feat(scanner): Complete PoE implementation with Windows compatibility fix

- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

src/Authority/StellaOps.Authority/AGENTS.md

@@ -12,6 +12,7 @@ Own the StellaOps Authority host service: ASP.NET minimal API, OpenIddict flows,
 - Use `StellaOps.Cryptography` abstractions for any crypto operations.
 - Every change updates `TASKS.md` and related docs/tests.
 - Coordinate with plugin teams before altering plugin-facing contracts.
+- Keep Console admin endpoints (`/console/admin/*`) DPoP-safe and aligned with `authority:*` scopes.
 
 ## Key Directories
 - `src/Authority/StellaOps.Authority/` — host app
@@ -22,6 +23,8 @@ Own the StellaOps Authority host service: ASP.NET minimal API, OpenIddict flows,
 ## Required Reading
 - `docs/modules/authority/architecture.md`
 - `docs/modules/platform/architecture-overview.md`
+- `docs/architecture/console-admin-rbac.md`
+- `docs/architecture/console-branding.md`
 
 ## Working Agreement
 - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.

src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs

@@ -379,6 +379,196 @@ public static class StellaOpsScopes
     /// </summary>
     public const string AuthorityTenantsRead = "authority:tenants.read";
 
+    /// <summary>
+    /// Scope granting write access to Authority tenant management.
+    /// </summary>
+    public const string AuthorityTenantsWrite = "authority:tenants.write";
+
+    /// <summary>
+    /// Scope granting read-only access to Authority user management.
+    /// </summary>
+    public const string AuthorityUsersRead = "authority:users.read";
+
+    /// <summary>
+    /// Scope granting write access to Authority user management.
+    /// </summary>
+    public const string AuthorityUsersWrite = "authority:users.write";
+
+    /// <summary>
+    /// Scope granting read-only access to Authority role management.
+    /// </summary>
+    public const string AuthorityRolesRead = "authority:roles.read";
+
+    /// <summary>
+    /// Scope granting write access to Authority role management.
+    /// </summary>
+    public const string AuthorityRolesWrite = "authority:roles.write";
+
+    /// <summary>
+    /// Scope granting read-only access to Authority client registrations.
+    /// </summary>
+    public const string AuthorityClientsRead = "authority:clients.read";
+
+    /// <summary>
+    /// Scope granting write access to Authority client registrations.
+    /// </summary>
+    public const string AuthorityClientsWrite = "authority:clients.write";
+
+    /// <summary>
+    /// Scope granting read-only access to Authority token inventory.
+    /// </summary>
+    public const string AuthorityTokensRead = "authority:tokens.read";
+
+    /// <summary>
+    /// Scope granting permission to revoke Authority tokens.
+    /// </summary>
+    public const string AuthorityTokensRevoke = "authority:tokens.revoke";
+
+    /// <summary>
+    /// Scope granting read-only access to Authority branding configuration.
+    /// </summary>
+    public const string AuthorityBrandingRead = "authority:branding.read";
+
+    /// <summary>
+    /// Scope granting write access to Authority branding configuration.
+    /// </summary>
+    public const string AuthorityBrandingWrite = "authority:branding.write";
+
+    /// <summary>
+    /// Scope granting access to Console Admin UI and workflows.
+    /// </summary>
+    public const string UiAdmin = "ui.admin";
+
+    /// <summary>
+    /// Scope granting read-only access to Scanner scan results and metadata.
+    /// </summary>
+    public const string ScannerRead = "scanner:read";
+
+    /// <summary>
+    /// Scope granting permission to trigger Scanner scan operations.
+    /// </summary>
+    public const string ScannerScan = "scanner:scan";
+
+    /// <summary>
+    /// Scope granting permission to export Scanner results (SBOM, reports).
+    /// </summary>
+    public const string ScannerExport = "scanner:export";
+
+    /// <summary>
+    /// Scope granting write access to Scanner configuration.
+    /// </summary>
+    public const string ScannerWrite = "scanner:write";
+
+    /// <summary>
+    /// Scope granting read-only access to Scheduler job state and history.
+    /// </summary>
+    public const string SchedulerRead = "scheduler:read";
+
+    /// <summary>
+    /// Scope granting permission to operate Scheduler jobs (pause, resume, trigger).
+    /// </summary>
+    public const string SchedulerOperate = "scheduler:operate";
+
+    /// <summary>
+    /// Scope granting administrative control over Scheduler configuration.
