Add purge_expired_sessions, document security assumptions in Auth
- purge_expired_sessions: deletes all expired/corrupted sessions.
Call periodically to prevent unbounded table growth.
- Document: 256-bit token space, session fixation prevention, session
rotation on sign-in, single-instance SQLite requirement, cleanup
strategy.
34/34 auth tests pass.