create-z3 0.0.55 → 0.0.57

package/dist/index.js

@@ -1817,6 +1817,75 @@ async function replacePlaceholder(filePath, placeholder, content, options) {
   }
   await fs3.writeFile(filePath, updatedLines.join("\n"), "utf-8");
 }
+function generateOrganizationsPlugin() {
+  return `organization({
+    roles: {
+      admin: {
+        permissions: ["organization:read", "organization:write", "member:write"]
+      },
+      member: {
+        permissions: ["organization:read"]
+      }
+    },
+    adminRole: "admin"
+  }),`;
+}
+function generateOrganizationsSchema() {
+  return `// Organization tables
+  [TABLE_SLUG_ORGANIZATIONS]: defineTable({
+    name: v.string(),
+    slug: v.string(),
+    metadata: v.optional(v.any()),
+    logo: v.optional(v.string()),
+    createdAt: v.number(),
+    updatedAt: v.number(),
+  })
+    .index("by_slug", ["slug"]),
+
+  [TABLE_SLUG_ORGANIZATION_MEMBERS]: defineTable({
+    userId: v.id(TABLE_SLUG_USERS),
+    organizationId: v.id(TABLE_SLUG_ORGANIZATIONS),
+    role: v.string(),
+    createdAt: v.number(),
+    updatedAt: v.number(),
+  })
+    .index("by_user", ["userId"])
+    .index("by_organization", ["organizationId"])
+    .index("by_user_organization", ["userId", "organizationId"]),`;
+}
+function generateUserOrganizationFields() {
+  return `activeOrganizationId: v.optional(v.id(TABLE_SLUG_ORGANIZATIONS)),`;
+}
+function generateOrganizationRoles() {
+  return `
+export const ORGANIZATION_ROLES = {
+  admin: "admin",
+  member: "member",
+} as const;
+export type OrganizationRole = (typeof ORGANIZATION_ROLES)[keyof typeof ORGANIZATION_ROLES];`;
+}
+function generateOrganizationTableConstants() {
+  return `export const TABLE_SLUG_ORGANIZATIONS = "organization" as const;
+export const TABLE_SLUG_ORGANIZATION_MEMBERS = "organization_member" as const;`;
+}
+function generateOrganizationTableImports() {
+  return `,
+  TABLE_SLUG_ORGANIZATIONS,
+  TABLE_SLUG_ORGANIZATION_MEMBERS`;
+}
+function generateUserWithOrganizationType() {
+  return `import { OrganizationRole } from './constants/auth';
+
+export type UserWithOrganization = User & {
+  organization?: {
+    id: string;
+    name: string;
+    slug: string;
+    role: OrganizationRole;
+    metadata?: any;
+  } | null;
+};`;
+}
 function generateCredentialsValue(enabled) {
   return `credentials={${enabled}}`;
 }
@@ -2196,6 +2265,18 @@ Make sure you are authenticated with GitHub CLI (run "gh auth login")`
       oauthUISpinner.fail("Failed to configure OAuth UI");
       throw error;
     }
+    const multitenancySpinner = ora("Configuring multitenancy...").start();
+    try {
+      await this.updateMultitenancyConfig(options.multitenancy);
+      if (options.multitenancy) {
+        multitenancySpinner.succeed("Multitenancy configuration updated");
+      } else {
+        multitenancySpinner.succeed("Multitenancy placeholders cleaned up");
+      }
+    } catch (error) {
+      multitenancySpinner.fail("Failed to configure multitenancy");
+      throw error;
+    }
     const envSpinner = ora("Updating .env.example...").start();
     try {
       await this.updateEnvExample(options.oauthProviders);
@@ -2389,6 +2470,59 @@ var TanStackInstaller = class extends FrameworkInstaller {
       runtimeMapping
     );
   }
+  /**
+   * Configure multitenancy with organizations
+   * Updates auth plugins, schema, and user types for organization support
+   * Target files:
+   * - convex/auth/plugins/index.ts - Add organization plugin
+   * - convex/schema.ts - Add organization and membership tables
+   * - src/db/constants/auth.ts - Add organization roles
+   * - src/db/types.ts - Update user type with organization
+   *
+   * @param enabled - Whether multitenancy is enabled
+   */
+  async updateMultitenancyConfig(enabled) {
+    const pluginsFilePath = join2(this.targetPath, "convex/auth/plugins/index.ts");
+    await replacePlaceholder(
+      pluginsFilePath,
+      "// {{ORGANIZATIONS_PLUGIN}}",
+      enabled ? generateOrganizationsPlugin() : ""
+    );
+    const schemaFilePath = join2(this.targetPath, "convex/schema.ts");
+    await replacePlaceholder(
+      schemaFilePath,
+      "// {{ORGANIZATION_TABLE_IMPORTS}}",
+      enabled ? generateOrganizationTableImports() : ""
+    );
+    await replacePlaceholder(
+      schemaFilePath,
+      "// {{ORGANIZATIONS_SCHEMA}}",
+      enabled ? generateOrganizationsSchema() : ""
+    );
+    await replacePlaceholder(
+      schemaFilePath,
+      "// {{USER_ORGANIZATION_FIELDS}}",
+      enabled ? generateUserOrganizationFields() : ""
+    );
+    const constantsFilePath = join2(this.targetPath, "src/db/constants/auth.ts");
+    await replacePlaceholder(
+      constantsFilePath,
+      "// {{ORGANIZATION_ROLES}}",
+      enabled ? generateOrganizationRoles() : ""
+    );
+    const constantsIndexFilePath = join2(this.targetPath, "src/db/constants/index.ts");
+    await replacePlaceholder(
+      constantsIndexFilePath,
+      "// {{ORGANIZATION_TABLES}}",
+      enabled ? generateOrganizationTableConstants() : ""
+    );
+    const typesFilePath = join2(this.targetPath, "src/db/types.ts");
+    await replacePlaceholder(
+      typesFilePath,
+      "// {{USER_WITH_ORGANIZATION_TYPE}}",
+      enabled ? generateUserWithOrganizationType() : ""
+    );
+  }
 };
 
