fix auth adoption provider fallback (#254)

zbeyens · web-flow · commit 0a2dde828650 · 2026-04-29T19:17:31.000+02:00
diff --git a/.changeset/install-kitcn-skill.md b/.changeset/install-kitcn-skill.md
@@ -4,4 +4,5 @@
 
 ## Patches
 
-- Improve agent guidance to install and use the `kitcn` skill before reading documentation.
+- Fix raw Convex auth adoption for TanStack Start apps that do not keep a kitcn provider at the default path.
+- Clarify organization auth guidance for Stripe-style plugin side effects in Convex actions.
diff --git a/docs/solutions/integration-issues/better-auth-external-plugin-calls-need-actions-20260429.md b/docs/solutions/integration-issues/better-auth-external-plugin-calls-need-actions-20260429.md
@@ -0,0 +1,76 @@
+---
+title: Better Auth external plugin calls need Convex actions
+date: 2026-04-29
+category: integration-issues
+module: auth-runtime
+problem_type: runtime_error
+component: authentication
+symptoms:
+  - `ctx.auth.api.updateOrganization()` fails inside a Convex mutation when the Stripe plugin is installed.
+  - Convex throws `Can't use setTimeout in queries and mutations`.
+root_cause: wrong_api
+resolution_type: documentation_update
+severity: high
+tags: [auth, better-auth, stripe, convex, actions]
+---
+
+# Better Auth external plugin calls need Convex actions
+
+## Problem
+
+Better Auth API endpoints can run plugin hooks in addition to local database
+writes. When an endpoint reaches Stripe, Polar, or direct email delivery from a
+Convex mutation, the external SDK can call APIs such as `setTimeout` or `fetch`
+that Convex mutations do not allow.
+
+## Symptoms
+
+- `auth.api.updateOrganization()` works until `@better-auth/stripe` is present.
+- Convex throws `Can't use setTimeout in queries and mutations`.
+- The stack points into `stripe/esm/RequestSender.js` or another external SDK.
+
+## What Didn't Work
+
+- Treating `ctx.auth.api.*` as a safe mutation helper for every organization
+  write. Some endpoints are DB-only in one plugin set and side-effectful in
+  another.
+- Creating placeholder provider files or changing adapter write behavior. The
+  failure happens before Convex can allow external SDK work in a mutation.
+
+## Solution
+
+Use mutations only for local Convex writes. Use actions for Better Auth
+endpoints that may run external plugin work.
+
+For simple organization profile updates, stay local:
+
+```ts
+await ctx.orm
+  .update(organization)
+  .set(data)
+  .where(eq(organization.id, input.organizationId));
+```
+
+For operations that call Stripe, Polar, or direct email delivery, expose an
+`authAction` and bridge back into queries or mutations through generated
+callers when local reads or writes are needed.
+
+## Why This Works
+
+Convex mutations are deterministic database transactions. External SDKs are not
+allowed there. Actions are the Convex function type designed for external I/O,
+and generated callers keep the app code typed when action code needs local data.
+
+## Prevention
+
+- Do not document `ctx.auth.api.*` as universally mutation-safe.
+- Prefer `ctx.orm` for simple reads and updates.
+- Use `authAction` for user-facing billing, payment, portal, email, and other
+  SDK-backed flows.
+- When adding auth plugin docs, explicitly classify each example as DB-only
+  mutation work or external-I/O action work.
+
+## Related Issues
+
+- `docs/solutions/integration-issues/auth-plugin-timestamp-writes-must-respect-table-schema-20260422.md`
+- `docs/solutions/integration-issues/raw-convex-start-auth-adoption-must-patch-start-provider-and-react-client-20260410.md`
diff --git a/docs/solutions/integration-issues/raw-convex-start-auth-adoption-must-patch-start-provider-and-react-client-20260410.md b/docs/solutions/integration-issues/raw-convex-start-auth-adoption-must-patch-start-provider-and-react-client-20260410.md
@@ -1,6 +1,7 @@
 ---
 title: Raw Convex Start auth adoption must patch Start provider and React client
 category: integration-issues
+last_updated: 2026-04-29
 tags:
   - convex
   - auth
@@ -10,6 +11,7 @@ tags:
   - scaffolding
 symptoms:
   - `kitcn add auth --preset convex --yes` fails on TanStack Start with `Auth preset "convex" requires a Vite-style client entry file (main.tsx/main.jsx).`
+  - `kitcn add auth --preset convex --yes --overwrite` fails on TanStack Start with `Auth preset "convex" for TanStack Start expects src/lib/convex/convex-provider.tsx.`
   - raw Convex Start auth adoption writes `process.env.NEXT_PUBLIC_CONVEX_SITE_URL!` into `src/lib/convex/auth-client.ts`
   - TanStack Start is detected as a supported shell, but raw auth adoption still behaves like plain Vite
 module: auth-adoption
@@ -35,6 +37,9 @@ Two raw-preset branches were missing for TanStack Start:
 2. template resolution only swapped the default Start auth client template, not
    the raw Convex auth client template, so Start inherited the Next
    `NEXT_PUBLIC_CONVEX_SITE_URL` variant
+3. the raw Start provider patch still treated the kitcn-init provider path as
+   mandatory, even though raw adoption must work in apps that own provider
+   wiring elsewhere
 
