Group D fixes

src/app/[locale]/dashboard/edit/[id]/page.tsx

@@ -0,0 +1,87 @@
+import { getSessionUser, canMutate } from "@/lib/session";
+import { redirect } from "next/navigation";
+import { getTranslations } from "next-intl/server";
+import { getTenantRequestById } from "@/lib/db";
+import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
+import { BackLink } from "@/components/ui/back-link";
+
+/**
+ * /dashboard/edit/[id] — re-opens the onboarding wizard with the
+ * fields of a still-pending request pre-filled (Bug 6). On submit,
+ * the wizard PATCHes /api/onboarding/[id] instead of POSTing to
+ * /api/onboarding.
+ *
+ * Hard guards
+ * -----------
+ * - Logged-in customer owner (or platform user) only — same as the
+ *   /dashboard/new page.
+ * - Request must exist, belong to the caller's org, and be in 'pending'
+ *   status. Editing approved/provisioning rows would race against the
+ *   operator; we redirect such cases back to the dashboard rather than
+ *   render an invalid wizard.
+ *
+ * Pre-fill
+ * --------
+ * The wizard takes a single `editingRequest` prop — when present, it
+ * (a) pre-populates state from those values and (b) targets the PATCH
+ * endpoint on submit. When absent, it behaves exactly as today (POST
+ * to /api/onboarding).
+ *
+ * Note on encrypted secrets
+ * -------------------------
+ * Per-package secrets are NEVER decrypted server-side and exposed to
+ * the client (would be a clear security regression). When editing,
+ * the wizard opens with empty secret fields and the user re-enters
+ * any they want to change. If they don't touch the package-secrets
+ * UI, the existing encrypted blob in the DB is preserved by the
+ * PATCH endpoint (it only re-encrypts when the wizard sends a
+ * non-empty secrets payload).
+ */
+export default async function EditRequestPage({
+  params,
+}: {
+  params: Promise<{ id: string; locale: string }>;
+}) {
+  const { id } = await params;
+  const user = await getSessionUser();
+  if (!user) redirect("/login");
+  if (user.isPlatform) redirect("/dashboard");
+  if (!canMutate(user)) redirect("/dashboard");
+
+  const tr = await getTenantRequestById(id);
+  if (!tr) redirect("/dashboard");
+  if (tr.zitadelOrgId !== user.orgId) redirect("/dashboard");
+  if (tr.status !== "pending") redirect("/dashboard");
+
+  const t = await getTranslations("dashboard");
+  const tOnboarding = await getTranslations("onboarding");
+
+  return (
+    <div className="container max-w-3xl mx-auto px-4 py-8">
+      <div className="mb-8 animate-in">
+        <BackLink href="/dashboard" label={t("title")} />
+        <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
+          {tOnboarding("editRequestTitle")}
+        </h1>
+        <p className="text-sm text-text-secondary">
+          {tOnboarding("editRequestDescription")}
+        </p>
+      </div>
+      <OnboardingFlow
+        orgName={user.orgName}
+        userName={user.name}
+        userEmail={user.email}
+        editingRequest={{
+          id: tr.id,
+          instanceName: tr.instanceName ?? "",
+          agentName: tr.agentName,
+          soulMd: tr.soulMd ?? "",
+          agentsMd: tr.agentsMd ?? "",
+          packages: tr.packages,
+          billingAddress: tr.billingAddress,
+          billingNotes: tr.billingNotes ?? "",
+        }}
+      />
+    </div>
+  );
+}

src/app/[locale]/dashboard/page.tsx

@@ -315,7 +315,11 @@ export default async function DashboardPage() {
           </h2>
           <div className="space-y-3">
             {inflightRequests.map((r) => (
-              <ProvisioningStatus key={r.id} requestId={r.id} />
+              <ProvisioningStatus
+                key={r.id}
+                requestId={r.id}
+                canAct={canMutate(user)}
+              />
             ))}
           </div>
         </div>

src/app/api/onboarding/[id]/dismiss/route.ts

@@ -0,0 +1,65 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { dismissTenantRequest, getTenantRequestById } from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * POST /api/onboarding/[id]/dismiss
+ *
+ * Customer-side acknowledgement of a rejected or cancelled request
+ * (Bug 13). Sets `dismissed_at = now()` so the row stops appearing
+ * in the dashboard's `listActiveTenantRequestsByOrgId` query. The
+ * row itself is preserved for audit.
+ *
+ * Authorization mirrors the GET / DELETE / PATCH endpoints on this
+ * resource: customer owners (or platform staff) of the row's org.
+ *
+ * Idempotent: dismissing an already-dismissed request returns 200
+ * with no change. We refuse to dismiss non-terminal rows (pending,
+ * approved, provisioning, active) — those are still actionable, and
+ * "hiding" them would stash live state from the customer.
+ */
+export async function POST(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { id } = await params;
+  const tr = await getTenantRequestById(id);
+  if (!tr) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (tr.status !== "rejected" && tr.status !== "cancelled") {
+    return NextResponse.json(
+      {
+        error:
+          "Only rejected or cancelled requests can be dismissed. Active requests stay visible.",
+        code: "not_dismissable",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  try {
+    await dismissTenantRequest(id);
+    return NextResponse.json({ message: "Dismissed.", id });
+  } catch (e: any) {
+    console.error("Failed to dismiss request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to dismiss request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/[id]/route.ts

