Role split and owner gating

scripts/verify-personal-org.mjs

@@ -0,0 +1,32 @@
+// Standalone JS port of `lib/personal-org.ts::isPersonalOrgName`
+// for offline verification.
+
+const PERSONAL_ORG_SUFFIX = " (Personal)";
+
+function isPersonalOrgName(orgName) {
+  if (!orgName) return false;
+  return orgName.trimEnd().endsWith(PERSONAL_ORG_SUFFIX);
+}
+
+const cases = [
+  ["Bob Müller (Personal)", true,  "personal account"],
+  ["Acme GmbH",             false, "company"],
+  ["Acme (Personal) Ltd",   false, "suffix in middle does not count"],
+  ["Bob (Personal)  ",      true,  "trailing whitespace tolerated"],
+  ["Bob (personal)",        false, "case-sensitive — lowercase doesn't match"],
+  ["",                      false, "empty"],
+  [null,                    false, "null"],
+  [undefined,               false, "undefined"],
+  ["Bob (Personal)x",       false, "non-trailing suffix"],
+  [" (Personal)",           true,  "minimal — empty user name (degenerate but matches)"],
+];
+
+let pass = 0, fail = 0;
+for (const [name, expected, note] of cases) {
+  const got = isPersonalOrgName(name);
+  const ok = got === expected;
+  console.log(`${ok ? "PASS" : "FAIL"}  got=${got}  want=${expected}  [${note}]  input=${JSON.stringify(name)}`);
+  if (ok) pass++; else fail++;
+}
+console.log(`\n${pass} pass, ${fail} fail`);
+process.exit(fail === 0 ? 0 : 1);

scripts/verify-role-gates.mjs

@@ -0,0 +1,38 @@
+// Standalone JS port of `lib/session.ts::canMutate` and `isCustomerOwner`
+// for offline verification.
+//
+// SessionUser shape mirrors the TypeScript interface:
+//   { roles: Role[], isPlatform: boolean, ... }
+
+function canMutate(user) {
+  return user.isPlatform || user.roles.includes("owner");
+}
+
+function isCustomerOwner(user) {
+  return !user.isPlatform && user.roles.includes("owner");
+}
+
+const cases = [
+  // [user, fn, expected, note]
+  [{ isPlatform: true,  roles: ["platform_admin"] },          canMutate, true,  "platform admin can mutate"],
+  [{ isPlatform: true,  roles: ["platform_operator"] },       canMutate, true,  "platform operator can mutate"],
+  [{ isPlatform: false, roles: ["owner"] },                   canMutate, true,  "customer owner can mutate"],
+  [{ isPlatform: false, roles: ["user"] },                    canMutate, false, "customer user cannot mutate"],
+  [{ isPlatform: false, roles: [] },                          canMutate, false, "no roles cannot mutate"],
+  [{ isPlatform: false, roles: ["owner", "user"] },           canMutate, true,  "owner+user (owner wins)"],
+
+  [{ isPlatform: true,  roles: ["platform_admin", "owner"] }, isCustomerOwner, false, "platform user with owner role is NOT customerOwner"],
+  [{ isPlatform: false, roles: ["owner"] },                   isCustomerOwner, true,  "pure customer owner"],
+  [{ isPlatform: false, roles: ["user"] },                    isCustomerOwner, false, "customer user is not customerOwner"],
+  [{ isPlatform: false, roles: [] },                          isCustomerOwner, false, "empty roles is not customerOwner"],
+];
+
+let pass = 0, fail = 0;
+for (const [user, fn, expected, note] of cases) {
+  const got = fn(user);
+  const ok = got === expected;
+  console.log(`${ok ? "PASS" : "FAIL"}  got=${got}  want=${expected}  [${note}]`);
+  if (ok) pass++; else fail++;
+}
+console.log(`\n${pass} pass, ${fail} fail`);
+process.exit(fail === 0 ? 0 : 1);

src/app/[locale]/dashboard/new/page.tsx

@@ -0,0 +1,55 @@
+import { getSessionUser, canMutate } from "@/lib/session";
+import { getTranslations } from "next-intl/server";
+import { redirect } from "next/navigation";
+import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
+import Link from "next/link";
+
+/**
+ * /dashboard/new — wizard for creating an additional instance for an
+ * existing customer. Reachable from the dashboard "+ Create new instance"
+ * link.
+ *
+ * Slice 3: this page is the entry point for follow-up instances. The
+ * first-instance case is still served inline on /dashboard. Both paths
+ * mount the same <OnboardingFlow>; the API resolves the difference
+ * server-side based on whether prior approved rows exist for the org.
+ *
+ * Platform admins are redirected to /dashboard — they shouldn't be
+ * creating tenant instances under their own org.
+ *
+ * Slice 5: customer-side `user` role is also redirected — only owners
+ * may create new instances. The server-side POST handler enforces the
+ * same; this redirect is purely UX so /user-role members don't land on
+ * a wizard that will 403 on submit.
+ */
+export default async function NewInstancePage() {
+  const user = await getSessionUser();
+  if (!user) redirect("/login");
+  if (user.isPlatform) redirect("/dashboard");
+  if (!canMutate(user)) redirect("/dashboard");
+
+  const t = await getTranslations("dashboard");
+
+  return (
+    <div>
+      <div className="mb-8 animate-in">
+        <Link
+          href="/dashboard"
+          className="inline-flex items-center gap-1.5 mb-4 text-xs font-medium text-text-muted hover:text-text-primary transition-colors"
+        >
+          <span>←</span> {t("title")}
+        </Link>
+        <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
+          {t("createInstance")}
+        </h1>
+        <p className="text-text-secondary text-sm mt-4">
+          {t("createInstanceDescription")}
+        </p>
+      </div>
+
+      <div className="animate-in animate-in-delay-1">
+        <OnboardingFlow orgName={user.orgName} />
+      </div>
+    </div>
+  );
+}

src/app/[locale]/dashboard/page.tsx

@@ -1,12 +1,12 @@
-import { getSessionUser } from "@/lib/session";
+import { getSessionUser, canMutate } from "@/lib/session";
 import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect } from "next/navigation";
 import { listTenants } from "@/lib/k8s";
-import { getTenantRequestByOrgId } from "@/lib/db";
+import { listActiveTenantRequestsByOrgId } from "@/lib/db";
 import { Card, CardHeader } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
-import { UsageDisplay } from "@/components/dashboard/usage-display";
 import { OnboardingFlow } from "@/components/onboarding/onboarding-flow";
+import { ProvisioningStatus } from "@/components/onboarding/provisioning-status";
 import { formatDateTime } from "@/lib/format";
 import Link from "next/link";
 
@@ -20,7 +20,7 @@ export default async function DashboardPage() {
 
   const allTenants = await listTenants();
 
-  // Platform users see overview of all tenants
+  // Platform users see overview of all tenants — unchanged from pre-Slice-3.
   if (user.isPlatform) {
     const phaseCount = allTenants.reduce<Record<string, number>>((acc, t) => {
       const phase = t.status?.phase ?? "Pending";
@@ -133,19 +133,54 @@ export default async function DashboardPage() {
     );
   }
 
-  // Regular user: find their tenant
+  // ---------------------------------------------------------------------
-  const myTenant = allTenants.find(
+  // Customer view (Slice 3 multi-tenant)
+  // ---------------------------------------------------------------------
+
+  const orgTenants = allTenants.filter(
     (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
   );
+  const orgRequests = await listActiveTenantRequestsByOrgId(user.orgId);
 
-  // No tenant → check for existing request, show onboarding flow
+  // Pending/in-flight requests that don't yet have a tenant CR. Once the
-  if (!myTenant) {
+  // CR exists, the tenant card carries the live phase, so a separate
-    const existingRequest = await getTenantRequestByOrgId(user.orgId);
+  // "request" card would just duplicate it.
-    // Treat "deleted" as no request — customer can re-onboard
+  const inflightRequests = orgRequests.filter(
-    const initialState =
+    (r) => !r.tenantName || !orgTenants.some((t) => t.metadata.name === r.tenantName)
-      !existingRequest || existingRequest.status === "deleted"
+  );
-        ? "no_request"
+
-        : existingRequest.status;
+  // Slice 5: only owners (and platform users, who'd typically be using
+  // the admin panel anyway) see the "Create new instance" link. A
+  // `user`-role member sees the dashboard but not the create flow —
+  // they need to ask an owner.
+  const canCreate = canMutate(user);
+
+  // First-time user: empty company. Show the onboarding wizard inline.
+  // Note: the registering user is always granted `owner` on their new
+  // org by registerCustomer, so this branch is only reachable by an
+  // owner — no role check needed here. But a customer-side `user`
+  // promoted into a fresh empty org (Slice 7 invites) would also land
+  // here without permission to submit. Belt-and-braces gate.
+  if (orgTenants.length === 0 && inflightRequests.length === 0) {
+    if (!canCreate) {
+      return (
+        <div>
+          <div className="mb-8 animate-in">
+            <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
+              {t("title")}
+            </h1>
+            <p className="text-text-secondary text-sm mt-4">
+              {t("welcome", { name: user.name || user.email })}
+            </p>
+          </div>
+          <Card className="animate-in animate-in-delay-1">
+            <p className="text-sm text-text-secondary text-center py-6">
+              {t("noAccessNoInstances")}
+            </p>
+          </Card>
+        </div>
+      );
+    }
 
     return (
       <div>
@@ -159,70 +194,109 @@ export default async function DashboardPage() {
         </div>
 
         <div className="animate-in animate-in-delay-1">
-          <OnboardingFlow
+          <OnboardingFlow orgName={user.orgName} />
-            orgName={user.orgName}
-            initialState={initialState as any}
-          />
         </div>
       </div>
     );
   }
 
-  const tenantName = myTenant.metadata.name;
+  // Returning customer: list of tenants + in-flight requests, plus
-
+  // a button to add another instance (owners only).
   return (
     <div>
-      <div className="mb-8 animate-in">
+      <div className="mb-8 animate-in flex items-start justify-between gap-4">
-        <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
+        <div>
-          {t("title")}
+          <h1 className="font-display text-2xl font-semibold accent-rule mb-2">
-        </h1>
+            {t("title")}
-        <p className="text-text-secondary text-sm mt-4">
+          </h1>
-          {t("welcome", { name: user.name || user.email })}
+          <p className="text-text-secondary text-sm mt-4">
-        </p>
+            {t("welcome", { name: user.name || user.email })}
+          </p>
+        </div>
+
+        {canCreate && (
+          <Link
+            href="/dashboard/new"
+            className="shrink-0 inline-flex items-center gap-1.5 py-2 px-4 bg-accent text-white text-xs font-medium rounded-lg hover:bg-accent-dim transition-colors"
+          >
+            <span>+</span> {t("createInstance")}
+          </Link>
+        )}
       </div>
 
-      {/* Instance status card */}
+      {/* In-flight (pending/approved/provisioning/rejected) requests */}
-      <div className="mb-6 animate-in animate-in-delay-1">
+      {inflightRequests.length > 0 && (
-        <Card>
+        <div className="mb-8 animate-in animate-in-delay-1">
-          <CardHeader>{t("instanceStatus")}</CardHeader>
+          <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
-          <div className="flex items-center gap-4">
+            {t("inflightRequests")}
-            <StatusBadge phase={myTenant.status?.phase ?? "Pending"} />
+          </h2>
-            {myTenant.spec.agentName && (
+          <div className="space-y-3">
-              <span className="text-sm text-text-secondary">
+            {inflightRequests.map((r) => (
-                {myTenant.spec.agentName}
+              <ProvisioningStatus key={r.id} requestId={r.id} />
-              </span>
+            ))}
-            )}
           </div>
-          {myTenant.spec.packages && myTenant.spec.packages.length > 0 && (
+        </div>
-            <div className="flex flex-wrap gap-2 mt-3">
+      )}
-              {myTenant.spec.packages.map((pkg) => (
-                <span
-                  key={pkg}
-                  className="text-xs font-mono bg-accent/10 text-accent border border-accent/20 rounded-full px-2.5 py-0.5"
-                >
-                  {pkg}
-                </span>
-              ))}
-            </div>
-          )}
-        </Card>
-      </div>
 
-      {/* Usage — no teamId passed, backend resolves from session */}
+      {/* Active tenants */}
-      <div className="mb-6 animate-in animate-in-delay-2">
+      {orgTenants.length > 0 && (
-        <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
+        <div className="animate-in animate-in-delay-2">
-          {t("usage")}
+          <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
-        </h2>
+            {t("instances")}
-        <UsageDisplay />
+          </h2>
-      </div>
+          <div className="grid gap-4 md:grid-cols-2">
+            {orgTenants.map((tenant) => (
+              <Link
+                key={tenant.metadata.name}
+                href={`/tenants/${tenant.metadata.name}`}
+                className="block group"
+              >
+                <Card className="h-full hover:border-accent/40 transition-colors">
+                  <div className="flex items-start justify-between gap-3 mb-3">
+                    <div className="min-w-0">
+                      <div className="text-sm font-semibold text-text-primary truncate">
+                        {tenant.spec.displayName || tenant.metadata.name}
+                      </div>
+                      <div className="font-mono text-xs text-text-muted truncate mt-0.5">
+                        {tenant.metadata.name}
+                      </div>
+                    </div>
+                    <StatusBadge phase={tenant.status?.phase ?? "Pending"} />
+                  </div>
 
-      {/* Link to tenant detail */}
+                  {tenant.spec.agentName && (
-      <Link
+                    <div className="text-xs text-text-secondary mb-2">
-        href={`/tenants/${tenantName}`}
+                      {tenant.spec.agentName}
-        className="inline-flex items-center gap-1.5 text-xs font-medium text-accent hover:text-accent-dim transition-colors animate-in animate-in-delay-3"
+                    </div>
-      >
+                  )}
-        <span>→</span> {t("manage")}
+
-      </Link>
+                  {tenant.spec.packages && tenant.spec.packages.length > 0 && (
+                    <div className="flex flex-wrap gap-1.5 mb-3">
+                      {tenant.spec.packages.slice(0, 4).map((pkg) => (
+                        <span
+                          key={pkg}
+                          className="text-xs font-mono bg-accent/10 text-accent border border-accent/20 rounded-full px-2 py-0.5"
+                        >
+                          {pkg}
+                        </span>
+                      ))}
+                      {tenant.spec.packages.length > 4 && (
+                        <span className="text-xs text-text-muted">
+                          +{tenant.spec.packages.length - 4}
+                        </span>
+                      )}
+                    </div>
+                  )}
+
+                  <div className="text-xs font-medium text-accent group-hover:text-accent-dim transition-colors">
+                    {t("manage")} →
+                  </div>
+                </Card>
+              </Link>
+            ))}
+          </div>
+        </div>
+      )}
     </div>
   );
 }

src/app/[locale]/register/page.tsx

@@ -7,6 +7,13 @@ import { Card } from "@/components/ui/card";
 
 type FormState = "idle" | "submitting" | "success" | "error";
 
+/**
+ * Slice 4: a "Register as individual" toggle distinguishes personal
+ * accounts from company registrations. When the toggle is on:
+ *   - the company name field is hidden (and not sent)
+ *   - the server skips the duplicate-domain check
+ *   - the ZITADEL org is named "{givenName} {familyName} (Personal)"
+ */
 export default function RegisterPage() {
   const t = useTranslations("register");
   const tCommon = useTranslations("common");
@@ -18,6 +25,7 @@ export default function RegisterPage() {
     familyName: "",
     email: "",
   });
+  const [isPersonal, setIsPersonal] = useState(false);
   const [state, setState] = useState<FormState>("idle");
   const [error, setError] = useState("");
 
@@ -31,15 +39,23 @@ export default function RegisterPage() {
     setState("submitting");
 
     try {
+      // Build the request body explicitly. For personals we omit
+      // companyName so the server knows to derive the org name from
+      // the user's full name. The Zod schema accepts the omission.
+      const body: Record<string, unknown> = {
+        givenName: form.givenName,
+        familyName: form.familyName,
+        email: form.email,
+        isPersonal,
+      };
+      if (!isPersonal) {
+        body.companyName = form.companyName;
+      }
+
       const res = await fetch("/api/register", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
+        body: JSON.stringify(body),
-          companyName: form.companyName,
-          givenName: form.givenName,
-          familyName: form.familyName,
-          email: form.email,
-        }),
       });
 
       if (!res.ok) {
@@ -104,21 +120,41 @@ export default function RegisterPage() {
 
         <Card className="animate-in animate-in-delay-1">
           <form onSubmit={handleSubmit} className="space-y-4">
-            {/* Company name */}
+            {/* Personal-account toggle */}
-            <div>
+            <label className="flex items-start gap-3 cursor-pointer select-none p-3 rounded-lg border border-border bg-surface-2 hover:border-accent/40 transition-colors">
-              <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
-                {t("companyName")}
-              </label>
               <input
-                name="companyName"
+                type="checkbox"
-                type="text"
+                checked={isPersonal}
-                required
+                onChange={(e) => setIsPersonal(e.target.checked)}
-                value={form.companyName}
+                className="mt-0.5 h-4 w-4 rounded border-border bg-surface-1 text-accent focus:ring-1 focus:ring-accent focus:ring-offset-0"
-                onChange={handleChange}
-                placeholder={t("companyNamePlaceholder")}
-                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
               />
-            </div>
+              <div className="flex-1 min-w-0">
+                <div className="text-sm font-medium text-text-primary">
+                  {t("individualToggle")}
+                </div>
+                <div className="text-xs text-text-muted mt-0.5">
+                  {t("individualHint")}
+                </div>
+              </div>
+            </label>
+
+            {/* Company name — hidden for personal */}
+            {!isPersonal && (
+              <div>
+                <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                  {t("companyName")}
+                </label>
+                <input
+                  name="companyName"
+                  type="text"
+                  required
+                  value={form.companyName}
+                  onChange={handleChange}
+                  placeholder={t("companyNamePlaceholder")}
+                  className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                />
+              </div>
+            )}
 
             {/* Name row */}
             <div className="grid grid-cols-2 gap-3">
@@ -161,7 +197,7 @@ export default function RegisterPage() {
                 required
                 value={form.email}
                 onChange={handleChange}
-                placeholder="you@company.ch"
+                placeholder={isPersonal ? "you@example.ch" : "you@company.ch"}
                 className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
               />
             </div>

src/app/[locale]/tenants/[name]/page.tsx

@@ -1,4 +1,4 @@
-import { getSessionUser } from "@/lib/session";
+import { getSessionUser, canMutate } from "@/lib/session";
 import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect, notFound } from "next/navigation";
 import { getTenant } from "@/lib/k8s";
@@ -34,6 +34,11 @@ export default async function TenantDetailPage({
     notFound();
   }
 
+  // Slice 5: editable surface gated on owner role. Platform users always
+  // can edit; customer-side, only `owner` may. `user`-role members see
+  // the same page but with edit controls hidden / fields read-only.
+  const canEdit = canMutate(user);
+
   const enabledPackages = tenant.spec.packages || [];
   const workspaceFiles = tenant.spec.workspaceFiles || {};
   const enabledChannels = enabledPackages.filter((pkg) =>
@@ -100,6 +105,7 @@ export default async function TenantDetailPage({
           tenantName={name}
           enabledPackages={enabledPackages}
           conditions={tenant.status?.conditions}
+          canEdit={canEdit}
         />
       </section>
 
@@ -110,6 +116,7 @@ export default async function TenantDetailPage({
             tenantName={name}
             enabledChannels={enabledChannels}
             initialChannelUsers={channelUsers}
+            canEdit={canEdit}
           />
         </section>
       )}
@@ -119,7 +126,7 @@ export default async function TenantDetailPage({
         <h2 className="text-xs font-semibold uppercase tracking-wider text-text-muted mb-3">
           {t("workspaceFiles")}
         </h2>
-        <WorkspaceEditor tenantName={name} files={workspaceFiles} />
+        <WorkspaceEditor tenantName={name} files={workspaceFiles} canEdit={canEdit} />
       </section>
     </div>
   );

src/app/api/admin/requests/[id]/approve/route.ts

@@ -63,10 +63,10 @@ export async function POST(
   const isReApproval = tenantRequest.status === "rejected";
 
   // Build the CR name: see `lib/tenant-naming.ts` for the format spec.
-  // For now all approvals are kind="company" — the personal branch is
+  // Slice 4: for personal accounts the slug is replaced by the literal
-  // wired but unused until Slice 4 introduces the `is_personal` column.
+  // "p-" prefix so no PII is embedded in the K8s namespace name.
   const tenantName = deriveTenantName(
-    "company",
+    tenantRequest.isPersonal ? "personal" : "company",
     tenantRequest.companyName,
     tenantRequest.id
   );
@@ -100,11 +100,23 @@ export async function POST(
       "TOOLS.md": toolsMd,
     };
 
-    // Step 4: Create the PiecedTenant CR
+    // Step 4: Create the PiecedTenant CR.
+    // displayName precedence:
+    //   1. customer-chosen instance name (Slice 3 multi-tenant)
+    //   2. for personal accounts, the contact name (avoids exposing the
+    //      synthetic "{name} (Personal)" company name in the OpenClaw UI)
+    //   3. company name otherwise
+    const displayName =
+      tenantRequest.instanceName && tenantRequest.instanceName.trim().length > 0
+        ? tenantRequest.instanceName.trim()
+        : tenantRequest.isPersonal
+          ? tenantRequest.contactName || "Assistant"
+          : tenantRequest.companyName;
+
     await createTenant(
       tenantName,
       {
-        displayName: tenantRequest.companyName,
+        displayName,
         agentName: tenantRequest.agentName,
         packages,
         workspaceFiles,

src/app/api/onboarding/route.ts

@@ -1,17 +1,27 @@
-import { NextResponse } from "next/server";
+import { NextRequest, NextResponse } from "next/server";
-import { getSessionUser } from "@/lib/session";
+import { getSessionUser, canMutate } from "@/lib/session";
 import {
   createTenantRequest,
-  getTenantRequestByOrgId,
+  getTenantRequestById,
-  deleteTenantRequest,
+  listTenantRequestsByOrgId,
+  listActiveTenantRequestsByOrgId,
+  getMostRecentApprovedRequestForOrg,
 } from "@/lib/db";
 import { getTenant, listTenants } from "@/lib/k8s";
 import { sendAdminNotificationEmail } from "@/lib/email";
 import { encryptSecrets } from "@/lib/crypto";
-import type { OnboardingInput } from "@/types";
+import { isPersonalOrgName } from "@/lib/personal-org";
+import type { OnboardingInput, PiecedTenant, TenantRequest } from "@/types";
 import { z } from "zod";
 
 const onboardingSchema = z.object({
+  instanceName: z
+    .string()
+    .trim()
+    .max(80)
+    .optional()
+    // Empty string from a form input → drop to undefined so the DB stores NULL
+    .transform((v) => (v && v.length > 0 ? v : undefined)),
   agentName: z.string().min(1).max(50),
   soulMd: z.string().max(10_000).optional(),
   agentsMd: z.string().max(10_000).optional(),
@@ -30,59 +40,116 @@ const onboardingSchema = z.object({
 });
 
 /**
- * GET /api/onboarding
+ * Helper: shape a TenantRequest row for client consumption.
- * Check the current onboarding state for the logged-in user's org.
+ * Hides server-only fields (encryptedSecrets, internal db ids).
  */
-export async function GET() {
+function publicRequestShape(r: TenantRequest) {
+  return {
+    id: r.id,
+    instanceName: r.instanceName,
+    agentName: r.agentName,
+    packages: r.packages,
+    status: r.status,
+    adminNotes: r.adminNotes,
+    tenantName: r.tenantName,
+    createdAt: r.createdAt,
+    updatedAt: r.updatedAt,
+  };
+}
+
+function publicTenantShape(t: PiecedTenant) {
+  return {
+    name: t.metadata.name,
+    displayName: t.spec.displayName,
+    phase: t.status?.phase ?? "Pending",
+    suspended: t.spec.suspend ?? false,
+    packages: t.spec.packages ?? [],
+    creationTimestamp: t.metadata.creationTimestamp,
+    conditions: t.status?.conditions ?? [],
+  };
+}
+
+/**
+ * GET /api/onboarding
+ *
+ * Two response shapes depending on the `?id=` query:
+ *
+ *   - With `?id=<requestId>`: returns the single request's status plus
+ *     the linked tenant's phase if approved. Used by ProvisioningStatus
+ *     to poll a specific request. The id is validated against the
+ *     caller's orgId so admins-and-only-admins can read across orgs.
+ *
+ *   - Without `id`: returns lists of all in-flight requests and active
+ *     tenants for the caller's org. Used by the dashboard to render the
+ *     multi-tenant view.
+ *
+ * Slice 3 note: this replaces the old single-state response shape
+ * (`{ state: "...", request: {...} }`). Pre-Slice-3 callers will see
+ * the new shape and need to be updated. The only known caller is
+ * `<ProvisioningStatus>`, updated in lockstep.
+ */
+export async function GET(req: NextRequest) {
   const user = await getSessionUser();
   if (!user) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
-  // Check if there's already a running tenant for this org
+  const requestedId = req.nextUrl.searchParams.get("id");
-  const allTenants = await listTenants();
-  const myTenant = allTenants.find(
-    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
-  );
 
-  if (myTenant) {
+  if (requestedId) {
+    const tr = await getTenantRequestById(requestedId);
+    if (!tr) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+    // Customers may only read their own org's requests; platform
+    // admins/operators may read any.
+    if (!user.isPlatform && tr.zitadelOrgId !== user.orgId) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+
+    let tenant: PiecedTenant | null = null;
+    if (tr.tenantName) {
+      tenant = (await getTenant(tr.tenantName)) ?? null;
+    }
     return NextResponse.json({
-      state: "active",
+      request: publicRequestShape(tr),
-      tenantName: myTenant.metadata.name,
+      tenant: tenant ? publicTenantShape(tenant) : null,
-      phase: myTenant.status?.phase ?? "Unknown",
     });
   }
 
-  // Check if there's a pending request
+  // List view: requests + tenants for this org
-  const request = await getTenantRequestByOrgId(user.orgId);
+  const [requests, allTenants] = await Promise.all([
+    listActiveTenantRequestsByOrgId(user.orgId),
+    listTenants(),
+  ]);
 
-  if (!request || request.status === "deleted") {
+  const orgTenants = allTenants.filter(
-    return NextResponse.json({ state: "no_request" });
+    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
-  }
+  );
 
   return NextResponse.json({
-    state: request.status,
+    requests: requests.map(publicRequestShape),
-    request: {
+    tenants: orgTenants.map(publicTenantShape),
-      id: request.id,
-      agentName: request.agentName,
-      packages: request.packages,
-      status: request.status,
-      adminNotes: request.adminNotes,
-      tenantName: request.tenantName,
-      createdAt: request.createdAt,
-    },
   });
 }
 
 /**
  * POST /api/onboarding
- * Submit the onboarding wizard. Creates a tenant_request with status "pending".
- * The actual PiecedTenant CR is NOT created yet — admin approval required.
  *
- * If packageSecrets are provided (for packages requiring credentials like
+ * Always creates a NEW tenant_request row, regardless of how many other
- * Telegram, Discord, Email), they are encrypted with AES-256-GCM and stored
+ * rows already exist for this org. The pre-Slice-3 409 ("you already
- * as a BYTEA blob. They are decrypted only during admin approval to write
+ * have a request") is gone — multi-tenant is the design now.
- * to OpenBao.
+ *
+ * For additional instances in an existing company, the customer's prior
+ * approved row is used to seed billing/contact info, so the wizard
+ * doesn't need to re-collect data already on file. The wizard *does*
+ * still send a billingAddress payload (the field is required by the
+ * schema), but in practice the client can pre-fill it from
+ * `getMostRecentApprovedRequestForOrg`.
+ *
+ * Encrypted package secrets, if provided, are AES-256-GCM-sealed and
+ * stored as a BYTEA blob. They are decrypted only during admin approval
+ * to write to OpenBao.
  */
 export async function POST(request: Request) {
   const user = await getSessionUser();
@@ -90,6 +157,15 @@ export async function POST(request: Request) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
+  // Slice 5: only owners (or platform users) may create new instances.
+  // A `user`-role member of an existing org cannot self-provision.
+  if (!canMutate(user)) {
+    return NextResponse.json(
+      { error: "Only the organization owner can create new instances." },
+      { status: 403 }
+    );
+  }
+
   const body = await request.json();
   const parsed = onboardingSchema.safeParse(body);
   if (!parsed.success) {
@@ -99,40 +175,27 @@ export async function POST(request: Request) {
     );
   }
 
-  // Check for existing request
-  const existing = await getTenantRequestByOrgId(user.orgId);
-  if (existing && existing.status !== "deleted") {
-    return NextResponse.json(
-      { error: "Onboarding request already submitted.", request: existing },
-      { status: 409 }
-    );
-  }
-
-  // If previous request was deleted, remove it so a fresh one can be created
-  if (existing && existing.status === "deleted") {
-    await deleteTenantRequest(existing.id);
-  }
-
-  // Check for existing tenant
-  const allTenants = await listTenants();
-  const myTenant = allTenants.find(
-    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
-  );
-
-  if (myTenant) {
-    return NextResponse.json(
-      {
-        error: "You already have a tenant provisioned.",
-        tenantName: myTenant.metadata.name,
-      },
-      { status: 409 }
-    );
-  }
-
   const input: OnboardingInput & {
     packageSecrets?: Record<string, Record<string, string>>;
   } = parsed.data;
 
+  // Look up an existing approved request for this org to inherit
+  // company-level billing data. For brand-new orgs (first registration),
+  // there is no prior row and we use the form-supplied billingAddress
+  // verbatim. For follow-up requests, we ignore the form-supplied
+  // company line in favour of the recorded company name.
+  const prior = await getMostRecentApprovedRequestForOrg(user.orgId);
+
+  // Slice 4: detect personal-account orgs by the canonical " (Personal)"
+  // suffix on the ZITADEL org name. Set at registration, stable for the
+  // lifetime of the org. Persisted on the row so admin views and the
+  // approve handler don't have to re-derive it.
+  //
+  // If any prior row has is_personal set, prefer that — it's the same
+  // org and the value can't change. (The prior-row check is defensive;
+  // the org-name check should agree.)
+  const isPersonal = prior?.isPersonal ?? isPersonalOrgName(user.orgName);
+
   // Encrypt package secrets if provided
   let encryptedSecrets: Buffer | undefined;
   if (input.packageSecrets && Object.keys(input.packageSecrets).length > 0) {
@@ -147,34 +210,56 @@ export async function POST(request: Request) {
     }
   }
 
+  // For follow-up instances, prefer the on-file company name and contact
+  // details; the user can't change those by re-typing them in the wizard.
+  const companyName = prior?.companyName ?? user.orgName;
+  const contactName = prior?.contactName ?? user.name;
+  const contactEmail = prior?.contactEmail ?? user.email;
+  const billingAddress = prior?.billingAddress ?? input.billingAddress;
+  const billingNotes = input.billingNotes ?? prior?.billingNotes;
+
   const tenantRequest = await createTenantRequest({
     zitadelOrgId: user.orgId,
     zitadelUserId: user.id,
-    companyName: user.orgName,
+    companyName,
-    contactName: user.name,
+    instanceName: input.instanceName,
-    contactEmail: user.email,
+    contactName,
+    contactEmail,
     agentName: input.agentName,
     soulMd: input.soulMd,
     agentsMd: input.agentsMd,
     packages: input.packages ?? [],
-    billingAddress: input.billingAddress,
+    billingAddress,
-    billingNotes: input.billingNotes,
+    billingNotes,
     encryptedSecrets,
+    isPersonal,
   });
 
-  // Notify admin about the new request
+  // Notify admin about the new request. For follow-up instances, include
+  // the instance name in the notification so the admin sees what's
+  // being requested without opening the panel.
   try {
     await sendAdminNotificationEmail(
       tenantRequest.contactEmail,
       tenantRequest.contactName,
-      tenantRequest.companyName
+      tenantRequest.instanceName
+        ? `${tenantRequest.companyName} (${tenantRequest.instanceName})`
+        : tenantRequest.companyName
     );
   } catch (e) {
     console.error("Failed to send admin notification:", e);
   }
 
+  // For diagnostics: how many other in-flight requests does this org
+  // already have? Useful for the admin queue.
+  const allRequests = await listTenantRequestsByOrgId(user.orgId);
+
   return NextResponse.json(
-    { message: "Request submitted.", request: tenantRequest },
+    {
+      message: "Request submitted.",
+      request: publicRequestShape(tenantRequest),
+      orgRequestCount: allRequests.length,
+    },
     { status: 201 }
   );
 }

src/app/api/register/route.ts

@@ -5,18 +5,54 @@ import { checkDuplicateDomain } from "@/lib/db";
 import type { RegistrationInput } from "@/types";
 import { z } from "zod";
 
-const registrationSchema = z.object({
+/**
-  companyName: z.string().min(2).max(100),
+ * Registration schema.
-  givenName: z.string().min(1).max(100),
+ *
-  familyName: z.string().min(1).max(100),
+ * Slice 4 changes
-  email: z.string().email(),
+ * ---------------
-  preferredLanguage: z.enum(["en", "de", "fr", "it"]).optional(),
+ * - `companyName` is no longer always required. It's required when
-});
+ *   `isPersonal` is false/absent, ignored when `isPersonal` is true.
+ * - `isPersonal` flag distinguishes personal accounts. The server
+ *   derives the ZITADEL org name from `${givenName} ${familyName}
+ *   (Personal)` for personals — the suffix is the canonical marker
+ *   that downstream code (onboarding POST, admin views) uses to
+ *   distinguish personal orgs from companies. Customers cannot rename
+ *   their own org, so the suffix is stable.
+ * - Personal accounts skip the duplicate-domain check entirely. Their
+ *   row is also excluded from future domain checks (see
+ *   `lib/domain-check.ts::findDuplicateInDb`).
+ */
+const registrationSchema = z
+  .object({
+    companyName: z.string().min(2).max(100).optional(),
+    givenName: z.string().min(1).max(100),
+    familyName: z.string().min(1).max(100),
+    email: z.string().email(),
+    preferredLanguage: z.enum(["en", "de", "fr", "it"]).optional(),
+    isPersonal: z.boolean().optional().default(false),
+  })
+  .refine(
+    (data) =>
+      data.isPersonal || (data.companyName && data.companyName.trim().length >= 2),
+    {
+      message: "Company name is required for company registrations",
+      path: ["companyName"],
+    }
+  );
 
 /** 3 registrations per IP per hour */
 const RATE_LIMIT = 3;
 const RATE_WINDOW_MS = 3_600_000; // 1 hour
 