 The bug was not in auth bootstrap itself. It was in scaffold selection.
 
@@ -44,18 +49,21 @@ Keep the raw Convex preset minimal on TanStack Start.
 
 Do not route Start through the richer kitcn auth scaffold. Instead:
 
-1. patch `src/lib/convex/convex-provider.tsx` in place, the same way raw Next
-   patches its provider shell
+1. patch `src/lib/convex/convex-provider.tsx` in place when it exists, the same
+   way raw Next patches its provider shell
 2. keep the raw auth client shape with no `createAuthMutations()`
 3. use the React/Vite raw auth client template for Start so it reads
    `import.meta.env.VITE_CONVEX_SITE_URL!`
+4. if the Start provider file is absent, skip that patch with a manual action
+   instead of failing the whole auth adoption
 
 That preserves the raw Convex contract:
 
 - no `kitcn.json`
 - no cRPC scaffold churn
 - no generated `/auth` page
 - no Start auth proxy route
+- no forced placeholder provider file just to let the command finish
 
 ## Verification
 
@@ -76,7 +84,8 @@ That preserves the raw Convex contract:
    auth template branch too
 3. For raw preset adoption, patch the narrowest existing provider shell instead
    of replacing it with the full managed auth baseline
-4. Keep a dedicated bootstrap-heavy raw Start scenario so raw auth adoption
+4. Missing raw-provider shells should become manual actions, not hard errors
+5. Keep a dedicated bootstrap-heavy raw Start scenario so raw auth adoption
    drift fails in scenario validation, not in user migration threads
 
