Updated to do list for bug fixes related to IDAA. And possibly other areas.

documentation/TODO__Agents.md

@@ -109,6 +109,23 @@ suddenly jumps to 0 errors, verify it's not because a bad `.d.ts` replaced a pac
   Run `npx svelte-check 2>&1 | grep ModalProps` to get the current list.
   Fix pattern: replace `children` prop binding with Svelte snippet syntax per flowbite-svelte docs.
 
+- [ ] **[IDAA] Do not cache IDAA data in IDB when access is denied (2026-04-19)**
+  If a user is not authenticated or receives an access-denied response, the frontend must
+  **not** pre-fetch or cache any IDAA content (Posts, Archives, Events/Recovery Meetings)
+  into the local browser IndexedDB (Dexie). Storing private IDAA data in IDB on an
+  unauthenticated device is a privacy violation — the data would persist in the browser
+  even after the session ends, accessible to the next person who opens DevTools.
+
+  **Fix pattern:**
+  - All IDAA SWR load functions (`load_ae_obj_li__*` in `ae_idaa/`, `ae_posts/`, and the
+    IDAA-specific event queries) must gate on a successful auth check before calling
+    `_refresh_*_background` or writing to IDB.
+  - If the API returns a 401/403, do not write to Dexie — return/throw early.
+  - On explicit logout or Novi auth invalidation, purge IDAA tables from IDB
+    (`db_idaa`, `db_posts`, and any IDAA event records in `db_events`).
+  - Audit all `+page.ts` / `+layout.ts` files under `src/routes/idaa/` to confirm
+    no eager prefetch runs before the auth guard resolves.
+
 - [ ] **[IDAA] Make `contact_li_json_ext` searchable — Recovery Meeting contact search (2026-04-08)**
   Members cannot search for meetings by contact name or email. `contact_li_json` data is not
   included in `default_qry_str` and MariaDB cannot substring-search a JSON longtext directly.