fix: use correct login endpoint up_login.dspy with password param

- Endpoint was /rbac/user/userpassword_login.dspy (401), changed to /rbac/user/up_login.dspy
- Form param was passwd (500 error), changed to password (matches login.ui form field name)

shared/src/commonMain/kotlin/com/bricks/mp/sage/SageClient.kt

@@ -17,7 +17,7 @@ import kotlinx.serialization.json.*
  * 
  * Sage 使用 Cookie Session 认证：
  * 1. GET 首页获取初始 session cookie
- * 2. POST /rbac/user/userpassword_login.dspy 登录
+ * 2. POST /rbac/user/up_login.dspy 登录
  * 3. 后续请求自动携带 cookie
  * 4. GET /xxx.ui 获取 JSON 格式的 UI 描述
  */
@@ -50,7 +50,7 @@ class SageClient {
 
     /**
      * 登录 Sage 服务器
-     * POST /rbac/user/userpassword_login.dspy
+     * POST /rbac/user/up_login.dspy
      */
     suspend fun login(username: String, password: String): Boolean = mutex.withLock {
         _loginError.value = null
@@ -61,10 +61,10 @@ class SageClient {
             println("[Sage] GET / status: ${indexResponse.status}")
 
             // Step 2: POST login
-            val url = "$baseUrl/rbac/user/userpassword_login.dspy"
+            val url = "$baseUrl/rbac/user/up_login.dspy"
             val encodedUser = java.net.URLEncoder.encode(username, "UTF-8")
             val encodedPass = java.net.URLEncoder.encode(password, "UTF-8")
-            val formBody = "username=$encodedUser&passwd=$encodedPass"
+            val formBody = "username=$encodedUser&password=$encodedPass"
 
             val response = client.post(url) {
                 header(HttpHeaders.UserAgent, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36")