Personal accounts (#118)

Author: mrubens

.gitignore

@@ -20,5 +20,5 @@ Thumbs.db
 .vercel
 
 # docker
-.docker/data
-.docker/logs
+**/.docker/data
+**/.docker/logs

apps/web/package.json

@@ -32,7 +32,7 @@
     "@radix-ui/react-toast": "^1.2.14",
     "@radix-ui/react-tooltip": "^1.2.7",
     "@roo-code-cloud/db": "workspace:^",
-    "@roo-code/types": "^1.26.0",
+    "@roo-code/types": "^1.28.0",
     "@sentry/nextjs": "^9.23.0",
     "@t3-oss/env-nextjs": "^0.13.6",
     "@tailwindcss/postcss": "^4.1.8",

apps/web/src/actions/agents.ts

@@ -29,6 +29,14 @@ export async function createAgent(
 
     const { userId, orgId, orgRole } = authResult;
 
+    // Agents are only available for organizations, not personal accounts
+    if (!orgId || !orgRole) {
+      return {
+        success: false,
+        error: 'Agents are only available for organization accounts.',
+      };
+    }
+
     if (orgRole !== 'org:admin') {
       return {
         success: false,
@@ -105,6 +113,14 @@ export async function revokeAgent(
 
     const { orgId, orgRole } = authResult;
 
+    // Agents are only available for organizations, not personal accounts
+    if (!orgId || !orgRole) {
+      return {
+        success: false,
+        error: 'Agents are only available for organization accounts.',
+      };
+    }
+
     if (orgRole !== 'org:admin') {
       return {
         success: false,

apps/web/src/actions/analytics/events.ts

@@ -92,17 +92,24 @@ export const getUsage = async ({
     requestedUserId: userId,
   });
 
-  if (!orgId) {
-    return {};
+  // For personal accounts, query by userId instead of orgId
+  if (!orgId && !effectiveUserId) {
+    return {}; // Personal accounts must have a userId
   }
 
   const userFilter = effectiveUserId ? 'AND userId = {userId: String}' : '';
 
+  // Build query conditions based on account type
+  const orgCondition = !orgId ? 'orgId IS NULL' : 'orgId = {orgId: String}';
+
   const queryParams: Record<string, string | number> = {
-    orgId: orgId!,
     timePeriod,
   };
 
+  if (orgId) {
+    queryParams.orgId = orgId;
+  }
+
   if (effectiveUserId) {
     queryParams.userId = effectiveUserId;
   }
@@ -117,7 +124,7 @@ export const getUsage = async ({
         SUM(COALESCE(cost, 0)) AS cost
       FROM events
       WHERE
-        orgId = {orgId: String}
+        ${orgCondition}
         AND timestamp >= toUnixTimestamp(now() - INTERVAL {timePeriod: Int32} DAY)
         ${userFilter}
       GROUP BY 1
@@ -332,8 +339,10 @@ export const getTasks = async ({
     effectiveUserId = authResult.effectiveUserId;
   }
 
-  if (!orgId) {
-    return [];
+  // For personal accounts, query by userId instead of orgId
+  // Exception: when skipAuth is true (for public shares), we can query without userId
+  if (!orgId && !effectiveUserId && !skipAuth) {
+    return []; // Personal accounts must have a userId unless we're skipping auth
   }
 
   const userFilter = effectiveUserId ? 'AND e.userId = {userId: String}' : '';
@@ -345,15 +354,25 @@ export const getTasks = async ({
 
   const messageTaskFilter = taskId ? 'AND taskId = {taskId: String}' : '';
 
+  // Build query conditions based on account type
+  const orgCondition = !orgId ? 'e.orgId IS NULL' : 'e.orgId = {orgId: String}';
+
+  const messageOrgCondition = !orgId
+    ? 'orgId IS NULL'
+    : 'orgId = {orgId: String}';
+
   const queryParams: Record<string, string | string[]> = {
-    orgId: orgId!,
     types: [
       TelemetryEventName.TASK_CREATED,
       TelemetryEventName.TASK_COMPLETED,
       TelemetryEventName.LLM_COMPLETION,
     ],
   };
 
+  if (orgId) {
+    queryParams.orgId = orgId;
+  }
+
   if (effectiveUserId) {
     queryParams.userId = effectiveUserId;
   }
@@ -370,7 +389,7 @@ export const getTasks = async ({
           argMin(text, ts) as title,
           argMin(mode, ts) as mode
         FROM messages
-        WHERE orgId = {orgId: String}
+        WHERE ${messageOrgCondition}
         ${messageUserFilter}
         ${messageTaskFilter}
         GROUP BY taskId
@@ -389,7 +408,7 @@ export const getTasks = async ({
       FROM events e
       LEFT JOIN first_messages fm ON e.taskId = fm.taskId
       WHERE
-        e.orgId = {orgId: String}
+        ${orgCondition}
         AND e.type IN ({types: Array(String)})
         AND e.modelId IS NOT NULL
         ${userFilter}
@@ -440,14 +459,17 @@ export const getHourlyUsageByUser = async ({
     requestedUserId: userId,
   });
 
-  if (!orgId) {
-    return [];
+  // For personal accounts, query by userId instead of orgId
+  if (!orgId && !effectiveUserId) {
+    return []; // Personal accounts must have a userId
   }
 
   const userFilter = effectiveUserId ? 'AND userId = {userId: String}' : '';
 
+  // Build query conditions based on account type
+  const orgCondition = !orgId ? 'orgId IS NULL' : 'orgId = {orgId: String}';
+
   const queryParams: Record<string, string | number | string[]> = {
-    orgId: orgId!,
     timePeriod,
     types: [
       TelemetryEventName.TASK_CREATED,
@@ -456,6 +478,10 @@ export const getHourlyUsageByUser = async ({
     ],
   };
 
+  if (orgId) {
+    queryParams.orgId = orgId;
+  }
+
   if (effectiveUserId) {
     queryParams.userId = effectiveUserId;
   }
@@ -470,7 +496,7 @@ export const getHourlyUsageByUser = async ({
         SUM(CASE WHEN type = '${TelemetryEventName.LLM_COMPLETION}' THEN COALESCE(cost, 0) ELSE 0 END) AS cost
       FROM events
       WHERE
-        orgId = {orgId: String}
+        ${orgCondition}
         AND timestamp >= toUnixTimestamp(now() - INTERVAL {timePeriod: Int32} DAY)
         AND type IN ({types: Array(String)})
         ${userFilter}

apps/web/src/actions/analytics/messages.ts

@@ -3,6 +3,7 @@
 import { z } from 'zod';
 
 import { analytics } from '@/lib/server';
+import { authorizeAnalytics } from '@/actions/auth';
 
 /**
  * getMessages
@@ -26,17 +27,44 @@ const messageSchema = z.object({
 
 export type Message = z.infer<typeof messageSchema>;
 
-export const getMessages = async (taskId: string): Promise<Message[]> => {
+export const getMessages = async (
+  taskId: string,
+  orgId?: string | null,
+  userId?: string | null,
+  skipAuth = false,
+): Promise<Message[]> => {
+  // Authorize the request - this will handle both personal and org contexts
+  // Skip auth for public shares viewed by unauthenticated users
+  if (!skipAuth) {
+    await authorizeAnalytics({
+      requestedOrgId: orgId,
+      requestedUserId: userId,
+      allowCrossUserAccess: true, // Allow viewing messages within authorized tasks
+    });
+  }
+
+  // For personal accounts, query with orgId IS NULL
+  // For organizations, query with specific orgId
+  const orgCondition = !orgId ? 'orgId IS NULL' : 'orgId = {orgId: String}';
+
+  const queryParams: Record<string, string> = { taskId };
+  if (orgId) {
+    queryParams.orgId = orgId;
+  }
+
   const results = await analytics.query({
     query: `
       SELECT *
       FROM messages
       WHERE taskId = {taskId: String}
+        AND ${orgCondition}
       ORDER BY ts ASC
     `,
     format: 'JSONEachRow',
-    query_params: { taskId },
+    query_params: queryParams,
   });
 
-  return z.array(messageSchema).parse(await results.json());
+  const messages = z.array(messageSchema).parse(await results.json());
+
+  return messages;
 };

apps/web/src/actions/auth.ts

@@ -18,8 +18,15 @@ export async function authorize(): Promise<AuthResult> {
     return { success: false, error: 'Unauthorized: User required' };
   }
 
+  // Personal context is valid - no org required
   if (!orgId) {
-    return { success: false, error: 'Unauthorized: Organization required' };
+    return {
+      success: true,
+      userType: 'user',
+      userId,
+      orgId: null,
+      orgRole: null,
+    };
   }
 
   return {
@@ -111,6 +118,27 @@ export async function authorizeAnalytics({
 }) {
   const { orgId: authOrgId, orgRole, userId: authUserId } = await auth();
 
+  if (!authUserId) {
+    throw new Error('Unauthorized: User required');
+  }
+
+  // Handle personal context
+  if (!authOrgId && !requestedOrgId) {
+    // Personal context - user can only access their own data
+    if (requestedUserId && requestedUserId !== authUserId) {
+      throw new Error(
+        'Unauthorized: Personal users can only access their own data',
+      );
+    }
+
+    return {
+      authOrgId: null,
+      authUserId,
+      orgRole: null,
+      effectiveUserId: authUserId,
+    };
+  }
+
   // Ensure user is authenticated and belongs to the organization
   if (!authOrgId || !authUserId || authOrgId !== requestedOrgId) {
     throw new Error('Unauthorized: Invalid organization access');

apps/web/src/actions/organizationSettings.ts

@@ -24,6 +24,11 @@ export async function getOrganizationSettings(): Promise<OrganizationSettings> {
     throw new Error('Unauthorized');
   }
 
+  // Organization settings are only available for organizations, not personal accounts
+  if (!authResult.orgId) {
+    return ORGANIZATION_DEFAULT;
+  }
+
   const settings = await db
     .select()
     .from(orgSettings)
@@ -64,6 +69,13 @@ export async function updateOrganization(data: UpdateOrganizationRequest) {
 
   const { userId, orgId } = authResult;
 
+  // Organization settings are only available for organizations, not personal accounts
+  if (!orgId) {
+    throw new Error(
+      'Organization settings are only available for organization accounts',
+    );
+  }
+
   const validatedData = updateOrganizationSchema.parse(data);
 
   // Perform database update in a transaction