Suspendedremoval display in Frontend

Suspendedremoval
2026-05-01 21:39:16 +02:00 · 2026-05-01 18:17:04 +02:00 · 2026-05-01 18:11:42 +02:00 · 2026-05-01 18:07:00 +02:00
16 changed files with 968 additions and 102 deletions
--- a/src/app/[locale]/dashboard/page.tsx
+++ b/src/app/[locale]/dashboard/page.tsx
@@ -2,7 +2,10 @@ import { getSessionUser, canMutate } from "@/lib/session";
 import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect } from "next/navigation";
 import { listTenants } from "@/lib/k8s";
-import { listActiveTenantRequestsByOrgId } from "@/lib/db";
+import {
+  listActiveTenantRequestsByOrgId,
+  syncProvisioningStatuses,
+} from "@/lib/db";
 import {
  listVisibleTenants,
  canSeeInflightRequests,
@@ -160,6 +163,23 @@ export default async function DashboardPage() {

  // Pending/in-flight requests are only shown to roles that can act on
  // them. `user`-role customers see no request cards.
+  //
+  // syncProvisioningStatuses runs on every dashboard load: it walks
+  // active and provisioning rows and reconciles them against the
+  // current cluster state. Without this, the operator-initiated
+  // 60-day TTL deletion (Bug 37b) leaves the portal showing "Your
+  // assistant is ready!" cards for tenants that no longer exist —
+  // the operator deletes the CR, but the DB row stays at active=true
+  // until something updates it. Running the sync at every dashboard
+  // load keeps the portal eventually consistent with the cluster
+  // without needing a separate cron/job.
+  //
+  // Cost: one K8s GET per row in (active, provisioning) status. At
+  // pilot scale this is small; if it grows we'd cache or move to a
+  // periodic background job.
+  if (canSeeInflightRequests(user)) {
+    await syncProvisioningStatuses();
+  }
  const orgRequests = canSeeInflightRequests(user)
    ? await listActiveTenantRequestsByOrgId(user.orgId)
    : [];
@@ -174,7 +194,16 @@ export default async function DashboardPage() {
    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
  );
  const inflightRequests = orgRequests.filter(
-    (r) => !r.tenantName || !orgScopedTenants.some((t) => t.metadata.name === r.tenantName)
+    (r) =>
+      // Only show provision (initial creation) requests on the
+      // dashboard. Resume requests (Bug 37a) belong with their
+      // specific tenant — the SubscriptionToggle on the tenant
+      // detail page renders the pending state there. Showing them
+      // on the dashboard too would duplicate the surface and
+      // confuse customers about which tenant they refer to.
+      r.requestType !== "resume" &&
+      (!r.tenantName ||
+        !orgScopedTenants.some((t) => t.metadata.name === r.tenantName))
  );

  // Slice 5: only owners (and platform users, who'd typically be using
--- a/src/app/[locale]/tenants/[name]/page.tsx
+++ b/src/app/[locale]/tenants/[name]/page.tsx
@@ -3,6 +3,7 @@ import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect, notFound } from "next/navigation";
 import { getTenant } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
+import { getPendingResumeRequestForTenant } from "@/lib/db";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { WarningBadge } from "@/components/ui/warning-badge";
 import { UsageDisplay } from "@/components/dashboard/usage-display";
@@ -47,6 +48,13 @@ export default async function TenantDetailPage({
  // The current state comes from spec.suspend on the CR.
  const isSuspended = Boolean(tenant.spec.suspend);

+  // Bug 37a: when the tenant is suspended, an owner can request
+  // reactivation (admin-gated). Look up whether one is in flight so
+  // the SubscriptionToggle can render the right state.
+  const pendingResumeRequest = isSuspended
+    ? await getPendingResumeRequestForTenant(name)
+    : null;
+
  // Bug 7: assigned-users panel is meaningless for personal tenants
  // (sole-owner by definition; the only "assignee" is the owner
  // themselves). We hide the panel when EITHER the CR carries the
@@ -208,7 +216,19 @@ export default async function TenantDetailPage({
              ? t("subscriptionDescriptionSuspended")
              : t("subscriptionDescriptionActive")}
          </p>
-          <SubscriptionToggle tenantName={name} suspended={isSuspended} />
+          <SubscriptionToggle
+            tenantName={name}
+            suspended={isSuspended}
+            isPlatform={user.isPlatform}
+            pendingResumeRequest={
+              pendingResumeRequest
+                ? {
+                    id: pendingResumeRequest.id,
+                    createdAt: pendingResumeRequest.createdAt,
+                  }
+                : null
+            }
+          />
        </section>
      )}
    </div>
--- a/src/app/api/admin/requests/[id]/approve/route.ts
+++ b/src/app/api/admin/requests/[id]/approve/route.ts
@@ -5,7 +5,7 @@ import {
  updateTenantRequestStatus,
  clearEncryptedSecrets,
 } from "@/lib/db";
-import { createTenant } from "@/lib/k8s";
+import { createTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
 import { sendApprovalEmail } from "@/lib/email";
 import { decryptSecrets } from "@/lib/crypto";
 import { writePackageSecrets } from "@/lib/openbao";
@@ -19,14 +19,26 @@ import { safeError } from "@/lib/errors";

 /**
 * POST /api/admin/requests/[id]/approve
- * Approve a tenant request:
- * 1. Decrypt stored package secrets (if any)
- * 2. Write each package's secrets to OpenBao at secret/data/tenants/{tenant-name}/{package}
- * 3. Null the encrypted_secrets column
- * 4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
- * 5. Create PiecedTenant CR
- * 6. Update request status, notify customer.
- * Also supports re-approving a previously rejected request (clears admin notes).
+ *
+ * Approve a request. Two paths depending on request_type:
+ *
+ * Provision (the original purpose):
+ *  1. Decrypt stored package secrets (if any)
+ *  2. Write each package's secrets to OpenBao
+ *  3. Null the encrypted_secrets column
+ *  4. Build workspace files (SOUL.md, AGENTS.md, TOOLS.md)
+ *  5. Create PiecedTenant CR
+ *  6. Update request status, notify customer.
+ *  Supports re-approving a previously rejected request (clears admin notes).
+ *
+ * Resume (Bug 37a):
+ *  1. PATCH spec.suspend=false on the existing PiecedTenant CR.
+ *  2. Clear the `pieced.ch/resume-request-pending` annotation so the
+ *     operator knows the request is settled (and doesn't pause its
+ *     60-day TTL forever — though now that the tenant isn't suspended,
+ *     the timer is moot).
+ *  3. Mark request approved, notify customer.
+ *  No CR creation, no secret materialisation, no workspace files.
 */
 export async function POST(
  request: Request,
@@ -60,6 +72,58 @@ export async function POST(
    );
  }

+  // Resume request: short path. Just patch the existing tenant, clear
+  // the annotation, mark approved.
+  if (tenantRequest.requestType === "resume") {
+    if (!tenantRequest.tenantName) {
+      // Shouldn't happen — resume requests are created with tenant_name
+      // set. Defensive 500 if it does.
+      return NextResponse.json(
+        { error: "Resume request has no tenant_name" },
+        { status: 500 }
+      );
+    }
+    try {
+      await patchTenantSpec(tenantRequest.tenantName, { suspend: false });
+      // Clear the annotation that pauses the operator's 60-day TTL.
+      // Best-effort — annotation cleanup is also done by the operator
+      // when it sees suspend=false on the next reconcile (it clears
+      // status.suspendedAt), but explicitly clearing here keeps the
+      // CR clean.
+      try {
+        await setTenantAnnotation(
+          tenantRequest.tenantName,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "post-approve annotation clear failed; not blocking",
+          e
+        );
+      }
+
+      await updateTenantRequestStatus(id, "approved", { adminNotes });
+
+      await sendApprovalEmail(
+        tenantRequest.contactEmail,
+        tenantRequest.contactName,
+        tenantRequest.companyName
+      ).catch((e) => console.error("approval email failed:", e));
+
+      return NextResponse.json({
+        message: "Resume approved. Tenant is reactivating.",
+        tenantName: tenantRequest.tenantName,
+      });
+    } catch (e: any) {
+      console.error("Resume approval failed:", e);
+      return NextResponse.json(
+        { error: safeError(e, "Failed to approve resume") },
+        { status: 500 }
+      );
+    }
+  }
+
  const isReApproval = tenantRequest.status === "rejected";

  // Build the CR name: see `lib/tenant-naming.ts` for the format spec.
--- a/src/app/api/admin/requests/[id]/reject/route.ts
+++ b/src/app/api/admin/requests/[id]/reject/route.ts
@@ -1,11 +1,19 @@
 import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
 import { getTenantRequestById, updateTenantRequestStatus } from "@/lib/db";
+import { setTenantAnnotation } from "@/lib/k8s";
 import { sendRejectionEmail } from "@/lib/email";

 /**
 * POST /api/admin/requests/[id]/reject
 * Reject a tenant request and notify the customer.
+ *
+ * For resume requests (Bug 37a): also clears the
+ * `pieced.ch/resume-request-pending` annotation on the tenant CR.
+ * The operator's 60-day TTL then resumes counting from the original
+ * suspendedAt — rejection doesn't reset it. The customer can submit
+ * a fresh resume request later if circumstances change, but that
+ * starts a new pending row and re-stamps the annotation.
 */
 export async function POST(
  request: Request,
@@ -37,6 +45,26 @@ export async function POST(
    adminNotes,
  });

+  // Resume rejection: clear the annotation so the operator's TTL
+  // resumes. Best-effort — failure is logged, not propagated.
+  if (
+    tenantRequest.requestType === "resume" &&
+    tenantRequest.tenantName
+  ) {
+    try {
+      await setTenantAnnotation(
+        tenantRequest.tenantName,
+        "pieced.ch/resume-request-pending",
+        null
+      );
+    } catch (e) {
+      console.warn(
+        "post-reject annotation clear failed; operator's TTL will pause until annotation removed by admin",
+        e
+      );
+    }
+  }
+
  // Notify customer
  await sendRejectionEmail(
    tenantRequest.contactEmail,
--- a/src/app/api/onboarding/[id]/route.ts
+++ b/src/app/api/onboarding/[id]/route.ts
@@ -6,6 +6,7 @@ import {
  updateTenantRequestEditableFields,
 } from "@/lib/db";
 import { encryptSecrets } from "@/lib/crypto";
+import { setTenantAnnotation } from "@/lib/k8s";
 import { onboardingSchema } from "@/lib/validation";
 import { safeError } from "@/lib/errors";

@@ -91,6 +92,25 @@ export async function DELETE(

  try {
    await updateTenantRequestStatus(id, "cancelled");
+
+    // Customer cancels their own pending resume request: clear the
+    // operator-side annotation so the 60-day TTL resumes counting.
+    // Best-effort — the operator handles missing annotation gracefully.
+    if (tr.requestType === "resume" && tr.tenantName) {
+      try {
+        await setTenantAnnotation(
+          tr.tenantName,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "post-cancel annotation clear failed; not blocking",
+          e
+        );
+      }
+    }
+
    return NextResponse.json({ message: "Request cancelled.", id });
  } catch (e: any) {
    console.error("Failed to cancel request:", e);
--- a/src/app/api/tenants/[name]/resume-request/route.ts
+++ b/src/app/api/tenants/[name]/resume-request/route.ts
@@ -0,0 +1,153 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getTenant, setTenantAnnotation } from "@/lib/k8s";
+import { canUserSeeTenant } from "@/lib/visibility";
+import {
+  createResumeRequest,
+  getPendingResumeRequestForTenant,
+  getTenantRequestByTenantName,
+} from "@/lib/db";
+import { safeError } from "@/lib/errors";
+
+/**
+ * POST /api/tenants/[name]/resume-request
+ *
+ * Owner-initiated request to reactivate a suspended tenant (Bug 37a).
+ * Creates a pending tenant_request of type 'resume' for admin review,
+ * and stamps the PiecedTenant CR with an annotation that pauses the
+ * operator's 60-day deletion timer.
+ *
+ * Why a request flow at all
+ * -------------------------
+ * Customers can self-serve cancel; resume requires admin oversight.
+ * Reactivation may involve re-validating billing, confirming the
+ * customer still wants to be active, or other manual steps. The
+ * request flow gives admins a queue to review, with the same approve/
+ * reject UX as initial provision requests.
+ *
+ * Authorization
+ * -------------
+ * Owners and platform admins. Platform admins shouldn't normally use
+ * this endpoint — they have direct PATCH suspend access — but it's
+ * permissive in case admin tooling pivots.
+ *
+ * Validation
+ * ----------
+ *  - Tenant must exist and be visible to the caller.
+ *  - Tenant must be currently suspended. Resuming an active tenant
+ *    is meaningless.
+ *  - At most one pending resume request per tenant. Enforced by the
+ *    DB's partial unique index, but we also check explicitly here to
+ *    return a friendly 409 instead of a 500.
+ *
+ * Side effects on success
+ * -----------------------
+ *  - INSERT into tenant_requests (request_type='resume', status='pending')
+ *  - PATCH annotation `pieced.ch/resume-request-pending=<request-id>` on
+ *    the CR. This is the operator's signal to pause its 60-day deletion
+ *    timer until the request transitions to terminal.
+ *
+ * The annotation set is best-effort: if the K8s PATCH fails after the
+ * DB insert, the row exists without the annotation. The customer
+ * sees the request as pending; admin can still approve. The only
+ * functional consequence is the 60-day timer doesn't pause until the
+ * next request transition, which is fine in practice (admin response
+ * times are dramatically shorter than 60 days).
+ */
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const user = await getSessionUser();
+  if (!user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!canMutate(user)) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const { name } = await params;
+  const tenant = await getTenant(name);
+  if (!tenant) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (!(await canUserSeeTenant(user, tenant))) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (!tenant.spec.suspend) {
+    return NextResponse.json(
+      { error: "Tenant is not suspended; nothing to resume." },
+      { status: 409 }
+    );
+  }
+
+  // Already a pending request? Don't duplicate.
+  const existing = await getPendingResumeRequestForTenant(name);
+  if (existing) {
+    return NextResponse.json(
+      {
+        error: "A resume request for this tenant is already pending.",
+        request: { id: existing.id, createdAt: existing.createdAt },
+      },
+      { status: 409 }
+    );
+  }
+
+  // Pull traceability fields (companyName, agentName) from the original
+  // provision request. The schema marks these NOT NULL, so we have to
+  // populate them; copying from the provision row keeps the resume
+  // row navigable in the admin UI without making up values.
+  const provision = await getTenantRequestByTenantName(name);
+
+  try {
+    const resumeRequest = await createResumeRequest({
+      tenantName: name,
+      zitadelOrgId:
+        tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] ?? user.orgId,
+      zitadelUserId: user.id,
+      contactName: user.name,
+      contactEmail: user.email,
+      companyName: provision?.companyName ?? tenant.spec.displayName ?? name,
+      agentName: provision?.agentName ?? "Assistant",
+    });
+
+    // Stamp the annotation so the operator pauses its TTL. If this
+    // fails the request still exists; surface the error so admin
+    // tooling can re-stamp if needed, but don't roll back.
+    try {
+      await setTenantAnnotation(
+        name,
+        "pieced.ch/resume-request-pending",
+        resumeRequest.id
+      );
+    } catch (e) {
+      console.warn(
+        "resume request created but annotation could not be set; operator's 60-day timer will not pause until next reconcile triggered by request transition",
+        e
+      );
+    }
+
+    return NextResponse.json(
+      {
+        message: "Resume request submitted. An admin will review shortly.",
+        request: { id: resumeRequest.id, status: resumeRequest.status },
+      },
+      { status: 201 }
+    );
+  } catch (e: any) {
+    // Unique violation (a pending row already exists for this tenant)
+    // is friendly-handled above; this catches everything else.
+    if (e.code === "23505") {
+      return NextResponse.json(
+        { error: "A resume request for this tenant is already pending." },
+        { status: 409 }
+      );
+    }
+    console.error("Resume request creation failed:", e);
+    return NextResponse.json(
+      { error: safeError(e, "Failed to submit resume request") },
+      { status: 500 }
+    );
+  }
+}
--- a/src/app/api/tenants/[name]/suspend/route.ts
+++ b/src/app/api/tenants/[name]/suspend/route.ts
@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { z } from "zod";
 import { getSessionUser, canMutate } from "@/lib/session";
-import { getTenant, patchTenantSpec } from "@/lib/k8s";
+import { getTenant, patchTenantSpec, setTenantAnnotation } from "@/lib/k8s";
 import { canUserSeeTenant } from "@/lib/visibility";
 import { safeError } from "@/lib/errors";

@@ -12,37 +12,38 @@ const patchSchema = z.object({
 /**
 * PATCH /api/tenants/[name]/suspend
 *
- * Customer-side "Cancel subscription" / "Resume" toggle (Bug 31).
+ * Direct suspend control on the PiecedTenant CR. Sets `spec.suspend`
+ * to true (cancel) or false (resume).
 *
- * Sets `spec.suspend` on the PiecedTenant CR. The operator interprets
- * this flag as "stop reconciling this tenant" — workloads, packages,
- * and channel-user changes are no longer applied. Existing data is
- * preserved (namespace, ConfigMaps, OpenBao secrets, CNPG database,
- * billing records). Resuming sets the flag back to false and the
- * operator picks up reconciliation on the next loop.
+ * Authorization (Bug 37a)
+ * -----------------------
+ * - suspend=true  → owners and platform admins may call.
+ * - suspend=false → platform admins ONLY. Owners must go through the
+ *   resume-request flow (POST /api/tenants/[name]/resume-request),
+ *   which creates a pending request for admin approval. This
+ *   asymmetry is by design: cancellation is self-service (low risk;
+ *   reversible by request); reactivation requires admin oversight
+ *   (e.g. to re-validate billing, confirm intent).
 *
- * Authorization
- * -------------
- * - Customer-side: only an `owner` of the tenant's org may call this.
- *   `canMutate` is the right gate (mirrors the rest of the customer
- *   API surface). User-role members cannot cancel a subscription.
- * - Platform staff: allowed via `canMutate`'s isPlatform branch, but
- *   in practice they should use admin tooling for this — the action
- *   is exposed here for the customer's benefit.
+ * Customer flow:
+ *   - Cancel:  PATCH suspend=true  here
+ *   - Resume:  POST /resume-request — creates a 'resume' tenant_request,
+ *              admin approves via /api/admin/requests/[id]/approve which
+ *              then PATCHes suspend=false here as a platform user.
 *
- * Visibility check is via `canUserSeeTenant` — same notFound() trick
- * as the detail page, so we don't leak existence of tenants the
- * caller can't see.
+ * Workload behaviour
+ * ------------------
+ * On suspend=true the operator deletes the OpenClawInstance, stopping
+ * the pod within seconds. Tenant data — namespace, ConfigMaps,
+ * OpenBao secrets, CNPG database, LiteLLM team — is retained.
 *
- * Note on workload teardown
- * -------------------------
- * As of this writing, the operator's `suspend` handling is "skip
- * reconciliation and set status.phase to Suspended". The underlying
- * StatefulSet keeps running until next reconciliation, which won't
- * happen while suspended. Group D will add scale-to-zero so cancelled
- * subscriptions actually stop incurring compute. Until then, an
- * operator following up with a `kubectl scale` is the workaround.
- * Customer data is preserved either way.
+ * Suspended tenants enter a 60-day retention window (operator
+ * constant `retentionAfterSuspend`); after that, the tenant is fully
+ * deleted unless a pending resume request exists. The operator
+ * checks the `pieced.ch/resume-request-pending` annotation to know
+ * about pending requests; we set it here when admin approves the
+ * resume (transitively, via the admin-approve endpoint), and clear
+ * it when the request reaches a terminal state.
 */
 export async function PATCH(
  req: NextRequest,
@@ -76,6 +77,18 @@ export async function PATCH(
  }
  const { suspend } = parsed.data;

+  // Bug 37a: resume (suspend=false) is platform-admin only via this
+  // endpoint. Owners must go through the resume-request flow.
+  if (!suspend && !user.isPlatform) {
+    return NextResponse.json(
+      {
+        error:
+          "Resume requires platform-admin approval. Submit a resume request via /api/tenants/[name]/resume-request.",
+      },
+      { status: 403 }
+    );
+  }
+
  // No-op early exit. Avoids a needless K8s patch + status churn when
  // the user double-clicks the button or the UI is briefly out of sync.
  if (Boolean(tenant.spec.suspend) === suspend) {
@@ -87,10 +100,32 @@ export async function PATCH(

  try {
    await patchTenantSpec(name, { suspend });
+
+    // On admin-side resume, also clear the pending-resume-request
+    // annotation if it exists. Belt-and-suspenders: the admin-approve
+    // endpoint already clears it on its happy path, but a platform
+    // user resuming directly via this endpoint shouldn't leave the
+    // annotation behind. Best-effort: failure to clear the annotation
+    // is logged but doesn't fail the resume.
+    if (!suspend) {
+      try {
+        await setTenantAnnotation(
+          name,
+          "pieced.ch/resume-request-pending",
+          null
+        );
+      } catch (e) {
+        console.warn(
+          "failed to clear resume-request-pending annotation; operator will see it stale until next request transition",
+          e
+        );
+      }
+    }
+
    return NextResponse.json(
      {
        message: suspend
-          ? "Subscription cancelled. Your data is preserved."
+          ? "Subscription cancelled. Your data is preserved for 60 days."
          : "Subscription resumed.",
        suspend,
      },
--- a/src/components/admin/admin-panel.tsx
+++ b/src/components/admin/admin-panel.tsx
@@ -362,9 +362,28 @@ export function AdminPanel({ initialTenants }: AdminPanelProps) {
                        className="border-b border-border last:border-0 hover:bg-surface-2/50 transition-colors"
                      >
                        <td className="px-4 py-3">
-                          <div className="font-medium text-text-primary text-sm">
+                          <div className="font-medium text-text-primary text-sm flex items-center gap-2">
                            {req.companyName}
+                            {/* Bug 37a: distinguish resume requests in the
+                                queue. Provision and resume share status
+                                semantics but very different action
+                                consequences — a resume approval just
+                                un-suspends an existing tenant, no
+                                provisioning workflow runs. */}
+                            {req.requestType === "resume" && (
+                              <span
+                                className="px-1.5 py-0.5 text-[10px] font-semibold rounded uppercase tracking-wider bg-success/15 text-success"
+                                title={t("resumeRequestTooltip")}
+                              >
+                                {t("resumeRequestBadge")}
+                              </span>
+                            )}
                          </div>
+                          {req.requestType === "resume" && req.tenantName && (
+                            <div className="text-text-muted text-xs font-mono mt-0.5">
+                              {req.tenantName}
+                            </div>
+                          )}
                        </td>
                        <td className="px-4 py-3">
                          <div className="text-text-primary text-sm">
--- a/src/components/tenants/subscription-toggle.tsx
+++ b/src/components/tenants/subscription-toggle.tsx
@@ -2,49 +2,74 @@

 import { useState } from "react";
 import { useRouter } from "next/navigation";
-import { useTranslations } from "next-intl";
+import { useTranslations, useFormatter } from "next-intl";
 import { Modal } from "@/components/ui/modal";
+import { formatRelative } from "@/lib/format";

 interface Props {
  tenantName: string;
  /**
-   * Current suspend state — server-derived. The control toggles this
-   * via PATCH /api/tenants/[name]/suspend, then refreshes the route
-   * so server-component-side data (status badge, suspended notice)
-   * re-renders.
+   * Current suspend state — server-derived. Drives which control the
+   * customer sees: "Cancel subscription" while active, the
+   * resume-request flow while suspended.
   */
  suspended: boolean;
+  /**
+   * True when the viewer has platform admin role. Platform users are
+   * the only ones who can directly resume a tenant via PATCH; owners
+   * must go through the resume-request flow. We use this in the
+   * suspended branch to decide whether to render a direct "Resume"
+   * button or the "Request reactivation" workflow.
+   */
+  isPlatform: boolean;
+  /**
+   * If a resume request is currently pending for this tenant, its
+   * id and submitted-at. The component renders an info card with
+   * a cancel-request button instead of the request-reactivation
+   * button. Only meaningful when `suspended === true`.
+   */
+  pendingResumeRequest: { id: string; createdAt: string } | null;
 }

 /**
- * SubscriptionToggle — owner-side cancel/resume control (Bug 31).
+ * SubscriptionToggle — owner-side cancel/resume control.
 *
- * Renders a single button that toggles between "Cancel subscription"
- * (when active) and "Resume subscription" (when suspended). Cancellation
- * is gated behind a confirmation modal because it's destructive
- * looking from the user's POV — even though no data is lost, the
- * AI assistant becomes unavailable until they resume. Resume has no
- * modal; it's a strict subset of cancellation in terms of risk.
+ * Three render states:
+ *   1. Active: "Cancel subscription" button + confirmation modal
+ *      (mentions 60-day retention before permanent deletion).
+ *   2. Suspended, no pending resume request: "Request reactivation"
+ *      button + simple confirmation modal explaining admin review.
+ *   3. Suspended, pending resume request: status card "Reactivation
+ *      requested X days ago" + "Cancel request" button.
 *
- * The control intentionally lives at the bottom of the tenant detail
- * page rather than next to the status badge — putting it near the
- * top would invite mis-clicks. Customers who want to cancel scroll
- * past the running configuration, billing-relevant info, and assigned
- * users first; that's the right friction level.
+ * Platform admins viewing a suspended tenant get a fourth state in
+ * place of #2/#3: a direct "Resume now" button (no admin queue, no
+ * request flow). This is the admin escape hatch.
 *
- * Suspended tenants render a top-of-page banner separately (see the
- * detail page); this component focuses on the action itself.
+ * The control intentionally lives at the bottom of the tenant
+ * detail page rather than near the top — putting it next to the
+ * status badge would invite mis-clicks.
 */
-export function SubscriptionToggle({ tenantName, suspended }: Props) {
+export function SubscriptionToggle({
+  tenantName,
+  suspended,
+  isPlatform,
+  pendingResumeRequest,
+}: Props) {
  const t = useTranslations("tenantDetail");
  const tCommon = useTranslations("common");
+  const f = useFormatter();
  const router = useRouter();

-  const [confirmOpen, setConfirmOpen] = useState(false);
+  const [confirmCancelOpen, setConfirmCancelOpen] = useState(false);
+  const [confirmResumeOpen, setConfirmResumeOpen] = useState(false);
  const [submitting, setSubmitting] = useState(false);
  const [error, setError] = useState("");

-  const toggleSuspend = async (next: boolean) => {
+  // Customer-side cancel: PATCH suspend=true. Same path as before.
+  // The 60-day retention copy in the modal is the new bit (Bug 37b);
+  // mechanics are unchanged.
+  const cancel = async () => {
    setSubmitting(true);
    setError("");
    try {
@@ -53,18 +78,14 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
        {
          method: "PATCH",
          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ suspend: next }),
+          body: JSON.stringify({ suspend: true }),
        }
      );
      if (!res.ok) {
        const data = await res.json().catch(() => ({}));
        throw new Error(data.error || t("subscriptionUpdateFailed"));
      }
-      setConfirmOpen(false);
-      // The status badge + suspended banner are server-rendered, so
-      // a route refresh is the simplest way to reflect the new state.
-      // Optimistic local toggle would diverge from the actual CR if
-      // the operator hasn't observed the patch yet.
+      setConfirmCancelOpen(false);
      router.refresh();
    } catch (e: any) {
      setError(e.message);
@@ -73,39 +94,216 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
    }
  };

