Billing rework

src/app/[locale]/dashboard/edit/[id]/page.tsx

@@ -0,0 +1,87 @@
+import { getSessionUser, canMutate } from "@/lib/session";
+import { redirect } from "next/navigation";
+import { getTranslations } from "next-intl/server";
+import { getTenantRequestById } from "@/lib/db";
+import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
+import { BackLink } from "@/components/ui/back-link";
+
+/**
+ * /dashboard/edit/[id] — re-opens the onboarding wizard with the
+ * fields of a still-pending request pre-filled (Bug 6). On submit,
+ * the wizard PATCHes /api/onboarding/[id] instead of POSTing to
+ * /api/onboarding.
+ *
+ * Hard guards
+ * -----------
+ * - Logged-in customer owner (or platform user) only — same as the
+ *   /dashboard/new page.
+ * - Request must exist, belong to the caller's org, and be in 'pending'
+ *   status. Editing approved/provisioning rows would race against the
+ *   operator; we redirect such cases back to the dashboard rather than
+ *   render an invalid wizard.
+ *
+ * Pre-fill
+ * --------
+ * The wizard takes a single `editingRequest` prop — when present, it
+ * (a) pre-populates state from those values and (b) targets the PATCH
+ * endpoint on submit. When absent, it behaves exactly as today (POST
+ * to /api/onboarding).
+ *
+ * Note on encrypted secrets
+ * -------------------------
+ * Per-package secrets are NEVER decrypted server-side and exposed to
+ * the client (would be a clear security regression). When editing,
+ * the wizard opens with empty secret fields and the user re-enters
+ * any they want to change. If they don't touch the package-secrets
+ * UI, the existing encrypted blob in the DB is preserved by the
+ * PATCH endpoint (it only re-encrypts when the wizard sends a
+ * non-empty secrets payload).
+ */
+export default async function EditRequestPage({
+  params,
+}: {
+  params: Promise<{ id: string; locale: string }>;
+}) {
+  const { id } = await params;
+  const user = await getSessionUser();
+  if (!user) redirect("/login");
+  if (user.isPlatform) redirect("/dashboard");
+  if (!canMutate(user)) redirect("/dashboard");
+
+  const tr = await getTenantRequestById(id);
+  if (!tr) redirect("/dashboard");
+  if (tr.zitadelOrgId !== user.orgId) redirect("/dashboard");
+  if (tr.status !== "pending") redirect("/dashboard");
+
+  const t = await getTranslations("dashboard");
+  const tOnboarding = await getTranslations("onboarding");
+
+  return (
+    <div className="container max-w-3xl mx-auto px-4 py-8">
+      <div className="mb-8 animate-in">
+        <BackLink href="/dashboard" label={t("title")} />
+        <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
+          {tOnboarding("editRequestTitle")}
+        </h1>
+        <p className="text-sm text-text-secondary">
+          {tOnboarding("editRequestDescription")}
+        </p>
+      </div>
+      <OnboardingFlow
+        orgName={user.orgName}
+        userName={user.name}
+        userEmail={user.email}
+        editingRequest={{
+          id: tr.id,
+          instanceName: tr.instanceName ?? "",
+          agentName: tr.agentName,
+          soulMd: tr.soulMd ?? "",
+          agentsMd: tr.agentsMd ?? "",
+          packages: tr.packages,
+          billingAddress: tr.billingAddress,
+          billingNotes: tr.billingNotes ?? "",
+        }}
+      />
+    </div>
+  );
+}

src/app/[locale]/dashboard/new/page.tsx

@@ -4,7 +4,7 @@ import { redirect } from "next/navigation";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
 import { BackLink } from "@/components/ui/back-link";
 import { listTenants } from "@/lib/k8s";
-import { listActiveTenantRequestsByOrgId } from "@/lib/db";
+import { listActiveTenantRequestsByOrgId, getOrgBilling } from "@/lib/db";
 import { personalAccountAtCapacity } from "@/lib/personal-org";
 
 /**
@@ -55,6 +55,8 @@ export default async function NewInstancePage() {
   }
 
   const t = await getTranslations("dashboard");
+  const orgBilling = await getOrgBilling(user.orgId);
+  const hasOrgBilling = orgBilling !== null;
 
   return (
     <div>
@@ -73,6 +75,7 @@ export default async function NewInstancePage() {
           orgName={user.orgName}
           userName={user.name}
           userEmail={user.email}
+          hasOrgBilling={hasOrgBilling}
         />
       </div>
     </div>

src/app/[locale]/dashboard/page.tsx

@@ -2,7 +2,11 @@ import { getSessionUser, canMutate } from "@/lib/session";
 import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect } from "next/navigation";
 import { listTenants } from "@/lib/k8s";
-import { listActiveTenantRequestsByOrgId } from "@/lib/db";
+import {
+  listActiveTenantRequestsByOrgId,
+  syncProvisioningStatuses,
+  getOrgBilling,
+} from "@/lib/db";
 import {
   listVisibleTenants,
   canSeeInflightRequests,
@@ -11,6 +15,7 @@ import {
 import { personalAccountAtCapacity } from "@/lib/personal-org";
 import { Card, CardHeader } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
+import { WarningBadge } from "@/components/ui/warning-badge";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
 import { ProvisioningStatus } from "@/components/onboarding/provisioning-status";
 import { formatDateTime } from "@/lib/format";
@@ -159,10 +164,35 @@ export default async function DashboardPage() {
 
   // Pending/in-flight requests are only shown to roles that can act on
   // them. `user`-role customers see no request cards.
+  //
+  // syncProvisioningStatuses runs on every dashboard load: it walks
+  // active and provisioning rows and reconciles them against the
+  // current cluster state. Without this, the operator-initiated
+  // 60-day TTL deletion (Bug 37b) leaves the portal showing "Your
+  // assistant is ready!" cards for tenants that no longer exist —
+  // the operator deletes the CR, but the DB row stays at active=true
+  // until something updates it. Running the sync at every dashboard
+  // load keeps the portal eventually consistent with the cluster
+  // without needing a separate cron/job.
+  //
+  // Cost: one K8s GET per row in (active, provisioning) status. At
+  // pilot scale this is small; if it grows we'd cache or move to a
+  // periodic background job.
+  if (canSeeInflightRequests(user)) {
+    await syncProvisioningStatuses();
+  }
   const orgRequests = canSeeInflightRequests(user)
     ? await listActiveTenantRequestsByOrgId(user.orgId)
     : [];
 
+  // Bug 35: orgs that already have a billing record skip the wizard's
+  // billing step. Fetched here so the dashboard's empty-state mount of
+  // OnboardingFlow knows what to do; for the additional-tenant flow at
+  // /dashboard/new we fetch the same flag in that route's own server
+  // component.
+  const orgBilling = await getOrgBilling(user.orgId);
+  const hasOrgBilling = orgBilling !== null;
+
   // Pending requests that don't yet have a tenant CR. Once the CR
   // exists, the tenant card carries the live phase, so a separate
   // "request" card would just duplicate it. We compare against
@@ -173,7 +203,16 @@ export default async function DashboardPage() {
     (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
   );
   const inflightRequests = orgRequests.filter(
-    (r) => !r.tenantName || !orgScopedTenants.some((t) => t.metadata.name === r.tenantName)
+    (r) =>
+      // Only show provision (initial creation) requests on the
+      // dashboard. Resume requests (Bug 37a) belong with their
+      // specific tenant — the SubscriptionToggle on the tenant
+      // detail page renders the pending state there. Showing them
+      // on the dashboard too would duplicate the surface and
+      // confuse customers about which tenant they refer to.
+      r.requestType !== "resume" &&
+      (!r.tenantName ||
+        !orgScopedTenants.some((t) => t.metadata.name === r.tenantName))
   );
 
   // Slice 5: only owners (and platform users, who'd typically be using
@@ -277,6 +316,7 @@ export default async function DashboardPage() {
             orgName={user.orgName}
             userName={user.name}
             userEmail={user.email}
+            hasOrgBilling={hasOrgBilling}
           />
         </div>
       </div>
@@ -315,7 +355,11 @@ export default async function DashboardPage() {
           </h2>
           <div className="space-y-3">
             {inflightRequests.map((r) => (
-              <ProvisioningStatus key={r.id} requestId={r.id} />
+              <ProvisioningStatus
+                key={r.id}
+                requestId={r.id}
+                canAct={canMutate(user)}
+              />
             ))}
           </div>
         </div>
@@ -344,7 +388,10 @@ export default async function DashboardPage() {
                         {tenant.metadata.name}
                       </div>
                     </div>
+                    <div className="flex items-center gap-2 shrink-0">
                       <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+                      <WarningBadge warnings={tenant.status?.warnings ?? []} />
+                    </div>
                   </div>
 
                   {tenant.spec.agentName && (

src/app/[locale]/settings/billing/page.tsx

@@ -0,0 +1,46 @@
+import { getTranslations } from "next-intl/server";
+import { redirect, notFound } from "next/navigation";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getOrgBilling } from "@/lib/db";
+import { BillingSettingsForm } from "@/components/settings/billing-settings-form";
+
+/**
+ * /settings/billing — view and edit org-scoped billing (Bug 34/35).
+ *
+ * Server-side fetches the existing record (if any) and passes it to
+ * the client form. The form posts to PUT /api/billing on submit.
+ *
+ * Access: same gate as the API — owners and platform admins. `user`
+ * role redirects to /settings (which also wouldn't list billing for
+ * them). 403 here would be friendlier than redirect, but the most
+ * likely cause of a `user` landing on this URL is sharing a bookmark
+ * with their owner — silent redirect is gentle.
+ */
+export default async function BillingSettingsPage() {
+  const user = await getSessionUser();
+  if (!user) redirect("/login");
+  if (!canMutate(user)) {
+    redirect("/settings");
+  }
+  const t = await getTranslations("settingsBilling");
+
+  const billing = await getOrgBilling(user.orgId);
+
+  return (
+    <main className="max-w-3xl mx-auto px-6 py-8">
+      <div className="mb-8 animate-in">
+        <h1 className="font-display text-2xl font-semibold accent-rule">
+          {t("title")}
+        </h1>
+        <p className="text-sm text-text-secondary mt-3">{t("subtitle")}</p>
+      </div>
+
+      <BillingSettingsForm
+        initial={billing}
+        isPersonal={user.isPersonal}
+        orgName={user.orgName}
+        userName={user.name}
+      />
+    </main>
+  );
+}

src/app/[locale]/settings/page.tsx

@@ -0,0 +1,76 @@
+import { getTranslations } from "next-intl/server";
+import { redirect } from "next/navigation";
+import Link from "next/link";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { Card } from "@/components/ui/card";
+
+/**
+ * /settings — landing page for user/org-level configuration (Bug 35
+ * intentionally landed billing here rather than at /billing because we
+ * expect more settings categories: notifications, API keys, default
+ * workspace templates, etc.). Currently lists a single category card;
+ * the layout scales to a sidebar nav once there are 3+.
+ *
+ * Access: any authenticated user (the cards themselves gate further;
+ * non-owner users would not see "Billing" as actionable, etc.).
+ */
+export default async function SettingsPage() {
+  const user = await getSessionUser();
+  if (!user) redirect("/login");
+  const t = await getTranslations("settings");
+
+  // Build the list of settings cards. Each entry has a stable key, a
+  // route, and a visibility predicate. Currently only billing; this
+  // shape leaves headroom for adding more without restructuring.
+  const sections: Array<{
+    key: string;
+    href: string;
+    title: string;
+    description: string;
+    visible: boolean;
+  }> = [
+    {
+      key: "billing",
+      href: "/settings/billing",
+      title: t("billingTitle"),
+      description: t("billingDescription"),
+      // Owners and platform admins can edit billing. `user` role
+      // can't even view it — billing details aren't useful to them.
+      visible: canMutate(user),
+    },
+  ];
+
+  const visibleSections = sections.filter((s) => s.visible);
+
+  return (
+    <main className="max-w-4xl mx-auto px-6 py-8">
+      <div className="mb-8 animate-in">
+        <h1 className="font-display text-2xl font-semibold accent-rule">
+          {t("title")}
+        </h1>
+        <p className="text-sm text-text-secondary mt-3">{t("subtitle")}</p>
+      </div>
+
+      {visibleSections.length === 0 && (
+        <Card className="animate-in animate-in-delay-1">
+          <p className="text-sm text-text-secondary">{t("nothingForYou")}</p>
+        </Card>
+      )}
+
+      <div className="grid gap-3 animate-in animate-in-delay-1">
+        {visibleSections.map((s) => (
+          <Link
+            key={s.key}
+            href={s.href}
+            className="block rounded-xl border border-border bg-surface-1 p-4 hover:border-text-secondary transition-colors"
+          >
+            <div className="font-medium text-text-primary">{s.title}</div>
+            <div className="text-xs text-text-secondary mt-1">
+              {s.description}
+            </div>
+          </Link>
+        ))}
+      </div>
+    </main>
+  );
+}

src/app/[locale]/tenants/[name]/page.tsx

@@ -3,7 +3,9 @@ import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect, notFound } from "next/navigation";
 import { getTenant } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
+import { getPendingResumeRequestForTenant } from "@/lib/db";
 import { StatusBadge } from "@/components/ui/status-badge";
+import { WarningBadge } from "@/components/ui/warning-badge";
 import { UsageDisplay } from "@/components/dashboard/usage-display";
 import { PackageList } from "@/components/packages/package-list";
 import { WorkspaceEditor } from "@/components/packages/workspace-editor";
@@ -46,6 +48,13 @@ export default async function TenantDetailPage({
   // The current state comes from spec.suspend on the CR.
   const isSuspended = Boolean(tenant.spec.suspend);
 
+  // Bug 37a: when the tenant is suspended, an owner can request
+  // reactivation (admin-gated). Look up whether one is in flight so
+  // the SubscriptionToggle can render the right state.
+  const pendingResumeRequest = isSuspended
+    ? await getPendingResumeRequestForTenant(name)
+    : null;
+
   // Bug 7: assigned-users panel is meaningless for personal tenants
   // (sole-owner by definition; the only "assignee" is the owner
   // themselves). We hide the panel when EITHER the CR carries the
@@ -66,18 +75,12 @@ export default async function TenantDetailPage({
   );
   const channelUsers = tenant.spec.channelUsers || {};
 
-  // Admins inspecting another tenant's usage: pass teamId AND keyAlias so
+  // Bug 19 fix: every viewer (customer or admin) passes the tenant
-  // the backend filters spend logs by this specific tenant's virtual key.
+  // name to UsageDisplay. The /api/usage route resolves team+alias
-  // Without keyAlias the response would include sibling tenants in the
+  // from the tenant CR's status and applies the visibility check, so
-  // same org, since teams are now shared (Slice 2).
+  // no per-role branching is needed here. Previous version only
-  // Customers viewing their own: pass nothing — backend resolves both
+  // passed identifiers for platform admins; customers got "the first
-  // from the session-bound tenant.
+  // visible tenant" by API fallback, mingling siblings.
-  const usageTeamId = user.isPlatform
-    ? tenant.status?.litellmTeamId || undefined
-    : undefined;
-  const usageKeyAlias = user.isPlatform
-    ? tenant.status?.litellmKeyAlias || undefined
-    : undefined;
 
   return (
     <div>
@@ -88,6 +91,7 @@ export default async function TenantDetailPage({
             {tenant.spec.displayName || name}
           </h1>
           <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+          <WarningBadge warnings={tenant.status?.warnings ?? []} />
         </div>
         {tenant.spec.agentName && (
           <p className="text-sm text-text-secondary mt-3">
@@ -138,6 +142,53 @@ export default async function TenantDetailPage({
               <div className="text-xs text-text-secondary mt-1">
                 {t("suspendedDescription")}
               </div>
+              {/* Retention countdown. suspendedAt is stamped by the
+                  operator on first transition to suspended; missing
+                  values fall through silently rather than rendering
+                  garbage (operator hasn't reconciled yet, edge case).
+                  The 60-day window is the operator's
+                  retentionAfterSuspend constant; if you change one,
+                  change both. We don't expose the constant via API —
+                  the value rarely changes and duplicating it here
+                  beats fetching a single int over the network. */}
+              {tenant.status?.suspendedAt && (() => {
+                const suspendedAt = new Date(tenant.status.suspendedAt);
+                const deletionAt = new Date(suspendedAt);
+                deletionAt.setDate(deletionAt.getDate() + 60);
+                const now = new Date();
+                const msRemaining = deletionAt.getTime() - now.getTime();
+                const daysRemaining = Math.max(
+                  0,
+                  Math.ceil(msRemaining / (1000 * 60 * 60 * 24))
+                );
+                // < 7 days: red/critical to draw attention. Otherwise
+                // amber, matching the banner.
+                const urgent = daysRemaining < 7;
+                return (
+                  <div
+                    className={`text-xs mt-2 ${
+                      urgent ? "text-red-400" : "text-text-muted"
+                    }`}
+                  >
+                    {t("suspendedSince", {
+                      date: formatDateTime(
+                        tenant.status.suspendedAt,
+                        f
+                      ),
+                    })}
+                    {" · "}
+                    {daysRemaining > 0
+                      ? t("suspendedDeletionIn", {
+                          days: daysRemaining,
+                          date: formatDateTime(
+                            deletionAt.toISOString(),
+                            f
+                          ),
+                        })
+                      : t("suspendedDeletionImminent")}
+                  </div>
+                );
+              })()}
             </div>
           </div>
         </div>
@@ -148,7 +199,7 @@ export default async function TenantDetailPage({
         <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
           {t("usage")}
         </h2>
-        <UsageDisplay teamId={usageTeamId} keyAlias={usageKeyAlias} />
+        <UsageDisplay tenant={name} />
       </section>
 
       {/* Packages */}
@@ -212,7 +263,19 @@ export default async function TenantDetailPage({
               ? t("subscriptionDescriptionSuspended")
               : t("subscriptionDescriptionActive")}
           </p>
-          <SubscriptionToggle tenantName={name} suspended={isSuspended} />
+          <SubscriptionToggle
+            tenantName={name}
+            suspended={isSuspended}
+            isPlatform={user.isPlatform}
+            pendingResumeRequest={
+              pendingResumeRequest
+                ? {
+                    id: pendingResumeRequest.id,
+                    createdAt: pendingResumeRequest.createdAt,
+                  }
+                : null
+            }
+          />
         </section>
       )}
     </div>

src/app/api/admin/requests/[id]/approve/route.ts

@@ -5,8 +5,8 @@ import {
   updateTenantRequestStatus,
   clearEncryptedSecrets,
 } from "@/lib/db";
-import { createTenant } from "@/lib/k8s";
+import { createTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
-import { sendApprovalEmail } from "@/lib/email";
+import { sendApprovalEmail, sendResumeApprovalEmail } from "@/lib/email";
 import { decryptSecrets } from "@/lib/crypto";
 import { writePackageSecrets } from "@/lib/openbao";
 import {
@@ -19,14 +19,26 @@ import { safeError } from "@/lib/errors";
 
 /**
  * POST /api/admin/requests/[id]/approve
- * Approve a tenant request:
+ *
+ * Approve a request. Two paths depending on request_type:
+ *
+ * Provision (the original purpose):
  *  1. Decrypt stored package secrets (if any)
- * 2. Write each package's secrets to OpenBao at secret/data/tenants/{tenant-name}/{package}
+ *  2. Write each package's secrets to OpenBao
  *  3. Null the encrypted_secrets column
  *  4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
  *  5. Create PiecedTenant CR
  *  6. Update request status, notify customer.
- * Also supports re-approving a previously rejected request (clears admin notes).
+ *  Supports re-approving a previously rejected request (clears admin notes).
+ *
+ * Resume (Bug 37a):
+ *  1. PATCH spec.suspend=false on the existing PiecedTenant CR.
+ *  2. Clear the `pieced.ch/resume-request-pending` annotation so the
+ *     operator knows the request is settled (and doesn't pause its
+ *     60-day TTL forever — though now that the tenant isn't suspended,
+ *     the timer is moot).
+ *  3. Mark request approved, notify customer.
+ *  No CR creation, no secret materialisation, no workspace files.
  */
 export async function POST(
   request: Request,
@@ -60,6 +72,58 @@ export async function POST(
     );
   }
 
+  // Resume request: short path. Just patch the existing tenant, clear
+  // the annotation, mark approved.
+  if (tenantRequest.requestType === "resume") {
+    if (!tenantRequest.tenantName) {
+      // Shouldn't happen — resume requests are created with tenant_name
+      // set. Defensive 500 if it does.
+      return NextResponse.json(
+        { error: "Resume request has no tenant_name" },
+        { status: 500 }
+      );
+    }
+    try {
+      await patchTenantSpec(tenantRequest.tenantName, { suspend: false });
+      // Clear the annotation that pauses the operator's 60-day TTL.
+      // Best-effort — annotation cleanup is also done by the operator
+      // when it sees suspend=false on the next reconcile (it clears
+      // status.suspendedAt), but explicitly clearing here keeps the
+      // CR clean.
+      try {
+        await setTenantAnnotation(
+          tenantRequest.tenantName,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "post-approve annotation clear failed; not blocking",
+          e
+        );
+      }
+
+      await updateTenantRequestStatus(id, "approved", { adminNotes });
+
+      await sendResumeApprovalEmail(
+        tenantRequest.contactEmail,
+        tenantRequest.contactName,
+        tenantRequest.companyName
+      ).catch((e) => console.error("resume approval email failed:", e));
+
+      return NextResponse.json({
+        message: "Resume approved. Tenant is reactivating.",
+        tenantName: tenantRequest.tenantName,
+      });
+    } catch (e: any) {
+      console.error("Resume approval failed:", e);
+      return NextResponse.json(
+        { error: safeError(e, "Failed to approve resume") },
+        { status: 500 }
+      );
+    }
+  }
+
   const isReApproval = tenantRequest.status === "rejected";
 
   // Build the CR name: see `lib/tenant-naming.ts` for the format spec.

src/app/api/admin/requests/[id]/reject/route.ts

@@ -1,11 +1,19 @@
 import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
 import { getTenantRequestById, updateTenantRequestStatus } from "@/lib/db";
-import { sendRejectionEmail } from "@/lib/email";
+import { setTenantAnnotation } from "@/lib/k8s";
+import { sendRejectionEmail, sendResumeRejectionEmail } from "@/lib/email";
 
 /**
  * POST /api/admin/requests/[id]/reject
  * Reject a tenant request and notify the customer.
+ *
+ * For resume requests (Bug 37a): also clears the
+ * `pieced.ch/resume-request-pending` annotation on the tenant CR.
+ * The operator's 60-day TTL then resumes counting from the original
+ * suspendedAt — rejection doesn't reset it. The customer can submit
+ * a fresh resume request later if circumstances change, but that
+ * starts a new pending row and re-stamps the annotation.
  */
 export async function POST(
   request: Request,
@@ -37,13 +45,45 @@ export async function POST(
     adminNotes,
   });
 
-  // Notify customer
+  // Resume rejection: clear the annotation so the operator's TTL
+  // resumes. Best-effort — failure is logged, not propagated.
+  if (
+    tenantRequest.requestType === "resume" &&
+    tenantRequest.tenantName
+  ) {
+    try {
+      await setTenantAnnotation(
+        tenantRequest.tenantName,
+        "pieced.ch/resume-request-pending",
+        null
+      );
+    } catch (e) {
+      console.warn(
+        "post-reject annotation clear failed; operator's TTL will pause until annotation removed by admin",
+        e
+      );
+    }
+  }
+
+  // Notify customer. Resume requests get a different email — the
+  // tenant already exists; copy needs to mention "stays suspended" and
+  // the 60-day retention deadline. Provision rejections use the
+  // original onboarding-rejection wording.
+  if (tenantRequest.requestType === "resume") {
+    await sendResumeRejectionEmail(
+      tenantRequest.contactEmail,
+      tenantRequest.contactName,
+      tenantRequest.companyName,
+      adminNotes
+    );
+  } else {
     await sendRejectionEmail(
       tenantRequest.contactEmail,
       tenantRequest.contactName,
       tenantRequest.companyName,
       adminNotes
     );
+  }
 
   return NextResponse.json({
     message: "Request rejected.",

src/app/api/billing/route.ts

@@ -0,0 +1,128 @@
+import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getOrgBilling, upsertOrgBilling } from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * Org-scoped billing API (Bug 35).
+ *
+ * GET — return the current billing record for the caller's org, or
+ * 404 if none has been captured yet. The /settings/billing page
+ * renders an empty form on 404 (first-time edit) and a pre-filled
+ * form on 200.
+ *
+ * PUT — upsert the billing record. Required for any subsequent tenant
+ * provisioning unless the caller is on a personal org. Validation:
+ *   - All address fields required.
+ *   - VAT number required for company orgs (where `user.isPersonal`
+ *     is false). Optional for personal orgs.
+ *   - billing_email validated as RFC-5322-ish.
+ *
+ * Authorization:
+ *   - GET: any authenticated user in the org. We expose only their
+ *     own org's billing — orgId is scoped from the session.
+ *   - PUT: owners and platform admins (canMutate check). Customers
+ *     in `user` role cannot edit billing.
+ */
+
+const billingSchema = z.object({
+  companyName: z.string().min(1).max(200),
+  streetAddress: z.string().min(1).max(200),
+  postalCode: z.string().min(1).max(20),
+  city: z.string().min(1).max(100),
+  country: z.string().min(2).max(3), // ISO 3166-1 alpha-2 or alpha-3
+  vatNumber: z
+    .string()
+    .max(50)
+    .nullable()
+    .optional()
+    .transform((v) => (v && v.trim() !== "" ? v.trim() : null)),
+  billingEmail: z.string().email().max(200),
+  notes: z
+    .string()
+    .max(2000)
+    .nullable()
+    .optional()
+    .transform((v) => (v && v.trim() !== "" ? v.trim() : null)),
+});
+
+export async function GET() {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const billing = await getOrgBilling(user.orgId);
+  if (!billing) {
+    // 404 carries semantic meaning here — "no record yet". Callers
+    // (settings page, wizard) treat this as the empty-form state.
+    return NextResponse.json(
+      { error: "No billing record for this org" },
+      { status: 404 }
+    );
+  }
+  return NextResponse.json({ billing });
+}
+
+export async function PUT(req: NextRequest) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const body = await req.json().catch(() => null);
+  const parsed = billingSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: "Invalid input", details: parsed.error.flatten() },
+      { status: 400 }
+    );
+  }
+
+  // Company orgs (B2B) require companyName AND VAT. Personal orgs
+  // (B2C — private individuals) need neither; their /settings/billing
+  // form hides both fields and we don't ask the API to enforce them.
+  if (!user.isPersonal) {
+    const missing: Record<string, string[]> = {};
+    if (!parsed.data.companyName || parsed.data.companyName.trim().length === 0) {
+      missing.companyName = ["Required for companies"];
+    }
+    if (!parsed.data.vatNumber) {
+      missing.vatNumber = ["Required for companies"];
+    }
+    if (Object.keys(missing).length > 0) {
+      return NextResponse.json(
+        {
+          error:
+            "Company name and VAT number are required for company accounts.",
+          details: { fieldErrors: missing },
+        },
+        { status: 400 }
+      );
+    }
+  }
+
+  try {
+    const billing = await upsertOrgBilling({
+      zitadelOrgId: user.orgId,
+      companyName: parsed.data.companyName,
+      streetAddress: parsed.data.streetAddress,
+      postalCode: parsed.data.postalCode,
+      city: parsed.data.city,
+      country: parsed.data.country,
+      vatNumber: parsed.data.vatNumber,
+      billingEmail: parsed.data.billingEmail,
+      notes: parsed.data.notes,
+    });
+    return NextResponse.json({ billing });
+  } catch (e: any) {
+    console.error("Failed to upsert org billing:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to save billing") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/[id]/dismiss/route.ts

@@ -0,0 +1,65 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { dismissTenantRequest, getTenantRequestById } from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * POST /api/onboarding/[id]/dismiss
+ *
+ * Customer-side acknowledgement of a rejected or cancelled request
+ * (Bug 13). Sets `dismissed_at = now()` so the row stops appearing
+ * in the dashboard's `listActiveTenantRequestsByOrgId` query. The
+ * row itself is preserved for audit.
+ *
+ * Authorization mirrors the GET / DELETE / PATCH endpoints on this
+ * resource: customer owners (or platform staff) of the row's org.
+ *
+ * Idempotent: dismissing an already-dismissed request returns 200
+ * with no change. We refuse to dismiss non-terminal rows (pending,
+ * approved, provisioning, active) — those are still actionable, and
+ * "hiding" them would stash live state from the customer.
+ */
+export async function POST(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { id } = await params;
+  const tr = await getTenantRequestById(id);
+  if (!tr) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (tr.status !== "rejected" && tr.status !== "cancelled") {
+    return NextResponse.json(
+      {
+        error:
+          "Only rejected or cancelled requests can be dismissed. Active requests stay visible.",
+        code: "not_dismissable",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  try {
+    await dismissTenantRequest(id);
+    return NextResponse.json({ message: "Dismissed.", id });
+  } catch (e: any) {
+    console.error("Failed to dismiss request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to dismiss request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/[id]/route.ts

@@ -0,0 +1,227 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import {
+  getTenantRequestById,
+  updateTenantRequestStatus,
+  updateTenantRequestEditableFields,
+} from "@/lib/db";
+import { encryptSecrets } from "@/lib/crypto";
+import { setTenantAnnotation } from "@/lib/k8s";
+import { onboardingSchema } from "@/lib/validation";
+import { safeError } from "@/lib/errors";
+
+/**
+ * Customer-side controls for a single tenant_request row.
+ *
+ *   - DELETE /api/onboarding/[id]  → cancel a still-pending request
+ *   - PATCH  /api/onboarding/[id]  → edit fields of a still-pending
+ *                                    request (Bug 6)
+ *
+ * Both endpoints share the same authorization check: the caller must
+ * be a customer owner (or platform staff) of the request's org. We
+ * also enforce status === 'pending' on the row — once an admin has
+ * acted on it, the customer can no longer mutate it from the portal.
+ *
+ * Reading these is via the existing GET /api/onboarding?id=... handler.
+ */
+
+async function loadAuthorized(
+  id: string
+): Promise<
+  | { error: NextResponse }
+  | { req: Awaited<ReturnType<typeof getTenantRequestById>>; }
+> {
+  const user = await getSessionUser();
+  if (!user) {
+    return {
+      error: NextResponse.json({ error: "Unauthorized" }, { status: 401 }),
+    };
+  }
+  if (!canMutate(user)) {
+    return {
+      error: NextResponse.json({ error: "Forbidden" }, { status: 403 }),
+    };
+  }
+  const tr = await getTenantRequestById(id);
+  if (!tr) {
+    return {
+      error: NextResponse.json({ error: "Not found" }, { status: 404 }),
+    };
+  }
+  // Customers may only read their own org's requests; platform users
+  // may read any. Same scope as `GET /api/onboarding?id=...`.
+  if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+    return {
+      error: NextResponse.json({ error: "Not found" }, { status: 404 }),
+    };
+  }
+  return { req: tr };
+}
+
+/**
+ * DELETE /api/onboarding/[id]
+ *
+ * Customer cancels a still-pending request. Status flips to 'cancelled';
+ * the row is preserved for audit. The customer can dismiss the
+ * cancelled card afterwards (Bug 13 reuse — same dismissal mechanism).
+ *
+ * Once admin has approved/provisioned/rejected, this endpoint refuses
+ * (409). Cancelling a tenant that's already running goes through the
+ * subscription-suspend flow on the tenant detail page, not here.
+ */
+export async function DELETE(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const loaded = await loadAuthorized(id);
+  if ("error" in loaded) return loaded.error;
+  const tr = loaded.req!;
+
+  if (tr.status !== "pending") {
+    return NextResponse.json(
+      {
+        error:
+          "Only pending requests can be cancelled. Approved or provisioning instances must be managed from the tenant page.",
+        code: "not_pending",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  try {
+    await updateTenantRequestStatus(id, "cancelled");
+
+    // Customer cancels their own pending resume request: clear the
+    // operator-side annotation so the 60-day TTL resumes counting.
+    // Best-effort — the operator handles missing annotation gracefully.
+    if (tr.requestType === "resume" && tr.tenantName) {
+      try {
+        await setTenantAnnotation(
+          tr.tenantName,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "post-cancel annotation clear failed; not blocking",
+          e
+        );
+      }
+    }
+
+    return NextResponse.json({ message: "Request cancelled.", id });
+  } catch (e: any) {
+    console.error("Failed to cancel request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to cancel request") },
+      { status: 500 }
+    );
+  }
+}
+
+/**
+ * PATCH /api/onboarding/[id]
+ *
+ * Customer edits a still-pending request. Validation is the same as on
+ * POST /api/onboarding (shared schema). Only customer-input fields are
+ * editable; status/tenant_name/admin_notes/etc. are server-managed.
+ *
+ * Note on company-level fields
+ * ----------------------------
+ * For a follow-up instance (org has prior approved rows), the POST
+ * handler intentionally ignores the wizard's billingAddress and uses
+ * the on-file value instead. We mirror that here: company-level fields
+ * (companyName, contactName, contactEmail, billingAddress) on a
+ * follow-up edit are NOT updated through this endpoint. The customer
+ * should use a future settings page (Bug 11) for those. For now,
+ * editing only mutates per-instance fields — agent name, instance
+ * name, packages, soulMd, agentsMd, billingNotes, packageSecrets.
+ *
+ * For the FIRST instance (no prior approved rows), billingAddress IS
+ * editable here, since the customer is still defining their company's
+ * billing data.
+ */
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const loaded = await loadAuthorized(id);
+  if ("error" in loaded) return loaded.error;
+  const tr = loaded.req!;
+
+  if (tr.status !== "pending") {
+    return NextResponse.json(
+      {
+        error: "Only pending requests can be edited.",
+        code: "not_pending",
+        currentStatus: tr.status,
+      },
+      { status: 409 }
+    );
+  }
+
+  const body = await req.json().catch(() => null);
+  const parsed = onboardingSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: "Invalid input", details: parsed.error.flatten() },
+      { status: 400 }
+    );
+  }
+  const input = parsed.data;
+
+  // Re-encrypt package secrets if present in the patch body. When the
+  // user re-opens the wizard to edit, the secrets array is populated
+  // afresh from the wizard (we never decrypt and return existing
+  // secrets — that'd be a security regression). If the user didn't
+  // touch any secret-bearing package, the wizard sends no
+  // packageSecrets and we leave the existing encrypted blob alone.
+  let encryptedSecrets: Buffer | null | undefined;
+  if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {
+    try {
+      encryptedSecrets = await encryptSecrets(input.packageSecrets);
+    } catch (e: any) {
+      console.error("Failed to encrypt package secrets:", e);
+      return NextResponse.json(
+        { error: "Failed to secure credentials. Please try again." },
+        { status: 500 }
+      );
+    }
+  }
+
+  // Only first-instance edits get billingAddress; follow-ups inherit
+  // company billing from the on-file approved row.
+  const isFirstInstance = !tr.tenantName; // approximation; covers the
+  // "no prior approved row for this org" case the POST handler treats
+  // identically. A more rigorous check would call
+  // getMostRecentApprovedRequestForOrg, but in practice an org with
+  // an approved row for some other tenant has a tenantName on those
+  // rows, not on the pending one being edited — so the simple check
+  // here is fine for the only state the endpoint accepts (pending).
+
+  try {
+    const updated = await updateTenantRequestEditableFields(id, {
+      instanceName: input.instanceName,
+      agentName: input.agentName,
+      soulMd: input.soulMd,
+      agentsMd: input.agentsMd,
+      packages: input.packages ?? [],
+      billingAddress: isFirstInstance ? input.billingAddress : undefined,
+      billingNotes: input.billingNotes,
+      encryptedSecrets,
+    });
+    if (!updated) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+    return NextResponse.json({ message: "Request updated.", id });
+  } catch (e: any) {
+    console.error("Failed to edit request:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to edit request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/onboarding/route.ts

@@ -6,6 +6,8 @@ import {
   listTenantRequestsByOrgId,
   listActiveTenantRequestsByOrgId,
   getMostRecentApprovedRequestForOrg,
+  getOrgBilling,
+  upsertOrgBilling,
 } from "@/lib/db";
 import { getTenant, listTenants } from "@/lib/k8s";
 import {
@@ -16,7 +18,7 @@ import {
 import { sendAdminNotificationEmail } from "@/lib/email";
 import { encryptSecrets } from "@/lib/crypto";
 import { isPersonalOrgName } from "@/lib/personal-org";
-import { onboardingSchema } from "@/lib/validation";
+import { onboardingSchema, billingAddressSchema } from "@/lib/validation";
 import type { OnboardingInput, PiecedTenant, TenantRequest } from "@/types";
 import { z } from "zod";
 
@@ -24,15 +26,33 @@ import { z } from "zod";
  * Helper: shape a TenantRequest row for client consumption.
  * Hides server-only fields (encryptedSecrets, internal db ids).
  */
+/**
+ * Helper: shape a TenantRequest row for client consumption.
+ * Hides server-only fields (encryptedSecrets, internal db ids).
+ *
+ * Slice 7 / Bug 6: surfaces enough fields for the customer-side edit
+ * flow to pre-fill the wizard. soulMd, agentsMd, billingAddress,
+ * billingNotes were previously kept off the public shape because the
+ * pre-Slice-3 dashboard didn't render them. Edit needs them.
+ *
+ * Bug 13: surfaces dismissedAt so the dashboard can distinguish
+ * "freshly rejected, show prominently" from "rejected and acknowledged,
+ * keep hidden" without an extra API call.
+ */
 function publicRequestShape(r: TenantRequest) {
   return {
     id: r.id,
     instanceName: r.instanceName,
     agentName: r.agentName,
+    soulMd: r.soulMd,
+    agentsMd: r.agentsMd,
     packages: r.packages,
+    billingAddress: r.billingAddress,
+    billingNotes: r.billingNotes,
     status: r.status,
     adminNotes: r.adminNotes,
     tenantName: r.tenantName,
+    dismissedAt: r.dismissedAt ?? null,
     createdAt: r.createdAt,
     updatedAt: r.updatedAt,
   };
@@ -237,8 +257,137 @@ export async function POST(request: Request) {
   const companyName = prior?.companyName ?? user.orgName;
   const contactName = prior?.contactName ?? user.name;
   const contactEmail = prior?.contactEmail ?? user.email;
-  const billingAddress = prior?.billingAddress ?? input.billingAddress;
+
-  const billingNotes = input.billingNotes ?? prior?.billingNotes;
+  // Bug 35: org-scoped billing.
+  //
+  // Resolution rules:
+  //   1. If org_billing exists, use it (synthesise a BillingAddress
+  //      shape for the audit copy on tenant_requests). Wizard's
+  //      submitted billingAddress is ignored — the org has billing
+  //      on file, the wizard skipped that step.
+  //   2. If no org_billing AND wizard supplied billingAddress, use
+  //      the wizard's data and save to org_billing for next time.
+  //      VAT is enforced by billingAddressSchema (required for
+  //      everyone).
+  //   3. If no org_billing AND no wizard billingAddress: reject.
+  //      Billing is required for all customers regardless of
+  //      personal/company org structure — we're a commercial
+  //      product. Personal accounts (sole proprietors, individuals)
+  //      are still subject to billing capture.
+  //
+  // The synthetic BillingAddress for case 1 collapses fields that
+  // org_billing has more granularly; good enough for audit, since
+  // /settings/billing is the authoritative editor going forward.
+  const orgBilling = await getOrgBilling(user.orgId);
+  let billingAddress: TenantRequest["billingAddress"];
+  let billingNotes = input.billingNotes ?? prior?.billingNotes;
+
+  if (orgBilling) {
+    billingAddress = {
+      company: orgBilling.companyName,
+      street: orgBilling.streetAddress,
+      postalCode: orgBilling.postalCode,
+      city: orgBilling.city,
+      country: orgBilling.country,
+      vatNumber: orgBilling.vatNumber ?? undefined,
+    };
+  } else if (input.billingAddress) {
+    // Wizard supplied billing — re-validate the strict shape (the
+    // outer onboardingSchema marks it optional now, so we can't rely
+    // on its enforcement of the inner required fields).
+    const billingCheck = billingAddressSchema.safeParse(input.billingAddress);
+    if (!billingCheck.success) {
+      return NextResponse.json(
+        {
+          error: "Invalid billing address",
+          details: billingCheck.error.flatten(),
+        },
+        { status: 400 }
+      );
+    }
+
+    // Company orgs (B2B) require companyName AND vatNumber.
+    // Personal orgs (B2C — private individuals) require neither;
+    // the wizard hides both fields for them and the API doesn't
+    // enforce.
+    if (!isPersonal) {
+      const missing: Record<string, string[]> = {};
+      if (
+        !billingCheck.data.company ||
+        billingCheck.data.company.trim().length === 0
+      ) {
+        missing["billingAddress.company"] = ["Required for companies"];
+      }
+      if (
+        !billingCheck.data.vatNumber ||
+        billingCheck.data.vatNumber.length === 0
+      ) {
+        missing["billingAddress.vatNumber"] = ["Required for companies"];
+      }
+      if (Object.keys(missing).length > 0) {
+        return NextResponse.json(
+          {
+            error:
+              "Company name and VAT number are required for company accounts.",
+            details: { fieldErrors: missing },
+          },
+          { status: 400 }
+        );
+      }
+    }
+
+    billingAddress = billingCheck.data;
+
+    // Persist to org_billing. For personal customers (B2C, no
+    // company line), fall back to their display name from the
+    // session — invoices addressed to their actual name rather than
+    // an opaque org id like "personal-3f2a8b1c". For companies the
+    // wizard's company field is filled.
+    const personalDisplayName = (user.name || user.email || "").trim();
+    try {
+      await upsertOrgBilling({
+        zitadelOrgId: user.orgId,
+        companyName:
+          (billingCheck.data.company || "").trim() ||
+          (isPersonal ? personalDisplayName : user.orgName) ||
+          user.orgName,
+        streetAddress: billingCheck.data.street,
+        postalCode: billingCheck.data.postalCode,
+        city: billingCheck.data.city,
+        country: billingCheck.data.country,
+        // Personal: undefined (no VAT). Company: enforced non-empty
+        // by the check above.
+        vatNumber: isPersonal ? null : billingCheck.data.vatNumber!,
+        billingEmail: contactEmail,
+        notes: billingNotes ?? null,
+      });
+    } catch (e) {
+      // Non-fatal — the tenant_request still gets created with the
+      // billingAddress audit copy. The customer can re-save via
+      // /settings/billing if this failed.
+      console.warn(
+        "failed to save org_billing on first capture; tenant_request still created with audit copy",
+        e
+      );
+    }
+  } else {
+    // No billing supplied AND no org_billing record. Required for
+    // everyone — commercial product, no personal-orgs-skip
+    // shortcut. Customer must complete the wizard's billing step
+    // or set up /settings/billing first.
+    return NextResponse.json(
+      {
+        error:
+          "Billing information is required. Please complete the billing step or set it up at /settings/billing.",
+        details: {
+          fieldErrors: {
+            billingAddress: ["Required"],
+          },
+        },
+      },
+      { status: 400 }
+    );
+  }
 
