fix(security): stop cross-user offline data leak on shared devices (#1176)

Closes BLOCKER B4 — three reinforcing paths could serve one account's
cached data to the next user on a shared device:

- The Workbox 'api-data' cache keyed trip/user-scoped GETs by URL only
  (cookie-blind). Changed to NetworkOnly; offline reads come from the
  per-user IndexedDB cache via the repo layer instead.
- IndexedDB had no per-user scoping. The Dexie connection is now scoped
  per user (trek-offline-u<id>) behind a Proxy so the ~19 importers keep a
  stable binding; login opens the user DB, logout deletes it and returns
  to the anonymous DB.
- logout() was fire-and-forget and racy: background flush/syncAll could
  re-seed the DB after the wipe. It is now async and ordered — close an
  auth gate, unregister sync triggers, disconnect, clear caches, delete
  the user DB — and flush()/syncAll() bail when the gate is closed.

client/src/sync/authGate.ts

@@ -0,0 +1,18 @@
+/**
+ * Auth gate — a single boolean the sync layer checks before touching the
+ * offline DB. It lets logout disable all background sync (flush / syncAll /
+ * periodic triggers) *before* awaiting the DB swap, so an in-flight loop can't
+ * re-seed the database after the user has logged out.
+ *
+ * Kept separate from authStore to avoid an import cycle
+ * (authStore → tripSyncManager → authStore).
+ */
+let _authed = false
+
+export function setAuthed(value: boolean): void {
+  _authed = value
+}
+
+export function isAuthed(): boolean {
+  return _authed
+}