Merge pull request #452 from TencentCloudBase/feature/skill-boundary-review

docs(skills): ✂️ tighten skill routing boundaries

Author: binggg

config/source/skills/auth-nodejs/SKILL.md

@@ -1,9 +1,39 @@
 ---
 name: auth-nodejs-cloudbase
-description: Complete guide for CloudBase Auth using the CloudBase Node SDK – caller identity, user lookup, custom login tickets, and server-side best practices.
+description: CloudBase Node SDK auth guide for server-side identity, user lookup, and custom login tickets. This skill should be used when Node.js code must read caller identity, inspect end users, or bridge an existing user system into CloudBase; not when configuring providers or building client login UI.
 alwaysApply: false
 ---
 
+## Activation Contract
+
+### Use this first when
+
+- Node.js code in cloud functions or backend services must read caller identity, look up users, or issue custom login tickets.
+- The backend responsibility is auth / identity, not provider setup or frontend login UI.
+
+### Read before writing code if
+
+- The task mentions `@cloudbase/node-sdk`, server-side auth, custom login tickets, or "who is calling".
+- The request mixes frontend login with backend identity logic; split the flow and route client-side work elsewhere.
+
+### Then also read
+
+- Provider setup / publishable key -> `../auth-tool/SKILL.md`
+- Web login UI that consumes custom tickets -> `../auth-web/SKILL.md`
+- Raw HTTP auth client -> `../http-api/SKILL.md`
+
+### Do NOT use for
+
+- Provider enable/disable or login console configuration.
+- Frontend login / sign-up UI.
+- Mini program native auth.
+
+### Common mistakes / gotchas
+
+- Using this skill as the entry point for every auth request.
+- Mixing provider-management work with Node-side identity code.
+- Reaching for raw HTTP examples when Node SDK already covers the job.
+
 ## When to use this skill
 
 Use this skill whenever the task involves **server-side authentication or identity** in a CloudBase project, and the code is running in **Node.js**, for example:

config/source/skills/auth-tool/SKILL.md

@@ -1,35 +1,40 @@
 ---
 name: auth-tool-cloudbase
-description: First-step CloudBase auth provider setup skill for login and registration flows. Use it before auth-web to configure and manage authentication providers for web applications - enable/disable login methods (SMS, Email, WeChat Open Platform, Google, Anonymous, Username/password, OAuth, SAML, CAS, Dingding, etc.) and configure provider settings via MCP tools `callCloudApi`.
+description: CloudBase auth provider configuration and login-readiness guide. This skill should be used when users need to inspect, enable, disable, or configure auth providers, publishable-key prerequisites, login methods, SMS/email sender setup, or other provider-side readiness before implementing a client or backend auth flow.
 alwaysApply: false
 ---
 
 ## Activation Contract
 
 ### Use this first when
 
-- The user mentions login, registration, authentication, provider setup, SMS, email, anonymous login, or third-party login.
-- A Web, native App, or backend flow needs CloudBase auth configuration before implementation.
-- For any CloudBase Web auth flow, activate this skill before `auth-web`.
+- The task is to inspect, enable, disable, or configure CloudBase auth providers, login methods, publishable key prerequisites, SMS/email delivery, or third-party login readiness.
+- An auth implementation cannot proceed until provider status and login configuration are confirmed.
+- A CloudBase Web auth flow needs provider verification before `auth-web`.
 
 ### Read before writing code if
 
-- The request includes any auth UI or auth API work. Provider status must be checked first.
-- When the task is a Web auth flow, read `auth-web` after this skill and before writing frontend code.
+- The request mentions provider setup, auth console configuration, publishable key retrieval, login method availability, SMS/email sender setup, or third-party provider credentials.
+- The task mixes provider configuration with Web, mini program, Node, or raw HTTP auth implementation.
 
 ### Then also read
 
 - Web auth UI -> `../auth-web/SKILL.md`
-- Mini program auth -> `../auth-wechat/SKILL.md`
-- Native App / raw HTTP -> `../http-api/SKILL.md`
+- Mini program native auth -> `../auth-wechat/SKILL.md`
+- Node server-side identity / custom ticket -> `../auth-nodejs/SKILL.md`
+- Native App / raw HTTP auth client -> `../http-api/SKILL.md`
 
 ### Do NOT use this as
 
-- A replacement for platform implementation rules. This skill configures providers; it does not define the full frontend or client integration path.
+- The default implementation guide for every login or registration request.
+- A replacement for mini program native auth behavior when no provider change is involved.
+- A replacement for Node-side caller identity, user lookup, or custom login ticket flows.
+- A replacement for frontend integration, session handling, or client UX implementation.
 
 ### Common mistakes / gotchas
 
 - Writing login UI before enabling the required provider.
+- Treating any mention of "auth" as a provider-management task.
 - Implementing Web login in cloud functions.
 - Routing native App auth to Web SDK flows.
 

config/source/skills/auth-wechat/SKILL.md

@@ -1,16 +1,45 @@
 ---
 name: auth-wechat-miniprogram
-description: Complete guide for WeChat Mini Program authentication with CloudBase - native login, user identity, and cloud function integration.
+description: CloudBase WeChat Mini Program native authentication guide. This skill should be used when users need mini program identity handling, OPENID/UNIONID access, or `wx.cloud` auth behavior in projects where login is native and automatic.
 alwaysApply: false
 ---
 
+## Activation Contract
+
+### Use this first when
+
+- The task is about WeChat Mini Program auth behavior, `wx.cloud` identity, `OPENID` / `UNIONID`, or how a mini program caller is identified in CloudBase.
+- The project is a CloudBase mini program and the auth question is about native mini program identity rather than provider configuration.
+
+### Read before writing code if
+
+- The request mentions mini program login, user identity in cloud functions, or `wx.cloud` auth assumptions.
+- The user expects a Web-style login page or explicit token exchange in a mini program; route them back to native mini program auth behavior.
+
+### Then also read
+
+- Mini program project implementation -> `../miniprogram-development/SKILL.md`
+- Cloud function implementation -> `../cloud-functions/SKILL.md`
+
+### Do NOT use for
+
+- Web-based WeChat login or Web auth UI.
+- Provider enable/disable or auth console setup.
+- Generic Node-side auth flows outside mini program identity handling.
+
+### Common mistakes / gotchas
+
+- Generating a Web-style login page for a `wx.cloud` mini program.
+- Treating mini program auth as a provider-configuration problem.
+- Forgetting that caller identity is injected in cloud functions automatically.
+
 ## When to use this skill
 
 Use this skill for **WeChat Mini Program (小程序) authentication** in a CloudBase project.
 
 Use it when you need to:
 
-- Implement WeChat Mini Program login with CloudBase
+- Implement identity-aware WeChat Mini Program flows with CloudBase
 - Access user identity (openid, unionid) in cloud functions
 - Understand how WeChat authentication integrates with CloudBase
 - Build Mini Program features that require user identification

config/source/skills/cloud-functions/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: cloud-functions
-description: Complete guide for CloudBase cloud functions development - supports both Event Functions (Node.js) and HTTP Functions (multi-language Web services). Covers runtime selection, deployment, logging, invocation, scf_bootstrap, SSE, WebSocket, and HTTP access configuration.
+description: CloudBase function runtime guide for building, deploying, and debugging your own Event Functions or HTTP Functions. This skill should be used when users need application runtime code on CloudBase, not when they are merely calling CloudBase official platform APIs.
 alwaysApply: false
 ---
 
@@ -10,24 +10,27 @@ alwaysApply: false
 
 ### Use this first when
 
-- The task is to create, update, deploy, inspect, or debug a CloudBase Event Function or HTTP Function.
+- The task is to create, update, deploy, inspect, or debug a CloudBase Event Function or HTTP Function that serves application runtime logic.
 
 ### Read before writing code if
 
-- The request mentions runtime, HTTP function, `scf_bootstrap`, function logs, or function deployment.
+- The request mentions runtime, HTTP function, `scf_bootstrap`, function logs, or function deployment for an application service you are building.
 
 ### Then also read
 
 - Auth setup or provider-related backend work -> `../auth-tool/SKILL.md`
 - AI in functions -> `../ai-model-nodejs/SKILL.md`
+- Calling CloudBase official platform APIs from a client or script -> `../http-api/SKILL.md`
 
 ### Do NOT use for
 
 - CloudRun container services or Web authentication UI implementation.
+- CloudBase official platform API clients or raw HTTP integrations that only consume platform endpoints.
 
 ### Common mistakes / gotchas
 
 - Picking the wrong function type and trying to compensate later.
+- Confusing official CloudBase API client work with building your own HTTP function.
 - Mixing Event Function code shape (`exports.main(event, context)`) with HTTP Function code shape (`req` / `res` on port 9000).
 - Treating HTTP Access as the implementation model for HTTP Functions. HTTP Access is a gateway configuration for Event Functions, not the HTTP Function runtime model.
 - Forgetting that runtime cannot be changed after creation.
@@ -461,7 +464,7 @@ wss.on('connection', (ws) => {
 
 **Primary Method:** Use `queryFunctions(action="listFunctionLogs")` and `queryFunctions(action="getFunctionLogDetail")` (see MCP tool documentation).
 
