user-system/docs/evidence/ops/2026-03-26/e2e/ACCOUNT_BINDING_CLOSURE_20260326-224700.md


# ACCOUNT_BINDING_CLOSURE_20260326-224700
## Scope
- PRD `1.5 User Information Management -> Account Binding and Unbinding`
- email bind / replace / unbind
- phone bind / replace / unbind
- self-service security page closure
## Implemented Closure
- Backend:
  - added protected self-service endpoints:
    - `POST /api/v1/users/me/bind-email/code`
    - `POST /api/v1/users/me/bind-email`
    - `DELETE /api/v1/users/me/bind-email`
    - `POST /api/v1/users/me/bind-phone/code`
    - `POST /api/v1/users/me/bind-phone`
    - `DELETE /api/v1/users/me/bind-phone`
  - bind now requires both target-channel verification code and current-account sensitive verification when password or TOTP is configured.
  - unbind now requires current-account sensitive verification when password or TOTP is configured, and blocks removal if no login method would remain.
  - direct self-update of `email` / `phone` through `PUT /api/v1/users/:id` is now blocked for non-admin self-service usage.
- Frontend:
  - `/profile/security` now contains a real email/phone binding management section.
  - `/profile` no longer exposes direct editable email/phone fields; users are redirected to security settings for verified binding flows.
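
The bind and unbind rules listed under Backend, written out as an added Go sketch; this is not the project's own code. The `Account` fields, the error names, and the set of things counted as a login method (password, email, phone, linked third-party account) are assumptions, since this document does not list them.

```go
package main

import (
	"errors"
	"fmt"
)

// Account is a hypothetical model; field names are assumptions, not the project's schema.
type Account struct {
	Email, Phone         string
	HasPassword, HasTOTP bool
	OAuthLinks           int // assumed: number of linked third-party logins
}

var (
	ErrCodeRequired      = errors.New("target-channel code not verified")
	ErrSensitiveRequired = errors.New("sensitive verification required")
	ErrLastLoginMethod   = errors.New("would remove the last login method")
)

// AuthorizeBind: code always required; sensitive re-verification only if password or TOTP is set.
func AuthorizeBind(a Account, codeVerified, sensitiveVerified bool) error {
	if !codeVerified {
		return ErrCodeRequired
	}
	if (a.HasPassword || a.HasTOTP) && !sensitiveVerified {
		return ErrSensitiveRequired
	}
	return nil
}

// AuthorizeUnbind: same re-verification rule, then refuse if no assumed login method remains.
func AuthorizeUnbind(a Account, channel string, sensitiveVerified bool) error {
	target := map[string]*string{"email": &a.Email, "phone": &a.Phone}[channel]
	if target == nil {
		return fmt.Errorf("unknown channel %q", channel)
	}
	if (a.HasPassword || a.HasTOTP) && !sensitiveVerified {
		return ErrSensitiveRequired
	}
	*target = "" // simulate the removal on the local copy of a
	if a.Email == "" && a.Phone == "" && !a.HasPassword && a.OAuthLinks == 0 {
		return ErrLastLoginMethod
	}
	return nil
}

func main() {
	fmt.Println(AuthorizeUnbind(Account{Email: "user@example.test"}, "email", false)) // constructed sample
}
```

The case worth a regression test is the account with neither password nor TOTP: no sensitive verification is demanded of it, so the last-login-method check is the only thing standing between a session holder and an account nobody can log in to.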
## Validation
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
## Boundary
- Email bind/replace is only available when SMTP-backed email code capability is enabled.
- Phone bind/replace is only available when Aliyun or Tencent SMS capability is enabled.
- This closure is product-complete and regression-verified, but it does not change the previously stated boundary that live third-party OAuth provider proof and external production delivery evidence remain separate gaps.