docs: capture IDAA IDB audit results and layout security model

- TODO__Agents.md: mark IDAA IDB caching item complete (audited 2026-04-28);
  all protection layers confirmed in place, no code changes needed
- GUIDE__SvelteKit2_Svelte5_DexieJS.md: add "SvelteKit Layout Hierarchy:
  Security and Execution Order" section explaining execution order, auth-gate
  consequences, pre-gate risks in +page.ts/+layout.ts, and the reactivity-guard
  vs auth-guard distinction for IDAA $effect blocks
- BOOTSTRAP__AI_Agent_Quickstart.md: add Mistake #7 — treating $effect blocks
  as auth bypass risks vs understanding the real layout hierarchy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

documentation/BOOTSTRAP__AI_Agent_Quickstart.md

@@ -253,6 +253,16 @@ These are real incidents — know them before you start.
 6. **Deleting files with `rm`** — always move to `~/tmp/agents_trash`. A deleted file may
    contain context that's not recoverable from git if it was gitignored.
 
+7. **Treating `$effect` blocks as auth bypass risks** — a `$effect` inside a child
+   component cannot bypass a parent `+layout.svelte` auth gate. Children only mount if
+   the parent calls `{@render children?.()}`. Adding redundant auth guards to `$effect`
+   blocks that can only run after the parent gate already passed is unnecessary — and
+   misleads future readers into thinking the parent gate is not sufficient on its own.
+   The **real** pre-gate risk is `+page.ts` / `+layout.ts`: universal load functions run
+   before any layout mounts and also fire during SvelteKit link prefetch. Keep those files
+   clean of data loads in private modules. See `GUIDE__SvelteKit2_Svelte5_DexieJS.md` →
+   "SvelteKit Layout Hierarchy: Security and Execution Order" for the full explanation.
+
 ---
 
 ## 8. Source Layout (Quick Reference)