+  // Owner-side resume request: POST a 'resume' tenant_request that
+  // sits pending until admin acts. Different from cancel: no PATCH
+  // on the CR — that happens only when admin approves.
+  const requestResume = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/resume-request`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      setConfirmResumeOpen(false);
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Customer cancels their own pending resume request.
+  const cancelResumeRequest = async () => {
+    if (!pendingResumeRequest) return;
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/onboarding/${pendingResumeRequest.id}`,
+        { method: "DELETE" }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // Platform admin: direct resume, bypassing the request flow.
+  const adminResume = async () => {
+    setSubmitting(true);
+    setError("");
+    try {
+      const res = await fetch(
+        `/api/tenants/${encodeURIComponent(tenantName)}/suspend`,
+        {
+          method: "PATCH",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ suspend: false }),
+        }
+      );
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error(data.error || t("subscriptionUpdateFailed"));
+      }
+      router.refresh();
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  // ─── Suspended branch ───────────────────────────────────────────────
+
  if (suspended) {
+    // Platform admin sees direct resume. Independent of pending
+    // resume — admin can always resume immediately.
+    if (isPlatform) {
+      return (
+        <div>
+          <button
+            type="button"
+            onClick={adminResume}
+            disabled={submitting}
+            className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
+          >
+            {submitting
+              ? tCommon("loading")
+              : t("resumeSubscription")}
+          </button>
+          {pendingResumeRequest && (
+            <p className="text-xs text-text-muted mt-2">
+              {t("resumeRequestPendingNoteAdmin")}
+            </p>
+          )}
+          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        </div>
+      );
+    }
+
+    // Owner with pending resume request: render the request status
+    // card with cancel.
+    if (pendingResumeRequest) {
+      return (
+        <div>
+          <div className="rounded-xl border border-amber-500/30 bg-amber-500/5 px-4 py-3">
+            <div className="text-sm font-medium text-amber-400 mb-1">
+              {t("resumeRequestPendingTitle")}
+            </div>
+            <div className="text-xs text-text-secondary">
+              {t("resumeRequestPendingDescription", {
+                when: formatRelative(pendingResumeRequest.createdAt, f),
+              })}
+            </div>
+            <button
+              type="button"
+              onClick={cancelResumeRequest}
+              disabled={submitting}
+              className="mt-3 text-xs px-3 py-1.5 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors disabled:opacity-50"
+            >
+              {submitting
+                ? tCommon("loading")
+                : t("cancelResumeRequest")}
+            </button>
+          </div>
+          {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        </div>
+      );
+    }
+
+    // Owner with no pending request: offer to create one.
    return (
      <div>
        <button
          type="button"
-          onClick={() => toggleSuspend(false)}
-          disabled={submitting}
-          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors disabled:opacity-50"
+          onClick={() => setConfirmResumeOpen(true)}
+          className="text-sm font-medium px-4 py-2 rounded-lg border border-success/30 text-success hover:bg-success/10 transition-colors"
        >
-          {submitting ? tCommon("loading") : t("resumeSubscription")}
+          {t("requestReactivation")}
        </button>
-        {error && <p className="text-xs text-red-400 mt-2">{error}</p>}
+        {error && !confirmResumeOpen && (
+          <p className="text-xs text-red-400 mt-2">{error}</p>
+        )}
+
+        {confirmResumeOpen && (
+          <Modal
+            open={confirmResumeOpen}
+            onClose={() => setConfirmResumeOpen(false)}
+            ariaLabel={t("requestReactivationConfirmTitle")}
+          >
+            <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
+              {t("requestReactivationConfirmTitle")}
+            </h3>
+            <p className="text-sm text-text-secondary mb-5">
+              {t("requestReactivationConfirmDescription")}
+            </p>
+
+            {error && (
+              <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
+                {error}
+              </div>
+            )}
+
+            <div className="flex justify-end gap-2">
+              <button
+                type="button"
+                onClick={() => setConfirmResumeOpen(false)}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
+              >
+                {tCommon("cancel")}
+              </button>
+              <button
+                type="button"
+                onClick={requestResume}
+                disabled={submitting}
+                className="text-sm px-4 py-2 rounded-lg bg-success text-white hover:bg-success/90 transition-colors disabled:opacity-50"
+              >
+                {submitting
+                  ? tCommon("loading")
+                  : t("requestReactivationConfirm")}
+              </button>
+            </div>
+          </Modal>
+        )}
      </div>
    );
  }

+  // ─── Active branch ──────────────────────────────────────────────────
+
  return (
    <div>
      <button
        type="button"
-        onClick={() => setConfirmOpen(true)}
+        onClick={() => setConfirmCancelOpen(true)}
        className="text-sm font-medium px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
      >
        {t("cancelSubscription")}
      </button>
-      {error && !confirmOpen && (
+      {error && !confirmCancelOpen && (
        <p className="text-xs text-red-400 mt-2">{error}</p>
      )}

-      {confirmOpen && (
+      {confirmCancelOpen && (
        <Modal
-          open={confirmOpen}
-          onClose={() => setConfirmOpen(false)}
+          open={confirmCancelOpen}
+          onClose={() => setConfirmCancelOpen(false)}
          ariaLabel={t("cancelConfirmTitle")}
        >
          <h3 className="font-display text-lg font-semibold text-text-primary mb-2">
@@ -114,11 +312,17 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
          <p className="text-sm text-text-secondary mb-3">
            {t("cancelConfirmDescription")}
          </p>
-          <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-5">
+          <ul className="text-xs text-text-muted list-disc list-inside space-y-1 mb-3">
            <li>{t("cancelConfirmBullet1")}</li>
            <li>{t("cancelConfirmBullet2")}</li>
            <li>{t("cancelConfirmBullet3")}</li>
          </ul>
+          {/* Bug 37b: 60-day retention warning. Distinct paragraph so it
+              reads as a separate, more serious commitment than the
+              regular bullets above. */}
+          <div className="text-xs text-amber-400 bg-amber-400/10 border border-amber-400/20 rounded-lg px-3 py-2 mb-5">
+            {t("cancelConfirmRetentionWarning")}
+          </div>

          {error && (
            <div className="text-xs text-red-400 bg-red-400/10 border border-red-400/20 rounded-lg px-3 py-2 mb-3">
@@ -129,7 +333,7 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
          <div className="flex justify-end gap-2">
            <button
              type="button"
-              onClick={() => setConfirmOpen(false)}
+              onClick={() => setConfirmCancelOpen(false)}
              disabled={submitting}
              className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary transition-colors"
            >
@@ -137,7 +341,7 @@ export function SubscriptionToggle({ tenantName, suspended }: Props) {
            </button>
            <button
              type="button"
-              onClick={() => toggleSuspend(true)}
+              onClick={cancel}
              disabled={submitting}
              className="text-sm px-4 py-2 rounded-lg bg-amber-500 text-white hover:bg-amber-600 transition-colors disabled:opacity-50"
            >
--- a/src/lib/db.ts
+++ b/src/lib/db.ts
@@ -78,6 +78,42 @@ const MIGRATION_SQL = `
  -- is only meaningful for rejected and cancelled rows.
  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ;

+  -- Bug 37a: resume requests use the same table as provision requests so
+  -- the customer dashboard and admin queue share rendering. Discriminator
+  -- is request_type. Default 'provision' on backfill keeps existing rows
+  -- working without explicit migration.
+  --
+  -- Resume rows have:
+  --   request_type     = 'resume'
+  --   tenant_name      = the existing tenant being requested for reactivation
+  --   zitadel_org_id   = the org owning that tenant
+  --   zitadel_user_id  = the requesting customer
+  --   status           = pending → approved/rejected (or cancelled by customer)
+  --   most provision-only fields (packages, billing_address, etc.) are NULL
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS request_type TEXT NOT NULL DEFAULT 'provision';
+  -- Constrain to the known set so a future code change can't accidentally
+  -- write a third type without first widening this constraint.
+  DO $$ BEGIN
+    ALTER TABLE tenant_requests ADD CONSTRAINT tenant_requests_request_type_check
+      CHECK (request_type IN ('provision', 'resume'));
+  EXCEPTION WHEN duplicate_object THEN NULL;
+  END $$;
+
+  -- Tenant_name uniqueness was originally meant for "one tenant CR per
+  -- approved provision request". Resume requests reuse a tenant_name,
+  -- so the uniqueness must now be scoped to provision rows only.
+  DROP INDEX IF EXISTS uniq_tenant_requests_tenant_name;
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_tenant_name_provision
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL AND request_type = 'provision';
+
+  -- Only one pending resume request per tenant at a time. Otherwise a
+  -- customer could spam-create resume requests (the admin queue would
+  -- bloat) or two admins might race on approving duplicates.
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_pending_resume
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL AND request_type = 'resume' AND status = 'pending';
+
  -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
  ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;

@@ -381,6 +417,111 @@ export async function clearEncryptedSecrets(requestId: string): Promise<void> {
 * Caller is responsible for verifying the row belongs to the user's
 * org before calling.
 */
+/**
+ * Create a resume request (Bug 37a). Used when an owner of a suspended
+ * tenant wants to reactivate it. Resume is admin-gated — the request
+ * sits as `pending` until a platform admin approves or rejects it.
+ *
+ * Tenant-name uniqueness is enforced for `pending` resume rows by a
+ * partial unique index, so a customer can't spam the queue with
+ * duplicate resume requests for the same tenant. The DB throws a
+ * unique-violation if they try; callers should catch that and translate
+ * to a 409.
+ *
+ * Why this lives in tenant_requests instead of a separate table:
+ *   - the lifecycle is identical (pending → approved/rejected, plus
+ *     customer-side cancel and dismiss-after-terminal)
+ *   - the customer dashboard renders pending+resume cards from the
+ *     same `listActiveTenantRequestsByOrgId` query — adding a separate
+ *     table would mean two queries and union-merging in the UI
+ *   - the admin queue likewise treats them uniformly
+ * The cost is a discriminator column (`request_type`) and most
+ * provision-only fields being null on resume rows. That's a tradeoff
+ * I think is worth it.
+ */
+export async function createResumeRequest(params: {
+  tenantName: string;
+  zitadelOrgId: string;
+  zitadelUserId: string;
+  contactName: string;
+  contactEmail: string;
+  // Provision-only fields default sensibly. company_name + agent_name
+  // are NOT NULL in the original schema; we copy them from the existing
+  // tenant request for traceability rather than storing dummy values.
+  companyName: string;
+  agentName: string;
+}): Promise<TenantRequest> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `INSERT INTO tenant_requests (
+        zitadel_org_id, zitadel_user_id, company_name,
+        contact_name, contact_email, agent_name,
+        tenant_name, request_type, status
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, 'resume', 'pending')
+     RETURNING *`,
+    [
+      params.zitadelOrgId,
+      params.zitadelUserId,
+      params.companyName,
+      params.contactName,
+      params.contactEmail,
+      params.agentName,
+      params.tenantName,
+    ]
+  );
+  return mapRow(result.rows[0]);
+}
+
+/**
+ * Get the most recent provision request for a tenant_name. Used by
+ * Bug 37a's resume-request creation to populate company_name and
+ * agent_name (NOT NULL columns) from the original provision row
+ * rather than make up values.
+ *
+ * Returns null when no such row exists — should be impossible in
+ * normal flow (resume requests are only created for already-existing
+ * tenants whose CR was created via approving a provision request),
+ * but the caller should guard against it for safety.
+ */
+export async function getTenantRequestByTenantName(
+  tenantName: string
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `SELECT * FROM tenant_requests
+      WHERE tenant_name = $1
+        AND request_type = 'provision'
+      ORDER BY created_at DESC
+      LIMIT 1`,
+    [tenantName]
+  );
+  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
+}
+
+/**
+ * Return the in-flight (pending) resume request for a given tenant, if
+ * any. Used both to gate the customer's "Request reactivation" button
+ * (don't allow a second when one's already pending) and by the admin
+ * UI to navigate from the tenant detail page to the awaiting request.
+ *
+ * Returns null when no pending resume exists. Approved/rejected rows
+ * are never returned — they're terminal.
+ */
+export async function getPendingResumeRequestForTenant(
+  tenantName: string
+): Promise<TenantRequest | null> {
+  await ensureSchema();
+  const result = await getPool().query(
+    `SELECT * FROM tenant_requests
+      WHERE tenant_name = $1
+        AND request_type = 'resume'
+        AND status = 'pending'
+      LIMIT 1`,
+    [tenantName]
+  );
+  return result.rows.length > 0 ? mapRow(result.rows[0]) : null;
+}
+
 export async function dismissTenantRequest(id: string): Promise<void> {
  await ensureSchema();
  await getPool().query(
@@ -498,8 +639,26 @@ export async function deleteTenantRequest(id: string): Promise<void> {
 }

 /**
- * Sync provisioning statuses: for all requests with status "provisioning",
- * check if the PiecedTenant CR has reached "Ready" and update to "active".
+ * Reconcile the portal's tenant_requests table against actual cluster
+ * state. Two passes, both walking only rows with `tenant_name` set
+ * (rows in pending/rejected/cancelled state don't have one and are
+ * irrelevant to this reconciliation):
+ *
+ *   1. provisioning → active: when a tenant CR's phase reaches Ready
+ *      or Running, the portal flips the row to active so the
+ *      "provisioning…" card transitions into the running tenant view.
+ *
+ *   2. active/provisioning → deleted: when the corresponding CR no
+ *      longer exists in the cluster (404), or is mid-deletion (has
+ *      metadata.deletionTimestamp set), the row gets flipped to
+ *      `deleted`. The DB is otherwise blind to operator-initiated
+ *      deletions — when the 60-day TTL fires (Bug 37b) and the
+ *      operator deletes a suspended tenant, the portal would happily
+ *      keep showing the "Your assistant is ready!" card forever.
+ *      Without this reconciliation the dashboard drifts from reality.
+ *
+ * Errors are tolerated per-row: a transient API hiccup on one tenant
+ * shouldn't fail the whole sweep. Skipped rows get retried next call.
 *
 * Slice 3 note: with multi-tenant per org, this iterates each row
 * individually (keyed by its own tenant_name), so multiple in-flight
@@ -507,24 +666,47 @@ export async function deleteTenantRequest(id: string): Promise<void> {
 */
 export async function syncProvisioningStatuses(): Promise<void> {
  await ensureSchema();
+  // Pull every row that *might* be reconcilable in one query — the
+  // status filter narrows to ones whose CR-vs-DB consistency is
+  // worth checking. Pending/rejected/cancelled rows have no
+  // tenant_name to compare against; deleted rows are terminal.
  const result = await getPool().query<TenantRequest>(
-    "SELECT * FROM tenant_requests WHERE status = 'provisioning'"
+    "SELECT * FROM tenant_requests WHERE status IN ('provisioning', 'active') AND tenant_name IS NOT NULL"
  );

  for (const row of result.rows) {
    const mapped = mapRow(row);
    if (!mapped.tenantName) continue;