+/**
+ * Suffix appended to personal-account ZITADEL org names. Used here to
+ * build the org name and elsewhere (session.orgName check) to detect
+ * whether the current user is on a personal org.
+ *
+ * Keep this in sync with `isPersonalOrgName()` in `lib/personal-org.ts`.
+ */
+const PERSONAL_ORG_SUFFIX = " (Personal)";
+
 export async function POST(request: NextRequest) {
   // --- Rate limiting ---
   const ip =
@@ -53,31 +89,45 @@ export async function POST(request: NextRequest) {
     }
 
     const input: RegistrationInput = parsed.data;
+    const isPersonal = input.isPersonal === true;
 
-    // --- Duplicate-domain check ---
+    // --- Duplicate-domain check (skipped for personal accounts) ---
     //
-    // Block if another active tenant_request or ZITADEL org already exists
+    // Personal accounts are explicitly allowed to use any email domain
-    // for this corporate email domain. Public domains (gmail, gmx, etc.)
+    // (including corporate). Their tenant_request rows are excluded
-    // are exempted by checkDuplicateDomain.
+    // from this check by lib/domain-check.ts, so a personal account
-    //
+    // doesn't block a later real-company registration on the same
-    // We return a structured `code: "duplicate_domain"` with the matched
+    // domain.
-    // domain so the client can render the localized message via
+    if (!isPersonal) {
-    // register.duplicateDomain (with {domain} interpolation). The fallback
+      const dup = await checkDuplicateDomain(input.email);
-    // English string is included for non-i18n clients (curl, monitoring).
+      if (dup.blocked && dup.domain) {
-    const dup = await checkDuplicateDomain(input.email);
+        return NextResponse.json(
-    if (dup.blocked && dup.domain) {
+          {
-      return NextResponse.json(
+            error: `An account for the email domain ${dup.domain} is already registered. Please contact your company administrator or PieCed IT support.`,
-        {
+            code: "duplicate_domain",
-          error: `An account for the email domain ${dup.domain} is already registered. Please contact your company administrator or PieCed IT support.`,
+            domain: dup.domain,
-          code: "duplicate_domain",
+          },
-          domain: dup.domain,
+          { status: 409 },
-        },
+        );
-        { status: 409 },
+      }
-      );
     }
 
+    // --- Determine the ZITADEL org name ---
+    //
+    // For company: use the customer-supplied companyName (already
+    //   validated to be present + ≥2 chars by the schema refinement).
+    // For personal: synthesise from full name + " (Personal)" suffix.
+    //   The suffix is the canonical marker for personal orgs.
+    //
+    // ZITADEL does NOT enforce org-name uniqueness, so two "Hans Müller
+    // (Personal)" orgs can coexist; the org id is what matters for our
+    // labelling and lookups, the name is human-readable only.
+    const orgName = isPersonal
+      ? `${input.givenName.trim()} ${input.familyName.trim()}${PERSONAL_ORG_SUFFIX}`
+      : input.companyName!.trim();
+
     const result = await registerCustomer({
-      companyName: input.companyName,
+      companyName: orgName,
       email: input.email,
       givenName: input.givenName,
       familyName: input.familyName,
@@ -88,6 +138,7 @@ export async function POST(request: NextRequest) {
       {
         orgId: result.orgId,
         userId: result.userId,
+        isPersonal,
         message:
           "Registration successful. You will receive an invitation email to set your password.",
       },

src/app/api/tenants/[name]/route.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getSessionUser } from "@/lib/session";
+import { getSessionUser, canMutate } from "@/lib/session";
 import { getTenant, patchTenantSpec } from "@/lib/k8s";
 import { getPackageDef } from "@/lib/packages";
 import { safeError } from "@/lib/errors";
@@ -46,7 +46,7 @@ export async function PATCH(
   if (!user)
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
-  if (!user.isPlatform && !user.roles.includes("owner")) {
+  if (!canMutate(user)) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
 

src/app/api/tenants/[name]/secrets/route.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getSessionUser } from "@/lib/session";
+import { getSessionUser, canMutate } from "@/lib/session";
 import { getTenant } from "@/lib/k8s";
 import { writePackageSecrets } from "@/lib/openbao";
 import { getPackageDef } from "@/lib/packages";
@@ -12,7 +12,7 @@ export async function POST(
   if (!user)
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
-  if (!user.isPlatform && !user.roles.includes("owner")) {
+  if (!canMutate(user)) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
 

src/components/channel-users/channel-users.tsx

@@ -17,12 +17,15 @@ interface ChannelUsersProps {
   enabledChannels: string[];
   /** Current channelUsers from the PiecedTenant spec */
   initialChannelUsers: Record<string, string[]>;
+  /** Slice 5: when false, add inputs and remove ✕ buttons are hidden. */
+  canEdit?: boolean;
 }
 
 export function ChannelUsers({
   tenantName,
   enabledChannels,
   initialChannelUsers,
+  canEdit = true,
 }: ChannelUsersProps) {
   const t = useTranslations("channelUsers");
   const router = useRouter();
@@ -146,44 +149,48 @@ export function ChannelUsers({
                     className="inline-flex items-center gap-1.5 px-2.5 py-1 text-xs font-mono bg-accent/10 text-accent border border-accent/20 rounded-full"
                   >
                     {userId}
-                    <button
+                    {canEdit && (
-                      onClick={() => handleRemove(channel, userId)}
+                      <button
-                      disabled={saving}
+                        onClick={() => handleRemove(channel, userId)}
-                      className="text-accent/60 hover:text-red-400 transition-colors disabled:opacity-50"
+                        disabled={saving}
-                      title={t("remove")}
+                        className="text-accent/60 hover:text-red-400 transition-colors disabled:opacity-50"
-                    >
+                        title={t("remove")}
-                      ✕
+                      >
-                    </button>
+                        ✕
+                      </button>
+                    )}
                   </span>
                 ))}
               </div>
             )}
 
-            {/* Add user */}
+            {/* Add user — hidden in read-only mode */}
-            <div className="flex gap-2">
+            {canEdit && (
-              <input
+              <div className="flex gap-2">
-                type="text"
+                <input
-                value={inputValues[channel] || ""}
+                  type="text"
-                onChange={(e) =>
+                  value={inputValues[channel] || ""}
-                  setInputValues((prev) => ({
+                  onChange={(e) =>
-                    ...prev,
+                    setInputValues((prev) => ({
-                    [channel]: e.target.value,
+                      ...prev,
-                  }))
+                      [channel]: e.target.value,
-                }
+                    }))
-                onKeyDown={(e) => {
+                  }
-                  if (e.key === "Enter") handleAdd(channel);
+                  onKeyDown={(e) => {
-                }}
+                    if (e.key === "Enter") handleAdd(channel);
-                placeholder={t("placeholder")}
+                  }}
-                className="flex-1 px-3 py-2 bg-surface-1 border border-border rounded-lg text-sm text-text-primary font-mono placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+                  placeholder={t("placeholder")}
-              />
+                  className="flex-1 px-3 py-2 bg-surface-1 border border-border rounded-lg text-sm text-text-primary font-mono placeholder:text-text-muted focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
-              <button
+                />
-                onClick={() => handleAdd(channel)}
+                <button
-                disabled={saving || !inputValues[channel]?.trim()}
+                  onClick={() => handleAdd(channel)}
-                className="px-4 py-2 text-sm font-medium bg-accent text-white rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
+                  disabled={saving || !inputValues[channel]?.trim()}
-              >
+                  className="px-4 py-2 text-sm font-medium bg-accent text-white rounded-lg hover:bg-accent-dim transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
-                {saving ? "…" : t("add")}
+                >
-              </button>
+                  {saving ? "…" : t("add")}
-            </div>
+                </button>
+              </div>
+            )}
           </div>
         );
       })}

src/components/onboarding/onboarding-flow.tsx

@@ -1,31 +1,36 @@
 "use client";
 
-import { useState, useEffect } from "react";
+import { useRouter } from "next/navigation";
 import { OnboardingWizard } from "./wizard";
-import { ProvisioningStatus } from "./provisioning-status";
 
 interface OnboardingFlowProps {
   orgName: string;
-  initialState: "no_request" | "pending" | "approved" | "provisioning" | "rejected";
 }
 
 /**
- * Orchestrates the onboarding experience:
+ * Wraps the onboarding wizard. On successful submission, refreshes the
- * - no_request → show wizard
+ * router so the parent server component re-renders with the new pending
- * - pending/approved/provisioning/rejected → show status
+ * request visible in the dashboard list.
- * - After wizard submission → switch to status polling
+ *
+ * Slice 3: this component used to manage the no_request → pending →
+ * provisioning → active state machine, with conditional rendering of
+ * `<ProvisioningStatus>`. That state is now reflected at the dashboard
+ * level (which renders one `<ProvisioningStatus>` per pending request),
+ * so this wrapper does just one thing: show the wizard, then navigate.
  */
-export function OnboardingFlow({ orgName, initialState }: OnboardingFlowProps) {
+export function OnboardingFlow({ orgName }: OnboardingFlowProps) {
-  const [showWizard, setShowWizard] = useState(initialState === "no_request");
+  const router = useRouter();
 
-  if (showWizard) {
+  return (
-    return (
+    <OnboardingWizard
-      <OnboardingWizard
+      orgName={orgName}
-        orgName={orgName}
+      onComplete={() => {
-        onComplete={() => setShowWizard(false)}
+        // Navigate back to /dashboard and re-fetch on the server. The
-      />
+        // parent server component will see the new `pending` row and
-    );
+        // render its `<ProvisioningStatus>` card automatically.
-  }
+        router.push("/dashboard");
-
+        router.refresh();
-  return <ProvisioningStatus />;
+      }}
+    />
+  );
 }

src/components/onboarding/provisioning-status.tsx

@@ -6,64 +6,81 @@ import { Card } from "@/components/ui/card";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { formatDateTime, formatRelative } from "@/lib/format";
 
-interface OnboardingState {
+interface RequestSummary {
-  state: string;
+  id: string;
-  request?: {
+  instanceName?: string | null;
-    id: string;
+  agentName: string;
-    status: string;
+  packages: string[];
-    companyName: string;
+  status: string;
-    agentName: string;
+  adminNotes?: string;
-    adminNotes?: string;
+  tenantName?: string;
-    createdAt?: string;
+  createdAt?: string;
-  };
+  updatedAt?: string;
-  tenant?: {
-    name: string;
-    phase: string;
-    message?: string;
-    conditions?: Array<{
-      type: string;
-      status: string;
-      reason?: string;
-      message?: string;
-      lastTransitionTime?: string;
-    }>;
-  };
 }
 
-export function ProvisioningStatus() {
+interface TenantSummary {
+  name: string;
+  displayName: string;
+  phase: string;
+  conditions: Array<{
+    type: string;
+    status: string;
+    reason?: string;
+    message?: string;
+    lastTransitionTime?: string;
+  }>;
+}
+
+interface SingleRequestState {
+  request: RequestSummary;
+  tenant: TenantSummary | null;
+}
+
+/**
+ * ProvisioningStatus
+ *
+ * Polls /api/onboarding?id=<requestId> every 5s until the request reaches
+ * a terminal state. Slice 3: takes a `requestId` prop so multiple of these
+ * can render on the same dashboard for different in-flight requests.
+ *
+ * The pre-Slice-3 version polled /api/onboarding with no params and
+ * assumed one-request-per-org — that endpoint shape is gone now.
+ */
+export function ProvisioningStatus({ requestId }: { requestId: string }) {
   const t = useTranslations("onboarding");
   const f = useFormatter();
-  const [data, setData] = useState<OnboardingState | null>(null);
+  const [data, setData] = useState<SingleRequestState | null>(null);
   const [error, setError] = useState("");
 
   const poll = useCallback(async () => {
     try {
-      const res = await fetch("/api/onboarding");
+      const res = await fetch(
+        `/api/onboarding?id=${encodeURIComponent(requestId)}`
+      );
       if (!res.ok) throw new Error("Failed to fetch status");
       const json = await res.json();
       setData(json);
     } catch (err: any) {
       setError(err.message);
     }
-  }, []);
+  }, [requestId]);
 
   useEffect(() => {
     poll();
 
