Finding: SD-AUTH-03 (MEDIUM) | Milestone: M-E2: Identity & Access (#16)
Problem: API keys never expire; compromised keys grant indefinite access.
Fix: Add expiresAt to ApiKey. Optionally accept ttlDays at key creation. validate() rejects expired keys.
Files: src/auth.ts
Acceptance: A key with expiresAt in the past is rejected by validate().
Finding: SD-AUTH-03 (MEDIUM) | Milestone: M-E2: Identity & Access (#16)
Problem: API keys never expire; compromised keys grant indefinite access.
Fix: Add expiresAt to ApiKey. Optionally accept ttlDays at key creation. validate() rejects expired keys.
Files: src/auth.ts
Acceptance: A key with expiresAt in the past is rejected by validate().