fix(idaa): exempt trusted_access users from IDB purge and BB load gate

Case 1 purge in the layout was firing for manager/trusted users (no UUID), causing a loop: db_events.event cleared → liveQuery updates → refetch → store write → Effect 2 re-runs → clear again. BB $effect was also blocking managers since novi_verified is always false for non-Novi auth paths. Both now check trusted_access before gating/purging. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 18:12:02 -04:00
parent 1381b81bf0
commit 4d5081582f
2 changed files with 8 additions and 2 deletions
--- a/src/routes/idaa/(idaa)/+layout.svelte
+++ b/src/routes/idaa/(idaa)/+layout.svelte
@@ -148,7 +148,13 @@ $effect(() => {
                novi_verifying = false;
                return;
            }
-            // Case 1: no UUID, no cached session — non-Novi path, deny normally.
+            // Case 3: no UUID, no cached Novi session, but user has trusted/manager access.
+            // They are legitimately authenticated via a non-Novi path — do NOT purge.
+            if ($ae_loc.trusted_access) {
+                novi_verifying = false;
+                return;
+            }
+            // Case 1: no UUID, no cached session, no elevated access — anonymous user.
            // Purge any IDAA data that may have been cached from a previous session.
            $idaa_loc.novi_verified = false;
            novi_verifying = false;
--- a/src/routes/idaa/(idaa)/bb/+page.svelte
+++ b/src/routes/idaa/(idaa)/bb/+page.svelte
@@ -119,7 +119,7 @@ let lq__post_obj_li = $derived.by(() => {
 // link prefetch (hover), causing private IDAA data to be written to IDB before auth runs.
 // $effect only runs post-mount, after the layout has completed Novi verification.
 $effect(() => {
-    if (!$idaa_loc.novi_verified) return;
+    if (!$idaa_loc.novi_verified && !$ae_loc.trusted_access) return;
    untrack(() => {
        posts_func.load_ae_obj_li__post({
            api_cfg: $ae_api,