Suspendedremoval display in Frontend

Suspendedremoval
2026-05-01 21:39:16 +02:00 · 2026-05-01 18:17:04 +02:00 · 2026-05-01 18:11:42 +02:00 · 2026-05-01 18:07:00 +02:00 · 2026-05-01 16:56:33 +02:00 · 2026-05-01 13:34:56 +02:00
22 changed files with 1440 additions and 261 deletions
--- a/src/app/[locale]/dashboard/page.tsx
+++ b/src/app/[locale]/dashboard/page.tsx
@@ -2,7 +2,10 @@ import { getSessionUser, canMutate } from "@/lib/session";
 import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect } from "next/navigation";
 import { listTenants } from "@/lib/k8s";
-import { listActiveTenantRequestsByOrgId } from "@/lib/db";
+import {
  listActiveTenantRequestsByOrgId,
  syncProvisioningStatuses,
 } from "@/lib/db";
 import {
  listVisibleTenants,
  canSeeInflightRequests,
@@ -11,6 +14,7 @@ import {
 import { personalAccountAtCapacity } from "@/lib/personal-org";
 import { Card, CardHeader } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { WarningBadge } from "@/components/ui/warning-badge";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
 import { ProvisioningStatus } from "@/components/onboarding/provisioning-status";
 import { formatDateTime } from "@/lib/format";
@@ -159,6 +163,23 @@ export default async function DashboardPage() {
  // Pending/in-flight requests are only shown to roles that can act on
  // them. `user`-role customers see no request cards.
  //
  // syncProvisioningStatuses runs on every dashboard load: it walks
  // active and provisioning rows and reconciles them against the
  // current cluster state. Without this, the operator-initiated
  // 60-day TTL deletion (Bug 37b) leaves the portal showing "Your
  // assistant is ready!" cards for tenants that no longer exist —
  // the operator deletes the CR, but the DB row stays at active=true
  // until something updates it. Running the sync at every dashboard
  // load keeps the portal eventually consistent with the cluster
  // without needing a separate cron/job.
  //
  // Cost: one K8s GET per row in (active, provisioning) status. At
  // pilot scale this is small; if it grows we'd cache or move to a
  // periodic background job.
  if (canSeeInflightRequests(user)) {
    await syncProvisioningStatuses();
  }
  const orgRequests = canSeeInflightRequests(user)
    ? await listActiveTenantRequestsByOrgId(user.orgId)
    : [];
@@ -173,7 +194,16 @@ export default async function DashboardPage() {
    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
  );
  const inflightRequests = orgRequests.filter(
-    (r) => !r.tenantName || !orgScopedTenants.some((t) => t.metadata.name === r.tenantName)
+    (r) =>
      // Only show provision (initial creation) requests on the
      // dashboard. Resume requests (Bug 37a) belong with their
      // specific tenant — the SubscriptionToggle on the tenant
      // detail page renders the pending state there. Showing them
      // on the dashboard too would duplicate the surface and
      // confuse customers about which tenant they refer to.
      r.requestType !== "resume" &&
      (!r.tenantName ||
        !orgScopedTenants.some((t) => t.metadata.name === r.tenantName))
  );
  // Slice 5: only owners (and platform users, who'd typically be using
@@ -348,7 +378,10 @@ export default async function DashboardPage() {
                        {tenant.metadata.name}
                      </div>
                    </div>
-                    <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+                    <div className="flex items-center gap-2 shrink-0">
                      <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
                      <WarningBadge warnings={tenant.status?.warnings ?? []} />
                    </div>
                  </div>
                  {tenant.spec.agentName && (
--- a/src/app/[locale]/tenants/[name]/page.tsx
+++ b/src/app/[locale]/tenants/[name]/page.tsx
@@ -3,7 +3,9 @@ import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect, notFound } from "next/navigation";
 import { getTenant } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
 import { getPendingResumeRequestForTenant } from "@/lib/db";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { WarningBadge } from "@/components/ui/warning-badge";
 import { UsageDisplay } from "@/components/dashboard/usage-display";
 import { PackageList } from "@/components/packages/package-list";
 import { WorkspaceEditor } from "@/components/packages/workspace-editor";
@@ -46,6 +48,13 @@ export default async function TenantDetailPage({
  // The current state comes from spec.suspend on the CR.
  const isSuspended = Boolean(tenant.spec.suspend);
  // Bug 37a: when the tenant is suspended, an owner can request
  // reactivation (admin-gated). Look up whether one is in flight so
  // the SubscriptionToggle can render the right state.
  const pendingResumeRequest = isSuspended
    ? await getPendingResumeRequestForTenant(name)
    : null;
  // Bug 7: assigned-users panel is meaningless for personal tenants
  // (sole-owner by definition; the only "assignee" is the owner
  // themselves). We hide the panel when EITHER the CR carries the
@@ -66,18 +75,12 @@ export default async function TenantDetailPage({
  );
  const channelUsers = tenant.spec.channelUsers || {};
-  // Admins inspecting another tenant's usage: pass teamId AND keyAlias so
+  // Bug 19 fix: every viewer (customer or admin) passes the tenant
-  // the backend filters spend logs by this specific tenant's virtual key.
+  // name to UsageDisplay. The /api/usage route resolves team+alias
-  // Without keyAlias the response would include sibling tenants in the
+  // from the tenant CR's status and applies the visibility check, so
-  // same org, since teams are now shared (Slice 2).
+  // no per-role branching is needed here. Previous version only
-  // Customers viewing their own: pass nothing — backend resolves both
+  // passed identifiers for platform admins; customers got "the first
-  // from the session-bound tenant.
+  // visible tenant" by API fallback, mingling siblings.
  const usageTeamId = user.isPlatform
    ? tenant.status?.litellmTeamId || undefined
    : undefined;
  const usageKeyAlias = user.isPlatform
    ? tenant.status?.litellmKeyAlias || undefined
    : undefined;
  return (
    <div>
@@ -88,6 +91,7 @@ export default async function TenantDetailPage({
            {tenant.spec.displayName || name}
          </h1>
          <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
          <WarningBadge warnings={tenant.status?.warnings ?? []} />
        </div>
        {tenant.spec.agentName && (
          <p className="text-sm text-text-secondary mt-3">
@@ -148,7 +152,7 @@ export default async function TenantDetailPage({
        <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
          {t("usage")}
        </h2>
-        <UsageDisplay teamId={usageTeamId} keyAlias={usageKeyAlias} />
+        <UsageDisplay tenant={name} />
      </section>
      {/* Packages */}
@@ -212,7 +216,19 @@ export default async function TenantDetailPage({
              ? t("subscriptionDescriptionSuspended")
              : t("subscriptionDescriptionActive")}
          </p>
-          <SubscriptionToggle tenantName={name} suspended={isSuspended} />
+          <SubscriptionToggle
            tenantName={name}
            suspended={isSuspended}
            isPlatform={user.isPlatform}
            pendingResumeRequest={
              pendingResumeRequest
                ? {
                    id: pendingResumeRequest.id,
                    createdAt: pendingResumeRequest.createdAt,
                  }
                : null
            }
          />
        </section>
      )}
    </div>
--- a/src/app/api/admin/requests/[id]/approve/route.ts
+++ b/src/app/api/admin/requests/[id]/approve/route.ts
@@ -5,7 +5,7 @@ import {
  updateTenantRequestStatus,
  clearEncryptedSecrets,
 } from "@/lib/db";
-import { createTenant } from "@/lib/k8s";
+import { createTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
 import { sendApprovalEmail } from "@/lib/email";
 import { decryptSecrets } from "@/lib/crypto";
 import { writePackageSecrets } from "@/lib/openbao";
@@ -19,14 +19,26 @@ import { safeError } from "@/lib/errors";
 /**
 * POST /api/admin/requests/[id]/approve
- * Approve a tenant request:
+ *
- * 1. Decrypt stored package secrets (if any)
+ * Approve a request. Two paths depending on request_type:
- * 2. Write each package's secrets to OpenBao at secret/data/tenants/{tenant-name}/{package}
+ *
- * 3. Null the encrypted_secrets column
+ * Provision (the original purpose):
- * 4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
+ *  1. Decrypt stored package secrets (if any)
- * 5. Create PiecedTenant CR
+ *  2. Write each package's secrets to OpenBao
- * 6. Update request status, notify customer.
+ *  3. Null the encrypted_secrets column
- * Also supports re-approving a previously rejected request (clears admin notes).
+ *  4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
 *  5. Create PiecedTenant CR
 *  6. Update request status, notify customer.
 *  Supports re-approving a previously rejected request (clears admin notes).
 *
 * Resume (Bug 37a):
 *  1. PATCH spec.suspend=false on the existing PiecedTenant CR.
 *  2. Clear the `pieced.ch/resume-request-pending` annotation so the
 *     operator knows the request is settled (and doesn't pause its
 *     60-day TTL forever — though now that the tenant isn't suspended,
 *     the timer is moot).
 *  3. Mark request approved, notify customer.
 *  No CR creation, no secret materialisation, no workspace files.
 */
 export async function POST(
  request: Request,
@@ -60,6 +72,58 @@ export async function POST(
    );
  }
  // Resume request: short path. Just patch the existing tenant, clear
  // the annotation, mark approved.
  if (tenantRequest.requestType === "resume") {
    if (!tenantRequest.tenantName) {
      // Shouldn't happen — resume requests are created with tenant_name
      // set. Defensive 500 if it does.
      return NextResponse.json(
        { error: "Resume request has no tenant_name" },
        { status: 500 }
      );
    }
    try {
      await patchTenantSpec(tenantRequest.tenantName, { suspend: false });
      // Clear the annotation that pauses the operator's 60-day TTL.
      // Best-effort — annotation cleanup is also done by the operator
      // when it sees suspend=false on the next reconcile (it clears
      // status.suspendedAt), but explicitly clearing here keeps the
      // CR clean.
      try {
        await setTenantAnnotation(
          tenantRequest.tenantName,
          "pieced.ch/resume-request-pending",
          null
        );
      } catch (e) {
        console.warn(
          "post-approve annotation clear failed; not blocking",
          e
        );
      }
      await updateTenantRequestStatus(id, "approved", { adminNotes });
      await sendApprovalEmail(
        tenantRequest.contactEmail,
        tenantRequest.contactName,
        tenantRequest.companyName
      ).catch((e) => console.error("approval email failed:", e));
      return NextResponse.json({
        message: "Resume approved. Tenant is reactivating.",
        tenantName: tenantRequest.tenantName,
      });
    } catch (e: any) {
      console.error("Resume approval failed:", e);
      return NextResponse.json(
        { error: safeError(e, "Failed to approve resume") },
        { status: 500 }
      );
    }
  }
  const isReApproval = tenantRequest.status === "rejected";
  // Build the CR name: see `lib/tenant-naming.ts` for the format spec.
