
[1.0.1][Security] Eliminate insecure auth secret fallbacks and shorten session lifetime #96

@0sm0s1z


Summary

UI auth config still contains insecure fallback secrets and effectively indefinite sessions.

Why this matters

  • Hardcoded default secrets can be exploited if deployed unchanged.
  • 100-year session lifetime weakens account/session security posture.

Evidence

  • sirius-ui/src/server/auth.ts:
    • fallback NEXTAUTH_SECRET value (change-this-secret-in-production-please)
    • session.maxAge set to ~100 years
  • sirius-ui/src/env.mjs:
    • fallback auth/client values remain present

Current behavior

  • app can run with insecure fallback secrets
  • session duration is effectively indefinite

Expected behavior

  • production must require strong explicit secrets
  • no insecure fallback defaults for auth secrets
  • session lifetime should be bounded (e.g., 24h-7d depending on policy)

Proposed fix

  1. Remove insecure fallback for NEXTAUTH_SECRET in production paths.
  2. Enforce startup validation for required auth secrets.
  3. Reduce session.maxAge to policy-approved value.
  4. Document secure secret generation/rotation procedure.
  5. Add test coverage for missing secret rejection and session TTL policy.

Acceptance criteria

  • Production startup fails when auth secrets are missing/placeholder.
  • No hardcoded insecure secret fallback used in production paths.
  • Session maxAge is reduced to approved policy value.
  • Auth docs updated with required env vars and secret handling.

Release target

1.0.1 security hardening
