diff --git a/documentation/TODO__Agents.md b/documentation/TODO__Agents.md
index da99e229..e94c6b9e 100644
--- a/documentation/TODO__Agents.md
+++ b/documentation/TODO__Agents.md
@@ -77,6 +77,40 @@ guessing defaults.
 
 ## 🚧 Upcoming High Priority
 
+### ~~[IDAA] Random "Access Denied" — Root Cause Review & Fixes~~ ✅ Resolved (2026-05-19)
+
+All known root causes fixed across 10+ commits to `src/routes/idaa/(idaa)/+layout.svelte`.
+Deploying as of 2026-05-19. Monitor for further member reports.
+
+#### All fixes applied
+- [x] Access Denied on iframe reload (sessionStorage URL preservation) — `2855e091f`
+- [x] TTL cache bypassed when `$ae_loc` auth flags reset — `2855e091f`
+- [x] "Verification Unavailable" screen distinct from "Access Denied" — `2855e091f`
+- [x] "Try Again" without page reload (`retry_count` pattern) — `2855e091f`
+- [x] Novi TTL extended to 45 minutes (from 5) — `2855e091f` + manual edit
+- [x] 12 s AbortController hard timeout on Novi fetch — `e921ca973`
+- [x] Network/AbortError gets 3 s grace + one retry — `e921ca973`
+- [x] Clear Cache & Reload added to Access Denied state (iframe mode) — `2855e091f`
+- [x] `VERIFY_TIMEOUT_MS` 8 s → 35 s (was firing mid-retry, causing premature Reset clicks) — `53fd5e7de`
+- [x] `sessionStorage` try-catch (iOS Safari Private Browsing throws on access) — `53fd5e7de`
+- [x] Appshell stores guarded behind `account_id` — `8850db89c`
+- [x] Recovery meetings over-filtering bug (API `default_qry_str`) — `76e21b08f`
+- [x] A→Z sort in recovery meetings API revalidation path — `c0386f27b`
+- [x] `events.event` IDB content version bump (stale cache) — previous commit
+
+#### Root layout SWR verified safe:
+The root `+layout.ts` builds `ae_loc_init` as a plain site-config object (no `authenticated_access`,
+`trusted_access`, or `access_type` fields). The root layout sync effect
+`$ae_loc = { ...current_loc, ...ae_acct.loc }` therefore cannot overwrite Novi-set auth flags.
+Confirmed safe — this is NOT a cause of Access Denied.
+
+#### Remaining architectural note:
+The long-term fix for the coarse `$ae_loc` reactivity (Svelte 4 store) causing Effect 2 to
+re-run on unrelated writes is tracked under **[Stores] Svelte 4 → Svelte 5 State Migration**
+below. The TTL + `verify_in_flight` guards are the current mitigation.
+
+---
+
 ### [Stores] Svelte 4 → Svelte 5 State Migration (prerequisite for Phase 2c)
 The app uses `svelte-persisted-store` (Svelte 4 store contract) for all core persisted state
 (`ae_loc`, `idaa_loc`, `ae_api`, `ae_sess`, etc.). In Svelte 5 `$effect`, reading **any field**