Yes, I'm fairly certain it's 7 days. Your authz objects have
expires fields you can check to confirm this.
No, it's up to the ACME client to keep track of both the number of pending authorizations and their URLs, which you'll need to disable them or force validation if you run into the limit for some reason (i.e. a bug or an outage). There's no endpoint that you can use to return all pending authorizations either.