-**Alternative Method (Plan B):** If tools unavailable, use `callCloudApi`:
+**Alternative Method (Plan B):** If tools unavailable, use `callCloudApi` only after you first read the matching official CloudBase / Tencent Cloud documentation or knowledge base entry for the target action. Confirm action name, parameter contract, time range rules, and response structure before calling it. If the call fails, go back to the docs instead of trial-and-error parameter guessing.
 
 1. **Get Log List** - Use `GetFunctionLogs` action:
 ```
@@ -572,7 +575,7 @@ Use CloudBase HTTP API to invoke event functions:
 
 **Primary Method:** Use `manageGateway(action="createAccess")` (see MCP tool documentation).
 
-**Alternative Method (Plan B):** If tool unavailable, use `callCloudApi` with `CreateCloudBaseGWAPI`:
+**Alternative Method (Plan B):** If tool unavailable, use `callCloudApi` with `CreateCloudBaseGWAPI` only after you first read the matching official documentation or knowledge base entry and confirm the gateway contract. Do not guess fields such as auth mode, path transmission, or domain routing from memory; if the request fails, return to the docs and re-check the contract.
 
 ```
 callCloudApi({
@@ -693,13 +696,13 @@ For accessing VPC resources:
 **Logging:**
 - `queryFunctions(action="listFunctionLogs")` - Get function log list (basic info)
 - `queryFunctions(action="getFunctionLogDetail")` - Get detailed log content by RequestId
-- `callCloudApi` (Plan B) - Use `GetFunctionLogs` and `GetFunctionLogDetail` actions if direct tools unavailable
+- `callCloudApi` (Plan B) - Use `GetFunctionLogs` and `GetFunctionLogDetail` actions only after reading the matching official docs / knowledge base and confirming the contract; do not guess params from memory
 - Legacy aliases still seen in historical prompts: `getFunctionLogs`, `getFunctionLogDetail`
 
 **HTTP Access:**
 - `queryGateway(action="getAccess")` - Query current function gateway exposure
 - `manageGateway(action="createAccess")` - Create HTTP access for function
-- `callCloudApi` (Plan B) - Use `CreateCloudBaseGWAPI` action if direct tool unavailable
+- `callCloudApi` (Plan B) - Use `CreateCloudBaseGWAPI` only after reading the matching official docs / knowledge base and confirming auth, path, and domain parameters
 - Legacy alias still seen in historical prompts: `createFunctionHTTPAccess`
 
 **Triggers:**

config/source/skills/cloudbase-platform/SKILL.md

@@ -1,18 +1,51 @@
 ---
 name: cloudbase-platform
-description: CloudBase platform knowledge and best practices. Use this skill for general CloudBase platform understanding, including storage, hosting, authentication, cloud functions, database permissions, and data models.
+description: CloudBase platform overview and routing guide. This skill should be used when users need high-level capability selection, platform concepts, console navigation, or cross-platform best practices before choosing a more specific implementation skill.
 alwaysApply: false
 ---
 
+## Activation Contract
+
+### Use this first when
+
+- The user asks which CloudBase capability, service, or tool to use, or needs a high-level understanding of hosting, storage, authentication, cloud functions, or database options.
+- The task is about console navigation, cross-platform differences, permission models, or platform-level best practices before implementation.
+
+### Read before writing code if
+
+- It is still unclear whether the task belongs to Web, mini program, cloud functions, storage, MySQL / NoSQL, or auth.
+- The response needs platform selection, conceptual explanation, or control-plane navigation more than direct implementation steps.
+
+### Then also read
+
+- Web app implementation -> `../web-development/SKILL.md`
+- Web auth and provider setup -> `../auth-tool/SKILL.md`, `../auth-web/SKILL.md`
+- Mini program development -> `../miniprogram-development/SKILL.md`
+- Cloud functions -> `../cloud-functions/SKILL.md`
+- Official HTTP API clients -> `../http-api/SKILL.md`
+- Document database -> `../no-sql-web-sdk/SKILL.md` or `../no-sql-wx-mp-sdk/SKILL.md`
+- Relational database / data modeling -> `../relational-database-tool/SKILL.md` or `../data-model-creation/SKILL.md`
+- Cloud storage -> `../cloud-storage-web/SKILL.md`
+
+### Do NOT use for
+
+- Direct implementation of web pages, auth flows, functions, or database operations when a more specific skill already fits.
+- Low-level API parameter references or SDK recipes that belong in specialized skills.
+
+### Common mistakes / gotchas
+
+- Treating this general skill as the default entry point for all CloudBase development.
+- Staying here after the correct implementation skill is already clear.
+- Mixing platform overview with platform-specific API shapes or SDK details.
+
 ## When to use this skill
 