   const tenantRequest = await createTenantRequest({
     zitadelOrgId: user.orgId,

src/app/api/tenants/[name]/resume-request/route.ts

@@ -0,0 +1,153 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getTenant, setTenantAnnotation } from "@/lib/k8s";
+import { canUserSeeTenant } from "@/lib/visibility";
+import {
+  createResumeRequest,
+  getPendingResumeRequestForTenant,
+  getTenantRequestByTenantName,
+} from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * POST /api/tenants/[name]/resume-request
+ *
+ * Owner-initiated request to reactivate a suspended tenant (Bug 37a).
+ * Creates a pending tenant_request of type 'resume' for admin review,
+ * and stamps the PiecedTenant CR with an annotation that pauses the
+ * operator's 60-day deletion timer.
+ *
+ * Why a request flow at all
+ * -------------------------
+ * Customers can self-serve cancel; resume requires admin oversight.
+ * Reactivation may involve re-validating billing, confirming the
+ * customer still wants to be active, or other manual steps. The
+ * request flow gives admins a queue to review, with the same approve/
+ * reject UX as initial provision requests.
+ *
+ * Authorization
+ * -------------
+ * Owners and platform admins. Platform admins shouldn't normally use
+ * this endpoint — they have direct PATCH suspend access — but it's
+ * permissive in case admin tooling pivots.
+ *
+ * Validation
+ * ----------
+ *  - Tenant must exist and be visible to the caller.
+ *  - Tenant must be currently suspended. Resuming an active tenant
+ *    is meaningless.
+ *  - At most one pending resume request per tenant. Enforced by the
+ *    DB's partial unique index, but we also check explicitly here to
+ *    return a friendly 409 instead of a 500.
+ *
+ * Side effects on success
+ * -----------------------
+ *  - INSERT into tenant_requests (request_type='resume', status='pending')
+ *  - PATCH annotation `pieced.ch/resume-request-pending=<request-id>` on
+ *    the CR. This is the operator's signal to pause its 60-day deletion
+ *    timer until the request transitions to terminal.
+ *
+ * The annotation set is best-effort: if the K8s PATCH fails after the
+ * DB insert, the row exists without the annotation. The customer
+ * sees the request as pending; admin can still approve. The only
+ * functional consequence is the 60-day timer doesn't pause until the
+ * next request transition, which is fine in practice (admin response
+ * times are dramatically shorter than 60 days).
+ */
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { name } = await params;
+  const tenant = await getTenant(name);
+  if (!tenant) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (!(await canUserSeeTenant(user, tenant))) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (!tenant.spec.suspend) {
+    return NextResponse.json(
+      { error: "Tenant is not suspended; nothing to resume." },
+      { status: 409 }
+    );
+  }
+
+  // Already a pending request? Don't duplicate.
+  const existing = await getPendingResumeRequestForTenant(name);
+  if (existing) {
+    return NextResponse.json(
+      {
+        error: "A resume request for this tenant is already pending.",
+        request: { id: existing.id, createdAt: existing.createdAt },
+      },
+      { status: 409 }
+    );
+  }
+
+  // Pull traceability fields (companyName, agentName) from the original
+  // provision request. The schema marks these NOT NULL, so we have to
+  // populate them; copying from the provision row keeps the resume
+  // row navigable in the admin UI without making up values.
+  const provision = await getTenantRequestByTenantName(name);
+
+  try {
+    const resumeRequest = await createResumeRequest({
+      tenantName: name,
+      zitadelOrgId:
+        tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] ?? user.orgId,
+      zitadelUserId: user.id,
+      contactName: user.name,
+      contactEmail: user.email,
+      companyName: provision?.companyName ?? tenant.spec.displayName ?? name,
+      agentName: provision?.agentName ?? "Assistant",
+    });
+
+    // Stamp the annotation so the operator pauses its TTL. If this
+    // fails the request still exists; surface the error so admin
+    // tooling can re-stamp if needed, but don't roll back.
+    try {
+      await setTenantAnnotation(
+        name,
+        "pieced.ch/resume-request-pending",
+        resumeRequest.id
+      );
+    } catch (e) {
+      console.warn(
+        "resume request created but annotation could not be set; operator's 60-day timer will not pause until next reconcile triggered by request transition",
+        e
+      );
+    }
+
+    return NextResponse.json(
+      {
+        message: "Resume request submitted. An admin will review shortly.",
+        request: { id: resumeRequest.id, status: resumeRequest.status },
+      },
+      { status: 201 }
+    );
+  } catch (e: any) {
+    // Unique violation (a pending row already exists for this tenant)
+    // is friendly-handled above; this catches everything else.
+    if (e.code === "23505") {
+      return NextResponse.json(
+        { error: "A resume request for this tenant is already pending." },
+        { status: 409 }
+      );
+    }
+    console.error("Resume request creation failed:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to submit resume request") },
+      { status: 500 }
+    );
+  }
+}

src/app/api/tenants/[name]/suspend/route.ts

@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { z } from "zod";
 import { getSessionUser, canMutate } from "@/lib/session";
-import { getTenant, patchTenantSpec } from "@/lib/k8s";
+import { getTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
 import { safeError } from "@/lib/errors";
 
@@ -12,37 +12,38 @@ const patchSchema = z.object({
 /**
  * PATCH /api/tenants/[name]/suspend
  *
- * Customer-side "Cancel subscription" / "Resume" toggle (Bug 31).
+ * Direct suspend control on the PiecedTenant CR. Sets `spec.suspend`
+ * to true (cancel) or false (resume).
  *
- * Sets `spec.suspend` on the PiecedTenant CR. The operator interprets
+ * Authorization (Bug 37a)
- * this flag as "stop reconciling this tenant" — workloads, packages,
+ * -----------------------
- * and channel-user changes are no longer applied. Existing data is
+ * - suspend=true  → owners and platform admins may call.
- * preserved (namespace, ConfigMaps, OpenBao secrets, CNPG database,
+ * - suspend=false → platform admins ONLY. Owners must go through the
- * billing records). Resuming sets the flag back to false and the
+ *   resume-request flow (POST /api/tenants/[name]/resume-request),
- * operator picks up reconciliation on the next loop.
+ *   which creates a pending request for admin approval. This
+ *   asymmetry is by design: cancellation is self-service (low risk;
+ *   reversible by request); reactivation requires admin oversight
+ *   (e.g. to re-validate billing, confirm intent).
  *
- * Authorization
+ * Customer flow:
- * -------------
+ *   - Cancel:  PATCH suspend=true  here
- * - Customer-side: only an `owner` of the tenant's org may call this.
+ *   - Resume:  POST /resume-request — creates a 'resume' tenant_request,
- *   `canMutate` is the right gate (mirrors the rest of the customer
+ *              admin approves via /api/admin/requests/[id]/approve which
- *   API surface). User-role members cannot cancel a subscription.
+ *              then PATCHes suspend=false here as a platform user.
- * - Platform staff: allowed via `canMutate`'s isPlatform branch, but
- *   in practice they should use admin tooling for this — the action
- *   is exposed here for the customer's benefit.
  *
- * Visibility check is via `canUserSeeTenant` — same notFound() trick
+ * Workload behaviour
- * as the detail page, so we don't leak existence of tenants the
+ * ------------------
- * caller can't see.
+ * On suspend=true the operator deletes the OpenClawInstance, stopping
+ * the pod within seconds. Tenant data — namespace, ConfigMaps,
+ * OpenBao secrets, CNPG database, LiteLLM team — is retained.
  *
- * Note on workload teardown
+ * Suspended tenants enter a 60-day retention window (operator
- * -------------------------
+ * constant `retentionAfterSuspend`); after that, the tenant is fully
- * As of this writing, the operator's `suspend` handling is "skip
+ * deleted unless a pending resume request exists. The operator
- * reconciliation and set status.phase to Suspended". The underlying
+ * checks the `pieced.ch/resume-request-pending` annotation to know
- * StatefulSet keeps running until next reconciliation, which won't
+ * about pending requests; we set it here when admin approves the
- * happen while suspended. Group D will add scale-to-zero so cancelled
+ * resume (transitively, via the admin-approve endpoint), and clear
- * subscriptions actually stop incurring compute. Until then, an
+ * it when the request reaches a terminal state.
- * operator following up with a `kubectl scale` is the workaround.
- * Customer data is preserved either way.
  */
 export async function PATCH(
   req: NextRequest,
@@ -76,6 +77,18 @@ export async function PATCH(
   }
   const { suspend } = parsed.data;
 
+  // Bug 37a: resume (suspend=false) is platform-admin only via this
+  // endpoint. Owners must go through the resume-request flow.
+  if (!suspend && !user.isPlatform) {
+    return NextResponse.json(
+      {
+        error:
+          "Resume requires platform-admin approval. Submit a resume request via /api/tenants/[name]/resume-request.",
+      },
+      { status: 403 }
+    );
+  }
+
   // No-op early exit. Avoids a needless K8s patch + status churn when
   // the user double-clicks the button or the UI is briefly out of sync.
   if (Boolean(tenant.spec.suspend) === suspend) {
@@ -87,10 +100,32 @@ export async function PATCH(
 
   try {
     await patchTenantSpec(name, { suspend });
+
+    // On admin-side resume, also clear the pending-resume-request
+    // annotation if it exists. Belt-and-suspenders: the admin-approve
+    // endpoint already clears it on its happy path, but a platform
+    // user resuming directly via this endpoint shouldn't leave the
+    // annotation behind. Best-effort: failure to clear the annotation
+    // is logged but doesn't fail the resume.
+    if (!suspend) {
+      try {
+        await setTenantAnnotation(
+          name,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "failed to clear resume-request-pending annotation; operator will see it stale until next request transition",
+          e
+        );
+      }
+    }
+
     return NextResponse.json(
       {
         message: suspend
-          ? "Subscription cancelled. Your data is preserved."
+          ? "Subscription cancelled. Your data is preserved for 60 days."
           : "Subscription resumed.",
         suspend,
       },

src/app/api/usage/route.ts

@@ -8,64 +8,109 @@ import { safeError } from "@/lib/errors";
 /**
  * GET /api/usage
  *
- * Customers: tenant resolved server-side from the user's orgId. The
+ * Per-tenant spend/token usage for a given month.
- *            response is filtered by the tenant's `litellmKeyAlias` so
- *            sibling tenants in the same org don't bleed into the total.
- * Platform admins: may pass ?teamId=... to inspect any team. They may
- *                  also pass ?keyAlias=... to scope to a single tenant.
  *
- * Slice 2 note
+ * Resolution rules (in priority order)
- * ------------
+ * ------------------------------------
- * LiteLLM teams are now shared across all tenants of an org. The team's
+ *  1. `?tenant=<name>` query param — the canonical path. The route
- * `/team/info` budget is the *company* budget; the per-tenant numbers
+ *     looks up the PiecedTenant CR by name, runs it through the
- * come from filtering spend logs by `key_alias`. If a tenant has no
+ *     viewer's visibility filter, and reads `status.litellmTeamId` +
- * `litellmKeyAlias` in status (transitional state right after upgrade,
+ *     `status.litellmKeyAlias`. This is what the tenant-detail page
- * before the operator has reconciled), we fall back to team-level
+ *     calls with for both customers and admins.
- * filtering — the numbers will be slightly inflated for that one
+ *  2. `?teamId=<id>` (+ optional `?keyAlias=<alias>`) — admin escape
- * reconcile cycle.
+ *     hatch for debugging across orgs (e.g. opening the platform
+ *     panel without a specific tenant in mind). Platform-only;
+ *     ignored for customer sessions.
+ *  3. No params — 400. We deliberately do NOT fall back to "the
+ *     first visible tenant". Bug 19: that fallback meant siblings
+ *     in the same org showed identical numbers because the API
+ *     always picked the same "first" tenant regardless of which
+ *     detail page the customer was viewing. Forcing callers to be
+ *     explicit makes the bug structurally impossible to reintroduce.
+ *
+ * Filtering
+ * ---------
+ * LiteLLM's `/spend/logs/v2` accepts a server-side `key_alias` filter.
+ * We pass it through directly — no more "fetch all team pages and
+ * post-filter in JS" (which was O(team_total) memory per request and
+ * masked the routing bug above by being slow enough that nobody
+ * noticed which alias was actually being used).
+ *
+ * The team-level budget is still surfaced as the *org* budget, since
+ * teams are org-scoped post-Slice-2. That's intentional: the customer
+ * sees "your company has X budget remaining" alongside "this tenant
+ * cost Y this month".
  */
 export async function GET(req: NextRequest) {
   const user = await getSessionUser();
   if (!user)
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
+  const tenantName = req.nextUrl.searchParams.get("tenant");
   let teamId: string | null = null;
   let keyAlias: string | null = null;
 
-  if (user.isPlatform) {
+  if (tenantName) {
-    teamId = req.nextUrl.searchParams.get("teamId") ?? null;
+    // Path 1: resolve from tenant name with visibility check.
-    keyAlias = req.nextUrl.searchParams.get("keyAlias") ?? null;
-  }
-
-  // For customers (or admins without explicit params): resolve from
-  // the user's *visible* tenants. With Slice 6, a `user`-role member
-  // can only see usage for tenants they're assigned to — a non-assigned
-  // user defaults to "no active tenant" (404).
     //
-  // Owner and platform get the full org-scoped list and pick the first
+    // listVisibleTenants enforces the same visibility rules as every
-  // tenant, matching the dashboard's "current instance" semantics.
+    // other read endpoint:
-  if (!teamId) {
+    //   - platform admins see everything
+    //   - owners see all tenants in their org
+    //   - users see only the tenants they're assigned to (Slice 6)
+    //
+    // Filtering through that list rather than reading the CR directly
+    // means a malicious caller can't probe arbitrary tenant names to
+    // learn what exists in other orgs.
     const allTenants = await listTenants();
     const visible = await listVisibleTenants(user, allTenants);
-    const orgTenant = visible.find((t) => !!t.status?.litellmTeamId);
+    const tenant = visible.find((t) => t.metadata.name === tenantName);
 
-    if (!orgTenant?.status?.litellmTeamId) {
+    if (!tenant) {
       return NextResponse.json(
-        { error: "No active tenant found for your organization" },
+        { error: "Tenant not found or not accessible" },
         { status: 404 }
       );
     }
-    teamId = orgTenant.status.litellmTeamId;
+    if (!tenant.status?.litellmTeamId) {
-
+      // Tenant exists but the operator hasn't reconciled it yet.
-    // If the operator has populated the per-tenant key alias, filter by it.
+      // Common right after onboarding; the customer should see a
-    // Falling back to team-level (no alias) will return the org total, which
+      // friendly empty state, not a 500.
-    // is acceptable transitionally but means siblings' usage shows up here.
+      return NextResponse.json(
-    if (orgTenant.status.litellmKeyAlias) {
+        { error: "Tenant is still provisioning, no usage data yet" },
-      keyAlias = orgTenant.status.litellmKeyAlias;
+        { status: 409 }
+      );
     }
+    teamId = tenant.status.litellmTeamId;
+    // litellmKeyAlias is set by the operator's LiteLLM reconcile step
+    // alongside litellmTeamId, so if teamId is present this should be
+    // too. Defensive fallback to team-level if missing — in that case
+    // the customer briefly sees company totals until the next operator
+    // reconcile, which is better than 500.
+    keyAlias = tenant.status.litellmKeyAlias ?? null;
+  } else if (user.isPlatform) {
+    // Path 2: admin escape hatch.
+    teamId = req.nextUrl.searchParams.get("teamId");
+    keyAlias = req.nextUrl.searchParams.get("keyAlias");
+    if (!teamId) {
+      return NextResponse.json(
+        {
+          error:
+            "Either ?tenant=<name> or ?teamId=<id> (admin) must be provided",
+        },
+        { status: 400 }
+      );
+    }
+  } else {
+    // Path 3: no resolution possible. See doc above for why we don't
+    // pick a default.
+    return NextResponse.json(
+      { error: "Tenant must be specified via ?tenant=<name>" },
+      { status: 400 }
+    );
   }
 
-  // Month param: YYYY-MM, defaults to current month
+  // Month param: YYYY-MM, defaults to current month.
   const now = new Date();
   const monthParam =
     req.nextUrl.searchParams.get("month") ||
@@ -81,11 +126,11 @@ export async function GET(req: NextRequest) {
   try {
     const teamInfo = await getTeamInfo(teamId);
 
-    // Fetch all pages from the team. We always query at the team level —
+    // Page through results — server-side filtered by key_alias when
-    // LiteLLM's /spend/logs/v2 doesn't filter by key_alias reliably across
+    // provided. Pagination still needed because LiteLLM caps
-    // versions, so we paginate and post-filter in code. For pilot scale
+    // page_size at 100, and a busy tenant can easily exceed that in
-    // this is cheap; if a single team ever exceeds ~10k entries/month we
+    // a month. With server-side filtering this stays cheap regardless
-    // can revisit.
+    // of how busy sibling tenants in the same team are.
     const allRequests: any[] = [];
     let page = 1;
     while (true) {
@@ -94,33 +139,25 @@ export async function GET(req: NextRequest) {
         startStr,
         endStr,
         page,
-        100
+        100,
+        keyAlias
       );
       allRequests.push(...(result.data || []));
       if (page >= (result.total_pages || 1)) break;
       page++;
+      // Defensive cap. A pathological response with bogus total_pages
+      // shouldn't be able to spin us forever. 50 pages × 100 = 5000
+      // entries/month/tenant is well above any realistic usage at
+      // pilot scale.
+      if (page > 50) break;
     }
 
-    // Apply key_alias post-filter when scoping to a single tenant. Match
+    // Aggregate by day.
-    // both `key_alias` (newer LiteLLM) and `metadata.user_api_key_alias`
-    // (older builds nest it inside metadata).
-    const scoped = keyAlias
-      ? allRequests.filter((r) => {
-          const alias =
-            r.key_alias ??
-            r.metadata?.user_api_key_alias ??
-            r.api_key_alias ??
-            null;
-          return alias === keyAlias;
-        })
-      : allRequests;
-
-    // Aggregate by day
     const byDay: Record<
       string,
       { inputTokens: number; outputTokens: number; spend: number }
     > = {};
-    for (const r of scoped) {
+    for (const r of allRequests) {
       const day = (r.startTime || r.endTime || "").slice(0, 10);
       if (!day) continue;
       if (!byDay[day])
@@ -134,30 +171,30 @@ export async function GET(req: NextRequest) {
       .sort(([a], [b]) => a.localeCompare(b))
       .map(([date, d]) => ({ date, ...d }));
 
-    const totalInput = scoped.reduce(
+    const totalInput = allRequests.reduce(
       (s, r) => s + (r.prompt_tokens || 0),
       0
     );
-    const totalOutput = scoped.reduce(
+    const totalOutput = allRequests.reduce(
       (s, r) => s + (r.completion_tokens || 0),
       0
     );
-    const totalSpend = scoped.reduce((s, r) => s + (r.spend || 0), 0);
+    const totalSpend = allRequests.reduce((s, r) => s + (r.spend || 0), 0);
 
     return NextResponse.json({
       teamId,
-      keyAlias, // null when not filtering — useful for the client to know it sees company-wide data
+      keyAlias, // null when admin queries team-wide (no specific tenant)
       month: monthParam,
       currentPeriod: {
         inputTokens: totalInput,
         outputTokens: totalOutput,
         totalSpend,
-        requestCount: scoped.length,
+        requestCount: allRequests.length,
       },
       // Budget is always team-level (= company budget). Spend reported
       // here is the team total, not the per-key total — the customer
-      // wants to see "how much of our company budget is left", not just
+      // wants to see "how much of our company budget is left", not
-      // "how much has this one tenant cost".
+      // just "how much has this one tenant cost".
       budget: {
         maxBudget: teamInfo?.team_info?.max_budget ?? null,
         spend: teamInfo?.team_info?.spend ?? 0,

src/components/admin/admin-panel.tsx

@@ -362,9 +362,28 @@ export function AdminPanel({ initialTenants }: AdminPanelProps) {
                         className="border-b border-border last:border-0 hover:bg-surface-2/50 transition-colors"
                       >
                         <td className="px-4 py-3">
-                          <div className="font-medium text-text-primary text-sm">
+                          <div className="font-medium text-text-primary text-sm flex items-center gap-2">
                             {req.companyName}
+                            {/* Bug 37a: distinguish resume requests in the
+                                queue. Provision and resume share status
+                                semantics but very different action
+                                consequences — a resume approval just
+                                un-suspends an existing tenant, no
+                                provisioning workflow runs. */}
+                            {req.requestType === "resume" && (
+                              <span
+                                className="px-1.5 py-0.5 text-[10px] font-semibold rounded uppercase tracking-wider bg-success/15 text-success"
+                                title={t("resumeRequestTooltip")}
+                              >
+                                {t("resumeRequestBadge")}
+                              </span>
+                            )}
                           </div>
+                          {req.requestType === "resume" && req.tenantName && (
+                            <div className="text-text-muted text-xs font-mono mt-0.5">
+                              {req.tenantName}
+                            </div>
+                          )}
                         </td>
                         <td className="px-4 py-3">
                           <div className="text-text-primary text-sm">

src/components/dashboard/usage-display.tsx

@@ -94,17 +94,27 @@ function UsageChart({ data }: { data: DailyUsage[] }) {
 /**
  * Usage display widget.
  *
- * - Customers: don't pass teamId or keyAlias — the backend resolves both
+ * Pass `tenant=<name>` for the canonical path — works for both
- *   from the session-bound tenant.
+ * customers and admins, the API resolves team+alias from the tenant
- * - Admins inspecting a specific tenant: pass `teamId` (the org-level
+ * CR's status. The visibility check on the API ensures users can't
- *   LiteLLM team id) AND `keyAlias` (the tenant's virtual-key alias).
+ * query tenants they shouldn't see.
- *   Without `keyAlias`, the response includes spend from sibling tenants
+ *
- *   in the same org, since teams are shared since Slice 2.
+ * `teamId`/`keyAlias` remain available as a platform-admin escape
+ * hatch for cross-org debugging, but the tenant-detail and dashboard
+ * paths should always use `tenant`.
+ *
+ * Bug 19 fix: previous version omitted both props for customer
+ * sessions, expecting the API to "figure it out". The API's fallback
+ * was "first visible tenant", which meant siblings in the same org
+ * showed identical numbers regardless of which detail page was open.
+ * Now the page passes the tenant name explicitly; no fallback exists.
  */
 export function UsageDisplay({
+  tenant,
   teamId,
   keyAlias,
 }: {
+  tenant?: string | null;
   teamId?: string | null;
   keyAlias?: string | null;
 }) {
@@ -121,11 +131,13 @@ export function UsageDisplay({
     setError(null);
 
     const params = new URLSearchParams({ month });
-    if (teamId) {
+    if (tenant) {
+      params.set("tenant", tenant);
+    } else if (teamId) {
+      // Admin escape hatch — only honoured by the API when the
+      // viewer is platform-role.
       params.set("teamId", teamId);
-    }
+      if (keyAlias) params.set("keyAlias", keyAlias);
-    if (keyAlias) {
-      params.set("keyAlias", keyAlias);
     }
 
     fetch(`/api/usage?${params}`)
@@ -133,7 +145,7 @@ export function UsageDisplay({
       .then(setData)
       .catch((e) => setError(e.message))
       .finally(() => setLoading(false));
-  }, [teamId, keyAlias, month]);
+  }, [tenant, teamId, keyAlias, month]);
 
   useEffect(() => { fetchUsage(); }, [fetchUsage]);
 

src/components/layout/nav-shell.tsx

@@ -59,6 +59,21 @@ function NavBar() {
                   {t("team")}
                 </NavLink>
               )}
+            {/* Bug 35: /settings is shown to anyone who can mutate org-level
+                state — owners and platform admins. Personal accounts also
+                see it; their billing page is optional but the entry point
+                exists for consistency. `user`-role customers don't see it
+                (canMutate is false). */}
+            {user &&
+              (user.isPlatform ||
+                (Array.isArray(user.roles) && user.roles.includes("owner"))) && (
+                <NavLink
+                  href="/settings"
+                  active={pathname.startsWith("/settings")}
+                >
+                  {t("settings")}
+                </NavLink>
+              )}
             {user?.isPlatform && (
               <NavLink href="/admin" active={pathname === "/admin"}>
                 {t("admin")}

src/components/onboarding/onboarding-flow.tsx

@@ -12,6 +12,21 @@ interface OnboardingFlowProps {
    */
   userName?: string;
   userEmail?: string;
+  /**
+   * Bug 35: true if the org already has a billing record. The wizard
+   * uses this to skip the billing step on subsequent tenants — capture
+   * once at first onboarding, reuse afterwards. Editable later via
+   * /settings/billing.
+   */
+  hasOrgBilling?: boolean;
+  /**
+   * Bug 6: when present, the wizard is rendered in edit mode against
+   * the given pending request. See `OnboardingWizard` for the full
+   * shape and behavioural contract.
+   */
+  editingRequest?: React.ComponentProps<
+    typeof OnboardingWizard
+  >["editingRequest"];
 }
 
 /**
@@ -29,6 +44,8 @@ export function OnboardingFlow({
   orgName,
   userName,
   userEmail,
+  hasOrgBilling,
+  editingRequest,
 }: OnboardingFlowProps) {
   const router = useRouter();
 
@@ -37,6 +54,8 @@ export function OnboardingFlow({
       orgName={orgName}
       userName={userName}
       userEmail={userEmail}
+      hasOrgBilling={hasOrgBilling}
+      editingRequest={editingRequest}
       onComplete={() => {
         // Navigate back to /dashboard and re-fetch on the server. The
         // parent server component will see the new `pending` row and

src/components/onboarding/provisioning-status.tsx

@@ -1,8 +1,11 @@
 "use client";
 
 import { useState, useEffect, useCallback } from "react";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
 import { useTranslations, useFormatter } from "next-intl";
 import { Card } from "@/components/ui/card";
+import { Modal } from "@/components/ui/modal";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { formatDateTime, formatRelative } from "@/lib/format";
 
@@ -14,6 +17,7 @@ interface RequestSummary {
   status: string;
   adminNotes?: string;
   tenantName?: string;
+  dismissedAt?: string | null;
   createdAt?: string;
   updatedAt?: string;
 }
@@ -36,21 +40,42 @@ interface SingleRequestState {
   tenant: TenantSummary | null;
 }
 
+interface Props {
+  requestId: string;
+  /**
+   * Whether the viewer can act on this request — cancel a pending one,
+   * dismiss a rejected one, etc. True for owner + platform; false for
+   * `user`-role customers (who shouldn't see in-flight requests at all,
+   * but defence in depth — `canSeeInflightRequests` already gates the
+   * dashboard side).
+   */
+  canAct: boolean;
+}
+
 /**
  * ProvisioningStatus
  *
  * Polls /api/onboarding?id=<requestId> every 5s until the request reaches
- * a terminal state. Slice 3: takes a `requestId` prop so multiple of these
+ * a terminal state. Slice 3: takes a `requestId` prop so multiple of
- * can render on the same dashboard for different in-flight requests.
+ * these can render on the same dashboard for different in-flight
+ * requests.
  *
- * The pre-Slice-3 version polled /api/onboarding with no params and
+ * Slice 7 / Bug 6 + 13:
- * assumed one-request-per-org — that endpoint shape is gone now.
+ *   - pending → cancel + edit buttons
+ *   - rejected → admin notes block + dismiss button
+ *   - cancelled → small acknowledgement card + dismiss button
+ *   - terminal Ready/Active states unchanged
  */
-export function ProvisioningStatus({ requestId }: { requestId: string }) {
+export function ProvisioningStatus({ requestId, canAct }: Props) {
   const t = useTranslations("onboarding");
+  const tCommon = useTranslations("common");
   const f = useFormatter();
+  const router = useRouter();
+
   const [data, setData] = useState<SingleRequestState | null>(null);
   const [error, setError] = useState("");
+  const [actionPending, setActionPending] = useState(false);
+  const [confirmCancel, setConfirmCancel] = useState(false);
 
   const poll = useCallback(async () => {
     try {
@@ -67,11 +92,11 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
 
   useEffect(() => {
     poll();
-
     const status = data?.request?.status;
     const phase = data?.tenant?.phase;
     const terminal =
       status === "rejected" ||
+      status === "cancelled" ||
       status === "active" ||
       phase === "Ready" ||
       phase === "Running";
@@ -82,7 +107,54 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     return () => clearInterval(interval);
   }, [poll, data?.request?.status, data?.tenant?.phase]);
 
-  if (error) {
+  const handleCancel = async () => {
+    setActionPending(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${encodeURIComponent(requestId)}`,
+        { method: "DELETE" }
+      );
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || t("cancelFailed"));
+      }
+      setConfirmCancel(false);
+      // Re-poll so the card transitions to "cancelled" state without a
+      // full route refresh — the dashboard's surrounding tenant cards
+      // are unaffected.
+      await poll();
+      router.refresh();
+    } catch (err: any) {
+      setError(err.message);
+    } finally {
+      setActionPending(false);
+    }
+  };
+
+  const handleDismiss = async () => {
+    setActionPending(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${encodeURIComponent(requestId)}/dismiss`,
+        { method: "POST" }
+      );
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || t("dismissFailed"));
+      }
+      // Server-rendered list query (`listActiveTenantRequestsByOrgId`)
+      // filters out dismissed rows — refresh to drop this card.
+      router.refresh();
+    } catch (err: any) {
+      setError(err.message);
+    } finally {
+      setActionPending(false);
+    }
+  };
+
+  if (error && !data) {
     return (
       <Card>
         <div className="text-xs text-red-400">{error}</div>
@@ -107,7 +179,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     data.request.tenantName ||
     data.request.agentName;
 
-  // Pending admin approval
+  // ─── Pending: awaiting admin approval ───────────────────────────────
   if (status === "pending") {
     return (
       <Card className="animate-in">
@@ -131,7 +203,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("pendingTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("pendingDescription")}
@@ -150,12 +224,71 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
               </span>
             </p>
           )}
+
+          {/* Bug 6 — owner-only edit + cancel actions while still
+              pending. Once admin acts, both buttons disappear (the
+              status branch changes). */}
+          {canAct && (
+            <div className="flex justify-center gap-2 mt-5">
+              <Link
+                href={`/dashboard/edit/${encodeURIComponent(requestId)}`}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+              >
+                {t("editRequest")}
+              </Link>
+              <button
+                type="button"
+                onClick={() => setConfirmCancel(true)}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-red-500/30 text-red-400 hover:bg-red-500/10 transition-colors"
+              >
+                {t("cancelRequest")}
+              </button>
             </div>
+          )}
+          {error && (
+            <p className="text-xs text-red-400 mt-3">{error}</p>
+          )}
+        </div>
+
+        {confirmCancel && (
+          <Modal
+            open={confirmCancel}
+            onClose={() => setConfirmCancel(false)}
+            ariaLabel={t("cancelConfirmRequestTitle")}
+          >
+            <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+              {t("cancelConfirmRequestTitle")}
+            </h3>
+            <p className="text-sm text-text-secondary mb-5">
+              {t("cancelConfirmRequestDescription")}
+            </p>
+            <div className="flex justify-end gap-2">
+              <button
+                type="button"
+                onClick={() => setConfirmCancel(false)}
+                disabled={actionPending}
+                className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+              >
+                {tCommon("cancel")}
+              </button>
+              <button
+                type="button"
+                onClick={handleCancel}
+                disabled={actionPending}
+                className="text-sm px-4 py-2 rounded-lg bg-red-500 text-white hover:bg-red-600 transition-colors disabled:opacity-50"
+              >
+                {actionPending
+                  ? tCommon("loading")
+                  : t("cancelRequestConfirm")}
+              </button>
+            </div>
+          </Modal>
+        )}
       </Card>
     );
   }
 
-  // Rejected
+  // ─── Rejected: admin declined ───────────────────────────────────────
   if (status === "rejected") {
     return (
       <Card className="animate-in">
@@ -179,22 +312,94 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("rejectedTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("rejectedDescription")}
           </p>
           {data.request.adminNotes && (
-            <p className="text-xs text-text-muted mt-3 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
+            <div className="text-left text-xs text-text-secondary mt-4 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
+              <div className="font-semibold uppercase tracking-wider text-text-muted text-[10px] mb-1.5">
+                {t("rejectionReason")}
+              </div>
+              <div className="whitespace-pre-wrap">
                 {data.request.adminNotes}
-            </p>
+              </div>
+            </div>
           )}
+          {/* Bug 13: dismiss removes this card from the dashboard but
+              keeps the row in the DB for audit. The customer can also
+              just resubmit via the wizard — both paths are valid. */}
+          {canAct && (
+            <div className="flex justify-center mt-5">
+              <button
+                type="button"
+                onClick={handleDismiss}
+                disabled={actionPending}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
+              >
+                {actionPending ? tCommon("loading") : t("dismiss")}
+              </button>
+            </div>
+          )}
+          {error && <p className="text-xs text-red-400 mt-3">{error}</p>}
         </div>
       </Card>
     );
   }
 
-  // Provisioning in progress (status approved/provisioning, optionally with tenant phase < Ready)
+  // ─── Cancelled: customer cancelled before admin acted (Bug 6) ──────
+  if (status === "cancelled") {
+    return (
+      <Card className="animate-in">
+        <div className="text-center py-6">
+          <div className="h-14 w-14 rounded-xl bg-text-muted/15 flex items-center justify-center mx-auto mb-4">
+            <svg
+              className="h-7 w-7 text-text-muted"
+              fill="none"
+              viewBox="0 0 24 24"
+              stroke="currentColor"
+              strokeWidth={1.5}
+            >
+              <path
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
+              />
+            </svg>
+          </div>
+          <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
+            {t("cancelledTitle")}
+          </h2>
+          {label && (
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
+          )}
+          <p className="text-sm text-text-secondary max-w-sm mx-auto">
+            {t("cancelledDescription")}
+          </p>
+          {canAct && (
+            <div className="flex justify-center mt-5">
+              <button
+                type="button"
+                onClick={handleDismiss}
+                disabled={actionPending}
+                className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors disabled:opacity-50"
+              >
+                {actionPending ? tCommon("loading") : t("dismiss")}
+              </button>
+            </div>
+          )}
+          {error && <p className="text-xs text-red-400 mt-3">{error}</p>}
+        </div>
+      </Card>
+    );
+  }
+
+  // ─── Provisioning: approved, operator working ──────────────────────
   if (
     status === "approved" ||
     status === "provisioning" ||
@@ -213,7 +418,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("provisioningTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary">
             {t("provisioningDescription")}
@@ -249,7 +456,7 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
     );
   }
 
-  // Active / Ready
+  // ─── Active / Ready ─────────────────────────────────────────────────
   if (status === "active") {
     return (
       <Card className="animate-in">
@@ -273,7 +480,9 @@ export function ProvisioningStatus({ requestId }: { requestId: string }) {
             {t("readyTitle")}
           </h2>
           {label && (
-            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+            <p className="text-xs font-mono text-text-secondary mb-2">
+              {label}
+            </p>
           )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto mb-4">
             {t("readyDescription")}

src/components/onboarding/wizard.tsx

@@ -16,7 +16,26 @@ import {
 
 type Step = "welcome" | "configure" | "billing" | "confirm";
 
-const STEPS: Step[] = ["welcome", "configure", "billing", "confirm"];
+// The step list. Composed once and used to compute "next/prev" arrows
+// and progress indicator. Bug 35: the billing step is conditional —
+// orgs that already have billing on file (subsequent tenants, or
+// pre-filled via /settings/billing) skip it. The wizard's submit
+// payload omits billingAddress in that case; the API picks up the
+// existing org_billing row server-side.
+function makeSteps(opts: {
+  hasOrgBilling: boolean;
+  isEditing: boolean;
+}): Step[] {
+  const base: Step[] = ["welcome", "configure", "billing", "confirm"];
+  // Edit mode currently still shows the billing step because we want
+  // the customer to be able to fix billing on a still-pending request
+  // BEFORE it reaches admin. Once approved, edits go through
+  // /settings/billing instead. Same step set for editing as new for now.
+  if (opts.hasOrgBilling && !opts.isEditing) {
+    return base.filter((s) => s !== "billing");
+  }
+  return base;
+}
 
 // Inline fallbacks — only used if the API call to /api/workspace-defaults fails
 const FALLBACK_SOUL = `# AI Assistant
@@ -64,6 +83,48 @@ interface WizardProps {
    */
   userName?: string;
   userEmail?: string;
+  /**
+   * Bug 35: when true, the wizard skips the billing step. The org
+   * already has billing on file (captured during a previous tenant's
+   * onboarding, or set directly via /settings/billing), and we don't
+   * re-prompt for it. The submit payload omits billingAddress in that
+   * case; the API picks up the existing record server-side.
+   *
+   * In edit mode this is ignored — the wizard re-renders the step
+   * with the request's original billingAddress so the customer can
+   * fix it before admin approves.
+   */
+  hasOrgBilling?: boolean;
+  /**
+   * Bug 6: when present, the wizard renders in "edit" mode — fields
+   * are pre-populated from the request, the SOUL.md auto-fetch is
+   * skipped (we trust the existing values), and the submit button
+   * PATCHes /api/onboarding/[id] instead of POSTing /api/onboarding.
+   *
+   * Per-package secrets are deliberately NOT pre-filled, even if the
+   * customer originally supplied them — server-side decryption to
+   * the client would be a security regression. The user re-enters
+   * any secrets they want to change; if they leave them blank, the
+   * existing encrypted blob in the DB is preserved by the PATCH
+   * endpoint.
+   */
+  editingRequest?: {
+    id: string;
+    instanceName: string;
+    agentName: string;
+    soulMd: string;
+    agentsMd: string;
+    packages: string[];
+    billingAddress: {
+      company?: string;
+      street?: string;
+      city?: string;
+      postalCode?: string;
+      country?: string;
+      vatNumber?: string;
+    };
+    billingNotes: string;
+  };
   onComplete: () => void;
 }
 
@@ -71,6 +132,8 @@ export function OnboardingWizard({
   orgName,
   userName,
   userEmail,
+  hasOrgBilling,
+  editingRequest,
   onComplete,
 }: WizardProps) {
   const t = useTranslations("onboarding");
@@ -91,14 +154,46 @@ export function OnboardingWizard({
     orgName,
     isPersonal,
   });
+  const isEditing = Boolean(editingRequest);
+  // STEPS is recomputed from props so toggling hasOrgBilling at the
+  // server level (e.g. between renders if the customer just saved
+  // billing on /settings/billing in another tab) flows through. Cheap.
+  const STEPS = makeSteps({
+    hasOrgBilling: Boolean(hasOrgBilling),
+    isEditing,
+  });
 
-  const [step, setStep] = useState<Step>("welcome");
+  // Edit mode jumps straight to the configure step — the welcome step
+  // is a first-time onboarding affordance and only adds friction when
+  // the customer is fixing a typo.
+  const [step, setStep] = useState<Step>(isEditing ? "configure" : "welcome");
   const [submitting, setSubmitting] = useState(false);
   const [error, setError] = useState("");
   const [advancedOpen, setAdvancedOpen] = useState(false);
-  const [defaultsLoaded, setDefaultsLoaded] = useState(false);
+  // In edit mode we already have soulMd/agentsMd from the request;
+  // skip the workspace-defaults round trip that would overwrite them.
+  const [defaultsLoaded, setDefaultsLoaded] = useState(isEditing);
 
-  const [config, setConfig] = useState({
+  const [config, setConfig] = useState(() => {
+    if (editingRequest) {
+      return {
+        instanceName: editingRequest.instanceName,
+        agentName: editingRequest.agentName,
+        soulMd: editingRequest.soulMd,
+        agentsMd: editingRequest.agentsMd,
+        packages: editingRequest.packages,
+        billingAddress: {
+          company: editingRequest.billingAddress.company ?? "",
+          street: editingRequest.billingAddress.street ?? "",
+          city: editingRequest.billingAddress.city ?? "",
+          postalCode: editingRequest.billingAddress.postalCode ?? "",
+          country: editingRequest.billingAddress.country ?? "CH",
+          vatNumber: editingRequest.billingAddress.vatNumber ?? "",
+        },
+        billingNotes: editingRequest.billingNotes,
+      };
+    }
+    return {
       instanceName: "",
       agentName: "Assistant",
       soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
@@ -113,8 +208,10 @@ export function OnboardingWizard({
         city: "",
         postalCode: "",
         country: "CH",
+        vatNumber: "",
       },
       billingNotes: "",
+    };
   });
 
   // TOOLS.md preview — readonly, auto-generated
@@ -308,11 +405,34 @@ export function OnboardingWizard({
         }
       }
 
-      const res = await fetch("/api/onboarding", {
+      // Bug 6: edit mode targets the per-row endpoint with PATCH;
-        method: "POST",
+      // create mode targets the collection endpoint with POST. Body
+      // shape is the same — both routes parse it through
+      // onboardingSchema.
+      const url = editingRequest
+        ? `/api/onboarding/${encodeURIComponent(editingRequest.id)}`
+        : "/api/onboarding";
+      const method = editingRequest ? "PATCH" : "POST";
+
+      // Bug 35: when the org already has billing on file, the wizard
+      // skipped the billing step and `config.billingAddress` is the
+      // empty default. Strip it from the payload so the API picks up
+      // the existing org_billing record server-side rather than
+      // validating the empty form against billingStepSchema (which
+      // would reject for a company org).
+      const submitConfig = hasOrgBilling
+        ? (() => {
+            const { billingAddress: _bill, billingNotes: _notes, ...rest } =
+              config;
+            return rest;
+          })()
+        : config;
+
+      const res = await fetch(url, {
+        method,
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
-          ...config,
+          ...submitConfig,
           packageSecrets:
             Object.keys(secretsPayload).length > 0
               ? secretsPayload
@@ -842,6 +962,39 @@ export function OnboardingWizard({
               </select>
             </FieldWithError>
 
+            {/* Bug 35: VAT identifier. Required for company customers
+                (B2B). Hidden entirely for personal customers (B2C —
+                private individuals don't have a VAT number); the API
+                enforces the same rule. Editable later via
+                /settings/billing for company customers if their VAT
+                id changes. */}
+            {!isPersonal && (
+              <FieldWithError error={errors["billingAddress.vatNumber"]}>
+                <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                  {t("billingVatNumber")} <RequiredMark />
+                </label>
+                <input
+                  type="text"
+                  value={config.billingAddress.vatNumber ?? ""}
+                  onChange={(e) => {
+                    clearError("billingAddress.vatNumber");
+                    setConfig((prev) => ({
+                      ...prev,
+                      billingAddress: {
+                        ...prev.billingAddress,
+                        vatNumber: e.target.value,
+                      },
+                    }));
+                  }}
+                  placeholder="CHE-123.456.789 MWST"
+                  className={inputClass(errors["billingAddress.vatNumber"])}
+                />
+                <p className="text-xs text-text-muted mt-1">
+                  {t("billingVatHelp")}
+                </p>
+              </FieldWithError>
+            )}
+
             <div>
               <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
                 {t("billingNotes")}
@@ -1017,7 +1170,11 @@ export function OnboardingWizard({
               disabled={submitting}
               className="py-2.5 px-6 bg-accent text-white text-sm font-medium rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
             >
-              {submitting ? tCommon("loading") : t("submitRequest")}
+              {submitting
+                ? tCommon("loading")
+                : isEditing
+                ? t("saveChanges")
+                : t("submitRequest")}
             </button>
           </div>
         </Card>

src/components/settings/billing-settings-form.tsx

@@ -0,0 +1,264 @@
+"use client";
+
+import { useState } from "react";
+import { useRouter } from "next/navigation";
+import { useTranslations } from "next-intl";
+import type { OrgBilling } from "@/types";
+import { Card } from "@/components/ui/card";
+
+interface Props {
+  /** Existing billing record, or null on first edit. */
+  initial: OrgBilling | null;
+  /**
+   * True if the caller is on a personal org. Personal customers
+   * (B2C — private individuals) don't have a company name or VAT
+   * number; the form re-labels the company-name field as "Full name"
+   * and hides VAT.
+   */
+  isPersonal: boolean;
+  /** Default company name for company orgs on first edit. */
+  orgName: string;
+  /** Default full-name for personal orgs on first edit. */
+  userName: string;
+}
+
+/**
+ * Editable billing form. Used by /settings/billing; the wizard's
+ * inline billing step (Bug 35 phase 2) reuses the same shape but is
+ * implemented separately because of its different submit semantics
+ * (one combined wizard submit, vs. this page's standalone PUT).
+ *
+ * The form does NOT do client-side VAT format validation — too many
+ * country variations to get right, and the API will reject empty
+ * VAT for company orgs anyway. The asterisk on the field plus the
+ * server error suffices.
+ */
+export function BillingSettingsForm({
+  initial,
+  isPersonal,
+  orgName,
+  userName,
+}: Props) {
+  const t = useTranslations("settingsBilling");
+  const tCommon = useTranslations("common");
+  const router = useRouter();
+
+  const [companyName, setCompanyName] = useState(
+    initial?.companyName ?? (isPersonal ? userName : orgName)
+  );
+  const [streetAddress, setStreetAddress] = useState(
+    initial?.streetAddress ?? ""
+  );
+  const [postalCode, setPostalCode] = useState(initial?.postalCode ?? "");
+  const [city, setCity] = useState(initial?.city ?? "");
+  const [country, setCountry] = useState(initial?.country ?? "CH");
+  const [vatNumber, setVatNumber] = useState(initial?.vatNumber ?? "");
+  const [billingEmail, setBillingEmail] = useState(initial?.billingEmail ?? "");
+  const [notes, setNotes] = useState(initial?.notes ?? "");
+
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState("");
+  const [success, setSuccess] = useState(false);
+
+  const onSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError("");
+    setSuccess(false);
+    try {
+      const res = await fetch("/api/billing", {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          companyName,
+          streetAddress,
+          postalCode,
+          city,
+          country,
+          vatNumber: vatNumber.trim() || null,
+          billingEmail,
+          notes: notes.trim() || null,
+        }),
+      });
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("saveFailed"));
+      }
+      setSuccess(true);
+      // Refresh server props so the form re-renders with the saved
+      // record's timestamps. Subtle but useful: the "last updated"
+      // line below ticks forward.
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  return (
+    <Card className="animate-in animate-in-delay-1">
+      <form onSubmit={onSubmit} className="space-y-4">
+        {/* Bug 35: this field stores `company_name` in the DB but
+            the label changes by customer type:
+              - Company (B2B): "Company name" — the legal entity.
+              - Personal (B2C): "Full name" — the individual's
+                invoice name (may differ from their session display
+                name; e.g. legal name vs friendly name).
+            Required for both. The DB column is NOT NULL either way. */}
+        <div>
+          <label className="block text-xs uppercase tracking-wider text-text-muted mb-1">
+            {isPersonal ? t("fullName") : t("companyName")}{" "}
+            <span className="text-red-400">*</span>
+          </label>
+          <input
+            type="text"
+            required
+            value={companyName}
+            onChange={(e) => setCompanyName(e.target.value)}
+            className="w-full px-3 py-2 rounded-lg border border-border bg-surface-2 text-text-primary text-sm focus:outline-none focus:border-text-secondary"
+          />
+        </div>
+
+        <div>
+          <label className="block text-xs uppercase tracking-wider text-text-muted mb-1">
+            {t("streetAddress")} <span className="text-red-400">*</span>
+          </label>
+          <input
+            type="text"
+            required
+            value={streetAddress}
+            onChange={(e) => setStreetAddress(e.target.value)}
+            className="w-full px-3 py-2 rounded-lg border border-border bg-surface-2 text-text-primary text-sm focus:outline-none focus:border-text-secondary"
+          />
+        </div>
+
+        <div className="grid grid-cols-1 sm:grid-cols-3 gap-3">
+          <div>
+            <label className="block text-xs uppercase tracking-wider text-text-muted mb-1">
+              {t("postalCode")} <span className="text-red-400">*</span>
+            </label>
+            <input
+              type="text"
+              required
+              value={postalCode}
+              onChange={(e) => setPostalCode(e.target.value)}
+              className="w-full px-3 py-2 rounded-lg border border-border bg-surface-2 text-text-primary text-sm focus:outline-none focus:border-text-secondary"
+            />
+          </div>
+          <div className="sm:col-span-2">
+            <label className="block text-xs uppercase tracking-wider text-text-muted mb-1">
+              {t("city")} <span className="text-red-400">*</span>
+            </label>
+            <input
+              type="text"
+              required
+              value={city}
+              onChange={(e) => setCity(e.target.value)}
+              className="w-full px-3 py-2 rounded-lg border border-border bg-surface-2 text-text-primary text-sm focus:outline-none focus:border-text-secondary"
+            />
+          </div>
+        </div>
+
+        <div>
+          <label className="block text-xs uppercase tracking-wider text-text-muted mb-1">
+            {t("country")} <span className="text-red-400">*</span>
+          </label>
+          <select
+            required
+            value={country}
+            onChange={(e) => setCountry(e.target.value)}
+            className="w-full px-3 py-2 rounded-lg border border-border bg-surface-2 text-text-primary text-sm focus:outline-none focus:border-text-secondary"
+          >
+            <option value="CH">Switzerland</option>
+            <option value="LI">Liechtenstein</option>
+            <option value="DE">Germany</option>
+            <option value="AT">Austria</option>
+            <option value="FR">France</option>
+            <option value="IT">Italy</option>
+          </select>
+        </div>
+
+        {/* Bug 35: VAT visible only for company customers (B2B).
+            Personal customers (B2C — private individuals) don't have
+            a VAT number; the API likewise doesn't require one for
+            them. */}
+        {!isPersonal && (
+          <div>
+            <label className="block text-xs uppercase tracking-wider text-text-muted mb-1">
+              {t("vatNumber")} <span className="text-red-400">*</span>
+            </label>
+            <input
+              type="text"
+              required
+              value={vatNumber}
+              onChange={(e) => setVatNumber(e.target.value)}
+              placeholder="CHE-123.456.789 MWST"
+              className="w-full px-3 py-2 rounded-lg border border-border bg-surface-2 text-text-primary text-sm focus:outline-none focus:border-text-secondary"
+            />
+            <p className="text-xs text-text-muted mt-1">{t("vatHelp")}</p>
+          </div>
+        )}
+
+        <div>
+          <label className="block text-xs uppercase tracking-wider text-text-muted mb-1">
+            {t("billingEmail")} <span className="text-red-400">*</span>
+          </label>
+          <input
+            type="email"
+            required
+            value={billingEmail}
+            onChange={(e) => setBillingEmail(e.target.value)}
+            placeholder="invoices@example.com"
+            className="w-full px-3 py-2 rounded-lg border border-border bg-surface-2 text-text-primary text-sm focus:outline-none focus:border-text-secondary"
+          />
+          <p className="text-xs text-text-muted mt-1">{t("billingEmailHelp")}</p>
+        </div>
+
+        <div>
+          <label className="block text-xs uppercase tracking-wider text-text-muted mb-1">
+            {t("notes")}{" "}
+            <span className="text-text-muted normal-case">
+              ({tCommon("optional")})
+            </span>
+          </label>
+          <textarea
+            value={notes}
+            onChange={(e) => setNotes(e.target.value)}
+            rows={3}
+            className="w-full px-3 py-2 rounded-lg border border-border bg-surface-2 text-text-primary text-sm focus:outline-none focus:border-text-secondary"
+            placeholder={t("notesPlaceholder")}
+          />
+        </div>
+
+        {error && (
+          <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2">
+            {error}
+          </div>
+        )}
+        {success && !error && (
+          <div className="text-xs text-success bg-success/10 border border-success/20 rounded-lg px-3 py-2">
+            {t("saved")}
+          </div>
+        )}
+
+        <div className="flex items-center justify-between gap-3">
+          {initial?.updatedAt && (
+            <div className="text-xs text-text-muted">
+              {t("lastUpdated", {
+                when: new Date(initial.updatedAt).toLocaleString(),
+              })}
+            </div>
+          )}
+          <button
+            type="submit"
+            disabled={submitting}
+            className="ml-auto text-sm font-medium px-4 py-2 rounded-lg bg-accent text-white hover:bg-accent/90 transition-colors disabled:opacity-50"
+          >
+            {submitting ? tCommon("loading") : t("save")}
+          </button>
+        </div>
+      </form>
+    </Card>
+  );
+}

src/components/tenants/subscription-toggle.tsx

@@ -2,48 +2,74 @@
 
 import { useState } from "react";
 import { useRouter } from "next/navigation";
-import { useTranslations } from "next-intl";
+import { useTranslations, useFormatter } from "next-intl";
+import { Modal } from "@/components/ui/modal";
+import { formatRelative } from "@/lib/format";
 
 interface Props {
   tenantName: string;
   /**
-   * Current suspend state — server-derived. The control toggles this
+   * Current suspend state — server-derived. Drives which control the
-   * via PATCH /api/tenants/[name]/suspend, then refreshes the route
+   * customer sees: "Cancel subscription" while active, the
-   * so server-component-side data (status badge, suspended notice)
+   * resume-request flow while suspended.
-   * re-renders.
    */
   suspended: boolean;
+  /**
+   * True when the viewer has platform admin role. Platform users are
+   * the only ones who can directly resume a tenant via PATCH; owners
+   * must go through the resume-request flow. We use this in the
+   * suspended branch to decide whether to render a direct "Resume"
+   * button or the "Request reactivation" workflow.
+   */
+  isPlatform: boolean;
+  /**
+   * If a resume request is currently pending for this tenant, its
+   * id and submitted-at. The component renders an info card with
+   * a cancel-request button instead of the request-reactivation
+   * button. Only meaningful when `suspended === true`.
+   */
+  pendingResumeRequest: { id: string; createdAt: string } | null;
 }
 
 /**
- * SubscriptionToggle — owner-side cancel/resume control (Bug 31).
+ * SubscriptionToggle — owner-side cancel/resume control.
  *
- * Renders a single button that toggles between "Cancel subscription"
+ * Three render states:
- * (when active) and "Resume subscription" (when suspended). Cancellation
+ *   1. Active: "Cancel subscription" button + confirmation modal
- * is gated behind a confirmation modal because it's destructive
+ *      (mentions 60-day retention before permanent deletion).
- * looking from the user's POV — even though no data is lost, the
+ *   2. Suspended, no pending resume request: "Request reactivation"
- * AI assistant becomes unavailable until they resume. Resume has no
+ *      button + simple confirmation modal explaining admin review.
- * modal; it's a strict subset of cancellation in terms of risk.
+ *   3. Suspended, pending resume request: status card "Reactivation
+ *      requested X days ago" + "Cancel request" button.
  *
- * The control intentionally lives at the bottom of the tenant detail
+ * Platform admins viewing a suspended tenant get a fourth state in
- * page rather than next to the status badge — putting it near the
+ * place of #2/#3: a direct "Resume now" button (no admin queue, no
- * top would invite mis-clicks. Customers who want to cancel scroll
+ * request flow). This is the admin escape hatch.
- * past the running configuration, billing-relevant info, and assigned
- * users first; that's the right friction level.
  *
- * Suspended tenants render a top-of-page banner separately (see the
+ * The control intentionally lives at the bottom of the tenant
- * detail page); this component focuses on the action itself.
+ * detail page rather than near the top — putting it next to the
+ * status badge would invite mis-clicks.
  */
-export function SubscriptionToggle({ tenantName, suspended }: Props) {
+export function SubscriptionToggle({
+  tenantName,
+  suspended,
+  isPlatform,
+  pendingResumeRequest,
+}: Props) {
   const t = useTranslations("tenantDetail");
   const tCommon = useTranslations("common");
+  const f = useFormatter();
   const router = useRouter();
 
-  const [confirmOpen, setConfirmOpen] = useState(false);
+  const [confirmCancelOpen, setConfirmCancelOpen] = useState(false);
+  const [confirmResumeOpen, setConfirmResumeOpen] = useState(false);
   const [submitting, setSubmitting] = useState(false);
   const [error, setError] = useState("");
 
-  const toggleSuspend = async (next: boolean) => {
+  // Customer-side cancel: PATCH suspend=true. Same path as before.
+  // The 60-day retention copy in the modal is the new bit (Bug 37b);
+  // mechanics are unchanged.
+  const cancel = async () => {
     setSubmitting(true);
     setError("");
     try {
@@ -52,18 +78,14 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
         {
           method: "PATCH",
           headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ suspend: next }),
+          body: JSON.stringify({ suspend: true }),
         }
       );
       if (!res.ok) {
         const data = await res.json().catch(() => ({}));
         throw new Error(data.error || t("subscriptionUpdateFailed"));
       }
-      setConfirmOpen(false);
+      setConfirmCancelOpen(false);
-      // The status badge + suspended banner are server-rendered, so
-      // a route refresh is the simplest way to reflect the new state.
-      // Optimistic local toggle would diverge from the actual CR if
-      // the operator hasn't observed the patch yet.
       router.refresh();
     } catch (e: any) {
       setError(e.message);
@@ -72,56 +94,164 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
     }
   };
 
+  // Owner-side resume request: POST a 'resume' tenant_request that
+  // sits pending until admin acts. Different from cancel: no PATCH
+  // on the CR — that happens only when admin approves.
+  const requestResume = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/resume-request`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      setConfirmResumeOpen(false);
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Customer cancels their own pending resume request.
+  const cancelResumeRequest = async () => {
+    if (!pendingResumeRequest) return;
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${pendingResumeRequest.id}`,
+        { method: "DELETE" }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Platform admin: direct resume, bypassing the request flow.
+  const adminResume = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/suspend`,
+        {
+          method: "PATCH",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ suspend: false }),
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // ─── Suspended branch ───────────────────────────────────────────────
+
   if (suspended) {
+    // Platform admin sees direct resume. Independent of pending
+    // resume — admin can always resume immediately.
+    if (isPlatform) {
       return (
         <div>
           <button
             type="button"
-          onClick={() => toggleSuspend(false)}
+            onClick={adminResume}
             disabled={submitting}
             className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
           >
-          {submitting ? tCommon("loading") : t("resumeSubscription")}
+            {submitting
+              ? tCommon("loading")
+              : t("resumeSubscription")}
           </button>
+          {pendingResumeRequest && (
+            <p className="text-xs text-text-muted mt-2">
+              {t("resumeRequestPendingNoteAdmin")}
+            </p>
+          )}
           {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
         </div>
       );
     }
 
+    // Owner with pending resume request: render the request status
+    // card with cancel.
+    if (pendingResumeRequest) {
+      return (
+        <div>
+          <div className="rounded-xl border border-amber-500/30 bg-amber-500/5 px-4 py-3">
+            <div className="text-sm font-medium text-amber-400 mb-1">
+              {t("resumeRequestPendingTitle")}
+            </div>
+            <div className="text-xs text-text-secondary">
+              {t("resumeRequestPendingDescription", {
+                when: formatRelative(pendingResumeRequest.createdAt, f),
+              })}
+            </div>
+            <button
+              type="button"
+              onClick={cancelResumeRequest}
+              disabled={submitting}
+              className="mt-3 text-xs px-3 py-1.5 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors disabled:opacity-50"
+            >
+              {submitting
+                ? tCommon("loading")
+                : t("cancelResumeRequest")}
+            </button>
+          </div>
+          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        </div>
+      );
+    }
+
+    // Owner with no pending request: offer to create one.
     return (
       <div>
         <button
           type="button"
-        onClick={() => setConfirmOpen(true)}
+          onClick={() => setConfirmResumeOpen(true)}
-        className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors"
         >
-        {t("cancelSubscription")}
+          {t("requestReactivation")}
         </button>
-      {error && !confirmOpen && (
+        {error && !confirmResumeOpen && (
           <p className="text-xs text-red-400 mt-2">{error}</p>
         )}
 
-      {confirmOpen && (
+        {confirmResumeOpen && (
-        <div
+          <Modal
-          role="dialog"
+            open={confirmResumeOpen}
-          aria-modal="true"
+            onClose={() => setConfirmResumeOpen(false)}
-          className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
+            ariaLabel={t("requestReactivationConfirmTitle")}
-          onClick={(e) => {
-            if (e.target === e.currentTarget) setConfirmOpen(false);
-          }}
           >
-          <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full">
             <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
-              {t("cancelConfirmTitle")}
+              {t("requestReactivationConfirmTitle")}
             </h3>
-            <p className="text-sm text-text-secondary mb-3">
+            <p className="text-sm text-text-secondary mb-5">
-              {t("cancelConfirmDescription")}
+              {t("requestReactivationConfirmDescription")}
             </p>
-            <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-5">
-              <li>{t("cancelConfirmBullet1")}</li>
-              <li>{t("cancelConfirmBullet2")}</li>
-              <li>{t("cancelConfirmBullet3")}</li>
-            </ul>
 
             {error && (
               <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
@@ -132,7 +262,7 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
             <div className="flex justify-end gap-2">
               <button
                 type="button"
-                onClick={() => setConfirmOpen(false)}
+                onClick={() => setConfirmResumeOpen(false)}
                 disabled={submitting}
                 className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
               >
@@ -140,7 +270,78 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
               </button>
               <button
                 type="button"
-                onClick={() => toggleSuspend(true)}
+                onClick={requestResume}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg bg-success text-white hover:bg-success/90 transition-colors disabled:opacity-50"
+              >
+                {submitting
+                  ? tCommon("loading")
+                  : t("requestReactivationConfirm")}
+              </button>
+            </div>
+          </Modal>
+        )}
+      </div>
+    );
+  }
+
+  // ─── Active branch ──────────────────────────────────────────────────
+
+  return (
+    <div>
+      <button
+        type="button"
+        onClick={() => setConfirmCancelOpen(true)}
+        className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+      >
+        {t("cancelSubscription")}
+      </button>
+      {error && !confirmCancelOpen && (
+        <p className="text-xs text-red-400 mt-2">{error}</p>
+      )}
+
+      {confirmCancelOpen && (
+        <Modal
+          open={confirmCancelOpen}
+          onClose={() => setConfirmCancelOpen(false)}
+          ariaLabel={t("cancelConfirmTitle")}
+        >
+          <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+            {t("cancelConfirmTitle")}
+          </h3>
+          <p className="text-sm text-text-secondary mb-3">
+            {t("cancelConfirmDescription")}
+          </p>
+          <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-3">
+            <li>{t("cancelConfirmBullet1")}</li>
+            <li>{t("cancelConfirmBullet2")}</li>
+            <li>{t("cancelConfirmBullet3")}</li>
+          </ul>
+          {/* Bug 37b: 60-day retention warning. Distinct paragraph so it
+              reads as a separate, more serious commitment than the
+              regular bullets above. */}
+          <div className="text-xs text-amber-400 bg-amber-400/10 border border-amber-400/20 rounded-lg px-3 py-2 mb-5">
+            {t("cancelConfirmRetentionWarning")}
+          </div>
+
+          {error && (
+            <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
+              {error}
+            </div>
+          )}
+
+          <div className="flex justify-end gap-2">
+            <button
+              type="button"
+              onClick={() => setConfirmCancelOpen(false)}
+              disabled={submitting}
+              className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+            >
+              {tCommon("cancel")}
+            </button>
+            <button
+              type="button"
+              onClick={cancel}
               disabled={submitting}
               className="text-sm px-4 py-2 rounded-lg bg-amber-500 text-white hover:bg-amber-600 transition-colors disabled:opacity-50"
             >
@@ -149,8 +350,7 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
                 : t("cancelSubscriptionConfirm")}
             </button>
           </div>
-          </div>
+        </Modal>
-        </div>
       )}
     </div>
   );

src/components/ui/modal.tsx

@@ -0,0 +1,89 @@
+"use client";
+
+import { useEffect, useRef } from "react";
+import { createPortal } from "react-dom";
+
+interface Props {
+  open: boolean;
+  /** Called when user clicks the backdrop or presses Escape. */
+  onClose: () => void;
+  children: React.ReactNode;
+  /**
+   * ARIA label fallback when no labelled element exists inside.
+   * Optional; if you have a heading inside the modal with id, set
+   * `aria-labelledby` on a wrapper instead.
+   */
+  ariaLabel?: string;
+}
+
+/**
+ * Portal-based modal.
+ *
+ * Why a portal
+ * ------------
+ * `position: fixed` becomes positioned relative to a transformed
+ * ancestor's containing block, not the viewport, when ANY ancestor
+ * has a `transform`, `perspective`, or `filter` applied. Our
+ * `animate-in` utility sets `transform: translateY(0)` on a lot of
+ * dashboard/tenant-detail containers (because of the fade-up
+ * animation, which uses `animation-fill-mode: both` to keep the
+ * transform on after the animation finishes). That broke modals
+ * rendered as in-place children — they centred to the panel they
+ * lived in, not to the page.
+ *
+ * Rendering at `document.body` via `createPortal` escapes every
+ * containing-block ancestor and gives us true viewport coordinates.
+ *
+ * UX details
+ * ----------
+ * - Backdrop click triggers `onClose`. (Bubbling check: only fires
+ *   when the click target IS the backdrop, not the panel inside.)
+ * - Escape key triggers `onClose`. Standard modal expectation.
+ * - `body` overflow is locked while open so background content
+ *   doesn't scroll behind the modal.
+ * - Renders nothing on first paint server-side, then mounts on
+ *   client. `useEffect` gating ensures `document.body` is available;
+ *   without it Next.js SSR would throw on `document` reference.
+ */
+export function Modal({ open, onClose, children, ariaLabel }: Props) {
+  const closeRef = useRef(onClose);
+  closeRef.current = onClose;
+
+  useEffect(() => {
+    if (!open) return;
+
+    // Lock background scroll. Restore on unmount/close.
+    const previousOverflow = document.body.style.overflow;
+    document.body.style.overflow = "hidden";
+
+    const onKey = (e: KeyboardEvent) => {
+      if (e.key === "Escape") closeRef.current();
+    };
+    window.addEventListener("keydown", onKey);
+
+    return () => {
+      document.body.style.overflow = previousOverflow;
+      window.removeEventListener("keydown", onKey);
+    };
+  }, [open]);
+
+  if (!open) return null;
+  if (typeof document === "undefined") return null;
+
+  return createPortal(
+    <div
+      role="dialog"
+      aria-modal="true"
+      aria-label={ariaLabel}
+      className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
+      onClick={(e) => {
+        if (e.target === e.currentTarget) onClose();
+      }}
+    >
+      <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full max-h-[90vh] overflow-y-auto">
+        {children}
+      </div>
+    </div>,
+    document.body
+  );
+}

src/components/ui/status-badge.tsx

@@ -15,6 +15,11 @@ const phaseStyles: Record<string, string> = {
   Running: "bg-success/10 text-success border-success/20",
   Ready: "bg-success/10 text-success border-success/20",
   Provisioning: "bg-warning/10 text-warning border-warning/20",
+  // Reconfiguring shares the warning palette (yellow pulse) but renders
+  // a distinct label, so customers see it differently from first-time
+  // provisioning. Useful when packages or channel-users change and the
+  // pod restarts mid-life.
+  Reconfiguring: "bg-warning/10 text-warning border-warning/20",
   Pending: "bg-text-muted/10 text-text-secondary border-border",
   Suspended: "bg-amber-500/10 text-amber-400 border-amber-500/30",
   Error: "bg-error/10 text-error border-error/20",
@@ -44,6 +49,9 @@ export function StatusBadge({ phase }: { phase: string }) {
       {phase === "Provisioning" && (
         <span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
       )}
+      {phase === "Reconfiguring" && (
+        <span className="status-pulse h-1.5 w-1.5 rounded-full bg-warning" />
+      )}
       {label}
     </span>
   );

