Fix SEC-12: reduce default token expiry to 7 days
- Change default_expiry from 720h (30 days) to 168h (7 days) in dist/mcias.conf.example and dist/mcias.conf.docker.example
- Update man page, ARCHITECTURE.md, and config.go comment
- Max ceiling validation remains at 30 days (unchanged)

Security: Shorter default token lifetime reduces the window of exposure if a token is leaked. 7 days balances convenience and security for a personal SSO. The 30-day max ceiling is preserved so operators can still override if needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
dist/mcias.conf.example (4 lines changed)
@@ -69,8 +69,8 @@ issuer = "https://auth.example.com"
# OPTIONAL. Default token expiry for interactive (human) logins.
# Go duration string: "h" hours, "m" minutes, "s" seconds.
# Default: 720h (30 days). Reduce for higher-security deployments.
default_expiry = "720h"
# Default: 168h (7 days). The maximum allowed value is 720h (30 days).
default_expiry = "168h"
# OPTIONAL. Expiry for admin tokens (tokens with the "admin" role).
# Should be shorter than default_expiry to limit the blast radius of
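Review bot: the trailing context line "# Should be shorter than default_expiry to limit the blast radius of" now refers to a default that has dropped from 720h to 168h, but the admin expiry value it describes sits just past this hunk and is not touched; verify that the admin example value in this file (and in dist/mcias.conf.docker.example) is still below 168h, otherwise the example config contradicts its own guidance. Separately, the replaced comment line lost the operator hint "Reduce for higher-security deployments"; consider keeping it next to the new sentence about the 720h maximum, e.g. "# Default: 168h (7 days). Reduce for higher-security deployments. The maximum allowed value is 720h (30 days).", so the file states both the ceiling and the intended direction of tuning.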