feat: one-click upstream auth refresh from custom page viewer

- Add linked_upstream_id to CustomPage model with DB migration
- New POST /api/custom-pages/{pid}/refresh-auth endpoint extracts
  credentials from active remote browser and updates linked upstream
- PageViewer toolbar shows key icon button when page has linked upstream
- CustomPages form adds upstream dropdown for remote_browser pages
- Auth capture extracts New-Api-User from localStorage uid/user/self API
- Upstream client sends New-Api-User header in cookie auth mode
- Fix auth capture dialog: transparent background, field persistence,
  login URL defaults to base_url/login, focus on click for keyboard input
- Fix upstream test ASCII encoding with non-header characters validation

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/app/services/browser_session_service.py

@@ -129,7 +129,7 @@ class BrowserSessionService:
             elif event_type == "type":
                 text = str(payload.get("text", ""))
                 if text:
-                    await page.keyboard.type(text)
+                    await page.keyboard.insert_text(text)
             elif event_type == "key":
                 key = str(payload.get("key", ""))
                 if key:
@@ -325,6 +325,13 @@ class BrowserSessionService:
             raise KeyError("browser session not found")
         return session
 
+    def find_by_page_id(self, custom_page_id: int) -> BrowserSession:
+        """Find the active session for a custom page. Raises KeyError if none."""
+        for session in self._sessions.values():
+            if session.custom_page_id == custom_page_id and not session.page.is_closed():
+                return session
+        raise KeyError(f"no active browser session for page {custom_page_id}")
+
     _get = get_session  # alias for internal use
 
     def _ensure_open(self, session: BrowserSession) -> None: