docs(decisions): promote QSEC-05 (session timeout recommendation) to a decision (#156)

Security-lane parallel to PR #128's Architect-lane sweep. QSEC-05's
tentative direction — "documentation-only recommendation in
SECURITY.md §Recommended consumer settings" — has been de-facto
shipped: SECURITY.md §9 carries the SESSION_COOKIE_AGE = 60 * 60 * 8
example with a # QSEC-05 provenance comment. Promote.

QSEC-01 (rate limiting), QSEC-02 (audit logging via LogEntry),
QSEC-03 (CSP defaults), and QSEC-04 (SRI on the bundle) stay open
— none has shipped the surface their tentative direction describes.

Tier 1 — docs/agents/{decisions,open-questions}.md only.

Co-authored-by: Martin Castro Laminrs <mcastro@laminr.ai>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people