docs: mark completed items in SECURITY-REVIEW and CODE_REVIEW

Mark items as completed:
- SECURITY-REVIEW `#22`: Missing Max Length on Input Fields
- SECURITY-REVIEW `#25`: Magic Numbers Without Constants
- CODE_REVIEW `#9`: Path Construction in email.py

All changes have been implemented and tested.

Author: seapagan

CODE_REVIEW.md

@@ -247,6 +247,10 @@ hash_to_verify = str(user_do.password) if user_do else DUMMY_PASSWORD_HASH
 
 ### 9. `app/managers/email.py:39` - Path Construction
 
+> [!NOTE]
+> ✅ **Done**: Changed from string-based `".."` to explicit `Path.parent.parent`
+> for better clarity and maintainability.
+
 **Issue:** Awkward `".."` string in path construction:
 
 ```python

SECURITY-REVIEW.md

@@ -371,6 +371,11 @@
 
 ### 22. Missing Max Length on Input Fields
 
+> [!NOTE]
+> ✅ **Done**: Added `max_length` constraints to all user request schemas
+> (UserRegisterRequest, UserLoginRequest, UserEditRequest, UserChangePasswordRequest).
+> Values now match database constraints: password=128, first_name=30, last_name=50.
+
 **Location**: `app/schemas/request/user.py:38-39, 57-59`
 
 - **Issue**: User registration/edit fields lack maximum length validation:
@@ -407,6 +412,11 @@
 
 ### 25. Magic Numbers Without Constants
 
+> [!NOTE]
+> ✅ **Done**: Extracted hardcoded token expiry values to module-level constants
+> (REFRESH_TOKEN_EXPIRE_MINUTES, VERIFY_TOKEN_EXPIRE_MINUTES,
+> RESET_TOKEN_EXPIRE_MINUTES) for better maintainability.
+
 **Location**: `app/managers/auth.py:85, 114, 144`
 
 - **Issue**: Hardcoded expiry times scattered throughout: