Update Sprint 020: all 6 tasks DONE including critical route redirect fix

Sprint 020 complete: scan ID mismatch, user ID display, feed status text,
route redirect race condition, exception scope mismatch, admin scope bypass.
All verified via Playwright on fresh install.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/implplan/SPRINT_20260316_020_FE_deep_journey_quality_fixes.md

@@ -47,9 +47,38 @@ Task description:
 | 2026-03-16 | Sprint created from deep journey iteration 2. | Developer |
 | 2026-03-16 | J20-T01 DONE: Fixed scanId field mismatch + PascalCase status normalization. | Developer |
 
+### J20-T04 - Fix critical route redirect race condition
+Status: DONE
+Dependency: none
+Owners: Developer
+Task description:
+- PlatformContextUrlSyncService used router.navigateByUrl() to sync query params
+  which re-evaluated canMatch guards during auth session hydration, causing random
+  page redirects across ALL routes.
+- Fixed: replaced with Location.replaceState() which updates browser URL without
+  triggering Angular router navigation (and thus guards).
+
+### J20-T05 - Fix exception scope mismatch (singular vs plural)
+Status: DONE
+Dependency: none
+Owners: Developer
+Task description:
+- Authority issues 'exceptions:read' (plural) but guards checked 'exception:read' (singular).
+- Fixed scope constants and description map to use plural form.
+
+### J20-T06 - Fix admin scope bypass (admin vs ui.admin)
+Status: DONE
+Dependency: none
+Owners: Developer
+Task description:
+- Guards checked for 'admin' scope but token has 'ui.admin'.
+- Fixed: admin bypass in all guards now accepts both 'admin' and 'ui.admin'.
+
 ## Decisions & Risks
 - J20-T01 is a blocking bug — scan submit is a primary user workflow.
 - J20-T02 and J20-T03 are UX polish items.
+- J20-T04 is the MOST CRITICAL fix — route redirects affected every page in the app.
+- J20-T05 and J20-T06 are correctness fixes that enable proper RBAC.
 
 ## Journey Path Record
 **Completed journey depth (iteration 2):**