fix(bootstrap): validate access_key server-side, prevent stale cache bypass

When a URL access_key is present, skip the Dexie cache fast-path in
lookup_site_domain entirely — the key must be validated against the API.
Previously, a stale cached entry with a previously-valid key would be
returned immediately, allowing access even after the key changed or
was revoked in the URL.

Also: add site_domain_access_key to properties_to_save__site_domain
so domain-level keys are persisted to Dexie for cache validation;
remove shadow access_key re-declaration in +layout.ts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

documentation/GUIDE__AE_API_V3_for_Frontend.md

@@ -46,10 +46,9 @@ When the frontend first loads and doesn't know the `account_id`, it performs a "
 
 > **Access Key Support**
 >
-> Some client deployments restrict their domain to authenticated sessions via an access key set in the URL (e.g. `https://client.example.com/?key=abc123`).
+> Some client deployments restrict their domain via an access key passed in the browser URL (e.g. `?key=abc123`). The frontend reads this param and forwards it as `access_key` in the POST body.
 >
 > **How to pass the key:**
-> Read the `key` query param from the browser URL. If present and non-empty, include it as `access_key` in the POST body:
 > ```json
 > {
 >   "and": [
@@ -58,24 +57,23 @@ When the frontend first loads and doesn't know the `account_id`, it performs a "
 >   ]
 > }
 > ```
-> If `key` is absent, empty, or falsy — omit `access_key` from the payload entirely (do not send `"access_key": ""`).
+> If `key` is absent, empty, or falsy — **omit `access_key` from the payload entirely**. Do not send `"access_key": ""`.
 >
 > **Server behavior:**
-> - `v_site_domain.site_access_key` (site-level) takes priority. If set, all domains under that site require it.
-> - `v_site_domain.site_domain_access_key` (domain-level) is used only when `site_access_key` is not set.
-> - A domain is **public** only when **both** key columns are NULL/empty — no `access_key` needed.
-> - Falsy `access_key` values (empty string, etc.) are ignored server-side as a safety net.
-> - A successful match returns `200` with the matching record. No match returns `200` with an empty list `[]`.
-> - Do **not** use `access_code_kv_json` for this — that field is consumed by UI features and is unrelated to access control.
+> - `site_access_key` (site-level key) takes priority. If set, all domains under that site require it.
+> - `site_domain_access_key` (domain-level key) is used as fallback when `site_access_key` is not set.
+> - A domain is **public** only when **both** key columns are NULL/empty.
+> - Falsy `access_key` values are ignored server-side as a safety net.
+> - Match → `200` with the record. No match → `200` with empty list `[]`.
+> - Do **not** use `access_code_kv_json` for this — that field is for UI features only.
 >
-> **Examples:**
 > | Browser URL | `access_key` in payload | Result |
 > |---|---|---|
-> | `https://dev-demo.oneskyit.com` | *(omit)* | ✅ Returns record (public domain) |
+> | `https://dev-demo.oneskyit.com` | *(omit)* | ✅ Returns record (public) |
 > | `https://client.example.com/?key=correct` | `"correct"` | ✅ Returns record |
-> | `https://client.example.com/` | *(omit)* | ❌ Empty list (key required) |
-> | `https://client.example.com/?key=wrong` | `"wrong"` | ❌ Empty list (wrong key) |
-> | `https://client.example.com/?key=` | *(omit — strip empty)* | ❌ Empty list (key required) |
+> | `https://client.example.com/` | *(omit)* | ❌ Empty (key required) |
+> | `https://client.example.com/?key=wrong` | `"wrong"` | ❌ Empty (wrong key) |
+> | `https://client.example.com/?key=` | *(omit — strip empty)* | ❌ Empty (key required) |
 >
 ---