From 63c58b5bb3d7849e8f59dcbcc06febb611451d6f Mon Sep 17 00:00:00 2001
From: Aaron Nelson
Date: Tue, 5 May 2026 23:29:38 +0000
Subject: [PATCH] Extend session lifetime to 365 days

Single-user personal app threat model is theft-of-device, not stolen-cookie. 30-day idle re-prompts created friction without proportional security benefit. Server TTL and client max-age remain in sync via shared constant.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 scripts/api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/api.py b/scripts/api.py
index ae66ff5..5fdeb3e 100644
--- a/scripts/api.py
+++ b/scripts/api.py
@@ -132,7 +132,7 @@ When making factual claims about Aaron — his history, credentials, locations,
 # Auth configuration
 import os
 SESSION_PASSWORD = os.getenv("AARON_AI_PASSWORD", "changeme")
-SESSION_MAX_AGE_SECONDS = 60 * 60 * 24 * 30
+SESSION_MAX_AGE_SECONDS = 60 * 60 * 24 * 365
 SESSIONS_DB = str(Path.home() / "aaronai" / "sessions.db")
 
 def _init_sessions():
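Review bot: With the lifetime raised to 365 days, the `"changeme"` fallback on the `SESSION_PASSWORD` line just above the changed constant becomes the weaker link: if `AARON_AI_PASSWORD` is unset, the service accepts a well-known default and then issues a session that stays valid for a year. Failing at startup is safer, for example `SESSION_PASSWORD = os.environ["AARON_AI_PASSWORD"]`. The commit message names device theft as the threat, which is the case where a long-lived cookie matters most, so it is worth confirming that existing rows in `SESSIONS_DB` can be invalidated and that the file is readable only by its owner; neither is visible in this hunk. Whether the 365 days is an idle or an absolute limit is also not visible here, and a comment on the constant such as `# 365 days; shared by server-side TTL and cookie max-age` would record the intent next to the value.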