feat: auth-capture — WS frame stream, drag events, continuous CDP, profile cleanup

- AuthCaptureDialog: real WebSocket for binary JPEG frame stream (no polling)
- Pointer drag: mousedown/mousemove/mouseup events for slider-captcha
- CDP capture starts at session creation, caches headers in session.captured_headers
- Ephemeral profile dir deleted on session close (shutil.rmtree)
- Candidate types unified: bearer_token / cookie / api_key / credential
- Frontend handleAuthCaptureSelect maps all 4 types to correct form fields

frontend/src/views/Upstreams.vue

@@ -460,13 +460,30 @@ function handleAuthCaptureSelect(candidate: { type: string; value: string; cooki
   if (candidate.type === 'bearer_token') {
     form.value.auth_type = 'bearer'
     form.value.auth_config.token = candidate.value
+    ElMessage.success('已填入 Bearer Token')
   } else if (candidate.type === 'cookie') {
     form.value.auth_type = 'cookie'
     form.value.auth_config.cookie_string = candidate.cookie_name && candidate.cookie_value
       ? `${candidate.cookie_name}=${candidate.cookie_value}`
       : candidate.value
+    ElMessage.success('已填入 Cookie')
+  } else if (candidate.type === 'api_key') {
+    form.value.auth_type = 'api_key'
+    form.value.auth_config.key = candidate.value
+    form.value.auth_config.header = 'X-API-Key'
+    ElMessage.success('已填入 API Key')
+  } else if (candidate.type === 'credential') {
+    // Try to guess — if value starts with 'sk-', treat as bearer
+    if (candidate.value.startsWith('sk-')) {
+      form.value.auth_type = 'bearer'
+      form.value.auth_config.token = candidate.value
+      ElMessage.success('已填入 Bearer Token (sk-key)')
+    } else {
+      form.value.auth_type = 'bearer'
+      form.value.auth_config.token = candidate.value
+      ElMessage.success('已填入认证信息')
+    }
   }
-  ElMessage.success(`已填入${candidate.type === 'cookie' ? 'Cookie' : 'Bearer Token'}认证信息`)
 }
 
 const quickPlatform = ref('sub2api')