Personal accounts

Multitenantperorg enabling
OneLiteLLM team per company+virt keys
2026-04-26 22:26:33 +02:00 · 2026-04-26 22:09:26 +02:00 · 2026-04-26 21:21:02 +02:00 · 2026-04-26 18:47:50 +02:00 · 2026-04-25 22:48:05 +02:00
27 changed files with 1362 additions and 333 deletions
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -61,29 +61,22 @@ jobs:
          fi
          echo "version=${next}" >> "$GITHUB_OUTPUT"
-      - name: Install skopeo
+      - name: Build and push image
        run: |
          apt-get update -qq && apt-get install -y -qq skopeo
      - name: Push with skopeo debug
        env:
          REG_USER: ${{ secrets.REGISTRY_USERNAME }}
          REG_PASS: ${{ secrets.REGISTRY_PASSWORD }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          set -euo pipefail
-          
+          printf '%s' "$REG_PASS" \
-          docker build --pull -t "${REGISTRY}/${IMAGE}:${VERSION}" .
+            | docker login "${REGISTRY}" -u "$REG_USER" --password-stdin
-          docker save "${REGISTRY}/${IMAGE}:${VERSION}" -o /tmp/image.tar
+          docker build \
-          
+            --pull \
-          AUTH=$(printf '%s:%s' "$REG_USER" "$REG_PASS" | base64 -w0)
+            -t "${REGISTRY}/${IMAGE}:${VERSION}" \
-          mkdir -p /tmp/auth
+            -t "${REGISTRY}/${IMAGE}:latest" \
-          printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$REGISTRY" "$AUTH" > /tmp/auth/auth.json
+            .
-          
+          docker push "${REGISTRY}/${IMAGE}:${VERSION}"
-          # --debug prints HTTP request/response details
+          docker push "${REGISTRY}/${IMAGE}:latest"
          skopeo --debug copy --authfile /tmp/auth/auth.json \
            "docker-archive:/tmp/image.tar" \
            "docker://${REGISTRY}/${IMAGE}:${VERSION}" 2>&1 | tail -100
      - name: Tag git commit with version
        env:
--- a/scripts/verify-find-key-by-alias.mjs
+++ b/scripts/verify-find-key-by-alias.mjs
@@ -0,0 +1,64 @@
 // Smoke-test for the FindKeyByAlias parsing logic — runs the JSON
 // permutations LiteLLM has been seen to emit through the unmarshal
 // paths and confirms each ends up at the expected outcome.
 //
 // Since the operator can't run inside this sandbox, this is a
 // JS port of the parsing flow. It exercises decisions the Go code
 // makes line-for-line.
 const cases = [
  {
    name: "newer object shape, alias matches",
    body: { keys: [{ token: "tk-1", key_alias: "acme-abc12345" }, { token: "tk-2", key_alias: "beta-def67890" }] },
    expected: "tk-1",
  },
  {
    name: "newer object shape, alias does not match",
    body: { keys: [{ token: "tk-2", key_alias: "beta-def67890" }] },
    expected: "",
  },
  {
    name: "newer object shape, empty keys array",
    body: { keys: [] },
    expected: "",
  },
  {
    name: "older string shape — cannot filter, return empty",
    body: { keys: ["sk-abc", "sk-def"] },
    expected: "",
  },
  {
    name: "matching alias but missing token field",
    body: { keys: [{ key_alias: "acme-abc12345" }] },
    expected: "",
  },
 ];
 function findKeyByAlias(body, keyAlias) {
  // Mirror the Go logic exactly.
  let asObjects;
  try {
    asObjects = body;
    if (!asObjects || !Array.isArray(asObjects.keys)) return "";
    for (const k of asObjects.keys) {
      // Skip non-objects (= older string shape)
      if (typeof k !== "object" || k === null) continue;
      if (k.key_alias === keyAlias && k.token) {
        return k.token;
      }
    }
  } catch {
    return "";
  }
  return "";
 }
 let pass = 0, fail = 0;
 for (const c of cases) {
  const got = findKeyByAlias(c.body, "acme-abc12345");
  const ok = got === c.expected;
  console.log(`${ok ? "PASS" : "FAIL"}  got="${got}"  want="${c.expected}"  [${c.name}]`);
  if (ok) pass++; else fail++;
 }
 console.log(`\n${pass} pass, ${fail} fail`);
 process.exit(fail === 0 ? 0 : 1);
--- a/scripts/verify-personal-org.mjs
+++ b/scripts/verify-personal-org.mjs
@@ -0,0 +1,32 @@
 // Standalone JS port of `lib/personal-org.ts::isPersonalOrgName`
 // for offline verification.
 const PERSONAL_ORG_SUFFIX = " (Personal)";
 function isPersonalOrgName(orgName) {
  if (!orgName) return false;
  return orgName.trimEnd().endsWith(PERSONAL_ORG_SUFFIX);
 }
 const cases = [
  ["Bob Müller (Personal)", true,  "personal account"],
  ["Acme GmbH",             false, "company"],
  ["Acme (Personal) Ltd",   false, "suffix in middle does not count"],
  ["Bob (Personal)  ",      true,  "trailing whitespace tolerated"],
  ["Bob (personal)",        false, "case-sensitive — lowercase doesn't match"],
  ["",                      false, "empty"],
  [null,                    false, "null"],
  [undefined,               false, "undefined"],
  ["Bob (Personal)x",       false, "non-trailing suffix"],
  [" (Personal)",           true,  "minimal — empty user name (degenerate but matches)"],
 ];
 let pass = 0, fail = 0;
 for (const [name, expected, note] of cases) {
  const got = isPersonalOrgName(name);
  const ok = got === expected;
  console.log(`${ok ? "PASS" : "FAIL"}  got=${got}  want=${expected}  [${note}]  input=${JSON.stringify(name)}`);
  if (ok) pass++; else fail++;
 }
 console.log(`\n${pass} pass, ${fail} fail`);
 process.exit(fail === 0 ? 0 : 1);
--- a/scripts/verify-tenant-naming.mjs
+++ b/scripts/verify-tenant-naming.mjs
@@ -0,0 +1,97 @@
 // Standalone JS port of deriveTenantName for offline verification.
 // Mirror lib/tenant-naming.ts byte-for-byte logic.
 const MAX_NAMESPACE_LEN = 63;
 const NAMESPACE_PREFIX = "tenant-";
 const MAX_TENANT_NAME_LEN = MAX_NAMESPACE_LEN - NAMESPACE_PREFIX.length;
 const SUFFIX_HEX_LEN = 8;
 const SUFFIX_TOTAL_LEN = SUFFIX_HEX_LEN + 1;
 const MAX_SLUG_LEN = MAX_TENANT_NAME_LEN - SUFFIX_TOTAL_LEN;
 function slugify(input) {
  return input
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "");
 }
 function requestIdSuffix(requestId) {
  const hex = requestId.replace(/-/g, "").toLowerCase();
  if (!/^[0-9a-f]{8}/.test(hex)) {
    throw new Error(`Invalid request id: ${requestId}`);
  }
  return hex.slice(0, SUFFIX_HEX_LEN);
 }
 function deriveTenantName(kind, companyName, requestId) {
  const suffix = requestIdSuffix(requestId);
  if (kind === "personal") return `p-${suffix}`;
  const rawSlug = slugify(companyName);
  const slug = rawSlug.slice(0, MAX_SLUG_LEN).replace(/-+$/, "");
  if (!slug) return `t-${suffix}`;
  return `${slug}-${suffix}`;
 }
 // ---------------------------------------------------------------------------
 // Tests
 // ---------------------------------------------------------------------------
 const cases = [
  // [kind, companyName, requestId, expected, note]
  ["company", "Acme GmbH", "abc12345-1234-1234-1234-123456789abc", "acme-gmbh-abc12345", "basic company"],
  ["company", "Müller AG", "abc12345-aaaa", "m-ller-ag-abc12345", "umlaut → '-'"],
  ["company", "!!!", "abc12345-aaaa", "t-abc12345", "no alnum → 't-' fallback"],
  ["personal", "irrelevant", "abc12345-aaaa", "p-abc12345", "personal ignores companyName"],
  ["personal", "", "abc12345-aaaa", "p-abc12345", "personal with empty companyName"],
  ["company", "  Trim  Me  ", "abc12345-aaaa", "trim-me-abc12345", "leading/trailing whitespace"],
  ["company", "Foo---Bar", "abc12345-aaaa", "foo-bar-abc12345", "consecutive hyphens collapse"],
  ["company", "A very long company name that absolutely will exceed the slug limit easily", "abc12345-aaaa", null, "must be <= 56 chars"],
  ["company", "----", "abc12345-aaaa", "t-abc12345", "all-hyphen → fallback"],
  ["company", "ACME", "ABCDEF12-...", "acme-abcdef12", "uppercase UUID is lowercased"],
 ];
 let pass = 0, fail = 0;
 for (const [kind, name, id, expected, note] of cases) {
  let got;
  let err = null;
  try {
    got = deriveTenantName(kind, name, id);
  } catch (e) {
    err = e.message;
  }
  // Special length-only cases
  if (expected === null) {
    const ok = got && got.length <= 56;
    console.log(`${ok ? "PASS" : "FAIL"}  len(${got}) = ${got?.length}  [${note}]`);
    if (ok) pass++; else fail++;
    continue;
  }
  if (err) {
    console.log(`THROW ${err}  [${note}]`);
    if (expected === "throw") pass++; else fail++;
    continue;
  }
  const ok = got === expected;
  console.log(`${ok ? "PASS" : "FAIL"}  got=${got}  want=${expected}  [${note}]`);
  if (ok) pass++; else fail++;
 }
 // Should-throw cases
 console.log("\nThrow cases:");
 const throwCases = [
  ["company", "Acme", "", "empty requestId"],
  ["company", "Acme", "xyz", "non-hex requestId"],
  ["company", "Acme", "1234567", "too short (7 chars)"],
 ];
 for (const [kind, name, id, note] of throwCases) {
  let threw = false;
  try { deriveTenantName(kind, name, id); } catch { threw = true; }
  console.log(`${threw ? "PASS" : "FAIL"}  threw=${threw}  [${note}]`);
  if (threw) pass++; else fail++;
 }
 console.log(`\n${pass} pass, ${fail} fail`);
 process.exit(fail === 0 ? 0 : 1);
--- a/src/app/[locale]/dashboard/new/page.tsx
+++ b/src/app/[locale]/dashboard/new/page.tsx
@@ -0,0 +1,49 @@
 import { getSessionUser } from "@/lib/session";
 import { getTranslations } from "next-intl/server";
 import { redirect } from "next/navigation";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
 import Link from "next/link";
 /**
 * /dashboard/new — wizard for creating an additional instance for an
 * existing customer. Reachable from the dashboard "+ Create new instance"
 * link.
 *
 * Slice 3: this page is the entry point for follow-up instances. The
 * first-instance case is still served inline on /dashboard. Both paths
 * mount the same <OnboardingFlow>; the API resolves the difference
 * server-side based on whether prior approved rows exist for the org.
 *
 * Platform admins are redirected to /dashboard — they shouldn't be
 * creating tenant instances under their own org.
 */
 export default async function NewInstancePage() {
  const user = await getSessionUser();
  if (!user) redirect("/login");
  if (user.isPlatform) redirect("/dashboard");
  const t = await getTranslations("dashboard");
  return (
    <div>
      <div className="mb-8 animate-in">
        <Link
          href="/dashboard"
          className="inline-flex items-center gap-1.5 mb-4 text-xs font-medium text-text-muted hover:text-text-primary transition-colors"
        >
          <span>←</span> {t("title")}
        </Link>
        <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
          {t("createInstance")}
        </h1>
        <p className="text-text-secondary text-sm mt-4">
          {t("createInstanceDescription")}
        </p>
      </div>
      <div className="animate-in animate-in-delay-1">
        <OnboardingFlow orgName={user.orgName} />
      </div>
    </div>
  );
 }
--- a/src/app/[locale]/dashboard/page.tsx
+++ b/src/app/[locale]/dashboard/page.tsx
@@ -2,11 +2,11 @@ import { getSessionUser } from "@/lib/session";
 import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect } from "next/navigation";
 import { listTenants } from "@/lib/k8s";
-import { getTenantRequestByOrgId } from "@/lib/db";
+import { listActiveTenantRequestsByOrgId } from "@/lib/db";
 import { Card, CardHeader } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { UsageDisplay } from "@/components/dashboard/usage-display";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
 import { ProvisioningStatus } from "@/components/onboarding/provisioning-status";
 import { formatDateTime } from "@/lib/format";
 import Link from "next/link";
@@ -20,7 +20,7 @@ export default async function DashboardPage() {
  const allTenants = await listTenants();
-  // Platform users see overview of all tenants
+  // Platform users see overview of all tenants — unchanged from pre-Slice-3.
  if (user.isPlatform) {
    const phaseCount = allTenants.reduce<Record<string, number>>((acc, t) => {
      const phase = t.status?.phase ?? "Pending";
@@ -133,20 +133,24 @@ export default async function DashboardPage() {
    );
  }
-  // Regular user: find their tenant
+  // ---------------------------------------------------------------------
-  const myTenant = allTenants.find(
+  // Customer view (Slice 3 multi-tenant)
  // ---------------------------------------------------------------------
  const orgTenants = allTenants.filter(
    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
  );
  const orgRequests = await listActiveTenantRequestsByOrgId(user.orgId);
-  // No tenant → check for existing request, show onboarding flow
+  // Pending/in-flight requests that don't yet have a tenant CR. Once the
-  if (!myTenant) {
+  // CR exists, the tenant card carries the live phase, so a separate
-    const existingRequest = await getTenantRequestByOrgId(user.orgId);
+  // "request" card would just duplicate it.
-    // Treat "deleted" as no request — customer can re-onboard
+  const inflightRequests = orgRequests.filter(
-    const initialState =
+    (r) => !r.tenantName || !orgTenants.some((t) => t.metadata.name === r.tenantName)
-      !existingRequest || existingRequest.status === "deleted"
+  );
        ? "no_request"
        : existingRequest.status;
  // First-time user: empty company. Show the onboarding wizard inline.
  if (orgTenants.length === 0 && inflightRequests.length === 0) {
    return (
      <div>
        <div className="mb-8 animate-in">
@@ -159,20 +163,18 @@ export default async function DashboardPage() {
        </div>
        <div className="animate-in animate-in-delay-1">
-          <OnboardingFlow
+          <OnboardingFlow orgName={user.orgName} />
            orgName={user.orgName}
            initialState={initialState as any}
          />
        </div>
      </div>
    );
  }
-  const tenantName = myTenant.metadata.name;
+  // Returning customer: list of tenants + in-flight requests, plus
-
+  // a button to add another instance.
  return (
    <div>
-      <div className="mb-8 animate-in">
+      <div className="mb-8 animate-in flex items-start justify-between gap-4">
        <div>
          <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
            {t("title")}
          </h1>
@@ -181,48 +183,87 @@ export default async function DashboardPage() {
          </p>
        </div>
-      {/* Instance status card */}
+        <Link
-      <div className="mb-6 animate-in animate-in-delay-1">
+          href="/dashboard/new"
-        <Card>
+          className="shrink-0 inline-flex items-center gap-1.5 py-2 px-4 bg-accent text-white text-xs font-medium rounded-lg hover:bg-accent-dim transition-colors"
-          <CardHeader>{t("instanceStatus")}</CardHeader>
+        >
-          <div className="flex items-center gap-4">
+          <span>+</span> {t("createInstance")}
-            <StatusBadge phase={myTenant.status?.phase ?? "Pending"} />
+        </Link>
            {myTenant.spec.agentName && (
              <span className="text-sm text-text-secondary">
                {myTenant.spec.agentName}
              </span>
            )}
      </div>
-          {myTenant.spec.packages && myTenant.spec.packages.length > 0 && (
+
-            <div className="flex flex-wrap gap-2 mt-3">
+      {/* In-flight (pending/approved/provisioning/rejected) requests */}
-              {myTenant.spec.packages.map((pkg) => (
+      {inflightRequests.length > 0 && (
        <div className="mb-8 animate-in animate-in-delay-1">
          <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
            {t("inflightRequests")}
          </h2>
          <div className="space-y-3">
            {inflightRequests.map((r) => (
              <ProvisioningStatus key={r.id} requestId={r.id} />
            ))}
          </div>
        </div>
      )}
      {/* Active tenants */}
      {orgTenants.length > 0 && (
        <div className="animate-in animate-in-delay-2">
          <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
            {t("instances")}
          </h2>
          <div className="grid gap-4 md:grid-cols-2">
            {orgTenants.map((tenant) => (
              <Link
                key={tenant.metadata.name}
                href={`/tenants/${tenant.metadata.name}`}
                className="block group"
              >
                <Card className="h-full hover:border-accent/40 transition-colors">
                  <div className="flex items-start justify-between gap-3 mb-3">
                    <div className="min-w-0">
                      <div className="text-sm font-semibold text-text-primary truncate">
                        {tenant.spec.displayName || tenant.metadata.name}
                      </div>
                      <div className="font-mono text-xs text-text-muted truncate mt-0.5">
                        {tenant.metadata.name}
                      </div>
                    </div>
                    <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
                  </div>
                  {tenant.spec.agentName && (
                    <div className="text-xs text-text-secondary mb-2">
                      {tenant.spec.agentName}
                    </div>
                  )}
                  {tenant.spec.packages && tenant.spec.packages.length > 0 && (
                    <div className="flex flex-wrap gap-1.5 mb-3">
                      {tenant.spec.packages.slice(0, 4).map((pkg) => (
                        <span
                          key={pkg}
-                  className="text-xs font-mono bg-accent/10 text-accent border border-accent/20 rounded-full px-2.5 py-0.5"
+                          className="text-xs font-mono bg-accent/10 text-accent border border-accent/20 rounded-full px-2 py-0.5"
                        >
                          {pkg}
                        </span>
                      ))}
                      {tenant.spec.packages.length > 4 && (
                        <span className="text-xs text-text-muted">
                          +{tenant.spec.packages.length - 4}
                        </span>
                      )}
                    </div>
                  )}
                  <div className="text-xs font-medium text-accent group-hover:text-accent-dim transition-colors">
                    {t("manage")} →
                  </div>
                </Card>
      </div>
      {/* Usage — no teamId passed, backend resolves from session */}
      <div className="mb-6 animate-in animate-in-delay-2">
        <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
          {t("usage")}
        </h2>
        <UsageDisplay />
      </div>
      {/* Link to tenant detail */}
      <Link
        href={`/tenants/${tenantName}`}
        className="inline-flex items-center gap-1.5 text-xs font-medium text-accent hover:text-accent-dim transition-colors animate-in animate-in-delay-3"
      >
        <span>→</span> {t("manage")}
              </Link>
            ))}
          </div>
        </div>
      )}
    </div>
  );
 }
--- a/src/app/[locale]/register/page.tsx
+++ b/src/app/[locale]/register/page.tsx
@@ -7,6 +7,13 @@ import { Card } from "@/components/ui/card";
 type FormState = "idle" | "submitting" | "success" | "error";
 /**
 * Slice 4: a "Register as individual" toggle distinguishes personal
 * accounts from company registrations. When the toggle is on:
 *   - the company name field is hidden (and not sent)
 *   - the server skips the duplicate-domain check
 *   - the ZITADEL org is named "{givenName} {familyName} (Personal)"
 */
 export default function RegisterPage() {
  const t = useTranslations("register");
  const tCommon = useTranslations("common");
@@ -18,6 +25,7 @@ export default function RegisterPage() {
    familyName: "",
    email: "",
  });
  const [isPersonal, setIsPersonal] = useState(false);
  const [state, setState] = useState<FormState>("idle");
  const [error, setError] = useState("");
@@ -31,15 +39,23 @@ export default function RegisterPage() {
    setState("submitting");
    try {
-      const res = await fetch("/api/register", {
+      // Build the request body explicitly. For personals we omit
-        method: "POST",
+      // companyName so the server knows to derive the org name from
-        headers: { "Content-Type": "application/json" },
+      // the user's full name. The Zod schema accepts the omission.
-        body: JSON.stringify({
+      const body: Record<string, unknown> = {
          companyName: form.companyName,
        givenName: form.givenName,
        familyName: form.familyName,
        email: form.email,
-        }),
+        isPersonal,
      };
      if (!isPersonal) {
        body.companyName = form.companyName;
      }
      const res = await fetch("/api/register", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(body),
      });
      if (!res.ok) {
@@ -104,7 +120,26 @@ export default function RegisterPage() {
        <Card className="animate-in animate-in-delay-1">
          <form onSubmit={handleSubmit} className="space-y-4">
-            {/* Company name */}
+            {/* Personal-account toggle */}
            <label className="flex items-start gap-3 cursor-pointer select-none p-3 rounded-lg border border-border bg-surface-2 hover:border-accent/40 transition-colors">
              <input
                type="checkbox"
                checked={isPersonal}
                onChange={(e) => setIsPersonal(e.target.checked)}
                className="mt-0.5 h-4 w-4 rounded border-border bg-surface-1 text-accent focus:ring-1 focus:ring-accent focus:ring-offset-0"
              />
              <div className="flex-1 min-w-0">
                <div className="text-sm font-medium text-text-primary">
                  {t("individualToggle")}
                </div>
                <div className="text-xs text-text-muted mt-0.5">
                  {t("individualHint")}
                </div>
              </div>
            </label>
            {/* Company name — hidden for personal */}
            {!isPersonal && (
              <div>
                <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
                  {t("companyName")}
@@ -119,6 +154,7 @@ export default function RegisterPage() {
                  className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
                />
              </div>
            )}
            {/* Name row */}
            <div className="grid grid-cols-2 gap-3">
@@ -161,7 +197,7 @@ export default function RegisterPage() {
                required
                value={form.email}
                onChange={handleChange}
-                placeholder="you@company.ch"
+                placeholder={isPersonal ? "you@example.ch" : "you@company.ch"}
                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
              />
            </div>
--- a/src/app/[locale]/tenants/[name]/page.tsx
+++ b/src/app/[locale]/tenants/[name]/page.tsx
@@ -41,11 +41,18 @@ export default async function TenantDetailPage({
  );
  const channelUsers = tenant.spec.channelUsers || {};
-  // Admins inspecting another tenant's usage: pass teamId explicitly.
+  // Admins inspecting another tenant's usage: pass teamId AND keyAlias so
-  // Customers viewing their own: no teamId, backend resolves from session.
+  // the backend filters spend logs by this specific tenant's virtual key.
  // Without keyAlias the response would include sibling tenants in the
  // same org, since teams are now shared (Slice 2).
  // Customers viewing their own: pass nothing — backend resolves both
  // from the session-bound tenant.
  const usageTeamId = user.isPlatform
    ? tenant.status?.litellmTeamId || undefined
    : undefined;
  const usageKeyAlias = user.isPlatform
    ? tenant.status?.litellmKeyAlias || undefined
    : undefined;
  return (
    <div>
@@ -81,7 +88,7 @@ export default async function TenantDetailPage({
        <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
          {t("usage")}
        </h2>
-        <UsageDisplay teamId={usageTeamId} />
+        <UsageDisplay teamId={usageTeamId} keyAlias={usageKeyAlias} />
      </section>
      {/* Packages */}
--- a/src/app/api/admin/health/route.ts
+++ b/src/app/api/admin/health/route.ts
@@ -4,6 +4,7 @@ import { listTenants } from "@/lib/k8s";
 import {
  getLitellmHealth,
  getGlobalSpend,
  getPerKeySpend,
  getPerTeamSpend,
 } from "@/lib/litellm";
@@ -28,6 +29,17 @@ async function checkVllmHealth(): Promise<{
 /**
 * GET /api/admin/health
 * Returns system health overview for the admin panel.