@@ -0,0 +1,207 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import {
+  getTenantRequestById,
+  updateTenantRequestStatus,
+  updateTenantRequestEditableFields,
+} from "@/lib/db";
+import { encryptSecrets } from "@/lib/crypto";
+import { onboardingSchema } from "@/lib/validation";
+import { safeError } from "@/lib/errors";
+
+/**
+ * Customer-side controls for a single tenant_request row.
+ *
+ *   - DELETE /api/onboarding/[id]  → cancel a still-pending request
+ *   - PATCH  /api/onboarding/[id]  → edit fields of a still-pending
+ *                                    request (Bug 6)
+ *
+ * Both endpoints share the same authorization check: the caller must
+ * be a customer owner (or platform staff) of the request's org. We
+ * also enforce status === 'pending' on the row — once an admin has
+ * acted on it, the customer can no longer mutate it from the portal.
+ *
+ * Reading these is via the existing GET /api/onboarding?id=... handler.
+ */
+
+async function loadAuthorized(
+  id: string
+): Promise<
+  | { error: NextResponse }
+  | { req: Awaited<ReturnType<typeof getTenantRequestById>>; }
+> {
+  const user = await getSessionUser();
+  if (!user) {
+    return {
+      error: NextResponse.json({ error: "Unauthorized" }, { status: 401 }),
+    };
+  }
+  if (!canMutate(user)) {
+    return {
+      error: NextResponse.json({ error: "Forbidden" }, { status: 403 }),
+    };
+  }
+  const tr = await getTenantRequestById(id);
+  if (!tr) {
+    return {
+      error: NextResponse.json({ error: "Not found" }, { status: 404 }),
+    };
+  }
+  // Customers may only read their own org's requests; platform users
+  // may read any. Same scope as `GET /api/onboarding?id=...`.
+  if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+    return {
+      error: NextResponse.json({ error: "Not found" }, { status: 404 }),
+    };
+  }
+  return { req: tr };
+}
+
+/**
+ * DELETE /api/onboarding/[id]
+ *
+ * Customer cancels a still-pending request. Status flips to 'cancelled';
+ * the row is preserved for audit. The customer can dismiss the
+ * cancelled card afterwards (Bug 13 reuse — same dismissal mechanism).
+ *
+ * Once admin has approved/provisioned/rejected, this endpoint refuses
+ * (409). Cancelling a tenant that's already running goes through the
+ * subscription-suspend flow on the tenant detail page, not here.
+ */
+export async function DELETE(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const loaded = await loadAuthorized(id);
+  if ("error" in loaded) return loaded.error;
+  const tr = loaded.req!;
+
+  if (tr.status !== "pending") {
+    return NextResponse.json(
+      {
+        error:
+          "Only pending requests can be cancelled. Approved or provisioning instances must be managed from the tenant page.",
+        code: "not_pending",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  try {
+    await updateTenantRequestStatus(id, "cancelled");
+    return NextResponse.json({ message: "Request cancelled.", id });
+  } catch (e: any) {
+    console.error("Failed to cancel request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to cancel request") },
+      { status: 500 }
+    );
+  }
+}
+
+/**
+ * PATCH /api/onboarding/[id]
+ *
+ * Customer edits a still-pending request. Validation is the same as on
+ * POST /api/onboarding (shared schema). Only customer-input fields are
+ * editable; status/tenant_name/admin_notes/etc. are server-managed.
+ *
+ * Note on company-level fields
+ * ----------------------------
+ * For a follow-up instance (org has prior approved rows), the POST
+ * handler intentionally ignores the wizard's billingAddress and uses
+ * the on-file value instead. We mirror that here: company-level fields
+ * (companyName, contactName, contactEmail, billingAddress) on a
+ * follow-up edit are NOT updated through this endpoint. The customer
+ * should use a future settings page (Bug 11) for those. For now,
+ * editing only mutates per-instance fields — agent name, instance
+ * name, packages, soulMd, agentsMd, billingNotes, packageSecrets.
+ *
+ * For the FIRST instance (no prior approved rows), billingAddress IS
+ * editable here, since the customer is still defining their company's
+ * billing data.
+ */
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const loaded = await loadAuthorized(id);
+  if ("error" in loaded) return loaded.error;
+  const tr = loaded.req!;
+
+  if (tr.status !== "pending") {
+    return NextResponse.json(
+      {
+        error: "Only pending requests can be edited.",
+        code: "not_pending",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  const body = await req.json().catch(() => null);
+  const parsed = onboardingSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: "Invalid input", details: parsed.error.flatten() },
+      { status: 400 }
+    );
+  }
+  const input = parsed.data;
+
+  // Re-encrypt package secrets if present in the patch body. When the
+  // user re-opens the wizard to edit, the secrets array is populated
+  // afresh from the wizard (we never decrypt and return existing
+  // secrets — that'd be a security regression). If the user didn't
+  // touch any secret-bearing package, the wizard sends no
+  // packageSecrets and we leave the existing encrypted blob alone.
+  let encryptedSecrets: Buffer | null | undefined;
+  if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {
+    try {
+      encryptedSecrets = await encryptSecrets(input.packageSecrets);
+    } catch (e: any) {
+      console.error("Failed to encrypt package secrets:", e);
+      return NextResponse.json(
+        { error: "Failed to secure credentials. Please try again." },
+        { status: 500 }
+      );
+    }
+  }
+
+  // Only first-instance edits get billingAddress; follow-ups inherit
+  // company billing from the on-file approved row.
+  const isFirstInstance = !tr.tenantName; // approximation; covers the
+  // "no prior approved row for this org" case the POST handler treats
+  // identically. A more rigorous check would call
+  // getMostRecentApprovedRequestForOrg, but in practice an org with
+  // an approved row for some other tenant has a tenantName on those
+  // rows, not on the pending one being edited — so the simple check
+  // here is fine for the only state the endpoint accepts (pending).
+
+  try {
+    const updated = await updateTenantRequestEditableFields(id, {
+      instanceName: input.instanceName,
+      agentName: input.agentName,
+      soulMd: input.soulMd,
+      agentsMd: input.agentsMd,
+      packages: input.packages ?? [],
+      billingAddress: isFirstInstance ? input.billingAddress : undefined,
+      billingNotes: input.billingNotes,
+      encryptedSecrets,
+    });
+    if (!updated) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+    return NextResponse.json({ message: "Request updated.", id });
+  } catch (e: any) {
+    console.error("Failed to edit request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to edit request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/route.ts

