## ADDED Requirements

### Requirement: Credential storage API
The system SHALL provide authenticated CRUD APIs for credentials scoped to the current user.

#### Scenario: Create credential
- **WHEN** an authenticated user calls `POST /credentials` with `siteOrigin`, `username`, and `password`
- **THEN** the server stores the credential and returns the created record

#### Scenario: List credentials
- **WHEN** an authenticated user calls `GET /credentials?siteOrigin=...`
- **THEN** the server returns the matching credentials for that user

#### Scenario: Update credential
- **WHEN** an authenticated user calls `PATCH /credentials/{id}`
- **THEN** the server updates the credential and returns the updated record

#### Scenario: Delete credential
- **WHEN** an authenticated user calls `DELETE /credentials/{id}`
- **THEN** the server deletes the credential

### Requirement: Credential plaintext reveal
The system SHALL allow authenticated users to request plaintext passwords for their own credentials.

#### Scenario: User requests plaintext
- **GIVEN** an authenticated user
- **WHEN** the user requests plaintext credential data
- **THEN** the server returns plaintext passwords for that user

#### Scenario: Admin requests plaintext
- **GIVEN** an authenticated admin user
- **WHEN** the admin requests plaintext credential data
- **THEN** the server returns plaintext passwords for the target user

### Requirement: Admin credential access
The system SHALL allow an admin to list and manage any user’s credentials.

#### Scenario: Admin lists user credentials
- **GIVEN** an authenticated admin user
- **WHEN** the admin calls `GET /admin/users/{id}/credentials`
- **THEN** the server returns that user’s credentials
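The scoping rules above, sketched as an in-memory authorization layer. This is an added example, not part of the original spec or the project's code: `Actor`, `Credential`, `CredentialStore`, `Forbidden` and all method names are hypothetical, and it assumes admin access goes only through the `/admin/...` route while `/credentials/{id}` is strictly owner-scoped.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Would map to an HTTP 403 (or 404, to avoid confirming that an id exists)."""

@dataclass(frozen=True)
class Actor:                      # the authenticated caller, built from the session
    user_id: str
    is_admin: bool = False

@dataclass
class Credential:
    id: str
    owner_id: str
    site_origin: str
    username: str
    password: str

class CredentialStore:
    def __init__(self):
        self._rows = {}

    def create(self, actor, cred_id, site_origin, username, password):
        # POST /credentials: owner comes from the session, never from the request body.
        cred = Credential(cred_id, actor.user_id, site_origin, username, password)
        self._rows[cred_id] = cred
        return cred

    def list_own(self, actor, site_origin):
        # GET /credentials?siteOrigin=...: filter by owner first, then by origin.
        return [c for c in self._rows.values()
                if c.owner_id == actor.user_id and c.site_origin == site_origin]

    def get_for_write(self, actor, cred_id):
        # PATCH/DELETE /credentials/{id}: knowing an id is not proof of ownership.
        cred = self._rows.get(cred_id)
        if cred is None or cred.owner_id != actor.user_id:
            raise Forbidden(cred_id)
        return cred

    def admin_list(self, actor, target_user_id):
        # GET /admin/users/{id}/credentials: role check before any lookup.
        if not actor.is_admin:
            raise Forbidden("admin role required")
        return [c for c in self._rows.values() if c.owner_id == target_user_id]
```

The same missing-or-foreign-id branch in `get_for_write` is what a scenario test for cross-user `PATCH` and `DELETE` should exercise.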