fix(idaa): purge IDB when has_cached_session but $ae_loc has no auth

Closes a gap where $ae_loc could be reset externally (sign-out) while
$idaa_loc retained novi_verified within TTL, causing Case 2 to return
early and skip the IDB purge even though the render gate shows Access Denied.
Now Case 2 only preserves the session when $ae_loc also reflects active auth;
inconsistent state falls through to Case 1 (purge).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-04-19 18:53:26 -04:00
parent b8e6bcaf03
commit b94516ce26


@@ -145,8 +145,16 @@ $effect(() => {
now - $idaa_loc.novi_verified_ts < ttl_ms;
if (has_cached_session) {
// Case 2: internal navigation — keep the verified session, nothing to do.
novi_verifying = false;
return;
// BUT: only if $ae_loc also reflects active auth. If $ae_loc was reset
// externally (e.g., sign-out) while $idaa_loc retained novi_verified (within TTL),
// the state is inconsistent — fall through to Case 1 and purge.
if ($ae_loc.trusted_access || $ae_loc.authenticated_access) {
novi_verifying = false;
return;
}
// Inconsistent state — $idaa_loc says verified but $ae_loc has no auth.
// Fall through to Case 1 below to purge stale IDB data.
console.warn('IDAA Layout: has_cached_session but no auth in $ae_loc — purging (inconsistent state).');
}
// Case 3: no UUID, no cached Novi session, but user has trusted/manager access.
// They are legitimately authenticated via a non-Novi path — do NOT purge.
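Review bot: The inconsistent-state path in Case 2 (the lines after the `if ($ae_loc.trusted_access || $ae_loc.authenticated_access)` guard) logs that it is purging but performs no purge itself, and the next block visible after it is Case 3, not Case 1, so the purge depends on control flow outside this hunk. Consider calling the purge directly in this branch, or at least clearing `$idaa_loc.novi_verified` there, so the stale flag cannot make `has_cached_session` true again on the next run of the effect within the TTL. The Case 3 comment mentions trusted/manager access while the new guard checks only `trusted_access` and `authenticated_access`; if manager access is tracked by a separate flag, a manager with a cached session would now take the inconsistent-state path, so please confirm that is intended. This path also leaves `novi_verifying` untouched, so check that whichever case it reaches resets it.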