chore: migrate frontend auth from Clerk to Better Auth #4568

Draft
NathanFlurry wants to merge 8 commits into main from 04-04-chore_migrate_to_better-auth

@NathanFlurry
Member

Summary

  • Replace ClerkProvider with Better Auth client in the frontend
  • Rewrite sign-in, sign-up, and onboarding pages to use Better Auth
  • Update org switching, context providers, and E2E test auth setup
  • Remove all Clerk dependencies and references

Test plan

  • Sign in / sign up flows work end-to-end
  • Google OAuth flow works
  • Org creation and switching works
  • E2E tests pass with new auth setup

🤖 Generated with Claude Code

@railway-app

railway-app bot commented Apr 6, 2026

🚅 Deployed to the rivet-pr-4568 environment in rivet-frontend

| Service | Status | Web | Updated (UTC) |
|---|---|---|---|
| frontend-inspector | ❌ Build Failed (View Logs) | Web | Apr 6, 2026 at 10:05 pm |
| frontend-cloud | ❌ Build Failed (View Logs) | Web | Apr 6, 2026 at 10:01 pm |
| website | ❌ Build Failed (View Logs) | Web | Apr 6, 2026 at 10:01 pm |
| ladle | ❌ Build Failed (View Logs) | Web | Apr 6, 2026 at 10:00 pm |
| kitchen-sink | ❌ Build Failed (View Logs) | Web | Apr 6, 2026 at 10:00 pm |
| mcp-hub | ✅ Success (View Logs) | Web | Apr 6, 2026 at 9:56 pm |

NathanFlurry and others added 8 commits April 6, 2026 23:59
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ropdown

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ences

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor

jog1t commented Apr 6, 2026

@claude

claude bot commented Apr 6, 2026

PR Review: Migrate Frontend Auth from Clerk to Better Auth

This PR replaces Clerk with Better Auth across the Rivet frontend, removing all @clerk/* packages, rewriting sign-in/sign-up pages as plain React forms, updating route guards, context providers, org switching, and E2E test setup. It also adds a custom SSE streaming implementation.


Issues

1. Empty bearer token sent on every cloud API request (functional/security bug)

frontend/src/app/data-providers/cloud-data-provider.tsx: The token callback unconditionally returns "", which sends an Authorization: Bearer header with an empty value on every cloud API request. If the cloud API validates or logs authorization headers this will cause auth failures or noisy logs. Since the intent is to rely on withCredentials: true (session cookies), the token field should be removed entirely or the SDK's token mechanism disabled cleanly.

2. Logic inversion bug in redirectToOrganization callers

frontend/src/routes/_context/index.tsx: The new redirectToOrganization in frontend/src/lib/auth.ts either throws a redirect or returns undefined -- it never returns a truthy value. So !undefined === true is always true, meaning the fallback throw redirect({ to: "/login" }) always fires if redirectToOrganization does not throw first. This is a logic inversion -- the condition is backwards relative to the original Clerk-based behaviour.

3. E2E cookie propagation is incomplete

frontend/e2e/auth.setup.ts: The sign-in POST is made via Playwright's request fixture, which is a separate context from the browser page. Cookies set on request are not automatically shared with page. The subsequent page.goto("/") likely does not carry the session cookie, so saved auth state won't include it and authenticated test runs will fail. Cookies from the request context need to be explicitly transferred to the page context.

4. Hardcoded localhost URL in E2E auth setup

frontend/e2e/auth.setup.ts: The Better Auth sign-in URL is hardcoded as http://localhost:43710. This will break in CI or any environment where the port differs. Should use a configurable env var.

5. activeOrganizationId fallback to empty string produces broken URL

frontend/src/routes/_context/_cloud/new/index.tsx: const orgId = session.data?.session?.activeOrganizationId ?? "" -- when session data is absent this redirects to /orgs//new (empty segment). A guard to redirect to login or throw notFound() when the org ID is missing is needed.

6. Unnecessary try/catch that just re-throws

frontend/src/app/login.tsx handleSubmit: The catch block catches and immediately re-throws without doing anything useful. Remove it.

7. Duplicate slug generation logic

The generateSlug function appears verbatim in two files: frontend/src/app/dialogs/create-organization-frame.tsx and frontend/src/routes/onboarding/choose-organization.tsx. Extract to a shared utility.


Gaps to Track

  • Profile/Settings/Members UI: The dropdown items for profile, settings, and org members were removed with no replacement. Users currently have no way to manage their profile or org settings.
  • Invitation acceptance flow: /onboarding/accept-invitation route was deleted. If Better Auth supports org invitations, there is no UI to accept them.
  • Sentry/PostHog user identification: waitForClerk.ts (which called Sentry.setUser and posthog.setPersonProperties after login) was deleted with no replacement. Error reports will lose user identity context.

Minor Notes

  • The pre-existing VITE_APP_ASSETS_URL=https://assets2.rivet.gg in frontend/.env uses the deprecated rivet.gg domain. Per CLAUDE.md this should be rivet.dev.
  • better-auth pulls in server-side peer deps (drizzle-orm, next, pg) that may affect bundle size. Verify tree-shaking is working correctly by importing only from better-auth/react and better-auth/client subpaths.
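
Issues 2 and 5 from the review above, reconstructed as an added example that is not code from the PR or the Rivet repository. Every type and function name is hypothetical, and the router redirect is modelled as a thrown object; the last function shows one alternative that returns an explicit decision and never emits an empty path segment.

```typescript
// Added example; every name here is hypothetical, not taken from the PR.
type SessionData = { session?: { activeOrganizationId?: string | null } } | null;

// Stand-in for a router redirect that is signalled by throwing (assumption).
class Redirect {
  to: string;
  constructor(to: string) {
    this.to = to;
  }
}

// Issue 2 pattern: the helper throws a redirect or returns undefined.
function redirectOrUndefined(data: SessionData): undefined {
  const orgId = data?.session?.activeOrganizationId;
  if (orgId) throw new Redirect(`/orgs/${encodeURIComponent(orgId)}`);
  return undefined;
}

// Caller that negates the return value: the test is true whenever no
// redirect was thrown, so it carries no information about the session.
function guardByNegation(data: SessionData): string {
  try {
    if (!redirectOrUndefined(data)) return "/login";
    return "/"; // never reached: the helper has no truthy return
  } catch (e) {
    if (e instanceof Redirect) return e.to;
    throw e;
  }
}

// Issue 5 pattern: "" fallback interpolated straight into the path.
function newPathWithEmptyFallback(data: SessionData): string {
  const orgId = data?.session?.activeOrganizationId ?? "";
  return `/orgs/${orgId}/new`;
}

// Alternative: one function returns an explicit decision, and a missing or
// blank organization ID resolves to the login route instead of a broken URL.
type RouteDecision = { kind: "org" | "login"; to: string };

function decideOrgRoute(data: SessionData, suffix: string = ""): RouteDecision {
  const orgId = data?.session?.activeOrganizationId;
  if (typeof orgId !== "string" || orgId.trim() === "") {
    return { kind: "login", to: "/login" };
  }
  return { kind: "org", to: `/orgs/${encodeURIComponent(orgId)}${suffix}` };
}
```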

@jog1t jog1t mentioned this pull request Apr 8, 2026
11 tasks