api.py: minor cleanups (Track 1 inventory findings)

- Fix /auth/check endpoint that referenced undefined SESSIONS
  (Phase 1 finding — would NameError 500 on every call). Now uses
  session_exists(token), the live session-validation mechanism
  defined elsewhere in api.py.
- Remove unused DB_PATH ChromaDB-era constant (paired with the
  ChromaDB directory deletion and aaronai-maintenance.service
  removal earlier this session).

Found by Track 1 inventory 2026-05-02. Cross-repo verification of
share_time (third candidate from the original cleanup proposal)
revealed it is working stores-and-returns persistence rather than
dead code; share_time intentionally not modified.

Inventory document edits are committed separately under the docs/
tracking decision.

scripts/api.py

@@ -34,7 +34,6 @@ from apscheduler.triggers.cron import CronTrigger
 load_dotenv(Path.home() / "aaronai" / ".env")
 
 MEMORY_PATH = Path.home() / "aaronai" / "memory.md"
-DB_PATH = str(Path.home() / "aaronai" / "db")
 CONVERSATIONS_DB = str(Path.home() / "aaronai" / "conversations.db")
 SETTINGS_PATH = Path.home() / "aaronai" / "settings.json"
 WATCHER_LOG = str(Path.home() / "aaronai" / "watcher.log")
@@ -382,7 +381,7 @@ async def logout(request: Request, response: Response):
 @app.get("/auth/check")
 async def check_auth(request: Request):
     token = get_session(request)
-    if not token or token not in SESSIONS:
+    if not token or not session_exists(token):
         return JSONResponse({"authenticated": False})
     return JSONResponse({"authenticated": True})