# Draft: Convex Coolify Better Auth Debug

## Requirements (confirmed)

- research how this should work with Coolify, Convex, and Let's Encrypt
- explain whether current sign-up flow is correct
- determine likely causes of Convex errors like `No available server` and TLS failures
- account for local Next.js (`SITE_URL=http://localhost:3000`) talking to Convex hosted on Coolify/VPS

## Technical Decisions

- investigate repo auth flow before drawing conclusions
- compare repo implementation against authoritative Better Auth + Convex guidance
- include infrastructure-side TLS/proxy hypotheses, not just app-code explanations

## Research Findings

- local app calls `authClient.signUp.email(...)` from `src/app/sign-up/page.tsx`
- Next route proxies Better Auth via `src/app/api/auth/[...all]/route.ts`
- server-side Better Auth bridge is configured in `src/lib/auth-server.ts`
- authoritative Better Auth + Convex guidance confirms sign-up/sign-in must happen from the client; `authClient.signUp.email(...)` is the canonical flow
- auth requests go browser -> Next `/api/auth/...` -> server-side fetch to Convex site URL; TLS is evaluated on that server-to-server hop, not in the browser
- Better Auth with Convex writes to auth component tables like `user`, `account`, `session`, `verification`; custom app user syncing requires additional trigger-style logic
- Coolify/Traefik can present a self-signed fallback cert when ACME/Let's Encrypt or routing is wrong, even if the public browser path appears healthy
- `No available server` aligns more with Coolify/Traefik upstream health/routing issues than with incorrect Better Auth API usage
- user confirmed local `SITE_URL` is `http://localhost:3000` and Convex runs remotely on Coolify with distinct backend, dashboard, and backend-site hostnames
- user's Coolify env exposes `SERVICE_URL_BACKEND=https://convex-backend.mentat.ovh` and `SERVICE_URL_BACKEND_SITE=https://backend-site-olnjg91x5ervt6j6owwgnlha.mentat.ovh`; these hostnames must not be conflated with the dashboard URL

## Open Questions

- which exact host is currently configured in `NEXT_PUBLIC_CONVEX_SITE_URL`
- whether the Next runtime reaches a different internal/proxied hostname than the browser does
- whether Coolify proxy health/port/DNS/IPv6 configuration is intermittently breaking Convex upstream availability

## Scope Boundaries

- INCLUDE: repo auth flow, Better Auth/Convex expectations, Coolify/Let's Encrypt TLS behavior
- EXCLUDE: implementing fixes in source files during research
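
Added example (not part of the original notes or the repo), for the TLS and `No available server` items under Research Findings: a Node script that classifies what the Next server-side hop to the Convex site URL is presented with, separating a Traefik fallback certificate, a self-signed certificate, a hostname mismatch, and a proxy with no healthy upstream. The function names, the `PROBE_HOST` variable, the `example.test` hostnames and the sample observations are assumptions made for illustration; `TRAEFIK DEFAULT CERT` is the CN of Traefik's built-in default certificate.

```javascript
// Traefik's built-in fallback certificate uses this CN when no issued cert matches.
const TRAEFIK_DEFAULT_CN = "TRAEFIK DEFAULT CERT";

// True if a SAN entry (exact or single-label wildcard) covers the host.
function coversHost(altNames, host) {
  const parent = host.split(".").slice(1).join(".");
  return (altNames || []).some((n) => (n.startsWith("*.") ? n.slice(2) === parent : n === host));
}

// obs: { host, authorized, issuerCN, subjectCN, altNames, status?, body? }
// status/body are optional: fill them from the error the Next server logged.
function classifyHop(obs) {
  const findings = [];
  if (obs.subjectCN === TRAEFIK_DEFAULT_CN) {
    findings.push("fallback-cert"); // ACME issuance or the router's host rule failed
  } else if (!obs.authorized && obs.issuerCN === obs.subjectCN) {
    findings.push("self-signed");
  } else if (!coversHost(obs.altNames, obs.host)) {
    findings.push("hostname-mismatch"); // cert for another hostname was served
  }
  if (obs.status === 503 && /no available server/i.test(obs.body || "")) {
    findings.push("no-upstream"); // proxy answered, but has no healthy backend
  }
  return findings.length ? findings : ["ok"];
}

// Live probe (needs network). Verification is disabled on this one socket only
// so the presented certificate can be read; never do this in application fetches.
async function probeHost(host) {
  const tls = await import("node:tls");
  return new Promise((resolve, reject) => {
    const opts = { host, port: 443, servername: host, rejectUnauthorized: false };
    const sock = tls.connect(opts, () => {
      const c = sock.getPeerCertificate();
      const altNames = (c.subjectaltname || "").split(", ").map((n) => n.replace(/^DNS:/, ""));
      resolve({ host, authorized: sock.authorized, issuerCN: c.issuer?.CN, subjectCN: c.subject?.CN, altNames });
      sock.end();
    });
    sock.on("error", reject);
  });
}
const SITE = "backend-site.example.test"; // placeholder for the Convex site host
const SAMPLES = [ // constructed observations, not captured output
  { host: SITE, authorized: false, issuerCN: TRAEFIK_DEFAULT_CN, subjectCN: TRAEFIK_DEFAULT_CN, altNames: [], status: 503, body: "no available server" },
  { host: SITE, authorized: true, issuerCN: "Example CA", subjectCN: SITE, altNames: [SITE], status: 200, body: "" },
  { host: SITE, authorized: false, issuerCN: "Example CA", subjectCN: "dashboard.example.test", altNames: ["dashboard.example.test"] },
];
for (const s of SAMPLES) console.log(s.host, classifyHop(s));
if (process.env.PROBE_HOST) probeHost(process.env.PROBE_HOST).then((o) => console.log(classifyHop(o)), console.error);
```

To probe live, set `PROBE_HOST` to the hostname in `NEXT_PUBLIC_CONVEX_SITE_URL` and run the script on the machine that runs Next, since that is where the certificate is evaluated.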