src/components/ui/warning-badge.tsx

@@ -0,0 +1,118 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+
+/**
+ * Tenant warning shape received from the operator's status.warnings.
+ * Mirror of the operator's `TenantWarning` type. See
+ * pieced-operator/api/v1alpha1/piecedtenant_types.go.
+ */
+export interface TenantWarning {
+  source: string;
+  reason?: string;
+  message?: string;
+  since?: string;
+}
+
+interface Props {
+  warnings: TenantWarning[];
+}
+
+/**
+ * Renders a small amber warning badge if there are any non-fatal
+ * warnings on the tenant. The badge sits visually next to the phase
+ * StatusBadge — they're separate concepts (phase = lifecycle, warnings
+ * = observed sub-issues) and may both be present at once (e.g. tenant
+ * is `Ready` but has a SkillPacksReady=False warning).
+ *
+ * Hover/focus reveals the warning detail. We don't truncate the message
+ * inside the tooltip; OCI/CRD condition messages tend to be short and
+ * include the actionable detail (which skill, which secret, which
+ * resolver). If a future warning source has a 5-line stacktrace as a
+ * message we'll need a different treatment; cross that bridge then.
+ *
+ * Returns null when there are no warnings — keep render-call sites
+ * simple, they don't have to gate on length themselves.
+ */
+export function WarningBadge({ warnings }: Props) {
+  const t = useTranslations("warnings");
+  if (!warnings || warnings.length === 0) return null;
+
+  const tooltipLabel = (() => {
+    try {
+      return warnings.length === 1
+        ? t("oneTooltip")
+        : t("manyTooltip", { count: warnings.length });
+    } catch {
+      return warnings.length === 1
+        ? "1 warning"
+        : `${warnings.length} warnings`;
+    }
+  })();
+
+  return (
+    <span className="relative group inline-flex">
+      <button
+        type="button"
+        // Button is non-actionable in itself — it exists purely to get
+        // keyboard focus for screen readers and keyboard users, so the
+        // tooltip isn't pointer-only. `aria-label` carries the summary;
+        // the full content is in the tooltip below for sighted users.
+        aria-label={tooltipLabel}
+        className="inline-flex items-center gap-1 rounded-full border border-amber-500/30 bg-amber-500/10 px-2 py-0.5 text-xs font-medium text-amber-400 hover:bg-amber-500/20 focus:outline-none focus:ring-1 focus:ring-amber-400 cursor-help"
+        // No onClick — this is informational, not actionable. Pure
+        // hover/focus widget. tabIndex defaults to 0 for buttons.
+      >
+        <svg
+          viewBox="0 0 24 24"
+          width={12}
+          height={12}
+          fill="none"
+          stroke="currentColor"
+          strokeWidth={2}
+          strokeLinecap="round"
+          strokeLinejoin="round"
+          aria-hidden="true"
+        >
+          <path d="M12 9v4" />
+          <path d="M12 17h.01" />
+          <path d="M10.29 3.86 1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0Z" />
+        </svg>
+        <span>{warnings.length}</span>
+      </button>
+
+      {/*
+        Tooltip. Hidden by default; shown on hover OR focus of the
+        sibling button. Positioned below-right so it doesn't collide with
+        the StatusBadge that typically sits left of this. Constrained
+        width so long messages wrap.
+        z-50 keeps it above table rows / cards.
+      */}
+      <div
+        role="tooltip"
+        className="invisible group-hover:visible group-focus-within:visible absolute left-0 top-full mt-1 z-50 w-72 rounded-lg border border-border bg-surface-1 p-3 shadow-lg text-left"
+      >
+        <div className="text-[10px] uppercase tracking-wider text-text-muted mb-2">
+          {tooltipLabel}
+        </div>
+        <ul className="space-y-2">
+          {warnings.map((w, i) => (
+            <li key={i} className="text-xs">
+              <div className="font-mono text-amber-400 break-all">
+                {w.source}
+              </div>
+              {w.reason && (
+                <div className="text-text-secondary">{w.reason}</div>
+              )}
+              {w.message && (
+                <div className="text-text-secondary mt-0.5 break-words">
+                  {w.message}
+                </div>
+              )}
+            </li>
+          ))}
+        </ul>
+      </div>
+    </span>
+  );
+}

src/lib/db.ts

@@ -1,5 +1,5 @@
 import { Pool } from "pg";
-import type { TenantRequest, TenantRequestStatus } from "@/types";
+import type { BillingAddress, OrgBilling, TenantRequest, TenantRequestStatus } from "@/types";
 import { listTenants, getTenant } from "./k8s";
 
 // ---------------------------------------------------------------------------
@@ -63,15 +63,61 @@ const MIGRATION_SQL = `
   CREATE INDEX IF NOT EXISTS idx_tenant_requests_status ON tenant_requests(status);
   CREATE INDEX IF NOT EXISTS idx_tenant_requests_org_id ON tenant_requests(zitadel_org_id);
   CREATE INDEX IF NOT EXISTS idx_tenant_requests_org_status ON tenant_requests(zitadel_org_id, status);
-  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_tenant_name
+  -- Note: the unique constraint on tenant_name is NOT created here.
-    ON tenant_requests(tenant_name)
+  -- Pre-Bug-37 we had a non-partial UNIQUE on tenant_name, which is
-    WHERE tenant_name IS NOT NULL;
+  -- incompatible with resume requests (same tenant_name, different
+  -- request_type). The new partial unique indexes are created
+  -- further down in the migration block, after the request_type
+  -- column has been added and backfilled. This bootstrap section
+  -- only creates indexes that are safe regardless of request_type
+  -- semantics.
 
   -- Idempotent column adds for existing databases
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS encrypted_secrets BYTEA;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS agents_md TEXT;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS instance_name TEXT;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS is_personal BOOLEAN NOT NULL DEFAULT FALSE;
+  -- Bug 13: customer-side dismissal of rejected requests. NULL means "still
+  -- visible on the dashboard"; non-null means "customer clicked Dismiss".
+  -- Pending/approved/active rows keep this NULL by definition — the field
+  -- is only meaningful for rejected and cancelled rows.
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ;
+
+  -- Bug 37a: resume requests use the same table as provision requests so
+  -- the customer dashboard and admin queue share rendering. Discriminator
+  -- is request_type. Default 'provision' on backfill keeps existing rows
+  -- working without explicit migration.
+  --
+  -- Resume rows have:
+  --   request_type     = 'resume'
+  --   tenant_name      = the existing tenant being requested for reactivation
+  --   zitadel_org_id   = the org owning that tenant
+  --   zitadel_user_id  = the requesting customer
+  --   status           = pending → approved/rejected (or cancelled by customer)
+  --   most provision-only fields (packages, billing_address, etc.) are NULL
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS request_type TEXT NOT NULL DEFAULT 'provision';
+  -- Constrain to the known set so a future code change can't accidentally
+  -- write a third type without first widening this constraint.
+  DO $$ BEGIN
+    ALTER TABLE tenant_requests ADD CONSTRAINT tenant_requests_request_type_check
+      CHECK (request_type IN ('provision', 'resume'));
+  EXCEPTION WHEN duplicate_object THEN NULL;
+  END $$;
+
+  -- Tenant_name uniqueness was originally meant for "one tenant CR per
+  -- approved provision request". Resume requests reuse a tenant_name,
+  -- so the uniqueness must now be scoped to provision rows only.
+  DROP INDEX IF EXISTS uniq_tenant_requests_tenant_name;
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_tenant_name_provision
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL AND request_type = 'provision';
+
+  -- Only one pending resume request per tenant at a time. Otherwise a
+  -- customer could spam-create resume requests (the admin queue would
+  -- bloat) or two admins might race on approving duplicates.
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_pending_resume
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL AND request_type = 'resume' AND status = 'pending';
 
   -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
   ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
@@ -115,6 +161,35 @@ const MIGRATION_SQL = `
   );
   CREATE INDEX IF NOT EXISTS idx_tua_user ON tenant_user_assignments(zitadel_user_id);
   CREATE INDEX IF NOT EXISTS idx_tua_org  ON tenant_user_assignments(zitadel_org_id);
+
+  -- Bug 35: org-scoped billing. One row per ZITADEL org; captured by
+  -- the first tenant request inline, editable afterwards via
+  -- /settings/billing. Subsequent tenant requests in the same org read
+  -- this and skip the billing step entirely.
+  --
+  -- vat_number is nullable: required at write time for company orgs
+  -- (enforced by the API, not the schema, because "company-or-personal"
+  -- isn't expressible as a column constraint). Notes is free-form
+  -- accounting context — VAT exemption reasons, special invoicing
+  -- arrangements, etc.
+  --
+  -- We do NOT migrate data from tenant_requests.billing_address into
+  -- this table automatically. Existing customers re-enter on next
+  -- tenant or via settings — the data set is small (single-digit
+  -- customers in pilot) and re-entering is the simplest path.
+  CREATE TABLE IF NOT EXISTS org_billing (
+    zitadel_org_id   TEXT PRIMARY KEY,
+    company_name     TEXT NOT NULL,
+    street_address   TEXT NOT NULL,
+    postal_code      TEXT NOT NULL,
+    city             TEXT NOT NULL,
+    country          TEXT NOT NULL,
+    vat_number       TEXT,
+    billing_email    TEXT NOT NULL,
+    notes            TEXT,
+    created_at       TIMESTAMPTZ NOT NULL DEFAULT now(),
+    updated_at       TIMESTAMPTZ NOT NULL DEFAULT now()
+  );
 `;
 
 let migrated = false;
@@ -250,10 +325,21 @@ export async function listTenantRequestsByOrgId(
 }
 
 /**
- * As {@link listTenantRequestsByOrgId} but excludes terminal-failed states
+ * As {@link listTenantRequestsByOrgId} but tuned for the customer's
- * (rejected, deleted). Useful for the dashboard which wants to show
+ * dashboard view.
- * pending/approved/provisioning/active tenants and pending requests, not
+ *
- * historical rejections.
+ * Returns:
+ *   - All non-terminal rows (pending, approved, provisioning, active),
+ *     because the customer needs to see what's in flight.
+ *   - Terminal-failed rows (rejected, cancelled) that the customer
+ *     hasn't dismissed yet (Bug 13). Without this, a rejection that
+ *     happens while the customer isn't online would only be
+ *     communicated by email — easy to miss.
+ *
+ * Excludes:
+ *   - `deleted` rows (admin tore down the tenant — historical, not
+ *     actionable).
+ *   - Dismissed rejected/cancelled rows.
  */
 export async function listActiveTenantRequestsByOrgId(
   orgId: string
@@ -262,7 +348,8 @@ export async function listActiveTenantRequestsByOrgId(
   const result = await getPool().query<TenantRequest>(
     `SELECT * FROM tenant_requests
        WHERE zitadel_org_id = $1
-         AND status NOT IN ('deleted', 'rejected')
+         AND status <> 'deleted'
+         AND (status NOT IN ('rejected', 'cancelled') OR dismissed_at IS NULL)
        ORDER BY created_at DESC`,
     [orgId]
   );
@@ -354,6 +441,201 @@ export async function clearEncryptedSecrets(requestId: string): Promise<void> {
   );
 }
 
+/**
+ * Set dismissed_at = now() on a request row. Used when a customer
+ * clicks "Dismiss" on a rejected/cancelled card on their dashboard
+ * (Bug 13). The row stays in the database for history/audit but
+ * stops appearing in `listActiveTenantRequestsByOrgId`.
+ *
+ * Idempotent: dismissing an already-dismissed row is a no-op.
+ * Caller is responsible for verifying the row belongs to the user's
+ * org before calling.
+ */
+/**
+ * Create a resume request (Bug 37a). Used when an owner of a suspended
+ * tenant wants to reactivate it. Resume is admin-gated — the request
+ * sits as `pending` until a platform admin approves or rejects it.
+ *
+ * Tenant-name uniqueness is enforced for `pending` resume rows by a
+ * partial unique index, so a customer can't spam the queue with
+ * duplicate resume requests for the same tenant. The DB throws a
+ * unique-violation if they try; callers should catch that and translate
+ * to a 409.
+ *
+ * Why this lives in tenant_requests instead of a separate table:
+ *   - the lifecycle is identical (pending → approved/rejected, plus
+ *     customer-side cancel and dismiss-after-terminal)
+ *   - the customer dashboard renders pending+resume cards from the
+ *     same `listActiveTenantRequestsByOrgId` query — adding a separate
+ *     table would mean two queries and union-merging in the UI
+ *   - the admin queue likewise treats them uniformly
+ * The cost is a discriminator column (`request_type`) and most
+ * provision-only fields being null on resume rows. That's a tradeoff
+ * I think is worth it.
+ */
+export async function createResumeRequest(params: {
+  tenantName: string;
+  zitadelOrgId: string;
+  zitadelUserId: string;
+  contactName: string;
+  contactEmail: string;
+  // Provision-only fields default sensibly. company_name + agent_name
+  // are NOT NULL in the original schema; we copy them from the existing
+  // tenant request for traceability rather than storing dummy values.
+  companyName: string;
+  agentName: string;
+}): Promise<TenantRequest> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `INSERT INTO tenant_requests (
+        zitadel_org_id, zitadel_user_id, company_name,
+        contact_name, contact_email, agent_name,
+        tenant_name, request_type, status
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, 'resume', 'pending')
+     RETURNING *`,
+    [
+      params.zitadelOrgId,
+      params.zitadelUserId,
+      params.companyName,
+      params.contactName,
+      params.contactEmail,
+      params.agentName,
+      params.tenantName,
+    ]
+  );
+  return mapRow(result.rows[0]);
+}
+
+/**
+ * Get the most recent provision request for a tenant_name. Used by
+ * Bug 37a's resume-request creation to populate company_name and
+ * agent_name (NOT NULL columns) from the original provision row
+ * rather than make up values.
+ *
+ * Returns null when no such row exists — should be impossible in
+ * normal flow (resume requests are only created for already-existing
+ * tenants whose CR was created via approving a provision request),
+ * but the caller should guard against it for safety.
+ */
+export async function getTenantRequestByTenantName(
+  tenantName: string
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `SELECT * FROM tenant_requests
+      WHERE tenant_name = $1
+        AND request_type = 'provision'
+      ORDER BY created_at DESC
+      LIMIT 1`,
+    [tenantName]
+  );
+  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
+}
+
+/**
+ * Return the in-flight (pending) resume request for a given tenant, if
+ * any. Used both to gate the customer's "Request reactivation" button
+ * (don't allow a second when one's already pending) and by the admin
+ * UI to navigate from the tenant detail page to the awaiting request.
+ *
+ * Returns null when no pending resume exists. Approved/rejected rows
+ * are never returned — they're terminal.
+ */
+export async function getPendingResumeRequestForTenant(
+  tenantName: string
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `SELECT * FROM tenant_requests
+      WHERE tenant_name = $1
+        AND request_type = 'resume'
+        AND status = 'pending'
+      LIMIT 1`,
+    [tenantName]
+  );
+  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
+}
+
+export async function dismissTenantRequest(id: string): Promise<void> {
+  await ensureSchema();
+  await getPool().query(
+    `UPDATE tenant_requests
+       SET dismissed_at = COALESCE(dismissed_at, now()),
+           updated_at = now()
+     WHERE id = $1`,
+    [id]
+  );
+}
+
+/**
+ * Update editable fields of a still-pending tenant request. Bug 6 — a
+ * customer who notices a typo or wants to add a package after submitting
+ * the wizard should be able to fix it without admin involvement.
+ *
+ * Only the customer-input fields are updateable. `status`, `tenant_name`,
+ * `admin_notes`, `encrypted_secrets`, `is_personal`, `zitadel_*` and
+ * timestamps are managed elsewhere and intentionally not here.
+ *
+ * The caller is responsible for:
+ *   - verifying the row belongs to the user's org
+ *   - verifying status === 'pending' (editing approved/provisioning rows
+ *     would race against the operator)
+ *
+ * Returns the updated row, or null if the id didn't match anything.
+ */
+export async function updateTenantRequestEditableFields(
+  id: string,
+  fields: {
+    instanceName?: string | null;
+    agentName?: string;
+    soulMd?: string;
+    agentsMd?: string | null;
+    packages?: string[];
+    billingAddress?: BillingAddress;
+    billingNotes?: string;
+    encryptedSecrets?: Buffer | null;
+  }
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+
+  const sets: string[] = ["updated_at = now()"];
+  const values: any[] = [id];
+  let idx = 2;
+
+  // Map JS field names to SQL columns. Each entry is gated on
+  // `!== undefined` so passing only some fields just updates those.
+  const colMap: Array<[keyof typeof fields, string]> = [
+    ["instanceName", "instance_name"],
+    ["agentName", "agent_name"],
+    ["soulMd", "soul_md"],
+    ["agentsMd", "agents_md"],
+    ["packages", "packages"],
+    ["billingAddress", "billing_address"],
+    ["billingNotes", "billing_notes"],
+    ["encryptedSecrets", "encrypted_secrets"],
+  ];
+  for (const [jsField, sqlCol] of colMap) {
+    const v = fields[jsField];
+    if (v === undefined) continue;
+    sets.push(`${sqlCol} = $${idx}`);
+    values.push(v);
+    idx++;
+  }
+
+  if (sets.length === 1) {
+    // No editable fields supplied — return the row unchanged rather
+    // than running a useless UPDATE that just bumps updated_at.
+    const cur = await getTenantRequestById(id);
+    return cur;
+  }
+
+  const result = await getPool().query<TenantRequest>(
+    `UPDATE tenant_requests SET ${sets.join(", ")} WHERE id = $1 RETURNING *`,
+    values
+  );
+  return result.rows[0] ? mapRow(result.rows[0]) : null;
+}
+
 /**
  * Wrapper around domain-check.ts that injects the portal's connection pool.
  * Kept here so route handlers don't need direct access to the pool.
@@ -391,8 +673,33 @@ export async function deleteTenantRequest(id: string): Promise<void> {
 }
 
 /**
- * Sync provisioning statuses: for all requests with status "provisioning",
+ * Reconcile the portal's tenant_requests table against actual cluster
- * check if the PiecedTenant CR has reached "Ready" and update to "active".
+ * state. Three passes, walking only rows with `tenant_name` set:
+ *
+ *   1. provisioning → active: when a tenant CR's phase reaches Ready
+ *      or Running, the portal flips the row to active so the
+ *      "provisioning…" card transitions into the running tenant view.
+ *
+ *   2. active/provisioning → deleted: when the corresponding CR no
+ *      longer exists in the cluster (404), or is mid-deletion (has
+ *      metadata.deletionTimestamp set), the row gets flipped to
+ *      `deleted`. The DB is otherwise blind to operator-initiated
+ *      deletions — when the 60-day TTL fires (Bug 37b) and the
+ *      operator deletes a suspended tenant, the portal would happily
+ *      keep showing the "Your assistant is ready!" card forever.
+ *      Without this reconciliation the dashboard drifts from reality.
+ *
+ *   3. pending resume → cancelled: when a pending resume request's
+ *      tenant is no longer suspended (admin resumed it directly,
+ *      tenant was deleted, or it was never suspended in the first
+ *      place), the request is moot. Flip to 'cancelled' so the
+ *      pending-resume unique index releases for any future genuine
+ *      resume request. We pick `cancelled` over `rejected` because
+ *      the customer didn't do anything wrong — circumstances just
+ *      changed.
+ *
+ * Errors are tolerated per-row: a transient API hiccup on one tenant
+ * shouldn't fail the whole sweep. Skipped rows get retried next call.
  *
  * Slice 3 note: with multi-tenant per org, this iterates each row
  * individually (keyed by its own tenant_name), so multiple in-flight
@@ -400,25 +707,79 @@ export async function deleteTenantRequest(id: string): Promise<void> {
  */
 export async function syncProvisioningStatuses(): Promise<void> {
   await ensureSchema();
+  // Active+provisioning rows: status reflects "the tenant should
+  // exist and be running".
+  // Pending resume rows: status reflects "the tenant is suspended,
+  // awaiting reactivation".
+  // Both need cluster-side validation; we fetch them in one query
+  // and dispatch on (status, request_type).
   const result = await getPool().query<TenantRequest>(
-    "SELECT * FROM tenant_requests WHERE status = 'provisioning'"
+    `SELECT * FROM tenant_requests
+       WHERE tenant_name IS NOT NULL
+         AND (
+           status IN ('provisioning', 'active')
+           OR (status = 'pending' AND request_type = 'resume')
+         )`
   );
 
   for (const row of result.rows) {
     const mapped = mapRow(row);
     if (!mapped.tenantName) continue;
 
+    let tenant: Awaited<ReturnType<typeof getTenant>> = null;
     try {
-      const tenant = await getTenant(mapped.tenantName);
+      tenant = await getTenant(mapped.tenantName);
+    } catch {
+      // Transient API error — skip this row, retry on next sweep.
+      continue;
+    }
+
+    // Pending resume request: validity hinges on tenant being suspended.
     if (
-        tenant?.status?.phase === "Ready" ||
+      mapped.status === "pending" &&
-        tenant?.status?.phase === "Running"
+      mapped.requestType === "resume"
+    ) {
+      // Tenant doesn't exist or is being deleted: cancel the resume
+      // request (it can never be fulfilled). Don't fall through to
+      // the "deleted" branch below — that would also flip the
+      // provision row, which is the right thing for a CR-level
+      // deletion but we want this resume row specifically resolved
+      // here.
+      if (!tenant || tenant.metadata.deletionTimestamp) {
+        await updateTenantRequestStatus(mapped.id, "cancelled");
+        continue;
+      }
+      // Tenant is no longer suspended: the request is moot.
+      // Cancel it (the customer didn't do anything wrong; the
+      // condition the request was about no longer applies).
+      if (!tenant.spec.suspend) {
+        await updateTenantRequestStatus(mapped.id, "cancelled");
+        continue;
+      }
+      // Tenant still suspended, request still relevant. Leave as-is.
+      continue;
+    }
+
+    // Active or provisioning row: CR gone, or mid-deletion. Flip the
+    // row to 'deleted'. `markTenantRequestDeletedByTenantName` flips
+    // every row with this tenant_name (provision + any resume rows),
+    // which is the right thing for a CR-level deletion.
+    if (!tenant || tenant.metadata.deletionTimestamp) {
+      await markTenantRequestDeletedByTenantName(mapped.tenantName);
+      continue;
+    }
+
+    // CR exists and is healthy. Promote provisioning → active when
+    // the operator reports the tenant has reached steady state.
+    // Keep `active` rows on `active` regardless of phase — a
+    // temporarily-Reconfiguring tenant is still active from the
+    // portal's billing/visibility perspective.
+    if (
+      mapped.status === "provisioning" &&
+      (tenant.status?.phase === "Ready" || tenant.status?.phase === "Running")
     ) {
       await updateTenantRequestStatus(mapped.id, "active");
     }
-    } catch {
-      // Tenant might not exist yet — skip
-    }
   }
 }
 
