fix(l1): resolve PR #193 backend review findings (1,4,5,6,7,8,9,10)

Server-assigns a uuid4 id to every AI-generated node (Finding 1 showstopper:
nodes had no id but the advance protocol keys on node_id, so ai_build walks
never advanced past question 1). Replaces the hidden {"node_type":"meta"}
walked_path convention with real category/problem_text/pending_node columns on
l1_walk_sessions (migration 61dda4f615c6) — fixes junk proposals + off-by-one
depth cap (Findings 8,9), and pending_node replays the served node on re-mount
(no duplicate paid LLM call). Intake honors explicit flow_id and adhoc=True
(Findings 4,5); flow_proposals.l1_session_id FK -> CASCADE (Finding 6 time
bomb); L1 category GET is owner+admin like PATCH and require_account_owner_or_admin
delegates to User.can_manage_account (Finding 7); escalate falls back to default
recipients + filters deleted_at + warns when empty (Finding 10). Cleanups: dead
ticket_ref removed, IntakeResponse per-outcome validator, unused acknowledged
dropped, escalations partial index, restored a deleted audit assertion.

Full Phase 2A backend set: 110 passed / 0 failed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

backend/app/models/l1_walk_session.py

@@ -8,8 +8,7 @@ import uuid
 from datetime import datetime, timezone
 from typing import Any, Optional, TYPE_CHECKING
 
-import sqlalchemy as sa
-from sqlalchemy import String, Text, DateTime, Boolean, ForeignKey, CheckConstraint
+from sqlalchemy import String, Text, DateTime, Boolean, ForeignKey, CheckConstraint, Index
 from sqlalchemy import text as sa_text
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from sqlalchemy.dialects.postgresql import UUID, JSONB
@@ -59,6 +58,12 @@ class L1WalkSession(Base):
             "OR (session_kind IN ('adhoc', 'ai_build') AND flow_id IS NULL AND flow_proposal_id IS NULL)",
             name="ck_l1_walk_sessions_target_consistency",
         ),
+        # Partial index backing GET /l1/escalations (the engineer handoff queue).
+        Index(
+            "ix_l1_walk_sessions_escalated",
+            "account_id", sa_text("last_step_at DESC"),
+            postgresql_where=sa_text("status = 'escalated'"),
+        ),
     )
 
     id: Mapped[uuid.UUID] = mapped_column(
@@ -86,6 +91,14 @@ class L1WalkSession(Base):
 
     # ── Session kind + target ──
     session_kind: Mapped[str] = mapped_column(String(20), nullable=False)
+    # AI-build context (ai_build sessions only). Persisted at intake so /next-node
+    # never has to re-fetch the ticket or scan walked_path to recover them — they
+    # are immutable for the life of the session. Replaces the former hidden
+    # ``{"node_type":"meta"}`` walked_path entry (deleted: it leaked into every
+    # consumer that forgot to skip it — junk proposals, off-by-one depth cap,
+    # blank escalation rows).
+    category: Mapped[Optional[str]] = mapped_column(String(100), nullable=True)
+    problem_text: Mapped[Optional[str]] = mapped_column(Text(), nullable=True)
     flow_id: Mapped[Optional[uuid.UUID]] = mapped_column(
         UUID(as_uuid=True),
         ForeignKey("trees.id", ondelete="SET NULL"),
@@ -99,6 +112,12 @@ class L1WalkSession(Base):
 
     # ── Navigation state ──
     current_node_id: Mapped[Optional[str]] = mapped_column(String(100), nullable=True)
+    # The node served to the tech but not yet answered (ai_build only). Replayed on
+    # the next /next-node call with node_id=None so a refresh / StrictMode double-mount
+    # doesn't fire a fresh paid LLM call (and possibly swap the question mid-answer).
+    pending_node: Mapped[Optional[dict[str, Any]]] = mapped_column(
+        JSONB(), nullable=True,
+    )
     walked_path: Mapped[list[dict[str, Any]]] = mapped_column(
         JSONB(), nullable=False, server_default=sa_text("'[]'::jsonb"),
     )