fix(idaa): fix Novi UUID verification — stuck spinner, repeat calls, impersonation

Critical bugs fixed:
- $derived(() => {}) stored the function itself; uuid/api_key were always
  undefined so verification never fired. Fixed to $derived.by(() => {}).
- novi_verifying pre-initialized to true (flash prevention) was also used as
  the concurrency guard — guard saw it as in-flight and exited immediately,
  leaving the spinner stuck forever. Split into separate verify_in_flight flag.
- $idaa_loc reads in dedupe snapshot (outside untrack) subscribed the effect
  to idaa_loc writes, causing needless re-runs post-verification.
- Rate limit was not UUID-aware: 429 on one UUID blocked impersonation
  (new UUID). TTL and rate-limit guards now both bypass when UUID changes.

Also includes: store defaults for novi_verified_ts + novi_rate_limited_until,
docs update, iframe template g_uuid param (prior agent changes).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-03-27 13:38:42 -04:00
parent 9d44b9341c
commit 19d0145d00
4 changed files with 179 additions and 23 deletions

@@ -21,6 +21,12 @@ const idaa_local_data_struct: key_val = {
// True after a successful Novi API verification (UUID confirmed to be a real Novi member).
// False on load, on verification failure, or for non-Novi sign-in paths.
novi_verified: false,
// Timestamp (ms since epoch) when the last successful verification occurred.
// Used to cache verification results and avoid repeated Novi API calls.
novi_verified_ts: null,
// If set to a ms timestamp, verification attempts should be skipped until this time.
// Used to honor rate-limits and Retry-After behavior.
novi_rate_limited_until: null,
// Populated from $ae_loc.site_cfg_json at IDAA layout mount — not managed here.
// See routes/idaa/(idaa)/+layout.svelte for the override logic.
novi_admin_li: [],
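
Review bot: novi_verified_ts and novi_rate_limited_until are added as bare timestamps, with nothing in this hunk recording which UUID they were issued for, yet the commit message says the TTL and rate-limit guards bypass when the UUID changes. Either store the UUID next to them (a hypothetical novi_verified_uuid field, for example) or extend the comments to name the field the guards compare against, so a cached result for one member cannot be read as applying to an impersonated one. The comment on novi_verified_ts should also state the cache TTL or point to where it is defined, and both comments should say what the null default means ("never verified", "not rate limited") so consumers do not compare null against a timestamp. If this struct is persisted client-side, add a line saying the cached novi_verified state is a call-saving optimization and not an authorization decision.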