feat: auth-capture — WS frame stream, drag events, continuous CDP, profile cleanup

- AuthCaptureDialog: real WebSocket for binary JPEG frame stream (no polling)
- Pointer drag: mousedown/mousemove/mouseup events for slider-captcha
- CDP capture starts at session creation, caches headers in session.captured_headers
- Ephemeral profile dir deleted on session close (shutil.rmtree)
- Candidate types unified: bearer_token / cookie / api_key / credential
- Frontend handleAuthCaptureSelect maps all 4 types to correct form fields

backend/app/services/auth_capture_service.py

@@ -59,51 +59,17 @@ async def extract_session_storage(page: Any) -> dict[str, str]:
         return {}
 
 
-async def extract_request_headers(page: Any) -> list[dict[str, str]]:
-    """Capture Authorization headers from network requests via CDP.
+async def extract_request_headers(session: Any) -> list[dict[str, str]]:
+    """Return Authorization / API-Key headers captured continuously by CDP.
 
-    Uses Chrome DevTools Protocol to subscribe to Network.requestWillBeSent
-    events and extract Authorization / X-API-Key headers from captured
-    requests.  Only catches requests made *after* CDP is enabled.
+    The CDP Network listener is started when the ephemeral session is created
+    (in BrowserSessionService.create_ephemeral), so headers from the login
+    flow are captured in real-time without needing a fresh CDP attach.
     """
-    captured: list[dict[str, str]] = []
-    cdp = None
-    try:
-        cdp = await page.context.new_cdp_session(page)
-        await cdp.send("Network.enable")
-
-        def on_request(params: dict) -> None:
-            headers = params.get("request", {}).get("headers", {})
-            auth = (headers.get("authorization") or headers.get("Authorization"))
-            api_key = (headers.get("x-api-key") or headers.get("X-API-Key"))
-            if auth:
-                captured.append({
-                    "type": "authorization",
-                    "value": auth,
-                    "url": params.get("request", {}).get("url", ""),
-                })
-                logger.debug("auth-capture CDP: captured Authorization header")
-            if api_key:
-                captured.append({
-                    "type": "api_key",
-                    "value": api_key,
-                    "url": params.get("request", {}).get("url", ""),
-                })
-                logger.debug("auth-capture CDP: captured X-API-Key header")
-
-        cdp.on("Network.requestWillBeSent", on_request)
-        # Give a moment for any in-flight requests to be captured
-        import asyncio
-        await asyncio.sleep(0.5)
-    except Exception as exc:
-        logger.debug("CDP network capture not available: %s", exc)
-    finally:
-        if cdp:
-            try:
-                await cdp.detach()
-            except Exception:
-                pass
-    return captured
+    if hasattr(session, "captured_headers") and session.captured_headers:
+        logger.debug("auth-capture: returning %d cached headers", len(session.captured_headers))
+        return list(session.captured_headers)
+    return []
 
 
 async def extract_all(session: Any) -> dict[str, Any]:
@@ -116,7 +82,7 @@ async def extract_all(session: Any) -> dict[str, Any]:
     cookies = await extract_cookies(session)
     local_storage = await extract_local_storage(page)
     session_storage = await extract_session_storage(page)
-    auth_headers = await extract_request_headers(page)
+    auth_headers = await extract_request_headers(session)
     candidates = _curate_candidates(cookies, local_storage, session_storage, auth_headers)
 
     return {
@@ -137,22 +103,21 @@ def _curate_candidates(
     """Scan extracted data for likely credentials with confidence scoring."""
     candidates: list[dict[str, Any]] = []
 
-    # 1. CDP-captured Authorization headers (highest confidence)
+    # 1. CDP-captured network headers (highest confidence)
     seen = set()
     for h in auth_headers:
         dedup_key = h["value"]
         if dedup_key in seen:
             continue
         seen.add(dedup_key)
+        htype = h.get("type", "authorization")
         preview = _preview(h["value"])
-        candidates.append({
-            "type": "bearer_token",
-            "source": f"network:{h['url'][:60]}",
-            "value": h["value"],
-            "preview": preview,
-            "label": f"Authorization — {h['url'][:40]}",
-            "confidence": 95,
-        })
+        if htype == "api_key":
+            _add(candidates, "api_key", f"network:{h['url'][:60]}", h["value"], preview,
+                 f"X-API-Key — {h['url'][:40]}", 95)
+        else:
+            _add(candidates, "bearer_token", f"network:{h['url'][:60]}", h["value"], preview,
+                 f"Authorization — {h['url'][:40]}", 95)
 
     # 2. localStorage/sessionStorage items
     for store_name, store in [("localStorage", local_storage), ("sessionStorage", session_storage)]: