Xu_BrowserBookmark/openspec/changes/archive/2026-01-23-add-password-manager/proposal.md

Change: Add password manager (Web + Extension)

Why

Provide built-in credential saving and autofill for users, with centralized management and admin oversight.

What Changes

• Add credential save + autofill flows in the extension (explicit user confirmation required).
• Add a Web password management page (desktop only) with view/edit/delete.
• Add APIs for credential CRUD and admin access; plaintext view available during the current browser session.
• Add database schema for credential storage (per-user, per-site, multiple accounts).
• Add tests for API and DB flows.

Impact

• Affected specs: api, password-manager
• Affected code: apps/server, apps/web, apps/extension, migrations, spec/openapi.yaml

Assumptions (confirm)

• “同一网站” is defined as the URL origin (scheme + host + port).
• The extension prompts on form submit after username + password are provided.
• Credentials are stored encrypted at rest and decrypted server-side for plaintext display.