-    // Poll every 5 seconds while not in a terminal state
+    const status = data?.request?.status;
-    const interval = setInterval(() => {
+    const phase = data?.tenant?.phase;
-      if (
+    const terminal =
-        data?.state === "provisioned" ||
+      status === "rejected" ||
-        data?.state === "rejected" ||
+      status === "active" ||
-        data?.state === "active"
+      phase === "Ready" ||
-      ) {
+      phase === "Running";
-        return;
-      }
-      poll();
-    }, 5000);
 
+    if (terminal) return;
+
+    const interval = setInterval(poll, 5000);
     return () => clearInterval(interval);
-  }, [poll, data?.state]);
+  }, [poll, data?.request?.status, data?.tenant?.phase]);
 
   if (error) {
     return (
@@ -84,8 +101,14 @@ export function ProvisioningStatus() {
     );
   }
 
+  const status = data.request.status;
+  const label =
+    data.request.instanceName ||
+    data.request.tenantName ||
+    data.request.agentName;
+
   // Pending admin approval
-  if (data.state === "pending") {
+  if (status === "pending") {
     return (
       <Card className="animate-in">
         <div className="text-center py-6">
@@ -107,10 +130,13 @@ export function ProvisioningStatus() {
           <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
             {t("pendingTitle")}
           </h2>
+          {label && (
+            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+          )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("pendingDescription")}
           </p>
-          {data.request?.createdAt && (
+          {data.request.createdAt && (
             <p
               className="text-xs text-text-muted mt-4"
               title={formatDateTime(data.request.createdAt, f)}
@@ -130,7 +156,7 @@ export function ProvisioningStatus() {
   }
 
   // Rejected
-  if (data.state === "rejected") {
+  if (status === "rejected") {
     return (
       <Card className="animate-in">
         <div className="text-center py-6">
@@ -152,10 +178,13 @@ export function ProvisioningStatus() {
           <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
             {t("rejectedTitle")}
           </h2>
+          {label && (
+            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+          )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto">
             {t("rejectedDescription")}
           </p>
-          {data.request?.adminNotes && (
+          {data.request.adminNotes && (
             <p className="text-xs text-text-muted mt-3 bg-surface-2 border border-border rounded-lg p-3 max-w-sm mx-auto">
               {data.request.adminNotes}
             </p>
@@ -165,10 +194,11 @@ export function ProvisioningStatus() {
     );
   }
 
-  // Provisioning in progress
+  // Provisioning in progress (status approved/provisioning, optionally with tenant phase < Ready)
   if (
-    data.state === "approved" ||
+    status === "approved" ||
-    data.state === "provisioning"
+    status === "provisioning" ||
+    (status === "active" && data.tenant && data.tenant.phase !== "Ready")
   ) {
     const phase = data.tenant?.phase ?? "Pending";
     const conditions = data.tenant?.conditions ?? [];
@@ -182,6 +212,9 @@ export function ProvisioningStatus() {
           <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
             {t("provisioningTitle")}
           </h2>
+          {label && (
+            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+          )}
           <p className="text-sm text-text-secondary">
             {t("provisioningDescription")}
           </p>
@@ -216,8 +249,8 @@ export function ProvisioningStatus() {
     );
   }
 
-  // Provisioned / Running
+  // Active / Ready
-  if (data.state === "provisioned") {
+  if (status === "active") {
     return (
       <Card className="animate-in">
         <div className="text-center py-6">
@@ -239,6 +272,9 @@ export function ProvisioningStatus() {
           <h2 className="font-display text-lg font-semibold text-text-primary mb-2">
             {t("readyTitle")}
           </h2>
+          {label && (
+            <p className="text-xs font-mono text-text-secondary mb-2">{label}</p>
+          )}
           <p className="text-sm text-text-secondary max-w-sm mx-auto mb-4">
             {t("readyDescription")}
           </p>

src/components/onboarding/wizard.tsx

@@ -4,6 +4,7 @@ import { useState, useCallback, useEffect, useRef } from "react";
 import { useTranslations } from "next-intl";
 import { Card } from "@/components/ui/card";
 import { PACKAGE_CATALOG, type PackageDef } from "@/lib/packages";
+import { isPersonalOrgName, PERSONAL_ORG_SUFFIX } from "@/lib/personal-org";
 
 type Step = "welcome" | "configure" | "billing" | "confirm";
 
@@ -55,6 +56,16 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
   const tPkg = useTranslations("packages");
   const tCommon = useTranslations("common");
 
+  // Slice 4: personal accounts have an org name of the form
+  // "{givenName} {familyName} (Personal)". For SOUL.md and the billing
+  // company line, strip the suffix so the visible string is the user's
+  // actual name (no stray "(Personal)" leaking onto invoices or into
+  // the assistant's prompt).
+  const isPersonal = isPersonalOrgName(orgName);
+  const displayOrgName = isPersonal
+    ? orgName.slice(0, -PERSONAL_ORG_SUFFIX.length).trim()
+    : orgName;
+
   const [step, setStep] = useState<Step>("welcome");
   const [submitting, setSubmitting] = useState(false);
   const [error, setError] = useState("");
@@ -62,12 +73,16 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
   const [defaultsLoaded, setDefaultsLoaded] = useState(false);
 
   const [config, setConfig] = useState({
+    instanceName: "",
     agentName: "Assistant",
-    soulMd: FALLBACK_SOUL.replace("{company}", orgName),
+    soulMd: FALLBACK_SOUL.replace("{company}", displayOrgName),
     agentsMd: FALLBACK_AGENTS,
     packages: [] as string[],
     billingAddress: {
-      company: orgName,
+      // For personal accounts, leave the company field empty — it'll
+      // appear on invoices. The user can still type something if they
+      // want to.
+      company: isPersonal ? "" : displayOrgName,
       street: "",
       city: "",
       postalCode: "",
@@ -306,6 +321,24 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
           </p>
 
           <div className="space-y-4">
+            <div>
+              <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
+                {t("instanceName")}
+              </label>
+              <input
+                type="text"
+                value={config.instanceName}
+                onChange={(e) =>
+                  setConfig((prev) => ({ ...prev, instanceName: e.target.value }))
+                }
+                placeholder={t("instanceNamePlaceholder")}
+                className="w-full px-3 py-2 bg-surface-2 border border-border rounded-lg text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-accent focus:border-accent transition-colors"
+              />
+              <p className="text-xs text-text-muted mt-1">
+                {t("instanceNameHint")}
+              </p>
+            </div>
+
             <div>
               <label className="block text-xs font-semibold uppercase tracking-wider text-text-muted mb-1.5">
                 {t("agentName")}
@@ -734,6 +767,14 @@ export function OnboardingWizard({ orgName, onComplete }: WizardProps) {
 
           <div className="space-y-4">
             <div className="bg-surface-2 border border-border rounded-lg p-4 space-y-3">
+              {config.instanceName.trim() && (
+                <div className="flex justify-between text-sm">
+                  <span className="text-text-muted">{t("instanceName")}</span>
+                  <span className="text-text-primary font-mono">
+                    {config.instanceName.trim()}
+                  </span>
+                </div>
+              )}
               <div className="flex justify-between text-sm">
                 <span className="text-text-muted">{t("agentName")}</span>
                 <span className="text-text-primary font-mono">

src/components/packages/package-card.tsx

@@ -10,9 +10,18 @@ interface Props {
   status?: "pending" | "active" | "error";
   tenantName: string;
   onToggled: () => void;
+  /** Slice 5: when false, the enable/disable button is hidden. */
+  canEdit?: boolean;
 }
 
-export function PackageCard({ pkg, enabled, status, tenantName, onToggled }: Props) {
+export function PackageCard({
+  pkg,
+  enabled,
+  status,
+  tenantName,
+  onToggled,
+  canEdit = true,
+}: Props) {
   const t = useTranslations();
   const [showModal, setShowModal] = useState(false);
   const [secrets, setSecrets] = useState<Record<string, string>>({});
@@ -113,17 +122,27 @@ export function PackageCard({ pkg, enabled, status, tenantName, onToggled }: Pro
           {pkg.requiresSecrets && (
             <span className="text-[10px] text-text-muted">{t("packages.requiresApiKey")}</span>
           )}
-          <button
+          {canEdit ? (
-            onClick={enabled ? () => togglePackage(false) : handleEnable}
+            <button
-            disabled={saving}
+              onClick={enabled ? () => togglePackage(false) : handleEnable}
-            className={`ml-auto rounded-lg px-3 py-1.5 text-xs font-medium transition-all cursor-pointer ${
+              disabled={saving}
-              enabled
+              className={`ml-auto rounded-lg px-3 py-1.5 text-xs font-medium transition-all cursor-pointer ${
-                ? "bg-surface-3 text-text-secondary hover:text-text-primary hover:bg-surface-2"
+                enabled
-                : "bg-accent text-surface-0 hover:bg-accent-dim shadow-lg shadow-accent/20"
+                  ? "bg-surface-3 text-text-secondary hover:text-text-primary hover:bg-surface-2"
-            } disabled:opacity-50`}
+                  : "bg-accent text-surface-0 hover:bg-accent-dim shadow-lg shadow-accent/20"
-          >
+              } disabled:opacity-50`}
-            {saving ? "…" : enabled ? t("packages.disable") : t("packages.enable")}
+            >
-          </button>
+              {saving ? "…" : enabled ? t("packages.disable") : t("packages.enable")}
+            </button>
+          ) : (
+            // Slice 5: read-only viewers see a static badge instead of a
+            // toggle. The status badge above the divider already conveys
+            // "active/pending/error"; this just clarifies "you can't change
+            // it" without duplicating the status colour.
+            <span className="ml-auto text-[10px] text-text-muted italic">
+              {enabled ? t("packages.statusEnabled") : t("packages.statusDisabled")}
+            </span>
+          )}
         </div>
       </div>
 

src/components/packages/package-list.tsx

@@ -10,6 +10,8 @@ interface Props {
   enabledPackages: string[];
   conditions?: Array<{ type: string; status: string; reason?: string }>;
   onRefresh?: () => void;
+  /** Slice 5: when false, package toggles and edit affordances are hidden. */
+  canEdit?: boolean;
 }
 
 const CATEGORIES = [
@@ -30,7 +32,13 @@ function getPackageStatus(
   return "error";
 }
 
-export function PackageList({ tenantName, enabledPackages, conditions, onRefresh }: Props) {
+export function PackageList({
+  tenantName,
+  enabledPackages,
+  conditions,
+  onRefresh,
+  canEdit = true,
+}: Props) {
   const t = useTranslations("packages");
   const router = useRouter();
   const handleRefresh = onRefresh || (() => router.refresh());
@@ -55,6 +63,7 @@ export function PackageList({ tenantName, enabledPackages, conditions, onRefresh
                   status={getPackageStatus(pkg.id, enabledPackages.includes(pkg.id), conditions)}
                   tenantName={tenantName}
                   onToggled={handleRefresh}
+                  canEdit={canEdit}
                 />
               ))}
             </div>

src/components/packages/workspace-editor.tsx

@@ -8,9 +8,11 @@ const FILE_TABS = ["SOUL.md", "AGENTS.md", "TOOLS.md"] as const;
 interface Props {
   tenantName: string;
   files: Record<string, string>;
+  /** Slice 5: when false, save button hidden and textarea is read-only. */
+  canEdit?: boolean;
 }
 