 Use this skill for **CloudBase platform knowledge** when you need to:
 
 - Understand CloudBase storage and hosting concepts
-- Configure authentication for different platforms (Web vs Mini Program)
-- Deploy and manage cloud functions
+- Compare platform capabilities before implementation
+- Understand cross-platform auth differences (Web vs Mini Program)
 - Understand database permissions and access control
-- Work with data models (MySQL and NoSQL)
 - Access CloudBase console management pages
 
 **This skill provides foundational knowledge** that applies to all CloudBase projects, regardless of whether they are Web, Mini Program, or backend services.

config/source/skills/http-api/SKILL.md

@@ -1,32 +1,37 @@
 ---
 name: http-api-cloudbase
-description: Use CloudBase HTTP API to access CloudBase platform features (database, authentication, cloud functions, cloud hosting, cloud storage, AI) via HTTP protocol from backends or scripts that are not using SDKs.
+description: CloudBase official HTTP API client guide. This skill should be used when backends, scripts, or non-SDK clients must call CloudBase platform APIs over raw HTTP instead of using a platform SDK or MCP management tool.
 alwaysApply: false
 ---
 
 ## Activation Contract
 
 ### Use this first when
 
-- The request comes from Android, iOS, Flutter, React Native, non-Node backends, or admin scripts that must call CloudBase via raw HTTP.
+- The request comes from Android, iOS, Flutter, React Native, non-Node backends, or admin scripts that must call official CloudBase APIs via raw HTTP.
+- The task is to consume CloudBase platform endpoints, not to build a new HTTP service on CloudBase.
 
 ### Read before writing code if
 
 - The platform does not support a CloudBase SDK, or the user explicitly asks for HTTP API integration.
+- The user says "HTTP API" but it is unclear whether they mean official CloudBase endpoints or their own business API.
 
 ### Then also read
 
 - Auth configuration -> `../auth-tool/SKILL.md`
 - MySQL MCP management -> `../relational-database-tool/SKILL.md`
+- Your own HTTP service on CloudBase -> `../cloud-functions/SKILL.md` or `../cloudrun-development/SKILL.md`
 
 ### Do NOT use for
 
 - CloudBase Web SDK flows, mini program SDK flows, or MCP-driven management tasks.
+- Building your own HTTP service or REST API on CloudBase.
 
 ### Common mistakes / gotchas
 
 - Treating Web SDK examples as valid for native Apps.
 - Guessing endpoints without reading OpenAPI definitions.
+- Confusing official CloudBase HTTP APIs with your own function or CloudRun endpoint.
 - Mixing raw HTTP API integration with MCP management logic.
 
 ### Minimal checklist

config/source/skills/ui-design/SKILL.md

@@ -1,18 +1,20 @@
 ---
 name: ui-design
-description: Professional UI design and frontend interface guidelines. Use this skill when creating web pages, mini-program interfaces, prototypes, or any frontend UI components that require distinctive, production-grade design with exceptional aesthetic quality.
+description: UI design specification and visual direction guide. This skill should be used when users need aesthetic direction, layout decisions, prototypes, or interface design specs before implementation across web or mini program surfaces.
 alwaysApply: false
 ---
 
 ## Activation Contract
 
 ### Use this first when
 
-- The request involves any page, component, screen, visual prototype, or frontend styling work.
+- The request is to decide visual direction, produce a design specification, create a prototype, or make layout, typography, color, and visual hierarchy choices for an interface.
+- The implementation should follow a deliberate aesthetic rather than directly coding an already-approved design.
 
 ### Read before writing code if
 
-- The response will include UI code, layout structure, typography, color decisions, or visual behavior.
+- The response must choose typography, color, spacing, layout strategy, or other visual rules before code exists.
+- The user asks for "design", "prototype", "look and feel", or "style" rather than straight implementation.
 
 ### Then also read
 
@@ -22,11 +24,13 @@ alwaysApply: false
 ### Do NOT use for
 
 - Backend-only tasks, database design, or pure API work without interface output.
+- Straight implementation of an already-approved UI without new design decisions.
 
 ### Common mistakes / gotchas
 
 - Writing JSX, WXML, or CSS before outputting the design specification.
 - Falling back to generic AI layouts instead of an explicit aesthetic direction.
+- Jumping into implementation when the design intent is still unclear.
 - Ignoring platform constraints after the visual concept is defined.
 
 ### Minimal checklist