 *
 * Slice 2 spend layout
 * --------------------
 * - `spend.global`           — total across all teams (LiteLLM-reported)
 * - `spend.perTenant[name]`  — per-tenant CHF, derived from the per-key
 *                              spend map keyed by `litellmKeyAlias`. Only
 *                              populated for tenants whose status carries
 *                              an alias (post-Slice-2 reconciled CRs).
 * - `spend.perOrg[teamId]`   — company-level total (= LiteLLM team total).
 *                              Useful for the admin overview to see
 *                              spend-per-customer at a glance.
 */
 export async function GET() {
  try {
@@ -36,17 +48,17 @@ export async function GET() {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }
-  const [tenants, litellm, vllm, globalSpend, perTeamSpend] =
+  const [tenants, litellm, vllm, globalSpend, perKeySpend, perTeamSpend] =
    await Promise.allSettled([
      listTenants(),
      getLitellmHealth(),
      checkVllmHealth(),
      getGlobalSpend(),
      getPerKeySpend(),
      getPerTeamSpend(),
    ]);
-  const allTenants =
+  const allTenants = tenants.status === "fulfilled" ? tenants.value : [];
    tenants.status === "fulfilled" ? tenants.value : [];
  // Count tenants by phase
  const phaseCounts: Record<string, number> = {};
@@ -57,15 +69,27 @@ export async function GET() {
    phaseCounts[phase] = (phaseCounts[phase] || 0) + 1;
  }
-  // Build per-tenant spend map (tenantName → spend)
+  // Build per-tenant spend map (tenantName → spend) from the per-key map.
-  const spendMap: Record<string, number> = {};
+  // Tenants without a `litellmKeyAlias` in status are skipped — they
  // simply won't appear in this map until they've been reconciled by
  // the Slice-2 operator.
  const keySpend =
    perKeySpend.status === "fulfilled" ? perKeySpend.value : new Map();
  const tenantSpend: Record<string, number> = {};
  for (const t of allTenants) {
    const alias = t.status?.litellmKeyAlias;
    if (alias && keySpend.has(alias)) {
      tenantSpend[t.metadata.name] = keySpend.get(alias)!;
    }
  }
  // Build per-org spend map (teamId → spend). Multiple tenants of the
  // same org share a teamId, so the same number appears for each.
  const teamSpend =
    perTeamSpend.status === "fulfilled" ? perTeamSpend.value : new Map();
-  for (const t of allTenants) {
+  const orgSpend: Record<string, number> = {};
-    const teamId = t.status?.litellmTeamId;
+  for (const [teamId, spend] of teamSpend.entries()) {
-    if (teamId && teamSpend.has(teamId)) {
+    orgSpend[teamId] = spend;
      spendMap[t.metadata.name] = teamSpend.get(teamId)!;
    }
  }
  return NextResponse.json({
@@ -76,7 +100,8 @@ export async function GET() {
    spend: {
      global:
        globalSpend.status === "fulfilled" ? globalSpend.value : 0,
-      perTenant: spendMap,
+      perTenant: tenantSpend,
      perOrg: orgSpend,
    },
    services: {
      litellm:
--- a/src/app/api/admin/requests/[id]/approve/route.ts
+++ b/src/app/api/admin/requests/[id]/approve/route.ts
@@ -14,6 +14,7 @@ import {
  getDefaultAgentsMd,
  generateToolsMd,
 } from "@/lib/workspace-defaults";
 import { deriveTenantName } from "@/lib/tenant-naming";
 import { safeError } from "@/lib/errors";
 /**
@@ -61,13 +62,14 @@ export async function POST(
  const isReApproval = tenantRequest.status === "rejected";
-  // Derive tenant name from company name: lowercase, alphanumeric + hyphens
+  // Build the CR name: see `lib/tenant-naming.ts` for the format spec.
-  const tenantName =
+  // Slice 4: for personal accounts the slug is replaced by the literal
-    tenantRequest.companyName
+  // "p-" prefix so no PII is embedded in the K8s namespace name.
-      .toLowerCase()
+  const tenantName = deriveTenantName(
-      .replace(/[^a-z0-9]+/g, "-")
+    tenantRequest.isPersonal ? "personal" : "company",
-      .replace(/^-|-$/g, "")
+    tenantRequest.companyName,
-      .slice(0, 63) || `tenant-${tenantRequest.id.slice(0, 8)}`;
+    tenantRequest.id
  );
  try {
    // Step 1: Decrypt and write package secrets to OpenBao (if collected during wizard)
@@ -98,11 +100,23 @@ export async function POST(
      "TOOLS.md": toolsMd,
    };
-    // Step 4: Create the PiecedTenant CR
+    // Step 4: Create the PiecedTenant CR.
    // displayName precedence:
    //   1. customer-chosen instance name (Slice 3 multi-tenant)
    //   2. for personal accounts, the contact name (avoids exposing the
    //      synthetic "{name} (Personal)" company name in the OpenClaw UI)
    //   3. company name otherwise
    const displayName =
      tenantRequest.instanceName && tenantRequest.instanceName.trim().length > 0
        ? tenantRequest.instanceName.trim()
        : tenantRequest.isPersonal
          ? tenantRequest.contactName || "Assistant"
          : tenantRequest.companyName;
    await createTenant(
      tenantName,
      {
-        displayName: tenantRequest.companyName,
+        displayName,
        agentName: tenantRequest.agentName,
        packages,
        workspaceFiles,
--- a/src/app/api/onboarding/route.ts
+++ b/src/app/api/onboarding/route.ts
@@ -1,17 +1,27 @@
-import { NextResponse } from "next/server";
+import { NextRequest, NextResponse } from "next/server";
 import { getSessionUser } from "@/lib/session";
 import {
  createTenantRequest,
-  getTenantRequestByOrgId,
+  getTenantRequestById,
-  deleteTenantRequest,
+  listTenantRequestsByOrgId,
  listActiveTenantRequestsByOrgId,
  getMostRecentApprovedRequestForOrg,
 } from "@/lib/db";
 import { getTenant, listTenants } from "@/lib/k8s";
 import { sendAdminNotificationEmail } from "@/lib/email";
 import { encryptSecrets } from "@/lib/crypto";
-import type { OnboardingInput } from "@/types";
+import { isPersonalOrgName } from "@/lib/personal-org";
 import type { OnboardingInput, PiecedTenant, TenantRequest } from "@/types";
 import { z } from "zod";
 const onboardingSchema = z.object({
  instanceName: z
    .string()
    .trim()
    .max(80)
    .optional()
    // Empty string from a form input → drop to undefined so the DB stores NULL
    .transform((v) => (v && v.length > 0 ? v : undefined)),
  agentName: z.string().min(1).max(50),
  soulMd: z.string().max(10_000).optional(),
  agentsMd: z.string().max(10_000).optional(),
@@ -30,59 +40,116 @@ const onboardingSchema = z.object({
 });
 /**
- * GET /api/onboarding
+ * Helper: shape a TenantRequest row for client consumption.
- * Check the current onboarding state for the logged-in user's org.
+ * Hides server-only fields (encryptedSecrets, internal db ids).
 */
-export async function GET() {
+function publicRequestShape(r: TenantRequest) {
  return {
    id: r.id,
    instanceName: r.instanceName,
    agentName: r.agentName,
    packages: r.packages,
    status: r.status,
    adminNotes: r.adminNotes,
    tenantName: r.tenantName,
    createdAt: r.createdAt,
    updatedAt: r.updatedAt,
  };
 }
 function publicTenantShape(t: PiecedTenant) {
  return {
    name: t.metadata.name,
    displayName: t.spec.displayName,
    phase: t.status?.phase ?? "Pending",
    suspended: t.spec.suspend ?? false,
    packages: t.spec.packages ?? [],
    creationTimestamp: t.metadata.creationTimestamp,
    conditions: t.status?.conditions ?? [],
  };
 }
 /**
 * GET /api/onboarding
 *
 * Two response shapes depending on the `?id=` query:
 *
 *   - With `?id=<requestId>`: returns the single request's status plus
 *     the linked tenant's phase if approved. Used by ProvisioningStatus
 *     to poll a specific request. The id is validated against the
 *     caller's orgId so admins-and-only-admins can read across orgs.
 *
 *   - Without `id`: returns lists of all in-flight requests and active
 *     tenants for the caller's org. Used by the dashboard to render the
 *     multi-tenant view.
 *
 * Slice 3 note: this replaces the old single-state response shape
 * (`{ state: "...", request: {...} }`). Pre-Slice-3 callers will see
 * the new shape and need to be updated. The only known caller is
 * `<ProvisioningStatus>`, updated in lockstep.
 */
 export async function GET(req: NextRequest) {
  const user = await getSessionUser();
  if (!user) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
-  // Check if there's already a running tenant for this org
+  const requestedId = req.nextUrl.searchParams.get("id");
  const allTenants = await listTenants();
  const myTenant = allTenants.find(
    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
  );
-  if (myTenant) {
+  if (requestedId) {
    const tr = await getTenantRequestById(requestedId);
    if (!tr) {
      return NextResponse.json({ error: "Not found" }, { status: 404 });
    }
    // Customers may only read their own org's requests; platform
    // admins/operators may read any.
    if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
      return NextResponse.json({ error: "Not found" }, { status: 404 });
    }
    let tenant: PiecedTenant | null = null;
    if (tr.tenantName) {
      tenant = (await getTenant(tr.tenantName)) ?? null;
    }
    return NextResponse.json({
-      state: "active",
+      request: publicRequestShape(tr),
-      tenantName: myTenant.metadata.name,
+      tenant: tenant ? publicTenantShape(tenant) : null,
      phase: myTenant.status?.phase ?? "Unknown",
    });
  }
-  // Check if there's a pending request
+  // List view: requests + tenants for this org
-  const request = await getTenantRequestByOrgId(user.orgId);
+  const [requests, allTenants] = await Promise.all([
    listActiveTenantRequestsByOrgId(user.orgId),
    listTenants(),
  ]);
-  if (!request || request.status === "deleted") {
+  const orgTenants = allTenants.filter(
-    return NextResponse.json({ state: "no_request" });
+    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
-  }
+  );
  return NextResponse.json({
-    state: request.status,
+    requests: requests.map(publicRequestShape),
-    request: {
+    tenants: orgTenants.map(publicTenantShape),
      id: request.id,
      agentName: request.agentName,
      packages: request.packages,
      status: request.status,
      adminNotes: request.adminNotes,
      tenantName: request.tenantName,
      createdAt: request.createdAt,
    },
  });
 }
 /**
 * POST /api/onboarding
 * Submit the onboarding wizard. Creates a tenant_request with status "pending".
 * The actual PiecedTenant CR is NOT created yet — admin approval required.
 *
- * If packageSecrets are provided (for packages requiring credentials like
+ * Always creates a NEW tenant_request row, regardless of how many other
- * Telegram, Discord, Email), they are encrypted with AES-256-GCM and stored
+ * rows already exist for this org. The pre-Slice-3 409 ("you already
- * as a BYTEA blob. They are decrypted only during admin approval to write
+ * have a request") is gone — multi-tenant is the design now.
- * to OpenBao.
+ *
 * For additional instances in an existing company, the customer's prior
 * approved row is used to seed billing/contact info, so the wizard
 * doesn't need to re-collect data already on file. The wizard *does*
 * still send a billingAddress payload (the field is required by the
 * schema), but in practice the client can pre-fill it from
 * `getMostRecentApprovedRequestForOrg`.
 *
 * Encrypted package secrets, if provided, are AES-256-GCM-sealed and
 * stored as a BYTEA blob. They are decrypted only during admin approval
 * to write to OpenBao.
 */
 export async function POST(request: Request) {
  const user = await getSessionUser();
@@ -99,40 +166,27 @@ export async function POST(request: Request) {
    );
  }
  // Check for existing request
  const existing = await getTenantRequestByOrgId(user.orgId);
  if (existing && existing.status !== "deleted") {
    return NextResponse.json(
      { error: "Onboarding request already submitted.", request: existing },
      { status: 409 }
    );
  }
  // If previous request was deleted, remove it so a fresh one can be created
  if (existing && existing.status === "deleted") {
    await deleteTenantRequest(existing.id);
  }
  // Check for existing tenant
  const allTenants = await listTenants();
  const myTenant = allTenants.find(
    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
  );
  if (myTenant) {
    return NextResponse.json(
      {
        error: "You already have a tenant provisioned.",
        tenantName: myTenant.metadata.name,
      },
      { status: 409 }
    );
  }
  const input: OnboardingInput & {
    packageSecrets?: Record<string, Record<string, string>>;
  } = parsed.data;
  // Look up an existing approved request for this org to inherit
  // company-level billing data. For brand-new orgs (first registration),
  // there is no prior row and we use the form-supplied billingAddress
  // verbatim. For follow-up requests, we ignore the form-supplied
  // company line in favour of the recorded company name.
  const prior = await getMostRecentApprovedRequestForOrg(user.orgId);
  // Slice 4: detect personal-account orgs by the canonical " (Personal)"
  // suffix on the ZITADEL org name. Set at registration, stable for the
  // lifetime of the org. Persisted on the row so admin views and the
  // approve handler don't have to re-derive it.
  //
  // If any prior row has is_personal set, prefer that — it's the same
  // org and the value can't change. (The prior-row check is defensive;
  // the org-name check should agree.)
  const isPersonal = prior?.isPersonal ?? isPersonalOrgName(user.orgName);
  // Encrypt package secrets if provided
  let encryptedSecrets: Buffer | undefined;
  if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {
@@ -147,34 +201,56 @@ export async function POST(request: Request) {
    }
  }
  // For follow-up instances, prefer the on-file company name and contact
  // details; the user can't change those by re-typing them in the wizard.
  const companyName = prior?.companyName ?? user.orgName;
  const contactName = prior?.contactName ?? user.name;
  const contactEmail = prior?.contactEmail ?? user.email;
  const billingAddress = prior?.billingAddress ?? input.billingAddress;
  const billingNotes = input.billingNotes ?? prior?.billingNotes;
  const tenantRequest = await createTenantRequest({
    zitadelOrgId: user.orgId,
    zitadelUserId: user.id,
-    companyName: user.orgName,
+    companyName,
-    contactName: user.name,
+    instanceName: input.instanceName,
-    contactEmail: user.email,
+    contactName,
    contactEmail,
    agentName: input.agentName,
    soulMd: input.soulMd,
    agentsMd: input.agentsMd,
    packages: input.packages ?? [],
-    billingAddress: input.billingAddress,
+    billingAddress,
-    billingNotes: input.billingNotes,
+    billingNotes,
    encryptedSecrets,
    isPersonal,
  });
-  // Notify admin about the new request
+  // Notify admin about the new request. For follow-up instances, include
  // the instance name in the notification so the admin sees what's
  // being requested without opening the panel.
  try {
    await sendAdminNotificationEmail(
      tenantRequest.contactEmail,
      tenantRequest.contactName,
-      tenantRequest.companyName
+      tenantRequest.instanceName
        ? `${tenantRequest.companyName} (${tenantRequest.instanceName})`
        : tenantRequest.companyName
    );
  } catch (e) {
    console.error("Failed to send admin notification:", e);
  }
  // For diagnostics: how many other in-flight requests does this org
  // already have? Useful for the admin queue.
  const allRequests = await listTenantRequestsByOrgId(user.orgId);
  return NextResponse.json(
-    { message: "Request submitted.", request: tenantRequest },
+    {
      message: "Request submitted.",
      request: publicRequestShape(tenantRequest),
      orgRequestCount: allRequests.length,
    },
    { status: 201 }
  );
 }
--- a/src/app/api/register/route.ts
+++ b/src/app/api/register/route.ts
@@ -5,18 +5,54 @@ import { checkDuplicateDomain } from "@/lib/db";
 import type { RegistrationInput } from "@/types";
 import { z } from "zod";
-const registrationSchema = z.object({
+/**
-  companyName: z.string().min(2).max(100),
+ * Registration schema.
 *
 * Slice 4 changes
 * ---------------
 * - `companyName` is no longer always required. It's required when
 *   `isPersonal` is false/absent, ignored when `isPersonal` is true.
 * - `isPersonal` flag distinguishes personal accounts. The server
 *   derives the ZITADEL org name from `${givenName} ${familyName}
 *   (Personal)` for personals — the suffix is the canonical marker
 *   that downstream code (onboarding POST, admin views) uses to
 *   distinguish personal orgs from companies. Customers cannot rename
 *   their own org, so the suffix is stable.
 * - Personal accounts skip the duplicate-domain check entirely. Their
 *   row is also excluded from future domain checks (see
 *   `lib/domain-check.ts::findDuplicateInDb`).
 */
 const registrationSchema = z
  .object({
    companyName: z.string().min(2).max(100).optional(),
    givenName: z.string().min(1).max(100),
    familyName: z.string().min(1).max(100),
    email: z.string().email(),
    preferredLanguage: z.enum(["en", "de", "fr", "it"]).optional(),
-});
+    isPersonal: z.boolean().optional().default(false),
  })
  .refine(
    (data) =>
      data.isPersonal || (data.companyName && data.companyName.trim().length >= 2),
    {
      message: "Company name is required for company registrations",
      path: ["companyName"],
    }
  );
 /** 3 registrations per IP per hour */
 const RATE_LIMIT = 3;
 const RATE_WINDOW_MS = 3_600_000; // 1 hour
 /**
 * Suffix appended to personal-account ZITADEL org names. Used here to
 * build the org name and elsewhere (session.orgName check) to detect
 * whether the current user is on a personal org.
 *
 * Keep this in sync with `isPersonalOrgName()` in `lib/personal-org.ts`.
 */
 const PERSONAL_ORG_SUFFIX = " (Personal)";
 export async function POST(request: NextRequest) {
  // --- Rate limiting ---
  const ip =
@@ -53,17 +89,16 @@ export async function POST(request: NextRequest) {
    }
    const input: RegistrationInput = parsed.data;
    const isPersonal = input.isPersonal === true;
-    // --- Duplicate-domain check ---
+    // --- Duplicate-domain check (skipped for personal accounts) ---
    //
-    // Block if another active tenant_request or ZITADEL org already exists
+    // Personal accounts are explicitly allowed to use any email domain
-    // for this corporate email domain. Public domains (gmail, gmx, etc.)
+    // (including corporate). Their tenant_request rows are excluded
-    // are exempted by checkDuplicateDomain.
+    // from this check by lib/domain-check.ts, so a personal account
-    //
+    // doesn't block a later real-company registration on the same
-    // We return a structured `code: "duplicate_domain"` with the matched
+    // domain.
-    // domain so the client can render the localized message via
+    if (!isPersonal) {
    // register.duplicateDomain (with {domain} interpolation). The fallback
    // English string is included for non-i18n clients (curl, monitoring).
      const dup = await checkDuplicateDomain(input.email);
      if (dup.blocked && dup.domain) {
        return NextResponse.json(
@@ -75,9 +110,24 @@ export async function POST(request: NextRequest) {
          { status: 409 },
        );
      }
    }
    // --- Determine the ZITADEL org name ---
    //
    // For company: use the customer-supplied companyName (already
    //   validated to be present + ≥2 chars by the schema refinement).
    // For personal: synthesise from full name + " (Personal)" suffix.
    //   The suffix is the canonical marker for personal orgs.
    //
    // ZITADEL does NOT enforce org-name uniqueness, so two "Hans Müller
    // (Personal)" orgs can coexist; the org id is what matters for our
    // labelling and lookups, the name is human-readable only.
    const orgName = isPersonal
      ? `${input.givenName.trim()} ${input.familyName.trim()}${PERSONAL_ORG_SUFFIX}`
      : input.companyName!.trim();
    const result = await registerCustomer({
-      companyName: input.companyName,
+      companyName: orgName,
      email: input.email,
      givenName: input.givenName,
      familyName: input.familyName,
@@ -88,6 +138,7 @@ export async function POST(request: NextRequest) {
      {
        orgId: result.orgId,
        userId: result.userId,
        isPersonal,
        message:
          "Registration successful. You will receive an invitation email to set your password.",
      },
--- a/src/app/api/usage/route.ts
+++ b/src/app/api/usage/route.ts
@@ -7,9 +7,21 @@ import { safeError } from "@/lib/errors";
 /**
 * GET /api/usage
 *
- * Customers: teamId is resolved server-side from the tenant matching the
+ * Customers: tenant resolved server-side from the user's orgId. The
- *            user's orgId. No client-supplied teamId accepted.
+ *            response is filtered by the tenant's `litellmKeyAlias` so
- * Platform admins: may pass ?teamId=... to inspect any tenant's usage.
+ *            sibling tenants in the same org don't bleed into the total.
 * Platform admins: may pass ?teamId=... to inspect any team. They may
 *                  also pass ?keyAlias=... to scope to a single tenant.
 *
 * Slice 2 note
 * ------------
 * LiteLLM teams are now shared across all tenants of an org. The team's
 * `/team/info` budget is the *company* budget; the per-tenant numbers
 * come from filtering spend logs by `key_alias`. If a tenant has no
 * `litellmKeyAlias` in status (transitional state right after upgrade,
 * before the operator has reconciled), we fall back to team-level
 * filtering — the numbers will be slightly inflated for that one
 * reconcile cycle.
 */
 export async function GET(req: NextRequest) {
  const user = await getSessionUser();
@@ -17,13 +29,14 @@ export async function GET(req: NextRequest) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  let teamId: string | null = null;
  let keyAlias: string | null = null;
  if (user.isPlatform) {
    // Admins may pass a specific teamId to inspect any tenant
    teamId = req.nextUrl.searchParams.get("teamId") ?? null;
    keyAlias = req.nextUrl.searchParams.get("keyAlias") ?? null;
  }
-  // For customers (or admins without explicit teamId): resolve from their tenant
+  // For customers (or admins without explicit params): resolve from their tenant.
  if (!teamId) {
    const tenants = await listTenants();
    const orgTenant = tenants.find(
@@ -37,6 +50,13 @@ export async function GET(req: NextRequest) {
      );
    }
    teamId = orgTenant.status.litellmTeamId;
    // If the operator has populated the per-tenant key alias, filter by it.
