feat: auth capture — remote browser credential extraction

- BrowserSessionService: add create_ephemeral() for temp sessions
- New auth_capture_service.py: extract cookies, localStorage, sessionStorage from page
- New auth_capture router: POST /sessions, GET /sessions/{id}/extract, DELETE /sessions/{id}
- Frontend AuthCaptureDialog: URL input → browser view → extract → pick candidate
- Upstreams.vue: '提取' button next to Bearer Token field
- No sensitive values logged

backend/app/main.py

@@ -14,7 +14,7 @@ from app.models.admin_user import AdminUser
 from app.database import SessionLocal
 from app.utils.auth import hash_password, verify_password, validate_password_supported
 from app.services.scheduler import start_scheduler, stop_scheduler
-from app.routers import auth, upstreams, webhooks, logs, custom_pages, browser_sessions, websites
+from app.routers import auth, upstreams, webhooks, logs, custom_pages, browser_sessions, websites, auth_capture
 from app.services.browser_session_service import browser_sessions as browser_session_service
 
 logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(name)s %(message)s")
@@ -97,6 +97,7 @@ app.include_router(logs.router)
 app.include_router(custom_pages.router)
 app.include_router(browser_sessions.router)
 app.include_router(websites.router)
+app.include_router(auth_capture.router)
 
 
 @app.get("/healthz")