 ## Files Changed
diff --git a/fixtures/expo-auth/package.json b/fixtures/expo-auth/package.json
@@ -8,7 +8,7 @@
     "@tanstack/react-query": "5.95.2",
     "better-auth": "1.6.9",
     "convex": "1.36.1",
-    "expo": "~55.0.17",
+    "expo": "~55.0.18",
     "expo-constants": "~55.0.15",
     "expo-device": "~55.0.15",
     "expo-font": "~55.0.6",
diff --git a/fixtures/expo/package.json b/fixtures/expo/package.json
@@ -6,7 +6,7 @@
     "@react-navigation/native": "^7.1.33",
     "@tanstack/react-query": "5.95.2",
     "convex": "1.36.1",
-    "expo": "~55.0.17",
+    "expo": "~55.0.18",
     "expo-constants": "~55.0.15",
     "expo-device": "~55.0.15",
     "expo-font": "~55.0.6",
diff --git a/fixtures/next-auth/package.json b/fixtures/next-auth/package.json
@@ -9,7 +9,7 @@
     "convex": "1.36.1",
     "hono": "4.12.9",
     "kitcn": "workspace:*",
-    "lucide-react": "^1.11.0",
+    "lucide-react": "^1.14.0",
     "next": "16.1.7",
     "next-themes": "^0.4.6",
     "react": "^19.2.4",
diff --git a/fixtures/next/package.json b/fixtures/next/package.json
@@ -8,7 +8,7 @@
     "convex": "1.36.1",
     "hono": "4.12.9",
     "kitcn": "workspace:*",
-    "lucide-react": "^1.11.0",
+    "lucide-react": "^1.14.0",
     "next": "16.1.7",
     "next-themes": "^0.4.6",
     "react": "^19.2.4",
diff --git a/fixtures/start-auth/package.json b/fixtures/start-auth/package.json
@@ -17,7 +17,7 @@
     "convex": "1.36.1",
     "hono": "4.12.9",
     "kitcn": "workspace:*",
-    "lucide-react": "^1.11.0",
+    "lucide-react": "^1.14.0",
     "nitro": "latest",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
diff --git a/fixtures/start/package.json b/fixtures/start/package.json
@@ -16,7 +16,7 @@
     "convex": "1.36.1",
     "hono": "4.12.9",
     "kitcn": "workspace:*",
-    "lucide-react": "^1.11.0",
+    "lucide-react": "^1.14.0",
     "nitro": "latest",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
diff --git a/fixtures/vite-auth/package.json b/fixtures/vite-auth/package.json
@@ -11,7 +11,7 @@
     "convex": "1.36.1",
     "hono": "4.12.9",
     "kitcn": "workspace:*",
-    "lucide-react": "^1.11.0",
+    "lucide-react": "^1.14.0",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "shadcn": "latest",
diff --git a/fixtures/vite/package.json b/fixtures/vite/package.json
@@ -10,7 +10,7 @@
     "convex": "1.36.1",
     "hono": "4.12.9",
     "kitcn": "workspace:*",
-    "lucide-react": "^1.11.0",
+    "lucide-react": "^1.14.0",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "shadcn": "latest",
diff --git a/package.json b/package.json
@@ -13,12 +13,13 @@
     "build": "bun --cwd www build",
     "build:pkg": "bun --cwd packages/kitcn build",
     "build:watch": "bun --cwd packages/kitcn build:watch",
-    "check": "bun lint && bun typecheck && bun run test && bun run test:cli && bun run test:concave && bun run fixtures:check && bun run test:verify && bun run test:runtime",
+    "check": "bun lint && bun typecheck && bun run test && bun run test:cli && bun run test:concave && bun run fixtures:check:auto && bun run test:verify && bun run test:runtime",
     "check:ci": "bun lint && bun typecheck && bun run test && bun run test:cli && bun run test:concave && bun run fixtures:check",
     "deps:sync": "bun tooling/dependency-pins.ts sync",
     "deps:upgrade": "bun tooling/dependency-pins.ts upgrade",
     "dev": "bun --cwd www dev",
     "fixtures:check": "bun tooling/fixtures.ts check --backend concave",
+    "fixtures:check:auto": "bun run fixtures:sync && bun run fixtures:check",
     "fixtures:check:full": "bun --cwd packages/kitcn build && bun run fixtures:check",
     "fixtures:sync": "bun tooling/dependency-pins.ts sync --skip-validate && bun tooling/fixtures.ts sync --backend concave",
     "gen": "bun --cwd example gen",
diff --git a/packages/kitcn/skills/kitcn/references/features/auth-organizations.md b/packages/kitcn/skills/kitcn/references/features/auth-organizations.md
@@ -430,14 +430,18 @@ export const updateOrganization = authMutation
     if (input.name !== undefined) data.name = input.name;
     if (slug !== undefined) data.slug = slug;
 
-    await ctx.auth.api.updateOrganization({
-      body: { data, organizationId: input.organizationId },
-      headers: ctx.auth.headers,
-    });
+    await ctx.orm
+      .update(organization)
+      .set(data)
+      .where(eq(organization.id, input.organizationId));
     return null;
   });
 ```
 
+Use an `authAction` instead of an `authMutation` for any Better Auth endpoint
+that can run external plugin work such as Stripe, Polar, or email delivery.
+Convex mutations cannot call those SDKs.
+
 ### Delete Organization
 
