Instead of checking membership across all groups in novi_idaa_group_guid_li
(site config), pass the single g_uuid from the URL param. Each Novi iframe
page supplies the group relevant to that specific meeting, so checking just
that one group is both more precise and avoids unnecessary Novi API calls.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously, IDAA iframe access relied on trusting URL params (uuid, email,
full_name) passed from Novi — any 36-char string granted authenticated access
with no actual verification.
The (idaa)/+layout.svelte now performs an async Novi API call on every UUID
load to verify the UUID exists, fetches name/email directly from Novi (cannot
be spoofed via URL), and sets $idaa_loc.novi_verified on success.
All-or-nothing: if novi_idaa_api_key is absent or the call fails, access denied.
- ae_idaa_stores.ts: add novi_verified boolean field to idaa_loc
- (idaa)/+layout.svelte: async UUID verification with spinner to prevent
Access Denied flash; permission upgrade-only strategy preserved
- video_conferences/+page.svelte: skip duplicate Novi member details call if
layout already verified ($idaa_loc.novi_verified check)
- iframe HTML files: remove browser-side Novi API fetch and email/full_name
params; pass only uuid; add README/START/STOP/WARNING comments for client
staff; fix iframe-before-script DOM ordering bug
- documentation: CLIENT__IDAA_and_customized_mods.md updated with full
verification flow, site_cfg_json fields, permission table, access gate
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Refactor Jitsi reports to use SvelteKit streaming with a skeleton loader.
- Add conference lifecycle event listeners (left, close) to video conference page.
- Implement manual Novi data re-sync and improve initialization robustness.
- Fix skeleton visibility by using standard Tailwind colors.
- Updated ae_types.ts with missing IDAA-specific fields for Archives and Events (topic_name, archive_on, contact_li_json, etc.) using snake_case.
- Refactored bulletin board post filter to safely handle null archive_on dates.
- Fixed missing 'data' prop assignment in bulletin board list component to resolve type error.
- Corrected core_func.download_export__obj_type method name in recovery meetings export.
- Hardened safety checks for contact_li_json in recovery meetings view logic to prevent null property access.
- Mapped Jitsi meeting event data to internal snake_case variables and fixed input type assignments.
- Updated project documentation (TODO, GEMINI.md, .ae_brief) to reflect IDAA hardening progress.
- Unified Person and User logic into ae_core__* counterparts and marked legacy files.
- Renamed Activity Log to ae_core__activity_log.ts for naming consistency.
- Updated all core function imports across the identity, logs, and video conference modules.
- Fixed missing 'prefix' field in Person form payload and corrected return types in Activity Log.
- Updated project TODO to reflect completed core module refinements.
