feat(pres_mgmt): auto-expand auth for all presenter/POC roles on sign-in

A person signing in via a single email link previously only got auth for
that one event_presenter_id or event_session_id. Presenters/POCs in
multiple sessions had to click a separate link per role.

On sign-in, expand_auth_for_person() queries Dexie for all presenter
records and POC sessions this person holds in the event and pre-populates
auth__kv.presenter, auth__kv.presentation, and auth__kv.session for all
of them. Runs as fire-and-forget — benign no-op on cold cache since
person_id matching in auth checks provides fallback coverage.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/routes/events/[event_id]/sign_in_out.svelte

@@ -33,6 +33,7 @@ import {
     events_trig_kv
 } from '$lib/stores/ae_events_stores';
 import { events_auth_loc } from '$lib/stores/ae_events_stores__auth.svelte';
+import { db_events } from '$lib/ae_events/db_events';
 import { LogIn, X } from '@lucide/svelte';
 onMount(() => {
     console.log('Browser environment detected.');
@@ -100,6 +101,43 @@ onMount(() => {
     }
 });
 
+// Grants auth for every presenter record and POC session this person holds in the event.
+// WHY: presenters and POCs can appear in multiple sessions/presentations. Clicking a single
+// sign-in link only grants auth for that specific presenter_id/session_id. This scan
+// pre-populates auth__kv for all their other roles so they don't have to click each link.
+// Runs against Dexie cache — benign no-op if cache is cold; person_id matching in auth
+// checks provides fallback coverage for navigation until cache warms.
+async function expand_auth_for_person(person_id: string, event_id: string) {
+    try {
+        const [presenter_li, session_li] = await Promise.all([
+            db_events.presenter
+                .where('person_id').equals(person_id)
+                .filter(p => p.event_id === event_id)
+                .toArray(),
+            db_events.session
+                .where('poc_person_id').equals(person_id)
+                .filter(s => s.event_id === event_id)
+                .toArray()
+        ]);
+        for (const p of presenter_li) {
+            if (p.event_presenter_id) {
+                events_auth_loc.current.auth__kv.presenter[p.event_presenter_id] = true;
+                events_auth_loc.current.auth__kv.presentation[p.event_presentation_id] = true;
+                // 'read' matches what presenter_sign_in sets — truthy, but signals read-only session access
+                events_auth_loc.current.auth__kv.session[p.event_session_id] = 'read';
+            }
+        }
+        for (const s of session_li) {
+            if (s.event_session_id) {
+                events_auth_loc.current.auth__kv.session[s.event_session_id] = true;
+            }
+        }
+        console.log(`expand_auth_for_person: ${presenter_li.length} presenter(s), ${session_li.length} POC session(s) auto-granted`);
+    } catch (e) {
+        console.warn('expand_auth_for_person: Dexie lookup failed', e);
+    }
+}
+
 // For session point of contact (moderator, chair, LCI Champions).
 function session_sign_in() {
     console.log('Session sign in with URL values');
@@ -125,6 +163,8 @@ function session_sign_in() {
     // Setting again here... just because for now.
     // $events_slct.event_presentation_id = $events_sess.auth__person.presentation_id;
     // $events_slct.event_presenter_id = $events_sess.auth__person.presenter_id;
+
+    void expand_auth_for_person($events_sess.auth__person.id, data.params.event_id);
 }
 
 // For presenters within a session presentation.
@@ -167,6 +207,8 @@ function presenter_sign_in() {
         $events_sess.auth__person.presentation_id;
     events_auth_loc.current.auth__person.presenter_id =
         $events_sess.auth__person.presenter_id;
+
+    void expand_auth_for_person($events_sess.auth__person.id, data.params.event_id);
 }
 
 function sign_out() {