8hex}` org name (Bug 9).
+ *   - "Company account": company-name field is required; the server
+ *     additionally runs the duplicate-domain check.
+ *   - Returning users (those who arrive here by accident) can switch
+ *     types after picking — the choice cards stay clickable above the
+ *     form. Field state is preserved across switches so they don't
+ *     have to re-type their name.
  */
 export default function RegisterPage() {
   const t = useTranslations("register");
   const tCommon = useTranslations("common");
   const router = useRouter();
 
+  const [accountType, setAccountType] = useState<AccountType | null>(null);
+
   const [form, setForm] = useState({
     companyName: "",
     givenName: "",
     familyName: "",
     email: "",
   });
-  const [isPersonal, setIsPersonal] = useState(false);
   const [state, setState] = useState<FormState>("idle");
   const [error, setError] = useState("");
 
+  const isPersonal = accountType === "personal";
+
   const handleChange = (e: React.ChangeEvent<HTMLInputElement>) => {
     setForm((prev) => ({ ...prev, [e.target.name]: e.target.value }));
   };
 
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault();
+    if (!accountType) return; // Should be impossible — submit button is gated
     setError("");
     setState("submitting");
 
     try {
       // Build the request body explicitly. For personals we omit
-      // companyName so the server knows to derive the org name from
+      // companyName so the server generates an opaque ZITADEL org name
-      // the user's full name. The Zod schema accepts the omission.
+      // (`personal-{8hex}`); the Zod schema accepts the omission.
       const body: Record<string, unknown> = {
         givenName: form.givenName,
         familyName: form.familyName,
@@ -60,9 +84,6 @@ export default function RegisterPage() {
 
       if (!res.ok) {
         const data = await res.json();
-        // Localize known structured codes; fall back to server-supplied
-        // English message for everything else (validation, ZITADEL errors,
-        // generic 500s).
         if (data.code === "duplicate_domain" && data.domain) {
           throw new Error(t("duplicateDomain", { domain: data.domain }));
         }
@@ -118,120 +139,212 @@ export default function RegisterPage() {
           <p className="text-sm text-text-secondary">{t("subtitle")}</p>
         </div>
 
-        <Card className="animate-in animate-in-delay-1">
+        {/* Account type chooser — required first step */}
-          <form onSubmit={handleSubmit} className="space-y-4">
+        <div
-            {/* Personal-account toggle */}
+          role="radiogroup"
-            <label className="flex items-start gap-3 cursor-pointer select-none p-3 rounded-lg border border-border bg-surface-2 hover:border-accent/40 transition-colors">
+          aria-label={t("accountTypeLabel")}
-              <input
+          className="grid grid-cols-2 gap-3 mb-6 animate-in animate-in-delay-1"
-                type="checkbox"
+        >
-                checked={isPersonal}
+          <AccountTypeCard
-                onChange={(e) => setIsPersonal(e.target.checked)}
+            selected={accountType === "personal"}
-                className="mt-0.5 h-4 w-4 rounded border-border bg-surface-1 text-accent focus:ring-1 focus:ring-accent focus:ring-offset-0"
+            onClick={() => setAccountType("personal")}
-              />
+            label={t("personalCardTitle")}
-              <div className="flex-1 min-w-0">
+            description={t("personalCardDescription")}
-                <div className="text-sm font-medium text-text-primary">
+            icon={
-                  {t("individualToggle")}
+              <svg
+                className="h-5 w-5"
+                fill="none"
+                viewBox="0 0 24 24"
+                stroke="currentColor"
+                strokeWidth={1.5}
+                aria-hidden="true"
+              >
+                <path
+                  strokeLinecap="round"
+                  strokeLinejoin="round"
+                  d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z"
+                />
+              </svg>
+            }
+          />
+          <AccountTypeCard
+            selected={accountType === "company"}
+            onClick={() => setAccountType("company")}
+            label={t("companyCardTitle")}
+            description={t("companyCardDescription")}
+            icon={
+              <svg
+                className="h-5 w-5"
+                fill="none"
+                viewBox="0 0 24 24"
+                stroke="currentColor"
+                strokeWidth={1.5}
+                aria-hidden="true"
+              >
+                <path
+                  strokeLinecap="round"
+                  strokeLinejoin="round"
+                  d="M3 21V7l9-4 9 4v14M9 21V11h6v10M5 21h14"
+                />
+              </svg>
+            }
+          />
+        </div>
+
+        {/* Form — only shown after a choice is made. Animation
+            delay-2 lines up with the cards animating in first, so
+            the form feels like it appears in response to selection. */}
+        {accountType && (
+          <Card className="animate-in animate-in-delay-2">
+            <form onSubmit={handleSubmit} className="space-y-4" noValidate>
+              {/* Company name — only for company accounts (Bug 2 mirror) */}
+              {!isPersonal && (
+                <div>
+                  <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                    {t("companyName")}
+                  </label>
+                  <input
+                    name="companyName"
+                    type="text"
+                    required
+                    value={form.companyName}
+                    onChange={handleChange}
+                    placeholder={t("companyNamePlaceholder")}
+                    className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                  />
                 </div>
-                <div className="text-xs text-text-muted mt-0.5">
+              )}
-                  {t("individualHint")}
+
+              {/* Name row */}
+              <div className="grid grid-cols-2 gap-3">
+                <div>
+                  <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                    {t("givenName")}
+                  </label>
+                  <input
+                    name="givenName"
+                    type="text"
+                    required
+                    value={form.givenName}
+                    onChange={handleChange}
+                    className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                  />
+                </div>
+                <div>
+                  <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                    {t("familyName")}
+                  </label>
+                  <input
+                    name="familyName"
+                    type="text"
+                    required
+                    value={form.familyName}
+                    onChange={handleChange}
+                    className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                  />
                 </div>
               </div>
-            </label>
 
-            {/* Company name — hidden for personal */}
+              {/* Email */}
-            {!isPersonal && (
               <div>
                 <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                  {t("companyName")}
+                  {t("email")}
                 </label>
                 <input
-                  name="companyName"
+                  name="email"
-                  type="text"
+                  type="email"
                   required
-                  value={form.companyName}
+                  value={form.email}
                   onChange={handleChange}
-                  placeholder={t("companyNamePlaceholder")}
+                  placeholder={isPersonal ? "you@example.ch" : "you@company.ch"}
                   className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
                 />
               </div>
-            )}
 
-            {/* Name row */}
+              {error && (
-            <div className="grid grid-cols-2 gap-3">
+                <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2">
-              <div>
+                  {error}
-                <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                </div>
-                  {t("givenName")}
+              )}
-                </label>
-                <input
-                  name="givenName"
-                  type="text"
-                  required
-                  value={form.givenName}
-                  onChange={handleChange}
-                  className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
-                />
-              </div>
-              <div>
-                <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                  {t("familyName")}
-                </label>
-                <input
-                  name="familyName"
-                  type="text"
-                  required
-                  value={form.familyName}
-                  onChange={handleChange}
-                  className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
-                />
-              </div>
-            </div>
 
-            {/* Email */}
+              <button
-            <div>
+                type="submit"
-              <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                disabled={state === "submitting"}
-                {t("email")}
+                className="w-full py-2.5 px-4 bg-accent text-white text-sm font-medium rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
-              </label>
+              >
-              <input
+                {state === "submitting" ? tCommon("loading") : t("submit")}
-                name="email"
+              </button>
-                type="email"
+            </form>
-                required
-                value={form.email}
-                onChange={handleChange}
-                placeholder={isPersonal ? "you@example.ch" : "you@company.ch"}
-                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
-              />
-            </div>
 
-            {error && (
+            <p className="text-xs text-text-muted text-center mt-4">
-              <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2">
+              {t("hasAccount")}{" "}
-                {error}
+              <a
-              </div>
+                href="/login"
-            )}
+                className="text-accent hover:text-accent-dim transition-colors"
+              >
+                {tCommon("login")}
+              </a>
+            </p>
+          </Card>
+        )}
 
-            <button
+        <p className="text-xs text-text-muted text-center mt-6 animate-in animate-in-delay-3">
-              type="submit"
-              disabled={state === "submitting"}
-              className="w-full py-2.5 px-4 bg-accent text-white text-sm font-medium rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
-            >
-              {state === "submitting" ? tCommon("loading") : t("submit")}
-            </button>
-          </form>
-
-          <p className="text-xs text-text-muted text-center mt-4">
-            {t("hasAccount")}{" "}
-            <a
-              href="/login"
-              className="text-accent hover:text-accent-dim transition-colors"
-            >
-              {tCommon("login")}
-            </a>
-          </p>
-        </Card>
-
-        <p className="text-xs text-text-muted text-center mt-6 animate-in animate-in-delay-2">
           {t("footer")}
         </p>
       </div>
     </div>
   );
 }
+
+/**
+ * Account-type radio card. Visually a card, semantically a radio: arrow
+ * keys move between cards, Space/Enter selects.
+ *
+ * Selected state is rendered with the accent ring + tinted background;
+ * unselected is the standard surface-2 with hover affordance. The icon
+ * and text colours intensify when selected to give a clear "this one
+ * is on" signal beyond just the border colour.
+ */
+function AccountTypeCard({
+  selected,
+  onClick,
+  label,
+  description,
+  icon,
+}: {
+  selected: boolean;
+  onClick: () => void;
+  label: string;
+  description: string;
+  icon: React.ReactNode;
+}) {
+  return (
+    <button
+      type="button"
+      role="radio"
+      aria-checked={selected}
+      onClick={onClick}
+      className={`text-left rounded-xl border p-4 transition-colors cursor-pointer focus:outline-none focus:ring-2 focus:ring-accent/40 ${
+        selected
+          ? "border-accent bg-accent/10"
+          : "border-border bg-surface-2 hover:border-accent/40 hover:bg-surface-3/30"
+      }`}
+    >
+      <div
+        className={`mb-2 ${
+          selected ? "text-accent" : "text-text-muted"
+        }`}
+      >
+        {icon}
+      </div>
+      <div
+        className={`text-sm font-semibold mb-0.5 ${
+          selected ? "text-text-primary" : "text-text-primary"
+        }`}
+      >
+        {label}
+      </div>
+      <div className="text-xs text-text-muted leading-snug">{description}</div>
+    </button>
+  );
+}

src/app/[locale]/team/page.tsx

@@ -21,6 +21,12 @@ export default async function TeamPage() {
   const user = await getSessionUser();
   if (!user) redirect("/login");
   if (!canMutate(user)) redirect("/dashboard");
+  // Bug 8: personal accounts have no team to manage. The page is
+  // structurally meaningless and the invite form would create extra
+  // ZITADEL users in a single-user org. Redirect cleanly. The matching
+  // API guards in `/api/team` and `/api/team/invite` enforce the same
+  // rule on direct calls.
+  if (user.isPersonal) redirect("/dashboard");
 
   const t = await getTranslations("team");
   const tDashboard = await getTranslations("dashboard");

src/app/[locale]/tenants/[name]/page.tsx

@@ -3,12 +3,15 @@ import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect, notFound } from "next/navigation";
 import { getTenant } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
+import { getPendingResumeRequestForTenant } from "@/lib/db";
 import { StatusBadge } from "@/components/ui/status-badge";
+import { WarningBadge } from "@/components/ui/warning-badge";
 import { UsageDisplay } from "@/components/dashboard/usage-display";
 import { PackageList } from "@/components/packages/package-list";
 import { WorkspaceEditor } from "@/components/packages/workspace-editor";
 import { ChannelUsers } from "@/components/channel-users/channel-users";
 import { AssignedUsersPanel } from "@/components/tenants/assigned-users-panel";
+import { SubscriptionToggle } from "@/components/tenants/subscription-toggle";
 import { formatDateTime, formatRelative } from "@/lib/format";
 
 const CHANNEL_PACKAGES = ["telegram", "discord", "email"];
@@ -40,6 +43,31 @@ export default async function TenantDetailPage({
   // the same page but with edit controls hidden / fields read-only.
   const canEdit = canMutate(user);
 
+  // Bug 31: customer-side cancel/resume control. Same gate as canEdit
+  // — only owners (or platform staff) may toggle the subscription.
+  // The current state comes from spec.suspend on the CR.
+  const isSuspended = Boolean(tenant.spec.suspend);
+
+  // Bug 37a: when the tenant is suspended, an owner can request
+  // reactivation (admin-gated). Look up whether one is in flight so
+  // the SubscriptionToggle can render the right state.
+  const pendingResumeRequest = isSuspended
+    ? await getPendingResumeRequestForTenant(name)
+    : null;
+
+  // Bug 7: assigned-users panel is meaningless for personal tenants
+  // (sole-owner by definition; the only "assignee" is the owner
+  // themselves). We hide the panel when EITHER the CR carries the
+  // `pieced.ch/personal=true` label (set at approve time for new
+  // personal tenants) OR the viewer is on a personal account (covers
+  // legacy tenants approved before the label was added; the customer
+  // sees their own personal tenant). Platform admins viewing a legacy
+  // unlabeled personal tenant are the only case where this falls
+  // through to "show panel" — operators can `kubectl label` to fix.
+  const isPersonalTenant =
+    tenant.metadata.labels?.["pieced.ch/personal"] === "true" ||
+    user.isPersonal;
+
   const enabledPackages = tenant.spec.packages || [];
   const workspaceFiles = tenant.spec.workspaceFiles || {};
   const enabledChannels = enabledPackages.filter((pkg) =>
@@ -47,18 +75,12 @@ export default async function TenantDetailPage({
   );
   const channelUsers = tenant.spec.channelUsers || {};
 
-  // Admins inspecting another tenant's usage: pass teamId AND keyAlias so
+  // Bug 19 fix: every viewer (customer or admin) passes the tenant
-  // the backend filters spend logs by this specific tenant's virtual key.
+  // name to UsageDisplay. The /api/usage route resolves team+alias
-  // Without keyAlias the response would include sibling tenants in the
+  // from the tenant CR's status and applies the visibility check, so
-  // same org, since teams are now shared (Slice 2).
+  // no per-role branching is needed here. Previous version only
-  // Customers viewing their own: pass nothing — backend resolves both
+  // passed identifiers for platform admins; customers got "the first
-  // from the session-bound tenant.
+  // visible tenant" by API fallback, mingling siblings.
-  const usageTeamId = user.isPlatform
-    ? tenant.status?.litellmTeamId || undefined
-    : undefined;
-  const usageKeyAlias = user.isPlatform
-    ? tenant.status?.litellmKeyAlias || undefined
-    : undefined;
 
   return (
     <div>
@@ -69,6 +91,7 @@ export default async function TenantDetailPage({
             {tenant.spec.displayName || name}
           </h1>
           <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+          <WarningBadge warnings={tenant.status?.warnings ?? []} />
         </div>
         {tenant.spec.agentName && (
           <p className="text-sm text-text-secondary mt-3">
@@ -89,12 +112,47 @@ export default async function TenantDetailPage({
         )}
       </div>
 
+      {/* Bug 31: prominent banner when the subscription is cancelled.
+          Sits between header and content so it's the first thing the
+          owner sees. Says clearly what state means, and that data is
+          preserved. The Resume action lives in the SubscriptionToggle
+          at the bottom — duplicating it here would clutter the banner
+          for the much-more-common active case. */}
+      {isSuspended && (
+        <div className="mb-8 animate-in animate-in-delay-1 bg-amber-500/10 border border-amber-500/30 rounded-xl p-4">
+          <div className="flex items-start gap-3">
+            <svg
+              className="h-5 w-5 text-amber-400 shrink-0 mt-0.5"
+              fill="none"
+              viewBox="0 0 24 24"
+              stroke="currentColor"
+              strokeWidth={1.5}
+              aria-hidden="true"
+            >
+              <path
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                d="M12 9v3.75m9-.75a9 9 0 11-18 0 9 9 0 0118 0zM12 15.75h.008v.008H12v-.008z"
+              />
+            </svg>
+            <div className="min-w-0">
+              <div className="text-sm font-semibold text-amber-300">
+                {t("suspendedTitle")}
+              </div>
+              <div className="text-xs text-text-secondary mt-1">
+                {t("suspendedDescription")}
+              </div>
+            </div>
+          </div>
+        </div>
+      )}
+
       {/* Usage */}
       <section className="mb-8 animate-in animate-in-delay-1">
         <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
           {t("usage")}
         </h2>
-        <UsageDisplay teamId={usageTeamId} keyAlias={usageKeyAlias} />
+        <UsageDisplay tenant={name} />
       </section>
 
       {/* Packages */}
@@ -132,13 +190,47 @@ export default async function TenantDetailPage({
 
       {/* Slice 7: Assigned users — visible to anyone who can see the
           tenant, editable only by owners/platform users. The component
-          fetches its own data so the page doesn't need to await. */}
+          fetches its own data so the page doesn't need to await.
-      <section className="mt-8 animate-in animate-in-delay-4">
+          Bug 7: hidden entirely for personal tenants. */}
-        <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
+      {!isPersonalTenant && (
-          {t("assignedUsers")}
+        <section className="mt-8 animate-in animate-in-delay-4">
-        </h2>
+          <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
-        <AssignedUsersPanel tenantName={name} canEdit={canEdit} />
+            {t("assignedUsers")}
-      </section>
+          </h2>
+          <AssignedUsersPanel tenantName={name} canEdit={canEdit} />
+        </section>
+      )}
+
+      {/* Bug 31: subscription cancel/resume — owners + platform staff
+          only. Lives at the bottom of the page (rather than near the
+          status badge) to add deliberate friction; mis-clicking
+          "Cancel subscription" from the top would be too easy. The
+          control itself opens a confirmation modal before sending. */}
+      {canEdit && (
+        <section className="mt-12 pt-8 border-t border-border animate-in animate-in-delay-4">
+          <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
+            {t("subscriptionTitle")}
+          </h2>
+          <p className="text-sm text-text-secondary mb-4">
+            {isSuspended
+              ? t("subscriptionDescriptionSuspended")
+              : t("subscriptionDescriptionActive")}
+          </p>
+          <SubscriptionToggle
+            tenantName={name}
+            suspended={isSuspended}
+            isPlatform={user.isPlatform}
+            pendingResumeRequest={
+              pendingResumeRequest
+                ? {
+                    id: pendingResumeRequest.id,
+                    createdAt: pendingResumeRequest.createdAt,
+                  }
+                : null
+            }
+          />
+        </section>
+      )}
     </div>
   );
 }

src/app/api/admin/requests/[id]/approve/route.ts

@@ -5,7 +5,7 @@ import {
   updateTenantRequestStatus,
   clearEncryptedSecrets,
 } from "@/lib/db";
-import { createTenant } from "@/lib/k8s";
+import { createTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
 import { sendApprovalEmail } from "@/lib/email";
 import { decryptSecrets } from "@/lib/crypto";
 import { writePackageSecrets } from "@/lib/openbao";
@@ -19,14 +19,26 @@ import { safeError } from "@/lib/errors";
 
 /**
  * POST /api/admin/requests/[id]/approve
- * Approve a tenant request:
+ *
- * 1. Decrypt stored package secrets (if any)
+ * Approve a request. Two paths depending on request_type:
- * 2. Write each package's secrets to OpenBao at secret/data/tenants/{tenant-name}/{package}
+ *
- * 3. Null the encrypted_secrets column
+ * Provision (the original purpose):
- * 4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
+ *  1. Decrypt stored package secrets (if any)
- * 5. Create PiecedTenant CR
+ *  2. Write each package's secrets to OpenBao
- * 6. Update request status, notify customer.
+ *  3. Null the encrypted_secrets column
- * Also supports re-approving a previously rejected request (clears admin notes).
+ *  4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
+ *  5. Create PiecedTenant CR
+ *  6. Update request status, notify customer.
+ *  Supports re-approving a previously rejected request (clears admin notes).
+ *
+ * Resume (Bug 37a):
+ *  1. PATCH spec.suspend=false on the existing PiecedTenant CR.
+ *  2. Clear the `pieced.ch/resume-request-pending` annotation so the
+ *     operator knows the request is settled (and doesn't pause its
+ *     60-day TTL forever — though now that the tenant isn't suspended,
+ *     the timer is moot).
+ *  3. Mark request approved, notify customer.
+ *  No CR creation, no secret materialisation, no workspace files.
  */
 export async function POST(
   request: Request,
@@ -60,6 +72,58 @@ export async function POST(
     );
   }
 
+  // Resume request: short path. Just patch the existing tenant, clear
+  // the annotation, mark approved.
+  if (tenantRequest.requestType === "resume") {
+    if (!tenantRequest.tenantName) {
+      // Shouldn't happen — resume requests are created with tenant_name
+      // set. Defensive 500 if it does.
+      return NextResponse.json(
+        { error: "Resume request has no tenant_name" },
+        { status: 500 }
+      );
+    }
+    try {
+      await patchTenantSpec(tenantRequest.tenantName, { suspend: false });
+      // Clear the annotation that pauses the operator's 60-day TTL.
+      // Best-effort — annotation cleanup is also done by the operator
+      // when it sees suspend=false on the next reconcile (it clears
+      // status.suspendedAt), but explicitly clearing here keeps the
+      // CR clean.
+      try {
+        await setTenantAnnotation(
+          tenantRequest.tenantName,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "post-approve annotation clear failed; not blocking",
+          e
+        );
+      }
+
+      await updateTenantRequestStatus(id, "approved", { adminNotes });
+
+      await sendApprovalEmail(
+        tenantRequest.contactEmail,
+        tenantRequest.contactName,
+        tenantRequest.companyName
+      ).catch((e) => console.error("approval email failed:", e));
+
+      return NextResponse.json({
+        message: "Resume approved. Tenant is reactivating.",
+        tenantName: tenantRequest.tenantName,
+      });
+    } catch (e: any) {
+      console.error("Resume approval failed:", e);
+      return NextResponse.json(
+        { error: safeError(e, "Failed to approve resume") },
+        { status: 500 }
+      );
+    }
+  }
+
   const isReApproval = tenantRequest.status === "rejected";
 
   // Build the CR name: see `lib/tenant-naming.ts` for the format spec.
@@ -123,6 +187,15 @@ export async function POST(
       },
       {
         "pieced.ch/zitadel-org-id": tenantRequest.zitadelOrgId,
+        // Bug 7: stamp the personal flag on the CR so callers (notably
+        // the tenant detail page) can hide assignment-related UI
+        // without an extra DB join. Slice 4 already tracks this on the
+        // request row; the CR label is the same fact at the K8s layer.
+        // Legacy tenants approved before this change won't carry the
+        // label — operators can backfill with `kubectl label`.
+        ...(tenantRequest.isPersonal
+          ? { "pieced.ch/personal": "true" }
+          : {}),
       }
     );
 

src/app/api/admin/requests/[id]/reject/route.ts

@@ -1,11 +1,19 @@
 import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
 import { getTenantRequestById, updateTenantRequestStatus } from "@/lib/db";
+import { setTenantAnnotation } from "@/lib/k8s";
 import { sendRejectionEmail } from "@/lib/email";
 
 /**
  * POST /api/admin/requests/[id]/reject
  * Reject a tenant request and notify the customer.
+ *
+ * For resume requests (Bug 37a): also clears the
+ * `pieced.ch/resume-request-pending` annotation on the tenant CR.
+ * The operator's 60-day TTL then resumes counting from the original
+ * suspendedAt — rejection doesn't reset it. The customer can submit
+ * a fresh resume request later if circumstances change, but that
+ * starts a new pending row and re-stamps the annotation.
  */
 export async function POST(
   request: Request,
@@ -37,6 +45,26 @@ export async function POST(
     adminNotes,
   });
 
+  // Resume rejection: clear the annotation so the operator's TTL
+  // resumes. Best-effort — failure is logged, not propagated.
+  if (
+    tenantRequest.requestType === "resume" &&
+    tenantRequest.tenantName
+  ) {
+    try {
+      await setTenantAnnotation(
+        tenantRequest.tenantName,
+        "pieced.ch/resume-request-pending",
+        null
+      );
+    } catch (e) {
+      console.warn(
+        "post-reject annotation clear failed; operator's TTL will pause until annotation removed by admin",
+        e
+      );
+    }
+  }
+
   // Notify customer
   await sendRejectionEmail(
     tenantRequest.contactEmail,

src/app/api/onboarding/[id]/dismiss/route.ts

@@ -0,0 +1,65 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { dismissTenantRequest, getTenantRequestById } from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * POST /api/onboarding/[id]/dismiss
+ *
+ * Customer-side acknowledgement of a rejected or cancelled request
+ * (Bug 13). Sets `dismissed_at = now()` so the row stops appearing
+ * in the dashboard's `listActiveTenantRequestsByOrgId` query. The
+ * row itself is preserved for audit.
+ *
+ * Authorization mirrors the GET / DELETE / PATCH endpoints on this
+ * resource: customer owners (or platform staff) of the row's org.
+ *
+ * Idempotent: dismissing an already-dismissed request returns 200
+ * with no change. We refuse to dismiss non-terminal rows (pending,
+ * approved, provisioning, active) — those are still actionable, and
+ * "hiding" them would stash live state from the customer.
+ */
+export async function POST(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { id } = await params;
+  const tr = await getTenantRequestById(id);
+  if (!tr) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (tr.status !== "rejected" && tr.status !== "cancelled") {
+    return NextResponse.json(
+      {
+        error:
+          "Only rejected or cancelled requests can be dismissed. Active requests stay visible.",
+        code: "not_dismissable",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  try {
+    await dismissTenantRequest(id);
+    return NextResponse.json({ message: "Dismissed.", id });
+  } catch (e: any) {
+    console.error("Failed to dismiss request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to dismiss request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/[id]/route.ts

@@ -0,0 +1,227 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import {
+  getTenantRequestById,
+  updateTenantRequestStatus,
+  updateTenantRequestEditableFields,
+} from "@/lib/db";
+import { encryptSecrets } from "@/lib/crypto";
+import { setTenantAnnotation } from "@/lib/k8s";
+import { onboardingSchema } from "@/lib/validation";
+import { safeError } from "@/lib/errors";
+
+/**
+ * Customer-side controls for a single tenant_request row.
+ *
+ *   - DELETE /api/onboarding/[id]  → cancel a still-pending request
+ *   - PATCH  /api/onboarding/[id]  → edit fields of a still-pending
+ *                                    request (Bug 6)
+ *
+ * Both endpoints share the same authorization check: the caller must
+ * be a customer owner (or platform staff) of the request's org. We
+ * also enforce status === 'pending' on the row — once an admin has
+ * acted on it, the customer can no longer mutate it from the portal.
+ *
+ * Reading these is via the existing GET /api/onboarding?id=... handler.
+ */
+
+async function loadAuthorized(
+  id: string
+): Promise<
+  | { error: NextResponse }
+  | { req: Awaited<ReturnType<typeof getTenantRequestById>>; }
+> {
+  const user = await getSessionUser();
+  if (!user) {
+    return {
+      error: NextResponse.json({ error: "Unauthorized" }, { status: 401 }),
+    };
+  }
+  if (!canMutate(user)) {
+    return {
+      error: NextResponse.json({ error: "Forbidden" }, { status: 403 }),
+    };
+  }
+  const tr = await getTenantRequestById(id);
+  if (!tr) {
+    return {
+      error: NextResponse.json({ error: "Not found" }, { status: 404 }),
+    };
+  }
+  // Customers may only read their own org's requests; platform users
+  // may read any. Same scope as `GET /api/onboarding?id=...`.
+  if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+    return {
+      error: NextResponse.json({ error: "Not found" }, { status: 404 }),
+    };
+  }
+  return { req: tr };
+}
+
+/**
+ * DELETE /api/onboarding/[id]
+ *
+ * Customer cancels a still-pending request. Status flips to 'cancelled';
+ * the row is preserved for audit. The customer can dismiss the
+ * cancelled card afterwards (Bug 13 reuse — same dismissal mechanism).
+ *
+ * Once admin has approved/provisioned/rejected, this endpoint refuses
+ * (409). Cancelling a tenant that's already running goes through the
+ * subscription-suspend flow on the tenant detail page, not here.
+ */
+export async function DELETE(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const loaded = await loadAuthorized(id);
+  if ("error" in loaded) return loaded.error;
+  const tr = loaded.req!;
+
+  if (tr.status !== "pending") {
+    return NextResponse.json(
+      {
+        error:
+          "Only pending requests can be cancelled. Approved or provisioning instances must be managed from the tenant page.",
+        code: "not_pending",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  try {
+    await updateTenantRequestStatus(id, "cancelled");
+
+    // Customer cancels their own pending resume request: clear the
+    // operator-side annotation so the 60-day TTL resumes counting.
+    // Best-effort — the operator handles missing annotation gracefully.
+    if (tr.requestType === "resume" && tr.tenantName) {
+      try {
+        await setTenantAnnotation(
+          tr.tenantName,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "post-cancel annotation clear failed; not blocking",
+          e
+        );
+      }
+    }
+
+    return NextResponse.json({ message: "Request cancelled.", id });
+  } catch (e: any) {
+    console.error("Failed to cancel request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to cancel request") },
+      { status: 500 }
+    );
+  }
+}
+
+/**
+ * PATCH /api/onboarding/[id]
+ *
+ * Customer edits a still-pending request. Validation is the same as on
+ * POST /api/onboarding (shared schema). Only customer-input fields are
+ * editable; status/tenant_name/admin_notes/etc. are server-managed.
+ *
+ * Note on company-level fields
+ * ----------------------------
+ * For a follow-up instance (org has prior approved rows), the POST
+ * handler intentionally ignores the wizard's billingAddress and uses
+ * the on-file value instead. We mirror that here: company-level fields
+ * (companyName, contactName, contactEmail, billingAddress) on a
+ * follow-up edit are NOT updated through this endpoint. The customer
+ * should use a future settings page (Bug 11) for those. For now,
+ * editing only mutates per-instance fields — agent name, instance
+ * name, packages, soulMd, agentsMd, billingNotes, packageSecrets.
+ *
+ * For the FIRST instance (no prior approved rows), billingAddress IS
+ * editable here, since the customer is still defining their company's
+ * billing data.
+ */
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const loaded = await loadAuthorized(id);
+  if ("error" in loaded) return loaded.error;
+  const tr = loaded.req!;
+
+  if (tr.status !== "pending") {
+    return NextResponse.json(
+      {
+        error: "Only pending requests can be edited.",
+        code: "not_pending",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  const body = await req.json().catch(() => null);
+  const parsed = onboardingSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: "Invalid input", details: parsed.error.flatten() },
+      { status: 400 }
+    );
+  }
+  const input = parsed.data;
+
+  // Re-encrypt package secrets if present in the patch body. When the
+  // user re-opens the wizard to edit, the secrets array is populated
+  // afresh from the wizard (we never decrypt and return existing
+  // secrets — that'd be a security regression). If the user didn't
+  // touch any secret-bearing package, the wizard sends no
+  // packageSecrets and we leave the existing encrypted blob alone.
+  let encryptedSecrets: Buffer | null | undefined;
+  if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {
+    try {
+      encryptedSecrets = await encryptSecrets(input.packageSecrets);
+    } catch (e: any) {
+      console.error("Failed to encrypt package secrets:", e);
+      return NextResponse.json(
+        { error: "Failed to secure credentials. Please try again." },
+        { status: 500 }
+      );
+    }
+  }
+
+  // Only first-instance edits get billingAddress; follow-ups inherit
+  // company billing from the on-file approved row.
+  const isFirstInstance = !tr.tenantName; // approximation; covers the
+  // "no prior approved row for this org" case the POST handler treats
+  // identically. A more rigorous check would call
+  // getMostRecentApprovedRequestForOrg, but in practice an org with
+  // an approved row for some other tenant has a tenantName on those
+  // rows, not on the pending one being edited — so the simple check
+  // here is fine for the only state the endpoint accepts (pending).
+
+  try {
+    const updated = await updateTenantRequestEditableFields(id, {
+      instanceName: input.instanceName,
+      agentName: input.agentName,
+      soulMd: input.soulMd,
+      agentsMd: input.agentsMd,
+      packages: input.packages ?? [],
+      billingAddress: isFirstInstance ? input.billingAddress : undefined,
+      billingNotes: input.billingNotes,
+      encryptedSecrets,
+    });
+    if (!updated) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+    return NextResponse.json({ message: "Request updated.", id });
+  } catch (e: any) {
+    console.error("Failed to edit request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to edit request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/route.ts

@@ -16,47 +16,41 @@ import {
 import { sendAdminNotificationEmail } from "@/lib/email";
 import { encryptSecrets } from "@/lib/crypto";
 import { isPersonalOrgName } from "@/lib/personal-org";
+import { onboardingSchema } from "@/lib/validation";
 import type { OnboardingInput, PiecedTenant, TenantRequest } from "@/types";
 import { z } from "zod";
 
-const onboardingSchema = z.object({
-  instanceName: z
-    .string()
-    .trim()
-    .max(80)
-    .optional()
-    // Empty string from a form input → drop to undefined so the DB stores NULL
-    .transform((v) => (v && v.length > 0 ? v : undefined)),
-  agentName: z.string().min(1).max(50),
-  soulMd: z.string().max(10_000).optional(),
-  agentsMd: z.string().max(10_000).optional(),
-  packages: z.array(z.string()).optional(),
-  packageSecrets: z
-    .record(z.string(), z.record(z.string(), z.string()))
-    .optional(),
-  billingAddress: z.object({
-    company: z.string().optional(),
-    street: z.string().optional(),
-    city: z.string().optional(),
-    postalCode: z.string().optional(),
-    country: z.string().optional(),
-  }),
-  billingNotes: z.string().max(2_000).optional(),
-});
-
 /**
  * Helper: shape a TenantRequest row for client consumption.
  * Hides server-only fields (encryptedSecrets, internal db ids).
  */
+/**
+ * Helper: shape a TenantRequest row for client consumption.
+ * Hides server-only fields (encryptedSecrets, internal db ids).
+ *
+ * Slice 7 / Bug 6: surfaces enough fields for the customer-side edit
+ * flow to pre-fill the wizard. soulMd, agentsMd, billingAddress,
+ * billingNotes were previously kept off the public shape because the
+ * pre-Slice-3 dashboard didn't render them. Edit needs them.
+ *
+ * Bug 13: surfaces dismissedAt so the dashboard can distinguish
+ * "freshly rejected, show prominently" from "rejected and acknowledged,
+ * keep hidden" without an extra API call.
+ */
 function publicRequestShape(r: TenantRequest) {
   return {
     id: r.id,
     instanceName: r.instanceName,
     agentName: r.agentName,
+    soulMd: r.soulMd,
+    agentsMd: r.agentsMd,
     packages: r.packages,
+    billingAddress: r.billingAddress,
+    billingNotes: r.billingNotes,
     status: r.status,
     adminNotes: r.adminNotes,
     tenantName: r.tenantName,
+    dismissedAt: r.dismissedAt ?? null,
     createdAt: r.createdAt,
     updatedAt: r.updatedAt,
   };
@@ -217,6 +211,31 @@ export async function POST(request: Request) {
   // the org-name check should agree.)
   const isPersonal = prior?.isPersonal ?? isPersonalOrgName(user.orgName);
 
+  // Bug 5: personal accounts are 1-instance by design. If there's
+  // already an active tenant or an in-flight request for this user's
+  // org, reject the submission outright. Server-side only check;
+  // matching UI guards live on /dashboard (button hidden) and
+  // /dashboard/new (server-redirect to /dashboard).
+  if (isPersonal) {
+    const [allTenants, activeRequests] = await Promise.all([
+      listTenants(),
+      listActiveTenantRequestsByOrgId(user.orgId),
+    ]);
+    const ownTenants = allTenants.filter(
+      (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
+    );
+    if (ownTenants.length > 0 || activeRequests.length > 0) {
+      return NextResponse.json(
+        {
+          error:
+            "Personal accounts are limited to one instance. Cancel your existing request or contact support to change plan.",
+          code: "personal_account_at_capacity",
+        },
+        { status: 403 }
+      );
+    }
+  }
+
   // Encrypt package secrets if provided
   let encryptedSecrets: Buffer | undefined;
   if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {

src/app/api/register/route.ts

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { registerCustomer } from "@/lib/zitadel";
 import { rateLimit } from "@/lib/rate-limit";
 import { checkDuplicateDomain } from "@/lib/db";
+import { generatePersonalOrgName } from "@/lib/personal-org";
 import type { RegistrationInput } from "@/types";
 import { z } from "zod";
 
@@ -13,11 +14,10 @@ import { z } from "zod";
  * - `companyName` is no longer always required. It's required when
  *   `isPersonal` is false/absent, ignored when `isPersonal` is true.
  * - `isPersonal` flag distinguishes personal accounts. The server
- *   derives the ZITADEL org name from `${givenName} ${familyName}
+ *   derives the ZITADEL org name from a generated opaque ID
- *   (Personal)` for personals — the suffix is the canonical marker
+ *   (`personal-{8hex}`) — see `lib/personal-org.ts` for the format
- *   that downstream code (onboarding POST, admin views) uses to
+ *   spec. Customers cannot rename their own org, so the marker is
- *   distinguish personal orgs from companies. Customers cannot rename
+ *   stable.
- *   their own org, so the suffix is stable.
  * - Personal accounts skip the duplicate-domain check entirely. Their
  *   row is also excluded from future domain checks (see
  *   `lib/domain-check.ts::findDuplicateInDb`).
@@ -44,15 +44,6 @@ const registrationSchema = z
 const RATE_LIMIT = 3;
 const RATE_WINDOW_MS = 3_600_000; // 1 hour
 
-/**
- * Suffix appended to personal-account ZITADEL org names. Used here to
- * build the org name and elsewhere (session.orgName check) to detect
- * whether the current user is on a personal org.
- *
- * Keep this in sync with `isPersonalOrgName()` in `lib/personal-org.ts`.
- */
-const PERSONAL_ORG_SUFFIX = " (Personal)";
-
 export async function POST(request: NextRequest) {
   // --- Rate limiting ---
   const ip =
@@ -116,14 +107,13 @@ export async function POST(request: NextRequest) {
     //
     // For company: use the customer-supplied companyName (already
     //   validated to be present + ≥2 chars by the schema refinement).
-    // For personal: synthesise from full name + " (Personal)" suffix.
+    // For personal: a fresh opaque ID like "personal-3f2a8b1c". The
-    //   The suffix is the canonical marker for personal orgs.
+    //   user's actual display name is per-user (`session.user.name`),
-    //
+    //   so the GUI shows that instead — see `displayOrgNameFor()`.
-    // ZITADEL does NOT enforce org-name uniqueness, so two "Hans Müller
+    //   This keeps personal orgs collision-free (Bug 9: two people
-    // (Personal)" orgs can coexist; the org id is what matters for our
+    //   named "Eva Müller" both being able to register).
-    // labelling and lookups, the name is human-readable only.
     const orgName = isPersonal
-      ? `${input.givenName.trim()} ${input.familyName.trim()}${PERSONAL_ORG_SUFFIX}`
+      ? generatePersonalOrgName()
       : input.companyName!.trim();
 
     const result = await registerCustomer({

src/app/api/team/[userId]/role/route.ts

@@ -53,6 +53,12 @@ export async function PATCH(
   if (!isCustomerOwner(user)) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
+  if (user.isPersonal) {
+    return NextResponse.json(
+      { error: "Personal accounts have no team roles to change." },
+      { status: 403 }
+    );
+  }
 
   const { userId } = await params;
 

src/app/api/team/invite/route.ts

@@ -35,6 +35,16 @@ export async function POST(req: Request) {
   if (!canMutate(user)) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
+  if (user.isPersonal) {
+    return NextResponse.json(
+      {
+        error:
+          "Personal accounts cannot invite additional members. Upgrade to a company account to add a team.",
+        code: "personal_account",
+      },
+      { status: 403 }
+    );
+  }
 
   const body = await req.json().catch(() => null);
   const parsed = inviteSchema.safeParse(body);

src/app/api/team/route.ts

@@ -24,6 +24,12 @@ export async function GET() {
   if (!canMutate(user)) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
+  if (user.isPersonal) {
+    return NextResponse.json(
+      { error: "Personal accounts do not have a team." },
+      { status: 403 }
+    );
+  }
 
   try {
     const members = await getOrgMembers(user.orgId);

src/app/api/tenants/[name]/assignments/route.ts

@@ -128,6 +128,23 @@ export async function POST(
       { status: 500 }
     );
   }
+  // Bug 7 server-side counterpart: personal tenants are sole-owner
+  // by definition. Reject any assignment attempt — this matches the
+  // hidden panel on the detail page and stops a determined client
+  // (or platform user with a legacy unlabeled personal tenant) from
+  // creating spurious rows.
+  if (
+    tenant.metadata.labels?.["pieced.ch/personal"] === "true" ||
+    (!user.isPlatform && user.isPersonal)
+  ) {
+    return NextResponse.json(
+      {
+        error: "Personal tenants do not support additional assignments.",
+        code: "personal_tenant",
+      },
+      { status: 403 }
+    );
+  }
 
   const body = await req.json().catch(() => null);
   const parsed = assignSchema.safeParse(body);

src/app/api/tenants/[name]/resume-request/route.ts

@@ -0,0 +1,153 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getTenant, setTenantAnnotation } from "@/lib/k8s";
+import { canUserSeeTenant } from "@/lib/visibility";
+import {
+  createResumeRequest,
+  getPendingResumeRequestForTenant,
+  getTenantRequestByTenantName,
+} from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * POST /api/tenants/[name]/resume-request
+ *
+ * Owner-initiated request to reactivate a suspended tenant (Bug 37a).
+ * Creates a pending tenant_request of type 'resume' for admin review,
+ * and stamps the PiecedTenant CR with an annotation that pauses the
+ * operator's 60-day deletion timer.
+ *
+ * Why a request flow at all
+ * -------------------------
+ * Customers can self-serve cancel; resume requires admin oversight.
+ * Reactivation may involve re-validating billing, confirming the
+ * customer still wants to be active, or other manual steps. The
+ * request flow gives admins a queue to review, with the same approve/
+ * reject UX as initial provision requests.
+ *
+ * Authorization
+ * -------------
+ * Owners and platform admins. Platform admins shouldn't normally use
+ * this endpoint — they have direct PATCH suspend access — but it's
+ * permissive in case admin tooling pivots.
+ *
+ * Validation
+ * ----------
+ *  - Tenant must exist and be visible to the caller.
+ *  - Tenant must be currently suspended. Resuming an active tenant
+ *    is meaningless.
+ *  - At most one pending resume request per tenant. Enforced by the
+ *    DB's partial unique index, but we also check explicitly here to
+ *    return a friendly 409 instead of a 500.
+ *
+ * Side effects on success
+ * -----------------------
+ *  - INSERT into tenant_requests (request_type='resume', status='pending')
+ *  - PATCH annotation `pieced.ch/resume-request-pending=<request-id>` on
+ *    the CR. This is the operator's signal to pause its 60-day deletion
+ *    timer until the request transitions to terminal.
+ *
+ * The annotation set is best-effort: if the K8s PATCH fails after the
+ * DB insert, the row exists without the annotation. The customer
+ * sees the request as pending; admin can still approve. The only
+ * functional consequence is the 60-day timer doesn't pause until the
+ * next request transition, which is fine in practice (admin response
+ * times are dramatically shorter than 60 days).
+ */
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { name } = await params;
+  const tenant = await getTenant(name);
+  if (!tenant) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (!(await canUserSeeTenant(user, tenant))) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (!tenant.spec.suspend) {
+    return NextResponse.json(
+      { error: "Tenant is not suspended; nothing to resume." },
+      { status: 409 }
+    );
+  }
+
+  // Already a pending request? Don't duplicate.
+  const existing = await getPendingResumeRequestForTenant(name);
+  if (existing) {
+    return NextResponse.json(
+      {
+        error: "A resume request for this tenant is already pending.",
+        request: { id: existing.id, createdAt: existing.createdAt },
+      },
+      { status: 409 }
+    );
+  }
+
+  // Pull traceability fields (companyName, agentName) from the original
+  // provision request. The schema marks these NOT NULL, so we have to
+  // populate them; copying from the provision row keeps the resume
+  // row navigable in the admin UI without making up values.
+  const provision = await getTenantRequestByTenantName(name);
+
+  try {
+    const resumeRequest = await createResumeRequest({
+      tenantName: name,
+      zitadelOrgId:
+        tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] ?? user.orgId,
+      zitadelUserId: user.id,
+      contactName: user.name,
+      contactEmail: user.email,
+      companyName: provision?.companyName ?? tenant.spec.displayName ?? name,
+      agentName: provision?.agentName ?? "Assistant",
+    });
+
+    // Stamp the annotation so the operator pauses its TTL. If this
+    // fails the request still exists; surface the error so admin
+    // tooling can re-stamp if needed, but don't roll back.
+    try {
+      await setTenantAnnotation(
+        name,
+        "pieced.ch/resume-request-pending",
+        resumeRequest.id
+      );
+    } catch (e) {
+      console.warn(
+        "resume request created but annotation could not be set; operator's 60-day timer will not pause until next reconcile triggered by request transition",
+        e
+      );
+    }
+
+    return NextResponse.json(
+      {
+        message: "Resume request submitted. An admin will review shortly.",
+        request: { id: resumeRequest.id, status: resumeRequest.status },
+      },
+      { status: 201 }
+    );
+  } catch (e: any) {
+    // Unique violation (a pending row already exists for this tenant)
+    // is friendly-handled above; this catches everything else.
+    if (e.code === "23505") {
+      return NextResponse.json(
+        { error: "A resume request for this tenant is already pending." },
+        { status: 409 }
+      );
+    }
+    console.error("Resume request creation failed:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to submit resume request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/tenants/[name]/suspend/route.ts

@@ -0,0 +1,141 @@
+import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
+import { canUserSeeTenant } from "@/lib/visibility";
+import { safeError } from "@/lib/errors";
+
+const patchSchema = z.object({
+  suspend: z.boolean(),
+});
+
+/**
+ * PATCH /api/tenants/[name]/suspend
+ *
+ * Direct suspend control on the PiecedTenant CR. Sets `spec.suspend`
+ * to true (cancel) or false (resume).
+ *
+ * Authorization (Bug 37a)
+ * -----------------------
+ * - suspend=true  → owners and platform admins may call.
+ * - suspend=false → platform admins ONLY. Owners must go through the
+ *   resume-request flow (POST /api/tenants/[name]/resume-request),
+ *   which creates a pending request for admin approval. This
+ *   asymmetry is by design: cancellation is self-service (low risk;
+ *   reversible by request); reactivation requires admin oversight
+ *   (e.g. to re-validate billing, confirm intent).
+ *
+ * Customer flow:
+ *   - Cancel:  PATCH suspend=true  here
+ *   - Resume:  POST /resume-request — creates a 'resume' tenant_request,
+ *              admin approves via /api/admin/requests/[id]/approve which
+ *              then PATCHes suspend=false here as a platform user.
+ *
+ * Workload behaviour
+ * ------------------
+ * On suspend=true the operator deletes the OpenClawInstance, stopping
+ * the pod within seconds. Tenant data — namespace, ConfigMaps,
+ * OpenBao secrets, CNPG database, LiteLLM team — is retained.
+ *
+ * Suspended tenants enter a 60-day retention window (operator
+ * constant `retentionAfterSuspend`); after that, the tenant is fully
+ * deleted unless a pending resume request exists. The operator
+ * checks the `pieced.ch/resume-request-pending` annotation to know
+ * about pending requests; we set it here when admin approves the
+ * resume (transitively, via the admin-approve endpoint), and clear
+ * it when the request reaches a terminal state.
+ */
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { name } = await params;
+  const tenant = await getTenant(name);
+  if (!tenant) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  // Identical pattern to the detail page — don't leak existence.
+  if (!(await canUserSeeTenant(user, tenant))) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  const body = await req.json().catch(() => null);
+  const parsed = patchSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: "Invalid input", details: parsed.error.flatten() },
+      { status: 400 }
+    );
+  }
+  const { suspend } = parsed.data;
+
+  // Bug 37a: resume (suspend=false) is platform-admin only via this
+  // endpoint. Owners must go through the resume-request flow.
+  if (!suspend && !user.isPlatform) {
+    return NextResponse.json(
+      {
+        error:
+          "Resume requires platform-admin approval. Submit a resume request via /api/tenants/[name]/resume-request.",
+      },
+      { status: 403 }
+    );
+  }
+
+  // No-op early exit. Avoids a needless K8s patch + status churn when
+  // the user double-clicks the button or the UI is briefly out of sync.
+  if (Boolean(tenant.spec.suspend) === suspend) {
+    return NextResponse.json(
+      { message: "No change.", suspend },
+      { status: 200 }
+    );
+  }
+
+  try {
+    await patchTenantSpec(name, { suspend });
+
+    // On admin-side resume, also clear the pending-resume-request
+    // annotation if it exists. Belt-and-suspenders: the admin-approve
+    // endpoint already clears it on its happy path, but a platform
+    // user resuming directly via this endpoint shouldn't leave the
+    // annotation behind. Best-effort: failure to clear the annotation
+    // is logged but doesn't fail the resume.
+    if (!suspend) {
+      try {
+        await setTenantAnnotation(
+          name,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "failed to clear resume-request-pending annotation; operator will see it stale until next request transition",
+          e
+        );
+      }
+    }
+
+    return NextResponse.json(
+      {
+        message: suspend
+          ? "Subscription cancelled. Your data is preserved for 60 days."
+          : "Subscription resumed.",
+        suspend,
+      },
+      { status: 200 }
+    );
+  } catch (e: any) {
+    console.error("Suspend toggle failed:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to update subscription") },
+      { status: e.statusCode || 500 }
+    );
+  }
+}

src/app/api/usage/route.ts

@@ -8,64 +8,109 @@ import { safeError } from "@/lib/errors";
 /**
  * GET /api/usage
  *
- * Customers: tenant resolved server-side from the user's orgId. The
+ * Per-tenant spend/token usage for a given month.
- *            response is filtered by the tenant's `litellmKeyAlias` so
- *            sibling tenants in the same org don't bleed into the total.
- * Platform admins: may pass ?teamId=... to inspect any team. They may
- *                  also pass ?keyAlias=... to scope to a single tenant.
  *
- * Slice 2 note
+ * Resolution rules (in priority order)
- * ------------
+ * ------------------------------------
- * LiteLLM teams are now shared across all tenants of an org. The team's
+ *  1. `?tenant=<name>` query param — the canonical path. The route
- * `/team/info` budget is the *company* budget; the per-tenant numbers
+ *     looks up the PiecedTenant CR by name, runs it through the
- * come from filtering spend logs by `key_alias`. If a tenant has no
+ *     viewer's visibility filter, and reads `status.litellmTeamId` +
- * `litellmKeyAlias` in status (transitional state right after upgrade,
+ *     `status.litellmKeyAlias`. This is what the tenant-detail page
- * before the operator has reconciled), we fall back to team-level
+ *     calls with for both customers and admins.
- * filtering — the numbers will be slightly inflated for that one
+ *  2. `?teamId=<id>` (+ optional `?keyAlias=<alias>`) — admin escape
- * reconcile cycle.
+ *     hatch for debugging across orgs (e.g. opening the platform
+ *     panel without a specific tenant in mind). Platform-only;
+ *     ignored for customer sessions.
+ *  3. No params — 400. We deliberately do NOT fall back to "the
+ *     first visible tenant". Bug 19: that fallback meant siblings
+ *     in the same org showed identical numbers because the API
+ *     always picked the same "first" tenant regardless of which
+ *     detail page the customer was viewing. Forcing callers to be
+ *     explicit makes the bug structurally impossible to reintroduce.
+ *
+ * Filtering
+ * ---------
+ * LiteLLM's `/spend/logs/v2` accepts a server-side `key_alias` filter.
+ * We pass it through directly — no more "fetch all team pages and
+ * post-filter in JS" (which was O(team_total) memory per request and
+ * masked the routing bug above by being slow enough that nobody
+ * noticed which alias was actually being used).
+ *
+ * The team-level budget is still surfaced as the *org* budget, since
+ * teams are org-scoped post-Slice-2. That's intentional: the customer
+ * sees "your company has X budget remaining" alongside "this tenant
+ * cost Y this month".
  */
 export async function GET(req: NextRequest) {
   const user = await getSessionUser();
   if (!user)
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
+  const tenantName = req.nextUrl.searchParams.get("tenant");
   let teamId: string | null = null;
   let keyAlias: string | null = null;
 
-  if (user.isPlatform) {
+  if (tenantName) {
-    teamId = req.nextUrl.searchParams.get("teamId") ?? null;
+    // Path 1: resolve from tenant name with visibility check.
-    keyAlias = req.nextUrl.searchParams.get("keyAlias") ?? null;
+    //
-  }
+    // listVisibleTenants enforces the same visibility rules as every
-
+    // other read endpoint:
-  // For customers (or admins without explicit params): resolve from
+    //   - platform admins see everything
-  // the user's *visible* tenants. With Slice 6, a `user`-role member
+    //   - owners see all tenants in their org
-  // can only see usage for tenants they're assigned to — a non-assigned
+    //   - users see only the tenants they're assigned to (Slice 6)
-  // user defaults to "no active tenant" (404).
+    //
-  //
+    // Filtering through that list rather than reading the CR directly
-  // Owner and platform get the full org-scoped list and pick the first
+    // means a malicious caller can't probe arbitrary tenant names to
-  // tenant, matching the dashboard's "current instance" semantics.
+    // learn what exists in other orgs.
-  if (!teamId) {
     const allTenants = await listTenants();
     const visible = await listVisibleTenants(user, allTenants);
-    const orgTenant = visible.find((t) => !!t.status?.litellmTeamId);
+    const tenant = visible.find((t) => t.metadata.name === tenantName);
 
-    if (!orgTenant?.status?.litellmTeamId) {
+    if (!tenant) {
       return NextResponse.json(
-        { error: "No active tenant found for your organization" },
+        { error: "Tenant not found or not accessible" },
         { status: 404 }
       );
     }
-    teamId = orgTenant.status.litellmTeamId;
+    if (!tenant.status?.litellmTeamId) {
-
+      // Tenant exists but the operator hasn't reconciled it yet.
-    // If the operator has populated the per-tenant key alias, filter by it.
+      // Common right after onboarding; the customer should see a
-    // Falling back to team-level (no alias) will return the org total, which
+      // friendly empty state, not a 500.
-    // is acceptable transitionally but means siblings' usage shows up here.
+      return NextResponse.json(
-    if (orgTenant.status.litellmKeyAlias) {
+        { error: "Tenant is still provisioning, no usage data yet" },
-      keyAlias = orgTenant.status.litellmKeyAlias;
+        { status: 409 }
+      );
     }
+    teamId = tenant.status.litellmTeamId;
+    // litellmKeyAlias is set by the operator's LiteLLM reconcile step
+    // alongside litellmTeamId, so if teamId is present this should be
+    // too. Defensive fallback to team-level if missing — in that case
+    // the customer briefly sees company totals until the next operator
+    // reconcile, which is better than 500.
+    keyAlias = tenant.status.litellmKeyAlias ?? null;
+  } else if (user.isPlatform) {
+    // Path 2: admin escape hatch.
+    teamId = req.nextUrl.searchParams.get("teamId");
+    keyAlias = req.nextUrl.searchParams.get("keyAlias");
+    if (!teamId) {
+      return NextResponse.json(
+        {
+          error:
+            "Either ?tenant=<name> or ?teamId=<id> (admin) must be provided",
+        },
+        { status: 400 }
+      );
+    }
+  } else {
+    // Path 3: no resolution possible. See doc above for why we don't
+    // pick a default.
+    return NextResponse.json(
+      { error: "Tenant must be specified via ?tenant=<name>" },
+      { status: 400 }
+    );
   }
 
-  // Month param: YYYY-MM, defaults to current month
+  // Month param: YYYY-MM, defaults to current month.
   const now = new Date();
   const monthParam =
     req.nextUrl.searchParams.get("month") ||
@@ -81,11 +126,11 @@ export async function GET(req: NextRequest) {
   try {
     const teamInfo = await getTeamInfo(teamId);
 
-    // Fetch all pages from the team. We always query at the team level —
+    // Page through results — server-side filtered by key_alias when
-    // LiteLLM's /spend/logs/v2 doesn't filter by key_alias reliably across
+    // provided. Pagination still needed because LiteLLM caps
-    // versions, so we paginate and post-filter in code. For pilot scale
+    // page_size at 100, and a busy tenant can easily exceed that in
-    // this is cheap; if a single team ever exceeds ~10k entries/month we
+    // a month. With server-side filtering this stays cheap regardless
-    // can revisit.
+    // of how busy sibling tenants in the same team are.
     const allRequests: any[] = [];
     let page = 1;
     while (true) {
@@ -94,33 +139,25 @@ export async function GET(req: NextRequest) {
         startStr,
         endStr,
         page,
-        100
+        100,
+        keyAlias
       );
       allRequests.push(...(result.data || []));
       if (page >= (result.total_pages || 1)) break;
       page++;
+      // Defensive cap. A pathological response with bogus total_pages
+      // shouldn't be able to spin us forever. 50 pages × 100 = 5000
+      // entries/month/tenant is well above any realistic usage at
+      // pilot scale.
+      if (page > 50) break;
     }
 
-    // Apply key_alias post-filter when scoping to a single tenant. Match
+    // Aggregate by day.
-    // both `key_alias` (newer LiteLLM) and `metadata.user_api_key_alias`
-    // (older builds nest it inside metadata).
-    const scoped = keyAlias
-      ? allRequests.filter((r) => {
-          const alias =
-            r.key_alias ??
-            r.metadata?.user_api_key_alias ??
-            r.api_key_alias ??
-            null;
-          return alias === keyAlias;
-        })
-      : allRequests;
-
-    // Aggregate by day
     const byDay: Record<
       string,
       { inputTokens: number; outputTokens: number; spend: number }
     > = {};
-    for (const r of scoped) {
+    for (const r of allRequests) {
       const day = (r.startTime || r.endTime || "").slice(0, 10);
       if (!day) continue;
       if (!byDay[day])
@@ -134,30 +171,30 @@ export async function GET(req: NextRequest) {
       .sort(([a], [b]) => a.localeCompare(b))
       .map(([date, d]) => ({ date, ...d }));
 
-    const totalInput = scoped.reduce(
+    const totalInput = allRequests.reduce(
       (s, r) => s + (r.prompt_tokens || 0),
       0
     );
-    const totalOutput = scoped.reduce(
+    const totalOutput = allRequests.reduce(
       (s, r) => s + (r.completion_tokens || 0),
       0
     );
-    const totalSpend = scoped.reduce((s, r) => s + (r.spend || 0), 0);
+    const totalSpend = allRequests.reduce((s, r) => s + (r.spend || 0), 0);
 
     return NextResponse.json({
       teamId,
-      keyAlias, // null when not filtering — useful for the client to know it sees company-wide data
+      keyAlias, // null when admin queries team-wide (no specific tenant)
       month: monthParam,
       currentPeriod: {
         inputTokens: totalInput,
         outputTokens: totalOutput,
         totalSpend,
-        requestCount: scoped.length,
+        requestCount: allRequests.length,
       },
       // Budget is always team-level (= company budget). Spend reported
       // here is the team total, not the per-key total — the customer
-      // wants to see "how much of our company budget is left", not just
+      // wants to see "how much of our company budget is left", not
-      // "how much has this one tenant cost".
+      // just "how much has this one tenant cost".
       budget: {
         maxBudget: teamInfo?.team_info?.max_budget ?? null,
         spend: teamInfo?.team_info?.spend ?? 0,

src/components/admin/admin-panel.tsx

@@ -199,7 +199,22 @@ export function AdminPanel({ initialTenants }: AdminPanelProps) {
         throw new Error(data.error || "Delete failed");
       }
       setDeleteModal(null);
-      await fetchTenants();
+      // Bug 32: K8s deletion is asynchronous — the resource enters a
+      // Terminating phase with a deletionTimestamp set, finalizers run,
+      // then the resource is fully removed. fetchTenants() right
+      // after the API call would race the K8s store and often still
+      // include the just-deleted row. Two complementary fixes:
+      //   1. Optimistically drop the row from local state so the UI
+      //      reflects the user's intent immediately.
+      //   2. Schedule a delayed refetch (1.5s) to pick up any side
+      //      effects (cascaded request rows, freshly-released names).
+      // The immediate fetchTenants() is kept as a "best chance" — if
+      // K8s does report the deletion synchronously (rare), we get the
+      // freshest data. If it doesn't, the optimistic update has us
+      // covered until the delayed refetch lands.
+      setTenants((prev) => prev.filter((t) => t.metadata.name !== name));
+      fetchTenants();
+      setTimeout(() => fetchTenants(), 1500);
     } catch (e: any) {
       setError(e.message);
     } finally {
@@ -347,9 +362,28 @@ export function AdminPanel({ initialTenants }: AdminPanelProps) {
                         className="border-b border-border last:border-0 hover:bg-surface-2/50 transition-colors"
                       >
                         <td className="px-4 py-3">
-                          <div className="font-medium text-text-primary text-sm">
+                          <div className="font-medium text-text-primary text-sm flex items-center gap-2">
                             {req.companyName}
+                            {/* Bug 37a: distinguish resume requests in the
+                                queue. Provision and resume share status
+                                semantics but very different action
+                                consequences — a resume approval just
+                                un-suspends an existing tenant, no
+                                provisioning workflow runs. */}
+                            {req.requestType === "resume" && (
+                              <span
+                                className="px-1.5 py-0.5 text-[10px] font-semibold rounded uppercase tracking-wider bg-success/15 text-success"
+                                title={t("resumeRequestTooltip")}
+                              >
+                                {t("resumeRequestBadge")}
+                              </span>
+                            )}
                           </div>
+                          {req.requestType === "resume" && req.tenantName && (
+                            <div className="text-text-muted text-xs font-mono mt-0.5">
+                              {req.tenantName}
+                            </div>
+                          )}
                         </td>
                         <td className="px-4 py-3">
                           <div className="text-text-primary text-sm">

src/components/dashboard/usage-display.tsx

@@ -94,17 +94,27 @@ function UsageChart({ data }: { data: DailyUsage[] }) {
 /**
  * Usage display widget.
  *
- * - Customers: don't pass teamId or keyAlias — the backend resolves both
+ * Pass `tenant=<name>` for the canonical path — works for both
- *   from the session-bound tenant.
+ * customers and admins, the API resolves team+alias from the tenant
- * - Admins inspecting a specific tenant: pass `teamId` (the org-level
+ * CR's status. The visibility check on the API ensures users can't
- *   LiteLLM team id) AND `keyAlias` (the tenant's virtual-key alias).
+ * query tenants they shouldn't see.
- *   Without `keyAlias`, the response includes spend from sibling tenants
+ *
- *   in the same org, since teams are shared since Slice 2.
+ * `teamId`/`keyAlias` remain available as a platform-admin escape
+ * hatch for cross-org debugging, but the tenant-detail and dashboard
+ * paths should always use `tenant`.
+ *
+ * Bug 19 fix: previous version omitted both props for customer
+ * sessions, expecting the API to "figure it out". The API's fallback
+ * was "first visible tenant", which meant siblings in the same org
+ * showed identical numbers regardless of which detail page was open.
+ * Now the page passes the tenant name explicitly; no fallback exists.
  */
 export function UsageDisplay({
+  tenant,
   teamId,
   keyAlias,
 }: {
+  tenant?: string | null;
   teamId?: string | null;
   keyAlias?: string | null;
 }) {
@@ -121,11 +131,13 @@ export function UsageDisplay({
     setError(null);
 
     const params = new URLSearchParams({ month });
-    if (teamId) {
+    if (tenant) {
+      params.set("tenant", tenant);
+    } else if (teamId) {
+      // Admin escape hatch — only honoured by the API when the
+      // viewer is platform-role.
       params.set("teamId", teamId);
-    }
+      if (keyAlias) params.set("keyAlias", keyAlias);
-    if (keyAlias) {
-      params.set("keyAlias", keyAlias);
     }
 
     fetch(`/api/usage?${params}`)
@@ -133,7 +145,7 @@ export function UsageDisplay({
       .then(setData)
       .catch((e) => setError(e.message))
       .finally(() => setLoading(false));
-  }, [teamId, keyAlias, month]);
+  }, [tenant, teamId, keyAlias, month]);
 
   useEffect(() => { fetchUsage(); }, [fetchUsage]);
 

src/components/layout/nav-shell.tsx

@@ -13,8 +13,13 @@ function NavBar() {
   const pathname = usePathname();
   const user = (session as any)?.platformUser;
 
-  const isLogin = pathname === "/login";
+  // Hide the nav entirely on auth-only routes. These pages have no
-  if (isLogin) return null;
+  // session yet — showing "Dashboard" / "Sign Out" is misleading at
+  // best (the buttons would 401 or redirect-loop). Keep this list
+  // narrow and route-exact: anything else we add to the auth flow
+  // (e.g. password reset) needs to be added here too.
+  const isAuthRoute = pathname === "/login" || pathname === "/register";
+  if (isAuthRoute) return null;
 
   return (
     <header className="sticky top-0 z-50 border-b border-border bg-surface-1/80 backdrop-blur-md">
@@ -40,11 +45,14 @@ function NavBar() {
             <NavLink href="/dashboard" active={pathname === "/dashboard"}>
               {t("dashboard")}
             </NavLink>
-            {/* Slice 7: /team is owner+platform only. Match server-side
+            {/* Slice 7: /team is owner+platform only AND personal
-                gate (canMutate). The roles array carries either "owner"
+                accounts are excluded — they have no team to manage
-                or "user" for customer sessions; isPlatform covers the
+                (Bug 8). Match server-side gates (`canMutate`,
-                platform side. */}
+                `user.isPersonal === false`). The roles array carries
+                either "owner" or "user" for customer sessions;
+                isPlatform covers the platform side. */}
             {user &&
+              !user.isPersonal &&
               (user.isPlatform ||
                 (Array.isArray(user.roles) && user.roles.includes("owner"))) && (
                 <NavLink href="/team" active={pathname === "/team"}>
@@ -62,8 +70,17 @@ function NavBar() {
         {/* Right side */}
         <div className="flex items-center gap-4">
           {user && (
+            // For personal accounts the orgName is opaque
+            // ("personal-3f2a8b1c") or a synthetic legacy
+            // "Name (Personal)" — neither is what we want in the nav.
+            // Show the user's display name instead. The detection logic
+            // and fallback chain live in `lib/personal-org.ts`; keeping
+            // a thin inline branch here avoids importing a server-only
+            // helper into a client component.
             <span className="hidden md:inline text-xs text-text-secondary font-mono">
-              {user.orgName}
+              {user.isPersonal
+                ? user.name || (user.email ? user.email.split("@")[0] : user.orgName)
+                : user.orgName}
             </span>
           )}
           <LanguageSwitcher />

src/components/onboarding/onboarding-flow.tsx

@@ -5,6 +5,21 @@ import { OnboardingWizard } from "./wizard";
 
 interface OnboardingFlowProps {
   orgName: string;
+  /**
+   * The user's display name. Forwarded to the wizard so personal
+   * accounts can show the user's own name where they would otherwise
+   * see an opaque org name. Ignored for company accounts.
+   */
+  userName?: string;
+  userEmail?: string;
+  /**
+   * Bug 6: when present, the wizard is rendered in edit mode against
+   * the given pending request. See `OnboardingWizard` for the full
+   * shape and behavioural contract.
+   */
+  editingRequest?: React.ComponentProps<
+    typeof OnboardingWizard
+  >["editingRequest"];
 }
 
 /**
@@ -18,12 +33,20 @@ interface OnboardingFlowProps {
  * level (which renders one `<ProvisioningStatus>` per pending request),
  * so this wrapper does just one thing: show the wizard, then navigate.
  */
-export function OnboardingFlow({ orgName }: OnboardingFlowProps) {
+export function OnboardingFlow({
+  orgName,
+  userName,
+  userEmail,
+  editingRequest,
+}: OnboardingFlowProps) {
   const router = useRouter();
 
   return (
     <OnboardingWizard
       orgName={orgName}
+      userName={userName}
+      userEmail={userEmail}
+      editingRequest={editingRequest}
       onComplete={() => {
         // Navigate back to /dashboard and re-fetch on the server. The
         // parent server component will see the new `pending` row and

src/components/onboarding/provisioning-status.tsx

@@ -1,8 +1,11 @@
 "use client";
 
 import { useState, useEffect, useCallback } from "react";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
 import { useTranslations, useFormatter } from "next-intl";
 import { Card } from "@/components/ui/card";
+import { Modal } from "@/components/ui/modal";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { formatDateTime, formatRelative } from "@/lib/format";
 
@@ -14,6 +17,7 @@ interface RequestSummary {
   status: string;
   adminNotes?: string;
   tenantName?: string;
+  dismissedAt?: string | null;
   createdAt?: string;
   updatedAt?: string;
 }
@@ -36,21 +40,42 @@ interface SingleRequestState {
   tenant: TenantSummary | null;
 }
 
