authentik: long-lived authenticated sessions, short-lived anonymous ones

- Adopt UserLoginStage (default-authentication-login) into Terraform
  and pin session_duration=weeks=4 so users stay logged in across
  browser restarts. There is no Brand.session_duration in 2026.2.x;
  UserLoginStage is the only correct lever.
- Cap anonymous Django sessions at 2h via
  AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE on server + worker pods
  (default is days=1). Bots, healthcheckers, and partial flows now
  get reaped within 2h instead of accumulating for a day.

Implementation note: the env var is injected via server.env /
worker.env rather than authentik.sessions.unauthenticated_age,
because authentik.existingSecret.secretName is set, which makes the
chart skip rendering its own AUTHENTIK_* Secret. authentik.* values
are therefore inert in this stack -- this is documented in
.claude/reference/authentik-state.md so future edits use the right
surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/authentik/modules/authentik/values.yaml

@@ -37,6 +37,15 @@ authentik:
 
 server:
   replicas: 3
+  # Anonymous Django sessions (no completed login: bots, healthcheckers,
+  # partial flows) expire in 2h. Default is days=1. Once login completes,
+  # UserLoginStage.session_duration takes over via request.session.set_expiry.
+  # Injected via server.env (not authentik.sessions.*) because we use
+  # authentik.existingSecret.secretName, which makes the chart skip
+  # rendering the AUTHENTIK_* secret — so the values block doesn't reach env.
+  env:
+    - name: AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE
+      value: "hours=2"
   strategy:
     type: RollingUpdate
     rollingUpdate:
@@ -70,6 +79,11 @@ global:
 
 worker:
   replicas: 3
+  # Same unauthenticated_age cap as server — both the server (Django session
+  # middleware) and worker (cleanup tasks) need to see the value.
+  env:
+    - name: AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE
+      value: "hours=2"
   strategy:
     type: RollingUpdate
     rollingUpdate: