fix(l1): confine L1 techs to their surface + accessible rail nav labels

Two regressions surfaced by running the L1 e2e suite against current main
(which carries PR #174's /home routing migration):

1. L1 post-login redirect keyed off `pathname === '/'`, but the authed index
   moved to /home in #174 — so L1 users landed on the engineer dashboard
   instead of /l1. Replace the ad-hoc '/' and /pilot|/assistant checks with a
   single allowlist: l1_tech users may only reach /l1*, /guides, /account,
   /change-password; everything else (incl. /home, /pilot, /trees/*,
   /escalations) bounces to /l1. Runs before the requiredRole check so L1
   users never trip the engineer-route role logic.

2. Rail nav Links exposed only the truncated shortLabel as their accessible
   name (title= is not an accessible-name source when visible text exists), so
   the "L1 Workspace" coverage-engineer link was unreachable by role+name. Add
   aria-label={item.label} for an accurate accessible name on every rail link.

Fixes all 3 failing cases in e2e/l1-workspace.spec.ts. tsc + eslint clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/src/components/layout/ProtectedRoute.tsx

@@ -30,6 +30,24 @@ export function ProtectedRoute({ requiredRole, children }: ProtectedRouteProps)
     return <Navigate to="/change-password" replace />
   }
 
+  // L1 techs are confined to their focused surface. The sidebar only exposes
+  // /l1*, /guides, and /account for them, so any other authed path (the engineer
+  // dashboard at /home, /pilot, /trees/*, /escalations, …) bounces to /l1. This
+  // also covers post-login landing: auth sends users to /home, which is not in
+  // the allowlist, so l1_tech users end up on /l1. Engineer-only AI surfaces
+  // (/pilot, /assistant) would 403 at POST /api/v1/ai-sessions anyway — this
+  // turns that backend error into a clean redirect. Runs before the requiredRole
+  // check so L1 users never trip the engineer-route role logic.
+  if (effectiveRole === 'l1_tech') {
+    const L1_ALLOWED_PREFIXES = ['/l1', '/guides', '/account', '/change-password']
+    const allowed = L1_ALLOWED_PREFIXES.some(
+      (p) => location.pathname === p || location.pathname.startsWith(p + '/'),
+    )
+    if (!allowed) {
+      return <Navigate to="/l1" replace />
+    }
+  }
+
   if (requiredRole) {
     const ROLE_HIERARCHY: Record<EffectiveRole, number> = {
       super_admin: 5,
@@ -43,23 +61,6 @@ export function ProtectedRoute({ requiredRole, children }: ProtectedRouteProps)
     }
   }
 
-  // L1 users landing on / (e.g. post-login) get redirected to their workspace.
-  // Does not fire when already on /l1 or any other path, preventing loops.
-  if (effectiveRole === 'l1_tech' && location.pathname === '/') {
-    return <Navigate to="/l1" replace />
-  }
-
-  // L1 users hitting engineer-only AI surfaces (Pilot / Assistant) get pushed
-  // back to /l1 — POST /api/v1/ai-sessions rejects them with 403 anyway, so
-  // this just turns a backend error into a clean route-level redirect.
-  if (
-    effectiveRole === 'l1_tech' &&
-    (location.pathname.startsWith('/pilot') ||
-      location.pathname.startsWith('/assistant'))
-  ) {
-    return <Navigate to="/l1" replace />
-  }
-
   return <>{children}</>
 }
 

frontend/src/components/layout/Sidebar.tsx

@@ -256,6 +256,7 @@ export function Sidebar() {
               : 'text-text-rail-label hover:text-foreground'
           )}
           title={item.label}
+          aria-label={item.label}
         >
           <span className="relative">
             <Icon size={24} strokeWidth={1.6} className={active ? 'opacity-100' : 'opacity-60 group-hover:opacity-85'} />