-export function WorkspaceEditor({ tenantName, files }: Props) {
+export function WorkspaceEditor({ tenantName, files, canEdit = true }: Props) {
   const t = useTranslations("workspace");
   const [activeTab, setActiveTab] = useState<string>("SOUL.md");
   const [localFiles, setLocalFiles] = useState<Record<string, string>>(files);
@@ -19,6 +21,7 @@ export function WorkspaceEditor({ tenantName, files }: Props) {
   const [error, setError] = useState<string | null>(null);
 
   function handleChange(content: string) {
+    if (!canEdit) return;
     setLocalFiles((prev) => ({ ...prev, [activeTab]: content }));
     setDirty(true);
   }
@@ -62,20 +65,25 @@ export function WorkspaceEditor({ tenantName, files }: Props) {
             </button>
           ))}
         </div>
-        <button
+        {canEdit && (
-          onClick={handleSave}
+          <button
-          disabled={!dirty || saving}
+            onClick={handleSave}
-          className="rounded-lg bg-accent px-3 py-1 text-xs font-medium text-surface-0 hover:bg-accent-dim disabled:opacity-40 cursor-pointer"
+            disabled={!dirty || saving}
-        >
+            className="rounded-lg bg-accent px-3 py-1 text-xs font-medium text-surface-0 hover:bg-accent-dim disabled:opacity-40 cursor-pointer"
-          {saving ? "…" : t("save")}
+          >
-        </button>
+            {saving ? "…" : t("save")}
+          </button>
+        )}
       </div>
 
       <textarea
         value={localFiles[activeTab] || ""}
         onChange={(e) => handleChange(e.target.value)}
+        readOnly={!canEdit}
         spellCheck={false}
-        className="w-full min-h-[300px] resize-y bg-transparent p-4 font-mono text-sm text-text-secondary placeholder:text-text-muted focus:outline-none"
+        className={`w-full min-h-[300px] resize-y bg-transparent p-4 font-mono text-sm text-text-secondary placeholder:text-text-muted focus:outline-none ${
+          !canEdit ? "cursor-default" : ""
+        }`}
         placeholder={t("placeholder", { file: activeTab })}
       />
 

src/lib/auth.ts

@@ -1,14 +1,25 @@
 import NextAuth from "next-auth";
 import type { NextAuthConfig } from "next-auth";
-import type { PlatformRole, SessionUser, ZitadelClaims } from "@/types";
+import type { PlatformRole, Role, SessionUser, ZitadelClaims } from "@/types";
 
 const PLATFORM_ROLES: PlatformRole[] = ["platform_admin", "platform_operator"];
 
+/**
+ * Pull the role keys from the ZITADEL `urn:zitadel:iam:org:project:roles`
+ * claim. The claim is shaped as { roleKey: { orgId: orgName } } — we only
+ * need the keys.
+ *
+ * Slice 5: returns Role[] (the union) rather than PlatformRole[]. The
+ * keys can be either platform or customer roles depending on what the
+ * project authorization granted; the SessionUser carries them all and
+ * downstream helpers (canMutate, isCustomerOwner, requirePlatformRole)
+ * decide what each subset means.
+ */
 function extractRoles(
   rolesObj?: Record<string, Record<string, string>>
-): PlatformRole[] {
+): Role[] {
   if (!rolesObj) return [];
-  return Object.keys(rolesObj) as PlatformRole[];
+  return Object.keys(rolesObj) as Role[];
 }
 
 export const authConfig: NextAuthConfig = {
@@ -50,7 +61,7 @@ export const authConfig: NextAuthConfig = {
       return token;
     },
     async session({ session, token }) {
-      const roles = (token.roles as PlatformRole[]) ?? [];
+      const roles = (token.roles as Role[]) ?? [];
       const sessionUser: SessionUser = {
         id: token.sub!,
         name: session.user?.name ?? "",
@@ -58,7 +69,9 @@ export const authConfig: NextAuthConfig = {
         orgId: token.orgId as string,
         orgName: token.orgName as string,
         roles,
-        isPlatform: roles.some((r) => PLATFORM_ROLES.includes(r)),
+        isPlatform: roles.some((r) =>
+          PLATFORM_ROLES.includes(r as PlatformRole)
+        ),
       };
       (session as any).platformUser = sessionUser;
       return session;

src/lib/db.ts

@@ -22,12 +22,27 @@ function getPool(): Pool {
 // Schema migration (auto-run on first query)
 // ---------------------------------------------------------------------------
 
+// Notes on the Slice 3 changes
+// ----------------------------
+// 1. Removed `UNIQUE` from `zitadel_org_id` in the CREATE TABLE for fresh
+//    installs, AND emit a defensive `DROP CONSTRAINT IF EXISTS` for
+//    existing installs whose schema was created pre-Slice-3. The
+//    constraint was Postgres-autonamed; the name is deterministic.
+// 2. Added `instance_name TEXT` — the customer's human label per
+//    instance (e.g. "Production", "Dev"). NULL is fine and means "use
+//    the company name for display".
+// 3. Added a unique index on `tenant_name WHERE NOT NULL`. Multiple
+//    rows in the table can have NULL tenant_name (pending/rejected
+//    requests), but every approved row points to a distinct K8s CR.
+// 4. Added `(zitadel_org_id, status)` index for the list-by-org queries
+//    introduced this slice.
 const MIGRATION_SQL = `
   CREATE TABLE IF NOT EXISTS tenant_requests (
     id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    zitadel_org_id    TEXT NOT NULL UNIQUE,
+    zitadel_org_id    TEXT NOT NULL,
     zitadel_user_id   TEXT NOT NULL,
     company_name      TEXT NOT NULL,
+    instance_name     TEXT,
     contact_name      TEXT NOT NULL,
     contact_email     TEXT NOT NULL,
     agent_name        TEXT NOT NULL DEFAULT 'Assistant',
@@ -40,16 +55,26 @@ const MIGRATION_SQL = `
     admin_notes       TEXT,
     tenant_name       TEXT,
     encrypted_secrets BYTEA,
+    is_personal       BOOLEAN NOT NULL DEFAULT FALSE,
     created_at        TIMESTAMPTZ NOT NULL DEFAULT now(),
     updated_at        TIMESTAMPTZ NOT NULL DEFAULT now()
   );
 
   CREATE INDEX IF NOT EXISTS idx_tenant_requests_status ON tenant_requests(status);
   CREATE INDEX IF NOT EXISTS idx_tenant_requests_org_id ON tenant_requests(zitadel_org_id);
+  CREATE INDEX IF NOT EXISTS idx_tenant_requests_org_status ON tenant_requests(zitadel_org_id, status);
+  CREATE UNIQUE INDEX IF NOT EXISTS uniq_tenant_requests_tenant_name
+    ON tenant_requests(tenant_name)
+    WHERE tenant_name IS NOT NULL;
 
   -- Idempotent column adds for existing databases
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS encrypted_secrets BYTEA;
   ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS agents_md TEXT;
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS instance_name TEXT;
+  ALTER TABLE tenant_requests ADD COLUMN IF NOT EXISTS is_personal BOOLEAN NOT NULL DEFAULT FALSE;
+
+  -- Slice 3: drop the legacy 1-org-1-request constraint if it exists
+  ALTER TABLE tenant_requests DROP CONSTRAINT IF EXISTS tenant_requests_zitadel_org_id_key;
 
   -- Workspace templates: admin-editable default content for workspace files
   CREATE TABLE IF NOT EXISTS workspace_templates (
@@ -131,15 +156,17 @@ export async function createTenantRequest(
   await ensureSchema();
   const result = await getPool().query<TenantRequest>(
     `INSERT INTO tenant_requests
-       (zitadel_org_id, zitadel_user_id, company_name, contact_name,
+       (zitadel_org_id, zitadel_user_id, company_name, instance_name,
-        contact_email, agent_name, soul_md, agents_md, packages, billing_address,
+        contact_name, contact_email, agent_name, soul_md, agents_md,
-        billing_notes, encrypted_secrets)
+        packages, billing_address, billing_notes, encrypted_secrets,
-     VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
+        is_personal)
+     VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)
      RETURNING *`,
     [
       params.zitadelOrgId,
       params.zitadelUserId,
       params.companyName,
+      params.instanceName ?? null,
       params.contactName,
       params.contactEmail,
       params.agentName,
@@ -149,6 +176,7 @@ export async function createTenantRequest(
       JSON.stringify(params.billingAddress),
       params.billingNotes,
       params.encryptedSecrets ?? null,
+      params.isPersonal ?? false,
     ]
   );
   return mapRow(result.rows[0]);
@@ -165,12 +193,67 @@ export async function getTenantRequestById(
   return result.rows[0] ? mapRow(result.rows[0]) : null;
 }
 
-export async function getTenantRequestByOrgId(
+/**
+ * Slice 3: returns ALL requests for an org, most recent first.
+ *
+ * Replaces the pre-Slice-3 `getTenantRequestByOrgId` which returned the
+ * single most recent row. Callers that previously assumed one-row-per-org
+ * must now iterate or pick by status. The intent is explicit at every
+ * call site, which is the point of the rename.
+ *
+ * Includes rows in every status (pending, approved, provisioning, active,
+ * rejected, deleted). For "active or in-flight only" filtering, see
+ * {@link listActiveTenantRequestsByOrgId}.
+ */
+export async function listTenantRequestsByOrgId(
+  orgId: string
+): Promise<TenantRequest[]> {
+  await ensureSchema();
+  const result = await getPool().query<TenantRequest>(
+    "SELECT * FROM tenant_requests WHERE zitadel_org_id = $1 ORDER BY created_at DESC",
+    [orgId]
+  );
+  return result.rows.map(mapRow);
+}
+
+/**
+ * As {@link listTenantRequestsByOrgId} but excludes terminal-failed states
+ * (rejected, deleted). Useful for the dashboard which wants to show
+ * pending/approved/provisioning/active tenants and pending requests, not
+ * historical rejections.
+ */
+export async function listActiveTenantRequestsByOrgId(
+  orgId: string
+): Promise<TenantRequest[]> {
+  await ensureSchema();
+  const result = await getPool().query<TenantRequest>(
+    `SELECT * FROM tenant_requests
+       WHERE zitadel_org_id = $1
+         AND status NOT IN ('deleted', 'rejected')
+       ORDER BY created_at DESC`,
+    [orgId]
+  );
+  return result.rows.map(mapRow);
+}
+
+/**
+ * Returns the most recent approved-or-active request for an org. Used to
+ * seed billing/contact defaults when a customer creates an additional
+ * instance — saves them re-typing data already on file.
+ *
+ * Returns null if the org has never had an approved instance (e.g. first
+ * registration is still pending).
+ */
+export async function getMostRecentApprovedRequestForOrg(
   orgId: string
 ): Promise<TenantRequest | null> {
   await ensureSchema();
   const result = await getPool().query<TenantRequest>(
-    "SELECT * FROM tenant_requests WHERE zitadel_org_id = $1 ORDER BY created_at DESC LIMIT 1",
+    `SELECT * FROM tenant_requests
+       WHERE zitadel_org_id = $1
+         AND status IN ('approved', 'provisioning', 'active')
+       ORDER BY created_at DESC
+       LIMIT 1`,
     [orgId]
   );
   return result.rows[0] ? mapRow(result.rows[0]) : null;
@@ -250,8 +333,10 @@ export async function checkDuplicateDomain(email: string) {
 }
 
 /**
- * Mark a tenant request as "deleted" when the associated tenant CR is deleted.
+ * Mark a single tenant request as "deleted" when the associated tenant CR
- * This allows the customer to re-submit the onboarding wizard.
+ * is deleted. With multi-tenant per org this affects exactly one row,
+ * since tenant_name is unique by index. The customer's other instances
+ * are untouched.
  */
 export async function markTenantRequestDeletedByTenantName(
   tenantName: string
@@ -275,6 +360,10 @@ export async function deleteTenantRequest(id: string): Promise<void> {
 /**
  * Sync provisioning statuses: for all requests with status "provisioning",
  * check if the PiecedTenant CR has reached "Ready" and update to "active".
+ *
+ * Slice 3 note: with multi-tenant per org, this iterates each row
+ * individually (keyed by its own tenant_name), so multiple in-flight
+ * tenants in the same org are handled correctly.
  */
 export async function syncProvisioningStatuses(): Promise<void> {
   await ensureSchema();
@@ -310,6 +399,7 @@ function mapRow(row: any): TenantRequest {
     zitadelOrgId: row.zitadel_org_id,
     zitadelUserId: row.zitadel_user_id,
     companyName: row.company_name,
+    instanceName: row.instance_name ?? null,
     contactName: row.contact_name,
     contactEmail: row.contact_email,
     agentName: row.agent_name,
@@ -322,6 +412,7 @@ function mapRow(row: any): TenantRequest {
     adminNotes: row.admin_notes,
     tenantName: row.tenant_name,
     encryptedSecrets: row.encrypted_secrets ?? null,
+    isPersonal: row.is_personal ?? false,
     createdAt: row.created_at?.toISOString?.() ?? row.created_at,
     updatedAt: row.updated_at?.toISOString?.() ?? row.updated_at,
   };

src/lib/domain-check.ts

@@ -140,6 +140,12 @@ export function isPublicEmailDomain(domain: string): boolean {
  * Look up active tenant_requests whose contact_email shares the given domain.
  * Active = status NOT IN ('rejected', 'deleted').
  *
+ * Slice 4: personal-account rows (is_personal = TRUE) are excluded. A
+ * person's personal account doesn't claim the domain on behalf of a
+ * company — alice@acme.ch registering as a personal account must not
+ * block the actual Acme GmbH from registering later. The personal flag
+ * lives on the row itself, set by /api/register at creation time.
+ *
  * Uses LOWER() on both sides to handle any historical case inconsistency in
  * stored emails. The pattern '%@<domain>' is anchored so 'acme.ch' does not
  * match 'notacme.ch' or 'acme.ch.evil.com'.
@@ -151,7 +157,8 @@ async function findDuplicateInDb(
   const result = await pool.query<{ count: string }>(
     `SELECT COUNT(*) AS count FROM tenant_requests
      WHERE LOWER(contact_email) LIKE $1
-       AND status NOT IN ('rejected', 'deleted')`,
+       AND status NOT IN ('rejected', 'deleted')
+       AND is_personal = FALSE`,
     [`%@${domain.toLowerCase()}`]
   );
   return Number(result.rows[0]?.count ?? 0) > 0;

src/lib/personal-org.ts

@@ -0,0 +1,40 @@
+/**
+ * Personal-account helpers.
+ *
+ * Slice 4 establishes the convention that ZITADEL org names for personal
+ * accounts end with the literal " (Personal)" suffix. This file
+ * centralises the suffix and the predicate so both registration (which
+ * sets the suffix) and onboarding (which reads it from the session) use
+ * the same canonical form.
+ *
+ * Why a name suffix and not ZITADEL org metadata?
+ * -----------------------------------------------
+ * 1. The suffix is visible in ZITADEL Console, admin tools, JWT claims,
+ *    etc. — useful debugging signal at zero cost.
+ * 2. Customers cannot rename their own org (requires IAM_OWNER, which
+ *    only the SA holds), so the suffix is stable for the lifetime of
+ *    the org.
+ * 3. No extra ZITADEL API calls at onboarding time to fetch metadata.
+ * 4. No extra portal DB tables.
+ *
+ * The trade-off: an admin who manually renames a personal org via
+ * ZITADEL Console could remove the suffix, after which onboarding
+ * would treat that org as a company. That's a deliberate destructive
+ * action and the worst outcome is a misnamed K8s CR; nothing breaks.
+ */
+
+export const PERSONAL_ORG_SUFFIX = " (Personal)";
+
+/**
+ * Returns true when the given ZITADEL org name marks a personal account.
+ *
+ * The check is exact-suffix match (after trimming). Whitespace inside
+ * the suffix is significant — `" (personal)"` lowercase or `"(Personal)"`
+ * without the leading space are not matches and not personal orgs.
+ *
+ * Pass `session.orgName` from the SessionUser at the call site.
+ */
+export function isPersonalOrgName(orgName: string | null | undefined): boolean {
+  if (!orgName) return false;
+  return orgName.trimEnd().endsWith(PERSONAL_ORG_SUFFIX);
+}

src/lib/session.ts

@@ -1,19 +1,87 @@
 import { auth } from "@/lib/auth";
 import type { SessionUser } from "@/types";
 
+/**
+ * Read-only session lookup. Returns the SessionUser stashed on the
+ * NextAuth session by `auth.ts::callbacks.session`, or null if there
+ * is no authenticated session.
+ */
 export async function getSessionUser(): Promise<SessionUser | null> {
   const session = await auth();
   return (session as any)?.platformUser ?? null;
 }
 
+/**
+ * Throws if there is no authenticated session. Otherwise returns the
+ * SessionUser. Use at the top of any handler that requires a logged-in
+ * user regardless of role.
+ */
 export async function requireSession(): Promise<SessionUser> {
   const user = await getSessionUser();
   if (!user) throw new Error("Unauthorized");
   return user;
 }
 
+/**
+ * Throws unless the caller has a platform-level role
+ * (platform_admin or platform_operator). Use to gate /api/admin/*
+ * routes — these handle ANY customer's org and must not be accessible
+ * to customer-role users.
+ */
 export async function requirePlatformRole(): Promise<SessionUser> {
   const user = await requireSession();
   if (!user.isPlatform) throw new Error("Forbidden: platform role required");
   return user;
 }
+
+// ---------------------------------------------------------------------------
+// Slice 5: role predicates and gates
+// ---------------------------------------------------------------------------
+//
+// Naming convention: `is*` are pure predicates over a SessionUser,
+// safe to call inline in JSX/server components. `require*` throw on
+// failure and are meant for the top of route handlers.
+
+/**
+ * True when the user is a platform admin/operator OR holds the
+ * `owner` customer role on their org.
+ *
+ * This is the single check for "can mutate". Platform users always
+ * win because they administer all orgs cross-cut. Customer-side, only
+ * `owner` may mutate; `user` (and any future read-only customer role)
+ * cannot.
+ */
+export function canMutate(user: SessionUser): boolean {
+  return user.isPlatform || user.roles.includes("owner");
+}
+
+/**
+ * True when the user holds the customer `owner` role on their org.
+ * Excludes platform users — use {@link canMutate} when both should
+ * be allowed.
+ *
+ * Useful for permissions that are specifically about "this customer's
+ * own owner", e.g. "owner can invite users into their own org" — a
+ * platform user shouldn't be casually inviting users into a customer
+ * org, that's an admin-console action and goes through different
+ * tooling.
+ */
+export function isCustomerOwner(user: SessionUser): boolean {
+  return !user.isPlatform && user.roles.includes("owner");
+}
+
+/**
+ * Throws unless `canMutate(user) === true`. Use at the top of any
+ * mutating customer-side handler.
+ *
+ * The thrown error message is intentionally generic — handlers
+ * should catch and translate to a 403 JSON response so the client
+ * doesn't see a stack trace.
+ */
+export async function requireOwnerRole(): Promise<SessionUser> {
+  const user = await requireSession();
+  if (!canMutate(user)) {
+    throw new Error("Forbidden: owner role required");
+  }
+  return user;
+}

src/messages/de.json

@@ -35,7 +35,9 @@
     "successTitle": "Registrierung eingegangen",
     "successDescription": "Sie erhalten eine Einladungs-E-Mail mit einem Link, um Ihr Passwort festzulegen und Ihre E-Mail-Adresse zu bestätigen. Danach können Sie sich anmelden und Ihren KI-Assistenten einrichten.",
     "goToLogin": "Zur Anmeldung",
-    "duplicateDomain": "Für die E-Mail-Domain {domain} ist bereits ein Konto registriert. Bitte wenden Sie sich an Ihren Firmenadministrator, um eingeladen zu werden, oder kontaktieren Sie den PieCed-IT-Support, falls dies ein Fehler ist."
+    "duplicateDomain": "Für die E-Mail-Domain {domain} ist bereits ein Konto registriert. Bitte wenden Sie sich an Ihren Firmenadministrator, um eingeladen zu werden, oder kontaktieren Sie den PieCed-IT-Support, falls dies ein Fehler ist.",
+    "individualToggle": "Als Privatperson registrieren",
+    "individualHint": "Aktivieren Sie diese Option, wenn Sie sich nicht im Namen eines Unternehmens registrieren. Ihr Konto wird als persönlicher Arbeitsbereich eingerichtet."
   },
   "onboarding": {
     "loading": "Status wird geladen…",
@@ -83,7 +85,10 @@
     "readyTitle": "Ihr Assistent ist bereit!",
     "readyDescription": "Ihr KI-Assistent wurde bereitgestellt und ist aktiv. Sie können ihn nun über das Dashboard verwalten.",
     "goToDashboard": "Zum Dashboard",
-    "submittedAt": "Eingereicht"
+    "submittedAt": "Eingereicht",
+    "instanceName": "Instanzname",
+    "instanceNamePlaceholder": "z.B. Produktion, Dev, Vertrieb",
+    "instanceNameHint": "Optionaler lesbarer Name, um diese Instanz von anderen in Ihrem Dashboard zu unterscheiden. Leer lassen, um den Firmennamen zu verwenden."
   },
   "dashboard": {
     "title": "Dashboard",
@@ -94,7 +99,12 @@
     "noInstance": "Noch keine Instanz bereitgestellt.",
     "comingSoon": "Detailansicht folgt in Session 6.2",
     "noInstanceDescription": "Richten Sie Ihre KI-Assistenten-Instanz ein, um mit PieCed IT zu starten.",
-    "manage": "Instanz & Pakete verwalten"
+    "manage": "Instanz & Pakete verwalten",
+    "instances": "Ihre Instanzen",
+    "inflightRequests": "Laufende Anfragen",
+    "createInstance": "Neue Instanz erstellen",
+    "createInstanceDescription": "Eine weitere KI-Assistent-Instanz für Ihre Organisation bereitstellen. Die Anfrage wird von einem Administrator geprüft, bevor die Instanz erstellt wird.",
+    "noAccessNoInstances": "Ihre Organisation hat noch keine Instanzen. Bitte bitten Sie den Eigentümer der Organisation, eine einzurichten."
   },
   "tenantDetail": {
     "agent": "Agent",
@@ -170,7 +180,9 @@
     },
     "documentProcessing": {
       "description": "Aktivieren Sie Dokumentenverarbeitung, Zusammenfassung und Extraktion."
-    }
+    },
+    "statusEnabled": "aktiviert",
+    "statusDisabled": "deaktiviert"
   },
   "admin": {
     "title": "Plattform-Admin",

