fix: correct Experience API endpoints for TOTP and backup codes

- TOTP secret: /verification/totp/secret (not /verification/totp)
- Backup codes: generate via /verification/backup-code/generate first,
  then bind with the returned verificationId. Cannot bind BackupCode
  without generating codes first.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ui/sign-in/src/SignInPage.tsx

@@ -9,7 +9,7 @@ import {
   verifyTotp, verifyBackupCode, submitMfa,
   startWebAuthnAuth, verifyWebAuthnAuth,
   startWebAuthnRegistration, verifyWebAuthnRegistration, bindMfaProfile,
-  createTotpSecret, verifyTotpSetup,
+  generateBackupCodes, createTotpSecret, verifyTotpSetup,
   skipMfaEnrollment, submitInteraction,
   MfaRequiredError, MfaEnrollmentError,
 } from './experience-api';
@@ -318,7 +318,8 @@ export function SignInPage() {
       const credential = await startWebAuthnReg({ optionsJSON: registrationOptions as any });
       const verifiedId = await verifyWebAuthnRegistration(verificationId, credential as unknown as Record<string, unknown>);
       await bindMfaProfile('WebAuthn', verifiedId);
-      await bindMfaProfile('BackupCode');
+      const bc = await generateBackupCodes();
+      await bindMfaProfile('BackupCode', bc.verificationId);
       const result = await submitInteraction();
       window.location.replace(result);
     } catch (err) {
@@ -353,7 +354,8 @@ export function SignInPage() {
     try {
       const verifiedId = await verifyTotpSetup(totpCode);
       await bindMfaProfile('Totp', verifiedId);
-      await bindMfaProfile('BackupCode');
+      const bc = await generateBackupCodes();
+      await bindMfaProfile('BackupCode', bc.verificationId);
       const result = await submitInteraction();
       window.location.replace(result);
     } catch (err) {