Group F - Fix spending per tenant

src/app/[locale]/dashboard/edit/[id]/page.tsx

@@ -0,0 +1,87 @@
+import { getSessionUser, canMutate } from "@/lib/session";
+import { redirect } from "next/navigation";
+import { getTranslations } from "next-intl/server";
+import { getTenantRequestById } from "@/lib/db";
+import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
+import { BackLink } from "@/components/ui/back-link";
+
+/**
+ * /dashboard/edit/[id] — re-opens the onboarding wizard with the
+ * fields of a still-pending request pre-filled (Bug 6). On submit,
+ * the wizard PATCHes /api/onboarding/[id] instead of POSTing to
+ * /api/onboarding.
+ *
+ * Hard guards
+ * -----------
+ * - Logged-in customer owner (or platform user) only — same as the
+ *   /dashboard/new page.
+ * - Request must exist, belong to the caller's org, and be in 'pending'
+ *   status. Editing approved/provisioning rows would race against the
+ *   operator; we redirect such cases back to the dashboard rather than
+ *   render an invalid wizard.
+ *
+ * Pre-fill
+ * --------
+ * The wizard takes a single `editingRequest` prop — when present, it
+ * (a) pre-populates state from those values and (b) targets the PATCH
+ * endpoint on submit. When absent, it behaves exactly as today (POST
+ * to /api/onboarding).
+ *
+ * Note on encrypted secrets
+ * -------------------------
+ * Per-package secrets are NEVER decrypted server-side and exposed to
+ * the client (would be a clear security regression). When editing,
+ * the wizard opens with empty secret fields and the user re-enters
+ * any they want to change. If they don't touch the package-secrets
+ * UI, the existing encrypted blob in the DB is preserved by the
+ * PATCH endpoint (it only re-encrypts when the wizard sends a
+ * non-empty secrets payload).
+ */
+export default async function EditRequestPage({
+  params,
+}: {
+  params: Promise<{ id: string; locale: string }>;
+}) {
+  const { id } = await params;
+  const user = await getSessionUser();
+  if (!user) redirect("/login");
+  if (user.isPlatform) redirect("/dashboard");
+  if (!canMutate(user)) redirect("/dashboard");
+
+  const tr = await getTenantRequestById(id);
+  if (!tr) redirect("/dashboard");
+  if (tr.zitadelOrgId !== user.orgId) redirect("/dashboard");
+  if (tr.status !== "pending") redirect("/dashboard");
+
+  const t = await getTranslations("dashboard");
+  const tOnboarding = await getTranslations("onboarding");
+
+  return (
+    <div className="container max-w-3xl mx-auto px-4 py-8">
+      <div className="mb-8 animate-in">
+        <BackLink href="/dashboard" label={t("title")} />
+        <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
+          {tOnboarding("editRequestTitle")}
+        </h1>
+        <p className="text-sm text-text-secondary">
+          {tOnboarding("editRequestDescription")}
+        </p>
+      </div>
+      <OnboardingFlow
+        orgName={user.orgName}
+        userName={user.name}
+        userEmail={user.email}
+        editingRequest={{
+          id: tr.id,
+          instanceName: tr.instanceName ?? "",
+          agentName: tr.agentName,
+          soulMd: tr.soulMd ?? "",
+          agentsMd: tr.agentsMd ?? "",
+          packages: tr.packages,
+          billingAddress: tr.billingAddress,
+          billingNotes: tr.billingNotes ?? "",
+        }}
+      />
+    </div>
+  );
+}

src/app/[locale]/dashboard/page.tsx

@@ -11,6 +11,7 @@ import {
 import { personalAccountAtCapacity } from "@/lib/personal-org";
 import { Card, CardHeader } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
+import { WarningBadge } from "@/components/ui/warning-badge";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
 import { ProvisioningStatus } from "@/components/onboarding/provisioning-status";
 import { formatDateTime } from "@/lib/format";
@@ -315,7 +316,11 @@ export default async function DashboardPage() {
           </h2>
           <div className="space-y-3">
             {inflightRequests.map((r) => (
-              <ProvisioningStatus key={r.id} requestId={r.id} />
+              <ProvisioningStatus
+                key={r.id}
+                requestId={r.id}
+                canAct={canMutate(user)}
+              />
             ))}
           </div>
         </div>
@@ -344,7 +349,10 @@ export default async function DashboardPage() {
                         {tenant.metadata.name}
                       </div>
                     </div>
-                    <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+                    <div className="flex items-center gap-2 shrink-0">
+                      <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+                      <WarningBadge warnings={tenant.status?.warnings ?? []} />
+                    </div>
                   </div>
 
                   {tenant.spec.agentName && (

src/app/[locale]/tenants/[name]/page.tsx

@@ -4,11 +4,13 @@ import { redirect, notFound } from "next/navigation";
 import { getTenant } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
 import { StatusBadge } from "@/components/ui/status-badge";
+import { WarningBadge } from "@/components/ui/warning-badge";
 import { UsageDisplay } from "@/components/dashboard/usage-display";
 import { PackageList } from "@/components/packages/package-list";
 import { WorkspaceEditor } from "@/components/packages/workspace-editor";
 import { ChannelUsers } from "@/components/channel-users/channel-users";
 import { AssignedUsersPanel } from "@/components/tenants/assigned-users-panel";
+import { SubscriptionToggle } from "@/components/tenants/subscription-toggle";
 import { formatDateTime, formatRelative } from "@/lib/format";
 
 const CHANNEL_PACKAGES = ["telegram", "discord", "email"];
@@ -40,6 +42,11 @@ export default async function TenantDetailPage({
   // the same page but with edit controls hidden / fields read-only.
   const canEdit = canMutate(user);
 
+  // Bug 31: customer-side cancel/resume control. Same gate as canEdit
+  // — only owners (or platform staff) may toggle the subscription.
+  // The current state comes from spec.suspend on the CR.
+  const isSuspended = Boolean(tenant.spec.suspend);
+
   // Bug 7: assigned-users panel is meaningless for personal tenants
   // (sole-owner by definition; the only "assignee" is the owner
   // themselves). We hide the panel when EITHER the CR carries the
@@ -60,18 +67,12 @@ export default async function TenantDetailPage({
   );
   const channelUsers = tenant.spec.channelUsers || {};
 
-  // Admins inspecting another tenant's usage: pass teamId AND keyAlias so
+  // Bug 19 fix: every viewer (customer or admin) passes the tenant
-  // the backend filters spend logs by this specific tenant's virtual key.
+  // name to UsageDisplay. The /api/usage route resolves team+alias
-  // Without keyAlias the response would include sibling tenants in the
+  // from the tenant CR's status and applies the visibility check, so
-  // same org, since teams are now shared (Slice 2).
+  // no per-role branching is needed here. Previous version only
-  // Customers viewing their own: pass nothing — backend resolves both
+  // passed identifiers for platform admins; customers got "the first
-  // from the session-bound tenant.
+  // visible tenant" by API fallback, mingling siblings.
-  const usageTeamId = user.isPlatform
-    ? tenant.status?.litellmTeamId || undefined
-    : undefined;
-  const usageKeyAlias = user.isPlatform
-    ? tenant.status?.litellmKeyAlias || undefined
-    : undefined;
 
   return (
     <div>
@@ -82,6 +83,7 @@ export default async function TenantDetailPage({
             {tenant.spec.displayName || name}
           </h1>
           <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+          <WarningBadge warnings={tenant.status?.warnings ?? []} />
         </div>
         {tenant.spec.agentName && (
           <p className="text-sm text-text-secondary mt-3">
@@ -102,12 +104,47 @@ export default async function TenantDetailPage({
         )}
       </div>
 
+      {/* Bug 31: prominent banner when the subscription is cancelled.
+          Sits between header and content so it's the first thing the
+          owner sees. Says clearly what state means, and that data is
+          preserved. The Resume action lives in the SubscriptionToggle
+          at the bottom — duplicating it here would clutter the banner
+          for the much-more-common active case. */}
+      {isSuspended && (
+        <div className="mb-8 animate-in animate-in-delay-1 bg-amber-500/10 border border-amber-500/30 rounded-xl p-4">
+          <div className="flex items-start gap-3">
+            <svg
+              className="h-5 w-5 text-amber-400 shrink-0 mt-0.5"
+              fill="none"
+              viewBox="0 0 24 24"
+              stroke="currentColor"
+              strokeWidth={1.5}
+              aria-hidden="true"
+            >
+              <path
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                d="M12 9v3.75m9-.75a9 9 0 11-18 0 9 9 0 0118 0zM12 15.75h.008v.008H12v-.008z"
+              />
+            </svg>
+            <div className="min-w-0">
+              <div className="text-sm font-semibold text-amber-300">
+                {t("suspendedTitle")}
+              </div>
+              <div className="text-xs text-text-secondary mt-1">
+                {t("suspendedDescription")}
+              </div>
+            </div>
+          </div>
+        </div>
+      )}
+
       {/* Usage */}
       <section className="mb-8 animate-in animate-in-delay-1">
         <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
           {t("usage")}
         </h2>
-        <UsageDisplay teamId={usageTeamId} keyAlias={usageKeyAlias} />
+        <UsageDisplay tenant={name} />
       </section>
 
       {/* Packages */}
@@ -155,6 +192,25 @@ export default async function TenantDetailPage({
           <AssignedUsersPanel tenantName={name} canEdit={canEdit} />
         </section>
       )}
+
+      {/* Bug 31: subscription cancel/resume — owners + platform staff
+          only. Lives at the bottom of the page (rather than near the
+          status badge) to add deliberate friction; mis-clicking
+          "Cancel subscription" from the top would be too easy. The
+          control itself opens a confirmation modal before sending. */}
+      {canEdit && (
+        <section className="mt-12 pt-8 border-t border-border animate-in animate-in-delay-4">
+          <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
+            {t("subscriptionTitle")}
+          </h2>
+          <p className="text-sm text-text-secondary mb-4">
+            {isSuspended
+              ? t("subscriptionDescriptionSuspended")
+              : t("subscriptionDescriptionActive")}
+          </p>
+          <SubscriptionToggle tenantName={name} suspended={isSuspended} />
+        </section>
+      )}
     </div>
   );
 }

src/app/api/onboarding/[id]/dismiss/route.ts

@@ -0,0 +1,65 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { dismissTenantRequest, getTenantRequestById } from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * POST /api/onboarding/[id]/dismiss
+ *
+ * Customer-side acknowledgement of a rejected or cancelled request
+ * (Bug 13). Sets `dismissed_at = now()` so the row stops appearing
+ * in the dashboard's `listActiveTenantRequestsByOrgId` query. The
+ * row itself is preserved for audit.
+ *
+ * Authorization mirrors the GET / DELETE / PATCH endpoints on this
+ * resource: customer owners (or platform staff) of the row's org.
+ *
+ * Idempotent: dismissing an already-dismissed request returns 200
+ * with no change. We refuse to dismiss non-terminal rows (pending,
+ * approved, provisioning, active) — those are still actionable, and
+ * "hiding" them would stash live state from the customer.
+ */
+export async function POST(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { id } = await params;
+  const tr = await getTenantRequestById(id);
+  if (!tr) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (tr.status !== "rejected" && tr.status !== "cancelled") {
+    return NextResponse.json(
+      {
+        error:
+          "Only rejected or cancelled requests can be dismissed. Active requests stay visible.",
+        code: "not_dismissable",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  try {
+    await dismissTenantRequest(id);
+    return NextResponse.json({ message: "Dismissed.", id });
+  } catch (e: any) {
+    console.error("Failed to dismiss request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to dismiss request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/[id]/route.ts

@@ -0,0 +1,207 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import {
+  getTenantRequestById,
+  updateTenantRequestStatus,
+  updateTenantRequestEditableFields,
+} from "@/lib/db";
+import { encryptSecrets } from "@/lib/crypto";
+import { onboardingSchema } from "@/lib/validation";
+import { safeError } from "@/lib/errors";
+
+/**
+ * Customer-side controls for a single tenant_request row.
+ *
+ *   - DELETE /api/onboarding/[id]  → cancel a still-pending request
+ *   - PATCH  /api/onboarding/[id]  → edit fields of a still-pending
+ *                                    request (Bug 6)
+ *
+ * Both endpoints share the same authorization check: the caller must
+ * be a customer owner (or platform staff) of the request's org. We
+ * also enforce status === 'pending' on the row — once an admin has
+ * acted on it, the customer can no longer mutate it from the portal.
+ *
+ * Reading these is via the existing GET /api/onboarding?id=... handler.
+ */
+
+async function loadAuthorized(
+  id: string
+): Promise<
+  | { error: NextResponse }
+  | { req: Awaited<ReturnType<typeof getTenantRequestById>>; }
+> {
+  const user = await getSessionUser();
+  if (!user) {
+    return {
+      error: NextResponse.json({ error: "Unauthorized" }, { status: 401 }),
+    };
+  }
+  if (!canMutate(user)) {
+    return {
+      error: NextResponse.json({ error: "Forbidden" }, { status: 403 }),
+    };
+  }
+  const tr = await getTenantRequestById(id);
+  if (!tr) {
+    return {
+      error: NextResponse.json({ error: "Not found" }, { status: 404 }),
+    };
+  }
+  // Customers may only read their own org's requests; platform users
+  // may read any. Same scope as `GET /api/onboarding?id=...`.
+  if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+    return {
+      error: NextResponse.json({ error: "Not found" }, { status: 404 }),
+    };
+  }
+  return { req: tr };
+}
+
+/**
+ * DELETE /api/onboarding/[id]
+ *
+ * Customer cancels a still-pending request. Status flips to 'cancelled';
+ * the row is preserved for audit. The customer can dismiss the
+ * cancelled card afterwards (Bug 13 reuse — same dismissal mechanism).
+ *
+ * Once admin has approved/provisioned/rejected, this endpoint refuses
+ * (409). Cancelling a tenant that's already running goes through the
+ * subscription-suspend flow on the tenant detail page, not here.
+ */
+export async function DELETE(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const loaded = await loadAuthorized(id);
+  if ("error" in loaded) return loaded.error;
+  const tr = loaded.req!;
+
+  if (tr.status !== "pending") {
+    return NextResponse.json(
+      {
+        error:
+          "Only pending requests can be cancelled. Approved or provisioning instances must be managed from the tenant page.",
+        code: "not_pending",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  try {
+    await updateTenantRequestStatus(id, "cancelled");
+    return NextResponse.json({ message: "Request cancelled.", id });
+  } catch (e: any) {
+    console.error("Failed to cancel request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to cancel request") },
+      { status: 500 }
+    );
+  }
+}
+
+/**
+ * PATCH /api/onboarding/[id]
+ *
+ * Customer edits a still-pending request. Validation is the same as on
+ * POST /api/onboarding (shared schema). Only customer-input fields are
+ * editable; status/tenant_name/admin_notes/etc. are server-managed.
+ *
+ * Note on company-level fields
+ * ----------------------------
+ * For a follow-up instance (org has prior approved rows), the POST
+ * handler intentionally ignores the wizard's billingAddress and uses
+ * the on-file value instead. We mirror that here: company-level fields
+ * (companyName, contactName, contactEmail, billingAddress) on a
+ * follow-up edit are NOT updated through this endpoint. The customer
+ * should use a future settings page (Bug 11) for those. For now,
+ * editing only mutates per-instance fields — agent name, instance
+ * name, packages, soulMd, agentsMd, billingNotes, packageSecrets.
+ *
+ * For the FIRST instance (no prior approved rows), billingAddress IS
+ * editable here, since the customer is still defining their company's
+ * billing data.
+ */
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const loaded = await loadAuthorized(id);
+  if ("error" in loaded) return loaded.error;
+  const tr = loaded.req!;
+
+  if (tr.status !== "pending") {
+    return NextResponse.json(
+      {
+        error: "Only pending requests can be edited.",
+        code: "not_pending",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  const body = await req.json().catch(() => null);
+  const parsed = onboardingSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: "Invalid input", details: parsed.error.flatten() },
+      { status: 400 }
+    );
+  }
+  const input = parsed.data;
+
+  // Re-encrypt package secrets if present in the patch body. When the
+  // user re-opens the wizard to edit, the secrets array is populated
+  // afresh from the wizard (we never decrypt and return existing
+  // secrets — that'd be a security regression). If the user didn't
+  // touch any secret-bearing package, the wizard sends no
+  // packageSecrets and we leave the existing encrypted blob alone.
+  let encryptedSecrets: Buffer | null | undefined;
+  if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {
+    try {
+      encryptedSecrets = await encryptSecrets(input.packageSecrets);
+    } catch (e: any) {
+      console.error("Failed to encrypt package secrets:", e);
+      return NextResponse.json(
+        { error: "Failed to secure credentials. Please try again." },
+        { status: 500 }
+      );
+    }
+  }
+
+  // Only first-instance edits get billingAddress; follow-ups inherit
+  // company billing from the on-file approved row.
+  const isFirstInstance = !tr.tenantName; // approximation; covers the
+  // "no prior approved row for this org" case the POST handler treats
+  // identically. A more rigorous check would call
+  // getMostRecentApprovedRequestForOrg, but in practice an org with
+  // an approved row for some other tenant has a tenantName on those
+  // rows, not on the pending one being edited — so the simple check
+  // here is fine for the only state the endpoint accepts (pending).
+
+  try {
+    const updated = await updateTenantRequestEditableFields(id, {
+      instanceName: input.instanceName,
+      agentName: input.agentName,
+      soulMd: input.soulMd,
+      agentsMd: input.agentsMd,
+      packages: input.packages ?? [],
+      billingAddress: isFirstInstance ? input.billingAddress : undefined,
+      billingNotes: input.billingNotes,
+      encryptedSecrets,
+    });
+    if (!updated) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+    return NextResponse.json({ message: "Request updated.", id });
+  } catch (e: any) {
+    console.error("Failed to edit request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to edit request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/route.ts

@@ -24,15 +24,33 @@ import { z } from "zod";
  * Helper: shape a TenantRequest row for client consumption.
  * Hides server-only fields (encryptedSecrets, internal db ids).
  */
+/**
+ * Helper: shape a TenantRequest row for client consumption.
+ * Hides server-only fields (encryptedSecrets, internal db ids).
+ *
+ * Slice 7 / Bug 6: surfaces enough fields for the customer-side edit
+ * flow to pre-fill the wizard. soulMd, agentsMd, billingAddress,
+ * billingNotes were previously kept off the public shape because the
+ * pre-Slice-3 dashboard didn't render them. Edit needs them.
+ *
+ * Bug 13: surfaces dismissedAt so the dashboard can distinguish
+ * "freshly rejected, show prominently" from "rejected and acknowledged,
+ * keep hidden" without an extra API call.
+ */
 function publicRequestShape(r: TenantRequest) {
   return {
     id: r.id,
     instanceName: r.instanceName,
     agentName: r.agentName,
+    soulMd: r.soulMd,
+    agentsMd: r.agentsMd,
     packages: r.packages,
+    billingAddress: r.billingAddress,
+    billingNotes: r.billingNotes,
     status: r.status,
     adminNotes: r.adminNotes,
     tenantName: r.tenantName,
+    dismissedAt: r.dismissedAt ?? null,
     createdAt: r.createdAt,
     updatedAt: r.updatedAt,
   };

src/app/api/tenants/[name]/suspend/route.ts

@@ -0,0 +1,106 @@
+import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getTenant, patchTenantSpec } from "@/lib/k8s";
+import { canUserSeeTenant } from "@/lib/visibility";
+import { safeError } from "@/lib/errors";
+
+const patchSchema = z.object({
+  suspend: z.boolean(),
+});
+
+/**
+ * PATCH /api/tenants/[name]/suspend
+ *
+ * Customer-side "Cancel subscription" / "Resume" toggle (Bug 31).
+ *
+ * Sets `spec.suspend` on the PiecedTenant CR. The operator interprets
+ * this flag as "stop reconciling this tenant" — workloads, packages,
+ * and channel-user changes are no longer applied. Existing data is
+ * preserved (namespace, ConfigMaps, OpenBao secrets, CNPG database,
+ * billing records). Resuming sets the flag back to false and the
+ * operator picks up reconciliation on the next loop.
+ *
+ * Authorization
+ * -------------
+ * - Customer-side: only an `owner` of the tenant's org may call this.
+ *   `canMutate` is the right gate (mirrors the rest of the customer
+ *   API surface). User-role members cannot cancel a subscription.
+ * - Platform staff: allowed via `canMutate`'s isPlatform branch, but
+ *   in practice they should use admin tooling for this — the action
+ *   is exposed here for the customer's benefit.
+ *
+ * Visibility check is via `canUserSeeTenant` — same notFound() trick
+ * as the detail page, so we don't leak existence of tenants the
+ * caller can't see.
+ *
+ * Note on workload teardown
+ * -------------------------
+ * As of this writing, the operator's `suspend` handling is "skip
+ * reconciliation and set status.phase to Suspended". The underlying
+ * StatefulSet keeps running until next reconciliation, which won't
+ * happen while suspended. Group D will add scale-to-zero so cancelled
+ * subscriptions actually stop incurring compute. Until then, an
+ * operator following up with a `kubectl scale` is the workaround.
+ * Customer data is preserved either way.
+ */
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { name } = await params;
+  const tenant = await getTenant(name);
+  if (!tenant) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  // Identical pattern to the detail page — don't leak existence.
+  if (!(await canUserSeeTenant(user, tenant))) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  const body = await req.json().catch(() => null);
+  const parsed = patchSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: "Invalid input", details: parsed.error.flatten() },
+      { status: 400 }
+    );
+  }
+  const { suspend } = parsed.data;
+
+  // No-op early exit. Avoids a needless K8s patch + status churn when
+  // the user double-clicks the button or the UI is briefly out of sync.
+  if (Boolean(tenant.spec.suspend) === suspend) {
+    return NextResponse.json(
+      { message: "No change.", suspend },
+      { status: 200 }
+    );
+  }
+
+  try {
+    await patchTenantSpec(name, { suspend });
+    return NextResponse.json(
+      {
+        message: suspend
+          ? "Subscription cancelled. Your data is preserved."
+          : "Subscription resumed.",
+        suspend,
+      },
+      { status: 200 }
+    );
+  } catch (e: any) {
+    console.error("Suspend toggle failed:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to update subscription") },
+      { status: e.statusCode || 500 }
+    );
+  }
+}

src/app/api/usage/route.ts

@@ -8,64 +8,109 @@ import { safeError } from "@/lib/errors";
 /**
  * GET /api/usage
  *
- * Customers: tenant resolved server-side from the user's orgId. The
+ * Per-tenant spend/token usage for a given month.
- *            response is filtered by the tenant's `litellmKeyAlias` so
- *            sibling tenants in the same org don't bleed into the total.
- * Platform admins: may pass ?teamId=... to inspect any team. They may
- *                  also pass ?keyAlias=... to scope to a single tenant.
  *
- * Slice 2 note
+ * Resolution rules (in priority order)
- * ------------
+ * ------------------------------------
- * LiteLLM teams are now shared across all tenants of an org. The team's
+ *  1. `?tenant=<name>` query param — the canonical path. The route
- * `/team/info` budget is the *company* budget; the per-tenant numbers
+ *     looks up the PiecedTenant CR by name, runs it through the
- * come from filtering spend logs by `key_alias`. If a tenant has no
+ *     viewer's visibility filter, and reads `status.litellmTeamId` +
- * `litellmKeyAlias` in status (transitional state right after upgrade,
+ *     `status.litellmKeyAlias`. This is what the tenant-detail page
- * before the operator has reconciled), we fall back to team-level
+ *     calls with for both customers and admins.
- * filtering — the numbers will be slightly inflated for that one
+ *  2. `?teamId=<id>` (+ optional `?keyAlias=<alias>`) — admin escape
- * reconcile cycle.
+ *     hatch for debugging across orgs (e.g. opening the platform
+ *     panel without a specific tenant in mind). Platform-only;
+ *     ignored for customer sessions.
+ *  3. No params — 400. We deliberately do NOT fall back to "the
+ *     first visible tenant". Bug 19: that fallback meant siblings
+ *     in the same org showed identical numbers because the API
+ *     always picked the same "first" tenant regardless of which
+ *     detail page the customer was viewing. Forcing callers to be
+ *     explicit makes the bug structurally impossible to reintroduce.
+ *
+ * Filtering
+ * ---------
+ * LiteLLM's `/spend/logs/v2` accepts a server-side `key_alias` filter.
+ * We pass it through directly — no more "fetch all team pages and
+ * post-filter in JS" (which was O(team_total) memory per request and
+ * masked the routing bug above by being slow enough that nobody
+ * noticed which alias was actually being used).
+ *
+ * The team-level budget is still surfaced as the *org* budget, since
+ * teams are org-scoped post-Slice-2. That's intentional: the customer
+ * sees "your company has X budget remaining" alongside "this tenant
+ * cost Y this month".
  */
 export async function GET(req: NextRequest) {
   const user = await getSessionUser();
   if (!user)
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
+  const tenantName = req.nextUrl.searchParams.get("tenant");
   let teamId: string | null = null;
   let keyAlias: string | null = null;
 
-  if (user.isPlatform) {
+  if (tenantName) {
-    teamId = req.nextUrl.searchParams.get("teamId") ?? null;
+    // Path 1: resolve from tenant name with visibility check.
-    keyAlias = req.nextUrl.searchParams.get("keyAlias") ?? null;
+    //
-  }
+    // listVisibleTenants enforces the same visibility rules as every
-
+    // other read endpoint:
-  // For customers (or admins without explicit params): resolve from
+    //   - platform admins see everything
-  // the user's *visible* tenants. With Slice 6, a `user`-role member
+    //   - owners see all tenants in their org
-  // can only see usage for tenants they're assigned to — a non-assigned
+    //   - users see only the tenants they're assigned to (Slice 6)
-  // user defaults to "no active tenant" (404).
+    //
-  //
+    // Filtering through that list rather than reading the CR directly
-  // Owner and platform get the full org-scoped list and pick the first
+    // means a malicious caller can't probe arbitrary tenant names to
-  // tenant, matching the dashboard's "current instance" semantics.
+    // learn what exists in other orgs.
-  if (!teamId) {
     const allTenants = await listTenants();
     const visible = await listVisibleTenants(user, allTenants);
-    const orgTenant = visible.find((t) => !!t.status?.litellmTeamId);
+    const tenant = visible.find((t) => t.metadata.name === tenantName);
 
-    if (!orgTenant?.status?.litellmTeamId) {
+    if (!tenant) {
       return NextResponse.json(
-        { error: "No active tenant found for your organization" },
+        { error: "Tenant not found or not accessible" },
         { status: 404 }
       );
     }
-    teamId = orgTenant.status.litellmTeamId;
+    if (!tenant.status?.litellmTeamId) {
-
+      // Tenant exists but the operator hasn't reconciled it yet.
-    // If the operator has populated the per-tenant key alias, filter by it.
+      // Common right after onboarding; the customer should see a
-    // Falling back to team-level (no alias) will return the org total, which
+      // friendly empty state, not a 500.
-    // is acceptable transitionally but means siblings' usage shows up here.
+      return NextResponse.json(
-    if (orgTenant.status.litellmKeyAlias) {
+        { error: "Tenant is still provisioning, no usage data yet" },
-      keyAlias = orgTenant.status.litellmKeyAlias;
+        { status: 409 }
+      );
     }
+    teamId = tenant.status.litellmTeamId;
+    // litellmKeyAlias is set by the operator's LiteLLM reconcile step
+    // alongside litellmTeamId, so if teamId is present this should be
+    // too. Defensive fallback to team-level if missing — in that case
+    // the customer briefly sees company totals until the next operator
+    // reconcile, which is better than 500.
+    keyAlias = tenant.status.litellmKeyAlias ?? null;
+  } else if (user.isPlatform) {
+    // Path 2: admin escape hatch.
+    teamId = req.nextUrl.searchParams.get("teamId");
+    keyAlias = req.nextUrl.searchParams.get("keyAlias");
+    if (!teamId) {
+      return NextResponse.json(
+        {
+          error:
+            "Either ?tenant=<name> or ?teamId=<id> (admin) must be provided",
+        },
+        { status: 400 }
+      );
+    }
+  } else {
+    // Path 3: no resolution possible. See doc above for why we don't
+    // pick a default.
+    return NextResponse.json(
+      { error: "Tenant must be specified via ?tenant=<name>" },
+      { status: 400 }
+    );
   }
 
-  // Month param: YYYY-MM, defaults to current month
+  // Month param: YYYY-MM, defaults to current month.
   const now = new Date();
   const monthParam =
     req.nextUrl.searchParams.get("month") ||
@@ -81,11 +126,11 @@ export async function GET(req: NextRequest) {
   try {
     const teamInfo = await getTeamInfo(teamId);
 
-    // Fetch all pages from the team. We always query at the team level —
+    // Page through results — server-side filtered by key_alias when
-    // LiteLLM's /spend/logs/v2 doesn't filter by key_alias reliably across
+    // provided. Pagination still needed because LiteLLM caps
-    // versions, so we paginate and post-filter in code. For pilot scale
+    // page_size at 100, and a busy tenant can easily exceed that in
-    // this is cheap; if a single team ever exceeds ~10k entries/month we
+    // a month. With server-side filtering this stays cheap regardless
-    // can revisit.
+    // of how busy sibling tenants in the same team are.
     const allRequests: any[] = [];
     let page = 1;
     while (true) {
@@ -94,33 +139,25 @@ export async function GET(req: NextRequest) {
         startStr,
         endStr,
         page,
-        100
+        100,
+        keyAlias
       );
       allRequests.push(...(result.data || []));
       if (page >= (result.total_pages || 1)) break;
       page++;
+      // Defensive cap. A pathological response with bogus total_pages
+      // shouldn't be able to spin us forever. 50 pages × 100 = 5000
+      // entries/month/tenant is well above any realistic usage at
+      // pilot scale.
+      if (page > 50) break;
     }
 
-    // Apply key_alias post-filter when scoping to a single tenant. Match
+    // Aggregate by day.
-    // both `key_alias` (newer LiteLLM) and `metadata.user_api_key_alias`
-    // (older builds nest it inside metadata).
-    const scoped = keyAlias
-      ? allRequests.filter((r) => {
-          const alias =
-            r.key_alias ??
-            r.metadata?.user_api_key_alias ??
-            r.api_key_alias ??
-            null;
-          return alias === keyAlias;
-        })
-      : allRequests;
-
-    // Aggregate by day
     const byDay: Record<
       string,
       { inputTokens: number; outputTokens: number; spend: number }
     > = {};
-    for (const r of scoped) {
+    for (const r of allRequests) {
       const day = (r.startTime || r.endTime || "").slice(0, 10);
       if (!day) continue;
       if (!byDay[day])
@@ -134,30 +171,30 @@ export async function GET(req: NextRequest) {
       .sort(([a], [b]) => a.localeCompare(b))
       .map(([date, d]) => ({ date, ...d }));
 
-    const totalInput = scoped.reduce(
+    const totalInput = allRequests.reduce(
       (s, r) => s + (r.prompt_tokens || 0),
       0
     );
-    const totalOutput = scoped.reduce(
+    const totalOutput = allRequests.reduce(
       (s, r) => s + (r.completion_tokens || 0),
       0
     );
-    const totalSpend = scoped.reduce((s, r) => s + (r.spend || 0), 0);
+    const totalSpend = allRequests.reduce((s, r) => s + (r.spend || 0), 0);
 
     return NextResponse.json({
       teamId,
-      keyAlias, // null when not filtering — useful for the client to know it sees company-wide data
+      keyAlias, // null when admin queries team-wide (no specific tenant)
       month: monthParam,
       currentPeriod: {
         inputTokens: totalInput,
         outputTokens: totalOutput,
         totalSpend,
-        requestCount: scoped.length,
+        requestCount: allRequests.length,
       },
       // Budget is always team-level (= company budget). Spend reported
       // here is the team total, not the per-key total — the customer
-      // wants to see "how much of our company budget is left", not just
+      // wants to see "how much of our company budget is left", not
-      // "how much has this one tenant cost".
+      // just "how much has this one tenant cost".
       budget: {
         maxBudget: teamInfo?.team_info?.max_budget ?? null,
         spend: teamInfo?.team_info?.spend ?? 0,

src/components/admin/admin-panel.tsx

@@ -199,7 +199,22 @@ export function AdminPanel({ initialTenants }: AdminPanelProps) {
         throw new Error(data.error || "Delete failed");
       }
       setDeleteModal(null);
-      await fetchTenants();
+      // Bug 32: K8s deletion is asynchronous — the resource enters a
+      // Terminating phase with a deletionTimestamp set, finalizers run,
+      // then the resource is fully removed. fetchTenants() right
+      // after the API call would race the K8s store and often still
+      // include the just-deleted row. Two complementary fixes:
+      //   1. Optimistically drop the row from local state so the UI
+      //      reflects the user's intent immediately.
+      //   2. Schedule a delayed refetch (1.5s) to pick up any side
+      //      effects (cascaded request rows, freshly-released names).
+      // The immediate fetchTenants() is kept as a "best chance" — if
+      // K8s does report the deletion synchronously (rare), we get the
+      // freshest data. If it doesn't, the optimistic update has us
+      // covered until the delayed refetch lands.
+      setTenants((prev) => prev.filter((t) => t.metadata.name !== name));
+      fetchTenants();
+      setTimeout(() => fetchTenants(), 1500);
     } catch (e: any) {
       setError(e.message);
     } finally {

src/components/dashboard/usage-display.tsx

@@ -94,17 +94,27 @@ function UsageChart({ data }: { data: DailyUsage[] }) {
 /**
  * Usage display widget.
  *
- * - Customers: don't pass teamId or keyAlias — the backend resolves both
+ * Pass `tenant=<name>` for the canonical path — works for both
- *   from the session-bound tenant.
+ * customers and admins, the API resolves team+alias from the tenant
- * - Admins inspecting a specific tenant: pass `teamId` (the org-level
+ * CR's status. The visibility check on the API ensures users can't
- *   LiteLLM team id) AND `keyAlias` (the tenant's virtual-key alias).
+ * query tenants they shouldn't see.
- *   Without `keyAlias`, the response includes spend from sibling tenants
+ *
- *   in the same org, since teams are shared since Slice 2.
+ * `teamId`/`keyAlias` remain available as a platform-admin escape
+ * hatch for cross-org debugging, but the tenant-detail and dashboard
+ * paths should always use `tenant`.
+ *
+ * Bug 19 fix: previous version omitted both props for customer
+ * sessions, expecting the API to "figure it out". The API's fallback
+ * was "first visible tenant", which meant siblings in the same org
+ * showed identical numbers regardless of which detail page was open.
+ * Now the page passes the tenant name explicitly; no fallback exists.
  */
 export function UsageDisplay({
+  tenant,
   teamId,
   keyAlias,
 }: {
+  tenant?: string | null;
   teamId?: string | null;
   keyAlias?: string | null;
 }) {
@@ -121,11 +131,13 @@ export function UsageDisplay({
     setError(null);
 
     const params = new URLSearchParams({ month });
-    if (teamId) {
+    if (tenant) {
+      params.set("tenant", tenant);
+    } else if (teamId) {
+      // Admin escape hatch — only honoured by the API when the
+      // viewer is platform-role.
       params.set("teamId", teamId);
-    }
+      if (keyAlias) params.set("keyAlias", keyAlias);
-    if (keyAlias) {
-      params.set("keyAlias", keyAlias);
     }
 
     fetch(`/api/usage?${params}`)
@@ -133,7 +145,7 @@ export function UsageDisplay({
       .then(setData)
       .catch((e) => setError(e.message))
       .finally(() => setLoading(false));
-  }, [teamId, keyAlias, month]);
+  }, [tenant, teamId, keyAlias, month]);
 
   useEffect(() => { fetchUsage(); }, [fetchUsage]);
 

src/components/layout/nav-shell.tsx

@@ -13,8 +13,13 @@ function NavBar() {
   const pathname = usePathname();
   const user = (session as any)?.platformUser;
 
-  const isLogin = pathname === "/login";
+  // Hide the nav entirely on auth-only routes. These pages have no
-  if (isLogin) return null;
+  // session yet — showing "Dashboard" / "Sign Out" is misleading at
+  // best (the buttons would 401 or redirect-loop). Keep this list
+  // narrow and route-exact: anything else we add to the auth flow
+  // (e.g. password reset) needs to be added here too.
+  const isAuthRoute = pathname === "/login" || pathname === "/register";
+  if (isAuthRoute) return null;
 
   return (
     <header className="sticky top-0 z-50 border-b border-border bg-surface-1/80 backdrop-blur-md">

src/components/onboarding/onboarding-flow.tsx

@@ -12,6 +12,14 @@ interface OnboardingFlowProps {
    */
   userName?: string;
   userEmail?: string;
+  /**
+   * Bug 6: when present, the wizard is rendered in edit mode against
+   * the given pending request. See `OnboardingWizard` for the full
+   * shape and behavioural contract.
+   */
+  editingRequest?: React.ComponentProps<
+    typeof OnboardingWizard
+  >["editingRequest"];
 }
 
 /**
@@ -29,6 +37,7 @@ export function OnboardingFlow({
   orgName,
   userName,
   userEmail,
+  editingRequest,
 }: OnboardingFlowProps) {
   const router = useRouter();
 
@@ -37,6 +46,7 @@ export function OnboardingFlow({
       orgName={orgName}
       userName={userName}
       userEmail={userEmail}
+      editingRequest={editingRequest}
       onComplete={() => {
         // Navigate back to /dashboard and re-fetch on the server. The
         // parent server component will see the new `pending` row and

src/components/onboarding/provisioning-status.tsx

@@ -1,6 +1,8 @@
 "use client";
 
 import { useState, useEffect, useCallback } from "react";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
 import { useTranslations, useFormatter } from "next-intl";
 import { Card } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
@@ -14,6 +16,7 @@ interface RequestSummary {
   status: string;
   adminNotes?: string;
   tenantName?: string;
+  dismissedAt?: string | null;
   createdAt?: string;
   updatedAt?: string;
 }
@@ -36,21 +39,42 @@ interface SingleRequestState {
   tenant: TenantSummary | null;
 }
 
+interface Props {
+  requestId: string;
+  /**
+   * Whether the viewer can act on this request — cancel a pending one,
+   * dismiss a rejected one, etc. True for owner + platform; false for
+   * `user`-role customers (who shouldn't see in-flight requests at all,
+   * but defence in depth — `canSeeInflightRequests` already gates the
+   * dashboard side).
+   */
+  canAct: boolean;
+}
+
 /**
  * ProvisioningStatus
  *
  * Polls /api/onboarding?id=<requestId> every 5s until the request reaches
- * a terminal state. Slice 3: takes a `requestId` prop so multiple of these
+ * a terminal state. Slice 3: takes a `requestId` prop so multiple of
- * can render on the same dashboard for different in-flight requests.
+ * these can render on the same dashboard for different in-flight
+ * requests.
  *
- * The pre-Slice-3 version polled /api/onboarding with no params and
+ * Slice 7 / Bug 6 + 13:
- * assumed one-request-per-org — that endpoint shape is gone now.
+ *   - pending → cancel + edit buttons
+ *   - rejected → admin notes block + dismiss button
+ *   - cancelled → small acknowledgement card + dismiss button
+ *   - terminal Ready/Active states unchanged
  */
-export function ProvisioningStatus({ requestId }: { requestId: string }) {
+export function ProvisioningStatus({ requestId, canAct }: Props) {
   const t = useTranslations("onboarding");
+  const tCommon = useTranslations("common");
   const f = useFormatter();
+  const router = useRouter();
+
   const [data, setData] = useState<SingleRequestState | null>(null);
   const [error, setError] = useState("");
+  const [actionPending, setActionPending] = useState(false);
+  const [confirmCancel, setConfirmCancel] = useState(false);
 
   const poll = useCallback(async () => {
     try {
@@ -67,11 +91,11 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
 
   useEffect(() => {
     poll();
-
     const status = data?.request?.status;
     const phase = data?.tenant?.phase;
     const terminal =
       status === "rejected" ||
+      status === "cancelled" ||
       status === "active" ||
       phase === "Ready" ||
       phase === "Running";
@@ -82,7 +106,54 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     return () => clearInterval(interval);
   }, [poll, data?.request?.status, data?.tenant?.phase]);
 
-  if (error) {
+  const handleCancel = async () => {
+    setActionPending(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${encodeURIComponent(requestId)}`,
+        { method: "DELETE" }
+      );
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || t("cancelFailed"));
+      }
+      setConfirmCancel(false);
+      // Re-poll so the card transitions to "cancelled" state without a
+      // full route refresh — the dashboard's surrounding tenant cards
+      // are unaffected.
+      await poll();
+      router.refresh();
+    } catch (err: any) {
+      setError(err.message);
+    } finally {
+      setActionPending(false);
+    }
+  };
+
+  const handleDismiss = async () => {
+    setActionPending(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${encodeURIComponent(requestId)}/dismiss`,
+        { method: "POST" }
+      );
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || t("dismissFailed"));
+      }
+      // Server-rendered list query (`listActiveTenantRequestsByOrgId`)
+      // filters out dismissed rows — refresh to drop this card.
+      router.refresh();
+    } catch (err: any) {
+      setError(err.message);
+    } finally {
+      setActionPending(false);
+    }
+  };
+
+  if (error && !data) {
     return (
       <Card>
         <div className="text-xs text-red-400">{error}</div>
@@ -107,7 +178,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     data.request.tenantName ||
     data.request.agentName;
 
-  // Pending admin approval
+  // ─── Pending: awaiting admin approval ───────────────────────────────
   if (status === "pending") {
     return (
       <Card className="animate-in">
@@ -131,7 +202,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("pendingTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("pendingDescription")}
@@ -150,12 +223,76 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
               </span>
             </p>
           )}
+
+          {/* Bug 6 — owner-only edit + cancel actions while still
+              pending. Once admin acts, both buttons disappear (the
+              status branch changes). */}
+          {canAct && (
+            <div className="flex justify-center gap-2 mt-5">
+              <Link
+                href={`/dashboard/edit/${encodeURIComponent(requestId)}`}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+              >
+                {t("editRequest")}
+              </Link>
+              <button
+                type="button"
+                onClick={() => setConfirmCancel(true)}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-red-500/30 text-red-400 hover:bg-red-500/10 transition-colors"
+              >
+                {t("cancelRequest")}
+              </button>
+            </div>
+          )}
+          {error && (
+            <p className="text-xs text-red-400 mt-3">{error}</p>
+          )}
         </div>
+
+        {confirmCancel && (
+          <div
+            role="dialog"
+            aria-modal="true"
+            className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
+            onClick={(e) => {
+              if (e.target === e.currentTarget) setConfirmCancel(false);
+            }}
+          >
+            <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full">
+              <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+                {t("cancelConfirmRequestTitle")}
+              </h3>
+              <p className="text-sm text-text-secondary mb-5">
+                {t("cancelConfirmRequestDescription")}
+              </p>
+              <div className="flex justify-end gap-2">
+                <button
+                  type="button"
+                  onClick={() => setConfirmCancel(false)}
+                  disabled={actionPending}
+                  className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+                >
+                  {tCommon("cancel")}
+                </button>
+                <button
+                  type="button"
+                  onClick={handleCancel}
+                  disabled={actionPending}
+                  className="text-sm px-4 py-2 rounded-lg bg-red-500 text-white hover:bg-red-600 transition-colors disabled:opacity-50"
+                >
+                  {actionPending
+                    ? tCommon("loading")
+                    : t("cancelRequestConfirm")}
+                </button>
+              </div>
+            </div>
+          </div>
+        )}
       </Card>
     );
   }
 
-  // Rejected
+  // ─── Rejected: admin declined ───────────────────────────────────────
   if (status === "rejected") {
     return (
       <Card className="animate-in">
@@ -179,22 +316,94 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("rejectedTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("rejectedDescription")}
           </p>
           {data.request.adminNotes && (
-            <p className="text-xs text-text-muted mt-3 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
+            <div className="text-left text-xs text-text-secondary mt-4 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
-              {data.request.adminNotes}
+              <div className="font-semibold uppercase tracking-wider text-text-muted text-[10px] mb-1.5">
-            </p>
+                {t("rejectionReason")}
+              </div>
+              <div className="whitespace-pre-wrap">
+                {data.request.adminNotes}
+              </div>
+            </div>
           )}
+          {/* Bug 13: dismiss removes this card from the dashboard but
+              keeps the row in the DB for audit. The customer can also
+              just resubmit via the wizard — both paths are valid. */}
+          {canAct && (
+            <div className="flex justify-center mt-5">
+              <button
+                type="button"
+                onClick={handleDismiss}
+                disabled={actionPending}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
+              >
+                {actionPending ? tCommon("loading") : t("dismiss")}
+              </button>
+            </div>
+          )}
+          {error && <p className="text-xs text-red-400 mt-3">{error}</p>}
         </div>
       </Card>
     );
   }
 
-  // Provisioning in progress (status approved/provisioning, optionally with tenant phase < Ready)
+  // ─── Cancelled: customer cancelled before admin acted (Bug 6) ──────
+  if (status === "cancelled") {
+    return (
+      <Card className="animate-in">
+        <div className="text-center py-6">
+          <div className="h-14 w-14 rounded-xl bg-text-muted/15 flex items-center justify-center mx-auto mb-4">
+            <svg
+              className="h-7 w-7 text-text-muted"
+              fill="none"
+              viewBox="0 0 24 24"
+              stroke="currentColor"
+              strokeWidth={1.5}
+            >
+              <path
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
+              />
+            </svg>
+          </div>
+          <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
+            {t("cancelledTitle")}
+          </h2>
+          {label && (
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
+          )}
+          <p className="text-sm text-text-secondary max-w-sm mx-auto">
+            {t("cancelledDescription")}
+          </p>
+          {canAct && (
+            <div className="flex justify-center mt-5">
+              <button
+                type="button"
+                onClick={handleDismiss}
+                disabled={actionPending}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
+              >
+                {actionPending ? tCommon("loading") : t("dismiss")}
+              </button>
+            </div>
+          )}
+          {error && <p className="text-xs text-red-400 mt-3">{error}</p>}
+        </div>
+      </Card>
+    );
+  }
+
+  // ─── Provisioning: approved, operator working ──────────────────────
   if (
     status === "approved" ||
     status === "provisioning" ||
@@ -213,7 +422,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("provisioningTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary">
             {t("provisioningDescription")}
@@ -249,7 +460,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     );
   }
 