 ```ts
diff --git a/packages/kitcn/src/cli/registry/items/auth/auth-item.test.ts b/packages/kitcn/src/cli/registry/items/auth/auth-item.test.ts
@@ -606,4 +606,60 @@ ${userUnit.relations},
     );
     expect(plan?.content).toContain('...authSchema,');
   });
+
+  test('raw Convex Start auth adoption does not require kitcn provider file', () => {
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'kitcn-auth-item-'));
+    const oldCwd = process.cwd();
+    process.chdir(dir);
+
+    try {
+      const descriptor = getPluginCatalogEntry('auth');
+      const files = descriptor.integration?.buildPlanFiles?.({
+        config: createDefaultConfig(),
+        functionsDir: path.join(dir, 'convex', 'functions'),
+        lockfile: { plugins: {} },
+        overwrite: true,
+        preset: 'convex',
+        preview: false,
+        promptAdapter: {
+          confirm: async () => false,
+          isInteractive: () => false,
+          multiselect: async () => [],
+          select: async () => 'ignored',
+        },
+        roots: {
+          appRootDir: null,
+          clientLibRootDir: path.join(dir, 'src', 'lib'),
+          crpcFilePath: path.join(dir, 'convex', 'lib', 'crpc.ts'),
+          envFilePath: path.join(dir, 'convex', 'lib', 'get-env.ts'),
+          functionsRootDir: path.join(dir, 'convex', 'functions'),
+          libRootDir: path.join(dir, 'convex', 'lib'),
+          projectContext: {
+            appDir: 'src',
+            clientEntryFile: null,
+            componentsDir: 'src/components',
+            convexClientDir: 'src/lib/convex',
+            framework: 'tanstack-start',
+            mode: 'react',
+          },
+          sharedApiFilePath: path.join(dir, 'convex', 'shared', 'api.ts'),
+        },
+        yes: true,
+      });
+
+      expect(files).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({
+            action: 'skip',
+            manualActions: expect.arrayContaining([
+              expect.stringContaining('src/lib/convex/convex-provider.tsx'),
+            ]),
+            path: 'src/lib/convex/convex-provider.tsx',
+          }),
+        ])
+      );
+    } finally {
+      process.chdir(oldCwd);
+    }
+  });
 });
diff --git a/packages/kitcn/src/cli/registry/items/auth/auth-item.ts b/packages/kitcn/src/cli/registry/items/auth/auth-item.ts
@@ -1,9 +1,10 @@
 import fs from 'node:fs';
-import { resolve } from 'node:path';
+import { relative, resolve } from 'node:path';
 import {
   BETTER_AUTH_INSTALL_SPEC,
   OPENTELEMETRY_API_INSTALL_SPEC,
 } from '../../../supported-dependencies.js';
+import type { PluginInstallPlanFile } from '../../../types.js';
 import { defineInternalRegistryItem } from '../../define-item.js';
 import { createRegistryFile } from '../../files.js';
 import { INIT_EXPO_CONVEX_PROVIDER_TEMPLATE } from '../../init/expo/init-expo-convex-provider.template.js';
@@ -725,9 +726,20 @@ function buildAuthConvexStartProviderPlanFile(
     'convex-provider.tsx'
   );
   if (!fs.existsSync(providerPath)) {
-    throw new Error(
-      'Auth preset "convex" for TanStack Start expects src/lib/convex/convex-provider.tsx.'
+    const normalizedPath = relative(process.cwd(), providerPath).replaceAll(
+      '\\',
+      '/'
     );
+    return {
+      action: 'skip',
+      content: '',
+      kind: 'scaffold',
+      manualActions: [
+        `Wrap your existing Convex provider with ConvexAuthProvider using src/lib/convex/auth-client.ts, or place the provider at ${normalizedPath} before rerunning auth adoption.`,
+      ],
+      path: normalizedPath,
+      reason: 'No Start provider found to patch.',
+    } satisfies PluginInstallPlanFile;
   }
 
   const source = patchAuthConvexProviderSource(
diff --git a/tooling/scenario.config.ts b/tooling/scenario.config.ts
@@ -225,7 +225,8 @@ export const SCENARIO_DEFINITIONS: Record<ScenarioKey, ScenarioDefinition> = {
     validation: {
       beforeCheck: [
         ['convex', 'init'],
-        ['kitcn', 'add', 'auth', '--preset', 'convex', '--yes'],
+        ['kitcn', 'add', 'auth', '--preset', 'convex', '--yes', '--no-codegen'],
+        ['kitcn', 'codegen'],
       ],
       lint: false,
     },
@@ -243,7 +244,8 @@ export const SCENARIO_DEFINITIONS: Record<ScenarioKey, ScenarioDefinition> = {
     validation: {
       beforeCheck: [
         ['convex', 'init'],
-        ['kitcn', 'add', 'auth', '--preset', 'convex', '--yes'],
+        ['kitcn', 'add', 'auth', '--preset', 'convex', '--yes', '--no-codegen'],
+        ['kitcn', 'codegen'],
       ],
       lint: false,
     },
diff --git a/tooling/scenarios.test.ts b/tooling/scenarios.test.ts
diff --git a/www/content/docs/auth/plugins/organizations.mdx b/www/content/docs/auth/plugins/organizations.mdx
