fix(attribution): auth-web-cloudbase Skill 邮箱注册 API 流程说明不清晰 (issue_mnouau2z_bk9am7)

CodeBuddy Attribution Bot · CodeBuddy Attribution Bot · commit 39fb48103159 · 2026-04-17T13:38:14.000+08:00
diff --git a/config/source/skills/auth-tool/SKILL.md b/config/source/skills/auth-tool/SKILL.md
@@ -130,6 +130,7 @@ Parameter mapping for downstream Web auth code:
 - `queryAppAuth(action="getLoginConfig")` and `manageAppAuth(action="patchLoginStrategy")` return `sdkStyle: "supabase-like"` plus `sdkHints`; treat that as the preferred frontend-auth calling guide
 - `PhoneNumberLogin` controls phone OTP flows used by `auth-web` `auth.signInWithOtp({ phone })` and `auth.signUp({ phone })`
 - `EmailLogin` controls email OTP flows used by `auth-web` `auth.signInWithOtp({ email })` and `auth.signUp({ email })`
+- Email and phone signup complete through OTP verification. After `auth.signUp({ email|phone, ... })`, continue with the returned `verifyOtp({ token })`
 - `UserNameLogin` controls username/password Web auth flows used by `auth-web` `auth.signUp({ username, password })` and `auth.signInWithPassword({ username, password })`
 - If the account identifier is a plain username string, do not route it through email-only helpers such as `signInWithEmailAndPassword`
 - `UserNameLogin` also enables the broader password-login surface exposed by `auth.signInWithPassword({ username|email|phone, password })`
@@ -212,6 +213,7 @@ Email has two layers of configuration:
 - `ModifyLoginConfig.EmailLogin`: controls whether email/password login is enabled
 - `ModifyProvider(Id="email")`: controls the email sender channel and SMTP configuration
 - In Web auth code, this maps to `auth.signInWithOtp({ email })` and `auth.signUp({ email })`
+- `auth.signUp({ email })` is an email OTP registration step, not an `email + password` signup payload; finish the flow with `verifyOtp({ token })`
 
 Preferred MCP tool path:
 
diff --git a/config/source/skills/auth-web/SKILL.md b/config/source/skills/auth-web/SKILL.md
@@ -76,6 +76,8 @@ Use the same CDN address as `web-development`. Prefer npm installation in modern
 - `auth.signInWithOtp({ phone })` and `auth.signUp({ phone })` use the phone number in a `phone` field, not `phone_number`
 - `auth.signInWithOtp({ email })` and `auth.signUp({ email })` use `email`
 - `auth.signUp({ username, password })` and `auth.signInWithPassword({ username, password })` are the canonical username/password Web auth path
+- Email and phone registration are OTP flows: call `auth.signUp({ email|phone, ... })`, then complete the signup with the returned `data.verifyOtp({ token })`
+- Do not describe email registration as `auth.signUp({ email, password })`; for email-based password login, use `auth.signInWithPassword({ email, password })` after the account already exists
 - If the task gives accounts like `admin`, `editor`, or another plain string without `@`, treat it as a username-style identifier rather than an email address
 - `verifyOtp({ token })` expects the SMS or email code in `token`
 - `accessKey` is the publishable key from `queryAppAuth` / `manageAppAuth` via `auth-tool-cloudbase`, not a secret key
@@ -128,6 +130,8 @@ const phoneLogin = await auth.signInWithPassword({ phone: '13800138000', passwor
 - For username-style account systems, use username/password registration directly
 - Do not switch to email OTP or phone OTP unless the task explicitly says the account identifier is an email address or phone number
 - When the task uses plain usernames such as `admin`, `editor`, or `user01`, the canonical form code is `auth.signUp({ username, password })`
+- Email and phone signup are verification-code flows. Send the code with `auth.signUp(...)`, then call the returned `verifyOtp({ token })` to finish registration
+- Do not write email registration as `auth.signUp({ email, password })`; email/password is a sign-in flow, not the signup payload shown here
 ```js
 // Username + Password
 const usernameSignUp = await auth.signUp({
@@ -136,15 +140,13 @@ const usernameSignUp = await auth.signUp({
   nickname: 'User',
 })
 
-// Email Otp
+// Email OTP signup.
 // Use only when the task explicitly requires email addresses.
-// Email Otp
 const emailSignUp = await auth.signUp({ email: 'new@example.com', nickname: 'User' })
 const emailVerifyResult = await emailSignUp.data.verifyOtp({ token: '123456' })
 
-// Phone Otp
+// Phone OTP signup.
 // Use only when the task explicitly requires phone numbers.
-// Phone Otp
 const phoneSignUp = await auth.signUp({ phone: '13800138000', nickname: 'User' })
 const phoneVerifyResult = await phoneSignUp.data.verifyOtp({ token: '123456' })
 ```
diff --git a/mcp/src/tools/app-auth.test.ts b/mcp/src/tools/app-auth.test.ts
@@ -67,8 +67,8 @@ describe("app auth tools", () => {
     phoneOtp: "auth.signInWithOtp({ phone })",
     emailOtp: "auth.signInWithOtp({ email })",
     password: "auth.signInWithPassword({ username|email|phone, password })",
-    signup: "auth.signUp({ phone|email, ... })",
-    verifyOtp: "verifyOtp({ token })",
+    signup: "auth.signUp({ username, password }) or auth.signUp({ phone|email, ... })",
+    verifyOtp: "verifyOtp({ token }) for phone/email OTP signup or login",
     anonymous: "auth.signInAnonymously()",
   };
 
diff --git a/mcp/src/tools/app-auth.ts b/mcp/src/tools/app-auth.ts
@@ -36,8 +36,8 @@ const SUPABASE_LIKE_SDK_HINTS = {
   phoneOtp: "auth.signInWithOtp({ phone })",
   emailOtp: "auth.signInWithOtp({ email })",
   password: "auth.signInWithPassword({ username|email|phone, password })",
-  signup: "auth.signUp({ phone|email, ... })",
-  verifyOtp: "verifyOtp({ token })",
+  signup: "auth.signUp({ username, password }) or auth.signUp({ phone|email, ... })",
+  verifyOtp: "verifyOtp({ token }) for phone/email OTP signup or login",
   anonymous: "auth.signInAnonymously()",
 } as const;
 