    // Falling back to team-level (no alias) will return the org total, which
    // is acceptable transitionally but means siblings' usage shows up here.
    if (orgTenant.status.litellmKeyAlias) {
      keyAlias = orgTenant.status.litellmKeyAlias;
    }
  }
  // Month param: YYYY-MM, defaults to current month
@@ -55,7 +75,11 @@ export async function GET(req: NextRequest) {
  try {
    const teamInfo = await getTeamInfo(teamId);
-    // Fetch all pages
+    // Fetch all pages from the team. We always query at the team level —
    // LiteLLM's /spend/logs/v2 doesn't filter by key_alias reliably across
    // versions, so we paginate and post-filter in code. For pilot scale
    // this is cheap; if a single team ever exceeds ~10k entries/month we
    // can revisit.
    const allRequests: any[] = [];
    let page = 1;
    while (true) {
@@ -71,12 +95,26 @@ export async function GET(req: NextRequest) {
      page++;
    }
    // Apply key_alias post-filter when scoping to a single tenant. Match
    // both `key_alias` (newer LiteLLM) and `metadata.user_api_key_alias`
    // (older builds nest it inside metadata).
    const scoped = keyAlias
      ? allRequests.filter((r) => {
          const alias =
            r.key_alias ??
            r.metadata?.user_api_key_alias ??
            r.api_key_alias ??
            null;
          return alias === keyAlias;
        })
      : allRequests;
    // Aggregate by day
    const byDay: Record<
      string,
      { inputTokens: number; outputTokens: number; spend: number }
    > = {};
-    for (const r of allRequests) {
+    for (const r of scoped) {
      const day = (r.startTime || r.endTime || "").slice(0, 10);
      if (!day) continue;
      if (!byDay[day])
@@ -90,25 +128,30 @@ export async function GET(req: NextRequest) {
      .sort(([a], [b]) => a.localeCompare(b))
      .map(([date, d]) => ({ date, ...d }));
-    const totalInput = allRequests.reduce(
+    const totalInput = scoped.reduce(
      (s, r) => s + (r.prompt_tokens || 0),
      0
    );
-    const totalOutput = allRequests.reduce(
+    const totalOutput = scoped.reduce(
      (s, r) => s + (r.completion_tokens || 0),
      0
    );
-    const totalSpend = allRequests.reduce((s, r) => s + (r.spend || 0), 0);
+    const totalSpend = scoped.reduce((s, r) => s + (r.spend || 0), 0);
    return NextResponse.json({
      teamId,
      keyAlias, // null when not filtering — useful for the client to know it sees company-wide data
      month: monthParam,
      currentPeriod: {
        inputTokens: totalInput,
        outputTokens: totalOutput,
        totalSpend,
-        requestCount: allRequests.length,
+        requestCount: scoped.length,
      },
      // Budget is always team-level (= company budget). Spend reported
      // here is the team total, not the per-key total — the customer
      // wants to see "how much of our company budget is left", not just
      // "how much has this one tenant cost".
      budget: {
        maxBudget: teamInfo?.team_info?.max_budget ?? null,
        spend: teamInfo?.team_info?.spend ?? 0,
--- a/src/components/dashboard/usage-display.tsx
+++ b/src/components/dashboard/usage-display.tsx
@@ -94,10 +94,20 @@ function UsageChart({ data }: { data: DailyUsage[] }) {
 /**
 * Usage display widget.
 *
- * - Customers: don't pass teamId — the backend resolves it from the session.
+ * - Customers: don't pass teamId or keyAlias — the backend resolves both
- * - Admins inspecting a specific tenant: pass teamId to override.
+ *   from the session-bound tenant.
 * - Admins inspecting a specific tenant: pass `teamId` (the org-level
 *   LiteLLM team id) AND `keyAlias` (the tenant's virtual-key alias).
 *   Without `keyAlias`, the response includes spend from sibling tenants
 *   in the same org, since teams are shared since Slice 2.
 */
-export function UsageDisplay({ teamId }: { teamId?: string | null }) {
+export function UsageDisplay({
  teamId,
  keyAlias,
 }: {
  teamId?: string | null;
  keyAlias?: string | null;
 }) {
  const t = useTranslations("usage");
  const [month, setMonth] = useState(getCurrentMonth);
  const [data, setData] = useState<UsageData | null>(null);
@@ -114,13 +124,16 @@ export function UsageDisplay({ teamId }: { teamId?: string | null }) {
    if (teamId) {
      params.set("teamId", teamId);
    }
    if (keyAlias) {
      params.set("keyAlias", keyAlias);
    }
    fetch(`/api/usage?${params}`)
      .then((res) => { if (!res.ok) throw new Error(`${res.status}`); return res.json(); })
      .then(setData)
      .catch((e) => setError(e.message))
      .finally(() => setLoading(false));
-  }, [teamId, month]);
+  }, [teamId, keyAlias, month]);
  useEffect(() => { fetchUsage(); }, [fetchUsage]);
--- a/src/components/onboarding/onboarding-flow.tsx
+++ b/src/components/onboarding/onboarding-flow.tsx
@@ -1,31 +1,36 @@
 "use client";
-import { useState, useEffect } from "react";
+import { useRouter } from "next/navigation";
 import { OnboardingWizard } from "./wizard";
 import { ProvisioningStatus } from "./provisioning-status";
 interface OnboardingFlowProps {
  orgName: string;
  initialState: "no_request" | "pending" | "approved" | "provisioning" | "rejected";
 }
 /**
- * Orchestrates the onboarding experience:
+ * Wraps the onboarding wizard. On successful submission, refreshes the
- * - no_request → show wizard
+ * router so the parent server component re-renders with the new pending
- * - pending/approved/provisioning/rejected → show status
+ * request visible in the dashboard list.
- * - After wizard submission → switch to status polling
+ *
 * Slice 3: this component used to manage the no_request → pending →
 * provisioning → active state machine, with conditional rendering of
 * `<ProvisioningStatus>`. That state is now reflected at the dashboard
 * level (which renders one `<ProvisioningStatus>` per pending request),
 * so this wrapper does just one thing: show the wizard, then navigate.
 */
-export function OnboardingFlow({ orgName, initialState }: OnboardingFlowProps) {
+export function OnboardingFlow({ orgName }: OnboardingFlowProps) {
-  const [showWizard, setShowWizard] = useState(initialState === "no_request");
+  const router = useRouter();
  if (showWizard) {
  return (
    <OnboardingWizard
      orgName={orgName}
-        onComplete={() => setShowWizard(false)}
+      onComplete={() => {
        // Navigate back to /dashboard and re-fetch on the server. The
        // parent server component will see the new `pending` row and
        // render its `<ProvisioningStatus>` card automatically.
        router.push("/dashboard");
        router.refresh();
      }}
    />
  );
  }
  return <ProvisioningStatus />;
 }
--- a/src/components/onboarding/provisioning-status.tsx
+++ b/src/components/onboarding/provisioning-status.tsx
@@ -6,64 +6,81 @@ import { Card } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { formatDateTime, formatRelative } from "@/lib/format";
-interface OnboardingState {
+interface RequestSummary {
  state: string;
  request?: {
  id: string;
-    status: string;
+  instanceName?: string | null;
    companyName: string;
  agentName: string;
  packages: string[];
  status: string;
  adminNotes?: string;
  tenantName?: string;
  createdAt?: string;
-  };
+  updatedAt?: string;
-  tenant?: {
+}
 interface TenantSummary {
  name: string;
  displayName: string;
  phase: string;
-    message?: string;
+  conditions: Array<{
    conditions?: Array<{
    type: string;
    status: string;
    reason?: string;
    message?: string;
    lastTransitionTime?: string;
  }>;
  };
 }
-export function ProvisioningStatus() {
+interface SingleRequestState {
  request: RequestSummary;
  tenant: TenantSummary | null;
 }
 /**
 * ProvisioningStatus
 *
 * Polls /api/onboarding?id=<requestId> every 5s until the request reaches
 * a terminal state. Slice 3: takes a `requestId` prop so multiple of these
 * can render on the same dashboard for different in-flight requests.
 *
 * The pre-Slice-3 version polled /api/onboarding with no params and
 * assumed one-request-per-org — that endpoint shape is gone now.
 */
 export function ProvisioningStatus({ requestId }: { requestId: string }) {
  const t = useTranslations("onboarding");
  const f = useFormatter();
-  const [data, setData] = useState<OnboardingState | null>(null);
+  const [data, setData] = useState<SingleRequestState | null>(null);
  const [error, setError] = useState("");
  const poll = useCallback(async () => {
    try {
-      const res = await fetch("/api/onboarding");
+      const res = await fetch(
        `/api/onboarding?id=${encodeURIComponent(requestId)}`
      );
      if (!res.ok) throw new Error("Failed to fetch status");
      const json = await res.json();
      setData(json);
    } catch (err: any) {
      setError(err.message);
    }
-  }, []);
+  }, [requestId]);
  useEffect(() => {
    poll();
-    // Poll every 5 seconds while not in a terminal state
+    const status = data?.request?.status;
-    const interval = setInterval(() => {
+    const phase = data?.tenant?.phase;
-      if (
+    const terminal =
-        data?.state === "provisioned" ||
+      status === "rejected" ||
-        data?.state === "rejected" ||
+      status === "active" ||
-        data?.state === "active"
+      phase === "Ready" ||
-      ) {
+      phase === "Running";
        return;
      }
      poll();
    }, 5000);
    if (terminal) return;
    const interval = setInterval(poll, 5000);
    return () => clearInterval(interval);
-  }, [poll, data?.state]);
+  }, [poll, data?.request?.status, data?.tenant?.phase]);
  if (error) {
    return (
@@ -84,8 +101,14 @@ export function ProvisioningStatus() {
    );
  }
  const status = data.request.status;
  const label =
    data.request.instanceName ||
    data.request.tenantName ||
    data.request.agentName;
  // Pending admin approval
-  if (data.state === "pending") {
+  if (status === "pending") {
    return (
      <Card className="animate-in">
        <div className="text-center py-6">
@@ -107,10 +130,13 @@ export function ProvisioningStatus() {
          <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
            {t("pendingTitle")}
          </h2>
          {label && (
            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
          )}
          <p className="text-sm text-text-secondary max-w-sm mx-auto">
            {t("pendingDescription")}
          </p>
-          {data.request?.createdAt && (
+          {data.request.createdAt && (
            <p
              className="text-xs text-text-muted mt-4"
              title={formatDateTime(data.request.createdAt, f)}
@@ -130,7 +156,7 @@ export function ProvisioningStatus() {
  }
  // Rejected
-  if (data.state === "rejected") {
+  if (status === "rejected") {
    return (
      <Card className="animate-in">
        <div className="text-center py-6">
@@ -152,10 +178,13 @@ export function ProvisioningStatus() {
          <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
            {t("rejectedTitle")}
          </h2>
          {label && (
            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
          )}
          <p className="text-sm text-text-secondary max-w-sm mx-auto">
            {t("rejectedDescription")}
          </p>
-          {data.request?.adminNotes && (
+          {data.request.adminNotes && (
            <p className="text-xs text-text-muted mt-3 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
              {data.request.adminNotes}
            </p>
@@ -165,10 +194,11 @@ export function ProvisioningStatus() {
    );
  }
-  // Provisioning in progress
+  // Provisioning in progress (status approved/provisioning, optionally with tenant phase < Ready)
  if (
-    data.state === "approved" ||
+    status === "approved" ||
-    data.state === "provisioning"
+    status === "provisioning" ||
    (status === "active" && data.tenant && data.tenant.phase !== "Ready")
  ) {
    const phase = data.tenant?.phase ?? "Pending";
    const conditions = data.tenant?.conditions ?? [];
@@ -182,6 +212,9 @@ export function ProvisioningStatus() {
          <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
            {t("provisioningTitle")}
          </h2>
          {label && (
            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
          )}
          <p className="text-sm text-text-secondary">
            {t("provisioningDescription")}
          </p>
@@ -216,8 +249,8 @@ export function ProvisioningStatus() {
    );
  }
-  // Provisioned / Running
+  // Active / Ready
-  if (data.state === "provisioned") {
+  if (status === "active") {
    return (
      <Card className="animate-in">
        <div className="text-center py-6">
@@ -239,6 +272,9 @@ export function ProvisioningStatus() {
          <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
            {t("readyTitle")}
          </h2>
          {label && (
            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
          )}
          <p className="text-sm text-text-secondary max-w-sm mx-auto mb-4">
            {t("readyDescription")}
          </p>
--- a/src/components/onboarding/wizard.tsx
+++ b/src/components/onboarding/wizard.tsx
@@ -4,6 +4,7 @@ import { useState, useCallback, useEffect, useRef } from "react";
 import { useTranslations } from "next-intl";
 import { Card } from "@/components/ui/card";
 import { PACKAGE_CATALOG, type PackageDef } from "@/lib/packages";
 import { isPersonalOrgName, PERSONAL_ORG_SUFFIX } from "@/lib/personal-org";
 type Step = "welcome" | "configure" | "billing" | "confirm";
@@ -55,6 +56,16 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
  const tPkg = useTranslations("packages");
  const tCommon = useTranslations("common");
  // Slice 4: personal accounts have an org name of the form
  // "{givenName} {familyName} (Personal)". For SOUL.md and the billing
  // company line, strip the suffix so the visible string is the user's
  // actual name (no stray "(Personal)" leaking onto invoices or into
  // the assistant's prompt).
  const isPersonal = isPersonalOrgName(orgName);
  const displayOrgName = isPersonal
    ? orgName.slice(0, -PERSONAL_ORG_SUFFIX.length).trim()
    : orgName;
  const [step, setStep] = useState<Step>("welcome");
  const [submitting, setSubmitting] = useState(false);
  const [error, setError] = useState("");
@@ -62,12 +73,16 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
  const [defaultsLoaded, setDefaultsLoaded] = useState(false);
  const [config, setConfig] = useState({
    instanceName: "",
    agentName: "Assistant",
-    soulMd: FALLBACK_SOUL.replace("{company}", orgName),
+    soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
    agentsMd: FALLBACK_AGENTS,
    packages: [] as string[],
    billingAddress: {
-      company: orgName,
+      // For personal accounts, leave the company field empty — it'll
      // appear on invoices. The user can still type something if they
      // want to.
      company: isPersonal ? "" : displayOrgName,
      street: "",
      city: "",
      postalCode: "",
@@ -306,6 +321,24 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
          </p>
          <div className="space-y-4">
            <div>
              <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
                {t("instanceName")}
              </label>
              <input
                type="text"
                value={config.instanceName}
                onChange={(e) =>
                  setConfig((prev) => ({ ...prev, instanceName: e.target.value }))
                }
                placeholder={t("instanceNamePlaceholder")}
                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
              />
              <p className="text-xs text-text-muted mt-1">
                {t("instanceNameHint")}
              </p>
            </div>
            <div>
              <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
                {t("agentName")}
@@ -734,6 +767,14 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
          <div className="space-y-4">
            <div className="bg-surface-2 border border-border rounded-lg p-4 space-y-3">
              {config.instanceName.trim() && (
                <div className="flex justify-between text-sm">
                  <span className="text-text-muted">{t("instanceName")}</span>
                  <span className="text-text-primary font-mono">
                    {config.instanceName.trim()}
                  </span>
                </div>
              )}
              <div className="flex justify-between text-sm">
                <span className="text-text-muted">{t("agentName")}</span>
                <span className="text-text-primary font-mono">
--- a/src/lib/db.ts
+++ b/src/lib/db.ts
@@ -22,12 +22,27 @@ function getPool(): Pool {
 // Schema migration (auto-run on first query)
 // ---------------------------------------------------------------------------
 // Notes on the Slice 3 changes
 // ----------------------------
 // 1. Removed `UNIQUE` from `zitadel_org_id` in the CREATE TABLE for fresh
 //    installs, AND emit a defensive `DROP CONSTRAINT IF EXISTS` for
 //    existing installs whose schema was created pre-Slice-3. The
 //    constraint was Postgres-autonamed; the name is deterministic.
 // 2. Added `instance_name TEXT` — the customer's human label per
 //    instance (e.g. "Production", "Dev"). NULL is fine and means "use
 //    the company name for display".
 // 3. Added a unique index on `tenant_name WHERE NOT NULL`. Multiple
 //    rows in the table can have NULL tenant_name (pending/rejected
 //    requests), but every approved row points to a distinct K8s CR.
 // 4. Added `(zitadel_org_id, status)` index for the list-by-org queries
 //    introduced this slice.
 const MIGRATION_SQL = `
  CREATE TABLE IF NOT EXISTS tenant_requests (
    id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    zitadel_org_id    TEXT NOT NULL UNIQUE,
+    zitadel_org_id    TEXT NOT NULL,
    zitadel_user_id   TEXT NOT NULL,
    company_name      TEXT NOT NULL,
    instance_name     TEXT,
    contact_name      TEXT NOT NULL,
    contact_email     TEXT NOT NULL,
    agent_name        TEXT NOT NULL DEFAULT 'Assistant',
@@ -40,16 +55,26 @@ const MIGRATION_SQL = `
    admin_notes       TEXT,
    tenant_name       TEXT,
    encrypted_secrets BYTEA,
    is_personal       BOOLEAN NOT NULL DEFAULT FALSE,
    created_at        TIMESTAMPTZ NOT NULL DEFAULT now(),
    updated_at        TIMESTAMPTZ NOT NULL DEFAULT now()
  );
  CREATE INDEX IF NOT EXISTS idx_tenant_requests_status ON tenant_requests(status);
  CREATE INDEX IF NOT EXISTS idx_tenant_requests_org_id ON tenant_requests(zitadel_org_id);
  CREATE INDEX IF NOT EXISTS idx_tenant_requests_org_status ON tenant_requests(zitadel_org_id, status);
  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_tenant_name
    ON tenant_requests(tenant_name)
    WHERE tenant_name IS NOT NULL;
  -- Idempotent column adds for existing databases
  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS encrypted_secrets BYTEA;
  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS agents_md TEXT;
  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS instance_name TEXT;
  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS is_personal BOOLEAN NOT NULL DEFAULT FALSE;
  -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
  ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
  -- Workspace templates: admin-editable default content for workspace files
  CREATE TABLE IF NOT EXISTS workspace_templates (
@@ -131,15 +156,17 @@ export async function createTenantRequest(
  await ensureSchema();
  const result = await getPool().query<TenantRequest>(
    `INSERT INTO tenant_requests
-       (zitadel_org_id, zitadel_user_id, company_name, contact_name,
+       (zitadel_org_id, zitadel_user_id, company_name, instance_name,
-        contact_email, agent_name, soul_md, agents_md, packages, billing_address,
+        contact_name, contact_email, agent_name, soul_md, agents_md,
-        billing_notes, encrypted_secrets)
+        packages, billing_address, billing_notes, encrypted_secrets,
-     VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
+        is_personal)
     VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)
     RETURNING *`,
    [
      params.zitadelOrgId,
      params.zitadelUserId,
      params.companyName,
      params.instanceName ?? null,
      params.contactName,
      params.contactEmail,
      params.agentName,
@@ -149,6 +176,7 @@ export async function createTenantRequest(
      JSON.stringify(params.billingAddress),
      params.billingNotes,
      params.encryptedSecrets ?? null,
      params.isPersonal ?? false,
    ]
  );
  return mapRow(result.rows[0]);
@@ -165,12 +193,67 @@ export async function getTenantRequestById(
  return result.rows[0] ? mapRow(result.rows[0]) : null;
 }
-export async function getTenantRequestByOrgId(
+/**
 * Slice 3: returns ALL requests for an org, most recent first.
 *
 * Replaces the pre-Slice-3 `getTenantRequestByOrgId` which returned the
 * single most recent row. Callers that previously assumed one-row-per-org
 * must now iterate or pick by status. The intent is explicit at every
 * call site, which is the point of the rename.
 *
 * Includes rows in every status (pending, approved, provisioning, active,
 * rejected, deleted). For "active or in-flight only" filtering, see
 * {@link listActiveTenantRequestsByOrgId}.
 */
 export async function listTenantRequestsByOrgId(
  orgId: string
 ): Promise<TenantRequest[]> {
  await ensureSchema();
  const result = await getPool().query<TenantRequest>(
    "SELECT * FROM tenant_requests WHERE zitadel_org_id = $1 ORDER BY created_at DESC",
    [orgId]
  );
  return result.rows.map(mapRow);
 }
 /**
 * As {@link listTenantRequestsByOrgId} but excludes terminal-failed states
 * (rejected, deleted). Useful for the dashboard which wants to show
 * pending/approved/provisioning/active tenants and pending requests, not
 * historical rejections.
 */
 export async function listActiveTenantRequestsByOrgId(
  orgId: string
 ): Promise<TenantRequest[]> {
  await ensureSchema();
  const result = await getPool().query<TenantRequest>(
    `SELECT * FROM tenant_requests
       WHERE zitadel_org_id = $1
         AND status NOT IN ('deleted', 'rejected')
       ORDER BY created_at DESC`,
    [orgId]
  );
  return result.rows.map(mapRow);
 }
 /**
 * Returns the most recent approved-or-active request for an org. Used to
 * seed billing/contact defaults when a customer creates an additional
 * instance — saves them re-typing data already on file.
 *
 * Returns null if the org has never had an approved instance (e.g. first
 * registration is still pending).
 */
 export async function getMostRecentApprovedRequestForOrg(
  orgId: string
 ): Promise<TenantRequest | null> {
  await ensureSchema();
  const result = await getPool().query<TenantRequest>(
-    "SELECT * FROM tenant_requests WHERE zitadel_org_id = $1 ORDER BY created_at DESC LIMIT 1",
+    `SELECT * FROM tenant_requests
       WHERE zitadel_org_id = $1
         AND status IN ('approved', 'provisioning', 'active')
       ORDER BY created_at DESC
       LIMIT 1`,
    [orgId]
  );
  return result.rows[0] ? mapRow(result.rows[0]) : null;
@@ -250,8 +333,10 @@ export async function checkDuplicateDomain(email: string) {
 }
 /**
- * Mark a tenant request as "deleted" when the associated tenant CR is deleted.
+ * Mark a single tenant request as "deleted" when the associated tenant CR
- * This allows the customer to re-submit the onboarding wizard.
+ * is deleted. With multi-tenant per org this affects exactly one row,
 * since tenant_name is unique by index. The customer's other instances
 * are untouched.
 */
 export async function markTenantRequestDeletedByTenantName(
  tenantName: string
@@ -275,6 +360,10 @@ export async function deleteTenantRequest(id: string): Promise<void> {
 /**
 * Sync provisioning statuses: for all requests with status "provisioning",
 * check if the PiecedTenant CR has reached "Ready" and update to "active".
 *
 * Slice 3 note: with multi-tenant per org, this iterates each row
 * individually (keyed by its own tenant_name), so multiple in-flight
 * tenants in the same org are handled correctly.
 */
 export async function syncProvisioningStatuses(): Promise<void> {
  await ensureSchema();
@@ -310,6 +399,7 @@ function mapRow(row: any): TenantRequest {
    zitadelOrgId: row.zitadel_org_id,
    zitadelUserId: row.zitadel_user_id,
    companyName: row.company_name,
    instanceName: row.instance_name ?? null,
    contactName: row.contact_name,
    contactEmail: row.contact_email,
    agentName: row.agent_name,
@@ -322,6 +412,7 @@ function mapRow(row: any): TenantRequest {
    adminNotes: row.admin_notes,
    tenantName: row.tenant_name,
    encryptedSecrets: row.encrypted_secrets ?? null,
    isPersonal: row.is_personal ?? false,
    createdAt: row.created_at?.toISOString?.() ?? row.created_at,
    updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
  };
--- a/src/lib/domain-check.ts
+++ b/src/lib/domain-check.ts
@@ -140,6 +140,12 @@ export function isPublicEmailDomain(domain: string): boolean {
 * Look up active tenant_requests whose contact_email shares the given domain.
 * Active = status NOT IN ('rejected', 'deleted').
 *
 * Slice 4: personal-account rows (is_personal = TRUE) are excluded. A
 * person's personal account doesn't claim the domain on behalf of a
 * company — alice@acme.ch registering as a personal account must not
 * block the actual Acme GmbH from registering later. The personal flag
 * lives on the row itself, set by /api/register at creation time.
 *
 * Uses LOWER() on both sides to handle any historical case inconsistency in
 * stored emails. The pattern '%@<domain>' is anchored so 'acme.ch' does not
 * match 'notacme.ch' or 'acme.ch.evil.com'.
@@ -151,7 +157,8 @@ async function findDuplicateInDb(
  const result = await pool.query<{ count: string }>(
    `SELECT COUNT(*) AS count FROM tenant_requests
     WHERE LOWER(contact_email) LIKE $1
-       AND status NOT IN ('rejected', 'deleted')`,
+       AND status NOT IN ('rejected', 'deleted')
       AND is_personal = FALSE`,
    [`%@${domain.toLowerCase()}`]
  );
  return Number(result.rows[0]?.count ?? 0) > 0;
--- a/src/lib/litellm.ts
+++ b/src/lib/litellm.ts
@@ -91,6 +91,10 @@ export async function getGlobalSpend(): Promise<number> {
 /**
 * Fetch per-team spend as a map: teamId → spend (CHF).
 * Uses /team/list which includes current spend per team.
 *
 * Since Slice 2, a "team" is the company-level budget shared across all
 * tenants of the same ZITADEL org. So this map gives company totals, not
 * per-tenant spend. For per-tenant attribution, use {@link getPerKeySpend}.
 */
 export async function getPerTeamSpend(): Promise<Map<string, number>> {
  const teams = await listTeams();
@@ -102,3 +106,54 @@ export async function getPerTeamSpend(): Promise<Map<string, number>> {
  }
  return map;
 }
 /**
 * Fetch per-virtual-key spend as a map: keyAlias → spend (CHF).
 *
 * Since Slice 2, each PiecedTenant CR owns one virtual key under its
 * org's team, with `key_alias = tenant.metadata.name`. Filtering by the
 * key alias is how we get genuinely per-tenant spend.
 *
 * Implementation
 * --------------
 * Calls `/key/list?return_full_object=true&include_team_keys=true`,
 * which returns objects with `spend` and `key_alias`. Older LiteLLM
 * builds may return raw token strings instead — we degrade gracefully
 * to an empty map in that case rather than throwing, since the admin
 * health page should still render even if per-tenant numbers are
 * temporarily unavailable.
 *
 * @returns Map<keyAlias, spend>. May be empty if the LiteLLM build
 *          doesn't expose key-alias info; callers must handle that.
 */
 export async function getPerKeySpend(): Promise<Map<string, number>> {
  const map = new Map<string, number>();
  try {
    const data = await litellmFetch(
      "/key/list?return_full_object=true&include_team_keys=true"
    );
    // Response shape: { keys: [ { key_alias, spend, token, ... } ] }
    // or sometimes { data: [...] }, or raw arrays. Be tolerant.
    const keys: any[] = Array.isArray(data?.keys)
      ? data.keys
      : Array.isArray(data?.data)
        ? data.data
        : Array.isArray(data)
          ? data
          : [];
    for (const k of keys) {
      // Skip raw-string entries from older API shapes — we can't attribute them.
      if (typeof k !== "object" || k === null) continue;
      const alias = k.key_alias ?? k.keyAlias;
      if (typeof alias !== "string" || !alias) continue;
      const spend =
        typeof k.spend === "number" ? k.spend : Number(k.spend) || 0;
      map.set(alias, spend);
    }
  } catch (e) {
    console.warn("getPerKeySpend failed, returning empty map:", e);
  }
  return map;
 }
--- a/src/lib/personal-org.ts
+++ b/src/lib/personal-org.ts
@@ -0,0 +1,40 @@
 /**
 * Personal-account helpers.
 *
 * Slice 4 establishes the convention that ZITADEL org names for personal
 * accounts end with the literal " (Personal)" suffix. This file
 * centralises the suffix and the predicate so both registration (which
 * sets the suffix) and onboarding (which reads it from the session) use
 * the same canonical form.
 *
 * Why a name suffix and not ZITADEL org metadata?
 * -----------------------------------------------
 * 1. The suffix is visible in ZITADEL Console, admin tools, JWT claims,
 *    etc. — useful debugging signal at zero cost.
 * 2. Customers cannot rename their own org (requires IAM_OWNER, which
 *    only the SA holds), so the suffix is stable for the lifetime of
 *    the org.
 * 3. No extra ZITADEL API calls at onboarding time to fetch metadata.
 * 4. No extra portal DB tables.
 *
 * The trade-off: an admin who manually renames a personal org via
 * ZITADEL Console could remove the suffix, after which onboarding
 * would treat that org as a company. That's a deliberate destructive
 * action and the worst outcome is a misnamed K8s CR; nothing breaks.
 */
 export const PERSONAL_ORG_SUFFIX = " (Personal)";
 /**
 * Returns true when the given ZITADEL org name marks a personal account.
 *
 * The check is exact-suffix match (after trimming). Whitespace inside
 * the suffix is significant — `" (personal)"` lowercase or `"(Personal)"`
 * without the leading space are not matches and not personal orgs.
 *
 * Pass `session.orgName` from the SessionUser at the call site.
 */
 export function isPersonalOrgName(orgName: string | null | undefined): boolean {
  if (!orgName) return false;
  return orgName.trimEnd().endsWith(PERSONAL_ORG_SUFFIX);
 }
--- a/src/lib/tenant-naming.ts
+++ b/src/lib/tenant-naming.ts
@@ -0,0 +1,132 @@
 /**
 * Deterministic tenant-name derivation for PiecedTenant CRs.
 *
 * Background
 * ----------
 * Every PiecedTenant CR's `metadata.name` becomes part of the tenant
 * namespace, which the operator builds as `tenant-{name}` (see
 * `pieced-operator/api/v1alpha1/piecedtenant_types.go::NamespaceName`).
 * Kubernetes namespace names follow the RFC 1123 DNS *label* spec:
 * lowercased alphanumeric + hyphens, must start and end with alnum,
 * and **max 63 characters**.
 *
 * That gives us 63 - len("tenant-") = 56 chars to play with for the CR
 * name itself. Anything longer is rejected at apply time, so we cap
 * here.
 *
 * Format
 * ------
 *   kind=company  →  {slug}-{requestIdHex8}     e.g. "acme-gmbh-abc12345"
 *   kind=personal →  p-{requestIdHex8}          e.g. "p-abc12345"
 *
 * The 8-hex-char suffix is taken from `tenant_requests.id` (a Postgres
 * `gen_random_uuid()` value, set at row insert). Two motivations:
 *
 *   1. Uniqueness — multiple requests for the same company name no longer
 *      collide (this is what unblocks Slice 3, multi-tenant per org).
 *   2. Stability — the suffix is known at approval time and never changes,
 *      so the operator and portal agree without coordination. We use the
 *      request UUID rather than the eventual LiteLLM virtual-key UUID
 *      because the latter doesn't exist until the operator runs.
 *
 * 8 hex chars = 32 bits of entropy. Collision probability with 100 active
 * tenants per company prefix is ~1e-6; for our pilot scale that's fine.
 *
 * Limits
 * ------
 * Suffix is always 8 + 1 (hyphen) = 9 chars. Slug therefore caps at
 * 56 - 9 = 47 chars, then we strip any trailing hyphens left by the cut.
 *
 * Examples
 * --------
 *   deriveTenantName("company",  "Acme GmbH", "abc12345-...") = "acme-gmbh-abc12345"
 *   deriveTenantName("company",  "Müller AG", "abc12345-...") = "m-ller-ag-abc12345"   (umlaut → "-")
 *   deriveTenantName("company",  "!!!",       "abc12345-...") = "t-abc12345"           (slug empty → "t-")
 *   deriveTenantName("personal", "",          "abc12345-...") = "p-abc12345"
 */
 export type TenantKind = "company" | "personal";
 const MAX_NAMESPACE_LEN = 63;
 const NAMESPACE_PREFIX = "tenant-";
 const MAX_TENANT_NAME_LEN = MAX_NAMESPACE_LEN - NAMESPACE_PREFIX.length; // 56
 const SUFFIX_HEX_LEN = 8;
 const SUFFIX_TOTAL_LEN = SUFFIX_HEX_LEN + 1; // including the joining "-"
 const MAX_SLUG_LEN = MAX_TENANT_NAME_LEN - SUFFIX_TOTAL_LEN; // 47
 export class InvalidRequestIdError extends Error {
  constructor(requestId: string) {
    super(
      `Cannot derive tenant name: requestId "${requestId}" does not contain ${SUFFIX_HEX_LEN} hex characters`
    );
    this.name = "InvalidRequestIdError";
  }
 }
 /**
 * Reduce an arbitrary string to a DNS-label-safe slug. Non-alnum runs
 * collapse to a single "-"; leading/trailing hyphens are stripped.
 *
 * Note this does not transliterate Unicode — "Müller" becomes "m-ller",
 * not "mueller". That's deliberate: transliteration introduces locale
 * dependencies (de-DE vs de-CH vs sv-SE all disagree on ä→a/ä→ae) and
 * we'd rather have a stable, ugly slug than a pretty one that changes
 * if we touch the locale config later. Customers see the human-readable
 * `displayName`, not the slug.
 */
 function slugify(input: string): string {
  return input
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "");
 }
 /**
 * Extract the first 8 hex chars of a UUID string. Strips hyphens and
 * lowercases first so callers can pass either "abc12345-..." or
 * "ABC12345..." form. Postgres `gen_random_uuid()` already emits the
 * canonical lowercase-hyphenated form, so this is just defense in depth
 * against any hand-inserted IDs.
 */
 function requestIdSuffix(requestId: string): string {
  const hex = requestId.replace(/-/g, "").toLowerCase();
  if (!/^[0-9a-f]{8}/.test(hex)) {
    throw new InvalidRequestIdError(requestId);
  }
  return hex.slice(0, SUFFIX_HEX_LEN);
 }
 /**
 * Build the PiecedTenant CR `metadata.name` for an approved tenant request.
 *
 * @param kind        "company" for normal customer accounts; "personal"
 *                    for individual accounts (Slice 4 — `is_personal=true`).
 * @param companyName Raw display name from the registration. Ignored when
 *                    kind="personal".
 * @param requestId   `tenant_requests.id` (Postgres UUID).
 * @returns           A K8s-safe CR name, ≤ 56 chars, with an 8-hex suffix.
 */
 export function deriveTenantName(
  kind: TenantKind,
  companyName: string,
  requestId: string
 ): string {
  const suffix = requestIdSuffix(requestId);
  if (kind === "personal") {
    return `p-${suffix}`;
  }
  // Company branch: slug-{suffix}, with empty-slug fallback.
  const rawSlug = slugify(companyName);
  // Cap then re-trim — slicing might leave a dangling hyphen if a non-alnum
  // run sat right at the boundary (e.g. "acme-foo-bar-..." cut to "acme-foo-").
  const slug = rawSlug.slice(0, MAX_SLUG_LEN).replace(/-+$/, "");
  if (!slug) {
    return `t-${suffix}`;
  }
  return `${slug}-${suffix}`;
 }
--- a/src/messages/de.json
+++ b/src/messages/de.json
@@ -35,7 +35,9 @@
    "successTitle": "Registrierung eingegangen",
    "successDescription": "Sie erhalten eine Einladungs-E-Mail mit einem Link, um Ihr Passwort festzulegen und Ihre E-Mail-Adresse zu bestätigen. Danach können Sie sich anmelden und Ihren KI-Assistenten einrichten.",
    "goToLogin": "Zur Anmeldung",
-    "duplicateDomain": "Für die E-Mail-Domain {domain} ist bereits ein Konto registriert. Bitte wenden Sie sich an Ihren Firmenadministrator, um eingeladen zu werden, oder kontaktieren Sie den PieCed-IT-Support, falls dies ein Fehler ist."
+    "duplicateDomain": "Für die E-Mail-Domain {domain} ist bereits ein Konto registriert. Bitte wenden Sie sich an Ihren Firmenadministrator, um eingeladen zu werden, oder kontaktieren Sie den PieCed-IT-Support, falls dies ein Fehler ist.",
    "individualToggle": "Als Privatperson registrieren",
    "individualHint": "Aktivieren Sie diese Option, wenn Sie sich nicht im Namen eines Unternehmens registrieren. Ihr Konto wird als persönlicher Arbeitsbereich eingerichtet."
  },
  "onboarding": {
    "loading": "Status wird geladen…",
@@ -83,7 +85,10 @@
    "readyTitle": "Ihr Assistent ist bereit!",
    "readyDescription": "Ihr KI-Assistent wurde bereitgestellt und ist aktiv. Sie können ihn nun über das Dashboard verwalten.",
    "goToDashboard": "Zum Dashboard",
-    "submittedAt": "Eingereicht"
+    "submittedAt": "Eingereicht",
    "instanceName": "Instanzname",
    "instanceNamePlaceholder": "z.B. Produktion, Dev, Vertrieb",
    "instanceNameHint": "Optionaler lesbarer Name, um diese Instanz von anderen in Ihrem Dashboard zu unterscheiden. Leer lassen, um den Firmennamen zu verwenden."
