feat: auth-capture — WS frame stream, drag events, continuous CDP, profile cleanup

- AuthCaptureDialog: real WebSocket for binary JPEG frame stream (no polling)
- Pointer drag: mousedown/mousemove/mouseup events for slider-captcha
- CDP capture starts at session creation, caches headers in session.captured_headers
- Ephemeral profile dir deleted on session close (shutil.rmtree)
- Candidate types unified: bearer_token / cookie / api_key / credential
- Frontend handleAuthCaptureSelect maps all 4 types to correct form fields

backend/app/services/browser_session_service.py

@@ -32,6 +32,8 @@ class BrowserSession:
     context: Any
     page: Any
     lock: asyncio.Lock
+    cdp_session: Any = None
+    captured_headers: list[dict] = None  # auth headers from CDP
 
 
 class BrowserSessionService:
@@ -163,10 +165,24 @@ class BrowserSessionService:
         session = self._discard_session(session_id)
         if not session:
             return
+        # Detach CDP session if active
+        if session.cdp_session:
+            try:
+                await session.cdp_session.detach()
+            except Exception:
+                pass
         try:
             await session.context.close()
         except Exception:
             pass
+        # Clean up ephemeral (auth-capture) profile directories
+        if session.profile_key and session.profile_key.startswith("auth-capture-"):
+            profile_dir = self._profile_dir(session.profile_key)
+            import shutil
+            try:
+                shutil.rmtree(profile_dir, ignore_errors=True)
+            except Exception:
+                pass
 
     async def shutdown(self) -> None:
         sessions = list(self._sessions)
@@ -368,14 +384,46 @@ class BrowserSessionService:
                 context=context,
                 page=page,
                 lock=asyncio.Lock(),
+                captured_headers=[],
             )
             self._sessions[session.id] = session
         try:
             await page.goto(url, wait_until="domcontentloaded", timeout=45000)
+            # Start CDP network capture immediately — so we don't miss login requests
+            await self._start_cdp_capture(session)
         except Exception:
             await self.close(session.id)
             raise
         return session
 
+    async def _start_cdp_capture(self, session: BrowserSession) -> None:
+        """Enable CDP Network domain and capture Authorization headers."""
+        try:
+            cdp = await session.context.new_cdp_session(session.page)
+            await cdp.send("Network.enable")
+
+            def on_request(params: dict) -> None:
+                headers = params.get("request", {}).get("headers", {})
+                auth = headers.get("authorization") or headers.get("Authorization")
+                api_key = headers.get("x-api-key") or headers.get("X-API-Key")
+                url = params.get("request", {}).get("url", "")
+                if auth:
+                    session.captured_headers.append({
+                        "type": "authorization",
+                        "value": auth,
+                        "url": url,
+                    })
+                if api_key:
+                    session.captured_headers.append({
+                        "type": "api_key",
+                        "value": api_key,
+                        "url": url,
+                    })
+
+            cdp.on("Network.requestWillBeSent", on_request)
+            session.cdp_session = cdp
+        except Exception as exc:
+            logger.debug("CDP capture not available: %s", exc)
+
 
 browser_sessions = BrowserSessionService()