@@ -24,15 +24,33 @@ import { z } from "zod";
  * Helper: shape a TenantRequest row for client consumption.
  * Hides server-only fields (encryptedSecrets, internal db ids).
  */
+/**
+ * Helper: shape a TenantRequest row for client consumption.
+ * Hides server-only fields (encryptedSecrets, internal db ids).
+ *
+ * Slice 7 / Bug 6: surfaces enough fields for the customer-side edit
+ * flow to pre-fill the wizard. soulMd, agentsMd, billingAddress,
+ * billingNotes were previously kept off the public shape because the
+ * pre-Slice-3 dashboard didn't render them. Edit needs them.
+ *
+ * Bug 13: surfaces dismissedAt so the dashboard can distinguish
+ * "freshly rejected, show prominently" from "rejected and acknowledged,
+ * keep hidden" without an extra API call.
+ */
 function publicRequestShape(r: TenantRequest) {
   return {
     id: r.id,
     instanceName: r.instanceName,
     agentName: r.agentName,
+    soulMd: r.soulMd,
+    agentsMd: r.agentsMd,
     packages: r.packages,
+    billingAddress: r.billingAddress,
+    billingNotes: r.billingNotes,
     status: r.status,
     adminNotes: r.adminNotes,
     tenantName: r.tenantName,
+    dismissedAt: r.dismissedAt ?? null,
     createdAt: r.createdAt,
     updatedAt: r.updatedAt,
   };

src/components/onboarding/onboarding-flow.tsx

@@ -12,6 +12,14 @@ interface OnboardingFlowProps {
    */
   userName?: string;
   userEmail?: string;
+  /**
+   * Bug 6: when present, the wizard is rendered in edit mode against
+   * the given pending request. See `OnboardingWizard` for the full
+   * shape and behavioural contract.
+   */
+  editingRequest?: React.ComponentProps<
+    typeof OnboardingWizard
+  >["editingRequest"];
 }
 
 /**
@@ -29,6 +37,7 @@ export function OnboardingFlow({
   orgName,
   userName,
   userEmail,
+  editingRequest,
 }: OnboardingFlowProps) {
   const router = useRouter();
 
@@ -37,6 +46,7 @@ export function OnboardingFlow({
       orgName={orgName}
       userName={userName}
       userEmail={userEmail}
+      editingRequest={editingRequest}
       onComplete={() => {
         // Navigate back to /dashboard and re-fetch on the server. The
         // parent server component will see the new `pending` row and

src/components/onboarding/provisioning-status.tsx

@@ -1,6 +1,8 @@
 "use client";
 
 import { useState, useEffect, useCallback } from "react";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
 import { useTranslations, useFormatter } from "next-intl";
 import { Card } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
@@ -14,6 +16,7 @@ interface RequestSummary {
   status: string;
   adminNotes?: string;
   tenantName?: string;
+  dismissedAt?: string | null;
   createdAt?: string;
   updatedAt?: string;
 }
@@ -36,21 +39,42 @@ interface SingleRequestState {
   tenant: TenantSummary | null;
 }
 
+interface Props {
+  requestId: string;
+  /**
+   * Whether the viewer can act on this request — cancel a pending one,
+   * dismiss a rejected one, etc. True for owner + platform; false for
+   * `user`-role customers (who shouldn't see in-flight requests at all,
+   * but defence in depth — `canSeeInflightRequests` already gates the
+   * dashboard side).
+   */
+  canAct: boolean;
+}
+
 /**
  * ProvisioningStatus
  *
  * Polls /api/onboarding?id=<requestId> every 5s until the request reaches
- * a terminal state. Slice 3: takes a `requestId` prop so multiple of these
+ * a terminal state. Slice 3: takes a `requestId` prop so multiple of
- * can render on the same dashboard for different in-flight requests.
+ * these can render on the same dashboard for different in-flight
+ * requests.
  *
- * The pre-Slice-3 version polled /api/onboarding with no params and
+ * Slice 7 / Bug 6 + 13:
- * assumed one-request-per-org — that endpoint shape is gone now.
+ *   - pending → cancel + edit buttons
+ *   - rejected → admin notes block + dismiss button
+ *   - cancelled → small acknowledgement card + dismiss button
+ *   - terminal Ready/Active states unchanged
  */
-export function ProvisioningStatus({ requestId }: { requestId: string }) {
+export function ProvisioningStatus({ requestId, canAct }: Props) {
   const t = useTranslations("onboarding");
+  const tCommon = useTranslations("common");
   const f = useFormatter();
+  const router = useRouter();
+
   const [data, setData] = useState<SingleRequestState | null>(null);
   const [error, setError] = useState("");
+  const [actionPending, setActionPending] = useState(false);
+  const [confirmCancel, setConfirmCancel] = useState(false);
 
   const poll = useCallback(async () => {
     try {
@@ -67,11 +91,11 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
 
   useEffect(() => {
     poll();
-
     const status = data?.request?.status;
     const phase = data?.tenant?.phase;
     const terminal =
       status === "rejected" ||
+      status === "cancelled" ||
       status === "active" ||
       phase === "Ready" ||
       phase === "Running";
@@ -82,7 +106,54 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     return () => clearInterval(interval);
   }, [poll, data?.request?.status, data?.tenant?.phase]);
 
