fix: object URL leak, CDP before goto, limit raw secrets in extract

- AuthCaptureDialog: revokeObjectURL on each frame to prevent memory leak
- CDP Network capture starts before initial page.goto, not after
- /extract defaults to candidates-only; pass ?include_raw=true for full data

frontend/src/components/AuthCaptureDialog.vue

@@ -180,6 +180,7 @@ const frameRef = ref<HTMLElement | null>(null)
 let ws: WebSocket | null = null
 let pointerDown = false
 let frameW = 1; let frameH = 1  // natural dimensions of the frame
+let prevFrameUrl = ''  // previous blob URL to revoke
 
 // ——— Launch ———
 
@@ -212,11 +213,11 @@ function connectWs() {
 
   ws.onmessage = (evt) => {
     if (evt.data instanceof ArrayBuffer) {
-      // Binary JPEG frame
+      // Binary JPEG frame — revoke previous to avoid memory leak
+      if (prevFrameUrl) URL.revokeObjectURL(prevFrameUrl)
       const blob = new Blob([evt.data], { type: 'image/jpeg' })
-      frameUrl.value = URL.createObjectURL(blob)
-      // Revoke previous URL after a tick to free memory
-      setTimeout(() => { /* old URL auto-revoked */ }, 100)
+      prevFrameUrl = URL.createObjectURL(blob)
+      frameUrl.value = prevFrameUrl
     } else {
       // JSON message (init, error, etc.)
       try {