fix(security): stop cross-user offline data leak on shared devices (#1176)

Closes BLOCKER B4 — three reinforcing paths could serve one account's
cached data to the next user on a shared device:

- The Workbox 'api-data' cache keyed trip/user-scoped GETs by URL only
  (cookie-blind). Changed to NetworkOnly; offline reads come from the
  per-user IndexedDB cache via the repo layer instead.
- IndexedDB had no per-user scoping. The Dexie connection is now scoped
  per user (trek-offline-u<id>) behind a Proxy so the ~19 importers keep a
  stable binding; login opens the user DB, logout deletes it and returns
  to the anonymous DB.
- logout() was fire-and-forget and racy: background flush/syncAll could
  re-seed the DB after the wipe. It is now async and ordered — close an
  auth gate, unregister sync triggers, disconnect, clear caches, delete
  the user DB — and flush()/syncAll() bail when the gate is closed.

client/tests/unit/sync/mutationQueue.test.ts

@@ -8,6 +8,7 @@ import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
 import 'fake-indexeddb/auto';
 import { server } from '../../helpers/msw/server';
 import { http, HttpResponse } from 'msw';
+import { setAuthed } from '../../../src/sync/authGate';
 import { mutationQueue, generateUUID, nextTempId } from '../../../src/sync/mutationQueue';
 import { offlineDb, clearAll } from '../../../src/db/offlineDb';
 import { placeRepo } from '../../../src/repo/placeRepo';
@@ -16,11 +17,13 @@ import { buildPlace, buildPackingItem } from '../../helpers/factories';
 beforeEach(async () => {
   await clearAll();
   mutationQueue._resetFlushing();
+  setAuthed(true);
   Object.defineProperty(navigator, 'onLine', { value: true, writable: true, configurable: true });
 });
 
 afterEach(() => {
   vi.restoreAllMocks();
+  setAuthed(false);
 });
 
 // ── helpers ──────────────────────────────────────────────────────────────────
@@ -215,6 +218,25 @@ describe('mutationQueue.flush — offline guard', () => {
     const m = await offlineDb.mutationQueue.get(id);
     expect(m!.status).toBe('pending');
   });
+
+  it('does nothing when logged out (auth gate closed)', async () => {
+    setAuthed(false);
+    const id = generateUUID();
+    await mutationQueue.enqueue(makeMutation({ id }));
+
+    let called = false;
+    server.use(
+      http.post('/api/trips/1/places', () => {
+        called = true;
+        return HttpResponse.json({ place: buildPlace({ trip_id: 1 }) });
+      }),
+    );
+
+    await mutationQueue.flush();
+    expect(called).toBe(false);
+    const m = await offlineDb.mutationQueue.get(id);
+    expect(m!.status).toBe('pending');
+  });
 });
 
 // ── pending / pendingCount ────────────────────────────────────────────────────