docs: capture IDAA IDB audit results and layout security model

- TODO__Agents.md: mark IDAA IDB caching item complete (audited 2026-04-28);
  all protection layers confirmed in place, no code changes needed
- GUIDE__SvelteKit2_Svelte5_DexieJS.md: add "SvelteKit Layout Hierarchy:
  Security and Execution Order" section explaining execution order, auth-gate
  consequences, pre-gate risks in +page.ts/+layout.ts, and the reactivity-guard
  vs auth-guard distinction for IDAA $effect blocks
- BOOTSTRAP__AI_Agent_Quickstart.md: add Mistake #7 — treating $effect blocks
  as auth bypass risks vs understanding the real layout hierarchy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-04-28 16:10:17 -04:00
parent b4f0ca3e64
commit de07fa0e0e
3 changed files with 93 additions and 16 deletions


@@ -118,22 +118,16 @@ suddenly jumps to 0 errors, verify it's not because a bad `.d.ts` replaced a pac
Run `npx svelte-check 2>&1 | grep ModalProps` to get the current list.
Fix pattern: replace `children` prop binding with Svelte snippet syntax per flowbite-svelte docs.
- [ ] **[IDAA] Do not cache IDAA data in IDB when access is denied (2026-04-19)**
If a user is not authenticated or receives an access-denied response, the frontend must
**not** pre-fetch or cache any IDAA content (Posts, Archives, Events/Recovery Meetings)
into the local browser IndexedDB (Dexie). Storing private IDAA data in IDB on an
unauthenticated device is a privacy violation — the data would persist in the browser
even after the session ends, accessible to the next person who opens DevTools.
**Fix pattern:**
- All IDAA SWR load functions (`load_ae_obj_li__*` in `ae_idaa/`, `ae_posts/`, and the
IDAA-specific event queries) must gate on a successful auth check before calling
`_refresh_*_background` or writing to IDB.
- If the API returns a 401/403, do not write to Dexie — return/throw early.
- On explicit logout or Novi auth invalidation, purge IDAA tables from IDB
(`db_idaa`, `db_posts`, and any IDAA event records in `db_events`).
- Audit all `+page.ts` / `+layout.ts` files under `src/routes/idaa/` to confirm
no eager prefetch runs before the auth guard resolves.
- [x] **[IDAA] Do not cache IDAA data in IDB when access is denied (2026-04-19, audited 2026-04-28)**
Full audit confirmed all protection layers are in place. No code changes required.
- All `+page.ts` / `+layout.ts` under `src/routes/idaa/` are clean — no SWR loads run before auth resolves.
- All `$effect` SWR calls in IDAA `+page.svelte` files are gated on `$idaa_loc.novi_verified || $ae_loc.trusted_access`.
- `(idaa)/+layout.svelte` purges `db_posts`, `db_archives`, `db_events` on auth failure, no-UUID/no-session, and inconsistent state.
- `sign_out()` calls `indexedDB.deleteDatabase()` on all IDAA databases.
- API 401/403 responses fail-fast in `api_get_object.ts` (throw before any IDB write).
- `idaa_trig` is in-memory `writable()` only — cannot carry stale trigger state across sessions.
- `$effect` auth guards in IDAA page components are reactivity guards (prevent spurious SWR calls on coarse `$ae_loc` writes), NOT auth-bypass guards. SvelteKit layout hierarchy already prevents child components from mounting when `(idaa)/+layout.svelte` blocks rendering.
- Doc: SvelteKit layout hierarchy security model captured in `GUIDE__SvelteKit2_Svelte5_DexieJS.md` and `BOOTSTRAP__AI_Agent_Quickstart.md` (Mistake #7).
- [ ] **[IDAA] Make `contact_li_json_ext` searchable — Recovery Meeting contact search (2026-04-08)**
Members cannot search for meetings by contact name or email. `contact_li_json` data is not
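Review bot: the purge list in the new audit line (`(idaa)/+layout.svelte` purges `db_posts`, `db_archives`, `db_events`) no longer names `db_idaa`, which the removed fix pattern called out explicitly ("`db_idaa`, `db_posts`, and any IDAA event records in `db_events`"). Either note that `db_idaa` was renamed or folded into `db_archives`, or confirm the layout purge also clears it; the `sign_out()` line only covers explicit logout, not the auth-failure, no-session, or inconsistent-state paths the layout handles. Also, the reactivity-guard line would read more safely with a short reminder that a render gate in `+layout.svelte` stops child components (and their `$effect` blocks) from mounting but does not stop `+page.ts` / `+layout.ts` `load` functions from running; the separate "no SWR loads run before auth resolves" line is what actually closes that path, so tying the two together keeps a future reader from relying on the layout gate alone.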