-  if (error) {
+  const handleCancel = async () => {
+    setActionPending(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${encodeURIComponent(requestId)}`,
+        { method: "DELETE" }
+      );
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || t("cancelFailed"));
+      }
+      setConfirmCancel(false);
+      // Re-poll so the card transitions to "cancelled" state without a
+      // full route refresh — the dashboard's surrounding tenant cards
+      // are unaffected.
+      await poll();
+      router.refresh();
+    } catch (err: any) {
+      setError(err.message);
+    } finally {
+      setActionPending(false);
+    }
+  };
+
+  const handleDismiss = async () => {
+    setActionPending(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${encodeURIComponent(requestId)}/dismiss`,
+        { method: "POST" }
+      );
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || t("dismissFailed"));
+      }
+      // Server-rendered list query (`listActiveTenantRequestsByOrgId`)
+      // filters out dismissed rows — refresh to drop this card.
+      router.refresh();
+    } catch (err: any) {
+      setError(err.message);
+    } finally {
+      setActionPending(false);
+    }
+  };
+
+  if (error && !data) {
     return (
       <Card>
         <div className="text-xs text-red-400">{error}</div>
@@ -107,7 +178,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     data.request.tenantName ||
     data.request.agentName;
 
-  // Pending admin approval
+  // ─── Pending: awaiting admin approval ───────────────────────────────
   if (status === "pending") {
     return (
       <Card className="animate-in">
@@ -131,7 +202,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("pendingTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("pendingDescription")}
@@ -150,12 +223,76 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
               </span>
             </p>
           )}
+
+          {/* Bug 6 — owner-only edit + cancel actions while still
+              pending. Once admin acts, both buttons disappear (the
+              status branch changes). */}
+          {canAct && (
+            <div className="flex justify-center gap-2 mt-5">
+              <Link
+                href={`/dashboard/edit/${encodeURIComponent(requestId)}`}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+              >
+                {t("editRequest")}
+              </Link>
+              <button
+                type="button"
+                onClick={() => setConfirmCancel(true)}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-red-500/30 text-red-400 hover:bg-red-500/10 transition-colors"
+              >
+                {t("cancelRequest")}
+              </button>
             </div>
+          )}
+          {error && (
+            <p className="text-xs text-red-400 mt-3">{error}</p>
+          )}
+        </div>
+
+        {confirmCancel && (
+          <div
+            role="dialog"
+            aria-modal="true"
+            className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
+            onClick={(e) => {
+              if (e.target === e.currentTarget) setConfirmCancel(false);
+            }}
+          >
+            <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full">
+              <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+                {t("cancelConfirmRequestTitle")}
+              </h3>
+              <p className="text-sm text-text-secondary mb-5">
+                {t("cancelConfirmRequestDescription")}
+              </p>
+              <div className="flex justify-end gap-2">
+                <button
+                  type="button"
+                  onClick={() => setConfirmCancel(false)}
+                  disabled={actionPending}
+                  className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+                >
+                  {tCommon("cancel")}
+                </button>
+                <button
+                  type="button"
+                  onClick={handleCancel}
+                  disabled={actionPending}
+                  className="text-sm px-4 py-2 rounded-lg bg-red-500 text-white hover:bg-red-600 transition-colors disabled:opacity-50"
+                >
+                  {actionPending
+                    ? tCommon("loading")
+                    : t("cancelRequestConfirm")}
+                </button>
+              </div>
+            </div>
+          </div>
+        )}
       </Card>
     );
   }
 
-  // Rejected
+  // ─── Rejected: admin declined ───────────────────────────────────────
   if (status === "rejected") {
     return (
       <Card className="animate-in">
@@ -179,22 +316,94 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("rejectedTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("rejectedDescription")}
           </p>
           {data.request.adminNotes && (
-            <p className="text-xs text-text-muted mt-3 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
+            <div className="text-left text-xs text-text-secondary mt-4 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
+              <div className="font-semibold uppercase tracking-wider text-text-muted text-[10px] mb-1.5">
+                {t("rejectionReason")}
+              </div>
+              <div className="whitespace-pre-wrap">
                 {data.request.adminNotes}
-            </p>
+              </div>
+            </div>
           )}
+          {/* Bug 13: dismiss removes this card from the dashboard but
+              keeps the row in the DB for audit. The customer can also
+              just resubmit via the wizard — both paths are valid. */}
+          {canAct && (
+            <div className="flex justify-center mt-5">
+              <button
+                type="button"
+                onClick={handleDismiss}
+                disabled={actionPending}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
+              >
+                {actionPending ? tCommon("loading") : t("dismiss")}
+              </button>
+            </div>
+          )}
+          {error && <p className="text-xs text-red-400 mt-3">{error}</p>}
         </div>
       </Card>
     );
   }
 
-  // Provisioning in progress (status approved/provisioning, optionally with tenant phase < Ready)
+  // ─── Cancelled: customer cancelled before admin acted (Bug 6) ──────
+  if (status === "cancelled") {
+    return (
+      <Card className="animate-in">
+        <div className="text-center py-6">
+          <div className="h-14 w-14 rounded-xl bg-text-muted/15 flex items-center justify-center mx-auto mb-4">
+            <svg
+              className="h-7 w-7 text-text-muted"
+              fill="none"
+              viewBox="0 0 24 24"
+              stroke="currentColor"
+              strokeWidth={1.5}
+            >
+              <path
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
+              />
+            </svg>
+          </div>
+          <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
+            {t("cancelledTitle")}
+          </h2>
+          {label && (
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
+          )}
+          <p className="text-sm text-text-secondary max-w-sm mx-auto">
+            {t("cancelledDescription")}
+          </p>
+          {canAct && (
+            <div className="flex justify-center mt-5">
+              <button
+                type="button"
+                onClick={handleDismiss}
+                disabled={actionPending}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
+              >
+                {actionPending ? tCommon("loading") : t("dismiss")}
+              </button>
+            </div>
+          )}
+          {error && <p className="text-xs text-red-400 mt-3">{error}</p>}
+        </div>
+      </Card>
+    );
+  }
+
+  // ─── Provisioning: approved, operator working ──────────────────────
   if (
     status === "approved" ||
     status === "provisioning" ||
@@ -213,7 +422,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("provisioningTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary">
             {t("provisioningDescription")}
@@ -249,7 +460,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     );
   }
 
-  // Active / Ready
+  // ─── Active / Ready ─────────────────────────────────────────────────
   if (status === "active") {
     return (
       <Card className="animate-in">
@@ -273,7 +484,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("readyTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto mb-4">
             {t("readyDescription")}

src/components/onboarding/wizard.tsx

@@ -64,6 +64,35 @@ interface WizardProps {
    */
   userName?: string;
   userEmail?: string;
+  /**
+   * Bug 6: when present, the wizard renders in "edit" mode — fields
+   * are pre-populated from the request, the SOUL.md auto-fetch is
+   * skipped (we trust the existing values), and the submit button
+   * PATCHes /api/onboarding/[id] instead of POSTing /api/onboarding.
+   *
+   * Per-package secrets are deliberately NOT pre-filled, even if the
+   * customer originally supplied them — server-side decryption to
+   * the client would be a security regression. The user re-enters
+   * any secrets they want to change; if they leave them blank, the
+   * existing encrypted blob in the DB is preserved by the PATCH
+   * endpoint.
+   */
+  editingRequest?: {
+    id: string;
+    instanceName: string;
+    agentName: string;
+    soulMd: string;
+    agentsMd: string;
+    packages: string[];
+    billingAddress: {
+      company?: string;
+      street?: string;
+      city?: string;
+      postalCode?: string;
+      country?: string;
+    };
+    billingNotes: string;
+  };
   onComplete: () => void;
 }
 
@@ -71,6 +100,7 @@ export function OnboardingWizard({
   orgName,
   userName,
   userEmail,
+  editingRequest,
   onComplete,
 }: WizardProps) {
   const t = useTranslations("onboarding");
@@ -91,14 +121,38 @@ export function OnboardingWizard({
     orgName,
     isPersonal,
   });
+  const isEditing = Boolean(editingRequest);
 
-  const [step, setStep] = useState<Step>("welcome");
+  // Edit mode jumps straight to the configure step — the welcome step
+  // is a first-time onboarding affordance and only adds friction when
+  // the customer is fixing a typo.
+  const [step, setStep] = useState<Step>(isEditing ? "configure" : "welcome");
   const [submitting, setSubmitting] = useState(false);
   const [error, setError] = useState("");
   const [advancedOpen, setAdvancedOpen] = useState(false);
-  const [defaultsLoaded, setDefaultsLoaded] = useState(false);
+  // In edit mode we already have soulMd/agentsMd from the request;
+  // skip the workspace-defaults round trip that would overwrite them.
+  const [defaultsLoaded, setDefaultsLoaded] = useState(isEditing);
 
-  const [config, setConfig] = useState({
+  const [config, setConfig] = useState(() => {
+    if (editingRequest) {
+      return {
+        instanceName: editingRequest.instanceName,
+        agentName: editingRequest.agentName,
+        soulMd: editingRequest.soulMd,
+        agentsMd: editingRequest.agentsMd,
+        packages: editingRequest.packages,
+        billingAddress: {
+          company: editingRequest.billingAddress.company ?? "",
+          street: editingRequest.billingAddress.street ?? "",
+          city: editingRequest.billingAddress.city ?? "",
+          postalCode: editingRequest.billingAddress.postalCode ?? "",
+          country: editingRequest.billingAddress.country ?? "CH",
+        },
+        billingNotes: editingRequest.billingNotes,
+      };
+    }
+    return {
       instanceName: "",
       agentName: "Assistant",
       soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
@@ -115,6 +169,7 @@ export function OnboardingWizard({
         country: "CH",
       },
       billingNotes: "",
+    };
   });
 
   // TOOLS.md preview — readonly, auto-generated
@@ -308,8 +363,17 @@ export function OnboardingWizard({
         }
       }
 
