fix(core): modern Svelte 5 cleanup — Dexie .get() bug, typed API calls, inline confirms

- person_view.svelte: fix liveQuery using .get() (primary key, never set by V3)
  → .where('person_id').equals().first()
- people/[person_id]: same Dexie .get() fix for lq__person_obj
- person_view.svelte: replace 4x generic api.update_ae_obj → core_func.update_ae_obj__person
  (removes unused api import)
- Replace all browser confirm()/alert() dialogs (9 occurrences, 6 files) with
  inline two-click confirm state pattern (confirm_action = $state<string|null>)
  Affected: users, accounts, contacts, addresses, people, sites
- Bootstrap doc: add Dexie .get() trap to Section 5 and Mistake #8

documentation/BOOTSTRAP__AI_Agent_Quickstart.md

@@ -179,7 +179,7 @@ async function load_ae_obj_id__my_obj({ api_cfg, obj_id }) {
 
 ### ID convention — never use `_id_random` fields
 The V3 API uses random string IDs (e.g. `event_file_id = "aBc123"`). The `*_id_random`
-fields are legacy aliases. Always use the short form:
+fields are legacy aliases. The integer version of the ID is never returned by the API. Always use the short form:
 ```ts
 // ✅ Correct
 event_file_obj.event_file_id
@@ -187,6 +187,7 @@ event_file_obj.event_file_id
 // ❌ Wrong — legacy alias, don't use
 event_file_obj.event_file_id_random
 ```
+The short ".id" is also the randomized string, **not an integer** (autonum).
 
 ### PATCH — only field values in the body
 ```ts
@@ -205,6 +206,23 @@ x-aether-api-key: <PUBLIC_AE_API_SECRET_KEY>
 x-account-id: <account_id>
 ```
 
+### Dexie queries — always use the object ID index, not `.get()`
+All `db_core` (and other module) Dexie tables define their schema with `id` as the first
+field (primary key), followed by the object's string ID (e.g. `person_id`). V3 **never**
+returns `id`, so every record stored in Dexie has `id = undefined`. Calling `.get(value)`
+does a primary key lookup — it will always miss when passed a string object ID.
+
+```ts
+// ❌ Wrong — .get() uses the primary key (id), which V3 never populates:
+liveQuery(() => db_core.person.get(person_id))
+
+// ✅ Correct — use .where() on the indexed object ID field:
+liveQuery(() => db_core.person.where('person_id').equals(person_id).first())
+```
+
+This applies to every table in every module (`db_core`, `db_events`, etc.).
+When looking up a single object by its string ID, always use `.where().equals().first()`.
+
 ---
 
 ## 6. Naming Conventions
@@ -253,7 +271,14 @@ These are real incidents — know them before you start.
 6. **Deleting files with `rm`** — always move to `~/tmp/agents_trash`. A deleted file may
    contain context that's not recoverable from git if it was gitignored.
 
-7. **Treating `$effect` blocks as auth bypass risks** — a `$effect` inside a child
+8. **Dexie `.get()` with a string object ID returns `undefined`** — Dexie `.get(value)`
+   looks up by the table's **primary key**, which is `id` (the first schema field). The V3
+   API never returns `id`, so it is always `undefined` in stored records. Passing a string
+   object ID (e.g. `person_id`) to `.get()` will silently return nothing. Always use
+   `.where('person_id').equals(person_id).first()` instead. This has caused liveQuery
+   blocks to always produce `undefined` even when the record exists in Dexie.
+
+9. **Treating `$effect` blocks as auth bypass risks** — a `$effect` inside a child
    component cannot bypass a parent `+layout.svelte` auth gate. Children only mount if
    the parent calls `{@render children?.()}`. Adding redundant auth guards to `$effect`
    blocks that can only run after the parent gate already passed is unnecessary — and