+    let tenant: Awaited<ReturnType<typeof getTenant>> = null;
    try {
-      const tenant = await getTenant(mapped.tenantName);
-      if (
-        tenant?.status?.phase === "Ready" ||
-        tenant?.status?.phase === "Running"
-      ) {
-        await updateTenantRequestStatus(mapped.id, "active");
-      }
+      tenant = await getTenant(mapped.tenantName);
    } catch {
-      // Tenant might not exist yet — skip
+      // Transient API error — skip this row, retry on next sweep.
+      continue;
+    }
+
+    // CR gone, or mid-deletion. Flip the row to 'deleted'. The
+    // `markTenantRequestDeletedByTenantName` helper also nulls the
+    // tenant_name column so any future tenant created with the same
+    // name (unlikely given UUID-suffixed naming, but possible) won't
+    // collide with the unique index on (tenant_name) WHERE
+    // request_type = 'provision'.
+    if (!tenant || tenant.metadata.deletionTimestamp) {
+      await markTenantRequestDeletedByTenantName(mapped.tenantName);
+      continue;
+    }
+
+    // CR exists and is healthy. Promote provisioning → active when
+    // the operator reports the tenant has reached steady state.
+    // Keep `active` rows on `active` regardless of phase — a
+    // temporarily-Reconfiguring tenant is still active from the
+    // portal's billing/visibility perspective.
+    if (
+      mapped.status === "provisioning" &&
+      (tenant.status?.phase === "Ready" || tenant.status?.phase === "Running")
+    ) {
+      await updateTenantRequestStatus(mapped.id, "active");
    }
  }
 }
@@ -555,6 +737,9 @@ function mapRow(row: any): TenantRequest {
    isPersonal: row.is_personal ?? false,
    dismissedAt:
      row.dismissed_at?.toISOString?.() ?? row.dismissed_at ?? null,
+    requestType: (row.request_type ?? "provision") as
+      | "provision"
+      | "resume",
    createdAt: row.created_at?.toISOString?.() ?? row.created_at,
    updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
  };
--- a/src/lib/k8s.ts
+++ b/src/lib/k8s.ts
@@ -130,3 +130,46 @@ export async function patchTenantSpec(
  }
  return res.json() as Promise<PiecedTenant>;
 }
+
+/**
+ * Set or clear an annotation on a PiecedTenant CR.
+ *
+ * Pass `value=null` to remove the annotation. K8s merge-patch removes
+ * a key when its value is null in the patch — that's exactly the
+ * semantic we want.
+ *
+ * Used by the resume-request flow (Bug 37a): the portal sets
+ * `pieced.ch/resume-request-pending` when a customer creates a
+ * resume request, and clears it when the request transitions to a
+ * terminal state. The operator reads this annotation to pause its
+ * 60-day deletion timer while a resume request is in flight.
+ *
+ * Annotations are namespaced informally — we use `pieced.ch/...` for
+ * everything we own, mirroring the labels.
+ */
+export async function setTenantAnnotation(
+  name: string,
+  key: string,
+  value: string | null
+): Promise<PiecedTenant> {
+  const url = `${getBaseUrl()}/apis/${API_VERSION}/${PLURAL}/${name}`;
+  const res = await fetch(url, {
+    method: "PATCH",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/merge-patch+json",
+      ...getAuthHeaders(),
+    },
+    body: JSON.stringify({
+      metadata: { annotations: { [key]: value } },
+    }),
+  });
+
+  if (!res.ok) {
+    const text = await res.text();
+    const err = new Error(`K8s annotate /${name}: ${res.status} ${text}`);
+    (err as any).statusCode = res.status;
+    throw err;
+  }
+  return res.json() as Promise<PiecedTenant>;
+}
--- a/src/messages/de.json
+++ b/src/messages/de.json
@@ -157,7 +157,16 @@
    "cancelConfirmBullet3": "Rechnungsdaten bleiben gespeichert",
    "subscriptionUpdateFailed": "Abonnement konnte nicht aktualisiert werden.",
    "suspendedTitle": "Abonnement gekündigt",
-    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen."
+    "suspendedDescription": "Ihr Assistent ist pausiert. Konfiguration und Daten bleiben erhalten. Verwenden Sie die Reaktivierungs-Schaltfläche unten auf dieser Seite, um ihn wieder online zu bringen.",
+    "requestReactivation": "Reaktivierung anfragen",
+    "requestReactivationConfirmTitle": "Reaktivierung anfragen?",
+    "requestReactivationConfirmDescription": "Ein Administrator prüft Ihre Anfrage und reaktiviert Ihren Tenant. Sie erhalten eine E-Mail, sobald die Anfrage genehmigt wurde.",
+    "requestReactivationConfirm": "Anfrage senden",
+    "cancelResumeRequest": "Anfrage stornieren",
+    "resumeRequestPendingTitle": "Reaktivierungsanfrage ausstehend",
+    "resumeRequestPendingDescription": "Eingereicht {when}. Ein Administrator wird die Anfrage in Kürze prüfen.",
+    "resumeRequestPendingNoteAdmin": "Ein Inhaber hat eine Reaktivierung angefragt; Sie können direkt oben fortfahren oder die Anfrage in der Admin-Warteschlange bearbeiten.",
+    "cancelConfirmRetentionWarning": "Ihre Daten bleiben nach der Kündigung 60 Tage lang erhalten. Danach werden alle Tenant-Daten – Konfiguration, Geheimnisse, Konversationen und Dateien – endgültig gelöscht."
  },
  "usage": {
    "inputTokens": "Input-Tokens",
@@ -297,7 +306,9 @@
    "loadingHealth": "Statusdaten werden geladen…",
    "statusHealthy": "OK",
    "statusDown": "Ausgefallen",
-    "spendChf": "Kosten (CHF)"
+    "spendChf": "Kosten (CHF)",
+    "resumeRequestBadge": "Wieder",
+    "resumeRequestTooltip": "Reaktivierungsanfrage für einen bestehenden Tenant. Bei Genehmigung wird der Tenant wieder aktiviert; keine Provisionierung läuft."
  },
  "channelUsers": {
    "title": "Autorisierte Benutzer",
--- a/src/messages/en.json
+++ b/src/messages/en.json
@@ -157,7 +157,16 @@
    "cancelConfirmBullet3": "Billing information is kept on file",
    "subscriptionUpdateFailed": "Could not update subscription.",
    "suspendedTitle": "Subscription cancelled",
-    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online."
+    "suspendedDescription": "Your assistant is paused. Configuration and data are preserved. Use the Resume control at the bottom of this page to bring it back online.",
+    "requestReactivation": "Request reactivation",
+    "requestReactivationConfirmTitle": "Request reactivation?",
+    "requestReactivationConfirmDescription": "An administrator will review your request and reactivate your tenant. You'll be notified by email once it's approved.",
+    "requestReactivationConfirm": "Submit request",
+    "cancelResumeRequest": "Cancel request",
+    "resumeRequestPendingTitle": "Reactivation request pending",
+    "resumeRequestPendingDescription": "Submitted {when}. An administrator will review it shortly.",
+    "resumeRequestPendingNoteAdmin": "An owner has requested reactivation; you can resume directly above or process the request from the admin queue.",