 // src/installers/nextjs.ts
@@ -2522,6 +2656,59 @@ var NextJSInstaller = class extends FrameworkInstaller {
       runtimeMapping
     );
   }
+  /**
+   * Configure multitenancy with organizations
+   * Updates auth plugins, schema, and user types for organization support
+   * Target files:
+   * - convex/auth/plugins/index.ts - Add organization plugin
+   * - convex/schema.ts - Add organization and membership tables
+   * - src/db/constants/auth.ts - Add organization roles
+   * - src/db/types.ts - Update user type with organization
+   *
+   * @param enabled - Whether multitenancy is enabled
+   */
+  async updateMultitenancyConfig(enabled) {
+    const pluginsFilePath = join3(this.targetPath, "convex/auth/plugins/index.ts");
+    await replacePlaceholder(
+      pluginsFilePath,
+      "// {{ORGANIZATIONS_PLUGIN}}",
+      enabled ? generateOrganizationsPlugin() : ""
+    );
+    const schemaFilePath = join3(this.targetPath, "convex/schema.ts");
+    await replacePlaceholder(
+      schemaFilePath,
+      "// {{ORGANIZATION_TABLE_IMPORTS}}",
+      enabled ? generateOrganizationTableImports() : ""
+    );
+    await replacePlaceholder(
+      schemaFilePath,
+      "// {{ORGANIZATIONS_SCHEMA}}",
+      enabled ? generateOrganizationsSchema() : ""
+    );
+    await replacePlaceholder(
+      schemaFilePath,
+      "// {{USER_ORGANIZATION_FIELDS}}",
+      enabled ? generateUserOrganizationFields() : ""
+    );
+    const constantsFilePath = join3(this.targetPath, "src/db/constants/auth.ts");
+    await replacePlaceholder(
+      constantsFilePath,
+      "// {{ORGANIZATION_ROLES}}",
+      enabled ? generateOrganizationRoles() : ""
+    );
+    const constantsIndexFilePath = join3(this.targetPath, "src/db/constants/index.ts");
+    await replacePlaceholder(
+      constantsIndexFilePath,
+      "// {{ORGANIZATION_TABLES}}",
+      enabled ? generateOrganizationTableConstants() : ""
+    );
+    const typesFilePath = join3(this.targetPath, "src/db/types.ts");
+    await replacePlaceholder(
+      typesFilePath,
+      "// {{USER_WITH_ORGANIZATION_TYPE}}",
+      enabled ? generateUserWithOrganizationType() : ""
+    );
+  }
 };
 
 // src/index.ts
@@ -2645,6 +2832,21 @@ program.name("create-z3").version(packageJson.version).description("CLI for scaf
       console.log(chalk2.yellow("   Your app will have no user authentication."));
       console.log();
     }
+    let multitenancy = false;
+    if (emailPassword || oauthProviders.length > 0) {
+      multitenancy = await confirm({
+        message: "Enable multitenancy with organizations?",
+        default: false
+      });
+      if (multitenancy) {
+        console.log();
+        console.log(chalk2.cyan("\u{1F3E2} Organizations enabled:"));
+        console.log(chalk2.dim("   \u2022 Users can belong to multiple organizations"));
+        console.log(chalk2.dim("   \u2022 Role-based permissions per organization"));
+        console.log(chalk2.dim("   \u2022 Admin users can manage organization members"));
+        console.log();
+      }
+    }
     console.log();
     console.log(chalk2.dim("\u{1F4A1} TweakCN themes: Visit https://tweakcn.com/themes/[theme-id]"));
     console.log(chalk2.dim('   Click "Code" button and copy the CSS.'));
@@ -2688,6 +2890,7 @@ program.name("create-z3").version(packageJson.version).description("CLI for scaf
       framework,
       emailPasswordAuth: emailPassword,
       oauthProviders,
+      multitenancy,
       tweakcnTheme,
       initGit,
       installDependencies
@@ -2733,6 +2936,11 @@ program.name("create-z3").version(packageJson.version).description("CLI for scaf
     } else {
       console.log(chalk2.dim("Authentication: None selected"));
     }
+    if (multitenancy) {
+      console.log("Organizations: Enabled");
+    } else {
+      console.log("Organizations: Disabled");
+    }
     if (tweakcnTheme) {
       console.log("Theme: Custom TweakCN theme");
     } else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-z3",
-  "version": "0.0.55",
+  "version": "0.0.57",
   "type": "module",
   "description": "CLI for scaffolding Z3 Stack applications (TanStack/Next.js + Convex + Better Auth)",
   "bin": {

package/templates/nextjs/convex/auth/index.ts

@@ -14,7 +14,7 @@ import type { DataModel } from "../_generated/dataModel"
 
 import schema from "../schema"
 import { convexAdapter } from "./adapter"
-import betterAuthPlugins from "./plugins"
+import { createPlugins } from "./plugins"
 
 export const createAuth = (
   ctx: GenericActionCtx<DataModel>,
@@ -31,7 +31,7 @@ export const createAuth = (
     logger: {
       disabled: optionsOnly
     },
-    plugins: betterAuthPlugins,
+    plugins: createPlugins(),
     secret: process.env.BETTER_AUTH_SECRET,
     session: {
       modelName: TABLE_SLUG_SESSIONS

package/templates/nextjs/convex/auth/plugins/index.ts

@@ -1,18 +1,21 @@
 import { nextCookies } from "better-auth/next-js"
-import { admin } from "better-auth/plugins"
+import { admin, organization } from "better-auth/plugins"
 import { apiKey } from "@better-auth/api-key"
 import { convex } from "@convex-dev/better-auth/plugins"
 import { USER_ROLES } from "~/db/constants"
 import authConfig from "@convex/auth.config"
 
-const plugins = [
+// Return a new array each call so plugin initialization (including the convex()
+// factory which internally calls the deprecated oidc-provider plugin) runs inside
+// createAuth() rather than at module-eval time. This lets the console.warn filter
+// in http.ts suppress the deprecation noise before it fires.
+export const createPlugins = () => [
   admin({
     adminRoles: [USER_ROLES.admin],
     defaultRole: USER_ROLES.user,
   }),
+  // {{ORGANIZATIONS_PLUGIN}}
   apiKey(),
   nextCookies(),
   convex({ authConfig }),
 ]
-
-export default plugins

package/templates/nextjs/convex/http.ts

@@ -7,9 +7,22 @@ const http = httpRouter();
 