-      const res = await fetch("/api/onboarding", {
+      // Bug 6: edit mode targets the per-row endpoint with PATCH;
-        method: "POST",
+      // create mode targets the collection endpoint with POST. Body
+      // shape is the same — both routes parse it through
+      // onboardingSchema.
+      const url = editingRequest
+        ? `/api/onboarding/${encodeURIComponent(editingRequest.id)}`
+        : "/api/onboarding";
+      const method = editingRequest ? "PATCH" : "POST";
+
+      const res = await fetch(url, {
+        method,
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
           ...config,
@@ -1017,7 +1081,11 @@ export function OnboardingWizard({
               disabled={submitting}
               className="py-2.5 px-6 bg-accent text-white text-sm font-medium rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
             >
-              {submitting ? tCommon("loading") : t("submitRequest")}
+              {submitting
+                ? tCommon("loading")
+                : isEditing
+                ? t("saveChanges")
+                : t("submitRequest")}
             </button>
           </div>
         </Card>

src/components/ui/status-badge.tsx

@@ -15,6 +15,11 @@ const phaseStyles: Record<string, string> = {
   Running: "bg-success/10 text-success border-success/20",
   Ready: "bg-success/10 text-success border-success/20",
   Provisioning: "bg-warning/10 text-warning border-warning/20",
+  // Reconfiguring shares the warning palette (yellow pulse) but renders
+  // a distinct label, so customers see it differently from first-time
+  // provisioning. Useful when packages or channel-users change and the
+  // pod restarts mid-life.
+  Reconfiguring: "bg-warning/10 text-warning border-warning/20",
   Pending: "bg-text-muted/10 text-text-secondary border-border",
   Suspended: "bg-amber-500/10 text-amber-400 border-amber-500/30",
   Error: "bg-error/10 text-error border-error/20",
@@ -44,6 +49,9 @@ export function StatusBadge({ phase }: { phase: string }) {
       {phase === "Provisioning" && (
         <span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
       )}
+      {phase === "Reconfiguring" && (
+        <span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
+      )}
       {label}
     </span>
   );

src/lib/db.ts

@@ -1,5 +1,5 @@
 import { Pool } from "pg";
-import type { TenantRequest, TenantRequestStatus } from "@/types";
+import type { BillingAddress, TenantRequest, TenantRequestStatus } from "@/types";
 import { listTenants, getTenant } from "./k8s";
 
 // ---------------------------------------------------------------------------
@@ -72,6 +72,11 @@ const MIGRATION_SQL = `
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS agents_md TEXT;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS instance_name TEXT;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS is_personal BOOLEAN NOT NULL DEFAULT FALSE;
+  -- Bug 13: customer-side dismissal of rejected requests. NULL means "still
+  -- visible on the dashboard"; non-null means "customer clicked Dismiss".
+  -- Pending/approved/active rows keep this NULL by definition — the field
+  -- is only meaningful for rejected and cancelled rows.
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ;
 
   -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
   ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
@@ -250,10 +255,21 @@ export async function listTenantRequestsByOrgId(
 }
 
 /**
- * As {@link listTenantRequestsByOrgId} but excludes terminal-failed states
+ * As {@link listTenantRequestsByOrgId} but tuned for the customer's
- * (rejected, deleted). Useful for the dashboard which wants to show
+ * dashboard view.
- * pending/approved/provisioning/active tenants and pending requests, not
+ *
- * historical rejections.
+ * Returns:
+ *   - All non-terminal rows (pending, approved, provisioning, active),
+ *     because the customer needs to see what's in flight.
+ *   - Terminal-failed rows (rejected, cancelled) that the customer
+ *     hasn't dismissed yet (Bug 13). Without this, a rejection that
+ *     happens while the customer isn't online would only be
+ *     communicated by email — easy to miss.
+ *
+ * Excludes:
+ *   - `deleted` rows (admin tore down the tenant — historical, not
+ *     actionable).
+ *   - Dismissed rejected/cancelled rows.
  */
 export async function listActiveTenantRequestsByOrgId(
   orgId: string
@@ -262,7 +278,8 @@ export async function listActiveTenantRequestsByOrgId(
   const result = await getPool().query<TenantRequest>(
     `SELECT * FROM tenant_requests
        WHERE zitadel_org_id = $1
-         AND status NOT IN ('deleted', 'rejected')
+         AND status <> 'deleted'
+         AND (status NOT IN ('rejected', 'cancelled') OR dismissed_at IS NULL)
        ORDER BY created_at DESC`,
     [orgId]
   );
@@ -354,6 +371,96 @@ export async function clearEncryptedSecrets(requestId: string): Promise<void> {
   );
 }
 
+/**
+ * Set dismissed_at = now() on a request row. Used when a customer
+ * clicks "Dismiss" on a rejected/cancelled card on their dashboard
+ * (Bug 13). The row stays in the database for history/audit but
+ * stops appearing in `listActiveTenantRequestsByOrgId`.
+ *
+ * Idempotent: dismissing an already-dismissed row is a no-op.
+ * Caller is responsible for verifying the row belongs to the user's
+ * org before calling.
+ */
+export async function dismissTenantRequest(id: string): Promise<void> {
+  await ensureSchema();
+  await getPool().query(
+    `UPDATE tenant_requests
+       SET dismissed_at = COALESCE(dismissed_at, now()),
+           updated_at = now()
+     WHERE id = $1`,
+    [id]
+  );
+}
+
+/**
+ * Update editable fields of a still-pending tenant request. Bug 6 — a
+ * customer who notices a typo or wants to add a package after submitting
+ * the wizard should be able to fix it without admin involvement.
+ *
+ * Only the customer-input fields are updateable. `status`, `tenant_name`,
+ * `admin_notes`, `encrypted_secrets`, `is_personal`, `zitadel_*` and
+ * timestamps are managed elsewhere and intentionally not here.
+ *
+ * The caller is responsible for:
+ *   - verifying the row belongs to the user's org
+ *   - verifying status === 'pending' (editing approved/provisioning rows
+ *     would race against the operator)
+ *
+ * Returns the updated row, or null if the id didn't match anything.
+ */
+export async function updateTenantRequestEditableFields(
+  id: string,
+  fields: {
+    instanceName?: string | null;
+    agentName?: string;
+    soulMd?: string;
+    agentsMd?: string | null;
+    packages?: string[];
+    billingAddress?: BillingAddress;
+    billingNotes?: string;
+    encryptedSecrets?: Buffer | null;
+  }
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+
+  const sets: string[] = ["updated_at = now()"];
+  const values: any[] = [id];
+  let idx = 2;
+
+  // Map JS field names to SQL columns. Each entry is gated on
+  // `!== undefined` so passing only some fields just updates those.
+  const colMap: Array<[keyof typeof fields, string]> = [
+    ["instanceName", "instance_name"],
+    ["agentName", "agent_name"],
+    ["soulMd", "soul_md"],
+    ["agentsMd", "agents_md"],
+    ["packages", "packages"],
+    ["billingAddress", "billing_address"],
+    ["billingNotes", "billing_notes"],
+    ["encryptedSecrets", "encrypted_secrets"],
+  ];
+  for (const [jsField, sqlCol] of colMap) {
+    const v = fields[jsField];
+    if (v === undefined) continue;
+    sets.push(`${sqlCol} = $${idx}`);
+    values.push(v);
+    idx++;
+  }
+
+  if (sets.length === 1) {
+    // No editable fields supplied — return the row unchanged rather
+    // than running a useless UPDATE that just bumps updated_at.
+    const cur = await getTenantRequestById(id);
+    return cur;
+  }
+
+  const result = await getPool().query<TenantRequest>(
+    `UPDATE tenant_requests SET ${sets.join(", ")} WHERE id = $1 RETURNING *`,
+    values
+  );
+  return result.rows[0] ? mapRow(result.rows[0]) : null;
+}
+
 /**
  * Wrapper around domain-check.ts that injects the portal's connection pool.
  * Kept here so route handlers don't need direct access to the pool.
@@ -446,6 +553,8 @@ function mapRow(row: any): TenantRequest {
     tenantName: row.tenant_name,
     encryptedSecrets: row.encrypted_secrets ?? null,
     isPersonal: row.is_personal ?? false,
+    dismissedAt:
+      row.dismissed_at?.toISOString?.() ?? row.dismissed_at ?? null,
     createdAt: row.created_at?.toISOString?.() ?? row.created_at,
     updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
   };

src/messages/de.json

@@ -100,7 +100,21 @@
     "reviewInstanceDefault": "(Standard — verwendet Firmenname)",
     "reviewNoPackages": "Keine ausgewählt",
     "reviewBillingTo": "Rechnungsempfänger",
-    "reviewContactEmail": "Kontakt-E-Mail"
+    "reviewContactEmail": "Kontakt-E-Mail",
+    "editRequestTitle": "Anfrage bearbeiten",
+    "editRequestDescription": "Passen Sie die Konfiguration an, bevor unser Team sie prüft.",
+    "editRequest": "Bearbeiten",
+    "cancelRequest": "Anfrage stornieren",
+    "cancelRequestConfirm": "Ja, Anfrage stornieren",
+    "cancelConfirmRequestTitle": "Diese Anfrage stornieren?",
+    "cancelConfirmRequestDescription": "Ihre ausstehende Anfrage wird als storniert markiert und aus der Warteschlange entfernt. Sie können jederzeit eine neue Anfrage einreichen.",
+    "cancelFailed": "Anfrage konnte nicht storniert werden.",
+    "cancelledTitle": "Anfrage storniert",
+    "cancelledDescription": "Sie haben diese Anfrage vor der Bearbeitung storniert. Es wurde keine Instanz erstellt.",
+    "dismiss": "Ausblenden",
+    "dismissFailed": "Konnte nicht ausgeblendet werden.",
+    "rejectionReason": "Angegebener Grund",
+    "saveChanges": "Änderungen speichern"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -345,6 +359,7 @@
     "Ready": "Bereit",
     "Suspended": "Pausiert",
     "Error": "Fehler",
-    "Deleting": "Wird gelöscht"
+    "Deleting": "Wird gelöscht",
+    "Reconfiguring": "Wird neu konfiguriert"
   }
 }

