Make bcrypt work factor explicit (13 rounds)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/core/security.py

@@ -6,8 +6,11 @@ from jose import jwt
 from app.core.config import settings
 
 
+_BCRYPT_ROUNDS = 13  # ~300 ms on modern hardware; increase over time as CPUs get faster
+
+
 def hash_password(password: str) -> str:
-    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=_BCRYPT_ROUNDS)).decode()
 
 
 def verify_password(plain: str, hashed: str) -> bool:

changelog/2026-04-17_groups-and-admin-nav.md

@@ -25,3 +25,15 @@ Added a Groups system (backend models, API, migration) and split the Admin sideb
 - `frontend/src/components/Sidebar.tsx` — Admin item is now an expandable accordion with Users and Groups sub-items
 - `backend/STATUS.md` — Documented groups endpoints, models, updated future work
 - `frontend/STATUS.md` — Documented new routes, pages, API client functions
+
+---
+
+# 2026-04-17 — Explicit bcrypt work factor
+
+**Timestamp:** 2026-04-17T15:00:00Z
+
+## Summary
+Made the bcrypt cost factor explicit (13 rounds, ~300 ms) in `hash_password` so it is easy to audit and increase over time.
+
+## Files Modified
+- `backend/app/core/security.py` — added `_BCRYPT_ROUNDS = 13`; passed `rounds=` to `bcrypt.gensalt()`