fix(idaa): strip API calls from all +page.ts/+layout.ts, gate loading in $effect

SvelteKit load functions fire during link prefetch before Novi auth completes; `if (browser)` guards do not prevent this. Moving all IDAA data fetching into $effect hooks gated on `novi_verified || trusted_access` closes the IDB pre-population race across archives, bb/[post_id], and recovery_meetings/[event_id]. Also documents the Auth-Before-Cache rule and per-route status in AE__Permissions_and_Security.md. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 18:49:47 -04:00
parent dea599bd9c
commit b8e6bcaf03
8 changed files with 152 additions and 167 deletions
--- a/src/routes/idaa/(idaa)/archives/+layout.ts
+++ b/src/routes/idaa/(idaa)/archives/+layout.ts
@@ -1,12 +1,10 @@
 /** @type {import('./$types').LayoutLoad} */
-// console.log(`IDAA BB - [account_id] +layout.ts start`);

-// import { error } from '@sveltejs/kit';
-import { browser } from '$app/environment';
-import { archives_func } from '$lib/ae_archives/ae_archives_functions';
+// Data loading for IDAA Archives has been moved to the $effect in +page.svelte
+// (gated on novi_verified / trusted_access). +layout.ts runs before layout effects and
+// fires during SvelteKit link prefetch, making it unsafe for private IDAA content.

-export async function load({ fetch, params, parent }) {
-    // route
+export async function load({ parent }) {
    const log_lvl: number = 0;

    const data = await parent();
@@ -21,40 +19,10 @@ export async function load({ fetch, params, parent }) {
        );
        ae_acct = {
            api: data.ae_api || {},
-            slct: {
-                account_id: account_id
-            }
+            slct: { account_id: account_id }
        };
    }

-    if (browser) {
-        const load_archive_obj_li = archives_func.load_ae_obj_li__archive({
-            api_cfg: ae_acct.api,
-            for_obj_type: 'account',
-            for_obj_id: account_id,
-            inc_content_li: false,
-            enabled: 'enabled',
-            hidden: 'not_hidden',
-            limit: 29,
-            order_by_li: {
-                priority: 'DESC',
-                sort: 'DESC',
-                updated_on: 'DESC',
-                created_on: 'DESC',
-                name: 'ASC'
-            },
-            params: params,
-            try_cache: true,
-            log_lvl: log_lvl
-        });
-        if (log_lvl) {
-            console.log(`load_archive_obj_li = `, load_archive_obj_li);
-        }
-        ae_acct.slct.archive_obj_li = load_archive_obj_li;
-    }
-
-    // WARNING: Precaution against shared data between sites and sessions.
    data[account_id] = ae_acct;
-
    return data;
 }