src/messages/en.json

@@ -35,7 +35,9 @@
     "successTitle": "Registration received",
     "successDescription": "You will receive an invitation email with a link to set your password and verify your email address. Once completed, you can sign in to set up your AI assistant.",
     "goToLogin": "Go to Sign In",
-    "duplicateDomain": "An account for the email domain {domain} is already registered. Please contact your company administrator to be invited, or reach out to PieCed IT support if you believe this is in error."
+    "duplicateDomain": "An account for the email domain {domain} is already registered. Please contact your company administrator to be invited, or reach out to PieCed IT support if you believe this is in error.",
+    "individualToggle": "Register as an individual",
+    "individualHint": "Tick this if you're not registering on behalf of a company. Your account will be set up as a personal workspace."
   },
   "onboarding": {
     "loading": "Loading status…",
@@ -83,7 +85,10 @@
     "readyTitle": "Your assistant is ready!",
     "readyDescription": "Your AI assistant has been provisioned and is running. You can now manage it from the dashboard.",
     "goToDashboard": "Go to Dashboard",
-    "submittedAt": "Submitted"
+    "submittedAt": "Submitted",
+    "instanceName": "Instance name",
+    "instanceNamePlaceholder": "e.g. Production, Dev, Sales",
+    "instanceNameHint": "Optional human-readable name to distinguish this instance from others on your dashboard. Leave blank to use your company name."
   },
   "dashboard": {
     "title": "Dashboard",
@@ -94,7 +99,12 @@
     "noInstance": "No instance provisioned yet.",
     "comingSoon": "Detailed view coming in Session 6.2",
     "noInstanceDescription": "Set up your AI assistant instance to get started with PieCed IT.",
-    "manage": "Manage instance & packages"
+    "manage": "Manage instance & packages",
+    "instances": "Your instances",
+    "inflightRequests": "In-flight requests",
+    "createInstance": "Create new instance",
+    "createInstanceDescription": "Provision an additional AI assistant instance for your organization. The request will be reviewed by an administrator before the instance is created.",
+    "noAccessNoInstances": "Your organization doesn't have any instances yet. Please ask the organization owner to set one up."
   },
   "tenantDetail": {
     "agent": "Agent",
@@ -170,7 +180,9 @@
     },
     "documentProcessing": {
       "description": "Enable document parsing, summarization, and extraction."
-    }
+    },
+    "statusEnabled": "enabled",
+    "statusDisabled": "disabled"
   },
   "admin": {
     "title": "Platform Admin",

src/messages/fr.json

@@ -35,7 +35,9 @@
     "successTitle": "Inscription reçue",
     "successDescription": "Vous recevrez un e-mail d'invitation avec un lien pour définir votre mot de passe et vérifier votre adresse e-mail. Ensuite, vous pourrez vous connecter et configurer votre assistant IA.",
     "goToLogin": "Aller à la connexion",
-    "duplicateDomain": "Un compte pour le domaine de courriel {domain} est déjà enregistré. Veuillez contacter l'administrateur de votre entreprise pour être invité, ou contactez le support PieCed IT si vous pensez qu'il s'agit d'une erreur."
+    "duplicateDomain": "Un compte pour le domaine de courriel {domain} est déjà enregistré. Veuillez contacter l'administrateur de votre entreprise pour être invité, ou contactez le support PieCed IT si vous pensez qu'il s'agit d'une erreur.",
+    "individualToggle": "S'inscrire en tant que particulier",
+    "individualHint": "Cochez cette case si vous ne vous inscrivez pas au nom d'une entreprise. Votre compte sera configuré comme espace de travail personnel."
   },
   "onboarding": {
     "loading": "Chargement du statut…",
@@ -83,7 +85,10 @@
     "readyTitle": "Votre assistant est prêt !",
     "readyDescription": "Votre assistant IA a été mis en service et est actif. Vous pouvez maintenant le gérer depuis le tableau de bord.",
     "goToDashboard": "Aller au tableau de bord",
-    "submittedAt": "Soumis"
+    "submittedAt": "Soumis",
+    "instanceName": "Nom de l'instance",
+    "instanceNamePlaceholder": "ex. Production, Dev, Ventes",
+    "instanceNameHint": "Nom lisible facultatif pour distinguer cette instance des autres sur votre tableau de bord. Laisser vide pour utiliser le nom de votre entreprise."
   },
   "dashboard": {
     "title": "Tableau de bord",
@@ -94,7 +99,12 @@
     "noInstance": "Aucune instance provisionnée.",
     "comingSoon": "Vue détaillée à venir dans la Session 6.2",
     "noInstanceDescription": "Configurez votre instance d'assistant IA pour commencer avec PieCed IT.",
-    "manage": "Gérer l'instance et les paquets"
+    "manage": "Gérer l'instance et les paquets",
+    "instances": "Vos instances",
+    "inflightRequests": "Demandes en cours",
+    "createInstance": "Créer une nouvelle instance",
+    "createInstanceDescription": "Provisionner une instance supplémentaire d'assistant IA pour votre organisation. La demande sera examinée par un administrateur avant la création de l'instance.",
+    "noAccessNoInstances": "Votre organisation n'a pas encore d'instances. Demandez au propriétaire de l'organisation d'en configurer une."
   },
   "tenantDetail": {
     "agent": "Agent",
@@ -170,7 +180,9 @@
     },
     "documentProcessing": {
       "description": "Activez l'analyse, le résumé et l'extraction de documents."
-    }
+    },
+    "statusEnabled": "activé",
+    "statusDisabled": "désactivé"
   },
   "admin": {
     "title": "Admin plateforme",

src/messages/it.json

@@ -35,7 +35,9 @@
     "successTitle": "Registrazione ricevuta",
     "successDescription": "Riceverai un'e-mail di invito con un link per impostare la password e verificare il tuo indirizzo e-mail. Dopodiché potrai accedere e configurare il tuo assistente IA.",
     "goToLogin": "Vai all'accesso",
-    "duplicateDomain": "Un account per il dominio e-mail {domain} è già registrato. Contatta l'amministratore della tua azienda per essere invitato, oppure contatta il supporto PieCed IT se ritieni che si tratti di un errore."
+    "duplicateDomain": "Un account per il dominio e-mail {domain} è già registrato. Contatta l'amministratore della tua azienda per essere invitato, oppure contatta il supporto PieCed IT se ritieni che si tratti di un errore.",
+    "individualToggle": "Registrati come privato",
+    "individualHint": "Seleziona questa opzione se non ti stai registrando per conto di un'azienda. Il tuo account sarà configurato come area di lavoro personale."
   },
   "onboarding": {
     "loading": "Caricamento stato…",
@@ -83,7 +85,10 @@
     "readyTitle": "Il tuo assistente è pronto!",
     "readyDescription": "Il tuo assistente IA è stato attivato ed è operativo. Ora puoi gestirlo dalla dashboard.",
     "goToDashboard": "Vai alla dashboard",
-    "submittedAt": "Inviato"
+    "submittedAt": "Inviato",
+    "instanceName": "Nome istanza",
+    "instanceNamePlaceholder": "es. Produzione, Dev, Vendite",
+    "instanceNameHint": "Nome leggibile facoltativo per distinguere questa istanza dalle altre nella dashboard. Lasciare vuoto per usare il nome dell'azienda."
   },
   "dashboard": {
     "title": "Dashboard",
@@ -94,7 +99,12 @@
     "noInstance": "Nessuna istanza attivata.",
     "comingSoon": "Vista dettagliata in arrivo nella Sessione 6.2",
     "noInstanceDescription": "Configura la tua istanza di assistente IA per iniziare con PieCed IT.",
-    "manage": "Gestisci istanza e pacchetti"
+    "manage": "Gestisci istanza e pacchetti",
+    "instances": "Le tue istanze",
+    "inflightRequests": "Richieste in corso",
+    "createInstance": "Crea nuova istanza",
+    "createInstanceDescription": "Effettua il provisioning di un'ulteriore istanza dell'assistente IA per la tua organizzazione. La richiesta sarà esaminata da un amministratore prima della creazione dell'istanza.",
+    "noAccessNoInstances": "La tua organizzazione non ha ancora istanze. Chiedi al proprietario dell'organizzazione di configurarne una."
   },
   "tenantDetail": {
     "agent": "Agente",
@@ -170,7 +180,9 @@
     },
     "documentProcessing": {
       "description": "Attiva l'analisi, il riassunto e l'estrazione di documenti."
-    }
+    },
+    "statusEnabled": "abilitato",
+    "statusDisabled": "disabilitato"
   },
   "admin": {
     "title": "Admin piattaforma",

src/types/index.ts

@@ -5,12 +5,39 @@ export interface ZitadelClaims {
   "urn:zitadel:iam:org:project:roles"?: Record<string, Record<string, string>>;
 }
 
-export type PlatformRole =
+/**
-  | "platform_admin"
+ * Platform-level roles, granted to PieCed staff only. Hold the IAM-level
-  | "platform_operator"
+ * authority to administer the entire installation regardless of which
-  | "owner"
+ * customer org a request lands on.
-  | "user"
+ */
-  | "viewer";
+export type PlatformRole = "platform_admin" | "platform_operator";
+
+/**
+ * Customer-level roles, granted by ZITADEL project authorizations on
+ * each customer org's "OpenClaw Platform" project grant.
+ *
+ * Slice 5 dropped the previously-defined `viewer` role. With the portal
+ * acting purely as a control plane (the assistant itself runs at
+ * separate URLs with their own auth), `user` and `viewer` collapsed
+ * to the same surface — read-only access to instance state and usage.
+ *
+ * - `owner` can mutate (packages, workspace files, channel users,
+ *   instance creation, member invites in Slice 7).
+ * - `user` is read-only in the portal. From Slice 6 onwards `user`
+ *   visibility is also narrowed to assigned tenants only.
+ */
+export type CustomerRole = "owner" | "user";
+
+/** Union of all roles a JWT can carry. */
+export type Role = PlatformRole | CustomerRole;
+
+/**
+ * @deprecated Use {@link Role} for the union, or {@link PlatformRole}
+ *             / {@link CustomerRole} when you mean a specific subset.
+ *             Kept as a re-export only so existing imports don't
+ *             explode in mid-migration commits.
+ */
+export type LegacyPlatformRole = Role;
 
 export interface SessionUser {
   id: string;
@@ -18,7 +45,7 @@ export interface SessionUser {
   email: string;
   orgId: string;
   orgName: string;
-  roles: PlatformRole[];
+  roles: Role[];
   isPlatform: boolean;
 }
 
@@ -83,11 +110,23 @@ export interface UsageSummary {
 
 // Registration
 export interface RegistrationInput {
-  companyName: string;
+  /**
+   * Required for company registrations. Ignored when `isPersonal` is true —
+   * the server then derives the ZITADEL org name from the user's full name
+   * with a "(Personal)" suffix.
+   */
+  companyName?: string;
   givenName: string;
   familyName: string;
   email: string;
   preferredLanguage?: string;
+  /**
+   * Slice 4: when true, registration creates a personal account (one
+   * person, no company). Domain-uniqueness check is skipped, ZITADEL org
+   * is named "{givenName} {familyName} (Personal)", subsequent tenants
+   * are named with the `p-{requestId[:8]}` convention.
+   */
+  isPersonal?: boolean;
 }
 
 // Billing address
@@ -112,6 +151,13 @@ export interface TenantRequest {
   zitadelOrgId: string;
   zitadelUserId: string;
   companyName: string;
+  /**
+   * Customer-chosen human label per instance (e.g. "Production", "Dev").
+   * Optional. When set, used as the K8s `displayName` so the customer's
+   * dashboard distinguishes their instances. When null, the company
+   * name is used.
+   */
+  instanceName?: string | null;
   contactName: string;
   contactEmail: string;
   agentName: string;
@@ -124,12 +170,27 @@ export interface TenantRequest {
   adminNotes?: string;
   tenantName?: string;
   encryptedSecrets?: Buffer | null;
+  /**
+   * Slice 4: true for personal accounts. Drives CR-naming (`p-{suffix}`
+   * vs `{slug}-{suffix}` in `lib/tenant-naming.ts`), display-name
+   * fallback (contact name vs company name), and exclusion from the
+   * domain-uniqueness check on subsequent registrations.
+   */
+  isPersonal?: boolean;
   createdAt: string;
   updatedAt: string;
 }
 
 // Onboarding wizard input
 export interface OnboardingInput {
+  /**
+   * Customer's human label for this instance. Optional; when blank, the
+   * company name is used as the display name. Required when an org
+   * already has at least one approved instance, to avoid two
+   * indistinguishable rows on the dashboard — that constraint is
+   * enforced server-side, not by the type.
+   */
+  instanceName?: string;
   agentName: string;
   soulMd?: string;
   agentsMd?: string;