feat: 添加密码管理功能，包括 API、数据库支持和前端界面

openspec/changes/archive/2026-01-23-add-password-manager/specs/api/spec.md

@@ -0,0 +1,41 @@
+## ADDED Requirements
+
+### Requirement: Credential storage API
+The system SHALL provide authenticated CRUD APIs for credentials scoped to the current user.
+
+#### Scenario: Create credential
+- **WHEN** an authenticated user calls `POST /credentials` with `siteOrigin`, `username`, and `password`
+- **THEN** the server stores the credential and returns the created record
+
+#### Scenario: List credentials
+- **WHEN** an authenticated user calls `GET /credentials?siteOrigin=...`
+- **THEN** the server returns the matching credentials for that user
+
+#### Scenario: Update credential
+- **WHEN** an authenticated user calls `PATCH /credentials/{id}`
+- **THEN** the server updates the credential and returns the updated record
+
+#### Scenario: Delete credential
+- **WHEN** an authenticated user calls `DELETE /credentials/{id}`
+- **THEN** the server deletes the credential
+
+### Requirement: Credential plaintext reveal
+The system SHALL allow authenticated users to request plaintext passwords for their own credentials.
+
+#### Scenario: User requests plaintext
+- **GIVEN** an authenticated user
+- **WHEN** the user requests plaintext credential data
+- **THEN** the server returns plaintext passwords for that user
+
+#### Scenario: Admin requests plaintext
+- **GIVEN** an authenticated admin user
+- **WHEN** the admin requests plaintext credential data
+- **THEN** the server returns plaintext passwords for the target user
+
+### Requirement: Admin credential access
+The system SHALL allow an admin to list and manage any user’s credentials.
+
+#### Scenario: Admin lists user credentials
+- **GIVEN** an authenticated admin user
+- **WHEN** the admin calls `GET /admin/users/{id}/credentials`
+- **THEN** the server returns that user’s credentials