feat: Claude CLI OAuth token expiry warning

New GET /auth/status endpoint reads ~/.claude/.credentials.json and
returns hours remaining + warning flag. UI shows a dismissible amber
banner when < 24h remain, turning red if expired. Checked on page load
and every 30 minutes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cortex/static/style.css

@@ -898,6 +898,41 @@
             font-weight: 600;
         }
 
+        /* ── Auth warning banner ─────────────────────────────────── */
+        #auth-banner {
+            display: none;
+            align-items: center;
+            gap: 10px;
+            padding: 8px 20px;
+            background: rgba(160, 100, 0, 0.18);
+            border-bottom: 1px solid rgba(200, 140, 20, 0.45);
+            font-size: 0.82rem;
+            color: #c9a84c;
+        }
+
+        #auth-banner.show { display: flex; }
+        #auth-banner.expired {
+            background: rgba(120, 20, 20, 0.25);
+            border-color: rgba(200, 60, 60, 0.45);
+            color: var(--error-text);
+        }
+
+        #auth-banner-msg { flex: 1; }
+
+        #auth-banner-close {
+            background: none;
+            border: 1px solid currentColor;
+            border-radius: 4px;
+            color: inherit;
+            font-size: 0.7rem;
+            padding: 2px 7px;
+            cursor: pointer;
+            opacity: 0.7;
+            flex-shrink: 0;
+        }
+
+        #auth-banner-close:hover { opacity: 1; }
+
         /* ── Mobile responsive ───────────────────────────────────── */
         @media (max-width: 520px) {
             header { padding: 8px 12px; gap: 8px; }