src/messages/en.json

@@ -100,7 +100,21 @@
     "reviewInstanceDefault": "(default — uses company name)",
     "reviewNoPackages": "None selected",
     "reviewBillingTo": "Billing to",
-    "reviewContactEmail": "Contact email"
+    "reviewContactEmail": "Contact email",
+    "editRequestTitle": "Edit your request",
+    "editRequestDescription": "Adjust the configuration before our team reviews it.",
+    "editRequest": "Edit",
+    "cancelRequest": "Cancel request",
+    "cancelRequestConfirm": "Yes, cancel request",
+    "cancelConfirmRequestTitle": "Cancel this request?",
+    "cancelConfirmRequestDescription": "Your pending request will be marked as cancelled and removed from the review queue. You can submit a new request at any time.",
+    "cancelFailed": "Could not cancel request.",
+    "cancelledTitle": "Request cancelled",
+    "cancelledDescription": "You cancelled this request before it was processed. No instance was created.",
+    "dismiss": "Dismiss",
+    "dismissFailed": "Could not dismiss.",
+    "rejectionReason": "Reason given",
+    "saveChanges": "Save changes"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -345,6 +359,7 @@
     "Ready": "Ready",
     "Suspended": "Suspended",
     "Error": "Error",
-    "Deleting": "Deleting"
+    "Deleting": "Deleting",
+    "Reconfiguring": "Reconfiguring"
   }
 }

src/messages/fr.json

@@ -100,7 +100,21 @@
     "reviewInstanceDefault": "(par défaut — utilise le nom de l'entreprise)",
     "reviewNoPackages": "Aucun sélectionné",
     "reviewBillingTo": "Facturer à",
-    "reviewContactEmail": "E-mail de contact"
+    "reviewContactEmail": "E-mail de contact",
+    "editRequestTitle": "Modifier votre demande",
+    "editRequestDescription": "Ajustez la configuration avant que notre équipe ne l'examine.",
+    "editRequest": "Modifier",
+    "cancelRequest": "Annuler la demande",
+    "cancelRequestConfirm": "Oui, annuler la demande",
+    "cancelConfirmRequestTitle": "Annuler cette demande ?",
+    "cancelConfirmRequestDescription": "Votre demande en attente sera marquée comme annulée et retirée de la file. Vous pouvez soumettre une nouvelle demande à tout moment.",
+    "cancelFailed": "Impossible d'annuler la demande.",
+    "cancelledTitle": "Demande annulée",
+    "cancelledDescription": "Vous avez annulé cette demande avant son traitement. Aucune instance n'a été créée.",
+    "dismiss": "Masquer",
+    "dismissFailed": "Impossible de masquer.",
+    "rejectionReason": "Motif indiqué",
+    "saveChanges": "Enregistrer les modifications"
   },
   "dashboard": {
     "title": "Tableau de bord",
@@ -345,6 +359,7 @@
     "Ready": "Prêt",
     "Suspended": "Suspendu",
     "Error": "Erreur",
-    "Deleting": "Suppression"
+    "Deleting": "Suppression",
+    "Reconfiguring": "Reconfiguration"
   }
 }

src/messages/it.json

@@ -100,7 +100,21 @@
     "reviewInstanceDefault": "(predefinito — usa il nome dell'azienda)",
     "reviewNoPackages": "Nessuno selezionato",
     "reviewBillingTo": "Fatturare a",
-    "reviewContactEmail": "Email di contatto"
+    "reviewContactEmail": "Email di contatto",
+    "editRequestTitle": "Modifica la sua richiesta",
+    "editRequestDescription": "Modifichi la configurazione prima che il nostro team la esamini.",
+    "editRequest": "Modifica",
+    "cancelRequest": "Annulla richiesta",
+    "cancelRequestConfirm": "Sì, annulla la richiesta",
+    "cancelConfirmRequestTitle": "Annullare questa richiesta?",
+    "cancelConfirmRequestDescription": "La sua richiesta in attesa sarà contrassegnata come annullata e rimossa dalla coda di revisione. Può inviare una nuova richiesta in qualsiasi momento.",
+    "cancelFailed": "Impossibile annullare la richiesta.",
+    "cancelledTitle": "Richiesta annullata",
+    "cancelledDescription": "Lei ha annullato questa richiesta prima dell'elaborazione. Nessuna istanza è stata creata.",
+    "dismiss": "Nascondi",
+    "dismissFailed": "Impossibile nascondere.",
+    "rejectionReason": "Motivo indicato",
+    "saveChanges": "Salva modifiche"
   },
   "dashboard": {
     "title": "Dashboard",
@@ -345,6 +359,7 @@
     "Ready": "Pronto",
     "Suspended": "Sospeso",
     "Error": "Errore",
-    "Deleting": "Eliminazione"
+    "Deleting": "Eliminazione",
+    "Reconfiguring": "Riconfigurazione"
   }
 }

src/types/index.ts

@@ -83,6 +83,7 @@ export interface PiecedTenantStatus {
     | "Provisioning"
     | "Running"
     | "Ready"
+    | "Reconfiguring"
     | "Suspended"
     | "Error"
     | "Deleting";
@@ -169,6 +170,7 @@ export type TenantRequestStatus =
   | "provisioning" // PiecedTenant CR created, operator reconciling
   | "active" // Tenant running
   | "rejected" // Admin rejected
+  | "cancelled" // Customer cancelled before admin acted on it (Bug 6)
   | "deleted"; // Tenant was deleted by admin
 
 export interface TenantRequest {
@@ -202,6 +204,14 @@ export interface TenantRequest {
    * domain-uniqueness check on subsequent registrations.
    */
   isPersonal?: boolean;
+  /**
+   * Bug 13: when set, the customer has explicitly dismissed a rejected
+   * request from their dashboard. Used by `listActiveTenantRequestsByOrgId`
+   * to keep showing rejected rows until they're dismissed (so a customer
+   * who wasn't online when the rejection happened still sees it on next
+   * login). Always null for non-rejected statuses.
+   */
+  dismissedAt?: string | null;
   createdAt: string;
   updatedAt: string;
 }