## Context
We need a password manager across extension and web, with admin visibility and per-user isolation. Non-admin users must re-verify their login password to view plaintext.

## Goals / Non-Goals
- Goals:
  - Save credentials with explicit confirmation.
  - Autofill selector for saved accounts per site.
  - Admin can view all users’ credentials.
  - Non-admin must re-verify password before plaintext reveal.
  - Encrypt credentials at rest.
- Non-Goals:
  - Browser-level credential integration outside the extension.
  - Password sharing between users.

## Decisions
- Site key = URL origin (scheme + host + port).
- Storage model: one row per (user_id, site_origin, username), allowing multiple accounts per site.
- Encrypt password using AES-256-GCM with server-side master key (env), store iv + tag + ciphertext.
- Use a session-only toggle to reveal plaintext in the web UI (sessionStorage; reset on browser close).
- Extension content script detects login forms; popup asks to save; only on confirm does it call API.

## Risks / Trade-offs
- Storing decryptable passwords increases risk. Mitigation: encryption at rest, strict auth, session-only plaintext reveal, audit logging (future).

## Migration Plan
- Add DB migration for credential tables and indexes.
- Add API endpoints and update OpenAPI.
- Implement extension flows and web UI.
- Add tests for CRUD, reauth, admin access.

## Open Questions
- Confirm site matching scope (origin vs eTLD+1).
- Save prompt triggers on form submit (username + password present).