--- a/src/app/api/admin/requests/[id]/reject/route.ts
+++ b/src/app/api/admin/requests/[id]/reject/route.ts
@@ -1,11 +1,19 @@
 import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
 import { getTenantRequestById, updateTenantRequestStatus } from "@/lib/db";
 import { setTenantAnnotation } from "@/lib/k8s";
 import { sendRejectionEmail } from "@/lib/email";
 /**
 * POST /api/admin/requests/[id]/reject
 * Reject a tenant request and notify the customer.
 *
 * For resume requests (Bug 37a): also clears the
 * `pieced.ch/resume-request-pending` annotation on the tenant CR.
 * The operator's 60-day TTL then resumes counting from the original
 * suspendedAt — rejection doesn't reset it. The customer can submit
 * a fresh resume request later if circumstances change, but that
 * starts a new pending row and re-stamps the annotation.
 */
 export async function POST(
  request: Request,
@@ -37,6 +45,26 @@ export async function POST(
    adminNotes,
  });
  // Resume rejection: clear the annotation so the operator's TTL
  // resumes. Best-effort — failure is logged, not propagated.
  if (
    tenantRequest.requestType === "resume" &&
    tenantRequest.tenantName
  ) {
    try {
      await setTenantAnnotation(
        tenantRequest.tenantName,
        "pieced.ch/resume-request-pending",
        null
      );
    } catch (e) {
      console.warn(
        "post-reject annotation clear failed; operator's TTL will pause until annotation removed by admin",
        e
      );
    }
  }
  // Notify customer
  await sendRejectionEmail(
    tenantRequest.contactEmail,
--- a/src/app/api/onboarding/[id]/route.ts
+++ b/src/app/api/onboarding/[id]/route.ts
@@ -6,6 +6,7 @@ import {
  updateTenantRequestEditableFields,
 } from "@/lib/db";
 import { encryptSecrets } from "@/lib/crypto";
 import { setTenantAnnotation } from "@/lib/k8s";
 import { onboardingSchema } from "@/lib/validation";
 import { safeError } from "@/lib/errors";
@@ -91,6 +92,25 @@ export async function DELETE(
  try {
    await updateTenantRequestStatus(id, "cancelled");
    // Customer cancels their own pending resume request: clear the
    // operator-side annotation so the 60-day TTL resumes counting.
    // Best-effort — the operator handles missing annotation gracefully.
    if (tr.requestType === "resume" && tr.tenantName) {
      try {
        await setTenantAnnotation(
          tr.tenantName,
          "pieced.ch/resume-request-pending",
          null
        );
      } catch (e) {
        console.warn(
          "post-cancel annotation clear failed; not blocking",
          e
        );
      }
    }
    return NextResponse.json({ message: "Request cancelled.", id });
  } catch (e: any) {
    console.error("Failed to cancel request:", e);
--- a/src/app/api/tenants/[name]/resume-request/route.ts
+++ b/src/app/api/tenants/[name]/resume-request/route.ts
@@ -0,0 +1,153 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getSessionUser, canMutate } from "@/lib/session";
 import { getTenant, setTenantAnnotation } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
 import {
  createResumeRequest,
  getPendingResumeRequestForTenant,
  getTenantRequestByTenantName,
 } from "@/lib/db";
 import { safeError } from "@/lib/errors";
 /**
 * POST /api/tenants/[name]/resume-request
 *
 * Owner-initiated request to reactivate a suspended tenant (Bug 37a).
 * Creates a pending tenant_request of type 'resume' for admin review,
 * and stamps the PiecedTenant CR with an annotation that pauses the
 * operator's 60-day deletion timer.
 *
 * Why a request flow at all
 * -------------------------
 * Customers can self-serve cancel; resume requires admin oversight.
 * Reactivation may involve re-validating billing, confirming the
 * customer still wants to be active, or other manual steps. The
 * request flow gives admins a queue to review, with the same approve/
 * reject UX as initial provision requests.
 *
 * Authorization
 * -------------
 * Owners and platform admins. Platform admins shouldn't normally use
 * this endpoint — they have direct PATCH suspend access — but it's
 * permissive in case admin tooling pivots.
 *
 * Validation
 * ----------
 *  - Tenant must exist and be visible to the caller.
 *  - Tenant must be currently suspended. Resuming an active tenant
 *    is meaningless.
 *  - At most one pending resume request per tenant. Enforced by the
 *    DB's partial unique index, but we also check explicitly here to
 *    return a friendly 409 instead of a 500.
 *
 * Side effects on success
 * -----------------------
 *  - INSERT into tenant_requests (request_type='resume', status='pending')
 *  - PATCH annotation `pieced.ch/resume-request-pending=<request-id>` on
 *    the CR. This is the operator's signal to pause its 60-day deletion
 *    timer until the request transitions to terminal.
 *
 * The annotation set is best-effort: if the K8s PATCH fails after the
 * DB insert, the row exists without the annotation. The customer
 * sees the request as pending; admin can still approve. The only
 * functional consequence is the 60-day timer doesn't pause until the
 * next request transition, which is fine in practice (admin response
 * times are dramatically shorter than 60 days).
 */
 export async function POST(
  req: NextRequest,
  { params }: { params: Promise<{ name: string }> }
 ) {
  const user = await getSessionUser();
  if (!user) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
  if (!canMutate(user)) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }
  const { name } = await params;
  const tenant = await getTenant(name);
  if (!tenant) {
    return NextResponse.json({ error: "Not found" }, { status: 404 });
  }
  if (!(await canUserSeeTenant(user, tenant))) {
    return NextResponse.json({ error: "Not found" }, { status: 404 });
  }
  if (!tenant.spec.suspend) {
    return NextResponse.json(
      { error: "Tenant is not suspended; nothing to resume." },
      { status: 409 }
    );
  }
  // Already a pending request? Don't duplicate.
  const existing = await getPendingResumeRequestForTenant(name);
  if (existing) {
    return NextResponse.json(
      {
        error: "A resume request for this tenant is already pending.",
        request: { id: existing.id, createdAt: existing.createdAt },
      },
      { status: 409 }
    );
  }
  // Pull traceability fields (companyName, agentName) from the original
  // provision request. The schema marks these NOT NULL, so we have to
  // populate them; copying from the provision row keeps the resume
  // row navigable in the admin UI without making up values.
  const provision = await getTenantRequestByTenantName(name);
  try {
    const resumeRequest = await createResumeRequest({
      tenantName: name,
      zitadelOrgId:
        tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] ?? user.orgId,
      zitadelUserId: user.id,
      contactName: user.name,
      contactEmail: user.email,
      companyName: provision?.companyName ?? tenant.spec.displayName ?? name,
      agentName: provision?.agentName ?? "Assistant",
    });
    // Stamp the annotation so the operator pauses its TTL. If this
    // fails the request still exists; surface the error so admin
    // tooling can re-stamp if needed, but don't roll back.
    try {
      await setTenantAnnotation(
        name,
        "pieced.ch/resume-request-pending",
        resumeRequest.id
      );
    } catch (e) {
      console.warn(
        "resume request created but annotation could not be set; operator's 60-day timer will not pause until next reconcile triggered by request transition",
        e
      );
    }
    return NextResponse.json(
      {
        message: "Resume request submitted. An admin will review shortly.",
        request: { id: resumeRequest.id, status: resumeRequest.status },
      },
      { status: 201 }
    );
  } catch (e: any) {
    // Unique violation (a pending row already exists for this tenant)
    // is friendly-handled above; this catches everything else.
    if (e.code === "23505") {
      return NextResponse.json(
        { error: "A resume request for this tenant is already pending." },
        { status: 409 }
      );
    }
    console.error("Resume request creation failed:", e);
    return NextResponse.json(
      { error: safeError(e, "Failed to submit resume request") },
      { status: 500 }
    );
  }
 }
--- a/src/app/api/tenants/[name]/suspend/route.ts
+++ b/src/app/api/tenants/[name]/suspend/route.ts
@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { z } from "zod";
 import { getSessionUser, canMutate } from "@/lib/session";
-import { getTenant, patchTenantSpec } from "@/lib/k8s";
+import { getTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
 import { safeError } from "@/lib/errors";
@@ -12,37 +12,38 @@ const patchSchema = z.object({
 /**
 * PATCH /api/tenants/[name]/suspend
 *
- * Customer-side "Cancel subscription" / "Resume" toggle (Bug 31).
+ * Direct suspend control on the PiecedTenant CR. Sets `spec.suspend`
 * to true (cancel) or false (resume).
 *
- * Sets `spec.suspend` on the PiecedTenant CR. The operator interprets
+ * Authorization (Bug 37a)
- * this flag as "stop reconciling this tenant" — workloads, packages,
+ * -----------------------
- * and channel-user changes are no longer applied. Existing data is
+ * - suspend=true  → owners and platform admins may call.
- * preserved (namespace, ConfigMaps, OpenBao secrets, CNPG database,
+ * - suspend=false → platform admins ONLY. Owners must go through the
- * billing records). Resuming sets the flag back to false and the
+ *   resume-request flow (POST /api/tenants/[name]/resume-request),
- * operator picks up reconciliation on the next loop.
+ *   which creates a pending request for admin approval. This
 *   asymmetry is by design: cancellation is self-service (low risk;
 *   reversible by request); reactivation requires admin oversight
 *   (e.g. to re-validate billing, confirm intent).
 *
- * Authorization
+ * Customer flow:
- * -------------
+ *   - Cancel:  PATCH suspend=true  here
- * - Customer-side: only an `owner` of the tenant's org may call this.
+ *   - Resume:  POST /resume-request — creates a 'resume' tenant_request,
- *   `canMutate` is the right gate (mirrors the rest of the customer
+ *              admin approves via /api/admin/requests/[id]/approve which
- *   API surface). User-role members cannot cancel a subscription.
+ *              then PATCHes suspend=false here as a platform user.
 * - Platform staff: allowed via `canMutate`'s isPlatform branch, but
 *   in practice they should use admin tooling for this — the action
 *   is exposed here for the customer's benefit.
 *
- * Visibility check is via `canUserSeeTenant` — same notFound() trick
+ * Workload behaviour
- * as the detail page, so we don't leak existence of tenants the
+ * ------------------
- * caller can't see.
+ * On suspend=true the operator deletes the OpenClawInstance, stopping
 * the pod within seconds. Tenant data — namespace, ConfigMaps,
 * OpenBao secrets, CNPG database, LiteLLM team — is retained.