+interface Props {
+  requestId: string;
+  /**
+   * Whether the viewer can act on this request — cancel a pending one,
+   * dismiss a rejected one, etc. True for owner + platform; false for
+   * `user`-role customers (who shouldn't see in-flight requests at all,
+   * but defence in depth — `canSeeInflightRequests` already gates the
+   * dashboard side).
+   */
+  canAct: boolean;
+}
+
 /**
  * ProvisioningStatus
  *
  * Polls /api/onboarding?id=<requestId> every 5s until the request reaches
- * a terminal state. Slice 3: takes a `requestId` prop so multiple of these
+ * a terminal state. Slice 3: takes a `requestId` prop so multiple of
- * can render on the same dashboard for different in-flight requests.
+ * these can render on the same dashboard for different in-flight
+ * requests.
  *
- * The pre-Slice-3 version polled /api/onboarding with no params and
+ * Slice 7 / Bug 6 + 13:
- * assumed one-request-per-org — that endpoint shape is gone now.
+ *   - pending → cancel + edit buttons
+ *   - rejected → admin notes block + dismiss button
+ *   - cancelled → small acknowledgement card + dismiss button
+ *   - terminal Ready/Active states unchanged
  */
-export function ProvisioningStatus({ requestId }: { requestId: string }) {
+export function ProvisioningStatus({ requestId, canAct }: Props) {
   const t = useTranslations("onboarding");
+  const tCommon = useTranslations("common");
   const f = useFormatter();
+  const router = useRouter();
+
   const [data, setData] = useState<SingleRequestState | null>(null);
   const [error, setError] = useState("");
+  const [actionPending, setActionPending] = useState(false);
+  const [confirmCancel, setConfirmCancel] = useState(false);
 
   const poll = useCallback(async () => {
     try {
@@ -67,11 +92,11 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
 
   useEffect(() => {
     poll();
-
     const status = data?.request?.status;
     const phase = data?.tenant?.phase;
     const terminal =
       status === "rejected" ||
+      status === "cancelled" ||
       status === "active" ||
       phase === "Ready" ||
       phase === "Running";
@@ -82,7 +107,54 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     return () => clearInterval(interval);
   }, [poll, data?.request?.status, data?.tenant?.phase]);
 
-  if (error) {
+  const handleCancel = async () => {
+    setActionPending(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${encodeURIComponent(requestId)}`,
+        { method: "DELETE" }
+      );
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || t("cancelFailed"));
+      }
+      setConfirmCancel(false);
+      // Re-poll so the card transitions to "cancelled" state without a
+      // full route refresh — the dashboard's surrounding tenant cards
+      // are unaffected.
+      await poll();
+      router.refresh();
+    } catch (err: any) {
+      setError(err.message);
+    } finally {
+      setActionPending(false);
+    }
+  };
+
+  const handleDismiss = async () => {
+    setActionPending(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${encodeURIComponent(requestId)}/dismiss`,
+        { method: "POST" }
+      );
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || t("dismissFailed"));
+      }
+      // Server-rendered list query (`listActiveTenantRequestsByOrgId`)
+      // filters out dismissed rows — refresh to drop this card.
+      router.refresh();
+    } catch (err: any) {
+      setError(err.message);
+    } finally {
+      setActionPending(false);
+    }
+  };
+
+  if (error && !data) {
     return (
       <Card>
         <div className="text-xs text-red-400">{error}</div>
@@ -107,7 +179,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     data.request.tenantName ||
     data.request.agentName;
 
-  // Pending admin approval
+  // ─── Pending: awaiting admin approval ───────────────────────────────
   if (status === "pending") {
     return (
       <Card className="animate-in">
@@ -131,7 +203,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("pendingTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("pendingDescription")}
@@ -150,12 +224,71 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
               </span>
             </p>
           )}
+
+          {/* Bug 6 — owner-only edit + cancel actions while still
+              pending. Once admin acts, both buttons disappear (the
+              status branch changes). */}
+          {canAct && (
+            <div className="flex justify-center gap-2 mt-5">
+              <Link
+                href={`/dashboard/edit/${encodeURIComponent(requestId)}`}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+              >
+                {t("editRequest")}
+              </Link>
+              <button
+                type="button"
+                onClick={() => setConfirmCancel(true)}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-red-500/30 text-red-400 hover:bg-red-500/10 transition-colors"
+              >
+                {t("cancelRequest")}
+              </button>
+            </div>
+          )}
+          {error && (
+            <p className="text-xs text-red-400 mt-3">{error}</p>
+          )}
         </div>
+
+        {confirmCancel && (
+          <Modal
+            open={confirmCancel}
+            onClose={() => setConfirmCancel(false)}
+            ariaLabel={t("cancelConfirmRequestTitle")}
+          >
+            <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+              {t("cancelConfirmRequestTitle")}
+            </h3>
+            <p className="text-sm text-text-secondary mb-5">
+              {t("cancelConfirmRequestDescription")}
+            </p>
+            <div className="flex justify-end gap-2">
+              <button
+                type="button"
+                onClick={() => setConfirmCancel(false)}
+                disabled={actionPending}
+                className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+              >
+                {tCommon("cancel")}
+              </button>
+              <button
+                type="button"
+                onClick={handleCancel}
+                disabled={actionPending}
+                className="text-sm px-4 py-2 rounded-lg bg-red-500 text-white hover:bg-red-600 transition-colors disabled:opacity-50"
+              >
+                {actionPending
+                  ? tCommon("loading")
+                  : t("cancelRequestConfirm")}
+              </button>
+            </div>
+          </Modal>
+        )}
       </Card>
     );
   }
 
-  // Rejected
+  // ─── Rejected: admin declined ───────────────────────────────────────
   if (status === "rejected") {
     return (
       <Card className="animate-in">
@@ -179,22 +312,94 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("rejectedTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("rejectedDescription")}
           </p>
           {data.request.adminNotes && (
-            <p className="text-xs text-text-muted mt-3 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
+            <div className="text-left text-xs text-text-secondary mt-4 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
-              {data.request.adminNotes}
+              <div className="font-semibold uppercase tracking-wider text-text-muted text-[10px] mb-1.5">
-            </p>
+                {t("rejectionReason")}
+              </div>
+              <div className="whitespace-pre-wrap">
+                {data.request.adminNotes}
+              </div>
+            </div>
           )}
+          {/* Bug 13: dismiss removes this card from the dashboard but
+              keeps the row in the DB for audit. The customer can also
+              just resubmit via the wizard — both paths are valid. */}
+          {canAct && (
+            <div className="flex justify-center mt-5">
+              <button
+                type="button"
+                onClick={handleDismiss}
+                disabled={actionPending}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
+              >
+                {actionPending ? tCommon("loading") : t("dismiss")}
+              </button>
+            </div>
+          )}
+          {error && <p className="text-xs text-red-400 mt-3">{error}</p>}
         </div>
       </Card>
     );
   }
 
-  // Provisioning in progress (status approved/provisioning, optionally with tenant phase < Ready)
+  // ─── Cancelled: customer cancelled before admin acted (Bug 6) ──────
+  if (status === "cancelled") {
+    return (
+      <Card className="animate-in">
+        <div className="text-center py-6">
+          <div className="h-14 w-14 rounded-xl bg-text-muted/15 flex items-center justify-center mx-auto mb-4">
+            <svg
+              className="h-7 w-7 text-text-muted"
+              fill="none"
+              viewBox="0 0 24 24"
+              stroke="currentColor"
+              strokeWidth={1.5}
+            >
+              <path
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
+              />
+            </svg>
+          </div>
+          <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
+            {t("cancelledTitle")}
+          </h2>
+          {label && (
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
+          )}
+          <p className="text-sm text-text-secondary max-w-sm mx-auto">
+            {t("cancelledDescription")}
+          </p>
+          {canAct && (
+            <div className="flex justify-center mt-5">
+              <button
+                type="button"
+                onClick={handleDismiss}
+                disabled={actionPending}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
+              >
+                {actionPending ? tCommon("loading") : t("dismiss")}
+              </button>
+            </div>
+          )}
+          {error && <p className="text-xs text-red-400 mt-3">{error}</p>}
+        </div>
+      </Card>
+    );
+  }
+
+  // ─── Provisioning: approved, operator working ──────────────────────
   if (
     status === "approved" ||
     status === "provisioning" ||
@@ -213,7 +418,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("provisioningTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary">
             {t("provisioningDescription")}
@@ -249,7 +456,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     );
   }
 
-  // Active / Ready
+  // ─── Active / Ready ─────────────────────────────────────────────────
   if (status === "active") {
     return (
       <Card className="animate-in">
@@ -273,7 +480,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("readyTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto mb-4">
             {t("readyDescription")}

src/components/onboarding/wizard.tsx

@@ -4,7 +4,15 @@ import { useState, useCallback, useEffect, useRef } from "react";
 import { useTranslations } from "next-intl";
 import { Card } from "@/components/ui/card";
 import { PACKAGE_CATALOG, type PackageDef } from "@/lib/packages";
-import { isPersonalOrgName, PERSONAL_ORG_SUFFIX } from "@/lib/personal-org";
+import { isPersonalOrgName, displayOrgNameFor } from "@/lib/personal-org";
+import {
+  configureStepSchema,
+  billingStepSchema,
+  onboardingSchema,
+  fieldErrors,
+  SUPPORTED_COUNTRIES,
+  type SupportedCountry,
+} from "@/lib/validation";
 
 type Step = "welcome" | "configure" | "billing" | "confirm";
 
@@ -48,47 +56,120 @@ const CATEGORIES = [
 
 interface WizardProps {
   orgName: string;
+  /**
+   * The user's display name. Used as the visible label for personal
+   * accounts (where `orgName` is an opaque ID like "personal-3f2a8b1c"
+   * or a synthetic legacy "{name} (Personal)" string). Ignored for
+   * company accounts.
+   */
+  userName?: string;
+  userEmail?: string;
+  /**
+   * Bug 6: when present, the wizard renders in "edit" mode — fields
+   * are pre-populated from the request, the SOUL.md auto-fetch is
+   * skipped (we trust the existing values), and the submit button
+   * PATCHes /api/onboarding/[id] instead of POSTing /api/onboarding.
+   *
+   * Per-package secrets are deliberately NOT pre-filled, even if the
+   * customer originally supplied them — server-side decryption to
+   * the client would be a security regression. The user re-enters
+   * any secrets they want to change; if they leave them blank, the
+   * existing encrypted blob in the DB is preserved by the PATCH
+   * endpoint.
+   */
+  editingRequest?: {
+    id: string;
+    instanceName: string;
+    agentName: string;
+    soulMd: string;
+    agentsMd: string;
+    packages: string[];
+    billingAddress: {
+      company?: string;
+      street?: string;
+      city?: string;
+      postalCode?: string;
+      country?: string;
+    };
+    billingNotes: string;
+  };
   onComplete: () => void;
 }
 
-export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
+export function OnboardingWizard({
+  orgName,
+  userName,
+  userEmail,
+  editingRequest,
+  onComplete,
+}: WizardProps) {
   const t = useTranslations("onboarding");
   const tPkg = useTranslations("packages");
   const tCommon = useTranslations("common");
+  const tCountries = useTranslations("countries");
 
-  // Slice 4: personal accounts have an org name of the form
+  // Personal accounts have an org name that is either the legacy
-  // "{givenName} {familyName} (Personal)". For SOUL.md and the billing
+  // "{givenName} {familyName} (Personal)" or the current opaque
-  // company line, strip the suffix so the visible string is the user's
+  // "personal-{8hex}" form. Either way, the customer-facing display
-  // actual name (no stray "(Personal)" leaking onto invoices or into
+  // should be the user's own name — never the org name. SOUL.md
-  // the assistant's prompt).
+  // interpolation and the billing form follow the same rule so
+  // invoices and prompts don't leak "(Personal)" or "personal-3f2a..".
   const isPersonal = isPersonalOrgName(orgName);
-  const displayOrgName = isPersonal
+  const displayOrgName = displayOrgNameFor({
-    ? orgName.slice(0, -PERSONAL_ORG_SUFFIX.length).trim()
+    name: userName,
-    : orgName;
+    email: userEmail,
+    orgName,
+    isPersonal,
+  });
+  const isEditing = Boolean(editingRequest);
 
-  const [step, setStep] = useState<Step>("welcome");
+  // Edit mode jumps straight to the configure step — the welcome step
+  // is a first-time onboarding affordance and only adds friction when
+  // the customer is fixing a typo.
+  const [step, setStep] = useState<Step>(isEditing ? "configure" : "welcome");
   const [submitting, setSubmitting] = useState(false);
   const [error, setError] = useState("");
   const [advancedOpen, setAdvancedOpen] = useState(false);
-  const [defaultsLoaded, setDefaultsLoaded] = useState(false);
+  // In edit mode we already have soulMd/agentsMd from the request;
+  // skip the workspace-defaults round trip that would overwrite them.
+  const [defaultsLoaded, setDefaultsLoaded] = useState(isEditing);
 
-  const [config, setConfig] = useState({
+  const [config, setConfig] = useState(() => {
-    instanceName: "",
+    if (editingRequest) {
-    agentName: "Assistant",
+      return {
-    soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
+        instanceName: editingRequest.instanceName,
-    agentsMd: FALLBACK_AGENTS,
+        agentName: editingRequest.agentName,
-    packages: [] as string[],
+        soulMd: editingRequest.soulMd,
-    billingAddress: {
+        agentsMd: editingRequest.agentsMd,
-      // For personal accounts, leave the company field empty — it'll
+        packages: editingRequest.packages,
-      // appear on invoices. The user can still type something if they
+        billingAddress: {
-      // want to.
+          company: editingRequest.billingAddress.company ?? "",
-      company: isPersonal ? "" : displayOrgName,
+          street: editingRequest.billingAddress.street ?? "",
-      street: "",
+          city: editingRequest.billingAddress.city ?? "",
-      city: "",
+          postalCode: editingRequest.billingAddress.postalCode ?? "",
-      postalCode: "",
+          country: editingRequest.billingAddress.country ?? "CH",
-      country: "CH",
+        },
-    },
+        billingNotes: editingRequest.billingNotes,
-    billingNotes: "",
+      };
+    }
+    return {
+      instanceName: "",
+      agentName: "Assistant",
+      soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
+      agentsMd: FALLBACK_AGENTS,
+      packages: [] as string[],
+      billingAddress: {
+        // For personal accounts, leave the company field empty — it'll
+        // appear on invoices. The user can still type something if they
+        // want to.
+        company: isPersonal ? "" : displayOrgName,
+        street: "",
+        city: "",
+        postalCode: "",
+        country: "CH",
+      },
+      billingNotes: "",
+    };
   });
 
   // TOOLS.md preview — readonly, auto-generated
@@ -142,11 +223,70 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
 
   const stepIndex = STEPS.indexOf(step);
 
+  // Bug 12 — per-step validation. `errors` holds field-path → message
+  // for the inline labels under each input. We only populate it on
+  // attempted advancement; touching a field clears its own error so
+  // valid input doesn't keep showing stale messages.
+  const [errors, setErrors] = useState<Record<string, string>>({});
+  const clearError = useCallback((path: string) => {
+    setErrors((prev) => {
+      if (!prev[path]) return prev;
+      const next = { ...prev };
+      delete next[path];
+      return next;
+    });
+  }, []);
+
+  /**
+   * Validate the current step against its schema. On success: clear
+   * errors and return true. On failure: populate errors and return
+   * false so the caller can refuse to advance.
+   *
+   * Welcome and configure-step have no schema interaction with billing
+   * fields — keeping the schemas narrow means we don't surface a
+   * billing error when the user is still typing on the configure step.
+   */
+  const validateStep = (s: Step): boolean => {
+    if (s === "welcome") return true;
+    if (s === "configure") {
+      const r = configureStepSchema.safeParse({ agentName: config.agentName });
+      if (r.success) {
+        setErrors({});
+        return true;
+      }
+      setErrors(fieldErrors(r.error));
+      return false;
+    }
+    if (s === "billing") {
+      const r = billingStepSchema.safeParse({
+        billingAddress: config.billingAddress,
+      });
+      if (r.success) {
+        setErrors({});
+        return true;
+      }
+      setErrors(fieldErrors(r.error));
+      return false;
+    }
+    // confirm: validate the union (defence in depth — submit handler
+    // also runs onboardingSchema before POST).
+    const r = onboardingSchema.safeParse(config);
+    if (r.success) {
+      setErrors({});
+      return true;
+    }
+    setErrors(fieldErrors(r.error));
+    return false;
+  };
+
   const goNext = () => {
+    if (!validateStep(step)) return;
     if (stepIndex < STEPS.length - 1) setStep(STEPS[stepIndex + 1]);
   };
 
   const goBack = () => {
+    // Going back never re-validates; the user's existing errors stay
+    // pinned to fields so they can fix them after navigating back.
     if (stepIndex > 0) setStep(STEPS[stepIndex - 1]);
   };
 
@@ -199,6 +339,17 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
   };
 
   const handleSubmit = async () => {
+    // Defence in depth: re-run the full schema before sending. The
+    // server schema is the authoritative gate but we save a round trip
+    // by catching any client-side gaps here. In practice this should
+    // never fail at this point — the per-step validators have already
+    // caught everything — but a future regression in the per-step
+    // schemas would otherwise let the bad payload through.
+    if (!validateStep("confirm")) {
+      setError(t("validationError"));
+      return;
+    }
+
     setSubmitting(true);
     setError("");
 
@@ -212,8 +363,17 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
         }
       }
 
-      const res = await fetch("/api/onboarding", {
+      // Bug 6: edit mode targets the per-row endpoint with PATCH;
-        method: "POST",
+      // create mode targets the collection endpoint with POST. Body
+      // shape is the same — both routes parse it through
+      // onboardingSchema.
+      const url = editingRequest
+        ? `/api/onboarding/${encodeURIComponent(editingRequest.id)}`
+        : "/api/onboarding";
+      const method = editingRequest ? "PATCH" : "POST";
+
+      const res = await fetch(url, {
+        method,
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
           ...config,
@@ -339,19 +499,21 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
               </p>
             </div>
 
-            <div>
+            <FieldWithError error={errors.agentName}>
               <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                {t("agentName")}
+                {t("agentName")} <RequiredMark />
               </label>
               <input
                 type="text"
+                required
                 value={config.agentName}
-                onChange={(e) =>
+                onChange={(e) => {
-                  setConfig((prev) => ({ ...prev, agentName: e.target.value }))
+                  clearError("agentName");
-                }
+                  setConfig((prev) => ({ ...prev, agentName: e.target.value }));
-                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                }}
+                className={inputClass(errors.agentName)}
               />
-            </div>
+            </FieldWithError>
 
             <div>
               <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
@@ -618,106 +780,131 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
           </p>
 
           <div className="space-y-4">
-            <div>
+            {/* Bug 2: company line is meaningless for personal accounts.
-              <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                Hide entirely rather than render an empty disabled field
-                {t("billingCompany")}
+                — the latter would just suggest the customer should
-              </label>
+                fill it in. */}
-              <input
+            {!isPersonal && (
-                type="text"
+              <div>
-                value={config.billingAddress.company}
+                <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                onChange={(e) =>
+                  {t("billingCompany")}
-                  setConfig((prev) => ({
+                </label>
-                    ...prev,
+                <input
-                    billingAddress: {
+                  type="text"
-                      ...prev.billingAddress,
+                  value={config.billingAddress.company}
-                      company: e.target.value,
+                  onChange={(e) => {
-                    },
+                    clearError("billingAddress.company");
-                  }))
+                    setConfig((prev) => ({
-                }
+                      ...prev,
-                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                      billingAddress: {
-              />
+                        ...prev.billingAddress,
-            </div>
+                        company: e.target.value,
+                      },
+                    }));
+                  }}
+                  className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                />
+              </div>
+            )}
 
-            <div>
+            <FieldWithError error={errors["billingAddress.street"]}>
               <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                {t("billingStreet")}
+                {t("billingStreet")} <RequiredMark />
               </label>
               <input
                 type="text"
+                required
                 value={config.billingAddress.street}
-                onChange={(e) =>
+                onChange={(e) => {
+                  clearError("billingAddress.street");
                   setConfig((prev) => ({
                     ...prev,
                     billingAddress: {
                       ...prev.billingAddress,
                       street: e.target.value,
                     },
-                  }))
+                  }));
-                }
+                }}
-                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                className={inputClass(errors["billingAddress.street"])}
               />
-            </div>
+            </FieldWithError>
 
             <div className="grid grid-cols-3 gap-3">
-              <div>
+              <FieldWithError error={errors["billingAddress.postalCode"]}>
                 <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                  {t("billingPostalCode")}
+                  {t("billingPostalCode")} <RequiredMark />
                 </label>
                 <input
                   type="text"
+                  required
                   value={config.billingAddress.postalCode}
-                  onChange={(e) =>
+                  onChange={(e) => {
+                    clearError("billingAddress.postalCode");
                     setConfig((prev) => ({
                       ...prev,
                       billingAddress: {
                         ...prev.billingAddress,
                         postalCode: e.target.value,
                       },
-                    }))
+                    }));
-                  }
+                  }}
-                  className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                  className={inputClass(errors["billingAddress.postalCode"])}
                 />
-              </div>
+              </FieldWithError>
               <div className="col-span-2">
-                <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                <FieldWithError error={errors["billingAddress.city"]}>
-                  {t("billingCity")}
+                  <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                </label>
+                    {t("billingCity")} <RequiredMark />
-                <input
+                  </label>
-                  type="text"
+                  <input
-                  value={config.billingAddress.city}
+                    type="text"
-                  onChange={(e) =>
+                    required
-                    setConfig((prev) => ({
+                    value={config.billingAddress.city}
-                      ...prev,
+                    onChange={(e) => {
-                      billingAddress: {
+                      clearError("billingAddress.city");
-                        ...prev.billingAddress,
+                      setConfig((prev) => ({
-                        city: e.target.value,
+                        ...prev,
-                      },
+                        billingAddress: {
-                    }))
+                          ...prev.billingAddress,
-                  }
+                          city: e.target.value,
-                  className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                        },
-                />
+                      }));
+                    }}
+                    className={inputClass(errors["billingAddress.city"])}
+                  />
+                </FieldWithError>
               </div>
             </div>
 
-            <div>
+            {/* Bug 3: country was a free-text field — typos broke
+                invoicing. Now a fixed list of DACH+ neighbours. Add
+                more codes to SUPPORTED_COUNTRIES in lib/validation.ts
+                when expanding markets. */}
+            <FieldWithError error={errors["billingAddress.country"]}>
               <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                {t("billingCountry")}
+                {t("billingCountry")} <RequiredMark />
               </label>
-              <input
+              <select
-                type="text"
                 value={config.billingAddress.country}
-                onChange={(e) =>
+                onChange={(e) => {
+                  clearError("billingAddress.country");
                   setConfig((prev) => ({
                     ...prev,
                     billingAddress: {
                       ...prev.billingAddress,
-                      country: e.target.value,
+                      country: e.target.value as SupportedCountry,
                     },
-                  }))
+                  }));
-                }
+                }}
-                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                className={inputClass(errors["billingAddress.country"])}
-              />
+              >
-            </div>
+                {SUPPORTED_COUNTRIES.map((code) => (
+                  <option key={code} value={code}>
+                    {tCountries(code)}
+                  </option>
+                ))}
+              </select>
+            </FieldWithError>
 
             <div>
               <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
@@ -765,67 +952,92 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
             {t("confirmDescription")}
           </p>
 
+          {/* Bug 4 redesign: previously this step only showed agentName
+              and city — useless for actually reviewing what's about to
+              be submitted. Now it shows the real config: instance
+              name, agent name, packages, billing one-liner, contact
+              email, and notes. Each row uses two columns rather than
+              flex-justify-between so long values wrap underneath the
+              label rather than being squashed onto one line. */}
           <div className="space-y-4">
-            <div className="bg-surface-2 border border-border rounded-lg p-4 space-y-3">
+            <div className="bg-surface-2 border border-border rounded-lg p-4 divide-y divide-border">
-              {config.instanceName.trim() && (
+              <ReviewRow
-                <div className="flex justify-between text-sm">
+                label={t("instanceName")}
-                  <span className="text-text-muted">{t("instanceName")}</span>
+                value={
-                  <span className="text-text-primary font-mono">
+                  config.instanceName.trim() || (
-                    {config.instanceName.trim()}
+                    <span className="text-text-muted italic">
-                  </span>
+                      {t("reviewInstanceDefault")}
-                </div>
+                    </span>
-              )}
+                  )
-              <div className="flex justify-between text-sm">
+                }
-                <span className="text-text-muted">{t("agentName")}</span>
+                mono
-                <span className="text-text-primary font-mono">
+              />
-                  {config.agentName}
+              <ReviewRow
-                </span>
+                label={t("agentName")}
-              </div>
+                value={config.agentName}
-              {config.packages.length > 0 && (
+                mono
-                <div className="flex justify-between text-sm">
+              />
-                  <span className="text-text-muted">{t("packages")}</span>
+              <ReviewRow
-                  <div className="flex flex-wrap gap-1 justify-end">
+                label={t("packages")}
-                    {config.packages.map((pkg) => (
+                value={
-                      <span
+                  config.packages.length === 0 ? (
-                        key={pkg}
+                    <span className="text-text-muted italic">
-                        className="text-xs font-mono bg-accent/10 text-accent border border-accent/20 rounded-full px-2 py-0.5"
+                      {t("reviewNoPackages")}
-                      >
+                    </span>
-                        {pkg}
+                  ) : (
-                      </span>
+                    <div className="flex flex-wrap gap-1 justify-end">
-                    ))}
+                      {config.packages.map((pkg) => (
+                        <span
+                          key={pkg}
+                          className="text-xs font-mono bg-accent/10 text-accent border border-accent/20 rounded-full px-2 py-0.5"
+                        >
+                          {pkg}
+                        </span>
+                      ))}
+                    </div>
+                  )
+                }
+              />
+              <ReviewRow
+                label={t("reviewBillingTo")}
+                value={
+                  <div className="text-text-primary text-right">
+                    {/* For personal: skip the company line so the
+                        invoice rendering matches what the user actually
+                        entered. For company: include it as the first
+                        line. */}
+                    {!isPersonal &&
+                      config.billingAddress.company &&
+                      config.billingAddress.company.trim().length > 0 && (
+                        <div>{config.billingAddress.company}</div>
+                      )}
+                    <div>{config.billingAddress.street}</div>
+                    <div>
+                      {config.billingAddress.postalCode}{" "}
+                      {config.billingAddress.city}
+                    </div>
+                    <div className="text-text-muted">
+                      {tCountries(
+                        config.billingAddress.country as SupportedCountry
+                      )}
+                    </div>
                   </div>
-                </div>
+                }
-              )}
+              />
-              {config.packages.some((id) =>
+              <ReviewRow
-                PACKAGE_CATALOG.find((p) => p.id === id)?.requiresSecrets
+                label={t("reviewContactEmail")}
-              ) && (
+                value={userEmail || ""}
-                <div className="flex justify-between text-sm">
+                mono
-                  <span className="text-text-muted">
+              />
-                    {t("credentialsProvided")}
+              {config.billingNotes.trim().length > 0 && (
-                  </span>
+                <ReviewRow
-                  <span className="text-emerald-400 text-xs font-medium">
+                  label={t("billingNotes")}
-                    ✓
+                  value={
-                  </span>
+                    <span className="text-text-primary whitespace-pre-wrap text-right">
-                </div>
+                      {config.billingNotes}
-              )}
+                    </span>
-              {config.billingAddress.company && (
+                  }
-                <div className="flex justify-between text-sm">
+                />
-                  <span className="text-text-muted">
-                    {t("billingCompany")}
-                  </span>
-                  <span className="text-text-primary">
-                    {config.billingAddress.company}
-                  </span>
-                </div>
-              )}
-              {config.billingAddress.city && (
-                <div className="flex justify-between text-sm">
-                  <span className="text-text-muted">{t("billingCity")}</span>
-                  <span className="text-text-primary">
-                    {config.billingAddress.postalCode}{" "}
-                    {config.billingAddress.city}
-                  </span>
-                </div>
               )}
             </div>
 
@@ -838,6 +1050,25 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
             </div>
           )}
 
+          {/* Aggregate validation errors — if any per-step schema check
+              missed something (it shouldn't, but defence in depth),
+              the user sees a consolidated list here rather than a
+              silent submit failure. */}
+          {Object.keys(errors).length > 0 && (
+            <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mt-4">
+              <div className="font-semibold mb-1">
+                {t("validationErrorsTitle")}
+              </div>
+              <ul className="list-disc list-inside space-y-0.5">
+                {Object.entries(errors).map(([path, msg]) => (
+                  <li key={path}>
+                    <span className="font-mono">{path}</span>: {msg}
+                  </li>
+                ))}
+              </ul>
+            </div>
+          )}
+
           <div className="flex justify-between mt-6">
             <button
               onClick={goBack}
@@ -850,7 +1081,11 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
               disabled={submitting}
               className="py-2.5 px-6 bg-accent text-white text-sm font-medium rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
             >
-              {submitting ? tCommon("loading") : t("submitRequest")}
+              {submitting
+                ? tCommon("loading")
+                : isEditing
+                ? t("saveChanges")
+                : t("submitRequest")}
             </button>
           </div>
         </Card>
@@ -858,3 +1093,74 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
     </div>
   );
 }
+
+/**
+ * Two-column review row used by the confirm step. Right-aligned value
+ * with the label as a muted prefix on the left.
+ */
+function ReviewRow({
+  label,
+  value,
+  mono,
+}: {
+  label: string;
+  value: React.ReactNode;
+  mono?: boolean;
+}) {
+  return (
+    <div className="flex justify-between gap-4 text-sm py-2 first:pt-0 last:pb-0">
+      <span className="text-text-muted shrink-0">{label}</span>
+      <span
+        className={`text-text-primary text-right min-w-0 break-words ${
+          mono ? "font-mono" : ""
+        }`}
+      >
+        {value}
+      </span>
+    </div>
+  );
+}
+
+/**
+ * Renders children + an inline error message if present. Children
+ * supply the label and input; this wrapper just appends the message.
+ */
+function FieldWithError({
+  error,
+  children,
+}: {
+  error?: string;
+  children: React.ReactNode;
+}) {
+  return (
+    <div>
+      {children}
+      {error && (
+        <p className="text-xs text-red-400 mt-1" role="alert">
+          {error}
+        </p>
+      )}
+    </div>
+  );
+}
+
+function RequiredMark() {
+  return (
+    <span aria-hidden="true" className="text-accent">
+      *
+    </span>
+  );
+}
+
+/**
+ * Tailwind class for input/select with optional error-state ring.
+ * Centralised here to keep the wizard's many fields visually
+ * consistent without repeating the long class string.
+ */
+function inputClass(error?: string): string {
+  return `w-full px-3 py-2 bg-surface-2 border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 transition-colors ${
+    error
+      ? "border-red-400/60 focus:ring-red-400 focus:border-red-400"
+      : "border-border focus:ring-accent focus:border-accent"
+  }`;
+}

src/components/tenants/subscription-toggle.tsx

@@ -0,0 +1,357 @@
+"use client";
+
+import { useState } from "react";
+import { useRouter } from "next/navigation";
+import { useTranslations, useFormatter } from "next-intl";
+import { Modal } from "@/components/ui/modal";
+import { formatRelative } from "@/lib/format";
+
+interface Props {
+  tenantName: string;
+  /**
+   * Current suspend state — server-derived. Drives which control the
+   * customer sees: "Cancel subscription" while active, the
+   * resume-request flow while suspended.
+   */
+  suspended: boolean;
+  /**
+   * True when the viewer has platform admin role. Platform users are
+   * the only ones who can directly resume a tenant via PATCH; owners
+   * must go through the resume-request flow. We use this in the
+   * suspended branch to decide whether to render a direct "Resume"
+   * button or the "Request reactivation" workflow.
+   */
+  isPlatform: boolean;
+  /**
+   * If a resume request is currently pending for this tenant, its
+   * id and submitted-at. The component renders an info card with
+   * a cancel-request button instead of the request-reactivation
+   * button. Only meaningful when `suspended === true`.
+   */
+  pendingResumeRequest: { id: string; createdAt: string } | null;
+}
+
+/**
+ * SubscriptionToggle — owner-side cancel/resume control.
+ *
+ * Three render states:
+ *   1. Active: "Cancel subscription" button + confirmation modal
+ *      (mentions 60-day retention before permanent deletion).
+ *   2. Suspended, no pending resume request: "Request reactivation"
+ *      button + simple confirmation modal explaining admin review.
+ *   3. Suspended, pending resume request: status card "Reactivation
+ *      requested X days ago" + "Cancel request" button.
+ *
+ * Platform admins viewing a suspended tenant get a fourth state in
+ * place of #2/#3: a direct "Resume now" button (no admin queue, no
+ * request flow). This is the admin escape hatch.
+ *
+ * The control intentionally lives at the bottom of the tenant
+ * detail page rather than near the top — putting it next to the
+ * status badge would invite mis-clicks.
+ */
+export function SubscriptionToggle({
+  tenantName,
+  suspended,
+  isPlatform,
+  pendingResumeRequest,
+}: Props) {
+  const t = useTranslations("tenantDetail");
+  const tCommon = useTranslations("common");
+  const f = useFormatter();
+  const router = useRouter();
+
+  const [confirmCancelOpen, setConfirmCancelOpen] = useState(false);
+  const [confirmResumeOpen, setConfirmResumeOpen] = useState(false);
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState("");
+
+  // Customer-side cancel: PATCH suspend=true. Same path as before.
+  // The 60-day retention copy in the modal is the new bit (Bug 37b);
+  // mechanics are unchanged.
+  const cancel = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/suspend`,
+        {
+          method: "PATCH",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ suspend: true }),
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      setConfirmCancelOpen(false);
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Owner-side resume request: POST a 'resume' tenant_request that
+  // sits pending until admin acts. Different from cancel: no PATCH
+  // on the CR — that happens only when admin approves.
+  const requestResume = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/resume-request`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      setConfirmResumeOpen(false);
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Customer cancels their own pending resume request.
+  const cancelResumeRequest = async () => {
+    if (!pendingResumeRequest) return;
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${pendingResumeRequest.id}`,
+        { method: "DELETE" }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Platform admin: direct resume, bypassing the request flow.
+  const adminResume = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/suspend`,
+        {
+          method: "PATCH",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ suspend: false }),
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // ─── Suspended branch ───────────────────────────────────────────────
+
+  if (suspended) {
+    // Platform admin sees direct resume. Independent of pending
+    // resume — admin can always resume immediately.
+    if (isPlatform) {
+      return (
+        <div>
+          <button
+            type="button"
+            onClick={adminResume}
+            disabled={submitting}
+            className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
+          >
+            {submitting
+              ? tCommon("loading")
+              : t("resumeSubscription")}
+          </button>
+          {pendingResumeRequest && (
+            <p className="text-xs text-text-muted mt-2">
+              {t("resumeRequestPendingNoteAdmin")}
+            </p>
+          )}
+          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        </div>
+      );
+    }
+
+    // Owner with pending resume request: render the request status
+    // card with cancel.
+    if (pendingResumeRequest) {
+      return (
+        <div>
+          <div className="rounded-xl border border-amber-500/30 bg-amber-500/5 px-4 py-3">
+            <div className="text-sm font-medium text-amber-400 mb-1">
+              {t("resumeRequestPendingTitle")}
+            </div>
+            <div className="text-xs text-text-secondary">
+              {t("resumeRequestPendingDescription", {
+                when: formatRelative(pendingResumeRequest.createdAt, f),
+              })}
+            </div>
+            <button
+              type="button"
+              onClick={cancelResumeRequest}
+              disabled={submitting}
+              className="mt-3 text-xs px-3 py-1.5 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors disabled:opacity-50"
+            >
+              {submitting
+                ? tCommon("loading")
+                : t("cancelResumeRequest")}
+            </button>
+          </div>
+          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        </div>
+      );
+    }
+
+    // Owner with no pending request: offer to create one.
+    return (
+      <div>
+        <button
+          type="button"
+          onClick={() => setConfirmResumeOpen(true)}
+          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors"
+        >
+          {t("requestReactivation")}
+        </button>
+        {error && !confirmResumeOpen && (
+          <p className="text-xs text-red-400 mt-2">{error}</p>
+        )}
+
+        {confirmResumeOpen && (
+          <Modal
+            open={confirmResumeOpen}
+            onClose={() => setConfirmResumeOpen(false)}
+            ariaLabel={t("requestReactivationConfirmTitle")}
+          >
+            <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+              {t("requestReactivationConfirmTitle")}
+            </h3>
+            <p className="text-sm text-text-secondary mb-5">
+              {t("requestReactivationConfirmDescription")}
+            </p>
+
+            {error && (
+              <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
+                {error}
+              </div>
+            )}
+
+            <div className="flex justify-end gap-2">
+              <button
+                type="button"
+                onClick={() => setConfirmResumeOpen(false)}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+              >
+                {tCommon("cancel")}
+              </button>
+              <button
+                type="button"
+                onClick={requestResume}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg bg-success text-white hover:bg-success/90 transition-colors disabled:opacity-50"
+              >
+                {submitting
+                  ? tCommon("loading")
+                  : t("requestReactivationConfirm")}
+              </button>
+            </div>
+          </Modal>
+        )}
+      </div>
+    );
+  }
+
+  // ─── Active branch ──────────────────────────────────────────────────
+
+  return (
+    <div>
+      <button
+        type="button"
+        onClick={() => setConfirmCancelOpen(true)}
+        className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+      >
+        {t("cancelSubscription")}
+      </button>
+      {error && !confirmCancelOpen && (
+        <p className="text-xs text-red-400 mt-2">{error}</p>
+      )}
+
+      {confirmCancelOpen && (
+        <Modal
+          open={confirmCancelOpen}
+          onClose={() => setConfirmCancelOpen(false)}
+          ariaLabel={t("cancelConfirmTitle")}
+        >
+          <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+            {t("cancelConfirmTitle")}
+          </h3>
+          <p className="text-sm text-text-secondary mb-3">
+            {t("cancelConfirmDescription")}
+          </p>
+          <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-3">
+            <li>{t("cancelConfirmBullet1")}</li>
+            <li>{t("cancelConfirmBullet2")}</li>
+            <li>{t("cancelConfirmBullet3")}</li>
+          </ul>
+          {/* Bug 37b: 60-day retention warning. Distinct paragraph so it
+              reads as a separate, more serious commitment than the
+              regular bullets above. */}
+          <div className="text-xs text-amber-400 bg-amber-400/10 border border-amber-400/20 rounded-lg px-3 py-2 mb-5">
+            {t("cancelConfirmRetentionWarning")}
+          </div>
+
+          {error && (
+            <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
+              {error}
+            </div>
+          )}
+
+          <div className="flex justify-end gap-2">
+            <button
+              type="button"
+              onClick={() => setConfirmCancelOpen(false)}
+              disabled={submitting}
+              className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+            >
+              {tCommon("cancel")}
+            </button>
+            <button
+              type="button"
+              onClick={cancel}
+              disabled={submitting}
+              className="text-sm px-4 py-2 rounded-lg bg-amber-500 text-white hover:bg-amber-600 transition-colors disabled:opacity-50"
+            >
+              {submitting
+                ? tCommon("loading")
+                : t("cancelSubscriptionConfirm")}
+            </button>
+          </div>
+        </Modal>
+      )}
+    </div>
+  );
+}

src/components/ui/modal.tsx

@@ -0,0 +1,89 @@
+"use client";
+
+import { useEffect, useRef } from "react";
+import { createPortal } from "react-dom";
+
+interface Props {
+  open: boolean;
+  /** Called when user clicks the backdrop or presses Escape. */
+  onClose: () => void;
+  children: React.ReactNode;
+  /**
+   * ARIA label fallback when no labelled element exists inside.
+   * Optional; if you have a heading inside the modal with id, set
+   * `aria-labelledby` on a wrapper instead.
+   */
+  ariaLabel?: string;
+}
+
+/**
+ * Portal-based modal.
+ *
+ * Why a portal
+ * ------------
+ * `position: fixed` becomes positioned relative to a transformed
+ * ancestor's containing block, not the viewport, when ANY ancestor
+ * has a `transform`, `perspective`, or `filter` applied. Our
+ * `animate-in` utility sets `transform: translateY(0)` on a lot of
+ * dashboard/tenant-detail containers (because of the fade-up
+ * animation, which uses `animation-fill-mode: both` to keep the
+ * transform on after the animation finishes). That broke modals
+ * rendered as in-place children — they centred to the panel they
+ * lived in, not to the page.
+ *
+ * Rendering at `document.body` via `createPortal` escapes every
+ * containing-block ancestor and gives us true viewport coordinates.
+ *
+ * UX details
+ * ----------
+ * - Backdrop click triggers `onClose`. (Bubbling check: only fires
+ *   when the click target IS the backdrop, not the panel inside.)
+ * - Escape key triggers `onClose`. Standard modal expectation.
+ * - `body` overflow is locked while open so background content
+ *   doesn't scroll behind the modal.
+ * - Renders nothing on first paint server-side, then mounts on
+ *   client. `useEffect` gating ensures `document.body` is available;
+ *   without it Next.js SSR would throw on `document` reference.
+ */
+export function Modal({ open, onClose, children, ariaLabel }: Props) {
+  const closeRef = useRef(onClose);
+  closeRef.current = onClose;
+
+  useEffect(() => {
+    if (!open) return;
+
+    // Lock background scroll. Restore on unmount/close.
+    const previousOverflow = document.body.style.overflow;
+    document.body.style.overflow = "hidden";
+
+    const onKey = (e: KeyboardEvent) => {
+      if (e.key === "Escape") closeRef.current();
+    };
+    window.addEventListener("keydown", onKey);
+
+    return () => {
+      document.body.style.overflow = previousOverflow;
+      window.removeEventListener("keydown", onKey);
+    };
+  }, [open]);
+
+  if (!open) return null;
+  if (typeof document === "undefined") return null;
+
+  return createPortal(
+    <div
+      role="dialog"
+      aria-modal="true"
+      aria-label={ariaLabel}
+      className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
+      onClick={(e) => {
+        if (e.target === e.currentTarget) onClose();
+      }}
+    >
+      <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full max-h-[90vh] overflow-y-auto">
+        {children}
+      </div>
+    </div>,
+    document.body
+  );
+}

src/components/ui/status-badge.tsx

@@ -1,18 +1,44 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+
+/**
+ * Visual treatment per phase. Each entry is a Tailwind class string
+ * applied to the badge. The `Pending` style is also used as a fallback
+ * for unknown phases — it's the most neutral colour.
+ *
+ * Slice 7 / Bug 31 added `Suspended`. It uses an amber-on-muted scheme
+ * to read as "intentionally paused" — distinct from `Error` (red) and
+ * `Deleting` (mute grey).
+ */
 const phaseStyles: Record<string, string> = {
-  Running:
+  Running: "bg-success/10 text-success border-success/20",
-    "bg-success/10 text-success border-success/20",
+  Ready: "bg-success/10 text-success border-success/20",
-  Provisioning:
+  Provisioning: "bg-warning/10 text-warning border-warning/20",
-    "bg-warning/10 text-warning border-warning/20",
+  // Reconfiguring shares the warning palette (yellow pulse) but renders
-  Pending:
+  // a distinct label, so customers see it differently from first-time
-    "bg-text-muted/10 text-text-secondary border-border",
+  // provisioning. Useful when packages or channel-users change and the
-  Error:
+  // pod restarts mid-life.
-    "bg-error/10 text-error border-error/20",
+  Reconfiguring: "bg-warning/10 text-warning border-warning/20",
-  Deleting:
+  Pending: "bg-text-muted/10 text-text-secondary border-border",
-    "bg-text-muted/10 text-text-muted border-border",
+  Suspended: "bg-amber-500/10 text-amber-400 border-amber-500/30",
+  Error: "bg-error/10 text-error border-error/20",
+  Deleting: "bg-text-muted/10 text-text-muted border-border",
 };
 
 export function StatusBadge({ phase }: { phase: string }) {
+  const t = useTranslations("phase");
   const style = phaseStyles[phase] ?? phaseStyles.Pending;
+  // Translation lookup with fallback to the raw phase. Keeps things
+  // working if a new operator-side phase ships before the portal has
+  // a label for it.
+  const label = (() => {
+    try {
+      return t(phase);
+    } catch {
+      return phase;
+    }
+  })();
   return (
     <span
       className={`inline-flex items-center gap-1.5 rounded-full border px-2.5 py-0.5 text-xs font-medium ${style}`}
@@ -23,7 +49,10 @@ export function StatusBadge({ phase }: { phase: string }) {
       {phase === "Provisioning" && (
         <span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
       )}
-      {phase}
+      {phase === "Reconfiguring" && (
+        <span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
+      )}
+      {label}
     </span>
   );
 }

src/components/ui/warning-badge.tsx

@@ -0,0 +1,118 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+
+/**
+ * Tenant warning shape received from the operator's status.warnings.
+ * Mirror of the operator's `TenantWarning` type. See
+ * pieced-operator/api/v1alpha1/piecedtenant_types.go.
+ */
+export interface TenantWarning {
+  source: string;
+  reason?: string;
+  message?: string;
+  since?: string;
+}
+
+interface Props {
+  warnings: TenantWarning[];
+}
+
+/**
+ * Renders a small amber warning badge if there are any non-fatal
+ * warnings on the tenant. The badge sits visually next to the phase
+ * StatusBadge — they're separate concepts (phase = lifecycle, warnings
+ * = observed sub-issues) and may both be present at once (e.g. tenant
+ * is `Ready` but has a SkillPacksReady=False warning).
+ *
+ * Hover/focus reveals the warning detail. We don't truncate the message
+ * inside the tooltip; OCI/CRD condition messages tend to be short and
+ * include the actionable detail (which skill, which secret, which
+ * resolver). If a future warning source has a 5-line stacktrace as a
+ * message we'll need a different treatment; cross that bridge then.
+ *
+ * Returns null when there are no warnings — keep render-call sites
+ * simple, they don't have to gate on length themselves.
+ */
+export function WarningBadge({ warnings }: Props) {
+  const t = useTranslations("warnings");
+  if (!warnings || warnings.length === 0) return null;
+
+  const tooltipLabel = (() => {
+    try {
+      return warnings.length === 1
+        ? t("oneTooltip")
+        : t("manyTooltip", { count: warnings.length });
+    } catch {
+      return warnings.length === 1
+        ? "1 warning"
+        : `${warnings.length} warnings`;
+    }
+  })();
+
+  return (
+    <span className="relative group inline-flex">
+      <button
+        type="button"
+        // Button is non-actionable in itself — it exists purely to get
+        // keyboard focus for screen readers and keyboard users, so the
+        // tooltip isn't pointer-only. `aria-label` carries the summary;
+        // the full content is in the tooltip below for sighted users.
+        aria-label={tooltipLabel}
+        className="inline-flex items-center gap-1 rounded-full border border-amber-500/30 bg-amber-500/10 px-2 py-0.5 text-xs font-medium text-amber-400 hover:bg-amber-500/20 focus:outline-none focus:ring-1 focus:ring-amber-400 cursor-help"
+        // No onClick — this is informational, not actionable. Pure
+        // hover/focus widget. tabIndex defaults to 0 for buttons.
+      >
+        <svg
+          viewBox="0 0 24 24"
+          width={12}
+          height={12}
+          fill="none"
+          stroke="currentColor"
+          strokeWidth={2}
+          strokeLinecap="round"
+          strokeLinejoin="round"
+          aria-hidden="true"
+        >
+          <path d="M12 9v4" />
+          <path d="M12 17h.01" />
+          <path d="M10.29 3.86 1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0Z" />
+        </svg>
+        <span>{warnings.length}</span>
+      </button>
+
+      {/*
+        Tooltip. Hidden by default; shown on hover OR focus of the
+        sibling button. Positioned below-right so it doesn't collide with
+        the StatusBadge that typically sits left of this. Constrained
+        width so long messages wrap.
+        z-50 keeps it above table rows / cards.
+      */}
+      <div
+        role="tooltip"
+        className="invisible group-hover:visible group-focus-within:visible absolute left-0 top-full mt-1 z-50 w-72 rounded-lg border border-border bg-surface-1 p-3 shadow-lg text-left"
+      >
+        <div className="text-[10px] uppercase tracking-wider text-text-muted mb-2">
+          {tooltipLabel}
+        </div>
+        <ul className="space-y-2">
+          {warnings.map((w, i) => (
+            <li key={i} className="text-xs">
+              <div className="font-mono text-amber-400 break-all">
+                {w.source}
+              </div>
+              {w.reason && (
+                <div className="text-text-secondary">{w.reason}</div>
+              )}
+              {w.message && (
+                <div className="text-text-secondary mt-0.5 break-words">
+                  {w.message}
+                </div>
+              )}
+            </li>
+          ))}
+        </ul>
+      </div>
+    </span>
+  );
+}

src/lib/auth.ts

@@ -1,6 +1,7 @@
 import NextAuth from "next-auth";
 import type { NextAuthConfig } from "next-auth";
 import type { PlatformRole, Role, SessionUser, ZitadelClaims } from "@/types";
+import { isPersonalOrgName } from "@/lib/personal-org";
 
 const PLATFORM_ROLES: PlatformRole[] = ["platform_admin", "platform_operator"];
 
@@ -57,21 +58,42 @@ export const authConfig: NextAuthConfig = {
           claims["urn:zitadel:iam:org:project:roles"]
         );
         token.accessToken = account.access_token;
+        // Pin token.sub to the OIDC subject. Auth.js v5 otherwise puts a
+        // freshly generated UUID in token.sub on initial sign-in,
+        // ignoring what profile() returns for `id`. That UUID then
+        // becomes session.user.id everywhere downstream — including
+        // `tenant_user_assignments.assigned_by` and (more importantly)
+        // the WHERE clause used to look up the invited user's
+        // assignments on the dashboard. With a UUID in the session and
+        // a ZITADEL snowflake in the DB, the lookup matches nothing
+        // and assigned tenants never appear (Bug 27).
+        //
+        // Reference: https://github.com/nextauthjs/next-auth/issues/11174
+        // Auth.js respects an explicit token.sub assignment; the
+        // override below is preserved across subsequent jwt() calls.
+        if (typeof profile.sub === "string") {
+          token.sub = profile.sub;
+        }
       }
       return token;
     },
     async session({ session, token }) {
       const roles = (token.roles as Role[]) ?? [];
+      const orgName = (token.orgName as string) ?? "";
       const sessionUser: SessionUser = {
         id: token.sub!,
         name: session.user?.name ?? "",
         email: session.user?.email ?? "",
         orgId: token.orgId as string,
-        orgName: token.orgName as string,
+        orgName,
         roles,
         isPlatform: roles.some((r) =>
           PLATFORM_ROLES.includes(r as PlatformRole)
         ),
+        // Derived from orgName — see lib/personal-org.ts. Recognises
+        // both legacy " (Personal)" suffix and current "personal-{8hex}"
+        // opaque names.
+        isPersonal: isPersonalOrgName(orgName),
       };
       (session as any).platformUser = sessionUser;
       return session;

src/lib/db.ts

@@ -1,5 +1,5 @@
 import { Pool } from "pg";
-import type { TenantRequest, TenantRequestStatus } from "@/types";
+import type { BillingAddress, TenantRequest, TenantRequestStatus } from "@/types";
 import { listTenants, getTenant } from "./k8s";
 
 // ---------------------------------------------------------------------------
@@ -72,6 +72,47 @@ const MIGRATION_SQL = `
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS agents_md TEXT;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS instance_name TEXT;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS is_personal BOOLEAN NOT NULL DEFAULT FALSE;
+  -- Bug 13: customer-side dismissal of rejected requests. NULL means "still
+  -- visible on the dashboard"; non-null means "customer clicked Dismiss".
+  -- Pending/approved/active rows keep this NULL by definition — the field
+  -- is only meaningful for rejected and cancelled rows.
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ;
+
+  -- Bug 37a: resume requests use the same table as provision requests so
+  -- the customer dashboard and admin queue share rendering. Discriminator
+  -- is request_type. Default 'provision' on backfill keeps existing rows
+  -- working without explicit migration.
+  --
+  -- Resume rows have:
+  --   request_type     = 'resume'
+  --   tenant_name      = the existing tenant being requested for reactivation
+  --   zitadel_org_id   = the org owning that tenant
+  --   zitadel_user_id  = the requesting customer
+  --   status           = pending → approved/rejected (or cancelled by customer)
+  --   most provision-only fields (packages, billing_address, etc.) are NULL
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS request_type TEXT NOT NULL DEFAULT 'provision';
+  -- Constrain to the known set so a future code change can't accidentally
+  -- write a third type without first widening this constraint.
+  DO $$ BEGIN
+    ALTER TABLE tenant_requests ADD CONSTRAINT tenant_requests_request_type_check
+      CHECK (request_type IN ('provision', 'resume'));
+  EXCEPTION WHEN duplicate_object THEN NULL;
+  END $$;
+
+  -- Tenant_name uniqueness was originally meant for "one tenant CR per
+  -- approved provision request". Resume requests reuse a tenant_name,
+  -- so the uniqueness must now be scoped to provision rows only.
+  DROP INDEX IF EXISTS uniq_tenant_requests_tenant_name;
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_tenant_name_provision
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL AND request_type = 'provision';
+
+  -- Only one pending resume request per tenant at a time. Otherwise a
+  -- customer could spam-create resume requests (the admin queue would
+  -- bloat) or two admins might race on approving duplicates.
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_pending_resume
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL AND request_type = 'resume' AND status = 'pending';
 
   -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
   ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
@@ -250,10 +291,21 @@ export async function listTenantRequestsByOrgId(
 }
 
 /**
- * As {@link listTenantRequestsByOrgId} but excludes terminal-failed states
+ * As {@link listTenantRequestsByOrgId} but tuned for the customer's
- * (rejected, deleted). Useful for the dashboard which wants to show
+ * dashboard view.
- * pending/approved/provisioning/active tenants and pending requests, not
+ *
- * historical rejections.
+ * Returns:
+ *   - All non-terminal rows (pending, approved, provisioning, active),
+ *     because the customer needs to see what's in flight.
+ *   - Terminal-failed rows (rejected, cancelled) that the customer
+ *     hasn't dismissed yet (Bug 13). Without this, a rejection that
+ *     happens while the customer isn't online would only be
+ *     communicated by email — easy to miss.
+ *
+ * Excludes:
+ *   - `deleted` rows (admin tore down the tenant — historical, not
+ *     actionable).
+ *   - Dismissed rejected/cancelled rows.
  */
 export async function listActiveTenantRequestsByOrgId(
   orgId: string
@@ -262,7 +314,8 @@ export async function listActiveTenantRequestsByOrgId(
   const result = await getPool().query<TenantRequest>(
     `SELECT * FROM tenant_requests
        WHERE zitadel_org_id = $1
-         AND status NOT IN ('deleted', 'rejected')
+         AND status <> 'deleted'
+         AND (status NOT IN ('rejected', 'cancelled') OR dismissed_at IS NULL)
        ORDER BY created_at DESC`,
     [orgId]
   );
@@ -354,6 +407,201 @@ export async function clearEncryptedSecrets(requestId: string): Promise<void> {
   );
 }
 
+/**
+ * Set dismissed_at = now() on a request row. Used when a customer
+ * clicks "Dismiss" on a rejected/cancelled card on their dashboard
+ * (Bug 13). The row stays in the database for history/audit but
+ * stops appearing in `listActiveTenantRequestsByOrgId`.
+ *
+ * Idempotent: dismissing an already-dismissed row is a no-op.
+ * Caller is responsible for verifying the row belongs to the user's
+ * org before calling.
+ */
+/**
+ * Create a resume request (Bug 37a). Used when an owner of a suspended
+ * tenant wants to reactivate it. Resume is admin-gated — the request
+ * sits as `pending` until a platform admin approves or rejects it.
+ *
+ * Tenant-name uniqueness is enforced for `pending` resume rows by a
+ * partial unique index, so a customer can't spam the queue with
+ * duplicate resume requests for the same tenant. The DB throws a
+ * unique-violation if they try; callers should catch that and translate
+ * to a 409.
+ *
+ * Why this lives in tenant_requests instead of a separate table:
+ *   - the lifecycle is identical (pending → approved/rejected, plus
+ *     customer-side cancel and dismiss-after-terminal)
+ *   - the customer dashboard renders pending+resume cards from the
+ *     same `listActiveTenantRequestsByOrgId` query — adding a separate
+ *     table would mean two queries and union-merging in the UI
+ *   - the admin queue likewise treats them uniformly
+ * The cost is a discriminator column (`request_type`) and most
+ * provision-only fields being null on resume rows. That's a tradeoff
+ * I think is worth it.
+ */
+export async function createResumeRequest(params: {
+  tenantName: string;
+  zitadelOrgId: string;
+  zitadelUserId: string;
+  contactName: string;
+  contactEmail: string;
+  // Provision-only fields default sensibly. company_name + agent_name
+  // are NOT NULL in the original schema; we copy them from the existing
+  // tenant request for traceability rather than storing dummy values.
+  companyName: string;
+  agentName: string;
+}): Promise<TenantRequest> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `INSERT INTO tenant_requests (
+        zitadel_org_id, zitadel_user_id, company_name,
+        contact_name, contact_email, agent_name,
+        tenant_name, request_type, status
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, 'resume', 'pending')
+     RETURNING *`,
+    [
+      params.zitadelOrgId,
+      params.zitadelUserId,
+      params.companyName,
+      params.contactName,
+      params.contactEmail,
+      params.agentName,
+      params.tenantName,
+    ]
+  );
+  return mapRow(result.rows[0]);
+}
+
+/**
+ * Get the most recent provision request for a tenant_name. Used by
+ * Bug 37a's resume-request creation to populate company_name and
+ * agent_name (NOT NULL columns) from the original provision row
+ * rather than make up values.
+ *
+ * Returns null when no such row exists — should be impossible in
+ * normal flow (resume requests are only created for already-existing
+ * tenants whose CR was created via approving a provision request),
+ * but the caller should guard against it for safety.
+ */
+export async function getTenantRequestByTenantName(
+  tenantName: string
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `SELECT * FROM tenant_requests
+      WHERE tenant_name = $1
+        AND request_type = 'provision'
+      ORDER BY created_at DESC
+      LIMIT 1`,
+    [tenantName]
+  );
+  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
+}
+
+/**
+ * Return the in-flight (pending) resume request for a given tenant, if
+ * any. Used both to gate the customer's "Request reactivation" button
+ * (don't allow a second when one's already pending) and by the admin
+ * UI to navigate from the tenant detail page to the awaiting request.
+ *
+ * Returns null when no pending resume exists. Approved/rejected rows
+ * are never returned — they're terminal.
+ */
+export async function getPendingResumeRequestForTenant(
+  tenantName: string
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `SELECT * FROM tenant_requests
+      WHERE tenant_name = $1
+        AND request_type = 'resume'
+        AND status = 'pending'
+      LIMIT 1`,
+    [tenantName]
+  );
+  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
+}
+
+export async function dismissTenantRequest(id: string): Promise<void> {
+  await ensureSchema();
+  await getPool().query(
+    `UPDATE tenant_requests
+       SET dismissed_at = COALESCE(dismissed_at, now()),
+           updated_at = now()
+     WHERE id = $1`,
+    [id]
+  );
+}
+
+/**
+ * Update editable fields of a still-pending tenant request. Bug 6 — a
+ * customer who notices a typo or wants to add a package after submitting
+ * the wizard should be able to fix it without admin involvement.
+ *
+ * Only the customer-input fields are updateable. `status`, `tenant_name`,
+ * `admin_notes`, `encrypted_secrets`, `is_personal`, `zitadel_*` and
+ * timestamps are managed elsewhere and intentionally not here.
+ *
+ * The caller is responsible for:
+ *   - verifying the row belongs to the user's org
+ *   - verifying status === 'pending' (editing approved/provisioning rows
+ *     would race against the operator)
+ *
+ * Returns the updated row, or null if the id didn't match anything.
+ */
+export async function updateTenantRequestEditableFields(
+  id: string,
+  fields: {
+    instanceName?: string | null;
+    agentName?: string;
+    soulMd?: string;
+    agentsMd?: string | null;
+    packages?: string[];
+    billingAddress?: BillingAddress;
+    billingNotes?: string;
+    encryptedSecrets?: Buffer | null;
+  }
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+
+  const sets: string[] = ["updated_at = now()"];
+  const values: any[] = [id];
+  let idx = 2;
+
+  // Map JS field names to SQL columns. Each entry is gated on
+  // `!== undefined` so passing only some fields just updates those.
+  const colMap: Array<[keyof typeof fields, string]> = [
+    ["instanceName", "instance_name"],
+    ["agentName", "agent_name"],
+    ["soulMd", "soul_md"],
+    ["agentsMd", "agents_md"],
+    ["packages", "packages"],
+    ["billingAddress", "billing_address"],
+    ["billingNotes", "billing_notes"],
+    ["encryptedSecrets", "encrypted_secrets"],
+  ];
+  for (const [jsField, sqlCol] of colMap) {
+    const v = fields[jsField];
+    if (v === undefined) continue;
+    sets.push(`${sqlCol} = $${idx}`);
+    values.push(v);
+    idx++;
+  }
+
+  if (sets.length === 1) {
+    // No editable fields supplied — return the row unchanged rather
+    // than running a useless UPDATE that just bumps updated_at.
+    const cur = await getTenantRequestById(id);
+    return cur;
+  }
+
+  const result = await getPool().query<TenantRequest>(
+    `UPDATE tenant_requests SET ${sets.join(", ")} WHERE id = $1 RETURNING *`,
+    values
+  );
+  return result.rows[0] ? mapRow(result.rows[0]) : null;
+}
+
 /**
  * Wrapper around domain-check.ts that injects the portal's connection pool.
  * Kept here so route handlers don't need direct access to the pool.
@@ -446,6 +694,11 @@ function mapRow(row: any): TenantRequest {
     tenantName: row.tenant_name,
     encryptedSecrets: row.encrypted_secrets ?? null,
     isPersonal: row.is_personal ?? false,
+    dismissedAt:
+      row.dismissed_at?.toISOString?.() ?? row.dismissed_at ?? null,
+    requestType: (row.request_type ?? "provision") as
+      | "provision"
+      | "resume",
     createdAt: row.created_at?.toISOString?.() ?? row.created_at,
     updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
   };

src/lib/k8s.ts

@@ -130,3 +130,46 @@ export async function patchTenantSpec(
   }
   return res.json() as Promise<PiecedTenant>;
 }
+
+/**
+ * Set or clear an annotation on a PiecedTenant CR.
+ *
+ * Pass `value=null` to remove the annotation. K8s merge-patch removes
+ * a key when its value is null in the patch — that's exactly the
+ * semantic we want.
+ *
+ * Used by the resume-request flow (Bug 37a): the portal sets
+ * `pieced.ch/resume-request-pending` when a customer creates a
+ * resume request, and clears it when the request transitions to a
+ * terminal state. The operator reads this annotation to pause its
+ * 60-day deletion timer while a resume request is in flight.
+ *
+ * Annotations are namespaced informally — we use `pieced.ch/...` for
+ * everything we own, mirroring the labels.
+ */
+export async function setTenantAnnotation(
+  name: string,
+  key: string,
+  value: string | null
+): Promise<PiecedTenant> {
+  const url = `${getBaseUrl()}/apis/${API_VERSION}/${PLURAL}/${name}`;
+  const res = await fetch(url, {
+    method: "PATCH",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/merge-patch+json",
+      ...getAuthHeaders(),
+    },
+    body: JSON.stringify({
+      metadata: { annotations: { [key]: value } },
+    }),
+  });
+
+  if (!res.ok) {
+    const text = await res.text();
+    const err = new Error(`K8s annotate /${name}: ${res.status} ${text}`);
+    (err as any).statusCode = res.status;
+    throw err;
+  }
+  return res.json() as Promise<PiecedTenant>;
+}

src/lib/litellm.ts

@@ -32,12 +32,43 @@ export async function getTeamSpendLogs(
   return litellmFetch(`/global/spend/logs?${params}`);
 }
 
+/**
+ * Fetch one page of spend logs for a team, optionally narrowed to a
+ * single virtual key by alias.
+ *
+ * Slice 2 / Bug 19 context
+ * ------------------------
+ * Teams in LiteLLM are now org-scoped (one team per org), and each
+ * tenant in the org has its own virtual key with `key_alias = tenant
+ * CR name`. Without `keyAlias`, this returns the full team's spend —
+ * which mingles every tenant in the org. The portal's per-tenant
+ * usage view passes `keyAlias` to filter server-side via LiteLLM's
+ * native `key_alias` query param. Confirmed available on the
+ * `/spend/logs/v2` endpoint via OpenAPI introspection — no need to
+ * page-and-post-filter as the previous slice did.
+ *
+ * Why this matters
+ * ----------------
+ * Previous implementation fetched all team pages, then post-filtered
+ * by alias in JS. Two problems: (1) at any reasonable scale this is
+ * O(team_total) memory per request even when only one tenant's data
+ * is needed; (2) more importantly, when called from the customer
+ * dashboard without an explicit alias, the route's "pick the first
+ * visible tenant" fallback meant both Acme tenants showed identical
+ * numbers — the alias used was always the first tenant in the
+ * visible list, regardless of which tenant page was being viewed.
+ *
+ * The route layer above is responsible for resolving the tenant
+ * identity correctly and passing the right alias here. This
+ * function's only job is to pass it through to LiteLLM.
+ */
 export async function getTeamSpendLogsV2(
   teamId: string,
   startDate: string,
   endDate: string,
   page: number = 1,
-  pageSize: number = 100
+  pageSize: number = 100,
+  keyAlias?: string | null
 ) {
   const params = new URLSearchParams({
     team_id: teamId,
@@ -46,6 +77,9 @@ export async function getTeamSpendLogsV2(
     page: String(page),
     page_size: String(pageSize),
   });
+  if (keyAlias) {
+    params.set("key_alias", keyAlias);
+  }
   return litellmFetch(`/spend/logs/v2?${params}`);
 }
 

src/lib/personal-org.ts

@@ -1,40 +1,147 @@
 /**
  * Personal-account helpers.
  *
- * Slice 4 establishes the convention that ZITADEL org names for personal
+ * Two ZITADEL org-name formats may identify a personal account:
- * accounts end with the literal " (Personal)" suffix. This file
- * centralises the suffix and the predicate so both registration (which
- * sets the suffix) and onboarding (which reads it from the session) use
- * the same canonical form.
  *
- * Why a name suffix and not ZITADEL org metadata?
+ * 1. Legacy (Slice 4 .. 7-pre-Bug9):
- * -----------------------------------------------
+ *      "{givenName} {familyName} (Personal)"
- * 1. The suffix is visible in ZITADEL Console, admin tools, JWT claims,
+ *    Embedded the user's name in the org name. Hit a uniqueness
- *    etc. — useful debugging signal at zero cost.
+ *    collision on common Swiss names (Bug 9: two people named "Eva
- * 2. Customers cannot rename their own org (requires IAM_OWNER, which
+ *    Müller" can't both register). Suffix is detected via
- *    only the SA holds), so the suffix is stable for the lifetime of
+ *    `PERSONAL_ORG_SUFFIX`.
- *    the org.
- * 3. No extra ZITADEL API calls at onboarding time to fetch metadata.
- * 4. No extra portal DB tables.
  *
- * The trade-off: an admin who manually renames a personal org via
+ * 2. Current (Slice 7+):
- * ZITADEL Console could remove the suffix, after which onboarding
+ *      "personal-{8 hex chars}"
- * would treat that org as a company. That's a deliberate destructive
+ *    Opaque, structurally collision-free, no PII. The user's display
- * action and the worst outcome is a misnamed K8s CR; nothing breaks.
+ *    name lives only in the per-user fields (`session.user.name`),
+ *    which is what the GUI shows wherever it would otherwise have
+ *    shown the org name. See `displayOrgNameFor()` below.
+ *
+ * Both formats are recognised as personal by `isPersonalOrgName()`.
+ * Existing legacy orgs continue to work; new orgs are created in the
+ * opaque format.
+ *
+ * Why a name pattern and not ZITADEL org metadata?
+ * ------------------------------------------------
+ * - Visible in ZITADEL Console, JWT claims, admin tools — useful debug
+ *   signal at zero cost.
+ * - Customers cannot rename their own org (requires IAM_OWNER, which
+ *   only the SA holds), so the marker is stable for the life of the
+ *   org.
+ * - No extra ZITADEL API calls at onboarding time.
+ * - No extra portal DB tables.
+ *
+ * Trade-off: an admin who manually renames a personal org via Console
+ * could remove the marker. That's a deliberate destructive action; the
+ * worst outcome is a misnamed K8s CR. Nothing breaks.
  */
 
+/** Suffix used by the legacy " (Personal)" naming scheme. */
 export const PERSONAL_ORG_SUFFIX = " (Personal)";
 
+/**
+ * Pattern for the current opaque-id naming scheme. The hex chunk is
+ * generated from `crypto.randomUUID()` — eight hex digits give 4 billion
+ * distinct values, far more than the pilot will ever need, while
+ * keeping the org name short and copy-pasteable.
+ */
+const PERSONAL_ORG_OPAQUE_RE = /^personal-[0-9a-f]{8}$/;
+
+/**
+ * Generate a fresh opaque org name for a personal account.
+ *
+ * The result is uniformly random in the form "personal-XXXXXXXX". Caller
+ * doesn't need a duplicate check — at 4e9 cardinality the birthday
+ * collision probability is negligible at pilot scale, and ZITADEL would
+ * reject a duplicate creation with a clean error which we let surface.
+ *
+ * `crypto.randomUUID()` is used because it's available natively in
+ * Node 20+ and edge runtimes. We slice the hex digits we need from
+ * the UUID rather than calling a separate randomBytes API; the result
+ * is the same.
+ */
+export function generatePersonalOrgName(): string {
+  const uuid = crypto.randomUUID(); // 8-4-4-4-12 hex digits
+  const hex = uuid.replace(/-/g, "").slice(0, 8);
+  return `personal-${hex}`;
+}
+
 /**
  * Returns true when the given ZITADEL org name marks a personal account.
  *
- * The check is exact-suffix match (after trimming). Whitespace inside
+ * Recognises both the legacy " (Personal)" suffix and the current
- * the suffix is significant — `" (personal)"` lowercase or `"(Personal)"`
+ * "personal-{8hex}" opaque form. Whitespace inside the legacy suffix is
- * without the leading space are not matches and not personal orgs.
+ * significant — `" (personal)"` lowercase or `"(Personal)"` without the
+ * leading space are NOT matches and are treated as company orgs.
  *
  * Pass `session.orgName` from the SessionUser at the call site.
  */
-export function isPersonalOrgName(orgName: string | null | undefined): boolean {
+export function isPersonalOrgName(
+  orgName: string | null | undefined
+): boolean {
   if (!orgName) return false;
-  return orgName.trimEnd().endsWith(PERSONAL_ORG_SUFFIX);
+  const trimmed = orgName.trimEnd();
+  if (PERSONAL_ORG_OPAQUE_RE.test(trimmed)) return true;
+  if (trimmed.endsWith(PERSONAL_ORG_SUFFIX)) return true;
+  return false;
+}
+
+/**
+ * The label to show wherever the GUI would otherwise show the user's
+ * org name. For company accounts this is the org name; for personal
+ * accounts the org name itself is opaque (or a synthetic legacy
+ * "Name (Personal)" string), so we substitute the user's display name.
+ *
+ * Use this anywhere a customer-facing string would render the
+ * organisation: nav header, billing forms, SOUL.md interpolation, etc.
+ */
+export function displayOrgNameFor(user: {
+  name?: string | null;
+  email?: string | null;
+  orgName?: string | null;
+  isPersonal?: boolean;
+}): string {
+  const orgName = user.orgName ?? "";
+  // Defensive: if `isPersonal` wasn't set on the session (older sessions
+  // pre-Slice-7-Bug-9), fall back to detecting from the name itself.
+  const personal = user.isPersonal ?? isPersonalOrgName(orgName);
+  if (!personal) return orgName;
+  // Legacy legacy "Name (Personal)" — strip the suffix and use what's
+  // left as a sensible display, since it's already the user's name.
+  if (orgName.trimEnd().endsWith(PERSONAL_ORG_SUFFIX)) {
+    return orgName.slice(0, -PERSONAL_ORG_SUFFIX.length).trim();
+  }
+  // New opaque form — show the user's display name. Fall back to email
+  // local-part if no display name is available, which is rare but
+  // possible during the brief window between user creation and the
+  // user setting their profile.
+  if (user.name && user.name.trim().length > 0) return user.name.trim();
+  if (user.email) return user.email.split("@")[0];
+  return orgName;
+}
+
+/**
+ * One-instance-per-account rule for personal accounts (Bug 5).
+ *
+ * Personal accounts are 1-instance by design: a single user, a single
+ * tenant. After the first tenant or in-flight request exists, the
+ * customer is over quota and any further onboarding submission must
+ * be blocked. Company accounts are unaffected.
+ *
+ * `tenantCount` and `requestCount` are measured against the customer's
+ * own org — caller is responsible for filtering before passing them
+ * in. Both values are non-negative integers; the predicate is true
+ * iff at least one of them is > 0.
+ *
+ * Used by the dashboard (hide the "+ Create new instance" button),
+ * /dashboard/new (server-redirect), and /api/onboarding (return 403).
+ * Keeping the rule in one place avoids three separate copies of the
+ * same boolean drifting apart.
+ */
+export function personalAccountAtCapacity(
+  isPersonal: boolean,
+  tenantCount: number,
+  requestCount: number
+): boolean {
+  return isPersonal && (tenantCount > 0 || requestCount > 0);
 }

src/lib/validation.ts

@@ -0,0 +1,164 @@
+import { z } from "zod";
+
+/**
+ * Shared validation schemas for the onboarding wizard and the
+ * registration form. Both client and server import from here so the
+ * rules can't drift apart.
+ *
+ * Bug 12 motivation: until now, all wizard fields could be empty and
+ * still submit — the server schema in `/api/onboarding` had every
+ * billing field optional, and the client did no validation at all.
+ * Required fields are now declared once, here, and used in three
+ * places:
+ *   1. The wizard's per-step `validateStep()` to gate `goNext()`.
+ *   2. The wizard's submit handler to render inline errors.
+ *   3. The server route's `safeParse()` so the rules are also
+ *      enforced on direct API calls.
+ *
+ * Don't mix UX-only state (e.g. "did the user touch this field yet")
+ * into these schemas — that belongs in the wizard's render layer.
+ * These schemas describe what the data has to look like, not the
+ * progressive-disclosure rules.
+ */
+
+// ISO-3166-1 alpha-2 codes accepted in the country dropdown. DACH+
+// neighbours: Switzerland, Germany, Austria, France, Italy, plus
+// Liechtenstein (Swiss customers with LI billing addresses are common
+// enough to include without inflating the list). Add to this set when
+// expanding into new markets.
+export const SUPPORTED_COUNTRIES = ["CH", "DE", "AT", "FR", "IT", "LI"] as const;
+export type SupportedCountry = (typeof SUPPORTED_COUNTRIES)[number];
+
+/**
+ * Country-specific postal-code patterns. Bug 33: previously a postal
+ * code could be anything (e.g. "abc"), which broke invoicing.
+ *
+ * Patterns are deliberately conservative — they reject obviously wrong
+ * input but don't try to be exhaustive valid-range checkers (e.g. CH
+ * codes are 1000-9999 in practice but \d{4} accepts 0000; the post
+ * office will reject downstream if it matters). If a future country
+ * has multi-format codes (e.g. UK postcodes with the inner-outer
+ * structure), add it as a regex here rather than trying to fit
+ * every country into the same shape.
+ */
+const POSTAL_CODE_PATTERNS: Record<SupportedCountry, RegExp> = {
+  CH: /^\d{4}$/,
+  DE: /^\d{5}$/,
+  AT: /^\d{4}$/,
+  FR: /^\d{5}$/,
+  IT: /^\d{5}$/,
+  LI: /^\d{4}$/,
+};
+
+/**
+ * Postal-code expectation in human terms — used in error messages so
+ * the user gets a useful hint ("expected 4 digits") rather than just
+ * a regex failure. Keep in sync with POSTAL_CODE_PATTERNS.
+ */
+const POSTAL_CODE_HINTS: Record<SupportedCountry, string> = {
+  CH: "4 digits",
+  DE: "5 digits",
+  AT: "4 digits",
+  FR: "5 digits",
+  IT: "5 digits",
+  LI: "4 digits",
+};
+
+/**
+ * Billing address — every field required at minimum non-empty length.
+ * Postal code is validated against the chosen country (Bug 33). Country
+ * is a fixed enum to prevent free-text typos that break invoicing.
+ *
+ * `superRefine` is the right hook here because we need to look at two
+ * fields (country + postalCode) together. The error path is set on
+ * `postalCode` so the wizard renders the inline error under the right
+ * input rather than at the form root.
+ */
+export const billingAddressSchema = z
+  .object({
+    // Company line is structurally optional — personal accounts leave it
+    // empty by design (Bug 2). Server-side, the wizard's UI hides the
+    // field for personals; the schema just doesn't require it.
+    company: z.string().trim().max(100).optional().default(""),
+    street: z.string().trim().min(1, "required").max(200),
+    postalCode: z.string().trim().min(1, "required").max(12),
+    city: z.string().trim().min(1, "required").max(100),
+    country: z.enum(SUPPORTED_COUNTRIES, {
+      message: "Please choose a country from the list",
+    }),
+  })
+  .superRefine((data, ctx) => {
+    const pattern = POSTAL_CODE_PATTERNS[data.country];
+    if (!pattern.test(data.postalCode)) {
+      ctx.addIssue({
+        code: "custom",
+        path: ["postalCode"],
+        message: `Invalid postal code (expected ${POSTAL_CODE_HINTS[data.country]})`,
+      });
+    }
+  });
+
+export type BillingAddressInput = z.infer<typeof billingAddressSchema>;
+
+/**
+ * Per-step schemas for progressive validation. Each step validates only
+ * the fields visible up to that point, so the user gets feedback at the
+ * step they're on rather than at the end.
+ *
+ * The `welcome` step has nothing to validate.
+ * The `configure` step requires a non-empty agentName.
+ * The `billing` step requires a complete billing address (with the
+ *   optional company line).
+ * The `confirm` step is the final submission and validates the union.
+ */
+export const configureStepSchema = z.object({
+  agentName: z.string().trim().min(1, "required").max(50),
+});
+
+export const billingStepSchema = z.object({
+  billingAddress: billingAddressSchema,
+});
+
+/**
+ * Full onboarding payload. Used by the API route and by the wizard's
+ * submit handler. `packageSecrets` is a free-shape map that gets
+ * encrypted by the server before it touches the DB.
+ */
+export const onboardingSchema = z.object({
+  instanceName: z
+    .string()
+    .trim()
+    .max(80)
+    .optional()
+    // Empty string from a form input → undefined so the DB stores NULL.
+    .transform((v) => (v && v.length > 0 ? v : undefined)),
+  agentName: z.string().trim().min(1, "required").max(50),
+  soulMd: z.string().max(10_000).optional(),
+  agentsMd: z.string().max(10_000).optional(),
+  packages: z.array(z.string()).optional(),
+  packageSecrets: z
+    .record(z.string(), z.record(z.string(), z.string()))
+    .optional(),
+  billingAddress: billingAddressSchema,
+  billingNotes: z.string().max(2_000).optional(),
+});
+
+export type OnboardingPayload = z.infer<typeof onboardingSchema>;
+
+/**
+ * Helper: flatten a Zod error into a flat field-path → message map.
+ * The wizard uses this to look up errors per input by their path.
+ *
+ * Returns `{}` on success (i.e. caller shouldn't call this on a parsed
+ * value; only on `safeParse(...).error`). Kept here rather than inline
+ * so both the wizard and any future field-level form (e.g. settings
+ * page reusing billingAddressSchema) can share it.
+ */
+export function fieldErrors(err: z.ZodError): Record<string, string> {
+  const out: Record<string, string> = {};
+  for (const issue of err.issues) {
+    const key = issue.path.join(".");
+    if (!(key in out)) out[key] = issue.message;
+  }
+  return out;
+}

src/messages/de.json

@@ -20,11 +20,11 @@
     "button": "Weiter mit ZITADEL",
     "footer": "On-Premises gehostet in der Schweiz",
     "noAccount": "Noch kein Konto?",
-    "register": "Firma registrieren"
+    "register": "Konto erstellen"
   },
   "register": {
     "title": "Konto erstellen",
-    "subtitle": "Registrieren Sie Ihre Firma für einen in der Schweiz gehosteten KI-Assistenten",
+    "subtitle": "Richten Sie Ihren Schweizer KI-Assistenten ein",
     "companyName": "Firmenname",
     "companyNamePlaceholder": "Muster GmbH",
     "givenName": "Vorname",
@@ -38,7 +38,12 @@
     "goToLogin": "Zur Anmeldung",
     "duplicateDomain": "Für die E-Mail-Domain {domain} ist bereits ein Konto registriert. Bitte wenden Sie sich an Ihren Firmenadministrator, um eingeladen zu werden, oder kontaktieren Sie den PieCed-IT-Support, falls dies ein Fehler ist.",
     "individualToggle": "Als Privatperson registrieren",
-    "individualHint": "Aktivieren Sie diese Option, wenn Sie sich nicht im Namen eines Unternehmens registrieren. Ihr Konto wird als persönlicher Arbeitsbereich eingerichtet."
+    "individualHint": "Aktivieren Sie diese Option, wenn Sie sich nicht im Namen eines Unternehmens registrieren. Ihr Konto wird als persönlicher Arbeitsbereich eingerichtet.",
+    "accountTypeLabel": "Kontotyp",
+    "personalCardTitle": "Privat",
+    "personalCardDescription": "Für Sie persönlich.",
+    "companyCardTitle": "Unternehmen",
+    "companyCardDescription": "Für Ihr Unternehmen oder Team."
   },
   "onboarding": {
     "loading": "Status wird geladen…",
@@ -89,7 +94,27 @@
     "submittedAt": "Eingereicht",
     "instanceName": "Instanzname",
     "instanceNamePlaceholder": "z.B. Produktion, Dev, Vertrieb",
-    "instanceNameHint": "Optionaler lesbarer Name, um diese Instanz von anderen in Ihrem Dashboard zu unterscheiden. Leer lassen, um den Firmennamen zu verwenden."
+    "instanceNameHint": "Optionaler lesbarer Name, um diese Instanz von anderen in Ihrem Dashboard zu unterscheiden. Leer lassen, um den Firmennamen zu verwenden.",
+    "validationError": "Bitte korrigieren Sie die Fehler vor dem Absenden.",
+    "validationErrorsTitle": "Einige Pflichtfelder fehlen oder sind ungültig:",
+    "reviewInstanceDefault": "(Standard — verwendet Firmenname)",
+    "reviewNoPackages": "Keine ausgewählt",
+    "reviewBillingTo": "Rechnungsempfänger",
+    "reviewContactEmail": "Kontakt-E-Mail",
+    "editRequestTitle": "Anfrage bearbeiten",
+    "editRequestDescription": "Passen Sie die Konfiguration an, bevor unser Team sie prüft.",
+    "editRequest": "Bearbeiten",
+    "cancelRequest": "Anfrage stornieren",
+    "cancelRequestConfirm": "Ja, Anfrage stornieren",
+    "cancelConfirmRequestTitle": "Diese Anfrage stornieren?",
+    "cancelConfirmRequestDescription": "Ihre ausstehende Anfrage wird als storniert markiert und aus der Warteschlange entfernt. Sie können jederzeit eine neue Anfrage einreichen.",
+    "cancelFailed": "Anfrage konnte nicht storniert werden.",
+    "cancelledTitle": "Anfrage storniert",
+    "cancelledDescription": "Sie haben diese Anfrage vor der Bearbeitung storniert. Es wurde keine Instanz erstellt.",
+    "dismiss": "Ausblenden",
+    "dismissFailed": "Konnte nicht ausgeblendet werden.",
+    "rejectionReason": "Angegebener Grund",
+    "saveChanges": "Änderungen speichern"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -118,7 +143,30 @@
     "notFound": "Tenant nicht gefunden.",
     "usage": "Nutzung & Kosten",
     "provisioned": "Bereitgestellt",
-    "assignedUsers": "Zugewiesene Benutzer"
+    "assignedUsers": "Zugewiesene Benutzer",
+    "subscriptionTitle": "Abonnement",
+    "subscriptionDescriptionActive": "Kündigen Sie Ihr Abonnement, wenn Sie diesen Assistenten nicht mehr benötigen. Ihre Daten bleiben erhalten und Sie können jederzeit wieder aktivieren.",
+    "subscriptionDescriptionSuspended": "Ihr Abonnement ist gekündigt. Aktivieren Sie es wieder, um den Assistenten online zu bringen.",
+    "cancelSubscription": "Abonnement kündigen",
+    "cancelSubscriptionConfirm": "Ja, kündigen",
+    "resumeSubscription": "Abonnement reaktivieren",
+    "cancelConfirmTitle": "Dieses Abonnement kündigen?",
+    "cancelConfirmDescription": "Ihr Assistent wird nicht mehr verfügbar sein. Sie können jederzeit reaktivieren — Ihre Daten bleiben erhalten.",
+    "cancelConfirmBullet1": "Workspace-Dateien (SOUL.md, AGENTS.md) bleiben erhalten",
+    "cancelConfirmBullet2": "Paket-Anmeldedaten bleiben gespeichert",
+    "cancelConfirmBullet3": "Rechnungsdaten bleiben gespeichert",
+    "subscriptionUpdateFailed": "Abonnement konnte nicht aktualisiert werden.",
+    "suspendedTitle": "Abonnement gekündigt",
+    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen.",
+    "requestReactivation": "Reaktivierung anfragen",
+    "requestReactivationConfirmTitle": "Reaktivierung anfragen?",
+    "requestReactivationConfirmDescription": "Ein Administrator prüft Ihre Anfrage und reaktiviert Ihren Tenant. Sie erhalten eine E-Mail, sobald die Anfrage genehmigt wurde.",
+    "requestReactivationConfirm": "Anfrage senden",
+    "cancelResumeRequest": "Anfrage stornieren",
+    "resumeRequestPendingTitle": "Reaktivierungsanfrage ausstehend",
+    "resumeRequestPendingDescription": "Eingereicht {when}. Ein Administrator wird die Anfrage in Kürze prüfen.",
+    "resumeRequestPendingNoteAdmin": "Ein Inhaber hat eine Reaktivierung angefragt; Sie können direkt oben fortfahren oder die Anfrage in der Admin-Warteschlange bearbeiten.",
+    "cancelConfirmRetentionWarning": "Ihre Daten bleiben nach der Kündigung 60 Tage lang erhalten. Danach werden alle Tenant-Daten – Konfiguration, Geheimnisse, Konversationen und Dateien – endgültig gelöscht."
   },
   "usage": {
     "inputTokens": "Input-Tokens",
@@ -258,7 +306,9 @@
     "loadingHealth": "Statusdaten werden geladen…",
     "statusHealthy": "OK",
     "statusDown": "Ausgefallen",
-    "spendChf": "Kosten (CHF)"
+    "spendChf": "Kosten (CHF)",
+    "resumeRequestBadge": "Wieder",
+    "resumeRequestTooltip": "Reaktivierungsanfrage für einen bestehenden Tenant. Bei Genehmigung wird der Tenant wieder aktiviert; keine Provisionierung läuft."
   },
   "channelUsers": {
     "title": "Autorisierte Benutzer",
@@ -304,5 +354,27 @@
     "pickUser": "Benutzer auswählen…",
     "assign": "Zuweisen",
     "revoke": "Entfernen"
+  },
+  "countries": {
+    "CH": "Schweiz",
+    "DE": "Deutschland",
+    "AT": "Österreich",
+    "FR": "Frankreich",
+    "IT": "Italien",
+    "LI": "Liechtenstein"
+  },
+  "phase": {
+    "Pending": "Ausstehend",
+    "Provisioning": "Wird bereitgestellt",
+    "Running": "Aktiv",
+    "Ready": "Bereit",
+    "Suspended": "Pausiert",
+    "Error": "Fehler",
+    "Deleting": "Wird gelöscht",
+    "Reconfiguring": "Wird neu konfiguriert"
+  },
+  "warnings": {
+    "oneTooltip": "1 Warnung",
+    "manyTooltip": "{count} Warnungen"
   }
 }

src/messages/en.json

@@ -20,11 +20,11 @@
     "button": "Continue with ZITADEL",
     "footer": "Hosted on-premises in Switzerland",
     "noAccount": "No account yet?",
-    "register": "Register your company"
+    "register": "Create an account"
   },
   "register": {
     "title": "Create your account",
-    "subtitle": "Register your company for a Swiss-hosted AI assistant",
+    "subtitle": "Set up your Swiss-hosted AI assistant",
     "companyName": "Company Name",
     "companyNamePlaceholder": "Acme GmbH",
     "givenName": "First Name",
@@ -38,7 +38,12 @@
     "goToLogin": "Go to Sign In",
     "duplicateDomain": "An account for the email domain {domain} is already registered. Please contact your company administrator to be invited, or reach out to PieCed IT support if you believe this is in error.",
     "individualToggle": "Register as an individual",
-    "individualHint": "Tick this if you're not registering on behalf of a company. Your account will be set up as a personal workspace."
+    "individualHint": "Tick this if you're not registering on behalf of a company. Your account will be set up as a personal workspace.",
+    "accountTypeLabel": "Account type",
+    "personalCardTitle": "Personal",
+    "personalCardDescription": "For yourself.",
+    "companyCardTitle": "Company",
+    "companyCardDescription": "For your business or team."
   },
   "onboarding": {
     "loading": "Loading status…",
@@ -89,7 +94,27 @@
     "submittedAt": "Submitted",
     "instanceName": "Instance name",
     "instanceNamePlaceholder": "e.g. Production, Dev, Sales",
-    "instanceNameHint": "Optional human-readable name to distinguish this instance from others on your dashboard. Leave blank to use your company name."
+    "instanceNameHint": "Optional human-readable name to distinguish this instance from others on your dashboard. Leave blank to use your company name.",
+    "validationError": "Please fix the errors before submitting.",
+    "validationErrorsTitle": "Some required fields are missing or invalid:",
+    "reviewInstanceDefault": "(default — uses company name)",
+    "reviewNoPackages": "None selected",
+    "reviewBillingTo": "Billing to",
+    "reviewContactEmail": "Contact email",
+    "editRequestTitle": "Edit your request",
+    "editRequestDescription": "Adjust the configuration before our team reviews it.",
+    "editRequest": "Edit",
+    "cancelRequest": "Cancel request",
+    "cancelRequestConfirm": "Yes, cancel request",
+    "cancelConfirmRequestTitle": "Cancel this request?",
+    "cancelConfirmRequestDescription": "Your pending request will be marked as cancelled and removed from the review queue. You can submit a new request at any time.",
+    "cancelFailed": "Could not cancel request.",
+    "cancelledTitle": "Request cancelled",
+    "cancelledDescription": "You cancelled this request before it was processed. No instance was created.",
+    "dismiss": "Dismiss",
+    "dismissFailed": "Could not dismiss.",
+    "rejectionReason": "Reason given",
+    "saveChanges": "Save changes"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -118,7 +143,30 @@
     "notFound": "Tenant not found.",
     "usage": "Usage & Spend",
     "provisioned": "Provisioned",
-    "assignedUsers": "Assigned users"
+    "assignedUsers": "Assigned users",
+    "subscriptionTitle": "Subscription",
+    "subscriptionDescriptionActive": "Cancel your subscription if you no longer need this assistant. Your data will be preserved and you can resume anytime.",
+    "subscriptionDescriptionSuspended": "Your subscription is cancelled. Resume to bring the assistant back online.",
+    "cancelSubscription": "Cancel subscription",
+    "cancelSubscriptionConfirm": "Yes, cancel",
+    "resumeSubscription": "Resume subscription",
+    "cancelConfirmTitle": "Cancel this subscription?",
+    "cancelConfirmDescription": "Your assistant will become unavailable. You can resume anytime — your data is preserved.",
+    "cancelConfirmBullet1": "Workspace files (SOUL.md, AGENTS.md) are kept",
+    "cancelConfirmBullet2": "Package credentials remain stored",
+    "cancelConfirmBullet3": "Billing information is kept on file",
+    "subscriptionUpdateFailed": "Could not update subscription.",
+    "suspendedTitle": "Subscription cancelled",
+    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online.",
+    "requestReactivation": "Request reactivation",
+    "requestReactivationConfirmTitle": "Request reactivation?",
+    "requestReactivationConfirmDescription": "An administrator will review your request and reactivate your tenant. You'll be notified by email once it's approved.",
+    "requestReactivationConfirm": "Submit request",
+    "cancelResumeRequest": "Cancel request",
+    "resumeRequestPendingTitle": "Reactivation request pending",
+    "resumeRequestPendingDescription": "Submitted {when}. An administrator will review it shortly.",
+    "resumeRequestPendingNoteAdmin": "An owner has requested reactivation; you can resume directly above or process the request from the admin queue.",
+    "cancelConfirmRetentionWarning": "Your data is preserved for 60 days after cancellation. After that, all tenant data — configuration, secrets, conversations, and files — will be permanently deleted."
   },
   "usage": {
     "inputTokens": "Input Tokens",
@@ -258,7 +306,9 @@
     "loadingHealth": "Loading health data…",
     "statusHealthy": "Healthy",
     "statusDown": "Down",
-    "spendChf": "Spend (CHF)"
+    "spendChf": "Spend (CHF)",
+    "resumeRequestBadge": "Resume",
+    "resumeRequestTooltip": "Reactivation request for an existing tenant. Approving will un-suspend the tenant; no provisioning runs."
   },
   "channelUsers": {
     "title": "Authorized Users",
@@ -304,5 +354,27 @@
     "pickUser": "Select a user…",
     "assign": "Assign",
     "revoke": "Remove"
+  },
+  "countries": {
+    "CH": "Switzerland",
+    "DE": "Germany",
+    "AT": "Austria",
+    "FR": "France",
+    "IT": "Italy",
+    "LI": "Liechtenstein"
+  },
+  "phase": {
+    "Pending": "Pending",
+    "Provisioning": "Provisioning",
+    "Running": "Running",
+    "Ready": "Ready",
+    "Suspended": "Suspended",
+    "Error": "Error",
+    "Deleting": "Deleting",
+    "Reconfiguring": "Reconfiguring"
+  },
+  "warnings": {
+    "oneTooltip": "1 warning",
+    "manyTooltip": "{count} warnings"
   }
 }

src/messages/fr.json

@@ -20,11 +20,11 @@
     "button": "Continuer avec ZITADEL",
     "footer": "Hébergé on-premises en Suisse",
     "noAccount": "Pas encore de compte ?",
-    "register": "Enregistrer votre entreprise"
+    "register": "Créer un compte"
   },
   "register": {
     "title": "Créer votre compte",
-    "subtitle": "Enregistrez votre entreprise pour un assistant IA hébergé en Suisse",
+    "subtitle": "Configurez votre assistant IA hébergé en Suisse",
     "companyName": "Nom de l'entreprise",
     "companyNamePlaceholder": "Exemple SA",
     "givenName": "Prénom",
@@ -38,7 +38,12 @@
     "goToLogin": "Aller à la connexion",
     "duplicateDomain": "Un compte pour le domaine de courriel {domain} est déjà enregistré. Veuillez contacter l'administrateur de votre entreprise pour être invité, ou contactez le support PieCed IT si vous pensez qu'il s'agit d'une erreur.",
     "individualToggle": "S'inscrire en tant que particulier",
-    "individualHint": "Cochez cette case si vous ne vous inscrivez pas au nom d'une entreprise. Votre compte sera configuré comme espace de travail personnel."
+    "individualHint": "Cochez cette case si vous ne vous inscrivez pas au nom d'une entreprise. Votre compte sera configuré comme espace de travail personnel.",
+    "accountTypeLabel": "Type de compte",
+    "personalCardTitle": "Particulier",
+    "personalCardDescription": "Pour vous.",
+    "companyCardTitle": "Entreprise",
+    "companyCardDescription": "Pour votre entreprise ou équipe."
   },
   "onboarding": {
     "loading": "Chargement du statut…",
@@ -89,7 +94,27 @@
     "submittedAt": "Soumis",
     "instanceName": "Nom de l'instance",
     "instanceNamePlaceholder": "ex. Production, Dev, Ventes",
-    "instanceNameHint": "Nom lisible facultatif pour distinguer cette instance des autres sur votre tableau de bord. Laisser vide pour utiliser le nom de votre entreprise."
+    "instanceNameHint": "Nom lisible facultatif pour distinguer cette instance des autres sur votre tableau de bord. Laisser vide pour utiliser le nom de votre entreprise.",
+    "validationError": "Veuillez corriger les erreurs avant l'envoi.",
+    "validationErrorsTitle": "Certains champs obligatoires manquent ou sont invalides :",
+    "reviewInstanceDefault": "(par défaut — utilise le nom de l'entreprise)",
+    "reviewNoPackages": "Aucun sélectionné",
+    "reviewBillingTo": "Facturer à",
+    "reviewContactEmail": "E-mail de contact",
+    "editRequestTitle": "Modifier votre demande",
+    "editRequestDescription": "Ajustez la configuration avant que notre équipe ne l'examine.",
+    "editRequest": "Modifier",
+    "cancelRequest": "Annuler la demande",
+    "cancelRequestConfirm": "Oui, annuler la demande",
+    "cancelConfirmRequestTitle": "Annuler cette demande ?",
+    "cancelConfirmRequestDescription": "Votre demande en attente sera marquée comme annulée et retirée de la file. Vous pouvez soumettre une nouvelle demande à tout moment.",
+    "cancelFailed": "Impossible d'annuler la demande.",
+    "cancelledTitle": "Demande annulée",
+    "cancelledDescription": "Vous avez annulé cette demande avant son traitement. Aucune instance n'a été créée.",
+    "dismiss": "Masquer",
+    "dismissFailed": "Impossible de masquer.",
+    "rejectionReason": "Motif indiqué",
+    "saveChanges": "Enregistrer les modifications"
   },
   "dashboard": {
     "title": "Tableau de bord",
@@ -118,7 +143,30 @@
     "notFound": "Locataire non trouvé.",
     "usage": "Utilisation et coûts",
     "provisioned": "Provisionné",
-    "assignedUsers": "Utilisateurs attribués"
+    "assignedUsers": "Utilisateurs attribués",
+    "subscriptionTitle": "Abonnement",
+    "subscriptionDescriptionActive": "Annulez votre abonnement si vous n'avez plus besoin de cet assistant. Vos données seront conservées et vous pourrez reprendre à tout moment.",
+    "subscriptionDescriptionSuspended": "Votre abonnement est annulé. Reprenez pour remettre l'assistant en ligne.",
+    "cancelSubscription": "Annuler l'abonnement",
+    "cancelSubscriptionConfirm": "Oui, annuler",
+    "resumeSubscription": "Reprendre l'abonnement",
+    "cancelConfirmTitle": "Annuler cet abonnement ?",
+    "cancelConfirmDescription": "Votre assistant sera indisponible. Vous pouvez reprendre à tout moment — vos données sont préservées.",
+    "cancelConfirmBullet1": "Les fichiers de l'espace de travail (SOUL.md, AGENTS.md) sont conservés",
+    "cancelConfirmBullet2": "Les identifiants des packages restent stockés",
+    "cancelConfirmBullet3": "Les informations de facturation sont conservées",
+    "subscriptionUpdateFailed": "Impossible de mettre à jour l'abonnement.",
+    "suspendedTitle": "Abonnement annulé",
+    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne.",
+    "requestReactivation": "Demander la réactivation",
+    "requestReactivationConfirmTitle": "Demander la réactivation ?",
+    "requestReactivationConfirmDescription": "Un administrateur examinera votre demande et réactivera votre locataire. Vous recevrez un e-mail dès que la demande sera approuvée.",
+    "requestReactivationConfirm": "Envoyer la demande",
+    "cancelResumeRequest": "Annuler la demande",
+    "resumeRequestPendingTitle": "Demande de réactivation en attente",
+    "resumeRequestPendingDescription": "Soumise {when}. Un administrateur l'examinera sous peu.",
+    "resumeRequestPendingNoteAdmin": "Un propriétaire a demandé la réactivation ; vous pouvez reprendre directement ci-dessus ou traiter la demande depuis la file d'attente d'administration.",
+    "cancelConfirmRetentionWarning": "Vos données sont conservées pendant 60 jours après l'annulation. Passé ce délai, toutes les données du locataire — configuration, secrets, conversations et fichiers — seront définitivement supprimées."
   },
   "usage": {
     "inputTokens": "Tokens d'entrée",
@@ -258,7 +306,9 @@
     "loadingHealth": "Chargement des données de santé…",
     "statusHealthy": "OK",
     "statusDown": "Hors service",
-    "spendChf": "Coûts (CHF)"
+    "spendChf": "Coûts (CHF)",
+    "resumeRequestBadge": "Reprise",
+    "resumeRequestTooltip": "Demande de réactivation d'un locataire existant. L'approbation le réactivera ; aucun provisionnement ne s'exécute."
   },
   "channelUsers": {
     "title": "Utilisateurs autorisés",
@@ -304,5 +354,27 @@
     "pickUser": "Sélectionner un utilisateur…",
     "assign": "Attribuer",
     "revoke": "Retirer"
+  },
+  "countries": {
+    "CH": "Suisse",
+    "DE": "Allemagne",
+    "AT": "Autriche",
+    "FR": "France",
+    "IT": "Italie",
+    "LI": "Liechtenstein"
+  },
+  "phase": {
+    "Pending": "En attente",
+    "Provisioning": "Mise en service",
+    "Running": "Actif",
+    "Ready": "Prêt",
+    "Suspended": "Suspendu",
+    "Error": "Erreur",
+    "Deleting": "Suppression",
+    "Reconfiguring": "Reconfiguration"
+  },
+  "warnings": {
+    "oneTooltip": "1 avertissement",
+    "manyTooltip": "{count} avertissements"
   }
 }

src/messages/it.json

@@ -20,11 +20,11 @@
     "button": "Continua con ZITADEL",
     "footer": "Ospitato on-premises in Svizzera",
     "noAccount": "Non hai ancora un account?",
-    "register": "Registra la tua azienda"
+    "register": "Crea un account"
   },
   "register": {
     "title": "Crea il tuo account",
-    "subtitle": "Registra la tua azienda per un assistente IA ospitato in Svizzera",
+    "subtitle": "Configuri il suo assistente IA ospitato in Svizzera",
     "companyName": "Nome azienda",
     "companyNamePlaceholder": "Esempio SA",
     "givenName": "Nome",
@@ -38,7 +38,12 @@
     "goToLogin": "Vai all'accesso",
     "duplicateDomain": "Un account per il dominio e-mail {domain} è già registrato. Contatta l'amministratore della tua azienda per essere invitato, oppure contatta il supporto PieCed IT se ritieni che si tratti di un errore.",
     "individualToggle": "Registrati come privato",
-    "individualHint": "Seleziona questa opzione se non ti stai registrando per conto di un'azienda. Il tuo account sarà configurato come area di lavoro personale."
+    "individualHint": "Seleziona questa opzione se non ti stai registrando per conto di un'azienda. Il tuo account sarà configurato come area di lavoro personale.",
+    "accountTypeLabel": "Tipo di account",
+    "personalCardTitle": "Privato",
+    "personalCardDescription": "Per lei.",
+    "companyCardTitle": "Azienda",
+    "companyCardDescription": "Per la sua azienda o team."
   },
   "onboarding": {
     "loading": "Caricamento stato…",
@@ -89,7 +94,27 @@
     "submittedAt": "Inviato",
     "instanceName": "Nome istanza",
     "instanceNamePlaceholder": "es. Produzione, Dev, Vendite",
-    "instanceNameHint": "Nome leggibile facoltativo per distinguere questa istanza dalle altre nella dashboard. Lasciare vuoto per usare il nome dell'azienda."
+    "instanceNameHint": "Nome leggibile facoltativo per distinguere questa istanza dalle altre nella dashboard. Lasciare vuoto per usare il nome dell'azienda.",
+    "validationError": "Correggere gli errori prima di inviare.",
+    "validationErrorsTitle": "Alcuni campi obbligatori sono mancanti o non validi:",
+    "reviewInstanceDefault": "(predefinito — usa il nome dell'azienda)",
+    "reviewNoPackages": "Nessuno selezionato",
+    "reviewBillingTo": "Fatturare a",
+    "reviewContactEmail": "Email di contatto",
+    "editRequestTitle": "Modifica la sua richiesta",
+    "editRequestDescription": "Modifichi la configurazione prima che il nostro team la esamini.",
+    "editRequest": "Modifica",
+    "cancelRequest": "Annulla richiesta",
+    "cancelRequestConfirm": "Sì, annulla la richiesta",
+    "cancelConfirmRequestTitle": "Annullare questa richiesta?",
+    "cancelConfirmRequestDescription": "La sua richiesta in attesa sarà contrassegnata come annullata e rimossa dalla coda di revisione. Può inviare una nuova richiesta in qualsiasi momento.",
+    "cancelFailed": "Impossibile annullare la richiesta.",
+    "cancelledTitle": "Richiesta annullata",
+    "cancelledDescription": "Lei ha annullato questa richiesta prima dell'elaborazione. Nessuna istanza è stata creata.",
+    "dismiss": "Nascondi",
+    "dismissFailed": "Impossibile nascondere.",
+    "rejectionReason": "Motivo indicato",
+    "saveChanges": "Salva modifiche"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -118,7 +143,30 @@
     "notFound": "Tenant non trovato.",
     "usage": "Utilizzo e costi",
     "provisioned": "Attivato",
-    "assignedUsers": "Utenti assegnati"
+    "assignedUsers": "Utenti assegnati",
+    "subscriptionTitle": "Abbonamento",
+    "subscriptionDescriptionActive": "Annulli il suo abbonamento se non ha più bisogno di questo assistente. I suoi dati saranno preservati e potrà riprendere in qualsiasi momento.",
+    "subscriptionDescriptionSuspended": "Il suo abbonamento è annullato. Riprenda per riportare l'assistente online.",
+    "cancelSubscription": "Annulla abbonamento",
+    "cancelSubscriptionConfirm": "Sì, annulla",
+    "resumeSubscription": "Riprendi abbonamento",
+    "cancelConfirmTitle": "Annullare questo abbonamento?",
+    "cancelConfirmDescription": "Il suo assistente diventerà non disponibile. Può riprendere in qualsiasi momento — i suoi dati sono preservati.",
+    "cancelConfirmBullet1": "I file del workspace (SOUL.md, AGENTS.md) sono mantenuti",
+    "cancelConfirmBullet2": "Le credenziali dei pacchetti rimangono memorizzate",
+    "cancelConfirmBullet3": "Le informazioni di fatturazione sono mantenute",
+    "subscriptionUpdateFailed": "Impossibile aggiornare l'abbonamento.",
+    "suspendedTitle": "Abbonamento annullato",
+    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online.",
+    "requestReactivation": "Richiedi riattivazione",
+    "requestReactivationConfirmTitle": "Richiedere la riattivazione?",
+    "requestReactivationConfirmDescription": "Un amministratore esaminerà la tua richiesta e riattiverà il tuo tenant. Riceverai un'email non appena la richiesta sarà approvata.",
+    "requestReactivationConfirm": "Invia richiesta",
+    "cancelResumeRequest": "Annulla richiesta",
+    "resumeRequestPendingTitle": "Richiesta di riattivazione in sospeso",
+    "resumeRequestPendingDescription": "Inviata {when}. Un amministratore la esaminerà a breve.",
+    "resumeRequestPendingNoteAdmin": "Un proprietario ha richiesto la riattivazione; puoi riprendere direttamente sopra o elaborare la richiesta dalla coda di amministrazione.",
+    "cancelConfirmRetentionWarning": "I tuoi dati sono conservati per 60 giorni dopo l'annullamento. Trascorso tale periodo, tutti i dati del tenant — configurazione, segreti, conversazioni e file — verranno eliminati definitivamente."
   },
   "usage": {
     "inputTokens": "Token di input",
@@ -258,7 +306,9 @@
     "loadingHealth": "Caricamento dati di stato…",
     "statusHealthy": "OK",
     "statusDown": "Non disponibile",
-    "spendChf": "Costi (CHF)"
+    "spendChf": "Costi (CHF)",
+    "resumeRequestBadge": "Ripresa",
+    "resumeRequestTooltip": "Richiesta di riattivazione di un tenant esistente. L'approvazione lo riattiverà; non viene eseguito alcun provisioning."
   },
   "channelUsers": {
     "title": "Utenti autorizzati",
@@ -304,5 +354,27 @@
     "pickUser": "Seleziona un utente…",
     "assign": "Assegna",
     "revoke": "Rimuovi"
+  },
+  "countries": {
+    "CH": "Svizzera",
+    "DE": "Germania",
+    "AT": "Austria",
+    "FR": "Francia",
+    "IT": "Italia",
+    "LI": "Liechtenstein"
+  },
+  "phase": {
+    "Pending": "In attesa",
+    "Provisioning": "In provisioning",
+    "Running": "Attivo",
+    "Ready": "Pronto",
+    "Suspended": "Sospeso",
+    "Error": "Errore",
+    "Deleting": "Eliminazione",
+    "Reconfiguring": "Riconfigurazione"
+  },
+  "warnings": {
+    "oneTooltip": "1 avviso",
+    "manyTooltip": "{count} avvisi"
   }
 }

src/types/index.ts

@@ -47,6 +47,23 @@ export interface SessionUser {
   orgName: string;
   roles: Role[];
   isPlatform: boolean;
+  /**
+   * True when the user's ZITADEL org is a personal account — i.e. a
+   * single-user org provisioned by the registration flow with
+   * `isPersonal: true`. Derived from `orgName` in the session callback;
+   * see `lib/personal-org.ts::isPersonalOrgName` for the detection
+   * rules (recognises both the legacy " (Personal)" suffix and the
+   * current "personal-{8hex}" opaque form).
+   *
+   * Drives several customer-facing behaviours:
+   *   - /team page is hidden (Bug 8): there's no team to manage.
+   *   - "Create new instance" is gated to a single tenant + request
+   *     (Bug 5): personal accounts are 1-instance by design.
+   *   - The assigned-users panel on /tenants/[name] is hidden (Bug 7).
+   *   - Wherever the GUI would otherwise show `orgName`, it shows the
+   *     user's display name instead (Bug 9 — the org name is opaque).
+   */
+  isPersonal: boolean;
 }
 
 // PiecedTenant CR (pieced.ch/v1alpha1)
@@ -61,7 +78,15 @@ export interface PiecedTenantSpec {
 }
 
 export interface PiecedTenantStatus {
-  phase: "Pending" | "Provisioning" | "Running" | "Ready" | "Error" | "Deleting";
+  phase:
+    | "Pending"
+    | "Provisioning"
+    | "Running"
+    | "Ready"
+    | "Reconfiguring"
+    | "Suspended"
+    | "Error"
+    | "Deleting";
   message?: string;
   observedGeneration?: number;
   /**
@@ -78,6 +103,21 @@ export interface PiecedTenantStatus {
   litellmKeyAlias?: string;
   tenantNamespace?: string;
   enabledPackages?: string[];
+  /**
+   * Non-fatal issues from downstream resources surfaced by the operator
+   * (e.g. an OpenClawInstance sub-condition reporting failure). The
+   * tenant is still usable — these are informational, rendered as a
+   * warning badge alongside the phase.
+   *
+   * `source` is "<Kind>/<ConditionType>" e.g. "OpenClawInstance/SkillPacksReady".
+   * `message` is shown in the tooltip when the user hovers the badge.
+   */
+  warnings?: Array<{
+    source: string;
+    reason?: string;
+    message?: string;
+    since?: string;
+  }>;
   conditions?: Array<{
     type: string;
     status: string;
@@ -112,8 +152,8 @@ export interface UsageSummary {
 export interface RegistrationInput {
   /**
    * Required for company registrations. Ignored when `isPersonal` is true —
-   * the server then derives the ZITADEL org name from the user's full name
+   * the server then generates an opaque ZITADEL org name of the form
-   * with a "(Personal)" suffix.
+   * `personal-{8hex}` (see `lib/personal-org.ts::generatePersonalOrgName`).
    */
   companyName?: string;
   givenName: string;
@@ -121,10 +161,11 @@ export interface RegistrationInput {
   email: string;
   preferredLanguage?: string;
   /**
-   * Slice 4: when true, registration creates a personal account (one
+   * Slice 4 + Bug 9: when true, registration creates a personal account
-   * person, no company). Domain-uniqueness check is skipped, ZITADEL org
+   * (one person, no company). Domain-uniqueness check is skipped, the
-   * is named "{givenName} {familyName} (Personal)", subsequent tenants
+   * ZITADEL org is named `personal-{8hex}` (opaque, collision-free),
-   * are named with the `p-{requestId[:8]}` convention.
+   * the user's display name lives only on the user record, and
+   * subsequent tenants are named with the `p-{requestId[:8]}` convention.
    */
   isPersonal?: boolean;
 }
@@ -144,6 +185,7 @@ export type TenantRequestStatus =
   | "provisioning" // PiecedTenant CR created, operator reconciling
   | "active" // Tenant running
   | "rejected" // Admin rejected
+  | "cancelled" // Customer cancelled before admin acted on it (Bug 6)
   | "deleted"; // Tenant was deleted by admin
 
 export interface TenantRequest {
@@ -177,6 +219,27 @@ export interface TenantRequest {
    * domain-uniqueness check on subsequent registrations.
    */
   isPersonal?: boolean;
+  /**
+   * Bug 13: when set, the customer has explicitly dismissed a rejected
+   * request from their dashboard. Used by `listActiveTenantRequestsByOrgId`
+   * to keep showing rejected rows until they're dismissed (so a customer
+   * who wasn't online when the rejection happened still sees it on next
+   * login). Always null for non-rejected statuses.
+   */
+  dismissedAt?: string | null;
+  /**
+   * Bug 37a: discriminator between provision (initial tenant creation,
+   * the original purpose of this table) and resume (admin-gated
+   * reactivation of a suspended tenant). Default 'provision' for all
+   * pre-existing rows; resume rows have most provision fields null
+   * but tenant_name set to the tenant being requested.
+   *
+   * Optional on the TS type so provision-only callers (like the
+   * onboarding wizard's create flow) don't need to know about resume
+   * requests. The DB column is NOT NULL DEFAULT 'provision', so rows
+   * loaded via `mapRow` always have a value populated.
+   */
+  requestType?: "provision" | "resume";
   createdAt: string;
   updatedAt: string;
 }