feat(routing): serve public landing at / and move authed index to /home

Stripe's compliance crawler fetches the apex URL without executing JS and
declined live-mode review when `https://resolutionflow.com/` returned the
empty SPA shell that redirected to /landing client-side. Restructure the
router so / serves LandingPage directly:

- `/` → new `PublicLanding` wrapper (LandingPage for anon; Navigate to
  /home for authed users so there's no marketing-frame flicker).
- Authed tree converted to a path-less layout route with absolute child
  paths. QuickStartPage moves to `/home`; all other children
  (`/trees`, `/pilot`, `/admin/*`, `/account/*`, etc.) keep their URLs.
- `/landing` kept as a one-release stale-bookmark redirect to /.
- `ProtectedRoute` unauth redirect flipped /landing → /; `state.from`
  preserved for post-login return.

Reference updates:
- Post-login / post-onboarding destinations → /home: OAuthCallbackPage
  (incl. `?welcome=teammate` query), WelcomeStep1/2/3 dismiss-rest,
  AssistantChatPage post-escalate, WelcomeRouter completion/dismiss
  redirects, VerifyEmailPage's three "Go to dashboard" links.
- Authed chrome → /home: TopBar logo, AppLayout mobile nav + drawer
  logo, CommandPalette Dashboard entry.
- Dashboard onboarding → /home: NextStepCard `ran_session.ctaPath`,
  SetupChecklist `ran_session.path`, SessionHistoryPage empty-state CTA.
- Public back-links → /: TermsPage, PrivacyPage, PoliciesPage,
  ContactPage, PromotionsPage, PublicTemplatesPage (header + footer).
  SharedSessionPage's `to="/"` left as-is — now correctly lands anon
  visitors on the public landing.

Crawlability:
- New `frontend/public/robots.txt` allowlisting public pages and
  disallowing the authed app.
- New `frontend/public/sitemap.xml` for /, /pricing, /contact-sales,
  /contact, /templates, /terms, /privacy, /policies, /promotions.
- `PageMeta` gains an `og:url` (defaults to `window.location.href`) and
  flips `twitter:card` to `summary_large_image` when an `ogImage` is
  passed.

Tests:
- `AppLayout.test.tsx` updated to mount at `/home`.
- New `ProtectedRoute.test.tsx` asserts unauthenticated `/home`
  redirects to `/` (not `/landing`) and preserves origin in `state.from`.

If Stripe's crawler still cannot see the site after this (zero-JS
crawler), the documented next escalation is server-side prerendering of
public routes via `vite-plugin-ssg`. Out of scope here.

Plan: docs/plans/2026-05-13-public-landing-routing-refactor.md

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/src/router.tsx

@@ -7,6 +7,7 @@ import { RouteError } from '@/components/common/RouteError'
 import { ErrorBoundary } from '@/components/common/ErrorBoundary'
 import { PageLoader } from '@/components/common/PageLoader'
 import { lazyWithRetry } from '@/lib/lazyWithRetry'
+import { useAuthStore } from '@/store/authStore'
 
 const sentryCreateBrowserRouter = Sentry.wrapCreateBrowserRouterV7(createBrowserRouter)
 import {
@@ -118,10 +119,27 @@ function page(Component: React.LazyExoticComponent<React.ComponentType>) {
   )
 }
 
+/**
+ * Public `/` wrapper — sends authenticated users to /home before LandingPage
+ * mounts, so they never see marketing-frame flicker.
+ */
+// eslint-disable-next-line react-refresh/only-export-components -- router.tsx exports a router instance, not a component
+function PublicLanding() {
+  const isAuthed = useAuthStore((s) => s.isAuthenticated)
+  if (isAuthed) return <Navigate to="/home" replace />
+  return page(LandingPage)
+}
+
 export const router = sentryCreateBrowserRouter([
+  {
+    path: '/',
+    element: <PublicLanding />,
+    errorElement: <RouteError />,
+  },
+  // Stale-bookmark redirect — keep one release, delete in a follow-up.
   {
     path: '/landing',
-    element: page(LandingPage),
+    element: <Navigate to="/" replace />,
     errorElement: <RouteError />,
   },
   {
@@ -229,7 +247,6 @@ export const router = sentryCreateBrowserRouter([
     errorElement: <RouteError />,
   },
   {
-    path: '/',
     element: (
       <ProtectedRoute>
         <AppLayout />
@@ -237,56 +254,56 @@ export const router = sentryCreateBrowserRouter([
     ),
     errorElement: <RouteError />,
     children: [
-      { index: true, element: page(QuickStartPage) },
-      { path: 'trees', element: page(TreeLibraryPage) },
-      { path: 'my-trees', element: page(MyTreesPage) },
-      { path: 'trees/new', element: page(TreeEditorPage) },
-      { path: 'trees/:id/edit', element: page(TreeEditorPage) },
-      { path: 'flows/new', element: page(ProceduralEditorPage) },
-      { path: 'flows/:id/edit', element: page(ProceduralEditorPage) },
-      { path: 'flows/:id/navigate', element: page(ProceduralNavigationPage) },
-      { path: 'flows/:id/maintenance', element: page(MaintenanceFlowDetailPage) },
-      { path: 'flows/:id/batches/:batchId', element: page(BatchStatusPage) },
-      { path: 'trees/:id/navigate', element: page(TreeNavigationPage) },
-      { path: 'sessions', element: page(SessionHistoryPage) },
-      { path: 'sessions/:id', element: page(SessionDetailPage) },
-      { path: 'tickets', element: page(TicketsPage) },
-      { path: 'shares', element: page(MySharesPage) },
-      { path: 'analytics', element: page(TeamAnalyticsPage) },
-      { path: 'analytics/me', element: page(MyAnalyticsPage) },
-      { path: 'feedback', element: page(FeedbackPage) },
-      { path: 'step-library', element: page(StepLibraryPage) },
-      { path: 'scripts', element: page(ScriptLibraryPage) },
-      { path: 'scripts/manage', element: page(ScriptManagePage) },
-      { path: 'script-builder', element: page(ScriptBuilderPage) },
-      { path: 'network-diagrams', element: page(NetworkDiagramsPage) },
-      { path: 'network-diagrams/new', element: page(DiagramEditorPage) },
-      { path: 'network-diagrams/:id', element: page(DiagramEditorPage) },
-      { path: 'kb-accelerator', element: page(KBAcceleratorPage) },
+      { path: '/home', element: page(QuickStartPage) },
+      { path: '/trees', element: page(TreeLibraryPage) },
+      { path: '/my-trees', element: page(MyTreesPage) },
+      { path: '/trees/new', element: page(TreeEditorPage) },
+      { path: '/trees/:id/edit', element: page(TreeEditorPage) },
+      { path: '/flows/new', element: page(ProceduralEditorPage) },
+      { path: '/flows/:id/edit', element: page(ProceduralEditorPage) },
+      { path: '/flows/:id/navigate', element: page(ProceduralNavigationPage) },
+      { path: '/flows/:id/maintenance', element: page(MaintenanceFlowDetailPage) },
+      { path: '/flows/:id/batches/:batchId', element: page(BatchStatusPage) },
+      { path: '/trees/:id/navigate', element: page(TreeNavigationPage) },
+      { path: '/sessions', element: page(SessionHistoryPage) },
+      { path: '/sessions/:id', element: page(SessionDetailPage) },
+      { path: '/tickets', element: page(TicketsPage) },
+      { path: '/shares', element: page(MySharesPage) },
+      { path: '/analytics', element: page(TeamAnalyticsPage) },
+      { path: '/analytics/me', element: page(MyAnalyticsPage) },
+      { path: '/feedback', element: page(FeedbackPage) },
+      { path: '/step-library', element: page(StepLibraryPage) },
+      { path: '/scripts', element: page(ScriptLibraryPage) },
+      { path: '/scripts/manage', element: page(ScriptManagePage) },
+      { path: '/script-builder', element: page(ScriptBuilderPage) },
+      { path: '/network-diagrams', element: page(NetworkDiagramsPage) },
+      { path: '/network-diagrams/new', element: page(DiagramEditorPage) },
+      { path: '/network-diagrams/:id', element: page(DiagramEditorPage) },
+      { path: '/kb-accelerator', element: page(KBAcceleratorPage) },
       // Phase 1 — FlowPilot migration. The unified chat-primary surface lives at
       // /pilot; /assistant permanently redirects. FlowPilotSessionPage (old
       // guided surface) is no longer mounted.
-      { path: 'pilot', element: page(AssistantChatPage) },
-      { path: 'pilot/:sessionId', element: page(AssistantChatPage) },
-      { path: 'assistant', element: <Navigate to="/pilot" replace /> },
-      { path: 'assistant/:sessionId', element: <AssistantSessionRedirect /> },
-      { path: 'flow-assist', element: page(FlowAssistPage) },
-      { path: 'escalations', element: page(EscalationQueuePage) },
-      { path: 'queue', element: page(SessionQueuePage) },
-      { path: 'review-queue', element: page(ReviewQueuePage) },
-      { path: 'analytics/flowpilot', element: page(FlowPilotAnalyticsPage) },
-      { path: 'dev/branching', element: page(DevBranchingPage) },
-      { path: 'guides', element: page(GuidesHubPage) },
-      { path: 'guides/:slug', element: page(GuideDetailPage) },
+      { path: '/pilot', element: page(AssistantChatPage) },
+      { path: '/pilot/:sessionId', element: page(AssistantChatPage) },
+      { path: '/assistant', element: <Navigate to="/pilot" replace /> },
+      { path: '/assistant/:sessionId', element: <AssistantSessionRedirect /> },
+      { path: '/flow-assist', element: page(FlowAssistPage) },
+      { path: '/escalations', element: page(EscalationQueuePage) },
+      { path: '/queue', element: page(SessionQueuePage) },
+      { path: '/review-queue', element: page(ReviewQueuePage) },
+      { path: '/analytics/flowpilot', element: page(FlowPilotAnalyticsPage) },
+      { path: '/dev/branching', element: page(DevBranchingPage) },
+      { path: '/guides', element: page(GuidesHubPage) },
+      { path: '/guides/:slug', element: page(GuideDetailPage) },
       // Welcome wizard (Phase 2). Mounted inside AppLayout so the email-
       // verification banner persists above each step.
-      { path: 'welcome', element: page(WelcomeRouter) },
-      { path: 'welcome/step-1', element: page(WelcomeStep1) },
-      { path: 'welcome/step-2', element: page(WelcomeStep2) },
-      { path: 'welcome/step-3', element: page(WelcomeStep3) },
+      { path: '/welcome', element: page(WelcomeRouter) },
+      { path: '/welcome/step-1', element: page(WelcomeStep1) },
+      { path: '/welcome/step-2', element: page(WelcomeStep2) },
+      { path: '/welcome/step-3', element: page(WelcomeStep3) },
       // Admin routes
       {
-        path: 'admin',
+        path: '/admin',
         element: (
           <ErrorBoundary>
             <Suspense fallback={<PageLoader />}>
@@ -315,7 +332,7 @@ export const router = sentryCreateBrowserRouter([
       },
       // Account routes
       {
-        path: 'account',
+        path: '/account',
         element: (
           <ErrorBoundary>
             <Suspense fallback={<PageLoader />}>