 // Auth request handler - basePath hardcoded to /api/auth for now
 const authRequestHandler = httpAction(async (ctx, request) => {
-	// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-	const auth = createAuth(ctx);
-	return await auth.handler(request);
+	// Suppress the oidc-provider deprecation warning spammed by @convex-dev/better-auth
+	// on every request. Convex wraps console.warn per-invocation, so this must run
+	// inside the handler (not at module level) to intercept after Convex's wrapper is set.
+	// Remove once @convex-dev/better-auth migrates to @better-auth/oauth-provider.
+	const _warn = console.warn;
+	console.warn = (...args: unknown[]) => {
+		if (typeof args[0] === "string" && args[0].includes("oidc-provider")) return;
+		_warn(...args);
+	};
+	try {
+		// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+		const auth = createAuth(ctx);
+		return await auth.handler(request);
+	} finally {
+		console.warn = _warn;
+	}
 });
 
 // Register auth routes for GET and POST

package/templates/nextjs/convex/schema.ts

@@ -1,7 +1,15 @@
 import { defineSchema, defineTable } from "convex/server";
 import { v } from "convex/values"
 
-import { TABLE_SLUG_ACCOUNTS, TABLE_SLUG_API_KEYS, TABLE_SLUG_JWKS, TABLE_SLUG_SESSIONS, TABLE_SLUG_USERS, TABLE_SLUG_VERIFICATIONS } from "~/db/constants";
+import { 
+  TABLE_SLUG_ACCOUNTS, 
+  TABLE_SLUG_API_KEYS, 
+  TABLE_SLUG_JWKS, 
+  TABLE_SLUG_SESSIONS, 
+  TABLE_SLUG_USERS, 
+  TABLE_SLUG_VERIFICATIONS
+  // {{ORGANIZATION_TABLE_IMPORTS}}
+} from "~/db/constants";
 
 export default defineSchema({
   // Better Auth component tables (type definitions only - actual tables are in component)
@@ -23,7 +31,8 @@ export default defineSchema({
     roles: v.array(v.string()), // our multi-role field via additionalFields
     twoFactorEnabled: v.optional(v.union(v.null(), v.boolean())),
     updatedAt: v.number(),
-    userId: v.optional(v.union(v.null(), v.string()))
+    userId: v.optional(v.union(v.null(), v.string())),
+    // {{USER_ORGANIZATION_FIELDS}}
   })
     .index("by_email", ["email"]),
 
@@ -98,4 +107,6 @@ export default defineSchema({
   })
     .index("by_referenceId", ["referenceId"])
     .index("by_key", ["key"]),
+
+  // {{ORGANIZATIONS_SCHEMA}}
 })

package/templates/nextjs/src/db/constants/auth.ts

@@ -4,3 +4,5 @@ export const USER_ROLES = {
 } as const;
 export type UserRole = (typeof USER_ROLES)[keyof typeof USER_ROLES];
 
+// {{ORGANIZATION_ROLES}}
+

package/templates/nextjs/src/db/constants/index.ts

@@ -8,6 +8,8 @@ export const TABLE_SLUG_VERIFICATIONS = "verification" as const;
 export const TABLE_SLUG_JWKS = "jwks" as const;
 export const TABLE_SLUG_API_KEYS = "apikey" as const;
 
+// {{ORGANIZATION_TABLES}}
+
 export const COLLECTION_SLUG_MEDIA = "media" as const;
 
 export const AUTH_PROVIDERS = {

package/templates/nextjs/src/db/types.ts

@@ -3,3 +3,5 @@ import { TABLE_SLUG_USERS } from "./constants";
 
 export type User = Doc<typeof TABLE_SLUG_USERS>
 export type UserID = Id<typeof TABLE_SLUG_USERS>
+
+// {{USER_WITH_ORGANIZATION_TYPE}}

package/templates/tanstack-start/convex/auth/index.ts

@@ -14,7 +14,7 @@ import type { DataModel } from "../_generated/dataModel"
 
 import schema from "../schema"
 import { convexAdapter } from "./adapter"
-import betterAuthPlugins from "./plugins"
+import { createPlugins } from "./plugins"
 
 export const createAuth = (
   ctx: GenericActionCtx<DataModel>,
@@ -31,7 +31,7 @@ export const createAuth = (
     logger: {
       disabled: optionsOnly
     },
-    plugins: betterAuthPlugins,
+    plugins: createPlugins(),
     secret: process.env.BETTER_AUTH_SECRET,
     session: {
       modelName: TABLE_SLUG_SESSIONS

package/templates/tanstack-start/convex/auth/plugins/index.ts

@@ -1,16 +1,19 @@
-import { admin } from "better-auth/plugins"
+import { admin, organization } from "better-auth/plugins"
 import { apiKey } from "@better-auth/api-key"
 import { convex } from "@convex-dev/better-auth/plugins"
 import authConfig from "@convex/auth.config"
 import { USER_ROLES } from "~/db/constants"
 
-const plugins = [
+// Return a new array each call so plugin initialization (including the convex()
+// factory which internally calls the deprecated oidc-provider plugin) runs inside
+// createAuth() rather than at module-eval time. This lets the console.warn filter
+// in http.ts suppress the deprecation noise before it fires.
+export const createPlugins = () => [
   admin({
     adminRoles: [USER_ROLES.admin],
     defaultRole: USER_ROLES.user
   }),
+  // {{ORGANIZATIONS_PLUGIN}}
   apiKey(),
   convex({ authConfig }),
 ]
-
-export default plugins

package/templates/tanstack-start/convex/http.ts

@@ -8,6 +8,15 @@ const http = httpRouter()
  * Auth handler - handles Better Auth requests with custom adapter
  */
 const authRequestHandler = httpAction(async (ctx, request) => {
+  // Suppress the oidc-provider deprecation warning spammed by @convex-dev/better-auth
+  // on every request. Convex wraps console.warn per-invocation, so this must run
+  // inside the handler (not at module level) to intercept after Convex's wrapper is set.
+  // Remove once @convex-dev/better-auth migrates to @better-auth/oauth-provider.
+  const _warn = console.warn
+  console.warn = (...args: unknown[]) => {
+    if (typeof args[0] === "string" && args[0].includes("oidc-provider")) return
+    _warn(...args)
+  }
   try {
     const auth = createAuth(ctx)
     const response = await auth.handler(request)
@@ -15,6 +24,8 @@ const authRequestHandler = httpAction(async (ctx, request) => {
   } catch (error) {
     console.error("❌ Auth error:", error)
     return new Response("Auth error", { status: 500 })
+  } finally {
+    console.warn = _warn
   }
 })
 

package/templates/tanstack-start/convex/schema.ts

@@ -7,7 +7,8 @@ import {
   TABLE_SLUG_JWKS,
   TABLE_SLUG_SESSIONS,
   TABLE_SLUG_USERS,
-  TABLE_SLUG_VERIFICATIONS,
+  TABLE_SLUG_VERIFICATIONS
+  // {{ORGANIZATION_TABLE_IMPORTS}}
 } from "~/db/constants";
 
 export default defineSchema({
@@ -31,6 +32,7 @@ export default defineSchema({
     banReason: v.optional(v.string()), // admin plugin
     role: v.optional(v.string()), // admin plugin — single string in BA 1.5
     roles: v.array(v.string()), // our multi-role field via additionalFields
+    // {{USER_ORGANIZATION_FIELDS}}
   })
     .index("by_email", ["email"]),
 
@@ -105,4 +107,6 @@ export default defineSchema({
   })
     .index("by_referenceId", ["referenceId"])
     .index("by_key", ["key"]),
+
+  // {{ORGANIZATIONS_SCHEMA}}
 })

package/templates/tanstack-start/src/db/constants/auth.ts

@@ -38,4 +38,6 @@ export const AUTH_PROVIDERS = {
 } as const;
 export type AuthProvider = (typeof AUTH_PROVIDERS)[keyof typeof AUTH_PROVIDERS];
 
+// {{ORGANIZATION_ROLES}}
+
 

package/templates/tanstack-start/src/db/constants/index.ts

@@ -7,3 +7,5 @@ export const TABLE_SLUG_SESSIONS = "session" as const;
 export const TABLE_SLUG_VERIFICATIONS = "verification" as const;
 export const TABLE_SLUG_JWKS = "jwks" as const;
 export const TABLE_SLUG_API_KEYS = "apikey" as const;
+
+// {{ORGANIZATION_TABLES}}

package/templates/tanstack-start/src/db/types.ts

@@ -3,3 +3,5 @@ import { TABLE_SLUG_USERS } from "./constants";
 
 export type User = Doc<typeof TABLE_SLUG_USERS>
 export type UserID = Id<typeof TABLE_SLUG_USERS>
+
+// {{USER_WITH_ORGANIZATION_TYPE}}