From 61c9a6766d9659aa6e51222fffc0a768a2c14204 Mon Sep 17 00:00:00 2001
From: Scott Idem
Date: Sun, 19 Apr 2026 17:43:22 -0400
Subject: [PATCH] fix(idaa): purge IDAA IDB on no-UUID unauthenticated path

The previous purge only fired inside verify_novi_uuid() catch, which requires a UUID in the URL. Unauthenticated visits without a UUID (Case 1 in Effect 2) now also clear posts, comments, archives, and events from IDB.

Co-Authored-By: Claude Sonnet 4.6
---
 src/routes/idaa/(idaa)/+layout.svelte | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/routes/idaa/(idaa)/+layout.svelte b/src/routes/idaa/(idaa)/+layout.svelte
index 7deae7be..7f25572c 100644
--- a/src/routes/idaa/(idaa)/+layout.svelte
+++ b/src/routes/idaa/(idaa)/+layout.svelte
@@ -149,8 +149,14 @@ $effect(() => {
 return;
 }
 // Case 1: no UUID, no cached session — non-Novi path, deny normally.
+ // Purge any IDAA data that may have been cached from a previous session.
 $idaa_loc.novi_verified = false;
 novi_verifying = false;
+ db_posts.post.clear().catch(() => {});
+ db_posts.comment.clear().catch(() => {});
+ db_archives.archive.clear().catch(() => {});
+ db_archives.content.clear().catch(() => {});
+ db_events.event.clear().catch(() => {});
 return;
 }
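Review bot: The five `clear()` calls added in Case 1 each end in `.catch(() => {})`, so a failed purge is invisible: if IndexedDB rejects the request, the posts, comments, archives and events cached by an earlier session stay on disk for the unauthenticated visitor and nothing records it. Because this purge is the control that removes member data from a shared browser, I would collect the results with `Promise.allSettled` and at least log which stores were not cleared. The commit message says the same purge already runs in the `verify_novi_uuid()` catch, which is outside this hunk; if that path lists the same five tables, one helper called from both places keeps the table list from drifting. The `$effect` body starts and ends outside the hunk, so how often Case 1 re-runs cannot be judged from here.

```svelte
// Clears every IDAA table cached in IndexedDB and reports the stores that failed to clear.
function purge_idaa_cache() {
	const stores = [
		['posts.post', db_posts.post],
		['posts.comment', db_posts.comment],
		['archives.archive', db_archives.archive],
		['archives.content', db_archives.content],
		['events.event', db_events.event]
	];
	return Promise.allSettled(stores.map(([, table]) => table.clear())).then((results) => {
		results.forEach((result, i) => {
			if (result.status === 'rejected') {
				console.warn(`IDAA cache purge failed for ${stores[i][0]}`, result.reason);
			}
		});
	});
}

// … unchanged: Case 1 comment and $idaa_loc.novi_verified reset …
novi_verifying = false;
purge_idaa_cache();
return;
```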