Harden JWT: 8-hour expiry, add JWT vulnerability checks

- Reduce ACCESS_TOKEN_EXPIRE_MINUTES from 24h to 8h (no permanent sessions)
- Add JWT_PATTERNS to security_check.py: algorithm=none, verify_exp=False,
  multi-day timedelta, oversized EXPIRE_MINUTES, hardcoded secret
- Add JWT security checklist to security-auditor agent
- Document auth/session security items in TODO.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.claude/agents/security-auditor.md

@@ -54,6 +54,24 @@ Systematically review in this order:
 6. CORS configuration (`app/main.py`)
 7. Frontend — token storage, XSS vectors, any `dangerouslySetInnerHTML`
 
+## JWT security checklist
+
+When reviewing any authentication code, verify all of the following:
+
+| Check | What to look for | Severity |
+|---|---|---|
+| Algorithm confusion | `algorithms=["none"]` or `algorithm="none"` in `jwt.decode()` | Critical |
+| Expiry enforcement | `verify_exp=False` or `options={"verify_exp": False}` | Critical |
+| Token lifetime | `ACCESS_TOKEN_EXPIRE_MINUTES` — must be ≤ 480 (8 h); flag `timedelta(days=...)` in token creation | High |
+| Secret key strength | `SECRET_KEY` must come from env var, ≥ 32 random chars; flag hardcoded strings | High |
+| Algorithm pinned | `jwt.decode()` must pass `algorithms=["HS256"]` (or project algorithm) explicitly — never a variable | High |
+| Missing claims | Token payload should include `sub`, `exp`, `iat`; flag if `iat` is absent | Medium |
+| Token storage | Frontend stores JWT in `localStorage` — note the XSS exposure tradeoff; recommend `httpOnly` cookie migration when hardening | Medium |
+| No refresh tokens | Project policy: no permanent sessions, no refresh tokens. Flag any `refresh_token` implementation | Medium |
+| No "remember me" | No `remember_me` or extended-expiry paths in auth flow | Medium |
+
+Current project policy: **8-hour JWT, no refresh tokens, no permanent login.**
+
 ## Hard rules
 
 - Never weaken an existing security control