feat(scanner): Complete PoE implementation with Windows compatibility fix

- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs/modules/authority/architecture.md

@@ -205,12 +205,20 @@ Services **must** verify `aud` and **sender constraint** (DPoP/mTLS) per their p
 | ---------------------------------- | ------------------ | -------------------------- |
 | `signer.sign`                      | Signer             | Request DSSE signing       |
 | `attestor.write`                   | Attestor           | Submit Rekor entries       |
-| `scanner.scan`                     | Scanner.WebService | Submit scan jobs           |
-| `scanner.export`                   | Scanner.WebService | Export SBOMs               |
-| `scanner.read`                     | Scanner.WebService | Read catalog/SBOMs         |
+| `scanner:scan`                     | Scanner.WebService | Submit scan jobs           |
+| `scanner:export`                   | Scanner.WebService | Export SBOMs               |
+| `scanner:read`                     | Scanner.WebService | Read catalog/SBOMs         |
+| `scanner:write`                    | Scanner.WebService | Update scanner settings    |
 | `vex.read` / `vex.admin`           | Excititor              | Query/operate              |
 | `concelier.read` / `concelier.export`  | Concelier            | Query/exports              |
 | `ui.read` / `ui.admin`             | UI                 | View/admin                 |
+| `authority:tenants.read` / `authority:tenants.write` | Authority | Tenant catalog admin |
+| `authority:users.read` / `authority:users.write`     | Authority | User admin |
+| `authority:roles.read` / `authority:roles.write`     | Authority | Role/scope admin |
+| `authority:clients.read` / `authority:clients.write` | Authority | Client admin |
+| `authority:tokens.read` / `authority:tokens.revoke`  | Authority | Token inventory and revoke |
+| `authority:audit.read`             | Authority           | Audit log read |
+| `authority:branding.read` / `authority:branding.write` | Authority | Branding admin |
 | `zastava.emit` / `zastava.enforce` | Scanner/Zastava    | Runtime events / admission |
 
 **Roles → scopes mapping** is configured centrally (Authority policy) and pushed during token issuance.
@@ -272,7 +280,9 @@ Services **must** verify `aud` and **sender constraint** (DPoP/mTLS) per their p
 
 ## 10) Admin & operations APIs
 
-All under `/admin` (mTLS + `authority.admin` scope).
+Authority exposes two admin tiers:
+- `/admin/*` (mTLS + `authority.admin`) for automation.
+- `/console/admin/*` (DPoP + UI scopes) for Console admin workflows.
 
 ```
 POST /admin/clients                 # create/update client (confidential/public)