fix(l1): resolve PR #193 frontend review findings (2a,2b,3,4,5,7)

Mounts L1EscalationsSection on EscalationQueuePage (Finding 2a — it was never
rendered) and renders the correct fields: step.question ?? step.text, timeAgo,
and the session problem_text (Finding 2b). ProposalDetail gates the /pilot link
on source_session_id and shows an L1-source block for l1_session_id-sourced
proposals (Finding 3 — was a broken /pilot/null link). Collapses the three
near-identical intake handlers into one runIntake: "Use this flow" now passes
near_miss.flow_id (Finding 4 — it previously re-suggested forever) and a
navigate guard prevents /l1/walk/undefined; out_of_scope gains a "Walk it
ad-hoc" button (Finding 5). Aligns L1-category permissions to owner+admin:
usePermissions.canManageAccount includes account admins, User.account_role TS
type gains 'admin', and a new ProtectedRoute requireAccountManager guard fronts
the route (Finding 7). Drops the unused NextNodeRequest.acknowledged field.

tsc -b + eslint + vite build clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

frontend/src/hooks/usePermissions.ts

@@ -88,7 +88,13 @@ export function usePermissions() {
     // Management permissions
     canManageCategories: hasMinimumRole(user, 'owner'),
     canManageGlobalCategories: effectiveRole === 'super_admin',
-    canManageAccount: effectiveRole === 'super_admin' || effectiveRole === 'owner',
+    // Mirrors backend User.can_manage_account (super_admin OR owner OR admin).
+    // account_role 'admin' isn't in the effectiveRole hierarchy, so check it
+    // directly — otherwise account admins map to 'viewer' and are wrongly excluded.
+    canManageAccount:
+      effectiveRole === 'super_admin' ||
+      effectiveRole === 'owner' ||
+      user?.account_role === 'admin',
 
     canManageScriptTemplate: (template: { created_by: string | null; team_id?: string | null }) => {
       if (!user) return false