+    "cancelConfirmRetentionWarning": "Your data is preserved for 60 days after cancellation. After that, all tenant data — configuration, secrets, conversations, and files — will be permanently deleted."
  },
  "usage": {
    "inputTokens": "Input Tokens",
@@ -297,7 +306,9 @@
    "loadingHealth": "Loading health data…",
    "statusHealthy": "Healthy",
    "statusDown": "Down",
-    "spendChf": "Spend (CHF)"
+    "spendChf": "Spend (CHF)",
+    "resumeRequestBadge": "Resume",
+    "resumeRequestTooltip": "Reactivation request for an existing tenant. Approving will un-suspend the tenant; no provisioning runs."
  },
  "channelUsers": {
    "title": "Authorized Users",
--- a/src/messages/fr.json
+++ b/src/messages/fr.json
@@ -157,7 +157,16 @@
    "cancelConfirmBullet3": "Les informations de facturation sont conservées",
    "subscriptionUpdateFailed": "Impossible de mettre à jour l'abonnement.",
    "suspendedTitle": "Abonnement annulé",
-    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne."
+    "suspendedDescription": "Votre assistant est en pause. La configuration et les données sont préservées. Utilisez le contrôle Reprendre en bas de cette page pour le remettre en ligne.",
+    "requestReactivation": "Demander la réactivation",
+    "requestReactivationConfirmTitle": "Demander la réactivation ?",
+    "requestReactivationConfirmDescription": "Un administrateur examinera votre demande et réactivera votre locataire. Vous recevrez un e-mail dès que la demande sera approuvée.",
+    "requestReactivationConfirm": "Envoyer la demande",
+    "cancelResumeRequest": "Annuler la demande",
+    "resumeRequestPendingTitle": "Demande de réactivation en attente",
+    "resumeRequestPendingDescription": "Soumise {when}. Un administrateur l'examinera sous peu.",
+    "resumeRequestPendingNoteAdmin": "Un propriétaire a demandé la réactivation ; vous pouvez reprendre directement ci-dessus ou traiter la demande depuis la file d'attente d'administration.",
+    "cancelConfirmRetentionWarning": "Vos données sont conservées pendant 60 jours après l'annulation. Passé ce délai, toutes les données du locataire — configuration, secrets, conversations et fichiers — seront définitivement supprimées."
  },
  "usage": {
    "inputTokens": "Tokens d'entrée",
@@ -297,7 +306,9 @@
    "loadingHealth": "Chargement des données de santé…",
    "statusHealthy": "OK",
    "statusDown": "Hors service",
-    "spendChf": "Coûts (CHF)"
+    "spendChf": "Coûts (CHF)",
+    "resumeRequestBadge": "Reprise",
+    "resumeRequestTooltip": "Demande de réactivation d'un locataire existant. L'approbation le réactivera ; aucun provisionnement ne s'exécute."
  },
  "channelUsers": {
    "title": "Utilisateurs autorisés",
--- a/src/messages/it.json
+++ b/src/messages/it.json
@@ -157,7 +157,16 @@
    "cancelConfirmBullet3": "Le informazioni di fatturazione sono mantenute",
    "subscriptionUpdateFailed": "Impossibile aggiornare l'abbonamento.",
    "suspendedTitle": "Abbonamento annullato",
-    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online."
+    "suspendedDescription": "Il suo assistente è in pausa. Configurazione e dati sono preservati. Usi il controllo Riprendi in fondo a questa pagina per riportarlo online.",
+    "requestReactivation": "Richiedi riattivazione",
+    "requestReactivationConfirmTitle": "Richiedere la riattivazione?",
+    "requestReactivationConfirmDescription": "Un amministratore esaminerà la tua richiesta e riattiverà il tuo tenant. Riceverai un'email non appena la richiesta sarà approvata.",
+    "requestReactivationConfirm": "Invia richiesta",
+    "cancelResumeRequest": "Annulla richiesta",
+    "resumeRequestPendingTitle": "Richiesta di riattivazione in sospeso",
+    "resumeRequestPendingDescription": "Inviata {when}. Un amministratore la esaminerà a breve.",
+    "resumeRequestPendingNoteAdmin": "Un proprietario ha richiesto la riattivazione; puoi riprendere direttamente sopra o elaborare la richiesta dalla coda di amministrazione.",
+    "cancelConfirmRetentionWarning": "I tuoi dati sono conservati per 60 giorni dopo l'annullamento. Trascorso tale periodo, tutti i dati del tenant — configurazione, segreti, conversazioni e file — verranno eliminati definitivamente."
  },
  "usage": {
    "inputTokens": "Token di input",
@@ -297,7 +306,9 @@
    "loadingHealth": "Caricamento dati di stato…",
    "statusHealthy": "OK",
    "statusDown": "Non disponibile",
-    "spendChf": "Costi (CHF)"
+    "spendChf": "Costi (CHF)",
+    "resumeRequestBadge": "Ripresa",
+    "resumeRequestTooltip": "Richiesta di riattivazione di un tenant esistente. L'approvazione lo riattiverà; non viene eseguito alcun provisioning."
  },
  "channelUsers": {
    "title": "Utenti autorizzati",
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -134,6 +134,15 @@ export interface PiecedTenant {
    name: string;
    namespace?: string;
    creationTimestamp?: string;
+    /**
+     * Set by the API server when something issues a Delete on the CR.
+     * The CR continues to exist while finalizers run cleanup; once
+     * they all remove themselves, the API server permanently removes
+     * the CR. Used by the portal's status sync to detect tenants
+     * being torn down — the customer should see "Deleted" rather
+     * than "Ready" while the cleanup runs.
+     */
+    deletionTimestamp?: string;
    labels?: Record<string, string>;
    annotations?: Record<string, string>;
  };
@@ -227,6 +236,19 @@ export interface TenantRequest {
   * login). Always null for non-rejected statuses.
   */
  dismissedAt?: string | null;
+  /**
+   * Bug 37a: discriminator between provision (initial tenant creation,
+   * the original purpose of this table) and resume (admin-gated
+   * reactivation of a suspended tenant). Default 'provision' for all
+   * pre-existing rows; resume rows have most provision fields null
+   * but tenant_name set to the tenant being requested.
+   *
+   * Optional on the TS type so provision-only callers (like the
+   * onboarding wizard's create flow) don't need to know about resume
+   * requests. The DB column is NOT NULL DEFAULT 'provision', so rows
+   * loaded via `mapRow` always have a value populated.
+   */
+  requestType?: "provision" | "resume";
  createdAt: string;
  updatedAt: string;
 }
Author	SHA1	Message	Date
admin	b12bca8818	Suspendedremoval display in Frontend All checks were successful Build and Push / build (push) Successful in 1m28s Details	2026-05-01 21:39:16 +02:00
admin	a79d0defa4	Suspendedremoval All checks were successful Build and Push / build (push) Successful in 1m28s Details	2026-05-01 18:17:04 +02:00
admin	de1bb9bd02	Suspendedremoval Some checks failed Build and Push / build (push) Failing after 41s Details	2026-05-01 18:11:42 +02:00
admin	a5812dca9a	Suspendedremoval Some checks failed Build and Push / build (push) Failing after 48s Details	2026-05-01 18:07:00 +02:00