Repair live watchlist frontdoor routing

docs/modules/attestor/architecture.md

@@ -927,11 +927,13 @@ The Attestor provides proactive monitoring for signing identities appearing in t
 
 ### Scope Hierarchy
 
-| Scope | Visibility | Who Can Create |
-|-------|------------|----------------|
-| `tenant` | Owning tenant only | Tenant admins |
-| `global` | All tenants | Platform admins |
-| `system` | All tenants (read-only) | System bootstrap |
+| Scope | Visibility | Who Can Create |
+|-------|------------|----------------|
+| `tenant` | Owning tenant only | Operators with `trust:write` |
+| `global` | All tenants | Platform admins with `trust:admin` |
+| `system` | All tenants (read-only) | System bootstrap |
+
+Authorization for the live watchlist surface follows the canonical trust scope family (`trust:read`, `trust:write`, `trust:admin`). The service still accepts legacy `watchlist:*` aliases for backward compatibility, but new clients and UI sessions should rely on the trust scopes.
 
 ### Event Flow
 

docs/modules/attestor/guides/identity-watchlist.md

@@ -52,10 +52,12 @@ A watchlist entry defines an identity pattern to monitor and alert configuration
 
 | Scope | Description | Who Can Create |
 |-------|-------------|----------------|
-| `tenant` | Visible only to owning tenant | Any user with `watchlist:write` |
-| `global` | Shared across all tenants | Administrators only |
+| `tenant` | Visible only to owning tenant | Any user with `trust:write` |
+| `global` | Shared across all tenants | Administrators with `trust:admin` |
 | `system` | System-managed entries | System only |
 
+Console and frontdoor watchlist flows use the canonical trust scope family: `trust:read`, `trust:write`, and `trust:admin`. Legacy `watchlist:*` aliases remain accepted for older clients, but new integrations should use the trust scopes.
+
 ## CLI Usage
 
 ### Adding a Watchlist Entry