# Change: Add password manager (Web + Extension)

## Why
Provide built-in credential saving and autofill for users, with centralized management and admin oversight.

## What Changes
- Add credential save + autofill flows in the extension (explicit user confirmation required).
- Add a Web password management page (desktop only) with view/edit/delete.
- Add APIs for credential CRUD and admin access; plaintext view available during the current browser session.
- Add database schema for credential storage (per-user, per-site, multiple accounts).
- Add tests for API and DB flows.

## Impact
- Affected specs: api, password-manager
- Affected code: apps/server, apps/web, apps/extension, migrations, spec/openapi.yaml

## Assumptions (confirm)
- “同一网站” is defined as the URL origin (scheme + host + port).
- The extension prompts on form submit after username + password are provided.
- Credentials are stored encrypted at rest and decrypted server-side for plaintext display.