 *
- * Note on workload teardown
+ * Suspended tenants enter a 60-day retention window (operator
- * -------------------------
+ * constant `retentionAfterSuspend`); after that, the tenant is fully
- * As of this writing, the operator's `suspend` handling is "skip
+ * deleted unless a pending resume request exists. The operator
- * reconciliation and set status.phase to Suspended". The underlying
+ * checks the `pieced.ch/resume-request-pending` annotation to know
- * StatefulSet keeps running until next reconciliation, which won't
+ * about pending requests; we set it here when admin approves the
- * happen while suspended. Group D will add scale-to-zero so cancelled
+ * resume (transitively, via the admin-approve endpoint), and clear
- * subscriptions actually stop incurring compute. Until then, an
+ * it when the request reaches a terminal state.
 * operator following up with a `kubectl scale` is the workaround.
 * Customer data is preserved either way.
 */
 export async function PATCH(
  req: NextRequest,
@@ -76,6 +77,18 @@ export async function PATCH(
  }
  const { suspend } = parsed.data;
  // Bug 37a: resume (suspend=false) is platform-admin only via this
  // endpoint. Owners must go through the resume-request flow.
  if (!suspend && !user.isPlatform) {
    return NextResponse.json(
      {
        error:
          "Resume requires platform-admin approval. Submit a resume request via /api/tenants/[name]/resume-request.",
      },
      { status: 403 }
    );
  }
  // No-op early exit. Avoids a needless K8s patch + status churn when
  // the user double-clicks the button or the UI is briefly out of sync.
  if (Boolean(tenant.spec.suspend) === suspend) {
@@ -87,10 +100,32 @@ export async function PATCH(
  try {
    await patchTenantSpec(name, { suspend });
    // On admin-side resume, also clear the pending-resume-request
    // annotation if it exists. Belt-and-suspenders: the admin-approve
    // endpoint already clears it on its happy path, but a platform
    // user resuming directly via this endpoint shouldn't leave the
    // annotation behind. Best-effort: failure to clear the annotation
    // is logged but doesn't fail the resume.
    if (!suspend) {
      try {
        await setTenantAnnotation(
          name,
          "pieced.ch/resume-request-pending",
          null
        );
      } catch (e) {
        console.warn(
          "failed to clear resume-request-pending annotation; operator will see it stale until next request transition",
          e
        );
      }
    }
    return NextResponse.json(
      {
        message: suspend
-          ? "Subscription cancelled. Your data is preserved."
+          ? "Subscription cancelled. Your data is preserved for 60 days."
          : "Subscription resumed.",
        suspend,
      },
--- a/src/app/api/usage/route.ts
+++ b/src/app/api/usage/route.ts
@@ -8,64 +8,109 @@ import { safeError } from "@/lib/errors";
 /**
 * GET /api/usage
 *
- * Customers: tenant resolved server-side from the user's orgId. The
+ * Per-tenant spend/token usage for a given month.
 *            response is filtered by the tenant's `litellmKeyAlias` so
 *            sibling tenants in the same org don't bleed into the total.
 * Platform admins: may pass ?teamId=... to inspect any team. They may
 *                  also pass ?keyAlias=... to scope to a single tenant.
 *
- * Slice 2 note
+ * Resolution rules (in priority order)
- * ------------
+ * ------------------------------------
- * LiteLLM teams are now shared across all tenants of an org. The team's
+ *  1. `?tenant=<name>` query param — the canonical path. The route
- * `/team/info` budget is the *company* budget; the per-tenant numbers
+ *     looks up the PiecedTenant CR by name, runs it through the
- * come from filtering spend logs by `key_alias`. If a tenant has no
+ *     viewer's visibility filter, and reads `status.litellmTeamId` +
- * `litellmKeyAlias` in status (transitional state right after upgrade,
+ *     `status.litellmKeyAlias`. This is what the tenant-detail page
- * before the operator has reconciled), we fall back to team-level
+ *     calls with for both customers and admins.
- * filtering — the numbers will be slightly inflated for that one
+ *  2. `?teamId=<id>` (+ optional `?keyAlias=<alias>`) — admin escape
- * reconcile cycle.
+ *     hatch for debugging across orgs (e.g. opening the platform
 *     panel without a specific tenant in mind). Platform-only;
 *     ignored for customer sessions.
 *  3. No params — 400. We deliberately do NOT fall back to "the
 *     first visible tenant". Bug 19: that fallback meant siblings
 *     in the same org showed identical numbers because the API
 *     always picked the same "first" tenant regardless of which
 *     detail page the customer was viewing. Forcing callers to be
 *     explicit makes the bug structurally impossible to reintroduce.
 *
 * Filtering
 * ---------
 * LiteLLM's `/spend/logs/v2` accepts a server-side `key_alias` filter.
 * We pass it through directly — no more "fetch all team pages and
 * post-filter in JS" (which was O(team_total) memory per request and
 * masked the routing bug above by being slow enough that nobody
 * noticed which alias was actually being used).
 *
 * The team-level budget is still surfaced as the *org* budget, since
 * teams are org-scoped post-Slice-2. That's intentional: the customer
 * sees "your company has X budget remaining" alongside "this tenant
 * cost Y this month".
 */
 export async function GET(req: NextRequest) {
  const user = await getSessionUser();
  if (!user)
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  const tenantName = req.nextUrl.searchParams.get("tenant");
  let teamId: string | null = null;
  let keyAlias: string | null = null;
-  if (user.isPlatform) {
+  if (tenantName) {
-    teamId = req.nextUrl.searchParams.get("teamId") ?? null;
+    // Path 1: resolve from tenant name with visibility check.
-    keyAlias = req.nextUrl.searchParams.get("keyAlias") ?? null;
+    //
-  }
+    // listVisibleTenants enforces the same visibility rules as every
-
+    // other read endpoint:
-  // For customers (or admins without explicit params): resolve from
+    //   - platform admins see everything
-  // the user's *visible* tenants. With Slice 6, a `user`-role member
+    //   - owners see all tenants in their org
-  // can only see usage for tenants they're assigned to — a non-assigned
+    //   - users see only the tenants they're assigned to (Slice 6)
-  // user defaults to "no active tenant" (404).
+    //
-  //
+    // Filtering through that list rather than reading the CR directly
-  // Owner and platform get the full org-scoped list and pick the first
+    // means a malicious caller can't probe arbitrary tenant names to
-  // tenant, matching the dashboard's "current instance" semantics.
+    // learn what exists in other orgs.
  if (!teamId) {
    const allTenants = await listTenants();
    const visible = await listVisibleTenants(user, allTenants);
-    const orgTenant = visible.find((t) => !!t.status?.litellmTeamId);
+    const tenant = visible.find((t) => t.metadata.name === tenantName);
-    if (!orgTenant?.status?.litellmTeamId) {
+    if (!tenant) {
      return NextResponse.json(
-        { error: "No active tenant found for your organization" },
+        { error: "Tenant not found or not accessible" },
        { status: 404 }
      );
    }
-    teamId = orgTenant.status.litellmTeamId;
+    if (!tenant.status?.litellmTeamId) {
-
+      // Tenant exists but the operator hasn't reconciled it yet.
-    // If the operator has populated the per-tenant key alias, filter by it.
+      // Common right after onboarding; the customer should see a
-    // Falling back to team-level (no alias) will return the org total, which
+      // friendly empty state, not a 500.
-    // is acceptable transitionally but means siblings' usage shows up here.
+      return NextResponse.json(
-    if (orgTenant.status.litellmKeyAlias) {
+        { error: "Tenant is still provisioning, no usage data yet" },
-      keyAlias = orgTenant.status.litellmKeyAlias;
+        { status: 409 }
      );
    }
    teamId = tenant.status.litellmTeamId;
    // litellmKeyAlias is set by the operator's LiteLLM reconcile step
    // alongside litellmTeamId, so if teamId is present this should be
    // too. Defensive fallback to team-level if missing — in that case
    // the customer briefly sees company totals until the next operator
    // reconcile, which is better than 500.
    keyAlias = tenant.status.litellmKeyAlias ?? null;
  } else if (user.isPlatform) {
    // Path 2: admin escape hatch.
    teamId = req.nextUrl.searchParams.get("teamId");
    keyAlias = req.nextUrl.searchParams.get("keyAlias");
    if (!teamId) {
      return NextResponse.json(
        {
          error:
            "Either ?tenant=<name> or ?teamId=<id> (admin) must be provided",
        },
        { status: 400 }
      );
    }
  } else {
    // Path 3: no resolution possible. See doc above for why we don't
    // pick a default.
    return NextResponse.json(
      { error: "Tenant must be specified via ?tenant=<name>" },
      { status: 400 }
    );
  }
-  // Month param: YYYY-MM, defaults to current month
+  // Month param: YYYY-MM, defaults to current month.
  const now = new Date();
  const monthParam =
    req.nextUrl.searchParams.get("month") ||
@@ -81,11 +126,11 @@ export async function GET(req: NextRequest) {
  try {
    const teamInfo = await getTeamInfo(teamId);
-    // Fetch all pages from the team. We always query at the team level —
+    // Page through results — server-side filtered by key_alias when
-    // LiteLLM's /spend/logs/v2 doesn't filter by key_alias reliably across
+    // provided. Pagination still needed because LiteLLM caps
-    // versions, so we paginate and post-filter in code. For pilot scale
+    // page_size at 100, and a busy tenant can easily exceed that in
-    // this is cheap; if a single team ever exceeds ~10k entries/month we
+    // a month. With server-side filtering this stays cheap regardless
-    // can revisit.
+    // of how busy sibling tenants in the same team are.
    const allRequests: any[] = [];
    let page = 1;
    while (true) {
@@ -94,33 +139,25 @@ export async function GET(req: NextRequest) {
        startStr,
        endStr,
        page,
-        100
+        100,
        keyAlias
      );
      allRequests.push(...(result.data || []));
      if (page >= (result.total_pages || 1)) break;
      page++;
      // Defensive cap. A pathological response with bogus total_pages
      // shouldn't be able to spin us forever. 50 pages × 100 = 5000
      // entries/month/tenant is well above any realistic usage at
      // pilot scale.
      if (page > 50) break;
    }
-    // Apply key_alias post-filter when scoping to a single tenant. Match
+    // Aggregate by day.
    // both `key_alias` (newer LiteLLM) and `metadata.user_api_key_alias`
    // (older builds nest it inside metadata).
    const scoped = keyAlias
      ? allRequests.filter((r) => {
          const alias =
            r.key_alias ??
            r.metadata?.user_api_key_alias ??
            r.api_key_alias ??
            null;
          return alias === keyAlias;
        })
      : allRequests;
    // Aggregate by day
    const byDay: Record<
      string,
      { inputTokens: number; outputTokens: number; spend: number }
    > = {};
-    for (const r of scoped) {
+    for (const r of allRequests) {
      const day = (r.startTime || r.endTime || "").slice(0, 10);
      if (!day) continue;
      if (!byDay[day])
@@ -134,30 +171,30 @@ export async function GET(req: NextRequest) {
      .sort(([a], [b]) => a.localeCompare(b))
      .map(([date, d]) => ({ date, ...d }));
-    const totalInput = scoped.reduce(
+    const totalInput = allRequests.reduce(
      (s, r) => s + (r.prompt_tokens || 0),
      0
    );
-    const totalOutput = scoped.reduce(
+    const totalOutput = allRequests.reduce(
      (s, r) => s + (r.completion_tokens || 0),
      0
    );
-    const totalSpend = scoped.reduce((s, r) => s + (r.spend || 0), 0);
+    const totalSpend = allRequests.reduce((s, r) => s + (r.spend || 0), 0);
    return NextResponse.json({
      teamId,
-      keyAlias, // null when not filtering — useful for the client to know it sees company-wide data
+      keyAlias, // null when admin queries team-wide (no specific tenant)
      month: monthParam,
      currentPeriod: {
        inputTokens: totalInput,
        outputTokens: totalOutput,
        totalSpend,
-        requestCount: scoped.length,
+        requestCount: allRequests.length,
      },
      // Budget is always team-level (= company budget). Spend reported
      // here is the team total, not the per-key total — the customer
-      // wants to see "how much of our company budget is left", not just
+      // wants to see "how much of our company budget is left", not
-      // "how much has this one tenant cost".
+      // just "how much has this one tenant cost".
      budget: {
        maxBudget: teamInfo?.team_info?.max_budget ?? null,
        spend: teamInfo?.team_info?.spend ?? 0,
--- a/src/components/admin/admin-panel.tsx
+++ b/src/components/admin/admin-panel.tsx
@@ -362,9 +362,28 @@ export function AdminPanel({ initialTenants }: AdminPanelProps) {
                        className="border-b border-border last:border-0 hover:bg-surface-2/50 transition-colors"
                      >
                        <td className="px-4 py-3">
-                          <div className="font-medium text-text-primary text-sm">
+                          <div className="font-medium text-text-primary text-sm flex items-center gap-2">
                            {req.companyName}
                            {/* Bug 37a: distinguish resume requests in the
                                queue. Provision and resume share status
                                semantics but very different action
                                consequences — a resume approval just
                                un-suspends an existing tenant, no
                                provisioning workflow runs. */}
                            {req.requestType === "resume" && (
                              <span
                                className="px-1.5 py-0.5 text-[10px] font-semibold rounded uppercase tracking-wider bg-success/15 text-success"
                                title={t("resumeRequestTooltip")}
                              >
                                {t("resumeRequestBadge")}
                              </span>
                            )}
                          </div>
                          {req.requestType === "resume" && req.tenantName && (
                            <div className="text-text-muted text-xs font-mono mt-0.5">
                              {req.tenantName}
                            </div>
                          )}
                        </td>
                        <td className="px-4 py-3">
                          <div className="text-text-primary text-sm">
--- a/src/components/dashboard/usage-display.tsx
+++ b/src/components/dashboard/usage-display.tsx
@@ -94,17 +94,27 @@ function UsageChart({ data }: { data: DailyUsage[] }) {
 /**
 * Usage display widget.
 *
- * - Customers: don't pass teamId or keyAlias — the backend resolves both
+ * Pass `tenant=<name>` for the canonical path — works for both
- *   from the session-bound tenant.
+ * customers and admins, the API resolves team+alias from the tenant
- * - Admins inspecting a specific tenant: pass `teamId` (the org-level
+ * CR's status. The visibility check on the API ensures users can't
- *   LiteLLM team id) AND `keyAlias` (the tenant's virtual-key alias).
+ * query tenants they shouldn't see.
- *   Without `keyAlias`, the response includes spend from sibling tenants
+ *
- *   in the same org, since teams are shared since Slice 2.
+ * `teamId`/`keyAlias` remain available as a platform-admin escape
 * hatch for cross-org debugging, but the tenant-detail and dashboard
 * paths should always use `tenant`.
 *
 * Bug 19 fix: previous version omitted both props for customer
 * sessions, expecting the API to "figure it out". The API's fallback
 * was "first visible tenant", which meant siblings in the same org
 * showed identical numbers regardless of which detail page was open.
 * Now the page passes the tenant name explicitly; no fallback exists.
 */
 export function UsageDisplay({
  tenant,
  teamId,
  keyAlias,
 }: {
  tenant?: string | null;
  teamId?: string | null;
  keyAlias?: string | null;
 }) {
@@ -121,11 +131,13 @@ export function UsageDisplay({
    setError(null);
    const params = new URLSearchParams({ month });
-    if (teamId) {
+    if (tenant) {
      params.set("tenant", tenant);
    } else if (teamId) {
      // Admin escape hatch — only honoured by the API when the
      // viewer is platform-role.
      params.set("teamId", teamId);
-    }
+      if (keyAlias) params.set("keyAlias", keyAlias);
    if (keyAlias) {
      params.set("keyAlias", keyAlias);
    }
    fetch(`/api/usage?${params}`)
@@ -133,7 +145,7 @@ export function UsageDisplay({
      .then(setData)
      .catch((e) => setError(e.message))
      .finally(() => setLoading(false));
-  }, [teamId, keyAlias, month]);
+  }, [tenant, teamId, keyAlias, month]);
  useEffect(() => { fetchUsage(); }, [fetchUsage]);
--- a/src/components/onboarding/provisioning-status.tsx
+++ b/src/components/onboarding/provisioning-status.tsx
@@ -5,6 +5,7 @@ import Link from "next/link";
 import { useRouter } from "next/navigation";
 import { useTranslations, useFormatter } from "next-intl";
 import { Card } from "@/components/ui/card";
 import { Modal } from "@/components/ui/modal";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { formatDateTime, formatRelative } from "@/lib/format";
@@ -250,43 +251,38 @@ export function ProvisioningStatus({ requestId, canAct }: Props) {
        </div>
        {confirmCancel && (
-          <div
+          <Modal
-            role="dialog"
+            open={confirmCancel}
-            aria-modal="true"
+            onClose={() => setConfirmCancel(false)}
-            className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
+            ariaLabel={t("cancelConfirmRequestTitle")}
            onClick={(e) => {
              if (e.target === e.currentTarget) setConfirmCancel(false);
            }}
          >
-            <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full">
+            <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
-              <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+              {t("cancelConfirmRequestTitle")}
-                {t("cancelConfirmRequestTitle")}
+            </h3>
-              </h3>
+            <p className="text-sm text-text-secondary mb-5">
-              <p className="text-sm text-text-secondary mb-5">
+              {t("cancelConfirmRequestDescription")}
-                {t("cancelConfirmRequestDescription")}
+            </p>
-              </p>
+            <div className="flex justify-end gap-2">
-              <div className="flex justify-end gap-2">
+              <button
-                <button
+                type="button"
-                  type="button"
+                onClick={() => setConfirmCancel(false)}
-                  onClick={() => setConfirmCancel(false)}
+                disabled={actionPending}
-                  disabled={actionPending}
+                className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
-                  className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+              >
-                >
+                {tCommon("cancel")}
-                  {tCommon("cancel")}
+              </button>
-                </button>
+              <button
-                <button
+                type="button"
-                  type="button"
+                onClick={handleCancel}
-                  onClick={handleCancel}
+                disabled={actionPending}
-                  disabled={actionPending}
+                className="text-sm px-4 py-2 rounded-lg bg-red-500 text-white hover:bg-red-600 transition-colors disabled:opacity-50"
-                  className="text-sm px-4 py-2 rounded-lg bg-red-500 text-white hover:bg-red-600 transition-colors disabled:opacity-50"
+              >
-                >
+                {actionPending
-                  {actionPending
+                  ? tCommon("loading")
-                    ? tCommon("loading")
+                  : t("cancelRequestConfirm")}
-                    : t("cancelRequestConfirm")}
+              </button>
                </button>
              </div>
            </div>
-          </div>
+          </Modal>
        )}
      </Card>
    );
--- a/src/components/tenants/subscription-toggle.tsx
+++ b/src/components/tenants/subscription-toggle.tsx
@@ -2,48 +2,74 @@
 import { useState } from "react";
 import { useRouter } from "next/navigation";
-import { useTranslations } from "next-intl";
+import { useTranslations, useFormatter } from "next-intl";
 import { Modal } from "@/components/ui/modal";
 import { formatRelative } from "@/lib/format";
 interface Props {
  tenantName: string;
  /**
-   * Current suspend state — server-derived. The control toggles this
+   * Current suspend state — server-derived. Drives which control the
-   * via PATCH /api/tenants/[name]/suspend, then refreshes the route
+   * customer sees: "Cancel subscription" while active, the
-   * so server-component-side data (status badge, suspended notice)
+   * resume-request flow while suspended.
   * re-renders.
   */
  suspended: boolean;
  /**
   * True when the viewer has platform admin role. Platform users are
   * the only ones who can directly resume a tenant via PATCH; owners
   * must go through the resume-request flow. We use this in the
   * suspended branch to decide whether to render a direct "Resume"
   * button or the "Request reactivation" workflow.
   */
  isPlatform: boolean;
  /**
   * If a resume request is currently pending for this tenant, its
   * id and submitted-at. The component renders an info card with
   * a cancel-request button instead of the request-reactivation
   * button. Only meaningful when `suspended === true`.
   */
  pendingResumeRequest: { id: string; createdAt: string } | null;
 }
 /**
- * SubscriptionToggle — owner-side cancel/resume control (Bug 31).
+ * SubscriptionToggle — owner-side cancel/resume control.
 *
- * Renders a single button that toggles between "Cancel subscription"
+ * Three render states:
- * (when active) and "Resume subscription" (when suspended). Cancellation
+ *   1. Active: "Cancel subscription" button + confirmation modal
- * is gated behind a confirmation modal because it's destructive
+ *      (mentions 60-day retention before permanent deletion).
- * looking from the user's POV — even though no data is lost, the
+ *   2. Suspended, no pending resume request: "Request reactivation"
- * AI assistant becomes unavailable until they resume. Resume has no
+ *      button + simple confirmation modal explaining admin review.
- * modal; it's a strict subset of cancellation in terms of risk.
+ *   3. Suspended, pending resume request: status card "Reactivation
 *      requested X days ago" + "Cancel request" button.
 *
- * The control intentionally lives at the bottom of the tenant detail
+ * Platform admins viewing a suspended tenant get a fourth state in
- * page rather than next to the status badge — putting it near the
+ * place of #2/#3: a direct "Resume now" button (no admin queue, no
- * top would invite mis-clicks. Customers who want to cancel scroll
+ * request flow). This is the admin escape hatch.
 * past the running configuration, billing-relevant info, and assigned
 * users first; that's the right friction level.
 *
- * Suspended tenants render a top-of-page banner separately (see the
+ * The control intentionally lives at the bottom of the tenant
- * detail page); this component focuses on the action itself.
+ * detail page rather than near the top — putting it next to the
 * status badge would invite mis-clicks.
 */
-export function SubscriptionToggle({ tenantName, suspended }: Props) {
+export function SubscriptionToggle({
  tenantName,
  suspended,
  isPlatform,
  pendingResumeRequest,
 }: Props) {
  const t = useTranslations("tenantDetail");
  const tCommon = useTranslations("common");
  const f = useFormatter();
  const router = useRouter();
-  const [confirmOpen, setConfirmOpen] = useState(false);
+  const [confirmCancelOpen, setConfirmCancelOpen] = useState(false);
  const [confirmResumeOpen, setConfirmResumeOpen] = useState(false);
  const [submitting, setSubmitting] = useState(false);
  const [error, setError] = useState("");
-  const toggleSuspend = async (next: boolean) => {
+  // Customer-side cancel: PATCH suspend=true. Same path as before.
  // The 60-day retention copy in the modal is the new bit (Bug 37b);
  // mechanics are unchanged.
  const cancel = async () => {
    setSubmitting(true);
    setError("");
    try {
@@ -52,18 +78,14 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
        {
          method: "PATCH",
          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ suspend: next }),
+          body: JSON.stringify({ suspend: true }),
        }
      );
      if (!res.ok) {
        const data = await res.json().catch(() => ({}));
        throw new Error(data.error || t("subscriptionUpdateFailed"));
      }
-      setConfirmOpen(false);
+      setConfirmCancelOpen(false);
      // The status badge + suspended banner are server-rendered, so
      // a route refresh is the simplest way to reflect the new state.
      // Optimistic local toggle would diverge from the actual CR if
      // the operator hasn't observed the patch yet.
      router.refresh();
    } catch (e: any) {
      setError(e.message);
@@ -72,56 +94,164 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
    }
  };
  // Owner-side resume request: POST a 'resume' tenant_request that
  // sits pending until admin acts. Different from cancel: no PATCH
  // on the CR — that happens only when admin approves.
  const requestResume = async () => {
    setSubmitting(true);
    setError("");
    try {
      const res = await fetch(
        `/api/tenants/${encodeURIComponent(tenantName)}/resume-request`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
        }
      );
      if (!res.ok) {
        const data = await res.json().catch(() => ({}));
        throw new Error(data.error || t("subscriptionUpdateFailed"));
      }
      setConfirmResumeOpen(false);
      router.refresh();
    } catch (e: any) {
      setError(e.message);
    } finally {
      setSubmitting(false);
    }
  };
  // Customer cancels their own pending resume request.
  const cancelResumeRequest = async () => {
    if (!pendingResumeRequest) return;
    setSubmitting(true);
    setError("");
    try {
      const res = await fetch(
        `/api/onboarding/${pendingResumeRequest.id}`,
        { method: "DELETE" }
      );
      if (!res.ok) {
        const data = await res.json().catch(() => ({}));
        throw new Error(data.error || t("subscriptionUpdateFailed"));
      }
      router.refresh();
    } catch (e: any) {
      setError(e.message);
    } finally {
      setSubmitting(false);
    }
  };
  // Platform admin: direct resume, bypassing the request flow.
  const adminResume = async () => {
    setSubmitting(true);
    setError("");
    try {
      const res = await fetch(
        `/api/tenants/${encodeURIComponent(tenantName)}/suspend`,
        {
          method: "PATCH",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ suspend: false }),
        }
      );
      if (!res.ok) {
        const data = await res.json().catch(() => ({}));
        throw new Error(data.error || t("subscriptionUpdateFailed"));
      }
      router.refresh();
    } catch (e: any) {
      setError(e.message);
    } finally {
      setSubmitting(false);
    }
  };
  // ─── Suspended branch ───────────────────────────────────────────────
  if (suspended) {
    // Platform admin sees direct resume. Independent of pending
    // resume — admin can always resume immediately.
    if (isPlatform) {
      return (
        <div>
          <button
            type="button"
            onClick={adminResume}
            disabled={submitting}
            className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
          >
            {submitting
              ? tCommon("loading")
              : t("resumeSubscription")}
          </button>
          {pendingResumeRequest && (
            <p className="text-xs text-text-muted mt-2">
              {t("resumeRequestPendingNoteAdmin")}
            </p>
          )}
          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
        </div>
      );
    }
    // Owner with pending resume request: render the request status
    // card with cancel.
    if (pendingResumeRequest) {
      return (
        <div>
          <div className="rounded-xl border border-amber-500/30 bg-amber-500/5 px-4 py-3">
            <div className="text-sm font-medium text-amber-400 mb-1">
              {t("resumeRequestPendingTitle")}
            </div>
            <div className="text-xs text-text-secondary">
              {t("resumeRequestPendingDescription", {
                when: formatRelative(pendingResumeRequest.createdAt, f),
              })}
            </div>
            <button
              type="button"
              onClick={cancelResumeRequest}
              disabled={submitting}
              className="mt-3 text-xs px-3 py-1.5 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors disabled:opacity-50"
            >
              {submitting
                ? tCommon("loading")
                : t("cancelResumeRequest")}
            </button>
          </div>
          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
        </div>
      );
    }
    // Owner with no pending request: offer to create one.
    return (
      <div>
        <button
          type="button"
-          onClick={() => toggleSuspend(false)}
+          onClick={() => setConfirmResumeOpen(true)}
-          disabled={submitting}
+          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors"
          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
        >
-          {submitting ? tCommon("loading") : t("resumeSubscription")}
+          {t("requestReactivation")}
        </button>
-        {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        {error && !confirmResumeOpen && (
-      </div>
+          <p className="text-xs text-red-400 mt-2">{error}</p>
-    );
+        )}
  }
-  return (
+        {confirmResumeOpen && (
-    <div>
+          <Modal
-      <button
+            open={confirmResumeOpen}
-        type="button"
+            onClose={() => setConfirmResumeOpen(false)}
-        onClick={() => setConfirmOpen(true)}
+            ariaLabel={t("requestReactivationConfirmTitle")}
-        className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
+          >
      >
        {t("cancelSubscription")}
      </button>
      {error && !confirmOpen && (
        <p className="text-xs text-red-400 mt-2">{error}</p>
      )}
      {confirmOpen && (
        <div
          role="dialog"
          aria-modal="true"
          className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
          onClick={(e) => {
            if (e.target === e.currentTarget) setConfirmOpen(false);
          }}
        >
          <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full">
            <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
-              {t("cancelConfirmTitle")}
+              {t("requestReactivationConfirmTitle")}
            </h3>
-            <p className="text-sm text-text-secondary mb-3">
+            <p className="text-sm text-text-secondary mb-5">
-              {t("cancelConfirmDescription")}
+              {t("requestReactivationConfirmDescription")}
            </p>
            <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-5">
              <li>{t("cancelConfirmBullet1")}</li>
              <li>{t("cancelConfirmBullet2")}</li>
              <li>{t("cancelConfirmBullet3")}</li>
            </ul>
            {error && (
              <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
@@ -132,7 +262,7 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
            <div className="flex justify-end gap-2">
              <button
                type="button"
-                onClick={() => setConfirmOpen(false)}
+                onClick={() => setConfirmResumeOpen(false)}
                disabled={submitting}
                className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
              >
@@ -140,17 +270,87 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
              </button>
              <button
                type="button"
-                onClick={() => toggleSuspend(true)}
+                onClick={requestResume}
                disabled={submitting}
-                className="text-sm px-4 py-2 rounded-lg bg-amber-500 text-white hover:bg-amber-600 transition-colors disabled:opacity-50"
+                className="text-sm px-4 py-2 rounded-lg bg-success text-white hover:bg-success/90 transition-colors disabled:opacity-50"
              >
                {submitting
                  ? tCommon("loading")
-                  : t("cancelSubscriptionConfirm")}
+                  : t("requestReactivationConfirm")}
              </button>
            </div>
          </Modal>
        )}
      </div>
    );
  }
  // ─── Active branch ──────────────────────────────────────────────────
  return (
    <div>
      <button
        type="button"
        onClick={() => setConfirmCancelOpen(true)}
        className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
      >
        {t("cancelSubscription")}
      </button>
      {error && !confirmCancelOpen && (
        <p className="text-xs text-red-400 mt-2">{error}</p>
      )}
      {confirmCancelOpen && (
        <Modal
          open={confirmCancelOpen}
          onClose={() => setConfirmCancelOpen(false)}
          ariaLabel={t("cancelConfirmTitle")}
        >
          <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
            {t("cancelConfirmTitle")}
          </h3>
          <p className="text-sm text-text-secondary mb-3">
            {t("cancelConfirmDescription")}
          </p>
          <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-3">
            <li>{t("cancelConfirmBullet1")}</li>
            <li>{t("cancelConfirmBullet2")}</li>
            <li>{t("cancelConfirmBullet3")}</li>
          </ul>
          {/* Bug 37b: 60-day retention warning. Distinct paragraph so it
              reads as a separate, more serious commitment than the
              regular bullets above. */}
          <div className="text-xs text-amber-400 bg-amber-400/10 border border-amber-400/20 rounded-lg px-3 py-2 mb-5">
            {t("cancelConfirmRetentionWarning")}
          </div>
-        </div>
+
          {error && (
            <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
              {error}
            </div>
          )}
          <div className="flex justify-end gap-2">
            <button
              type="button"
              onClick={() => setConfirmCancelOpen(false)}
              disabled={submitting}
              className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
            >
              {tCommon("cancel")}
            </button>
            <button
              type="button"
              onClick={cancel}
              disabled={submitting}
              className="text-sm px-4 py-2 rounded-lg bg-amber-500 text-white hover:bg-amber-600 transition-colors disabled:opacity-50"
            >
              {submitting
                ? tCommon("loading")
                : t("cancelSubscriptionConfirm")}
            </button>
          </div>
        </Modal>
      )}
    </div>
  );
--- a/src/components/ui/modal.tsx
+++ b/src/components/ui/modal.tsx
@@ -0,0 +1,89 @@
 "use client";
 import { useEffect, useRef } from "react";
 import { createPortal } from "react-dom";
 interface Props {
  open: boolean;
  /** Called when user clicks the backdrop or presses Escape. */
  onClose: () => void;
  children: React.ReactNode;
  /**
   * ARIA label fallback when no labelled element exists inside.
   * Optional; if you have a heading inside the modal with id, set
   * `aria-labelledby` on a wrapper instead.
   */
  ariaLabel?: string;
 }
 /**
 * Portal-based modal.