+    /// </summary>
+    public const string SchedulerAdmin = "scheduler:admin";
+
+    /// <summary>
+    /// Scope granting permission to create attestations.
+    /// </summary>
+    public const string AttestCreate = "attest:create";
+
+    /// <summary>
+    /// Scope granting administrative control over Attestor configuration.
+    /// </summary>
+    public const string AttestAdmin = "attest:admin";
+
+    /// <summary>
+    /// Scope granting read-only access to Signer configuration and key metadata.
+    /// </summary>
+    public const string SignerRead = "signer:read";
+
+    /// <summary>
+    /// Scope granting permission to create signatures.
+    /// </summary>
+    public const string SignerSign = "signer:sign";
+
+    /// <summary>
+    /// Scope granting permission to rotate Signer keys.
+    /// </summary>
+    public const string SignerRotate = "signer:rotate";
+
+    /// <summary>
+    /// Scope granting administrative control over Signer configuration.
+    /// </summary>
+    public const string SignerAdmin = "signer:admin";
+
+    /// <summary>
+    /// Scope granting read-only access to SBOM documents.
+    /// </summary>
+    public const string SbomRead = "sbom:read";
+
+    /// <summary>
+    /// Scope granting permission to create or edit SBOM documents.
+    /// </summary>
+    public const string SbomWrite = "sbom:write";
+
+    /// <summary>
+    /// Scope granting permission to attest SBOM documents.
+    /// </summary>
+    public const string SbomAttest = "sbom:attest";
+
+    /// <summary>
+    /// Scope granting read-only access to Release metadata and workflows.
+    /// </summary>
+    public const string ReleaseRead = "release:read";
+
+    /// <summary>
+    /// Scope granting permission to create or edit Release metadata.
+    /// </summary>
+    public const string ReleaseWrite = "release:write";
+
+    /// <summary>
+    /// Scope granting permission to publish Releases.
+    /// </summary>
+    public const string ReleasePublish = "release:publish";
+
+    /// <summary>
+    /// Scope granting permission to bypass Release policy gates.
+    /// </summary>
+    public const string ReleaseBypass = "release:bypass";
+
+    /// <summary>
+    /// Scope granting read-only access to Zastava webhook observer state.
+    /// </summary>
+    public const string ZastavaRead = "zastava:read";
+
+    /// <summary>
+    /// Scope granting permission to trigger Zastava webhook processing.
+    /// </summary>
+    public const string ZastavaTrigger = "zastava:trigger";
+
+    /// <summary>
+    /// Scope granting administrative control over Zastava configuration.
+    /// </summary>
+    public const string ZastavaAdmin = "zastava:admin";
+
+    /// <summary>
+    /// Scope granting read-only access to exception records.
+    /// </summary>
+    public const string ExceptionsRead = "exceptions:read";
+
+    /// <summary>
+    /// Scope granting permission to create or edit exception records.
+    /// </summary>
+    public const string ExceptionsWrite = "exceptions:write";
+
+    /// <summary>
+    /// Scope granting administrative control over Graph resources.
+    /// </summary>
+    public const string GraphAdmin = "graph:admin";
+
     private static readonly HashSet<string> KnownScopes = new(StringComparer.OrdinalIgnoreCase)
     {
         ConcelierJobsTrigger,
@@ -456,7 +646,45 @@ public static class StellaOpsScopes
         OrchOperate,
         OrchBackfill,
         OrchQuota,
-        AuthorityTenantsRead
+        AuthorityTenantsRead,
+        AuthorityTenantsWrite,
+        AuthorityUsersRead,
+        AuthorityUsersWrite,
+        AuthorityRolesRead,
+        AuthorityRolesWrite,
+        AuthorityClientsRead,
+        AuthorityClientsWrite,
+        AuthorityTokensRead,
+        AuthorityTokensRevoke,
+        AuthorityBrandingRead,
+        AuthorityBrandingWrite,
+        UiAdmin,
+        ScannerRead,
+        ScannerScan,
+        ScannerExport,
+        ScannerWrite,
+        SchedulerRead,
+        SchedulerOperate,
+        SchedulerAdmin,
+        AttestCreate,
+        AttestAdmin,
+        SignerRead,
+        SignerSign,
+        SignerRotate,
+        SignerAdmin,
+        SbomRead,
+        SbomWrite,
+        SbomAttest,
+        ReleaseRead,
+        ReleaseWrite,
+        ReleasePublish,
+        ReleaseBypass,
+        ZastavaRead,
+        ZastavaTrigger,
+        ZastavaAdmin,
+        ExceptionsRead,
+        ExceptionsWrite,
+        GraphAdmin
     };
 
     /// <summary>