feat(scanner): Complete PoE implementation with Windows compatibility fix

- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs/modules/authority/architecture.md

@@ -205,12 +205,20 @@ Services **must** verify `aud` and **sender constraint** (DPoP/mTLS) per their p
 | ---------------------------------- | ------------------ | -------------------------- |
 | `signer.sign`                      | Signer             | Request DSSE signing       |
 | `attestor.write`                   | Attestor           | Submit Rekor entries       |
-| `scanner.scan`                     | Scanner.WebService | Submit scan jobs           |
-| `scanner.export`                   | Scanner.WebService | Export SBOMs               |
-| `scanner.read`                     | Scanner.WebService | Read catalog/SBOMs         |
+| `scanner:scan`                     | Scanner.WebService | Submit scan jobs           |
+| `scanner:export`                   | Scanner.WebService | Export SBOMs               |
+| `scanner:read`                     | Scanner.WebService | Read catalog/SBOMs         |
+| `scanner:write`                    | Scanner.WebService | Update scanner settings    |
 | `vex.read` / `vex.admin`           | Excititor              | Query/operate              |
 | `concelier.read` / `concelier.export`  | Concelier            | Query/exports              |
 | `ui.read` / `ui.admin`             | UI                 | View/admin                 |
+| `authority:tenants.read` / `authority:tenants.write` | Authority | Tenant catalog admin |
+| `authority:users.read` / `authority:users.write`     | Authority | User admin |
+| `authority:roles.read` / `authority:roles.write`     | Authority | Role/scope admin |
+| `authority:clients.read` / `authority:clients.write` | Authority | Client admin |
+| `authority:tokens.read` / `authority:tokens.revoke`  | Authority | Token inventory and revoke |
+| `authority:audit.read`             | Authority           | Audit log read |
+| `authority:branding.read` / `authority:branding.write` | Authority | Branding admin |
 | `zastava.emit` / `zastava.enforce` | Scanner/Zastava    | Runtime events / admission |
 
 **Roles → scopes mapping** is configured centrally (Authority policy) and pushed during token issuance.
@@ -272,7 +280,9 @@ Services **must** verify `aud` and **sender constraint** (DPoP/mTLS) per their p
 
 ## 10) Admin & operations APIs
 
-All under `/admin` (mTLS + `authority.admin` scope).
+Authority exposes two admin tiers:
+- `/admin/*` (mTLS + `authority.admin`) for automation.
+- `/console/admin/*` (DPoP + UI scopes) for Console admin workflows.
 
 ```
 POST /admin/clients                 # create/update client (confidential/public)

docs/modules/ui/architecture.md

@@ -113,6 +113,7 @@ Each feature folder builds as a **standalone route** (lazy loaded). All HTTP sha
 * **Clients & roles**: Authority clients, role→scope mapping, rotation hints.
 * **Quotas**: per license plan, counters, throttle events.
 * **Licensing posture**: last PoE introspection snapshot (redacted), release window.
+* **Branding**: tenant logo, title, and theme tokens with preview/apply (fresh-auth).
 
 ### 3.9 Vulnerability triage (VEX-first)
 
@@ -237,7 +238,8 @@ export interface NotifyDelivery {
 * **A11y**: WCAG 2.2 AA; keyboard navigation, focus management, ARIA roles; color‑contrast tokens verified by unit tests.
 * **I18n**: Angular i18n + runtime translation loader (`/locales/{lang}.json`); dates/numbers localized via `Intl`.
 * **Languages**: English default; Bulgarian, German, Japanese as initial additions.
-* **Theming**: dark/light via CSS variables; persisted in `prefers-color-scheme` aware store.
+* **Theming**: dark/light via CSS variables; persisted in `prefers-color-scheme` aware store.
+* **Branding**: tenant-scoped theme tokens and logo pulled from Authority `/console/branding` after login.
 
 ---