 *
 * Why a portal
 * ------------
 * `position: fixed` becomes positioned relative to a transformed
 * ancestor's containing block, not the viewport, when ANY ancestor
 * has a `transform`, `perspective`, or `filter` applied. Our
 * `animate-in` utility sets `transform: translateY(0)` on a lot of
 * dashboard/tenant-detail containers (because of the fade-up
 * animation, which uses `animation-fill-mode: both` to keep the
 * transform on after the animation finishes). That broke modals
 * rendered as in-place children — they centred to the panel they
 * lived in, not to the page.
 *
 * Rendering at `document.body` via `createPortal` escapes every
 * containing-block ancestor and gives us true viewport coordinates.
 *
 * UX details
 * ----------
 * - Backdrop click triggers `onClose`. (Bubbling check: only fires
 *   when the click target IS the backdrop, not the panel inside.)
 * - Escape key triggers `onClose`. Standard modal expectation.
 * - `body` overflow is locked while open so background content
 *   doesn't scroll behind the modal.
 * - Renders nothing on first paint server-side, then mounts on
 *   client. `useEffect` gating ensures `document.body` is available;
 *   without it Next.js SSR would throw on `document` reference.
 */
 export function Modal({ open, onClose, children, ariaLabel }: Props) {
  const closeRef = useRef(onClose);
  closeRef.current = onClose;
  useEffect(() => {
    if (!open) return;
    // Lock background scroll. Restore on unmount/close.
    const previousOverflow = document.body.style.overflow;
    document.body.style.overflow = "hidden";
    const onKey = (e: KeyboardEvent) => {
      if (e.key === "Escape") closeRef.current();
    };
    window.addEventListener("keydown", onKey);
    return () => {
      document.body.style.overflow = previousOverflow;
      window.removeEventListener("keydown", onKey);
    };
  }, [open]);
  if (!open) return null;
  if (typeof document === "undefined") return null;
  return createPortal(
    <div
      role="dialog"
      aria-modal="true"
      aria-label={ariaLabel}
      className="fixed inset-0 z-50 flex items-center justify-center p-4 bg-black/60 backdrop-blur-sm"
      onClick={(e) => {
        if (e.target === e.currentTarget) onClose();
      }}
    >
      <div className="bg-surface-1 border border-border rounded-xl p-6 max-w-md w-full max-h-[90vh] overflow-y-auto">
        {children}
      </div>
    </div>,
    document.body
  );
 }
--- a/src/components/ui/warning-badge.tsx
+++ b/src/components/ui/warning-badge.tsx
@@ -0,0 +1,118 @@
 "use client";
 import { useTranslations } from "next-intl";
 /**
 * Tenant warning shape received from the operator's status.warnings.
 * Mirror of the operator's `TenantWarning` type. See
 * pieced-operator/api/v1alpha1/piecedtenant_types.go.
 */
 export interface TenantWarning {
  source: string;
  reason?: string;
  message?: string;
  since?: string;
 }
 interface Props {
  warnings: TenantWarning[];
 }
 /**
 * Renders a small amber warning badge if there are any non-fatal
 * warnings on the tenant. The badge sits visually next to the phase
 * StatusBadge — they're separate concepts (phase = lifecycle, warnings
 * = observed sub-issues) and may both be present at once (e.g. tenant
 * is `Ready` but has a SkillPacksReady=False warning).
 *
 * Hover/focus reveals the warning detail. We don't truncate the message
 * inside the tooltip; OCI/CRD condition messages tend to be short and
 * include the actionable detail (which skill, which secret, which
 * resolver). If a future warning source has a 5-line stacktrace as a
 * message we'll need a different treatment; cross that bridge then.
 *
 * Returns null when there are no warnings — keep render-call sites
 * simple, they don't have to gate on length themselves.
 */
 export function WarningBadge({ warnings }: Props) {
  const t = useTranslations("warnings");
  if (!warnings || warnings.length === 0) return null;
  const tooltipLabel = (() => {
    try {
      return warnings.length === 1
        ? t("oneTooltip")
        : t("manyTooltip", { count: warnings.length });
    } catch {
      return warnings.length === 1
        ? "1 warning"
        : `${warnings.length} warnings`;
    }
  })();
  return (
    <span className="relative group inline-flex">
      <button
        type="button"
        // Button is non-actionable in itself — it exists purely to get
        // keyboard focus for screen readers and keyboard users, so the
        // tooltip isn't pointer-only. `aria-label` carries the summary;
        // the full content is in the tooltip below for sighted users.
        aria-label={tooltipLabel}
        className="inline-flex items-center gap-1 rounded-full border border-amber-500/30 bg-amber-500/10 px-2 py-0.5 text-xs font-medium text-amber-400 hover:bg-amber-500/20 focus:outline-none focus:ring-1 focus:ring-amber-400 cursor-help"
        // No onClick — this is informational, not actionable. Pure
        // hover/focus widget. tabIndex defaults to 0 for buttons.
      >
        <svg
          viewBox="0 0 24 24"
          width={12}
          height={12}
          fill="none"
          stroke="currentColor"
          strokeWidth={2}
          strokeLinecap="round"
          strokeLinejoin="round"
          aria-hidden="true"
        >
          <path d="M12 9v4" />
          <path d="M12 17h.01" />
          <path d="M10.29 3.86 1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0Z" />
        </svg>
        <span>{warnings.length}</span>
      </button>
      {/*
        Tooltip. Hidden by default; shown on hover OR focus of the
        sibling button. Positioned below-right so it doesn't collide with
        the StatusBadge that typically sits left of this. Constrained
        width so long messages wrap.
        z-50 keeps it above table rows / cards.
      */}
      <div
        role="tooltip"
        className="invisible group-hover:visible group-focus-within:visible absolute left-0 top-full mt-1 z-50 w-72 rounded-lg border border-border bg-surface-1 p-3 shadow-lg text-left"
      >
        <div className="text-[10px] uppercase tracking-wider text-text-muted mb-2">
          {tooltipLabel}
        </div>
        <ul className="space-y-2">
          {warnings.map((w, i) => (
            <li key={i} className="text-xs">
              <div className="font-mono text-amber-400 break-all">
                {w.source}
              </div>
              {w.reason && (
                <div className="text-text-secondary">{w.reason}</div>
              )}
              {w.message && (
                <div className="text-text-secondary mt-0.5 break-words">
                  {w.message}
                </div>
              )}
            </li>
          ))}
        </ul>
      </div>
    </span>
  );
 }
--- a/src/lib/db.ts
+++ b/src/lib/db.ts
@@ -78,6 +78,42 @@ const MIGRATION_SQL = `
  -- is only meaningful for rejected and cancelled rows.
  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ;
  -- Bug 37a: resume requests use the same table as provision requests so
  -- the customer dashboard and admin queue share rendering. Discriminator
  -- is request_type. Default 'provision' on backfill keeps existing rows
  -- working without explicit migration.
  --
  -- Resume rows have:
  --   request_type     = 'resume'
  --   tenant_name      = the existing tenant being requested for reactivation
  --   zitadel_org_id   = the org owning that tenant
  --   zitadel_user_id  = the requesting customer
  --   status           = pending → approved/rejected (or cancelled by customer)
  --   most provision-only fields (packages, billing_address, etc.) are NULL
  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS request_type TEXT NOT NULL DEFAULT 'provision';
  -- Constrain to the known set so a future code change can't accidentally
  -- write a third type without first widening this constraint.
  DO $$ BEGIN
    ALTER TABLE tenant_requests ADD CONSTRAINT tenant_requests_request_type_check
      CHECK (request_type IN ('provision', 'resume'));
  EXCEPTION WHEN duplicate_object THEN NULL;
  END $$;
  -- Tenant_name uniqueness was originally meant for "one tenant CR per
  -- approved provision request". Resume requests reuse a tenant_name,
  -- so the uniqueness must now be scoped to provision rows only.
  DROP INDEX IF EXISTS uniq_tenant_requests_tenant_name;
  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_tenant_name_provision
    ON tenant_requests(tenant_name)
    WHERE tenant_name IS NOT NULL AND request_type = 'provision';
  -- Only one pending resume request per tenant at a time. Otherwise a
  -- customer could spam-create resume requests (the admin queue would
  -- bloat) or two admins might race on approving duplicates.
  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_pending_resume
    ON tenant_requests(tenant_name)
    WHERE tenant_name IS NOT NULL AND request_type = 'resume' AND status = 'pending';
  -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
  ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
@@ -381,6 +417,111 @@ export async function clearEncryptedSecrets(requestId: string): Promise<void> {
 * Caller is responsible for verifying the row belongs to the user's
 * org before calling.
 */
 /**
 * Create a resume request (Bug 37a). Used when an owner of a suspended
 * tenant wants to reactivate it. Resume is admin-gated — the request
 * sits as `pending` until a platform admin approves or rejects it.
 *
 * Tenant-name uniqueness is enforced for `pending` resume rows by a
 * partial unique index, so a customer can't spam the queue with
 * duplicate resume requests for the same tenant. The DB throws a
 * unique-violation if they try; callers should catch that and translate
 * to a 409.
 *
 * Why this lives in tenant_requests instead of a separate table:
 *   - the lifecycle is identical (pending → approved/rejected, plus
 *     customer-side cancel and dismiss-after-terminal)
 *   - the customer dashboard renders pending+resume cards from the
 *     same `listActiveTenantRequestsByOrgId` query — adding a separate
 *     table would mean two queries and union-merging in the UI
 *   - the admin queue likewise treats them uniformly
 * The cost is a discriminator column (`request_type`) and most
 * provision-only fields being null on resume rows. That's a tradeoff
 * I think is worth it.
 */
 export async function createResumeRequest(params: {
  tenantName: string;
  zitadelOrgId: string;
  zitadelUserId: string;
  contactName: string;
  contactEmail: string;
  // Provision-only fields default sensibly. company_name + agent_name
  // are NOT NULL in the original schema; we copy them from the existing
  // tenant request for traceability rather than storing dummy values.
  companyName: string;
  agentName: string;
 }): Promise<TenantRequest> {
  await ensureSchema();
  const result = await getPool().query(
    `INSERT INTO tenant_requests (
        zitadel_org_id, zitadel_user_id, company_name,
        contact_name, contact_email, agent_name,
        tenant_name, request_type, status
     ) VALUES ($1, $2, $3, $4, $5, $6, $7, 'resume', 'pending')
     RETURNING *`,
    [
      params.zitadelOrgId,
      params.zitadelUserId,
      params.companyName,
      params.contactName,
      params.contactEmail,
      params.agentName,
      params.tenantName,
    ]
  );
  return mapRow(result.rows[0]);
 }
 /**
 * Get the most recent provision request for a tenant_name. Used by
 * Bug 37a's resume-request creation to populate company_name and
 * agent_name (NOT NULL columns) from the original provision row
 * rather than make up values.
 *
 * Returns null when no such row exists — should be impossible in
 * normal flow (resume requests are only created for already-existing
 * tenants whose CR was created via approving a provision request),
 * but the caller should guard against it for safety.
 */
 export async function getTenantRequestByTenantName(
  tenantName: string
 ): Promise<TenantRequest | null> {
  await ensureSchema();
  const result = await getPool().query(
    `SELECT * FROM tenant_requests
      WHERE tenant_name = $1
        AND request_type = 'provision'
      ORDER BY created_at DESC
      LIMIT 1`,
    [tenantName]
  );
  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
 }
 /**
 * Return the in-flight (pending) resume request for a given tenant, if
 * any. Used both to gate the customer's "Request reactivation" button
 * (don't allow a second when one's already pending) and by the admin
 * UI to navigate from the tenant detail page to the awaiting request.
 *
 * Returns null when no pending resume exists. Approved/rejected rows
 * are never returned — they're terminal.
 */
 export async function getPendingResumeRequestForTenant(
  tenantName: string
 ): Promise<TenantRequest | null> {
  await ensureSchema();
  const result = await getPool().query(
    `SELECT * FROM tenant_requests
      WHERE tenant_name = $1
        AND request_type = 'resume'
        AND status = 'pending'
      LIMIT 1`,
    [tenantName]
  );
  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
 }
 export async function dismissTenantRequest(id: string): Promise<void> {
  await ensureSchema();
  await getPool().query(
@@ -498,8 +639,26 @@ export async function deleteTenantRequest(id: string): Promise<void> {
 }
 /**
- * Sync provisioning statuses: for all requests with status "provisioning",
+ * Reconcile the portal's tenant_requests table against actual cluster
- * check if the PiecedTenant CR has reached "Ready" and update to "active".
+ * state. Two passes, both walking only rows with `tenant_name` set
 * (rows in pending/rejected/cancelled state don't have one and are
 * irrelevant to this reconciliation):
 *
 *   1. provisioning → active: when a tenant CR's phase reaches Ready
 *      or Running, the portal flips the row to active so the
 *      "provisioning…" card transitions into the running tenant view.
 *
 *   2. active/provisioning → deleted: when the corresponding CR no
 *      longer exists in the cluster (404), or is mid-deletion (has
 *      metadata.deletionTimestamp set), the row gets flipped to
 *      `deleted`. The DB is otherwise blind to operator-initiated
 *      deletions — when the 60-day TTL fires (Bug 37b) and the
 *      operator deletes a suspended tenant, the portal would happily
 *      keep showing the "Your assistant is ready!" card forever.
 *      Without this reconciliation the dashboard drifts from reality.
 *
 * Errors are tolerated per-row: a transient API hiccup on one tenant
 * shouldn't fail the whole sweep. Skipped rows get retried next call.
 *
 * Slice 3 note: with multi-tenant per org, this iterates each row
 * individually (keyed by its own tenant_name), so multiple in-flight
@@ -507,24 +666,47 @@ export async function deleteTenantRequest(id: string): Promise<void> {
 */
 export async function syncProvisioningStatuses(): Promise<void> {
  await ensureSchema();
  // Pull every row that *might* be reconcilable in one query — the
  // status filter narrows to ones whose CR-vs-DB consistency is
  // worth checking. Pending/rejected/cancelled rows have no
  // tenant_name to compare against; deleted rows are terminal.
  const result = await getPool().query<TenantRequest>(
-    "SELECT * FROM tenant_requests WHERE status = 'provisioning'"
+    "SELECT * FROM tenant_requests WHERE status IN ('provisioning', 'active') AND tenant_name IS NOT NULL"
  );
  for (const row of result.rows) {
    const mapped = mapRow(row);
    if (!mapped.tenantName) continue;
    let tenant: Awaited<ReturnType<typeof getTenant>> = null;
    try {
-      const tenant = await getTenant(mapped.tenantName);
+      tenant = await getTenant(mapped.tenantName);
      if (
        tenant?.status?.phase === "Ready" ||
        tenant?.status?.phase === "Running"
      ) {
        await updateTenantRequestStatus(mapped.id, "active");
      }
    } catch {
-      // Tenant might not exist yet — skip
+      // Transient API error — skip this row, retry on next sweep.
      continue;
    }
    // CR gone, or mid-deletion. Flip the row to 'deleted'. The
    // `markTenantRequestDeletedByTenantName` helper also nulls the
    // tenant_name column so any future tenant created with the same
    // name (unlikely given UUID-suffixed naming, but possible) won't
    // collide with the unique index on (tenant_name) WHERE
    // request_type = 'provision'.
    if (!tenant || tenant.metadata.deletionTimestamp) {
      await markTenantRequestDeletedByTenantName(mapped.tenantName);
      continue;
    }
    // CR exists and is healthy. Promote provisioning → active when
    // the operator reports the tenant has reached steady state.
    // Keep `active` rows on `active` regardless of phase — a
    // temporarily-Reconfiguring tenant is still active from the
    // portal's billing/visibility perspective.
    if (
      mapped.status === "provisioning" &&
      (tenant.status?.phase === "Ready" || tenant.status?.phase === "Running")
    ) {
      await updateTenantRequestStatus(mapped.id, "active");
    }
  }
 }
@@ -555,6 +737,9 @@ function mapRow(row: any): TenantRequest {
    isPersonal: row.is_personal ?? false,
    dismissedAt:
      row.dismissed_at?.toISOString?.() ?? row.dismissed_at ?? null,
    requestType: (row.request_type ?? "provision") as
      | "provision"
      | "resume",
    createdAt: row.created_at?.toISOString?.() ?? row.created_at,
    updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
  };
--- a/src/lib/k8s.ts
+++ b/src/lib/k8s.ts
@@ -130,3 +130,46 @@ export async function patchTenantSpec(
  }
  return res.json() as Promise<PiecedTenant>;
 }
 /**
 * Set or clear an annotation on a PiecedTenant CR.
 *
 * Pass `value=null` to remove the annotation. K8s merge-patch removes
 * a key when its value is null in the patch — that's exactly the
 * semantic we want.
 *
 * Used by the resume-request flow (Bug 37a): the portal sets
 * `pieced.ch/resume-request-pending` when a customer creates a
 * resume request, and clears it when the request transitions to a
 * terminal state. The operator reads this annotation to pause its
 * 60-day deletion timer while a resume request is in flight.
 *
 * Annotations are namespaced informally — we use `pieced.ch/...` for
 * everything we own, mirroring the labels.
 */
 export async function setTenantAnnotation(
  name: string,
  key: string,
  value: string | null
 ): Promise<PiecedTenant> {
  const url = `${getBaseUrl()}/apis/${API_VERSION}/${PLURAL}/${name}`;
  const res = await fetch(url, {
    method: "PATCH",
    headers: {
      Accept: "application/json",
      "Content-Type": "application/merge-patch+json",
      ...getAuthHeaders(),
    },
    body: JSON.stringify({
      metadata: { annotations: { [key]: value } },
    }),
  });
  if (!res.ok) {
    const text = await res.text();
    const err = new Error(`K8s annotate /${name}: ${res.status} ${text}`);
    (err as any).statusCode = res.status;
    throw err;
  }
  return res.json() as Promise<PiecedTenant>;
 }
--- a/src/lib/litellm.ts
+++ b/src/lib/litellm.ts
@@ -32,12 +32,43 @@ export async function getTeamSpendLogs(
  return litellmFetch(`/global/spend/logs?${params}`);
 }
 /**
 * Fetch one page of spend logs for a team, optionally narrowed to a
 * single virtual key by alias.
 *
 * Slice 2 / Bug 19 context
 * ------------------------
 * Teams in LiteLLM are now org-scoped (one team per org), and each
 * tenant in the org has its own virtual key with `key_alias = tenant
 * CR name`. Without `keyAlias`, this returns the full team's spend —
 * which mingles every tenant in the org. The portal's per-tenant
 * usage view passes `keyAlias` to filter server-side via LiteLLM's
 * native `key_alias` query param. Confirmed available on the
 * `/spend/logs/v2` endpoint via OpenAPI introspection — no need to
 * page-and-post-filter as the previous slice did.
 *
 * Why this matters
 * ----------------
 * Previous implementation fetched all team pages, then post-filtered
 * by alias in JS. Two problems: (1) at any reasonable scale this is
 * O(team_total) memory per request even when only one tenant's data
 * is needed; (2) more importantly, when called from the customer
 * dashboard without an explicit alias, the route's "pick the first
 * visible tenant" fallback meant both Acme tenants showed identical
 * numbers — the alias used was always the first tenant in the
 * visible list, regardless of which tenant page was being viewed.
 *
 * The route layer above is responsible for resolving the tenant
 * identity correctly and passing the right alias here. This
 * function's only job is to pass it through to LiteLLM.
 */
 export async function getTeamSpendLogsV2(
  teamId: string,
  startDate: string,
  endDate: string,
  page: number = 1,
-  pageSize: number = 100
+  pageSize: number = 100,
  keyAlias?: string | null
 ) {
  const params = new URLSearchParams({
    team_id: teamId,
@@ -46,6 +77,9 @@ export async function getTeamSpendLogsV2(
    page: String(page),
    page_size: String(pageSize),
  });
  if (keyAlias) {
    params.set("key_alias", keyAlias);
  }
  return litellmFetch(`/spend/logs/v2?${params}`);
 }
--- a/src/messages/de.json
+++ b/src/messages/de.json
@@ -157,7 +157,16 @@
    "cancelConfirmBullet3": "Rechnungsdaten bleiben gespeichert",
    "subscriptionUpdateFailed": "Abonnement konnte nicht aktualisiert werden.",
    "suspendedTitle": "Abonnement gekündigt",
-    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen."
+    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen.",
    "requestReactivation": "Reaktivierung anfragen",
    "requestReactivationConfirmTitle": "Reaktivierung anfragen?",
    "requestReactivationConfirmDescription": "Ein Administrator prüft Ihre Anfrage und reaktiviert Ihren Tenant. Sie erhalten eine E-Mail, sobald die Anfrage genehmigt wurde.",
    "requestReactivationConfirm": "Anfrage senden",
    "cancelResumeRequest": "Anfrage stornieren",
    "resumeRequestPendingTitle": "Reaktivierungsanfrage ausstehend",
    "resumeRequestPendingDescription": "Eingereicht {when}. Ein Administrator wird die Anfrage in Kürze prüfen.",
    "resumeRequestPendingNoteAdmin": "Ein Inhaber hat eine Reaktivierung angefragt; Sie können direkt oben fortfahren oder die Anfrage in der Admin-Warteschlange bearbeiten.",
    "cancelConfirmRetentionWarning": "Ihre Daten bleiben nach der Kündigung 60 Tage lang erhalten. Danach werden alle Tenant-Daten – Konfiguration, Geheimnisse, Konversationen und Dateien – endgültig gelöscht."