  },
  "dashboard": {
    "title": "Dashboard",
@@ -94,7 +99,11 @@
    "noInstance": "Noch keine Instanz bereitgestellt.",
    "comingSoon": "Detailansicht folgt in Session 6.2",
    "noInstanceDescription": "Richten Sie Ihre KI-Assistenten-Instanz ein, um mit PieCed IT zu starten.",
-    "manage": "Instanz & Pakete verwalten"
+    "manage": "Instanz & Pakete verwalten",
    "instances": "Ihre Instanzen",
    "inflightRequests": "Laufende Anfragen",
    "createInstance": "Neue Instanz erstellen",
    "createInstanceDescription": "Eine weitere KI-Assistent-Instanz für Ihre Organisation bereitstellen. Die Anfrage wird von einem Administrator geprüft, bevor die Instanz erstellt wird."
  },
  "tenantDetail": {
    "agent": "Agent",
--- a/src/messages/en.json
+++ b/src/messages/en.json
@@ -35,7 +35,9 @@
    "successTitle": "Registration received",
    "successDescription": "You will receive an invitation email with a link to set your password and verify your email address. Once completed, you can sign in to set up your AI assistant.",
    "goToLogin": "Go to Sign In",
-    "duplicateDomain": "An account for the email domain {domain} is already registered. Please contact your company administrator to be invited, or reach out to PieCed IT support if you believe this is in error."
+    "duplicateDomain": "An account for the email domain {domain} is already registered. Please contact your company administrator to be invited, or reach out to PieCed IT support if you believe this is in error.",
    "individualToggle": "Register as an individual",
    "individualHint": "Tick this if you're not registering on behalf of a company. Your account will be set up as a personal workspace."
  },
  "onboarding": {
    "loading": "Loading status…",
@@ -83,7 +85,10 @@
    "readyTitle": "Your assistant is ready!",
    "readyDescription": "Your AI assistant has been provisioned and is running. You can now manage it from the dashboard.",
    "goToDashboard": "Go to Dashboard",
-    "submittedAt": "Submitted"
+    "submittedAt": "Submitted",
    "instanceName": "Instance name",
    "instanceNamePlaceholder": "e.g. Production, Dev, Sales",
    "instanceNameHint": "Optional human-readable name to distinguish this instance from others on your dashboard. Leave blank to use your company name."
  },
  "dashboard": {
    "title": "Dashboard",
@@ -94,7 +99,11 @@
    "noInstance": "No instance provisioned yet.",
    "comingSoon": "Detailed view coming in Session 6.2",
    "noInstanceDescription": "Set up your AI assistant instance to get started with PieCed IT.",
-    "manage": "Manage instance & packages"
+    "manage": "Manage instance & packages",
    "instances": "Your instances",
    "inflightRequests": "In-flight requests",
    "createInstance": "Create new instance",
    "createInstanceDescription": "Provision an additional AI assistant instance for your organization. The request will be reviewed by an administrator before the instance is created."
  },
  "tenantDetail": {
    "agent": "Agent",
--- a/src/messages/fr.json
+++ b/src/messages/fr.json
@@ -35,7 +35,9 @@
    "successTitle": "Inscription reçue",
    "successDescription": "Vous recevrez un e-mail d'invitation avec un lien pour définir votre mot de passe et vérifier votre adresse e-mail. Ensuite, vous pourrez vous connecter et configurer votre assistant IA.",
    "goToLogin": "Aller à la connexion",
-    "duplicateDomain": "Un compte pour le domaine de courriel {domain} est déjà enregistré. Veuillez contacter l'administrateur de votre entreprise pour être invité, ou contactez le support PieCed IT si vous pensez qu'il s'agit d'une erreur."
+    "duplicateDomain": "Un compte pour le domaine de courriel {domain} est déjà enregistré. Veuillez contacter l'administrateur de votre entreprise pour être invité, ou contactez le support PieCed IT si vous pensez qu'il s'agit d'une erreur.",
    "individualToggle": "S'inscrire en tant que particulier",
    "individualHint": "Cochez cette case si vous ne vous inscrivez pas au nom d'une entreprise. Votre compte sera configuré comme espace de travail personnel."
  },
  "onboarding": {
    "loading": "Chargement du statut…",
@@ -83,7 +85,10 @@
    "readyTitle": "Votre assistant est prêt !",
    "readyDescription": "Votre assistant IA a été mis en service et est actif. Vous pouvez maintenant le gérer depuis le tableau de bord.",
    "goToDashboard": "Aller au tableau de bord",
-    "submittedAt": "Soumis"
+    "submittedAt": "Soumis",
    "instanceName": "Nom de l'instance",
    "instanceNamePlaceholder": "ex. Production, Dev, Ventes",
    "instanceNameHint": "Nom lisible facultatif pour distinguer cette instance des autres sur votre tableau de bord. Laisser vide pour utiliser le nom de votre entreprise."
  },
  "dashboard": {
    "title": "Tableau de bord",
@@ -94,7 +99,11 @@
    "noInstance": "Aucune instance provisionnée.",
    "comingSoon": "Vue détaillée à venir dans la Session 6.2",
    "noInstanceDescription": "Configurez votre instance d'assistant IA pour commencer avec PieCed IT.",
-    "manage": "Gérer l'instance et les paquets"
+    "manage": "Gérer l'instance et les paquets",
    "instances": "Vos instances",
    "inflightRequests": "Demandes en cours",
    "createInstance": "Créer une nouvelle instance",
    "createInstanceDescription": "Provisionner une instance supplémentaire d'assistant IA pour votre organisation. La demande sera examinée par un administrateur avant la création de l'instance."
  },
  "tenantDetail": {
    "agent": "Agent",
--- a/src/messages/it.json
+++ b/src/messages/it.json
@@ -35,7 +35,9 @@
    "successTitle": "Registrazione ricevuta",
    "successDescription": "Riceverai un'e-mail di invito con un link per impostare la password e verificare il tuo indirizzo e-mail. Dopodiché potrai accedere e configurare il tuo assistente IA.",
    "goToLogin": "Vai all'accesso",
-    "duplicateDomain": "Un account per il dominio e-mail {domain} è già registrato. Contatta l'amministratore della tua azienda per essere invitato, oppure contatta il supporto PieCed IT se ritieni che si tratti di un errore."
+    "duplicateDomain": "Un account per il dominio e-mail {domain} è già registrato. Contatta l'amministratore della tua azienda per essere invitato, oppure contatta il supporto PieCed IT se ritieni che si tratti di un errore.",
    "individualToggle": "Registrati come privato",
    "individualHint": "Seleziona questa opzione se non ti stai registrando per conto di un'azienda. Il tuo account sarà configurato come area di lavoro personale."
  },
  "onboarding": {
    "loading": "Caricamento stato…",
@@ -83,7 +85,10 @@
    "readyTitle": "Il tuo assistente è pronto!",
    "readyDescription": "Il tuo assistente IA è stato attivato ed è operativo. Ora puoi gestirlo dalla dashboard.",
    "goToDashboard": "Vai alla dashboard",
-    "submittedAt": "Inviato"
+    "submittedAt": "Inviato",
    "instanceName": "Nome istanza",
    "instanceNamePlaceholder": "es. Produzione, Dev, Vendite",
    "instanceNameHint": "Nome leggibile facoltativo per distinguere questa istanza dalle altre nella dashboard. Lasciare vuoto per usare il nome dell'azienda."
  },
  "dashboard": {
    "title": "Dashboard",
@@ -94,7 +99,11 @@
    "noInstance": "Nessuna istanza attivata.",
    "comingSoon": "Vista dettagliata in arrivo nella Sessione 6.2",
    "noInstanceDescription": "Configura la tua istanza di assistente IA per iniziare con PieCed IT.",
-    "manage": "Gestisci istanza e pacchetti"
+    "manage": "Gestisci istanza e pacchetti",
    "instances": "Le tue istanze",
    "inflightRequests": "Richieste in corso",
    "createInstance": "Crea nuova istanza",
    "createInstanceDescription": "Effettua il provisioning di un'ulteriore istanza dell'assistente IA per la tua organizzazione. La richiesta sarà esaminata da un amministratore prima della creazione dell'istanza."
  },
  "tenantDetail": {
    "agent": "Agente",
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -37,7 +37,18 @@ export interface PiecedTenantStatus {
  phase: "Pending" | "Provisioning" | "Running" | "Ready" | "Error" | "Deleting";
  message?: string;
  observedGeneration?: number;
  /**
   * Org-level LiteLLM team id (since Slice 2 — shared across all tenants
   * of the same ZITADEL org). For per-tenant spend attribution use
   * `litellmKeyAlias`, not this field.
   */
  litellmTeamId?: string;
  /**
   * Per-tenant LiteLLM virtual-key alias (set to the CR name). Used by
   * the portal to filter spend logs to a single tenant within a shared
   * org-level team.
   */
  litellmKeyAlias?: string;
  tenantNamespace?: string;
  enabledPackages?: string[];
  conditions?: Array<{
@@ -72,11 +83,23 @@ export interface UsageSummary {
 // Registration
 export interface RegistrationInput {
-  companyName: string;
+  /**
   * Required for company registrations. Ignored when `isPersonal` is true —
   * the server then derives the ZITADEL org name from the user's full name
   * with a "(Personal)" suffix.
   */
  companyName?: string;
  givenName: string;
  familyName: string;
  email: string;
  preferredLanguage?: string;
  /**
   * Slice 4: when true, registration creates a personal account (one
   * person, no company). Domain-uniqueness check is skipped, ZITADEL org
   * is named "{givenName} {familyName} (Personal)", subsequent tenants
   * are named with the `p-{requestId[:8]}` convention.
   */
  isPersonal?: boolean;
 }
 // Billing address
@@ -101,6 +124,13 @@ export interface TenantRequest {
  zitadelOrgId: string;
  zitadelUserId: string;
  companyName: string;
  /**
   * Customer-chosen human label per instance (e.g. "Production", "Dev").
   * Optional. When set, used as the K8s `displayName` so the customer's
   * dashboard distinguishes their instances. When null, the company
   * name is used.
   */
  instanceName?: string | null;
  contactName: string;
  contactEmail: string;
  agentName: string;
@@ -113,12 +143,27 @@ export interface TenantRequest {
  adminNotes?: string;
  tenantName?: string;
  encryptedSecrets?: Buffer | null;
  /**
   * Slice 4: true for personal accounts. Drives CR-naming (`p-{suffix}`
   * vs `{slug}-{suffix}` in `lib/tenant-naming.ts`), display-name
   * fallback (contact name vs company name), and exclusion from the
   * domain-uniqueness check on subsequent registrations.
   */
  isPersonal?: boolean;
  createdAt: string;
  updatedAt: string;
 }
 // Onboarding wizard input
 export interface OnboardingInput {
  /**
   * Customer's human label for this instance. Optional; when blank, the
   * company name is used as the display name. Required when an org
   * already has at least one approved instance, to avoid two
   * indistinguishable rows on the dashboard — that constraint is
   * enforced server-side, not by the type.
   */
  instanceName?: string;
  agentName: string;
  soulMd?: string;
  agentsMd?: string;
Author	SHA1	Message	Date
admin	3521a0ff4f	Personal accounts All checks were successful Build and Push / build (push) Successful in 1m30s Details	2026-04-26 22:26:33 +02:00
admin	2c85bf8597	Multitenantperorg enabling All checks were successful Build and Push / build (push) Successful in 1m21s Details	2026-04-26 22:09:26 +02:00
admin	7b22bc4087	OneLiteLLM team per company+virt keys All checks were successful Build and Push / build (push) Successful in 1m24s Details	2026-04-26 21:21:02 +02:00
admin	1f48712e42	Tenant naming logic adjustments All checks were successful Build and Push / build (push) Successful in 1m22s Details	2026-04-26 18:47:50 +02:00
admin	0bf4c6cf4c	Debug pipeline	2026-04-25 22:48:05 +02:00