Merge pull request #223 from udecode/codex/fix-auth-cli-cold-start

Author: zbeyens

.changeset/fix-auth-cli-cold-start.md

@@ -0,0 +1,7 @@
+---
+"kitcn": patch
+---
+
+## Patches
+
+- Fix `kitcn add auth` in fresh apps so the CLI does not require `better-auth` to be installed before the auth scaffold planner runs.

docs/solutions/integration-issues/auth-peer-and-fixture-sync-parity-20260323.md

@@ -1,6 +1,6 @@
 ---
 title: Auth scaffold peer installs and fixture sync must follow the packaged CLI path
-last_updated: 2026-04-01
+last_updated: 2026-04-17
 category: integration-issues
 tags:
   - auth
@@ -14,6 +14,7 @@ symptoms:
   - auth apps hit `Cannot find package '@opentelemetry/api'`
   - fresh Bun apps can warn during later `kitcn add ...` runs because `bun.lock` already carries Better Auth peers
   - plain non-auth apps can still fail codegen because the packaged CLI bundle imports Better Auth too early
+  - fresh `kitcn add auth` runs can fail before scaffold with `Cannot find package 'better-auth'`
   - `fixtures:sync` can say snapshots are fresh while `fixtures:check` still reports drift
 module: cli-fixtures-auth
 resolved: 2026-03-31
@@ -50,6 +51,10 @@ There were three separate mistakes:
 4. Fresh app baselines still omitted `@opentelemetry/api`, so Bun could keep
    warning on later `bun add` operations even after the auth-specific planning
    fix landed.
+5. First-pass auth schema registration still called
+   `loadDefaultManagedAuthOptions()` when `auth.ts` did not exist yet. That
+   pulled the managed Convex auth plugin into the published CLI before
+   `better-auth` was installed.
 
 ## Solution
 
@@ -74,6 +79,14 @@ Then cut the hot auth import out of the CLI bundle:
   lazy dynamic import that only runs when auth schema reconciliation actually
   happens
 
+Then keep first-pass auth scaffold on a static schema fallback:
+
+- if `convex/functions/auth.ts` is missing, resolve the default managed auth
+  schema from baked extension units instead of calling the Better Auth-backed
+  fallback loader
+- only reach for `loadDefaultManagedAuthOptions()` after auth is already
+  present and the app can legitimately load Better Auth runtime code
+
 Finally, make fixture sync mirror fixture check:
 
 - sync the generated app through the same packaged local install + validation
@@ -84,11 +97,12 @@ Finally, make fixture sync mirror fixture check:
 
 - `bun test packages/kitcn/src/cli/registry/dependencies.test.ts packages/kitcn/src/cli/supported-dependencies.test.ts`
 - `bun test ./packages/kitcn/src/cli/cli.commands.ts --test-name-pattern 'run\\(add auth --yes --no-codegen\\) patches the next baseline with minimal auth scaffolding|run\\(add auth --preset convex --yes\\) adopts a raw next convex app without kitcn baseline churn'`
-- `bun test packages/kitcn/src/cli/registry/items/auth/reconcile-auth-schema.test.ts`
+- `bun test packages/kitcn/src/cli/registry/items/auth/reconcile-auth-schema.test.ts packages/kitcn/src/cli/registry/items/auth/auth-item.test.ts`
 - `bun --cwd packages/kitcn build`
 - fresh packed CLI smoke: `KITCN_INSTALL_SPEC=<tarball> bunx --bun --package <tarball> kitcn init -t next --yes`
 - fresh packed CLI smoke: `bunx kitcn add auth --yes --no-codegen`
 - fresh packed CLI smoke: `bunx kitcn codegen`
+- fresh packed CLI smoke: `node node_modules/kitcn/dist/cli.mjs add auth --yes`
 
 ## Prevention
 
@@ -103,3 +117,5 @@ Finally, make fixture sync mirror fixture check:
 5. If Bun warnings only disappear after manually adding a package once, fix the
    generated app baseline or the CLI preflight. Do not teach users to ignore
    the warning.
+6. First-pass auth scaffold must not require Better Auth runtime code just to
+   compute the default managed schema.

packages/kitcn/src/cli/registry/items/auth/auth-item.ts

@@ -49,10 +49,9 @@ import { AUTH_START_SERVER_TEMPLATE } from './auth-start-server.template.js';
 import { AUTH_START_SERVER_CALL_TEMPLATE } from './auth-start-server-call.template.js';
 import {
   loadAuthOptionsFromDefinition,
-  loadDefaultManagedAuthOptions,
   preserveUserOwnedAuthScaffoldFiles,
   reconcileAuthScaffoldFiles,
-  renderManagedAuthSchemaUnits,
+  resolveManagedAuthSchemaUnits,
 } from './reconcile-auth-schema.js';
 
 const INIT_HTTP_API_USE_BLOCK_RE =
@@ -161,9 +160,6 @@ async function buildAuthSchemaRegistrationPlanFile(
   const schemaPath = getSchemaFilePath(params.functionsDir);
   const source = fs.readFileSync(schemaPath, 'utf8');
   const authDefinitionPath = resolve(params.functionsDir, 'auth.ts');
-  const authOptions =
-    (await loadAuthOptionsFromDefinition(authDefinitionPath)) ??
-    (await loadDefaultManagedAuthOptions());
   const authSchemaLock = params.lockfile.plugins.auth?.schema ?? null;
   const result = await reconcileRootSchemaOwnership({
     claimMatchingManaged:
@@ -176,8 +172,9 @@ async function buildAuthSchemaRegistrationPlanFile(
     promptAdapter: params.promptAdapter,
     schemaPath,
     source,
-    tables: await renderManagedAuthSchemaUnits({
-      authOptions,
+    tables: await resolveManagedAuthSchemaUnits({
+      authDefinitionPath,
+      loadAuthOptions: loadAuthOptionsFromDefinition,
     }),
     yes: params.yes,
   });

packages/kitcn/src/cli/registry/items/auth/auth-schema.template.ts

@@ -83,6 +83,137 @@ export function authExtension() {
 }
 `;
 
+export const DEFAULT_MANAGED_AUTH_EXTENSION_TEMPLATE = `// This file is auto-generated. Do not edit this file manually.
+// To regenerate the schema, run:
+// \`npx kitcn add auth --yes\`
+
+import {
+  boolean,
+  convexTable,
+  defineSchemaExtension,
+  index,
+  text,
+  timestamp,
+} from "kitcn/orm";
+
+export const userTable = convexTable(
+  "user",
+  {
+    name: text().notNull(),
+    email: text().notNull().unique(),
+    emailVerified: boolean().notNull(),
+    image: text(),
+    createdAt: timestamp().notNull(),
+    updatedAt: timestamp().notNull(),
+    userId: text(),
+  },
+  (userTable) => [
+    index("email_name").on(userTable.email, userTable.name),
+    index("name").on(userTable.name),
+  ]
+);
+
+export const sessionTable = convexTable(
+  "session",
+  {
+    expiresAt: timestamp().notNull(),
+    token: text().notNull().unique(),
+    createdAt: timestamp().notNull(),
+    updatedAt: timestamp().notNull(),
+    ipAddress: text(),
+    userAgent: text(),
+    userId: text().notNull().references(() => userTable.id),
+  },
+  (sessionTable) => [
+    index("expiresAt").on(sessionTable.expiresAt),
+    index("expiresAt_userId").on(sessionTable.expiresAt, sessionTable.userId),
+    index("userId").on(sessionTable.userId),
+  ]
+);
+
+export const accountTable = convexTable(
+  "account",
+  {
+    accountId: text().notNull(),
+    providerId: text().notNull(),
+    userId: text().notNull().references(() => userTable.id),
+    accessToken: text(),
+    refreshToken: text(),
+    idToken: text(),
+    accessTokenExpiresAt: timestamp(),
+    refreshTokenExpiresAt: timestamp(),
+    scope: text(),
+    password: text(),
+    createdAt: timestamp().notNull(),
+    updatedAt: timestamp().notNull(),
+  },
+  (accountTable) => [
+    index("accountId").on(accountTable.accountId),
+    index("accountId_providerId").on(accountTable.accountId, accountTable.providerId),
+    index("providerId_userId").on(accountTable.providerId, accountTable.userId),
+    index("userId").on(accountTable.userId),
+  ]
+);
+
+export const verificationTable = convexTable(
+  "verification",
+  {
+    identifier: text().notNull(),
+    value: text().notNull(),
+    expiresAt: timestamp().notNull(),
+    createdAt: timestamp().notNull(),
+    updatedAt: timestamp().notNull(),
+  },
+  (verificationTable) => [
+    index("expiresAt").on(verificationTable.expiresAt),
+    index("identifier").on(verificationTable.identifier),
+  ]
+);
+
+export const jwksTable = convexTable(
+  "jwks",
+  {
+    publicKey: text().notNull(),
+    privateKey: text().notNull(),
+    createdAt: timestamp().notNull(),
+    expiresAt: timestamp(),
+  }
+);
+
+export function authExtension() {
+  return defineSchemaExtension("auth", {
+  user: userTable,
+  session: sessionTable,
+  account: accountTable,
+  verification: verificationTable,
+  jwks: jwksTable,
+}).relations((r) => ({
+  user: {
+    sessions: r.many.session({
+      from: r.user.id,
+      to: r.session.userId,
+    }),
+    accounts: r.many.account({
+      from: r.user.id,
+      to: r.account.userId,
+    }),
+  },
+  session: {
+    user: r.one.user({
+      from: r.session.userId,
+      to: r.user.id,
+    }),
+  },
+  account: {
+    user: r.one.user({
+      from: r.account.userId,
+      to: r.user.id,
+    }),
+  },
+}));
+}
+`;
+
 export const AUTH_CONVEX_SCHEMA_TEMPLATE = `import { defineTable } from 'convex/server';
 import { v } from 'convex/values';
 

packages/kitcn/src/cli/registry/items/auth/reconcile-auth-schema.test.ts

@@ -10,6 +10,7 @@ import {
   preserveUserOwnedAuthScaffoldFiles,
   reconcileAuthScaffoldFiles,
   renderManagedAuthSchemaFile,
+  resolveManagedAuthSchemaUnits,
 } from './reconcile-auth-schema';
 
 const baseAuthOptions = {
@@ -100,6 +101,23 @@ describe('reconcile auth schema', () => {
     expect(content).toContain('"jwks"');
   });
 
+  test('uses static default managed auth schema units when auth definition is missing', async () => {
+    const units = await resolveManagedAuthSchemaUnits({
+      authDefinitionPath: '/repo/convex/functions/auth.ts',
+      loadAuthOptions: async () => null,
+      renderManagedUnits: async () => {
+        throw new Error('should not load better-auth-backed schema units');
+      },
+    });
+
+    expect(units.find((unit) => unit.key === 'jwks')?.declaration).toContain(
+      'export const jwksTable = convexTable('
+    );
+    expect(units.find((unit) => unit.key === 'user')?.registration).toContain(
+      'user: userTable'
+    );
+  });
+
   test('loads auth options from strict env-backed auth definitions', async () => {
     const dir = mkTempDir();
     const authDefinitionPath = path.join(dir, 'convex', 'functions', 'auth.ts');

packages/kitcn/src/cli/registry/items/auth/reconcile-auth-schema.ts

@@ -8,6 +8,7 @@ import { createSchemaExtensionOrm } from '../../../../auth/create-schema-orm';
 import { createProjectJiti } from '../../../utils/project-jiti.js';
 import { createTypeScriptProxy } from '../../../utils/typescript-runtime.js';
 import type { RootSchemaTableUnit } from '../../schema-ownership.js';
+import { DEFAULT_MANAGED_AUTH_EXTENSION_TEMPLATE } from './auth-schema.template.js';
 
 type AuthSchemaTemplateId = 'auth-schema' | 'auth-schema-convex';
 type UserOwnedAuthTemplateId =
@@ -286,6 +287,33 @@ export const renderManagedAuthSchemaUnits = async ({
     })
   );
 
+export const renderDefaultManagedAuthSchemaUnits = () =>
+  parseRootSchemaUnitsFromExtension(DEFAULT_MANAGED_AUTH_EXTENSION_TEMPLATE);
+
+export const resolveManagedAuthSchemaUnits = async ({
+  authDefinitionPath,
+  loadAuthOptions = loadAuthOptionsFromDefinition,
+  renderManagedUnits = renderManagedAuthSchemaUnits,
+}: {
+  authDefinitionPath: string;
+  loadAuthOptions?: (
+    authDefinitionPath: string
+  ) => Promise<BetterAuthOptions | null>;
+  renderManagedUnits?: (params: {
+    authOptions: BetterAuthOptions;
+  }) => Promise<RootSchemaTableUnit[]>;
+}) => {
+  const authOptions = await loadAuthOptions(authDefinitionPath);
+
+  if (!authOptions) {
+    return renderDefaultManagedAuthSchemaUnits();
+  }
+
+  return renderManagedUnits({
+    authOptions,
+  });
+};
+
 export const loadDefaultManagedAuthConfigProvider = async () =>
   withAuthSchemaEnv(async () => getAuthConfigProvider());