@@ -446,11 +807,98 @@ function mapRow(row: any): TenantRequest {
     tenantName: row.tenant_name,
     encryptedSecrets: row.encrypted_secrets ?? null,
     isPersonal: row.is_personal ?? false,
+    dismissedAt:
+      row.dismissed_at?.toISOString?.() ?? row.dismissed_at ?? null,
+    requestType: (row.request_type ?? "provision") as
+      | "provision"
+      | "resume",
     createdAt: row.created_at?.toISOString?.() ?? row.created_at,
     updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
   };
 }
 
+// ---------------------------------------------------------------------------
+// Bug 35: org-scoped billing
+// ---------------------------------------------------------------------------
+
+function rowToOrgBilling(row: any): OrgBilling {
+  return {
+    zitadelOrgId: row.zitadel_org_id,
+    companyName: row.company_name,
+    streetAddress: row.street_address,
+    postalCode: row.postal_code,
+    city: row.city,
+    country: row.country,
+    vatNumber: row.vat_number ?? null,
+    billingEmail: row.billing_email,
+    notes: row.notes ?? null,
+    createdAt: row.created_at?.toISOString?.() ?? row.created_at,
+    updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
+  };
+}
+
+/**
+ * Fetch org billing if it exists. Returns null when the org has never
+ * captured billing — that's the signal the wizard uses to know
+ * whether to render the inline billing step on the first tenant
+ * request.
+ */
+export async function getOrgBilling(
+  zitadelOrgId: string
+): Promise<OrgBilling | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    "SELECT * FROM org_billing WHERE zitadel_org_id = $1",
+    [zitadelOrgId]
+  );
+  return result.rows.length > 0 ? rowToOrgBilling(result.rows[0]) : null;
+}
+
+/**
+ * Insert or update org billing. Single function for both because the
+ * UI flow makes the "first time vs editing" distinction in a single
+ * settings page that doesn't need to know which one it's doing.
+ *
+ * VAT-required-for-companies isn't enforced here — that's an API
+ * concern (the API knows whether the caller is a company org).
+ * Keeping the DB layer dumb.
+ */
+export async function upsertOrgBilling(
+  data: Omit<OrgBilling, "createdAt" | "updatedAt">
+): Promise<OrgBilling> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `INSERT INTO org_billing (
+       zitadel_org_id, company_name, street_address, postal_code,
+       city, country, vat_number, billing_email, notes
+     )
+     VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+     ON CONFLICT (zitadel_org_id) DO UPDATE SET
+       company_name   = EXCLUDED.company_name,
+       street_address = EXCLUDED.street_address,
+       postal_code    = EXCLUDED.postal_code,
+       city           = EXCLUDED.city,
+       country        = EXCLUDED.country,
+       vat_number     = EXCLUDED.vat_number,
+       billing_email  = EXCLUDED.billing_email,
+       notes          = EXCLUDED.notes,
+       updated_at     = now()
+     RETURNING *`,
+    [
+      data.zitadelOrgId,
+      data.companyName,
+      data.streetAddress,
+      data.postalCode,
+      data.city,
+      data.country,
+      data.vatNumber ?? null,
+      data.billingEmail,
+      data.notes ?? null,
+    ]
+  );
+  return rowToOrgBilling(result.rows[0]);
+}
+
 // ---------------------------------------------------------------------------
 // Slice 6: tenant ↔ user assignments
 // ---------------------------------------------------------------------------

src/lib/email.ts

@@ -156,6 +156,121 @@ export async function sendRejectionEmail(
   }
 }
 
+/**
+ * Bug 37a: separate email for resume request approval. The tenant
+ * already exists; the message is "we're un-suspending it" rather than
+ * "we're provisioning a new instance". Avoids confusing the customer
+ * with onboarding language for a tenant they already had.
+ */
+export async function sendResumeApprovalEmail(
+  to: string,
+  contactName: string,
+  companyName: string
+): Promise<void> {
+  const safeName = escapeHtml(contactName);
+  const safeCompany = escapeHtml(companyName);
+
+  try {
+    await getTransporter().sendMail({
+      from: getFrom(),
+      to,
+      subject: `Your PieCed AI assistant has been reactivated — ${companyName}`,
+      text: [
+        `Hello ${contactName},`,
+        "",
+        `Good news — your reactivation request for ${companyName} has been approved.`,
+        "",
+        "Your AI assistant is being brought back online and should be ready in a few minutes.",
+        "You can check the status in your dashboard at https://app.pieced.ch",
+        "",
+        "Best regards,",
+        "PieCed IT",
+      ].join("\n"),
+      html: `
+        <div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 560px; margin: 0 auto; color: #e0e0e0; background: #1a1a1a; padding: 32px; border-radius: 12px;">
+          <h2 style="color: #ffffff; margin-top: 0;">Your AI assistant has been reactivated</h2>
+          <p>Hello ${safeName},</p>
+          <p>Good news — your reactivation request for <strong>${safeCompany}</strong> has been approved.</p>
+          <p>Your AI assistant is being brought back online and should be ready in a few minutes.</p>
+          <p>
+            <a href="https://app.pieced.ch" style="display: inline-block; padding: 10px 24px; background: #3b82f6; color: #ffffff; text-decoration: none; border-radius: 8px; font-weight: 500;">
+              Go to Dashboard
+            </a>
+          </p>
+          <hr style="border: none; border-top: 1px solid #333; margin: 24px 0;" />
+          <p style="color: #666; font-size: 12px;">PieCed IT — Hosted on-premises in Switzerland</p>
+        </div>
+      `,
+    });
+  } catch (err) {
+    console.error("Failed to send resume approval email:", err);
+  }
+}
+
+/**
+ * Bug 37a: separate email for resume request rejection. Differs from
+ * the onboarding rejection in two ways: it explicitly mentions the
+ * tenant remains suspended, and it points the customer to the
+ * 60-day retention window so they understand the deletion clock is
+ * still ticking. The latter is important — a customer reading a
+ * generic "request rejected" email might not realise their data is
+ * still on a countdown.
+ */
+export async function sendResumeRejectionEmail(
+  to: string,
+  contactName: string,
+  companyName: string,
+  adminNotes?: string
+): Promise<void> {
+  const safeName = escapeHtml(contactName);
+  const safeCompany = escapeHtml(companyName);
+  const safeNotes = adminNotes ? escapeHtml(adminNotes) : "";
+
+  try {
+    const notesBlock = adminNotes
+      ? `\nNote from our team:\n${adminNotes}\n`
+      : "";
+    const notesHtml = safeNotes
+      ? `<div style="background: #2a2a2a; border-left: 3px solid #ef4444; padding: 12px 16px; border-radius: 6px; margin: 16px 0;">
+           <p style="color: #ccc; font-size: 13px; margin: 0;"><strong>Note from our team:</strong></p>
+           <p style="color: #aaa; font-size: 13px; margin: 8px 0 0 0;">${safeNotes}</p>
+         </div>`
+      : "";
+
+    await getTransporter().sendMail({
+      from: getFrom(),
+      to,
+      subject: `Update on your reactivation request — ${companyName}`,
+      text: [
+        `Hello ${contactName},`,
+        "",
+        `Thank you for your reactivation request for ${companyName}. Unfortunately, we were unable to approve it at this time.`,
+        notesBlock,
+        "Your tenant remains suspended. As a reminder, your data is preserved for 60 days from the original cancellation date, after which it will be permanently deleted. You can submit a new reactivation request at any time before then.",
+        "",
+        "If you have questions, please reply to this email.",
+        "",
+        "Best regards,",
+        "PieCed IT",
+      ].join("\n"),
+      html: `
+        <div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 560px; margin: 0 auto; color: #e0e0e0; background: #1a1a1a; padding: 32px; border-radius: 12px;">
+          <h2 style="color: #ffffff; margin-top: 0;">Update on your reactivation request</h2>
+          <p>Hello ${safeName},</p>
+          <p>Thank you for your reactivation request for <strong>${safeCompany}</strong>. Unfortunately, we were unable to approve it at this time.</p>
+          ${notesHtml}
+          <p>Your tenant remains suspended. As a reminder, your data is preserved for 60 days from the original cancellation date, after which it will be permanently deleted. You can submit a new reactivation request at any time before then.</p>
+          <p>If you have questions, please reply to this email.</p>
+          <hr style="border: none; border-top: 1px solid #333; margin: 24px 0;" />
+          <p style="color: #666; font-size: 12px;">PieCed IT — Hosted on-premises in Switzerland</p>
+        </div>
+      `,
+    });
+  } catch (err) {
+    console.error("Failed to send resume rejection email:", err);
+  }
+}
+
 export async function sendAdminNotificationEmail(
   companyName: string,
   contactName: string,

src/lib/k8s.ts

@@ -130,3 +130,46 @@ export async function patchTenantSpec(
   }
   return res.json() as Promise<PiecedTenant>;
 }
+
+/**
+ * Set or clear an annotation on a PiecedTenant CR.
+ *
+ * Pass `value=null` to remove the annotation. K8s merge-patch removes
+ * a key when its value is null in the patch — that's exactly the
+ * semantic we want.
+ *
+ * Used by the resume-request flow (Bug 37a): the portal sets
+ * `pieced.ch/resume-request-pending` when a customer creates a
+ * resume request, and clears it when the request transitions to a
+ * terminal state. The operator reads this annotation to pause its
+ * 60-day deletion timer while a resume request is in flight.
+ *
+ * Annotations are namespaced informally — we use `pieced.ch/...` for
+ * everything we own, mirroring the labels.
+ */
+export async function setTenantAnnotation(
+  name: string,
+  key: string,
+  value: string | null
+): Promise<PiecedTenant> {
+  const url = `${getBaseUrl()}/apis/${API_VERSION}/${PLURAL}/${name}`;
+  const res = await fetch(url, {
+    method: "PATCH",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/merge-patch+json",
+      ...getAuthHeaders(),
+    },
+    body: JSON.stringify({
+      metadata: { annotations: { [key]: value } },
+    }),
+  });
+
+  if (!res.ok) {
+    const text = await res.text();
+    const err = new Error(`K8s annotate /${name}: ${res.status} ${text}`);
+    (err as any).statusCode = res.status;
+    throw err;
+  }
+  return res.json() as Promise<PiecedTenant>;
+}

src/lib/litellm.ts

@@ -32,12 +32,43 @@ export async function getTeamSpendLogs(
   return litellmFetch(`/global/spend/logs?${params}`);
 }
 
+/**
+ * Fetch one page of spend logs for a team, optionally narrowed to a
+ * single virtual key by alias.
+ *
+ * Slice 2 / Bug 19 context
+ * ------------------------
+ * Teams in LiteLLM are now org-scoped (one team per org), and each
+ * tenant in the org has its own virtual key with `key_alias = tenant
+ * CR name`. Without `keyAlias`, this returns the full team's spend —
+ * which mingles every tenant in the org. The portal's per-tenant
+ * usage view passes `keyAlias` to filter server-side via LiteLLM's
+ * native `key_alias` query param. Confirmed available on the
+ * `/spend/logs/v2` endpoint via OpenAPI introspection — no need to
+ * page-and-post-filter as the previous slice did.
+ *
+ * Why this matters
+ * ----------------
+ * Previous implementation fetched all team pages, then post-filtered
+ * by alias in JS. Two problems: (1) at any reasonable scale this is
+ * O(team_total) memory per request even when only one tenant's data
+ * is needed; (2) more importantly, when called from the customer
+ * dashboard without an explicit alias, the route's "pick the first
+ * visible tenant" fallback meant both Acme tenants showed identical
+ * numbers — the alias used was always the first tenant in the
+ * visible list, regardless of which tenant page was being viewed.
+ *
+ * The route layer above is responsible for resolving the tenant
+ * identity correctly and passing the right alias here. This
+ * function's only job is to pass it through to LiteLLM.
+ */
 export async function getTeamSpendLogsV2(
   teamId: string,
   startDate: string,
   endDate: string,
   page: number = 1,
-  pageSize: number = 100
+  pageSize: number = 100,
+  keyAlias?: string | null
 ) {
   const params = new URLSearchParams({
     team_id: teamId,
@@ -46,6 +77,9 @@ export async function getTeamSpendLogsV2(
     page: String(page),
     page_size: String(pageSize),
   });
+  if (keyAlias) {
+    params.set("key_alias", keyAlias);
+  }
   return litellmFetch(`/spend/logs/v2?${params}`);
 }
 

src/lib/validation.ts

@@ -86,6 +86,13 @@ export const billingAddressSchema = z
     country: z.enum(SUPPORTED_COUNTRIES, {
       message: "Please choose a country from the list",
     }),
+    // Bug 35: VAT identifier. Required for company customers (B2B);
+    // omitted entirely for personal customers (B2C — private
+    // individuals don't have a VAT number). The schema marks it
+    // optional because the same schema is used for both flows;
+    // company-vs-personal enforcement happens at the API layer where
+    // `user.isPersonal` is known.
+    vatNumber: z.string().trim().max(50).optional(),
   })
   .superRefine((data, ctx) => {
     const pattern = POSTAL_CODE_PATTERNS[data.country];
@@ -123,6 +130,12 @@ export const billingStepSchema = z.object({
  * Full onboarding payload. Used by the API route and by the wizard's
  * submit handler. `packageSecrets` is a free-shape map that gets
  * encrypted by the server before it touches the DB.
+ *
+ * Bug 35: `billingAddress` is now optional at the schema level. The
+ * wizard omits it entirely when the org already has an `org_billing`
+ * record. The API enforces "billing must exist by the end" by either
+ * looking up the existing org_billing row OR validating the supplied
+ * payload — neither path can be skipped without a 400.
  */
 export const onboardingSchema = z.object({
   instanceName: z
@@ -139,7 +152,7 @@ export const onboardingSchema = z.object({
   packageSecrets: z
     .record(z.string(), z.record(z.string(), z.string()))
     .optional(),
-  billingAddress: billingAddressSchema,
+  billingAddress: billingAddressSchema.optional(),
   billingNotes: z.string().max(2_000).optional(),
 });
 

src/messages/de.json

@@ -12,7 +12,9 @@
     "save": "Speichern",
     "error": "Ein Fehler ist aufgetreten",
     "register": "Registrieren",
-    "team": "Team"
+    "team": "Team",
+    "settings": "Einstellungen",
+    "optional": "optional"
   },
   "login": {
     "title": "PieCed Portal",
@@ -100,7 +102,23 @@
     "reviewInstanceDefault": "(Standard — verwendet Firmenname)",
     "reviewNoPackages": "Keine ausgewählt",
     "reviewBillingTo": "Rechnungsempfänger",
-    "reviewContactEmail": "Kontakt-E-Mail"
+    "reviewContactEmail": "Kontakt-E-Mail",
+    "editRequestTitle": "Anfrage bearbeiten",
+    "editRequestDescription": "Passen Sie die Konfiguration an, bevor unser Team sie prüft.",
+    "editRequest": "Bearbeiten",
+    "cancelRequest": "Anfrage stornieren",
+    "cancelRequestConfirm": "Ja, Anfrage stornieren",
+    "cancelConfirmRequestTitle": "Diese Anfrage stornieren?",
+    "cancelConfirmRequestDescription": "Ihre ausstehende Anfrage wird als storniert markiert und aus der Warteschlange entfernt. Sie können jederzeit eine neue Anfrage einreichen.",
+    "cancelFailed": "Anfrage konnte nicht storniert werden.",
+    "cancelledTitle": "Anfrage storniert",
+    "cancelledDescription": "Sie haben diese Anfrage vor der Bearbeitung storniert. Es wurde keine Instanz erstellt.",
+    "dismiss": "Ausblenden",
+    "dismissFailed": "Konnte nicht ausgeblendet werden.",
+    "rejectionReason": "Angegebener Grund",
+    "saveChanges": "Änderungen speichern",
+    "billingVatNumber": "MWST-Nummer",
+    "billingVatHelp": "Ihre registrierte MWST-Nummer. Falls Ihre Firma von der MWST befreit ist, leer lassen und in den Notizen erläutern."
   },
   "dashboard": {
     "title": "Dashboard",
@@ -143,7 +161,19 @@
     "cancelConfirmBullet3": "Rechnungsdaten bleiben gespeichert",
     "subscriptionUpdateFailed": "Abonnement konnte nicht aktualisiert werden.",
     "suspendedTitle": "Abonnement gekündigt",
-    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen."
+    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen.",
+    "requestReactivation": "Reaktivierung anfragen",
+    "requestReactivationConfirmTitle": "Reaktivierung anfragen?",
+    "requestReactivationConfirmDescription": "Ein Administrator prüft Ihre Anfrage und reaktiviert Ihren Tenant. Sie erhalten eine E-Mail, sobald die Anfrage genehmigt wurde.",
+    "requestReactivationConfirm": "Anfrage senden",
+    "cancelResumeRequest": "Anfrage stornieren",
+    "resumeRequestPendingTitle": "Reaktivierungsanfrage ausstehend",
+    "resumeRequestPendingDescription": "Eingereicht {when}. Ein Administrator wird die Anfrage in Kürze prüfen.",
+    "resumeRequestPendingNoteAdmin": "Ein Inhaber hat eine Reaktivierung angefragt; Sie können direkt oben fortfahren oder die Anfrage in der Admin-Warteschlange bearbeiten.",
+    "cancelConfirmRetentionWarning": "Ihre Daten bleiben nach der Kündigung 60 Tage lang erhalten. Danach werden alle Tenant-Daten – Konfiguration, Geheimnisse, Konversationen und Dateien – endgültig gelöscht.",
+    "suspendedSince": "Gekündigt am {date}",
+    "suspendedDeletionIn": "Datenlöschung in {days, plural, one {# Tag} other {# Tagen}} ({date})",
+    "suspendedDeletionImminent": "Daten werden jetzt gelöscht"
   },
   "usage": {
     "inputTokens": "Input-Tokens",
@@ -283,7 +313,9 @@
     "loadingHealth": "Statusdaten werden geladen…",
     "statusHealthy": "OK",
     "statusDown": "Ausgefallen",
-    "spendChf": "Kosten (CHF)"
+    "spendChf": "Kosten (CHF)",
+    "resumeRequestBadge": "Wieder",
+    "resumeRequestTooltip": "Reaktivierungsanfrage für einen bestehenden Tenant. Bei Genehmigung wird der Tenant wieder aktiviert; keine Provisionierung läuft."
   },
   "channelUsers": {
     "title": "Autorisierte Benutzer",
@@ -345,6 +377,38 @@
     "Ready": "Bereit",
     "Suspended": "Pausiert",
     "Error": "Fehler",
-    "Deleting": "Wird gelöscht"
+    "Deleting": "Wird gelöscht",
+    "Reconfiguring": "Wird neu konfiguriert"
+  },
+  "warnings": {
+    "oneTooltip": "1 Warnung",
+    "manyTooltip": "{count} Warnungen"
+  },
+  "settings": {
+    "title": "Einstellungen",
+    "subtitle": "Organisationsweite Konfiguration, die für alle Ihre Tenants gilt.",
+    "billingTitle": "Abrechnung",
+    "billingDescription": "Adresse, MWST-Nummer und Rechnungs-E-Mail für alle Ihre Tenants.",
+    "nothingForYou": "Für Ihre Rolle gibt es hier noch nichts. Inhaber können Organisationseinstellungen verwalten."
+  },
+  "settingsBilling": {
+    "title": "Abrechnung",
+    "subtitle": "Wird beim ersten Onboarding einmalig erfasst und für jeden Tenant Ihrer Organisation wiederverwendet. Aktualisieren Sie hier, wenn sich Ihre Abrechnungsdaten ändern.",
+    "companyName": "Firmenname",
+    "streetAddress": "Strasse",
+    "postalCode": "PLZ",
+    "city": "Ort",
+    "country": "Land",
+    "vatNumber": "MWST-Nummer",
+    "vatHelp": "Ihre registrierte MWST-Nummer (z. B. CHE-123.456.789 MWST für die Schweiz).",
+    "billingEmail": "Rechnungs-E-Mail",
+    "billingEmailHelp": "An diese Adresse werden Rechnungen und Abrechnungskommunikation gesendet.",
+    "notes": "Notizen",
+    "notesPlaceholder": "Alles, was die Buchhaltung wissen muss – MWST-Befreiung, besondere Rechnungsstellung usw.",
+    "save": "Speichern",
+    "saved": "Gespeichert.",
+    "saveFailed": "Konnte nicht gespeichert werden. Bitte erneut versuchen.",
+    "lastUpdated": "Zuletzt aktualisiert {when}",
+    "fullName": "Voller Name"
   }
 }

