RBAC
Agorio Cloud enforces role-based access control across an organization. Access is checked in
cloud/lib/rbac.ts via requireRole, which gates server actions and pages against a role
hierarchy.
Role hierarchy
From most to least privileged:
- owner — full control, including billing and deleting the org.
- admin — manage team members and most settings.
- member — day-to-day use (view traces, manage API keys).
- viewer — read-only access to traces and logs.
requireRole enforces this hierarchy: a check for member is satisfied by member, admin, or
owner. The default org is lazy-seeded on first access, so a new account works without manual
setup.
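The hierarchy check described above, sketched as an added example; this is not the code in cloud/lib/rbac.ts. The four role names come from this page, while ROLE_RANK, isRole, hasRole, requireRoleSketch, passingRoles and the OrgMembership shape are hypothetical, and per-organization storage of roles is an assumption.

```typescript
// Added illustration, not the contents of cloud/lib/rbac.ts.
// Role names are from the page; every other identifier is hypothetical.
const ROLE_RANK = { viewer: 0, member: 1, admin: 2, owner: 3 } as const;
type Role = keyof typeof ROLE_RANK;

// Assumption: a role is stored per user per organization.
interface OrgMembership { orgId: string; userId: string; role: string }

// Own-property lookup, so "constructor" or "__proto__" never count as roles.
function isRole(value: unknown): value is Role {
  return typeof value === "string" &&
    Object.prototype.hasOwnProperty.call(ROLE_RANK, value);
}

// True when `actual` is at or above `required` in the hierarchy.
// Unknown, empty or differently-cased values fail closed.
function hasRole(actual: unknown, required: Role): boolean {
  return isRole(actual) && ROLE_RANK[actual] >= ROLE_RANK[required];
}

// Guard for a server action or page: returns the membership or throws.
// A membership row for another org never satisfies the check.
function requireRoleSketch(
  m: OrgMembership | null, orgId: string, required: Role
): OrgMembership {
  if (m === null || m.orgId !== orgId || !hasRole(m.role, required)) {
    throw new Error("forbidden: requires " + required + " in org " + orgId);
  }
  return m;
}

// Which of the stored role strings pass a check for `required`.
function passingRoles(stored: string[], required: Role): string[] {
  return stored.filter((r) => hasRole(r, required));
}

// Constructed sample values, including malformed ones that must be rejected.
console.log(passingRoles(
  ["owner", "admin", "member", "viewer", "Admin", "", "constructor"], "member"
));
```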
Team administration
The /team UI lets owners and admins:
- Invite members (an invite email is sent via Resend).
- Change roles for existing members.
- Remove members.
Sessions across subdomains
Because the marketing site (agorio.dev) and the Cloud app (cloud.agorio.dev) share auth,
session cookies are scoped to .agorio.dev, so signing in on one carries over to the other.
A cookie scoped this way is sent to every subdomain of agorio.dev, not only these two hosts.