Open
Description
Phase
Phase 1 — Critical Security | Track 1.4 — Resource Controls | Priority: P1 MEDIUM
Problem
CWE: CWE-613 — Insufficient Session Expiration
Sessions persist indefinitely in plaintext JSONL files. No TTL, no expiry, no cleanup. This means:
- Sensitive conversation data accumulates forever
- Stale sessions consume disk space
- No way to force re-authentication
Fix
- Add configurable session TTL (default: 24 hours)
- Auto-expire sessions older than TTL on next access
- Add `session.cleanup()` method for manual purge
- Option for encrypted-at-rest sessions (AES-256, key from env var)
- Config: `"session": {"ttl_hours": 24, "encrypt": false}`
Acceptance Criteria
- Session TTL configurable in config.json
- Expired sessions automatically cleaned up
- Manual cleanup method available
- Optional encryption at rest
- Tests for: TTL enforcement, cleanup, encryption round-trip
References
- CWE-613
- Design Doc: docs/plans/2026-03-29-security-ai-guardrails-performance-design.md
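The TTL enforcement and manual purge proposed in this issue, as an added example that is not the project's code. The `SessionStore` class, the one-file-per-session layout, measuring age from the file's last write, and every method name other than `cleanup()` are assumptions; encryption at rest is left out.

```python
import json
import time
from pathlib import Path


class SessionStore:
    """JSONL session files; age is measured from the last write (assumption)."""

    def __init__(self, root, config):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        # Config shape from the issue: {"session": {"ttl_hours": 24, ...}}
        self.ttl = config.get("session", {}).get("ttl_hours", 24) * 3600

    def _path(self, session_id):
        if not session_id.isalnum():  # keep ids from escaping the directory
            raise ValueError("invalid session id")
        return self.root / f"{session_id}.jsonl"

    def _purge_if_expired(self, path, now):
        """Delete path if older than the TTL; return True when it was removed."""
        now = time.time() if now is None else now
        if path.exists() and now - path.stat().st_mtime > self.ttl:
            path.unlink()
            return True
        return False

    def append(self, session_id, record, now=None):
        path = self._path(session_id)
        # A write must not revive a stale session: expire first, then start fresh.
        self._purge_if_expired(path, now)
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")

    def load(self, session_id, now=None):
        """Return the session's records, or None if missing or expired."""
        path = self._path(session_id)
        if self._purge_if_expired(path, now) or not path.exists():
            return None
        with open(path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def cleanup(self, now=None):
        """Manual purge of every expired session file; returns how many were removed."""
        return sum(self._purge_if_expired(p, now) for p in self.root.glob("*.jsonl"))
```

Because age is taken from the file's modification time, this behaves as an idle timeout; an absolute lifetime would need a creation timestamp stored in the session itself.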