feat: add sliding session timeout with idle and absolute caps

manage.py

@@ -153,6 +153,31 @@ def mfa_compliance_status():
     print("=" * 60)
 
 
+@cli.command("cleanup_sessions")
+def cleanup_sessions():
+    """Clean up expired user sessions.
+
+    Marks sessions as EXPIRED when they have passed their expires_at
+    timestamp.  Safe to run frequently (e.g. every 5 minutes via job_runner).
+
+    Usage:
+        python manage.py cleanup_sessions
+    """
+    from gatehouse_app.services.session_service import SessionService
+
+    print("=" * 60)
+    print("Session Cleanup Job")
+    print("=" * 60)
+
+    from datetime import datetime, timezone
+    print(f"Start time: {datetime.now(timezone.utc).isoformat()}")
+
+    count = SessionService.cleanup_expired_sessions()
+
+    print(f"Expired sessions marked: {count}")
+    print("=" * 60)
+
+
 @cli.command("configure_oauth")
 @click.argument("provider", required=False)
 @click.option("--client-id", default=None, help="OAuth client ID")