feat: 添加密码管理功能，包括 API、数据库支持和前端界面

openspec/changes/archive/2026-01-23-add-password-manager/specs/api/spec.md

@@ -0,0 +1,41 @@
+## ADDED Requirements
+
+### Requirement: Credential storage API
+The system SHALL provide authenticated CRUD APIs for credentials scoped to the current user.
+
+#### Scenario: Create credential
+- **WHEN** an authenticated user calls `POST /credentials` with `siteOrigin`, `username`, and `password`
+- **THEN** the server stores the credential and returns the created record
+
+#### Scenario: List credentials
+- **WHEN** an authenticated user calls `GET /credentials?siteOrigin=...`
+- **THEN** the server returns the matching credentials for that user
+
+#### Scenario: Update credential
+- **WHEN** an authenticated user calls `PATCH /credentials/{id}`
+- **THEN** the server updates the credential and returns the updated record
+
+#### Scenario: Delete credential
+- **WHEN** an authenticated user calls `DELETE /credentials/{id}`
+- **THEN** the server deletes the credential
+
+### Requirement: Credential plaintext reveal
+The system SHALL allow authenticated users to request plaintext passwords for their own credentials.
+
+#### Scenario: User requests plaintext
+- **GIVEN** an authenticated user
+- **WHEN** the user requests plaintext credential data
+- **THEN** the server returns plaintext passwords for that user
+
+#### Scenario: Admin requests plaintext
+- **GIVEN** an authenticated admin user
+- **WHEN** the admin requests plaintext credential data
+- **THEN** the server returns plaintext passwords for the target user
+
+### Requirement: Admin credential access
+The system SHALL allow an admin to list and manage any user’s credentials.
+
+#### Scenario: Admin lists user credentials
+- **GIVEN** an authenticated admin user
+- **WHEN** the admin calls `GET /admin/users/{id}/credentials`
+- **THEN** the server returns that user’s credentials

openspec/changes/archive/2026-01-23-add-password-manager/specs/password-manager/spec.md

@@ -0,0 +1,44 @@
+## ADDED Requirements
+
+### Requirement: Extension save prompt
+The extension SHALL prompt the user to save credentials when a login form is detected and filled.
+
+#### Scenario: Save confirmed
+- **WHEN** the user confirms “保存/记住密码” in the prompt
+- **THEN** the extension sends the credential to the server for storage
+
+#### Scenario: Save canceled
+- **WHEN** the user cancels or dismisses the prompt
+- **THEN** the extension MUST NOT store the credential
+
+### Requirement: Extension autofill selector
+The extension SHALL show a credential selector near login fields for sites with saved accounts.
+
+#### Scenario: Select credential
+- **GIVEN** a site with multiple saved credentials
+- **WHEN** the user opens the selector and chooses one
+- **THEN** the username and password fields are filled with that credential
+
+### Requirement: Web password manager (desktop only)
+The web app SHALL provide a desktop-only password manager view.
+
+#### Scenario: Desktop view
+- **WHEN** the user visits the password manager page on desktop
+- **THEN** the page is visible and provides list/edit/delete
+
+#### Scenario: Mobile view hidden
+- **WHEN** the user visits the password manager page on mobile
+- **THEN** the page is hidden or redirects to a notice page
+
+### Requirement: Plaintext visibility control
+The system SHALL allow a user to reveal plaintext passwords for their own credentials during the current browser session.
+
+#### Scenario: User reveals plaintext
+- **GIVEN** a non-admin user
+- **WHEN** the user chooses to reveal plaintext
+- **THEN** the UI shows plaintext passwords during the current browser session
+
+#### Scenario: Admin view
+- **GIVEN** an admin user
+- **WHEN** the admin views credentials
+- **THEN** plaintext is visible