From 4d5081582f322559305065e6486979db6dd0229d Mon Sep 17 00:00:00 2001
From: Scott Idem <stidem@gmail.com>
Date: Sun, 19 Apr 2026 18:12:02 -0400
Subject: [PATCH] fix(idaa): exempt trusted_access users from IDB purge and BB
 load gate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Case 1 purge in the layout was firing for manager/trusted users (no UUID),
causing a loop: db_events.event cleared → liveQuery updates → refetch →
store write → Effect 2 re-runs → clear again.

BB $effect was also blocking managers since novi_verified is always false
for non-Novi auth paths.

Both now check trusted_access before gating/purging.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/routes/idaa/(idaa)/+layout.svelte  | 8 +++++++-
 src/routes/idaa/(idaa)/bb/+page.svelte | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/routes/idaa/(idaa)/+layout.svelte b/src/routes/idaa/(idaa)/+layout.svelte
index ad302c55..e2216906 100644
--- a/src/routes/idaa/(idaa)/+layout.svelte
+++ b/src/routes/idaa/(idaa)/+layout.svelte
@@ -148,7 +148,13 @@ $effect(() => {
                 novi_verifying = false;
                 return;
             }
-            // Case 1: no UUID, no cached session — non-Novi path, deny normally.
+            // Case 3: no UUID, no cached Novi session, but user has trusted/manager access.
+            // They are legitimately authenticated via a non-Novi path — do NOT purge.
+            if ($ae_loc.trusted_access) {
+                novi_verifying = false;
+                return;
+            }
+            // Case 1: no UUID, no cached session, no elevated access — anonymous user.
             // Purge any IDAA data that may have been cached from a previous session.
             $idaa_loc.novi_verified = false;
             novi_verifying = false;
diff --git a/src/routes/idaa/(idaa)/bb/+page.svelte b/src/routes/idaa/(idaa)/bb/+page.svelte
index a5224ef9..d3a8a14c 100644
--- a/src/routes/idaa/(idaa)/bb/+page.svelte
+++ b/src/routes/idaa/(idaa)/bb/+page.svelte
@@ -119,7 +119,7 @@ let lq__post_obj_li = $derived.by(() => {
 // link prefetch (hover), causing private IDAA data to be written to IDB before auth runs.
 // $effect only runs post-mount, after the layout has completed Novi verification.
 $effect(() => {
-    if (!$idaa_loc.novi_verified) return;
+    if (!$idaa_loc.novi_verified && !$ae_loc.trusted_access) return;
     untrack(() => {
         posts_func.load_ae_obj_li__post({
             api_cfg: $ae_api,