-  // Active / Ready
+  // ─── Active / Ready ─────────────────────────────────────────────────
   if (status === "active") {
     return (
       <Card className="animate-in">
@@ -273,7 +484,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("readyTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto mb-4">
             {t("readyDescription")}

src/components/onboarding/wizard.tsx

@@ -64,6 +64,35 @@ interface WizardProps {
    */
   userName?: string;
   userEmail?: string;
+  /**
+   * Bug 6: when present, the wizard renders in "edit" mode — fields
+   * are pre-populated from the request, the SOUL.md auto-fetch is
+   * skipped (we trust the existing values), and the submit button
+   * PATCHes /api/onboarding/[id] instead of POSTing /api/onboarding.
+   *
+   * Per-package secrets are deliberately NOT pre-filled, even if the
+   * customer originally supplied them — server-side decryption to
+   * the client would be a security regression. The user re-enters
+   * any secrets they want to change; if they leave them blank, the
+   * existing encrypted blob in the DB is preserved by the PATCH
+   * endpoint.
+   */
+  editingRequest?: {
+    id: string;
+    instanceName: string;
+    agentName: string;
+    soulMd: string;
+    agentsMd: string;
+    packages: string[];
+    billingAddress: {
+      company?: string;
+      street?: string;
+      city?: string;
+      postalCode?: string;
+      country?: string;
+    };
+    billingNotes: string;
+  };
   onComplete: () => void;
 }
 
@@ -71,6 +100,7 @@ export function OnboardingWizard({
   orgName,
   userName,
   userEmail,
+  editingRequest,
   onComplete,
 }: WizardProps) {
   const t = useTranslations("onboarding");
@@ -91,30 +121,55 @@ export function OnboardingWizard({
     orgName,
     isPersonal,
   });
+  const isEditing = Boolean(editingRequest);
 
-  const [step, setStep] = useState<Step>("welcome");
+  // Edit mode jumps straight to the configure step — the welcome step
+  // is a first-time onboarding affordance and only adds friction when
+  // the customer is fixing a typo.
+  const [step, setStep] = useState<Step>(isEditing ? "configure" : "welcome");
   const [submitting, setSubmitting] = useState(false);
   const [error, setError] = useState("");
   const [advancedOpen, setAdvancedOpen] = useState(false);
-  const [defaultsLoaded, setDefaultsLoaded] = useState(false);
+  // In edit mode we already have soulMd/agentsMd from the request;
+  // skip the workspace-defaults round trip that would overwrite them.
+  const [defaultsLoaded, setDefaultsLoaded] = useState(isEditing);
 
-  const [config, setConfig] = useState({
+  const [config, setConfig] = useState(() => {
-    instanceName: "",
+    if (editingRequest) {
-    agentName: "Assistant",
+      return {
-    soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
+        instanceName: editingRequest.instanceName,
-    agentsMd: FALLBACK_AGENTS,
+        agentName: editingRequest.agentName,
-    packages: [] as string[],
+        soulMd: editingRequest.soulMd,
-    billingAddress: {
+        agentsMd: editingRequest.agentsMd,
-      // For personal accounts, leave the company field empty — it'll
+        packages: editingRequest.packages,
-      // appear on invoices. The user can still type something if they
+        billingAddress: {
-      // want to.
+          company: editingRequest.billingAddress.company ?? "",
-      company: isPersonal ? "" : displayOrgName,
+          street: editingRequest.billingAddress.street ?? "",
-      street: "",
+          city: editingRequest.billingAddress.city ?? "",
-      city: "",
+          postalCode: editingRequest.billingAddress.postalCode ?? "",
-      postalCode: "",
+          country: editingRequest.billingAddress.country ?? "CH",
-      country: "CH",
+        },
-    },
+        billingNotes: editingRequest.billingNotes,
-    billingNotes: "",
+      };
+    }
+    return {
+      instanceName: "",
+      agentName: "Assistant",
+      soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
+      agentsMd: FALLBACK_AGENTS,
+      packages: [] as string[],
+      billingAddress: {
+        // For personal accounts, leave the company field empty — it'll
+        // appear on invoices. The user can still type something if they
+        // want to.
+        company: isPersonal ? "" : displayOrgName,
+        street: "",
+        city: "",
+        postalCode: "",
+        country: "CH",
+      },
+      billingNotes: "",
+    };
   });
 
   // TOOLS.md preview — readonly, auto-generated
@@ -308,8 +363,17 @@ export function OnboardingWizard({
         }
       }
 
-      const res = await fetch("/api/onboarding", {
+      // Bug 6: edit mode targets the per-row endpoint with PATCH;
-        method: "POST",
+      // create mode targets the collection endpoint with POST. Body
+      // shape is the same — both routes parse it through
+      // onboardingSchema.
+      const url = editingRequest
+        ? `/api/onboarding/${encodeURIComponent(editingRequest.id)}`
+        : "/api/onboarding";
+      const method = editingRequest ? "PATCH" : "POST";
+
+      const res = await fetch(url, {
+        method,
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
           ...config,
@@ -1017,7 +1081,11 @@ export function OnboardingWizard({
               disabled={submitting}
               className="py-2.5 px-6 bg-accent text-white text-sm font-medium rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
             >
-              {submitting ? tCommon("loading") : t("submitRequest")}
+              {submitting
+                ? tCommon("loading")
+                : isEditing
+                ? t("saveChanges")
+                : t("submitRequest")}
             </button>
           </div>
         </Card>

src/components/tenants/subscription-toggle.tsx

@@ -0,0 +1,157 @@
+"use client";
+
+import { useState } from "react";
+import { useRouter } from "next/navigation";
+import { useTranslations } from "next-intl";
+
+interface Props {
+  tenantName: string;
+  /**
+   * Current suspend state — server-derived. The control toggles this
+   * via PATCH /api/tenants/[name]/suspend, then refreshes the route
+   * so server-component-side data (status badge, suspended notice)
+   * re-renders.
+   */
+  suspended: boolean;
+}
+
+/**
+ * SubscriptionToggle — owner-side cancel/resume control (Bug 31).
+ *
+ * Renders a single button that toggles between "Cancel subscription"
+ * (when active) and "Resume subscription" (when suspended). Cancellation
+ * is gated behind a confirmation modal because it's destructive
+ * looking from the user's POV — even though no data is lost, the
+ * AI assistant becomes unavailable until they resume. Resume has no
+ * modal; it's a strict subset of cancellation in terms of risk.
+ *
+ * The control intentionally lives at the bottom of the tenant detail
+ * page rather than next to the status badge — putting it near the
+ * top would invite mis-clicks. Customers who want to cancel scroll
+ * past the running configuration, billing-relevant info, and assigned
+ * users first; that's the right friction level.
+ *
+ * Suspended tenants render a top-of-page banner separately (see the
+ * detail page); this component focuses on the action itself.
+ */
+export function SubscriptionToggle({ tenantName, suspended }: Props) {
+  const t = useTranslations("tenantDetail");
+  const tCommon = useTranslations("common");
+  const router = useRouter();
+
+  const [confirmOpen, setConfirmOpen] = useState(false);
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState("");
+
+  const toggleSuspend = async (next: boolean) => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/suspend`,
+        {
+          method: "PATCH",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ suspend: next }),
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      setConfirmOpen(false);
+      // The status badge + suspended banner are server-rendered, so
+      // a route refresh is the simplest way to reflect the new state.
+      // Optimistic local toggle would diverge from the actual CR if
+      // the operator hasn't observed the patch yet.
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  if (suspended) {
+    return (
+      <div>
+        <button
+          type="button"
+          onClick={() => toggleSuspend(false)}
+          disabled={submitting}
+          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
+        >
+          {submitting ? tCommon("loading") : t("resumeSubscription")}
+        </button>
+        {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+      </div>
+    );
+  }
+
+  return (
+    <div>
+      <button
+        type="button"
+        onClick={() => setConfirmOpen(true)}
+        className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+      >
+        {t("cancelSubscription")}
+      </button>
+      {error && !confirmOpen && (
+        <p className="text-xs text-red-400 mt-2">{error}</p>
+      )}
+
+      {confirmOpen && (
+        <div
+          role="dialog"
+          aria-modal="true"
+          className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
+          onClick={(e) => {
+            if (e.target === e.currentTarget) setConfirmOpen(false);
+          }}
+        >
+          <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full">
+            <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+              {t("cancelConfirmTitle")}
+            </h3>
+            <p className="text-sm text-text-secondary mb-3">
+              {t("cancelConfirmDescription")}
+            </p>
+            <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-5">
+              <li>{t("cancelConfirmBullet1")}</li>
+              <li>{t("cancelConfirmBullet2")}</li>
+              <li>{t("cancelConfirmBullet3")}</li>
+            </ul>
+
+            {error && (
+              <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
+                {error}
+              </div>
+            )}
+
+            <div className="flex justify-end gap-2">
+              <button
+                type="button"
+                onClick={() => setConfirmOpen(false)}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+              >
+                {tCommon("cancel")}
+              </button>
+              <button
+                type="button"
+                onClick={() => toggleSuspend(true)}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg bg-amber-500 text-white hover:bg-amber-600 transition-colors disabled:opacity-50"
+              >
+                {submitting
+                  ? tCommon("loading")
+                  : t("cancelSubscriptionConfirm")}
+              </button>
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}

src/components/ui/status-badge.tsx

@@ -1,18 +1,44 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+
+/**
+ * Visual treatment per phase. Each entry is a Tailwind class string
+ * applied to the badge. The `Pending` style is also used as a fallback
+ * for unknown phases — it's the most neutral colour.
+ *
+ * Slice 7 / Bug 31 added `Suspended`. It uses an amber-on-muted scheme
+ * to read as "intentionally paused" — distinct from `Error` (red) and
+ * `Deleting` (mute grey).
+ */
 const phaseStyles: Record<string, string> = {
-  Running:
+  Running: "bg-success/10 text-success border-success/20",
-    "bg-success/10 text-success border-success/20",
+  Ready: "bg-success/10 text-success border-success/20",
-  Provisioning:
+  Provisioning: "bg-warning/10 text-warning border-warning/20",
-    "bg-warning/10 text-warning border-warning/20",
+  // Reconfiguring shares the warning palette (yellow pulse) but renders
-  Pending:
+  // a distinct label, so customers see it differently from first-time
-    "bg-text-muted/10 text-text-secondary border-border",
+  // provisioning. Useful when packages or channel-users change and the
-  Error:
+  // pod restarts mid-life.
-    "bg-error/10 text-error border-error/20",
+  Reconfiguring: "bg-warning/10 text-warning border-warning/20",
-  Deleting:
+  Pending: "bg-text-muted/10 text-text-secondary border-border",
-    "bg-text-muted/10 text-text-muted border-border",
+  Suspended: "bg-amber-500/10 text-amber-400 border-amber-500/30",
+  Error: "bg-error/10 text-error border-error/20",
+  Deleting: "bg-text-muted/10 text-text-muted border-border",
 };
 
 export function StatusBadge({ phase }: { phase: string }) {
+  const t = useTranslations("phase");
   const style = phaseStyles[phase] ?? phaseStyles.Pending;
+  // Translation lookup with fallback to the raw phase. Keeps things
+  // working if a new operator-side phase ships before the portal has
+  // a label for it.
+  const label = (() => {
+    try {
+      return t(phase);
+    } catch {
+      return phase;
+    }
+  })();
   return (
     <span
       className={`inline-flex items-center gap-1.5 rounded-full border px-2.5 py-0.5 text-xs font-medium ${style}`}
@@ -23,7 +49,10 @@ export function StatusBadge({ phase }: { phase: string }) {
       {phase === "Provisioning" && (
         <span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
       )}
-      {phase}
+      {phase === "Reconfiguring" && (
+        <span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
+      )}
+      {label}
     </span>
   );
 }

src/components/ui/warning-badge.tsx

@@ -0,0 +1,118 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+
+/**
+ * Tenant warning shape received from the operator's status.warnings.
+ * Mirror of the operator's `TenantWarning` type. See
+ * pieced-operator/api/v1alpha1/piecedtenant_types.go.
+ */
+export interface TenantWarning {
+  source: string;
+  reason?: string;
+  message?: string;
+  since?: string;
+}
+
+interface Props {
+  warnings: TenantWarning[];
+}
+
+/**
+ * Renders a small amber warning badge if there are any non-fatal
+ * warnings on the tenant. The badge sits visually next to the phase
+ * StatusBadge — they're separate concepts (phase = lifecycle, warnings
+ * = observed sub-issues) and may both be present at once (e.g. tenant
+ * is `Ready` but has a SkillPacksReady=False warning).
+ *
+ * Hover/focus reveals the warning detail. We don't truncate the message
+ * inside the tooltip; OCI/CRD condition messages tend to be short and
+ * include the actionable detail (which skill, which secret, which
+ * resolver). If a future warning source has a 5-line stacktrace as a
+ * message we'll need a different treatment; cross that bridge then.
+ *
+ * Returns null when there are no warnings — keep render-call sites
+ * simple, they don't have to gate on length themselves.
+ */
+export function WarningBadge({ warnings }: Props) {
+  const t = useTranslations("warnings");
+  if (!warnings || warnings.length === 0) return null;
+
+  const tooltipLabel = (() => {
+    try {
+      return warnings.length === 1
+        ? t("oneTooltip")
+        : t("manyTooltip", { count: warnings.length });
+    } catch {
+      return warnings.length === 1
+        ? "1 warning"
+        : `${warnings.length} warnings`;
+    }
+  })();
+
+  return (
+    <span className="relative group inline-flex">
+      <button
+        type="button"
+        // Button is non-actionable in itself — it exists purely to get
+        // keyboard focus for screen readers and keyboard users, so the
+        // tooltip isn't pointer-only. `aria-label` carries the summary;
+        // the full content is in the tooltip below for sighted users.
+        aria-label={tooltipLabel}
+        className="inline-flex items-center gap-1 rounded-full border border-amber-500/30 bg-amber-500/10 px-2 py-0.5 text-xs font-medium text-amber-400 hover:bg-amber-500/20 focus:outline-none focus:ring-1 focus:ring-amber-400 cursor-help"
+        // No onClick — this is informational, not actionable. Pure
+        // hover/focus widget. tabIndex defaults to 0 for buttons.
+      >
+        <svg
+          viewBox="0 0 24 24"
+          width={12}
+          height={12}
+          fill="none"
+          stroke="currentColor"
+          strokeWidth={2}
+          strokeLinecap="round"
+          strokeLinejoin="round"
+          aria-hidden="true"
+        >
+          <path d="M12 9v4" />
+          <path d="M12 17h.01" />
+          <path d="M10.29 3.86 1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0Z" />
+        </svg>
+        <span>{warnings.length}</span>
+      </button>
+
+      {/*
+        Tooltip. Hidden by default; shown on hover OR focus of the
+        sibling button. Positioned below-right so it doesn't collide with
+        the StatusBadge that typically sits left of this. Constrained
+        width so long messages wrap.
+        z-50 keeps it above table rows / cards.
+      */}
+      <div
+        role="tooltip"
+        className="invisible group-hover:visible group-focus-within:visible absolute left-0 top-full mt-1 z-50 w-72 rounded-lg border border-border bg-surface-1 p-3 shadow-lg text-left"
+      >
+        <div className="text-[10px] uppercase tracking-wider text-text-muted mb-2">
+          {tooltipLabel}
+        </div>
+        <ul className="space-y-2">
+          {warnings.map((w, i) => (
+            <li key={i} className="text-xs">
+              <div className="font-mono text-amber-400 break-all">
+                {w.source}
+              </div>
+              {w.reason && (
+                <div className="text-text-secondary">{w.reason}</div>
+              )}
+              {w.message && (
+                <div className="text-text-secondary mt-0.5 break-words">
+                  {w.message}
+                </div>
+              )}
+            </li>
+          ))}
+        </ul>
+      </div>
+    </span>
+  );
+}

src/lib/db.ts

@@ -1,5 +1,5 @@
 import { Pool } from "pg";
-import type { TenantRequest, TenantRequestStatus } from "@/types";
+import type { BillingAddress, TenantRequest, TenantRequestStatus } from "@/types";
 import { listTenants, getTenant } from "./k8s";
 
 // ---------------------------------------------------------------------------
@@ -72,6 +72,11 @@ const MIGRATION_SQL = `
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS agents_md TEXT;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS instance_name TEXT;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS is_personal BOOLEAN NOT NULL DEFAULT FALSE;
+  -- Bug 13: customer-side dismissal of rejected requests. NULL means "still
+  -- visible on the dashboard"; non-null means "customer clicked Dismiss".
+  -- Pending/approved/active rows keep this NULL by definition — the field
+  -- is only meaningful for rejected and cancelled rows.
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ;
 
   -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
   ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
@@ -250,10 +255,21 @@ export async function listTenantRequestsByOrgId(
 }
 
 /**
- * As {@link listTenantRequestsByOrgId} but excludes terminal-failed states
+ * As {@link listTenantRequestsByOrgId} but tuned for the customer's
- * (rejected, deleted). Useful for the dashboard which wants to show
+ * dashboard view.
- * pending/approved/provisioning/active tenants and pending requests, not
+ *
- * historical rejections.
+ * Returns:
+ *   - All non-terminal rows (pending, approved, provisioning, active),
+ *     because the customer needs to see what's in flight.
+ *   - Terminal-failed rows (rejected, cancelled) that the customer
+ *     hasn't dismissed yet (Bug 13). Without this, a rejection that
+ *     happens while the customer isn't online would only be
+ *     communicated by email — easy to miss.
+ *
+ * Excludes:
+ *   - `deleted` rows (admin tore down the tenant — historical, not
+ *     actionable).
+ *   - Dismissed rejected/cancelled rows.
  */
 export async function listActiveTenantRequestsByOrgId(
   orgId: string
@@ -262,7 +278,8 @@ export async function listActiveTenantRequestsByOrgId(
   const result = await getPool().query<TenantRequest>(
     `SELECT * FROM tenant_requests
        WHERE zitadel_org_id = $1
-         AND status NOT IN ('deleted', 'rejected')
+         AND status <> 'deleted'
+         AND (status NOT IN ('rejected', 'cancelled') OR dismissed_at IS NULL)
        ORDER BY created_at DESC`,
     [orgId]
   );
@@ -354,6 +371,96 @@ export async function clearEncryptedSecrets(requestId: string): Promise<void> {
   );
 }
 
+/**
+ * Set dismissed_at = now() on a request row. Used when a customer
+ * clicks "Dismiss" on a rejected/cancelled card on their dashboard
+ * (Bug 13). The row stays in the database for history/audit but
+ * stops appearing in `listActiveTenantRequestsByOrgId`.
+ *
+ * Idempotent: dismissing an already-dismissed row is a no-op.
+ * Caller is responsible for verifying the row belongs to the user's
+ * org before calling.
+ */
+export async function dismissTenantRequest(id: string): Promise<void> {
+  await ensureSchema();
+  await getPool().query(
+    `UPDATE tenant_requests
+       SET dismissed_at = COALESCE(dismissed_at, now()),
+           updated_at = now()
+     WHERE id = $1`,
+    [id]
+  );
+}
+
+/**
+ * Update editable fields of a still-pending tenant request. Bug 6 — a
+ * customer who notices a typo or wants to add a package after submitting
+ * the wizard should be able to fix it without admin involvement.
+ *
+ * Only the customer-input fields are updateable. `status`, `tenant_name`,
+ * `admin_notes`, `encrypted_secrets`, `is_personal`, `zitadel_*` and
+ * timestamps are managed elsewhere and intentionally not here.
+ *
+ * The caller is responsible for:
+ *   - verifying the row belongs to the user's org
+ *   - verifying status === 'pending' (editing approved/provisioning rows
+ *     would race against the operator)
+ *
+ * Returns the updated row, or null if the id didn't match anything.
+ */
+export async function updateTenantRequestEditableFields(
+  id: string,
+  fields: {
+    instanceName?: string | null;
+    agentName?: string;
+    soulMd?: string;
+    agentsMd?: string | null;
+    packages?: string[];
+    billingAddress?: BillingAddress;
+    billingNotes?: string;
+    encryptedSecrets?: Buffer | null;
+  }
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+
+  const sets: string[] = ["updated_at = now()"];
+  const values: any[] = [id];
+  let idx = 2;
+
+  // Map JS field names to SQL columns. Each entry is gated on
+  // `!== undefined` so passing only some fields just updates those.
+  const colMap: Array<[keyof typeof fields, string]> = [
+    ["instanceName", "instance_name"],
+    ["agentName", "agent_name"],
+    ["soulMd", "soul_md"],
+    ["agentsMd", "agents_md"],
+    ["packages", "packages"],
+    ["billingAddress", "billing_address"],
+    ["billingNotes", "billing_notes"],
+    ["encryptedSecrets", "encrypted_secrets"],
+  ];
+  for (const [jsField, sqlCol] of colMap) {
+    const v = fields[jsField];
+    if (v === undefined) continue;
+    sets.push(`${sqlCol} = $${idx}`);
+    values.push(v);
+    idx++;
+  }
+
+  if (sets.length === 1) {
+    // No editable fields supplied — return the row unchanged rather
+    // than running a useless UPDATE that just bumps updated_at.
+    const cur = await getTenantRequestById(id);
+    return cur;
+  }
+
+  const result = await getPool().query<TenantRequest>(
+    `UPDATE tenant_requests SET ${sets.join(", ")} WHERE id = $1 RETURNING *`,
+    values
+  );
+  return result.rows[0] ? mapRow(result.rows[0]) : null;
+}
+
 /**
  * Wrapper around domain-check.ts that injects the portal's connection pool.
  * Kept here so route handlers don't need direct access to the pool.
@@ -446,6 +553,8 @@ function mapRow(row: any): TenantRequest {
     tenantName: row.tenant_name,
     encryptedSecrets: row.encrypted_secrets ?? null,
     isPersonal: row.is_personal ?? false,
+    dismissedAt:
+      row.dismissed_at?.toISOString?.() ?? row.dismissed_at ?? null,
     createdAt: row.created_at?.toISOString?.() ?? row.created_at,
     updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
   };

src/lib/litellm.ts

@@ -32,12 +32,43 @@ export async function getTeamSpendLogs(
   return litellmFetch(`/global/spend/logs?${params}`);
 }
 
+/**
+ * Fetch one page of spend logs for a team, optionally narrowed to a
+ * single virtual key by alias.
+ *
+ * Slice 2 / Bug 19 context
+ * ------------------------
+ * Teams in LiteLLM are now org-scoped (one team per org), and each
+ * tenant in the org has its own virtual key with `key_alias = tenant
+ * CR name`. Without `keyAlias`, this returns the full team's spend —
+ * which mingles every tenant in the org. The portal's per-tenant
+ * usage view passes `keyAlias` to filter server-side via LiteLLM's
+ * native `key_alias` query param. Confirmed available on the
+ * `/spend/logs/v2` endpoint via OpenAPI introspection — no need to
+ * page-and-post-filter as the previous slice did.
+ *
+ * Why this matters
+ * ----------------
+ * Previous implementation fetched all team pages, then post-filtered
+ * by alias in JS. Two problems: (1) at any reasonable scale this is
+ * O(team_total) memory per request even when only one tenant's data
+ * is needed; (2) more importantly, when called from the customer
+ * dashboard without an explicit alias, the route's "pick the first
+ * visible tenant" fallback meant both Acme tenants showed identical
+ * numbers — the alias used was always the first tenant in the
+ * visible list, regardless of which tenant page was being viewed.
+ *
+ * The route layer above is responsible for resolving the tenant
+ * identity correctly and passing the right alias here. This
+ * function's only job is to pass it through to LiteLLM.
+ */
 export async function getTeamSpendLogsV2(
   teamId: string,
   startDate: string,
   endDate: string,
   page: number = 1,
-  pageSize: number = 100
+  pageSize: number = 100,
+  keyAlias?: string | null
 ) {
   const params = new URLSearchParams({
     team_id: teamId,
@@ -46,6 +77,9 @@ export async function getTeamSpendLogsV2(
     page: String(page),
     page_size: String(pageSize),
   });
+  if (keyAlias) {
+    params.set("key_alias", keyAlias);
+  }
   return litellmFetch(`/spend/logs/v2?${params}`);
 }
 

src/lib/validation.ts

@@ -30,23 +30,73 @@ export const SUPPORTED_COUNTRIES = ["CH", "DE", "AT", "FR", "IT", "LI"] as const
 export type SupportedCountry = (typeof SUPPORTED_COUNTRIES)[number];
 
 /**
- * Billing address — every field required at minimum non-empty length.
+ * Country-specific postal-code patterns. Bug 33: previously a postal
- * Postal code rules vary too much across DACH+ to enforce a single
+ * code could be anything (e.g. "abc"), which broke invoicing.
- * regex usefully; we settle for "non-empty, ≤ 12 chars". Country is a
+ *
- * fixed enum to prevent free-text typos that break invoicing.
+ * Patterns are deliberately conservative — they reject obviously wrong
+ * input but don't try to be exhaustive valid-range checkers (e.g. CH
+ * codes are 1000-9999 in practice but \d{4} accepts 0000; the post
+ * office will reject downstream if it matters). If a future country
+ * has multi-format codes (e.g. UK postcodes with the inner-outer
+ * structure), add it as a regex here rather than trying to fit
+ * every country into the same shape.
  */
-export const billingAddressSchema = z.object({
+const POSTAL_CODE_PATTERNS: Record<SupportedCountry, RegExp> = {
-  // Company line is structurally optional — personal accounts leave it
+  CH: /^\d{4}$/,
-  // empty by design (Bug 2). Server-side, the wizard's UI hides the
+  DE: /^\d{5}$/,
-  // field for personals; the schema just doesn't require it.
+  AT: /^\d{4}$/,
-  company: z.string().trim().max(100).optional().default(""),
+  FR: /^\d{5}$/,
-  street: z.string().trim().min(1, "required").max(200),
+  IT: /^\d{5}$/,
-  postalCode: z.string().trim().min(1, "required").max(12),
+  LI: /^\d{4}$/,
-  city: z.string().trim().min(1, "required").max(100),
+};
-  country: z.enum(SUPPORTED_COUNTRIES, {
+
-    message: "Please choose a country from the list",
+/**
-  }),
+ * Postal-code expectation in human terms — used in error messages so
-});
+ * the user gets a useful hint ("expected 4 digits") rather than just
+ * a regex failure. Keep in sync with POSTAL_CODE_PATTERNS.
+ */
+const POSTAL_CODE_HINTS: Record<SupportedCountry, string> = {
+  CH: "4 digits",
+  DE: "5 digits",
+  AT: "4 digits",
+  FR: "5 digits",
+  IT: "5 digits",
+  LI: "4 digits",
+};
+
+/**
+ * Billing address — every field required at minimum non-empty length.
+ * Postal code is validated against the chosen country (Bug 33). Country
+ * is a fixed enum to prevent free-text typos that break invoicing.
+ *
+ * `superRefine` is the right hook here because we need to look at two
+ * fields (country + postalCode) together. The error path is set on
+ * `postalCode` so the wizard renders the inline error under the right
+ * input rather than at the form root.
+ */
+export const billingAddressSchema = z
+  .object({
+    // Company line is structurally optional — personal accounts leave it
+    // empty by design (Bug 2). Server-side, the wizard's UI hides the
+    // field for personals; the schema just doesn't require it.
+    company: z.string().trim().max(100).optional().default(""),
+    street: z.string().trim().min(1, "required").max(200),
+    postalCode: z.string().trim().min(1, "required").max(12),
+    city: z.string().trim().min(1, "required").max(100),
+    country: z.enum(SUPPORTED_COUNTRIES, {
+      message: "Please choose a country from the list",
+    }),
+  })
+  .superRefine((data, ctx) => {
+    const pattern = POSTAL_CODE_PATTERNS[data.country];
+    if (!pattern.test(data.postalCode)) {
+      ctx.addIssue({
+        code: "custom",
+        path: ["postalCode"],
+        message: `Invalid postal code (expected ${POSTAL_CODE_HINTS[data.country]})`,
+      });
+    }
+  });
 
 export type BillingAddressInput = z.infer<typeof billingAddressSchema>;
 

src/messages/de.json

@@ -20,7 +20,7 @@
     "button": "Weiter mit ZITADEL",
     "footer": "On-Premises gehostet in der Schweiz",
     "noAccount": "Noch kein Konto?",
-    "register": "Firma registrieren"
+    "register": "Konto erstellen"
   },
   "register": {
     "title": "Konto erstellen",
@@ -41,7 +41,7 @@
     "individualHint": "Aktivieren Sie diese Option, wenn Sie sich nicht im Namen eines Unternehmens registrieren. Ihr Konto wird als persönlicher Arbeitsbereich eingerichtet.",
     "accountTypeLabel": "Kontotyp",
     "personalCardTitle": "Privat",
-    "personalCardDescription": "Für Sie persönlich, ohne Firma.",
+    "personalCardDescription": "Für Sie persönlich.",
     "companyCardTitle": "Unternehmen",
     "companyCardDescription": "Für Ihr Unternehmen oder Team."
   },
@@ -100,7 +100,21 @@
     "reviewInstanceDefault": "(Standard — verwendet Firmenname)",
     "reviewNoPackages": "Keine ausgewählt",
     "reviewBillingTo": "Rechnungsempfänger",
-    "reviewContactEmail": "Kontakt-E-Mail"
+    "reviewContactEmail": "Kontakt-E-Mail",
+    "editRequestTitle": "Anfrage bearbeiten",
+    "editRequestDescription": "Passen Sie die Konfiguration an, bevor unser Team sie prüft.",
+    "editRequest": "Bearbeiten",
+    "cancelRequest": "Anfrage stornieren",
+    "cancelRequestConfirm": "Ja, Anfrage stornieren",
+    "cancelConfirmRequestTitle": "Diese Anfrage stornieren?",
+    "cancelConfirmRequestDescription": "Ihre ausstehende Anfrage wird als storniert markiert und aus der Warteschlange entfernt. Sie können jederzeit eine neue Anfrage einreichen.",
+    "cancelFailed": "Anfrage konnte nicht storniert werden.",
+    "cancelledTitle": "Anfrage storniert",
+    "cancelledDescription": "Sie haben diese Anfrage vor der Bearbeitung storniert. Es wurde keine Instanz erstellt.",
+    "dismiss": "Ausblenden",
+    "dismissFailed": "Konnte nicht ausgeblendet werden.",
+    "rejectionReason": "Angegebener Grund",
+    "saveChanges": "Änderungen speichern"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -129,7 +143,21 @@
     "notFound": "Tenant nicht gefunden.",
     "usage": "Nutzung & Kosten",
     "provisioned": "Bereitgestellt",
-    "assignedUsers": "Zugewiesene Benutzer"
+    "assignedUsers": "Zugewiesene Benutzer",
+    "subscriptionTitle": "Abonnement",
+    "subscriptionDescriptionActive": "Kündigen Sie Ihr Abonnement, wenn Sie diesen Assistenten nicht mehr benötigen. Ihre Daten bleiben erhalten und Sie können jederzeit wieder aktivieren.",
+    "subscriptionDescriptionSuspended": "Ihr Abonnement ist gekündigt. Aktivieren Sie es wieder, um den Assistenten online zu bringen.",
+    "cancelSubscription": "Abonnement kündigen",
+    "cancelSubscriptionConfirm": "Ja, kündigen",
+    "resumeSubscription": "Abonnement reaktivieren",
+    "cancelConfirmTitle": "Dieses Abonnement kündigen?",
+    "cancelConfirmDescription": "Ihr Assistent wird nicht mehr verfügbar sein. Sie können jederzeit reaktivieren — Ihre Daten bleiben erhalten.",
+    "cancelConfirmBullet1": "Workspace-Dateien (SOUL.md, AGENTS.md) bleiben erhalten",
+    "cancelConfirmBullet2": "Paket-Anmeldedaten bleiben gespeichert",
+    "cancelConfirmBullet3": "Rechnungsdaten bleiben gespeichert",
+    "subscriptionUpdateFailed": "Abonnement konnte nicht aktualisiert werden.",
+    "suspendedTitle": "Abonnement gekündigt",
+    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen."
   },
   "usage": {
     "inputTokens": "Input-Tokens",
@@ -323,5 +351,19 @@
     "FR": "Frankreich",
     "IT": "Italien",
     "LI": "Liechtenstein"
+  },
+  "phase": {
+    "Pending": "Ausstehend",
+    "Provisioning": "Wird bereitgestellt",
+    "Running": "Aktiv",
+    "Ready": "Bereit",
+    "Suspended": "Pausiert",
+    "Error": "Fehler",
+    "Deleting": "Wird gelöscht",
+    "Reconfiguring": "Wird neu konfiguriert"
+  },
+  "warnings": {
+    "oneTooltip": "1 Warnung",
+    "manyTooltip": "{count} Warnungen"
   }
 }

src/messages/en.json

@@ -20,7 +20,7 @@
     "button": "Continue with ZITADEL",
     "footer": "Hosted on-premises in Switzerland",
     "noAccount": "No account yet?",
-    "register": "Register your company"
+    "register": "Create an account"
   },
   "register": {
     "title": "Create your account",
@@ -41,7 +41,7 @@
     "individualHint": "Tick this if you're not registering on behalf of a company. Your account will be set up as a personal workspace.",
     "accountTypeLabel": "Account type",
     "personalCardTitle": "Personal",
-    "personalCardDescription": "For yourself, no company.",
+    "personalCardDescription": "For yourself.",
     "companyCardTitle": "Company",
     "companyCardDescription": "For your business or team."
   },
@@ -100,7 +100,21 @@
     "reviewInstanceDefault": "(default — uses company name)",
     "reviewNoPackages": "None selected",
     "reviewBillingTo": "Billing to",
-    "reviewContactEmail": "Contact email"
+    "reviewContactEmail": "Contact email",
+    "editRequestTitle": "Edit your request",
+    "editRequestDescription": "Adjust the configuration before our team reviews it.",
+    "editRequest": "Edit",
+    "cancelRequest": "Cancel request",
+    "cancelRequestConfirm": "Yes, cancel request",
+    "cancelConfirmRequestTitle": "Cancel this request?",
+    "cancelConfirmRequestDescription": "Your pending request will be marked as cancelled and removed from the review queue. You can submit a new request at any time.",
+    "cancelFailed": "Could not cancel request.",
+    "cancelledTitle": "Request cancelled",
+    "cancelledDescription": "You cancelled this request before it was processed. No instance was created.",
+    "dismiss": "Dismiss",
+    "dismissFailed": "Could not dismiss.",
+    "rejectionReason": "Reason given",
+    "saveChanges": "Save changes"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -129,7 +143,21 @@
     "notFound": "Tenant not found.",
     "usage": "Usage & Spend",
     "provisioned": "Provisioned",
-    "assignedUsers": "Assigned users"
+    "assignedUsers": "Assigned users",
+    "subscriptionTitle": "Subscription",
+    "subscriptionDescriptionActive": "Cancel your subscription if you no longer need this assistant. Your data will be preserved and you can resume anytime.",
+    "subscriptionDescriptionSuspended": "Your subscription is cancelled. Resume to bring the assistant back online.",
+    "cancelSubscription": "Cancel subscription",
+    "cancelSubscriptionConfirm": "Yes, cancel",
+    "resumeSubscription": "Resume subscription",
+    "cancelConfirmTitle": "Cancel this subscription?",
+    "cancelConfirmDescription": "Your assistant will become unavailable. You can resume anytime — your data is preserved.",
+    "cancelConfirmBullet1": "Workspace files (SOUL.md, AGENTS.md) are kept",
+    "cancelConfirmBullet2": "Package credentials remain stored",
+    "cancelConfirmBullet3": "Billing information is kept on file",
+    "subscriptionUpdateFailed": "Could not update subscription.",
+    "suspendedTitle": "Subscription cancelled",
+    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online."
   },
   "usage": {
     "inputTokens": "Input Tokens",
@@ -323,5 +351,19 @@
     "FR": "France",
     "IT": "Italy",
     "LI": "Liechtenstein"
+  },
+  "phase": {
+    "Pending": "Pending",
+    "Provisioning": "Provisioning",
+    "Running": "Running",
+    "Ready": "Ready",
+    "Suspended": "Suspended",
+    "Error": "Error",
+    "Deleting": "Deleting",
+    "Reconfiguring": "Reconfiguring"
+  },
+  "warnings": {
+    "oneTooltip": "1 warning",
+    "manyTooltip": "{count} warnings"
   }
 }

src/messages/fr.json

@@ -20,7 +20,7 @@
     "button": "Continuer avec ZITADEL",
     "footer": "Hébergé on-premises en Suisse",
     "noAccount": "Pas encore de compte ?",
-    "register": "Enregistrer votre entreprise"
+    "register": "Créer un compte"
   },
   "register": {
     "title": "Créer votre compte",
@@ -41,7 +41,7 @@
     "individualHint": "Cochez cette case si vous ne vous inscrivez pas au nom d'une entreprise. Votre compte sera configuré comme espace de travail personnel.",
     "accountTypeLabel": "Type de compte",
     "personalCardTitle": "Particulier",
-    "personalCardDescription": "Pour vous, sans entreprise.",
+    "personalCardDescription": "Pour vous.",
     "companyCardTitle": "Entreprise",
     "companyCardDescription": "Pour votre entreprise ou équipe."
   },
@@ -100,7 +100,21 @@
     "reviewInstanceDefault": "(par défaut — utilise le nom de l'entreprise)",
     "reviewNoPackages": "Aucun sélectionné",
     "reviewBillingTo": "Facturer à",
-    "reviewContactEmail": "E-mail de contact"
+    "reviewContactEmail": "E-mail de contact",
+    "editRequestTitle": "Modifier votre demande",
+    "editRequestDescription": "Ajustez la configuration avant que notre équipe ne l'examine.",
+    "editRequest": "Modifier",
+    "cancelRequest": "Annuler la demande",
+    "cancelRequestConfirm": "Oui, annuler la demande",
+    "cancelConfirmRequestTitle": "Annuler cette demande ?",
+    "cancelConfirmRequestDescription": "Votre demande en attente sera marquée comme annulée et retirée de la file. Vous pouvez soumettre une nouvelle demande à tout moment.",
+    "cancelFailed": "Impossible d'annuler la demande.",
+    "cancelledTitle": "Demande annulée",
+    "cancelledDescription": "Vous avez annulé cette demande avant son traitement. Aucune instance n'a été créée.",
+    "dismiss": "Masquer",
+    "dismissFailed": "Impossible de masquer.",
+    "rejectionReason": "Motif indiqué",
+    "saveChanges": "Enregistrer les modifications"
   },
   "dashboard": {
     "title": "Tableau de bord",
@@ -129,7 +143,21 @@
     "notFound": "Locataire non trouvé.",
     "usage": "Utilisation et coûts",
     "provisioned": "Provisionné",
-    "assignedUsers": "Utilisateurs attribués"
+    "assignedUsers": "Utilisateurs attribués",
+    "subscriptionTitle": "Abonnement",
+    "subscriptionDescriptionActive": "Annulez votre abonnement si vous n'avez plus besoin de cet assistant. Vos données seront conservées et vous pourrez reprendre à tout moment.",
+    "subscriptionDescriptionSuspended": "Votre abonnement est annulé. Reprenez pour remettre l'assistant en ligne.",
+    "cancelSubscription": "Annuler l'abonnement",
+    "cancelSubscriptionConfirm": "Oui, annuler",
+    "resumeSubscription": "Reprendre l'abonnement",
+    "cancelConfirmTitle": "Annuler cet abonnement ?",
+    "cancelConfirmDescription": "Votre assistant sera indisponible. Vous pouvez reprendre à tout moment — vos données sont préservées.",
+    "cancelConfirmBullet1": "Les fichiers de l'espace de travail (SOUL.md, AGENTS.md) sont conservés",
+    "cancelConfirmBullet2": "Les identifiants des packages restent stockés",
+    "cancelConfirmBullet3": "Les informations de facturation sont conservées",
+    "subscriptionUpdateFailed": "Impossible de mettre à jour l'abonnement.",
+    "suspendedTitle": "Abonnement annulé",
+    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne."
   },
   "usage": {
     "inputTokens": "Tokens d'entrée",
@@ -323,5 +351,19 @@
     "FR": "France",
     "IT": "Italie",
     "LI": "Liechtenstein"
+  },
+  "phase": {
+    "Pending": "En attente",
+    "Provisioning": "Mise en service",
+    "Running": "Actif",
+    "Ready": "Prêt",
+    "Suspended": "Suspendu",
+    "Error": "Erreur",
+    "Deleting": "Suppression",
+    "Reconfiguring": "Reconfiguration"
+  },
+  "warnings": {
+    "oneTooltip": "1 avertissement",
+    "manyTooltip": "{count} avertissements"
   }
 }

src/messages/it.json

@@ -20,7 +20,7 @@
     "button": "Continua con ZITADEL",
     "footer": "Ospitato on-premises in Svizzera",
     "noAccount": "Non hai ancora un account?",
-    "register": "Registra la tua azienda"
+    "register": "Crea un account"
   },
   "register": {
     "title": "Crea il tuo account",
@@ -41,7 +41,7 @@
     "individualHint": "Seleziona questa opzione se non ti stai registrando per conto di un'azienda. Il tuo account sarà configurato come area di lavoro personale.",
     "accountTypeLabel": "Tipo di account",
     "personalCardTitle": "Privato",
-    "personalCardDescription": "Per lei, senza azienda.",
+    "personalCardDescription": "Per lei.",
     "companyCardTitle": "Azienda",
     "companyCardDescription": "Per la sua azienda o team."
   },
@@ -100,7 +100,21 @@
     "reviewInstanceDefault": "(predefinito — usa il nome dell'azienda)",
     "reviewNoPackages": "Nessuno selezionato",
     "reviewBillingTo": "Fatturare a",
-    "reviewContactEmail": "Email di contatto"
+    "reviewContactEmail": "Email di contatto",
+    "editRequestTitle": "Modifica la sua richiesta",
+    "editRequestDescription": "Modifichi la configurazione prima che il nostro team la esamini.",
+    "editRequest": "Modifica",
+    "cancelRequest": "Annulla richiesta",
+    "cancelRequestConfirm": "Sì, annulla la richiesta",
+    "cancelConfirmRequestTitle": "Annullare questa richiesta?",
+    "cancelConfirmRequestDescription": "La sua richiesta in attesa sarà contrassegnata come annullata e rimossa dalla coda di revisione. Può inviare una nuova richiesta in qualsiasi momento.",
+    "cancelFailed": "Impossibile annullare la richiesta.",
+    "cancelledTitle": "Richiesta annullata",
+    "cancelledDescription": "Lei ha annullato questa richiesta prima dell'elaborazione. Nessuna istanza è stata creata.",
+    "dismiss": "Nascondi",
+    "dismissFailed": "Impossibile nascondere.",
+    "rejectionReason": "Motivo indicato",
+    "saveChanges": "Salva modifiche"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -129,7 +143,21 @@
     "notFound": "Tenant non trovato.",
     "usage": "Utilizzo e costi",
     "provisioned": "Attivato",
-    "assignedUsers": "Utenti assegnati"
+    "assignedUsers": "Utenti assegnati",
+    "subscriptionTitle": "Abbonamento",
+    "subscriptionDescriptionActive": "Annulli il suo abbonamento se non ha più bisogno di questo assistente. I suoi dati saranno preservati e potrà riprendere in qualsiasi momento.",
+    "subscriptionDescriptionSuspended": "Il suo abbonamento è annullato. Riprenda per riportare l'assistente online.",
+    "cancelSubscription": "Annulla abbonamento",
+    "cancelSubscriptionConfirm": "Sì, annulla",
+    "resumeSubscription": "Riprendi abbonamento",
+    "cancelConfirmTitle": "Annullare questo abbonamento?",
+    "cancelConfirmDescription": "Il suo assistente diventerà non disponibile. Può riprendere in qualsiasi momento — i suoi dati sono preservati.",
+    "cancelConfirmBullet1": "I file del workspace (SOUL.md, AGENTS.md) sono mantenuti",
+    "cancelConfirmBullet2": "Le credenziali dei pacchetti rimangono memorizzate",
+    "cancelConfirmBullet3": "Le informazioni di fatturazione sono mantenute",
+    "subscriptionUpdateFailed": "Impossibile aggiornare l'abbonamento.",
+    "suspendedTitle": "Abbonamento annullato",
+    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online."
   },
   "usage": {
     "inputTokens": "Token di input",
@@ -323,5 +351,19 @@
     "FR": "Francia",
     "IT": "Italia",
     "LI": "Liechtenstein"
+  },
+  "phase": {
+    "Pending": "In attesa",
+    "Provisioning": "In provisioning",
+    "Running": "Attivo",
+    "Ready": "Pronto",
+    "Suspended": "Sospeso",
+    "Error": "Errore",
+    "Deleting": "Eliminazione",
+    "Reconfiguring": "Riconfigurazione"
+  },
+  "warnings": {
+    "oneTooltip": "1 avviso",
+    "manyTooltip": "{count} avvisi"
   }
 }

src/types/index.ts

@@ -78,7 +78,15 @@ export interface PiecedTenantSpec {
 }
 
 export interface PiecedTenantStatus {
-  phase: "Pending" | "Provisioning" | "Running" | "Ready" | "Error" | "Deleting";
+  phase:
+    | "Pending"
+    | "Provisioning"
+    | "Running"
+    | "Ready"
+    | "Reconfiguring"
+    | "Suspended"
+    | "Error"
+    | "Deleting";
   message?: string;
   observedGeneration?: number;
   /**
@@ -95,6 +103,21 @@ export interface PiecedTenantStatus {
   litellmKeyAlias?: string;
   tenantNamespace?: string;
   enabledPackages?: string[];
+  /**
+   * Non-fatal issues from downstream resources surfaced by the operator
+   * (e.g. an OpenClawInstance sub-condition reporting failure). The
+   * tenant is still usable — these are informational, rendered as a
+   * warning badge alongside the phase.
+   *
+   * `source` is "<Kind>/<ConditionType>" e.g. "OpenClawInstance/SkillPacksReady".
+   * `message` is shown in the tooltip when the user hovers the badge.
+   */
+  warnings?: Array<{
+    source: string;
+    reason?: string;
+    message?: string;
+    since?: string;
+  }>;
   conditions?: Array<{
     type: string;
     status: string;
@@ -162,6 +185,7 @@ export type TenantRequestStatus =
   | "provisioning" // PiecedTenant CR created, operator reconciling
   | "active" // Tenant running
   | "rejected" // Admin rejected
+  | "cancelled" // Customer cancelled before admin acted on it (Bug 6)
   | "deleted"; // Tenant was deleted by admin
 
 export interface TenantRequest {
@@ -195,6 +219,14 @@ export interface TenantRequest {
    * domain-uniqueness check on subsequent registrations.
    */
   isPersonal?: boolean;
+  /**
+   * Bug 13: when set, the customer has explicitly dismissed a rejected
+   * request from their dashboard. Used by `listActiveTenantRequestsByOrgId`
+   * to keep showing rejected rows until they're dismissed (so a customer
+   * who wasn't online when the rejection happened still sees it on next
+   * login). Always null for non-rejected statuses.
+   */
+  dismissedAt?: string | null;
   createdAt: string;
   updatedAt: string;
 }