feat(web/core): 비밀번호 변경 화면, 어드민 PIN 인증 분리, Marketplace 진입점 추가

- ChangePasswordView: 임시 비번 첫 로그인 시 강제 변경 화면 구현 (정책 체크리스트 포함)
- AdminView: isAdmin/isPinVerified 분리 — 역할 보유와 PIN 인증을 독립 상태로 관리
- AppShell: Admin 버튼 비관리자 숨김, Member → User 표기 변경, Marketplace 메뉴 추가
- MarketplaceView: Phase 3 플레이스홀더 진입점 추가
- @fieldstack/core: ESM 빌드로 전환 (module: ESNext), web 패키지 의존성 추가
- vite.config.ts 추가

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: SOIV

apps/web/package.json

@@ -18,6 +18,7 @@
     "vitest": "^2.1.9"
   },
   "dependencies": {
+    "@fieldstack/core": "workspace:^",
     "react": "^19.2.4",
     "react-dom": "^19.2.4"
   }

apps/web/src/components/AppShell.tsx

@@ -1,7 +1,7 @@
 import type { ReactNode } from "react";
 import "../styles/shell.css";
 
-export type RouteKey = "login" | "home" | "admin";
+export type RouteKey = "login" | "home" | "marketplace" | "admin" | "change-password";
 
 interface AppShellProps {
   installMode: "normal" | "bypass";
@@ -10,7 +10,6 @@ interface AppShellProps {
   currentUser: { email: string } | null;
   notice: string;
   onNavigate: (route: RouteKey) => void;
-  onAdminAccess: () => void;
   onLogout: () => void;
   onOpenSettings: () => void;
   children: ReactNode;
@@ -26,7 +25,6 @@ export function AppShell({
   currentUser,
   notice,
   onNavigate,
-  onAdminAccess,
   onLogout,
   onOpenSettings,
   children,
@@ -56,6 +54,17 @@ export function AppShell({
                 Home
               </button>
             </li>
+            <li>
+              <button
+                type="button"
+                className="shell-nav-item"
+                aria-current={route === "marketplace" ? "page" : undefined}
+                onClick={() => onNavigate("marketplace")}
+              >
+                <span className="shell-nav-icon" aria-hidden="true">⬡</span>
+                Marketplace
+              </button>
+            </li>
           </ul>
 
           {/* Modules */}
@@ -87,7 +96,7 @@ export function AppShell({
               <div className="shell-user-avatar" aria-hidden="true">{userInitial}</div>
               <div className="shell-user-info">
                 <p className="shell-user-email">{currentUser.email}</p>
-                <p className="shell-user-role">{isAdmin ? "Administrator" : "Member"}</p>
+                <p className="shell-user-role">{isAdmin ? "Administrator" : "User"}</p>
               </div>
             </div>
           )}
@@ -100,18 +109,17 @@ export function AppShell({
             <span className="shell-nav-icon" aria-hidden="true">⚙</span>
             Settings
           </button>
-          <button
-            type="button"
-            className="shell-nav-item"
-            aria-current={route === "admin" ? "page" : undefined}
-            onClick={onAdminAccess}
-          >
-            <span className="shell-nav-icon" aria-hidden="true">⚡</span>
-            Admin
-            {!isAdmin && (
-              <span className="shell-nav-lock" aria-label="인증 필요" aria-hidden="true">🔒</span>
-            )}
-          </button>
+          {isAdmin && (
+            <button
+              type="button"
+              className="shell-nav-item"
+              aria-current={route === "admin" ? "page" : undefined}
+              onClick={() => onNavigate("admin")}
+            >
+              <span className="shell-nav-icon" aria-hidden="true">⚡</span>
+              Admin
+            </button>
+          )}
           <button
             type="button"
             className="shell-nav-item shell-nav-item-danger"

apps/web/src/main.tsx

@@ -10,6 +10,8 @@ import { HomeView } from "./views/HomeView";
 import { LoginView } from "./views/LoginView";
 import { SettingsView } from "./views/SettingsView";
 import { AdminView } from "./views/AdminView";
+import { MarketplaceView } from "./views/MarketplaceView";
+import { ChangePasswordView } from "./views/ChangePasswordView";
 
 // ─── Types ────────────────────────────────────────────────────
 type InstallMode = "normal" | "bypass";
@@ -37,10 +39,8 @@ function resolveInstallMode(runtimeEnv: WebRuntimeEnv): InstallMode {
 
 function getRouteFromHash(rawHash: string): RouteKey {
   const hash = rawHash.replace("#", "");
-  if (hash === "settings") {
-    return "home";
-  }
-  if (hash === "home" || hash === "admin" || hash === "login") {
+  if (hash === "settings") return "home";
+  if (hash === "home" || hash === "marketplace" || hash === "admin" || hash === "login" || hash === "change-password") {
     return hash;
   }
   return "login";
@@ -55,9 +55,11 @@ function canAccessRoute(route: RouteKey, isAuthenticated: boolean): boolean {
 
 // ─── Session Storage Keys ─────────────────────────────────────
 const SS = {
-  auth:  "fs_auth",
-  admin: "fs_admin",
-  email: "fs_email",
+  auth:            "fs_auth",
+  admin:           "fs_admin",
+  pinVerified:     "fs_pin_verified",
+  email:           "fs_email",
+  mustChangePw:    "fs_must_change_pw",
 } as const;
 
 // ─── App Root ─────────────────────────────────────────────────
@@ -68,12 +70,18 @@ function App({ installMode }: { installMode: InstallMode }) {
   const [isAdmin, setIsAdmin] = useState(
     () => sessionStorage.getItem(SS.admin) === "true",
   );
+  const [isPinVerified, setIsPinVerified] = useState(
+    () => sessionStorage.getItem(SS.pinVerified) === "true",
+  );
   const [currentUser, setCurrentUser] = useState<{ email: string } | null>(
     () => {
       const email = sessionStorage.getItem(SS.email);
       return email ? { email } : null;
     },
   );
+  const [mustChangePassword, setMustChangePassword] = useState(
+    () => sessionStorage.getItem(SS.mustChangePw) === "true",
+  );
   const [isSettingsOpen, setIsSettingsOpen] = useState(false);
   const [isPinModalOpen, setIsPinModalOpen] = useState(false);
   const [notice, setNotice] = useState(
@@ -90,9 +98,11 @@ function App({ installMode }: { installMode: InstallMode }) {
   }, []);
 
   const effectiveRoute = useMemo<RouteKey>(() => {
-    if (canAccessRoute(route, isAuthenticated)) return route;
-    return "login";
-  }, [isAuthenticated, route]);
+    if (!canAccessRoute(route, isAuthenticated)) return "login";
+    // 비밀번호 변경 강제: change-password 이외의 모든 경로 차단
+    if (mustChangePassword && route !== "change-password") return "change-password";
+    return route;
+  }, [isAuthenticated, mustChangePassword, route]);
 
   useEffect(() => {
     if (window.location.hash !== `#${effectiveRoute}`) {
@@ -108,14 +118,25 @@ function App({ installMode }: { installMode: InstallMode }) {
   // Auth handlers
   const onLogin = (event: FormEvent<HTMLFormElement>) => {
     event.preventDefault();
-    const email = (new FormData(event.currentTarget).get("email") as string | null)
-      ?? "user@fieldstack.dev";
+    const formData = new FormData(event.currentTarget);
+    const email = (formData.get("email") as string | null) ?? "user@fieldstack.dev";
+    // mock: 비밀번호가 "temp1234"이면 임시 비번 첫 로그인으로 처리
+    const password = formData.get("password") as string | null;
+    const isTempLogin = password === "temp1234";
+
     setIsAuthenticated(true);
     setCurrentUser({ email });
     sessionStorage.setItem(SS.auth, "true");
     sessionStorage.setItem(SS.email, email);
-    setNotice("Login successful (mock).");
-    navigate("home");
+
+    if (isTempLogin) {
+      setMustChangePassword(true);
+      sessionStorage.setItem(SS.mustChangePw, "true");
+      navigate("change-password");
+    } else {
+      setNotice("Login successful (mock).");
+      navigate("home");
+    }
   };
 
   const onQuickLogin = () => {
@@ -128,28 +149,31 @@ function App({ installMode }: { installMode: InstallMode }) {
     navigate("home");
   };
 
-  const onAdminAccess = () => {
-    if (isAdmin) {
-      navigate("admin");
-    } else {
-      setIsPinModalOpen(true);
-    }
+  const onPasswordChanged = () => {
+    setMustChangePassword(false);
+    sessionStorage.removeItem(SS.mustChangePw);
+    setNotice("비밀번호가 변경되었습니다.");
+    navigate("home");
   };
 
   const onPinVerified = () => {
     setIsAdmin(true);
+    setIsPinVerified(true);
     setIsPinModalOpen(false);
     sessionStorage.setItem(SS.admin, "true");
+    sessionStorage.setItem(SS.pinVerified, "true");
     setNotice("관리자 인증 완료 (mock). 30분간 유효합니다.");
     navigate("admin");
   };
 
   const onLogout = () => {
     setIsAuthenticated(false);
     setIsAdmin(false);
+    setIsPinVerified(false);
     setCurrentUser(null);
     sessionStorage.removeItem(SS.auth);
     sessionStorage.removeItem(SS.admin);
+    sessionStorage.removeItem(SS.pinVerified);
     sessionStorage.removeItem(SS.email);
     setNotice("Logged out.");
     navigate("login");
@@ -170,6 +194,16 @@ function App({ installMode }: { installMode: InstallMode }) {
     );
   }
 
+  // 비밀번호 강제 변경 (shell 없이 전체 화면)
+  if (effectiveRoute === "change-password") {
+    return (
+      <ChangePasswordView
+        isFirstLogin={mustChangePassword}
+        onChanged={onPasswordChanged}
+      />
+    );
+  }
+
   return (
     <>
       {isPinModalOpen && (
@@ -185,13 +219,13 @@ function App({ installMode }: { installMode: InstallMode }) {
         currentUser={currentUser}
         notice={notice}
         onNavigate={navigate}
-        onAdminAccess={onAdminAccess}
         onLogout={onLogout}
         onOpenSettings={() => setIsSettingsOpen(true)}
       >
         {effectiveRoute === "home" && <HomeView onOpenSettings={() => setIsSettingsOpen(true)} />}
+        {effectiveRoute === "marketplace" && <MarketplaceView />}
         {effectiveRoute === "admin" && (
-          <AdminView isAdmin={isAdmin} onRequestPin={() => setIsPinModalOpen(true)} />
+          <AdminView isPinVerified={isPinVerified} onRequestPin={() => setIsPinModalOpen(true)} />
         )}
         {isSettingsOpen && (
           <SettingsView
@@ -200,6 +234,11 @@ function App({ installMode }: { installMode: InstallMode }) {
             onToggleAdmin={() => {
               setIsAdmin((prev) => {
                 const next = !prev;
+                if (!next) {
+                  // 관리자 역할 해제 시 PIN 인증도 초기화
+                  setIsPinVerified(false);
+                  sessionStorage.removeItem(SS.pinVerified);
+                }
                 setNotice(next ? "Admin authority enabled (mock)." : "Admin authority disabled.");
                 return next;
               });

apps/web/src/styles/change-password.css

@@ -0,0 +1,104 @@
+.cpw-shell {
+  min-height: 100vh;
+  display: grid;
+  place-items: center;
+  padding: 24px 16px;
+  background: var(--bg);
+}
+
+.cpw-panel {
+  width: 100%;
+  max-width: 420px;
+}
+
+.cpw-header {
+  text-align: center;
+  display: grid;
+  gap: 6px;
+  margin-bottom: 20px;
+}
+
+.cpw-icon {
+  font-size: 32px;
+  line-height: 1;
+}
+
+.cpw-title {
+  margin: 0;
+  font-size: 20px;
+  font-weight: 800;
+  color: var(--text);
+}
+
+.cpw-desc {
+  margin: 0;
+  font-size: 13px;
+  color: var(--text-muted);
+  line-height: 1.6;
+}
+
+.cpw-form {
+  gap: 14px;
+}
+
+.cpw-input-error {
+  border-color: var(--err);
+  box-shadow: 0 0 0 3px rgba(248, 113, 113, 0.2);
+}
+
+.cpw-input-error:focus {
+  border-color: var(--err);
+  box-shadow: 0 0 0 3px rgba(248, 113, 113, 0.2);
+}
+
+.cpw-field-error {
+  margin: 2px 0 0;
+  font-size: 12px;
+  color: var(--err);
+}
+
+/* ── Policy Checklist ─────────────────────────────────────── */
+.cpw-policy {
+  list-style: none;
+  margin: -6px 0 0;
+  padding: 10px 12px;
+  border: 1px solid var(--border-subtle);
+  border-radius: 9px;
+  background: var(--bg-surface);
+  display: grid;
+  gap: 6px;
+}
+
+.cpw-policy-item {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  font-size: 12px;
+  color: var(--text-faint);
+  transition: color 150ms ease;
+}
+
+.cpw-policy-dot {
+  width: 6px;
+  height: 6px;
+  border-radius: 999px;
+  flex-shrink: 0;
+  background: var(--text-faint);
+  transition: background 150ms ease;
+}
+
+/* 조건 통과 */
+.cpw-policy-ok {
+  color: var(--ok);
+}
+.cpw-policy-ok .cpw-policy-dot {
+  background: var(--ok);
+}
+
+/* 조건 미통과 (입력 시작 후) */
+.cpw-policy-fail {
+  color: var(--err);
+}
+.cpw-policy-fail .cpw-policy-dot {
+  background: var(--err);
+}

apps/web/src/views/AdminView.tsx

@@ -1,7 +1,7 @@
 import "../styles/admin.css";
 
 interface AdminViewProps {
-  isAdmin: boolean;
+  isPinVerified: boolean;
   onRequestPin: () => void;
 }
 
@@ -25,8 +25,8 @@ const MOCK_AUDIT_LOG = [
   { id: 3, text: "설정 저장 이벤트", time: "12분 전", dot: "info" as const },
 ];
 
-export function AdminView({ isAdmin, onRequestPin }: AdminViewProps) {
-  if (!isAdmin) {
+export function AdminView({ isPinVerified, onRequestPin }: AdminViewProps) {
+  if (!isPinVerified) {
     return (
       <section className="panel admin-root" aria-labelledby="admin-gate-title">
         <div className="admin-lock-wrap">