src/messages/en.json

@@ -12,7 +12,9 @@
     "save": "Save",
     "error": "An error occurred",
     "register": "Register",
-    "team": "Team"
+    "team": "Team",
+    "settings": "Settings",
+    "optional": "optional"
   },
   "login": {
     "title": "PieCed Portal",
@@ -100,7 +102,23 @@
     "reviewInstanceDefault": "(default — uses company name)",
     "reviewNoPackages": "None selected",
     "reviewBillingTo": "Billing to",
-    "reviewContactEmail": "Contact email"
+    "reviewContactEmail": "Contact email",
+    "editRequestTitle": "Edit your request",
+    "editRequestDescription": "Adjust the configuration before our team reviews it.",
+    "editRequest": "Edit",
+    "cancelRequest": "Cancel request",
+    "cancelRequestConfirm": "Yes, cancel request",
+    "cancelConfirmRequestTitle": "Cancel this request?",
+    "cancelConfirmRequestDescription": "Your pending request will be marked as cancelled and removed from the review queue. You can submit a new request at any time.",
+    "cancelFailed": "Could not cancel request.",
+    "cancelledTitle": "Request cancelled",
+    "cancelledDescription": "You cancelled this request before it was processed. No instance was created.",
+    "dismiss": "Dismiss",
+    "dismissFailed": "Could not dismiss.",
+    "rejectionReason": "Reason given",
+    "saveChanges": "Save changes",
+    "billingVatNumber": "VAT number",
+    "billingVatHelp": "Your registered VAT identifier. If your company is VAT-exempt, leave blank and explain in the notes field."
   },
   "dashboard": {
     "title": "Dashboard",
@@ -143,7 +161,19 @@
     "cancelConfirmBullet3": "Billing information is kept on file",
     "subscriptionUpdateFailed": "Could not update subscription.",
     "suspendedTitle": "Subscription cancelled",
-    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online."
+    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online.",
+    "requestReactivation": "Request reactivation",
+    "requestReactivationConfirmTitle": "Request reactivation?",
+    "requestReactivationConfirmDescription": "An administrator will review your request and reactivate your tenant. You'll be notified by email once it's approved.",
+    "requestReactivationConfirm": "Submit request",
+    "cancelResumeRequest": "Cancel request",
+    "resumeRequestPendingTitle": "Reactivation request pending",
+    "resumeRequestPendingDescription": "Submitted {when}. An administrator will review it shortly.",
+    "resumeRequestPendingNoteAdmin": "An owner has requested reactivation; you can resume directly above or process the request from the admin queue.",
+    "cancelConfirmRetentionWarning": "Your data is preserved for 60 days after cancellation. After that, all tenant data — configuration, secrets, conversations, and files — will be permanently deleted.",
+    "suspendedSince": "Suspended on {date}",
+    "suspendedDeletionIn": "data deletion in {days, plural, one {# day} other {# days}} ({date})",
+    "suspendedDeletionImminent": "data is being deleted now"
   },
   "usage": {
     "inputTokens": "Input Tokens",
@@ -283,7 +313,9 @@
     "loadingHealth": "Loading health data…",
     "statusHealthy": "Healthy",
     "statusDown": "Down",
-    "spendChf": "Spend (CHF)"
+    "spendChf": "Spend (CHF)",
+    "resumeRequestBadge": "Resume",
+    "resumeRequestTooltip": "Reactivation request for an existing tenant. Approving will un-suspend the tenant; no provisioning runs."
   },
   "channelUsers": {
     "title": "Authorized Users",
@@ -345,6 +377,38 @@
     "Ready": "Ready",
     "Suspended": "Suspended",
     "Error": "Error",
-    "Deleting": "Deleting"
+    "Deleting": "Deleting",
+    "Reconfiguring": "Reconfiguring"
+  },
+  "warnings": {
+    "oneTooltip": "1 warning",
+    "manyTooltip": "{count} warnings"
+  },
+  "settings": {
+    "title": "Settings",
+    "subtitle": "Manage org-level configuration that applies to all your tenants.",
+    "billingTitle": "Billing",
+    "billingDescription": "Address, VAT number, and invoice email used for all your tenants.",
+    "nothingForYou": "There's nothing here for your role yet. Owners can manage org settings."
+  },
+  "settingsBilling": {
+    "title": "Billing",
+    "subtitle": "Captured once at first onboarding and reused for every tenant in your organization. Update here whenever your billing details change.",
+    "companyName": "Company name",
+    "streetAddress": "Street address",
+    "postalCode": "Postal code",
+    "city": "City",
+    "country": "Country",
+    "vatNumber": "VAT number",
+    "vatHelp": "Your registered VAT identifier (e.g. CHE-123.456.789 MWST for Switzerland).",
+    "billingEmail": "Billing email",
+    "billingEmailHelp": "Where invoices and billing communication will be sent.",
+    "notes": "Notes",
+    "notesPlaceholder": "Anything else accounting needs to know — VAT exemption, special invoicing arrangements, etc.",
+    "save": "Save",
+    "saved": "Saved.",
+    "saveFailed": "Could not save. Please try again.",
+    "lastUpdated": "Last updated {when}",
+    "fullName": "Full name"
   }
 }

src/messages/fr.json

@@ -12,7 +12,9 @@
     "save": "Enregistrer",
     "error": "Une erreur est survenue",
     "register": "S'inscrire",
-    "team": "Équipe"
+    "team": "Équipe",
+    "settings": "Paramètres",
+    "optional": "facultatif"
   },
   "login": {
     "title": "Portail PieCed",
@@ -100,7 +102,23 @@
     "reviewInstanceDefault": "(par défaut — utilise le nom de l'entreprise)",
     "reviewNoPackages": "Aucun sélectionné",
     "reviewBillingTo": "Facturer à",
-    "reviewContactEmail": "E-mail de contact"
+    "reviewContactEmail": "E-mail de contact",
+    "editRequestTitle": "Modifier votre demande",
+    "editRequestDescription": "Ajustez la configuration avant que notre équipe ne l'examine.",
+    "editRequest": "Modifier",
+    "cancelRequest": "Annuler la demande",
+    "cancelRequestConfirm": "Oui, annuler la demande",
+    "cancelConfirmRequestTitle": "Annuler cette demande ?",
+    "cancelConfirmRequestDescription": "Votre demande en attente sera marquée comme annulée et retirée de la file. Vous pouvez soumettre une nouvelle demande à tout moment.",
+    "cancelFailed": "Impossible d'annuler la demande.",
+    "cancelledTitle": "Demande annulée",
+    "cancelledDescription": "Vous avez annulé cette demande avant son traitement. Aucune instance n'a été créée.",
+    "dismiss": "Masquer",
+    "dismissFailed": "Impossible de masquer.",
+    "rejectionReason": "Motif indiqué",
+    "saveChanges": "Enregistrer les modifications",
+    "billingVatNumber": "Numéro de TVA",
+    "billingVatHelp": "Votre identifiant TVA enregistré. Si votre entreprise est exonérée de TVA, laissez vide et précisez dans les notes."
   },
   "dashboard": {
     "title": "Tableau de bord",
@@ -143,7 +161,19 @@
     "cancelConfirmBullet3": "Les informations de facturation sont conservées",
     "subscriptionUpdateFailed": "Impossible de mettre à jour l'abonnement.",
     "suspendedTitle": "Abonnement annulé",
-    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne."
+    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne.",
+    "requestReactivation": "Demander la réactivation",
+    "requestReactivationConfirmTitle": "Demander la réactivation ?",
+    "requestReactivationConfirmDescription": "Un administrateur examinera votre demande et réactivera votre locataire. Vous recevrez un e-mail dès que la demande sera approuvée.",
+    "requestReactivationConfirm": "Envoyer la demande",
+    "cancelResumeRequest": "Annuler la demande",
+    "resumeRequestPendingTitle": "Demande de réactivation en attente",
+    "resumeRequestPendingDescription": "Soumise {when}. Un administrateur l'examinera sous peu.",
+    "resumeRequestPendingNoteAdmin": "Un propriétaire a demandé la réactivation ; vous pouvez reprendre directement ci-dessus ou traiter la demande depuis la file d'attente d'administration.",
+    "cancelConfirmRetentionWarning": "Vos données sont conservées pendant 60 jours après l'annulation. Passé ce délai, toutes les données du locataire — configuration, secrets, conversations et fichiers — seront définitivement supprimées.",
+    "suspendedSince": "Suspendu le {date}",
+    "suspendedDeletionIn": "suppression des données dans {days, plural, one {# jour} other {# jours}} ({date})",
+    "suspendedDeletionImminent": "les données sont en cours de suppression"
   },
   "usage": {
     "inputTokens": "Tokens d'entrée",
@@ -283,7 +313,9 @@
     "loadingHealth": "Chargement des données de santé…",
     "statusHealthy": "OK",
     "statusDown": "Hors service",
-    "spendChf": "Coûts (CHF)"
+    "spendChf": "Coûts (CHF)",
+    "resumeRequestBadge": "Reprise",
+    "resumeRequestTooltip": "Demande de réactivation d'un locataire existant. L'approbation le réactivera ; aucun provisionnement ne s'exécute."
   },
   "channelUsers": {
     "title": "Utilisateurs autorisés",
@@ -345,6 +377,38 @@
     "Ready": "Prêt",
     "Suspended": "Suspendu",
     "Error": "Erreur",
-    "Deleting": "Suppression"
+    "Deleting": "Suppression",
+    "Reconfiguring": "Reconfiguration"
+  },
+  "warnings": {
+    "oneTooltip": "1 avertissement",
+    "manyTooltip": "{count} avertissements"
+  },
+  "settings": {
+    "title": "Paramètres",
+    "subtitle": "Gérez la configuration au niveau de l'organisation, qui s'applique à tous vos locataires.",
+    "billingTitle": "Facturation",
+    "billingDescription": "Adresse, numéro de TVA et e-mail de facturation utilisés pour tous vos locataires.",
+    "nothingForYou": "Il n'y a rien ici pour votre rôle pour le moment. Les propriétaires peuvent gérer les paramètres de l'organisation."
+  },
+  "settingsBilling": {
+    "title": "Facturation",
+    "subtitle": "Saisie une fois lors de l'inscription et réutilisée pour chaque locataire de votre organisation. Mettez à jour ici dès que vos coordonnées de facturation changent.",
+    "companyName": "Nom de l'entreprise",
+    "streetAddress": "Adresse",
+    "postalCode": "Code postal",
+    "city": "Ville",
+    "country": "Pays",
+    "vatNumber": "Numéro de TVA",
+    "vatHelp": "Votre identifiant TVA enregistré (par ex. CHE-123.456.789 TVA pour la Suisse).",
+    "billingEmail": "E-mail de facturation",
+    "billingEmailHelp": "Adresse à laquelle les factures et la communication de facturation seront envoyées.",
+    "notes": "Notes",
+    "notesPlaceholder": "Tout ce que la comptabilité doit savoir – exonération de TVA, modalités de facturation particulières, etc.",
+    "save": "Enregistrer",
+    "saved": "Enregistré.",
+    "saveFailed": "Impossible d'enregistrer. Veuillez réessayer.",
+    "lastUpdated": "Dernière mise à jour {when}",
+    "fullName": "Nom complet"
   }
 }

src/messages/it.json

@@ -12,7 +12,9 @@
     "save": "Salva",
     "error": "Si è verificato un errore",
     "register": "Registrati",
-    "team": "Team"
+    "team": "Team",
+    "settings": "Impostazioni",
+    "optional": "facoltativo"
   },
   "login": {
     "title": "Portale PieCed",
@@ -100,7 +102,23 @@
     "reviewInstanceDefault": "(predefinito — usa il nome dell'azienda)",
     "reviewNoPackages": "Nessuno selezionato",
     "reviewBillingTo": "Fatturare a",
-    "reviewContactEmail": "Email di contatto"
+    "reviewContactEmail": "Email di contatto",
+    "editRequestTitle": "Modifica la sua richiesta",
+    "editRequestDescription": "Modifichi la configurazione prima che il nostro team la esamini.",
+    "editRequest": "Modifica",
+    "cancelRequest": "Annulla richiesta",
+    "cancelRequestConfirm": "Sì, annulla la richiesta",
+    "cancelConfirmRequestTitle": "Annullare questa richiesta?",
+    "cancelConfirmRequestDescription": "La sua richiesta in attesa sarà contrassegnata come annullata e rimossa dalla coda di revisione. Può inviare una nuova richiesta in qualsiasi momento.",
+    "cancelFailed": "Impossibile annullare la richiesta.",
+    "cancelledTitle": "Richiesta annullata",
+    "cancelledDescription": "Lei ha annullato questa richiesta prima dell'elaborazione. Nessuna istanza è stata creata.",
+    "dismiss": "Nascondi",
+    "dismissFailed": "Impossibile nascondere.",
+    "rejectionReason": "Motivo indicato",
+    "saveChanges": "Salva modifiche",
+    "billingVatNumber": "Partita IVA",
+    "billingVatHelp": "Il tuo identificativo IVA registrato. Se la tua azienda è esente IVA, lascia vuoto e spiega nelle note."
   },
   "dashboard": {
     "title": "Dashboard",
@@ -143,7 +161,19 @@
     "cancelConfirmBullet3": "Le informazioni di fatturazione sono mantenute",
     "subscriptionUpdateFailed": "Impossibile aggiornare l'abbonamento.",
     "suspendedTitle": "Abbonamento annullato",
-    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online."
+    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online.",
+    "requestReactivation": "Richiedi riattivazione",
+    "requestReactivationConfirmTitle": "Richiedere la riattivazione?",
+    "requestReactivationConfirmDescription": "Un amministratore esaminerà la tua richiesta e riattiverà il tuo tenant. Riceverai un'email non appena la richiesta sarà approvata.",
+    "requestReactivationConfirm": "Invia richiesta",
+    "cancelResumeRequest": "Annulla richiesta",
+    "resumeRequestPendingTitle": "Richiesta di riattivazione in sospeso",
+    "resumeRequestPendingDescription": "Inviata {when}. Un amministratore la esaminerà a breve.",
+    "resumeRequestPendingNoteAdmin": "Un proprietario ha richiesto la riattivazione; puoi riprendere direttamente sopra o elaborare la richiesta dalla coda di amministrazione.",
+    "cancelConfirmRetentionWarning": "I tuoi dati sono conservati per 60 giorni dopo l'annullamento. Trascorso tale periodo, tutti i dati del tenant — configurazione, segreti, conversazioni e file — verranno eliminati definitivamente.",
+    "suspendedSince": "Sospeso il {date}",
+    "suspendedDeletionIn": "eliminazione dei dati tra {days, plural, one {# giorno} other {# giorni}} ({date})",
+    "suspendedDeletionImminent": "i dati vengono eliminati ora"
   },
   "usage": {
     "inputTokens": "Token di input",
@@ -283,7 +313,9 @@
     "loadingHealth": "Caricamento dati di stato…",
     "statusHealthy": "OK",
     "statusDown": "Non disponibile",
-    "spendChf": "Costi (CHF)"
+    "spendChf": "Costi (CHF)",
+    "resumeRequestBadge": "Ripresa",
+    "resumeRequestTooltip": "Richiesta di riattivazione di un tenant esistente. L'approvazione lo riattiverà; non viene eseguito alcun provisioning."
   },
   "channelUsers": {
     "title": "Utenti autorizzati",
@@ -345,6 +377,38 @@
     "Ready": "Pronto",
     "Suspended": "Sospeso",
     "Error": "Errore",
-    "Deleting": "Eliminazione"
+    "Deleting": "Eliminazione",
+    "Reconfiguring": "Riconfigurazione"
+  },
+  "warnings": {
+    "oneTooltip": "1 avviso",
+    "manyTooltip": "{count} avvisi"
+  },
+  "settings": {
+    "title": "Impostazioni",
+    "subtitle": "Gestisci la configurazione a livello di organizzazione, valida per tutti i tuoi tenant.",
+    "billingTitle": "Fatturazione",
+    "billingDescription": "Indirizzo, numero di IVA ed e-mail di fatturazione usati per tutti i tuoi tenant.",
+    "nothingForYou": "Al momento non c'è nulla qui per il tuo ruolo. I proprietari possono gestire le impostazioni dell'organizzazione."
+  },
+  "settingsBilling": {
+    "title": "Fatturazione",
+    "subtitle": "Acquisita una sola volta al primo onboarding e riutilizzata per ogni tenant della tua organizzazione. Aggiorna qui ogni volta che i dati di fatturazione cambiano.",
+    "companyName": "Ragione sociale",
+    "streetAddress": "Indirizzo",
+    "postalCode": "CAP",
+    "city": "Città",
+    "country": "Paese",
+    "vatNumber": "Partita IVA",
+    "vatHelp": "Il tuo identificativo IVA registrato (es. CHE-123.456.789 IVA per la Svizzera).",
+    "billingEmail": "E-mail di fatturazione",
+    "billingEmailHelp": "Indirizzo a cui verranno inviate le fatture e le comunicazioni di fatturazione.",
+    "notes": "Note",
+    "notesPlaceholder": "Qualsiasi cosa la contabilità debba sapere — esenzione IVA, modalità di fatturazione particolari, ecc.",
+    "save": "Salva",
+    "saved": "Salvato.",
+    "saveFailed": "Impossibile salvare. Riprova.",
+    "lastUpdated": "Ultimo aggiornamento {when}",
+    "fullName": "Nome completo"
   }
 }

src/types/index.ts

@@ -83,6 +83,7 @@ export interface PiecedTenantStatus {
     | "Provisioning"
     | "Running"
     | "Ready"
+    | "Reconfiguring"
     | "Suspended"
     | "Error"
     | "Deleting";
@@ -102,6 +103,31 @@ export interface PiecedTenantStatus {
   litellmKeyAlias?: string;
   tenantNamespace?: string;
   enabledPackages?: string[];
+  /**
+   * RFC3339 timestamp of when the tenant first transitioned to
+   * suspended (Bug 37). Stamped by the operator on the first reconcile
+   * with `spec.suspend=true` and cleared when the tenant resumes. Used
+   * by the portal to render the "deleted in N days" countdown in the
+   * suspended banner. The retention policy is 60 days from this
+   * timestamp; see operator's `retentionAfterSuspend` constant for the
+   * authoritative value.
+   */
+  suspendedAt?: string;
+  /**
+   * Non-fatal issues from downstream resources surfaced by the operator
+   * (e.g. an OpenClawInstance sub-condition reporting failure). The
+   * tenant is still usable — these are informational, rendered as a
+   * warning badge alongside the phase.
+   *
+   * `source` is "<Kind>/<ConditionType>" e.g. "OpenClawInstance/SkillPacksReady".
+   * `message` is shown in the tooltip when the user hovers the badge.
+   */
+  warnings?: Array<{
+    source: string;
+    reason?: string;
+    message?: string;
+    since?: string;
+  }>;
   conditions?: Array<{
     type: string;
     status: string;
@@ -118,6 +144,15 @@ export interface PiecedTenant {
     name: string;
     namespace?: string;
     creationTimestamp?: string;
+    /**
+     * Set by the API server when something issues a Delete on the CR.
+     * The CR continues to exist while finalizers run cleanup; once
+     * they all remove themselves, the API server permanently removes
+     * the CR. Used by the portal's status sync to detect tenants
+     * being torn down — the customer should see "Deleted" rather
+     * than "Ready" while the cleanup runs.
+     */
+    deletionTimestamp?: string;
     labels?: Record<string, string>;
     annotations?: Record<string, string>;
   };
@@ -161,6 +196,41 @@ export interface BillingAddress {
   city?: string;
   postalCode?: string;
   country?: string;
+  /**
+   * VAT identifier. Required for new submissions (Bug 35); older
+   * tenant_requests rows in the audit table may have this absent.
+   */
+  vatNumber?: string;
+}
+
+/**
+ * Org-scoped billing record (Bug 35). One per ZITADEL org. Captured
+ * during the first tenant request, editable afterwards via the
+ * /settings/billing page. All future tenant requests in the same org
+ * reuse this without prompting again.
+ *
+ * Personal orgs (`isPersonal=true` in their context) currently don't
+ * fill this in — the wizard skips the step and the onboarding
+ * endpoint doesn't enforce it. If they later want billing on file
+ * (e.g. for invoices), they can fill the settings page manually.
+ *
+ * `vatNumber` is required for company orgs at write time, optional
+ * for personal. The API enforces this; the type itself keeps it
+ * optional because it's nullable in the DB and may be unset for
+ * personal orgs.
+ */
+export interface OrgBilling {
+  zitadelOrgId: string;
+  companyName: string;
+  streetAddress: string;
+  postalCode: string;
+  city: string;
+  country: string;
+  vatNumber?: string | null;
+  billingEmail: string;
+  notes?: string | null;
+  createdAt: string;
+  updatedAt: string;
 }
 
 export type TenantRequestStatus =
@@ -169,6 +239,7 @@ export type TenantRequestStatus =
   | "provisioning" // PiecedTenant CR created, operator reconciling
   | "active" // Tenant running
   | "rejected" // Admin rejected
+  | "cancelled" // Customer cancelled before admin acted on it (Bug 6)
   | "deleted"; // Tenant was deleted by admin
 
 export interface TenantRequest {
@@ -202,6 +273,27 @@ export interface TenantRequest {
    * domain-uniqueness check on subsequent registrations.
    */
   isPersonal?: boolean;
+  /**
+   * Bug 13: when set, the customer has explicitly dismissed a rejected
+   * request from their dashboard. Used by `listActiveTenantRequestsByOrgId`
+   * to keep showing rejected rows until they're dismissed (so a customer
+   * who wasn't online when the rejection happened still sees it on next
+   * login). Always null for non-rejected statuses.
+   */
+  dismissedAt?: string | null;
+  /**
+   * Bug 37a: discriminator between provision (initial tenant creation,
+   * the original purpose of this table) and resume (admin-gated
+   * reactivation of a suspended tenant). Default 'provision' for all
+   * pre-existing rows; resume rows have most provision fields null
+   * but tenant_name set to the tenant being requested.
+   *
+   * Optional on the TS type so provision-only callers (like the
+   * onboarding wizard's create flow) don't need to know about resume
+   * requests. The DB column is NOT NULL DEFAULT 'provision', so rows
+   * loaded via `mapRow` always have a value populated.
+   */
+  requestType?: "provision" | "resume";
   createdAt: string;
   updatedAt: string;
 }
@@ -220,6 +312,13 @@ export interface OnboardingInput {
   soulMd?: string;
   agentsMd?: string;
   packages?: string[];
-  billingAddress: BillingAddress;
+  /**
+   * Bug 35: optional at the type level because the wizard skips the
+   * billing step entirely when the org already has an `org_billing`
+   * record. The onboarding API enforces "billing must be resolved by
+   * the end" — either from `org_billing` lookup or from this field —
+   * via runtime checks; the type just allows both paths.
+   */
+  billingAddress?: BillingAddress;
   billingNotes?: string;
 }