  },
  "usage": {
    "inputTokens": "Input-Tokens",
@@ -297,7 +306,9 @@
    "loadingHealth": "Statusdaten werden geladen…",
    "statusHealthy": "OK",
    "statusDown": "Ausgefallen",
-    "spendChf": "Kosten (CHF)"
+    "spendChf": "Kosten (CHF)",
    "resumeRequestBadge": "Wieder",
    "resumeRequestTooltip": "Reaktivierungsanfrage für einen bestehenden Tenant. Bei Genehmigung wird der Tenant wieder aktiviert; keine Provisionierung läuft."
  },
  "channelUsers": {
    "title": "Autorisierte Benutzer",
@@ -361,5 +372,9 @@
    "Error": "Fehler",
    "Deleting": "Wird gelöscht",
    "Reconfiguring": "Wird neu konfiguriert"
  },
  "warnings": {
    "oneTooltip": "1 Warnung",
    "manyTooltip": "{count} Warnungen"
  }
 }
--- a/src/messages/en.json
+++ b/src/messages/en.json
@@ -157,7 +157,16 @@
    "cancelConfirmBullet3": "Billing information is kept on file",
    "subscriptionUpdateFailed": "Could not update subscription.",
    "suspendedTitle": "Subscription cancelled",
-    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online."
+    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online.",
    "requestReactivation": "Request reactivation",
    "requestReactivationConfirmTitle": "Request reactivation?",
    "requestReactivationConfirmDescription": "An administrator will review your request and reactivate your tenant. You'll be notified by email once it's approved.",
    "requestReactivationConfirm": "Submit request",
    "cancelResumeRequest": "Cancel request",
    "resumeRequestPendingTitle": "Reactivation request pending",
    "resumeRequestPendingDescription": "Submitted {when}. An administrator will review it shortly.",
    "resumeRequestPendingNoteAdmin": "An owner has requested reactivation; you can resume directly above or process the request from the admin queue.",
    "cancelConfirmRetentionWarning": "Your data is preserved for 60 days after cancellation. After that, all tenant data — configuration, secrets, conversations, and files — will be permanently deleted."
  },
  "usage": {
    "inputTokens": "Input Tokens",
@@ -297,7 +306,9 @@
    "loadingHealth": "Loading health data…",
    "statusHealthy": "Healthy",
    "statusDown": "Down",
-    "spendChf": "Spend (CHF)"
+    "spendChf": "Spend (CHF)",
    "resumeRequestBadge": "Resume",
    "resumeRequestTooltip": "Reactivation request for an existing tenant. Approving will un-suspend the tenant; no provisioning runs."
  },
  "channelUsers": {
    "title": "Authorized Users",
@@ -361,5 +372,9 @@
    "Error": "Error",
    "Deleting": "Deleting",
    "Reconfiguring": "Reconfiguring"
  },
  "warnings": {
    "oneTooltip": "1 warning",
    "manyTooltip": "{count} warnings"
  }
 }
--- a/src/messages/fr.json
+++ b/src/messages/fr.json
@@ -157,7 +157,16 @@
    "cancelConfirmBullet3": "Les informations de facturation sont conservées",
    "subscriptionUpdateFailed": "Impossible de mettre à jour l'abonnement.",
    "suspendedTitle": "Abonnement annulé",
-    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne."
+    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne.",
    "requestReactivation": "Demander la réactivation",
    "requestReactivationConfirmTitle": "Demander la réactivation ?",
    "requestReactivationConfirmDescription": "Un administrateur examinera votre demande et réactivera votre locataire. Vous recevrez un e-mail dès que la demande sera approuvée.",
    "requestReactivationConfirm": "Envoyer la demande",
    "cancelResumeRequest": "Annuler la demande",
    "resumeRequestPendingTitle": "Demande de réactivation en attente",
    "resumeRequestPendingDescription": "Soumise {when}. Un administrateur l'examinera sous peu.",
    "resumeRequestPendingNoteAdmin": "Un propriétaire a demandé la réactivation ; vous pouvez reprendre directement ci-dessus ou traiter la demande depuis la file d'attente d'administration.",
    "cancelConfirmRetentionWarning": "Vos données sont conservées pendant 60 jours après l'annulation. Passé ce délai, toutes les données du locataire — configuration, secrets, conversations et fichiers — seront définitivement supprimées."
  },
  "usage": {
    "inputTokens": "Tokens d'entrée",
@@ -297,7 +306,9 @@
    "loadingHealth": "Chargement des données de santé…",
    "statusHealthy": "OK",
    "statusDown": "Hors service",
-    "spendChf": "Coûts (CHF)"
+    "spendChf": "Coûts (CHF)",
    "resumeRequestBadge": "Reprise",
    "resumeRequestTooltip": "Demande de réactivation d'un locataire existant. L'approbation le réactivera ; aucun provisionnement ne s'exécute."
  },
  "channelUsers": {
    "title": "Utilisateurs autorisés",
@@ -361,5 +372,9 @@
    "Error": "Erreur",
    "Deleting": "Suppression",
    "Reconfiguring": "Reconfiguration"
  },
  "warnings": {
    "oneTooltip": "1 avertissement",
    "manyTooltip": "{count} avertissements"
  }
 }
--- a/src/messages/it.json
+++ b/src/messages/it.json
@@ -157,7 +157,16 @@
    "cancelConfirmBullet3": "Le informazioni di fatturazione sono mantenute",
    "subscriptionUpdateFailed": "Impossibile aggiornare l'abbonamento.",
    "suspendedTitle": "Abbonamento annullato",
-    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online."
+    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online.",
    "requestReactivation": "Richiedi riattivazione",
    "requestReactivationConfirmTitle": "Richiedere la riattivazione?",
    "requestReactivationConfirmDescription": "Un amministratore esaminerà la tua richiesta e riattiverà il tuo tenant. Riceverai un'email non appena la richiesta sarà approvata.",
    "requestReactivationConfirm": "Invia richiesta",
    "cancelResumeRequest": "Annulla richiesta",
    "resumeRequestPendingTitle": "Richiesta di riattivazione in sospeso",
    "resumeRequestPendingDescription": "Inviata {when}. Un amministratore la esaminerà a breve.",
    "resumeRequestPendingNoteAdmin": "Un proprietario ha richiesto la riattivazione; puoi riprendere direttamente sopra o elaborare la richiesta dalla coda di amministrazione.",
    "cancelConfirmRetentionWarning": "I tuoi dati sono conservati per 60 giorni dopo l'annullamento. Trascorso tale periodo, tutti i dati del tenant — configurazione, segreti, conversazioni e file — verranno eliminati definitivamente."
  },
  "usage": {
    "inputTokens": "Token di input",
@@ -297,7 +306,9 @@
    "loadingHealth": "Caricamento dati di stato…",
    "statusHealthy": "OK",
    "statusDown": "Non disponibile",
-    "spendChf": "Costi (CHF)"
+    "spendChf": "Costi (CHF)",
    "resumeRequestBadge": "Ripresa",
    "resumeRequestTooltip": "Richiesta di riattivazione di un tenant esistente. L'approvazione lo riattiverà; non viene eseguito alcun provisioning."
  },
  "channelUsers": {
    "title": "Utenti autorizzati",
@@ -361,5 +372,9 @@
    "Error": "Errore",
    "Deleting": "Eliminazione",
    "Reconfiguring": "Riconfigurazione"
  },
  "warnings": {
    "oneTooltip": "1 avviso",
    "manyTooltip": "{count} avvisi"
  }
 }
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -103,6 +103,21 @@ export interface PiecedTenantStatus {
  litellmKeyAlias?: string;
  tenantNamespace?: string;
  enabledPackages?: string[];
  /**
   * Non-fatal issues from downstream resources surfaced by the operator
   * (e.g. an OpenClawInstance sub-condition reporting failure). The
   * tenant is still usable — these are informational, rendered as a
   * warning badge alongside the phase.
   *
   * `source` is "<Kind>/<ConditionType>" e.g. "OpenClawInstance/SkillPacksReady".
   * `message` is shown in the tooltip when the user hovers the badge.
   */
  warnings?: Array<{
    source: string;
    reason?: string;
    message?: string;
    since?: string;
  }>;
  conditions?: Array<{
    type: string;
    status: string;
@@ -119,6 +134,15 @@ export interface PiecedTenant {
    name: string;
    namespace?: string;
    creationTimestamp?: string;
    /**
     * Set by the API server when something issues a Delete on the CR.
     * The CR continues to exist while finalizers run cleanup; once
     * they all remove themselves, the API server permanently removes
     * the CR. Used by the portal's status sync to detect tenants
     * being torn down — the customer should see "Deleted" rather
     * than "Ready" while the cleanup runs.
     */
    deletionTimestamp?: string;
    labels?: Record<string, string>;
    annotations?: Record<string, string>;
  };
@@ -212,6 +236,19 @@ export interface TenantRequest {
   * login). Always null for non-rejected statuses.
   */
  dismissedAt?: string | null;
  /**
   * Bug 37a: discriminator between provision (initial tenant creation,
   * the original purpose of this table) and resume (admin-gated
   * reactivation of a suspended tenant). Default 'provision' for all
   * pre-existing rows; resume rows have most provision fields null
   * but tenant_name set to the tenant being requested.
   *
   * Optional on the TS type so provision-only callers (like the
   * onboarding wizard's create flow) don't need to know about resume
   * requests. The DB column is NOT NULL DEFAULT 'provision', so rows
   * loaded via `mapRow` always have a value populated.
   */
  requestType?: "provision" | "resume";
  createdAt: string;
  updatedAt: string;
 }
Author	SHA1	Message	Date
admin	b12bca8818	Suspendedremoval display in Frontend All checks were successful Build and Push / build (push) Successful in 1m28s Details	2026-05-01 21:39:16 +02:00
admin	a79d0defa4	Suspendedremoval All checks were successful Build and Push / build (push) Successful in 1m28s Details	2026-05-01 18:17:04 +02:00
admin	de1bb9bd02	Suspendedremoval Some checks failed Build and Push / build (push) Failing after 41s Details	2026-05-01 18:11:42 +02:00
admin	a5812dca9a	Suspendedremoval Some checks failed Build and Push / build (push) Failing after 48s Details	2026-05-01 18:07:00 +02:00
admin	7d58c78cb9	Fix modal popup All checks were successful Build and Push / build (push) Successful in 1m22s Details	2026-05-01 16:56:33 +02:00
admin	f308c84325	Group F - Fix spending per tenant All checks were successful Build and Push / build (push) Successful in 1m22s Details	2026-05-01 13:34:56 +02:00
admin	2cf5b56441	OCI Warning status All checks were successful Build and Push / build (push) Successful in 2m12s Details	2026-05-01 10:25:50 +02:00