fix: object URL leak, CDP before goto, limit raw secrets in extract

- AuthCaptureDialog: revokeObjectURL on each frame to prevent memory leak
- CDP Network capture starts before initial page.goto, not after
- /extract defaults to candidates-only; pass ?include_raw=true for full data

backend/app/routers/auth_capture.py

@@ -89,12 +89,13 @@ async def create_capture_session(
 @router.get("/sessions/{session_id}/extract", response_model=CaptureExtractResponse)
 async def extract_credentials(
     session_id: str,
+    include_raw: bool = Query(default=False, description="Include full cookies/storage/headers in response"),
     _=Depends(get_current_user),
 ):
-    """Extract all auth credentials from the browser session.
+    """Extract auth credentials from the browser session.
 
-    Returns cookies, localStorage, sessionStorage, and curated candidates.
-    Candidate values are masked in logs.
+    By default only returns curated candidates (typed, scored, with masked preview).
+    Pass include_raw=true to also get full cookies, localStorage, and headers.
     """
     try:
         session = browser_sessions.get_session(session_id)
@@ -106,6 +107,9 @@ async def extract_credentials(
     except Exception as exc:
         raise _browser_error(exc)
 
+    if not include_raw:
+        # Strip raw data — only keep curated candidates
+        return CaptureExtractResponse(candidates=result.get("candidates", []))
     return CaptureExtractResponse(**result)