Two regressions surfaced by running the L1 e2e suite against current main
(which carries PR #174's /home routing migration):
1. L1 post-login redirect keyed off `pathname === '/'`, but the authed index
moved to /home in #174 — so L1 users landed on the engineer dashboard
instead of /l1. Replace the ad-hoc '/' and /pilot|/assistant checks with a
single allowlist: l1_tech users may only reach /l1*, /guides, /account,
/change-password; everything else (incl. /home, /pilot, /trees/*,
/escalations) bounces to /l1. Runs before the requiredRole check so L1
users never trip the engineer-route role logic.
2. Rail nav Links exposed only the truncated shortLabel as their accessible
name (title= is not an accessible-name source when visible text exists), so
the "L1 Workspace" coverage-engineer link was unreachable by role+name. Add
aria-label={item.label} for an accurate accessible name on every rail link.
Fixes all 3 failing cases in e2e/l1-workspace.spec.ts. tsc + eslint clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Michael Chihlas
890cb80bef