diff --git a/docs/plans/2026-06-02-auth-audit-normalization-phase1.md b/docs/plans/2026-06-02-auth-audit-normalization-phase1.md
index d2f5429..b6b6ab1 100644
--- a/docs/plans/2026-06-02-auth-audit-normalization-phase1.md
+++ b/docs/plans/2026-06-02-auth-audit-normalization-phase1.md
@@ -250,8 +250,17 @@ CentralUI blast radius (string keyId + scopes replace int Id + ApprovedApiKeyIds
   audit on no-op update/delete/set-methods); empty `Methods` rejected server-side (prevents unusable key on create + stealth-
   disable via `set-methods ""`); token advisory→stderr. Green: ManagementService 125, CLI 188, + Security/InboundAPI/Host/
   CentralUI unchanged. CentralUI + SQL Server `ApiKey` entity/repo untouched (C3/C5).
-- **C3/C4/C5 — PENDING** (C3 next: CentralUI pages onto the seam — incl. the ApiMethodForm "approved keys ↔ key scopes"
-  inversion via `GetKeysForMethodAsync`/`SetMethodsAsync`).
+- **C3 — DONE + reviewed** (SB commits `107e524` rewire, `d1191fd` review fixes). CentralUI `Admin/ApiKeys.razor`,
+  `Admin/ApiKeyForm.razor`, `Design/ApiMethodForm.razor`, `Dashboard.razor` onto `IInboundApiKeyAdmin`: string keyId,
+  method-NAME scopes replace the `ApprovedApiKeyIds` CSV, one-time token display on create, key Name fixed-after-create
+  (no rename in the lib model). The "approved keys ↔ key scopes" inversion is a pure tested helper
+  `CentralUI/Services/ApiMethodKeyScopeReconciler.cs` (save method entity first, then reconcile each affected key's full
+  scope set fresh; empty-last-scope revoke is blocked with a clear message, never pushes an empty set). Spec PASS,
+  code-review APPROVED after fixes: seam `bool` not-found now surfaced (no silent success), partial-reconcile-failure
+  guidance ("method saved, key scopes partially applied — review on API Keys page"), create validation order, concurrent-
+  edit reconciler test. CentralUI.Tests 595 green; all other suites unchanged. TransportExport + SQL Server entities/repo
+  untouched (C4/C5). (Also removed a stray `Name` artifact file from an accidental redirect — not committed.)
+- **C4/C5 — PENDING** (C4 next: TransportExport excludes API keys — methods-only; then C5 retires the SQL Server entity).
 
 ## Resolved decisions (2026-06-02)
 
diff --git a/docs/plans/2026-06-02-auth-audit-normalization.md.tasks.json b/docs/plans/2026-06-02-auth-audit-normalization.md.tasks.json
index 6013716..29d7fcc 100644
--- a/docs/plans/2026-06-02-auth-audit-normalization.md.tasks.json
+++ b/docs/plans/2026-06-02-auth-audit-normalization.md.tasks.json
@@ -35,7 +35,7 @@
     {"id": 32, "subject": "Task 1.3-L: Extend Auth.ApiKeys admin store (SetScopes/SetEnabled) -> lib 0.1.3 (PUBLISHED)", "status": "completed", "blockedBy": []},
     {"id": 33, "subject": "Task 1.3-C1: ScadaBridge re-pin 0.1.3 + IInboundApiKeyAdmin seam (additive) + baseline reds fixed", "status": "completed", "blockedBy": [32]},
     {"id": 34, "subject": "Task 1.3-C2: ManagementActor + CLI + Commons messages onto seam", "status": "completed", "blockedBy": [33]},
-    {"id": 35, "subject": "Task 1.3-C3: CentralUI pages onto seam (string keyId + scopes)", "status": "pending", "blockedBy": [33]},
+    {"id": 35, "subject": "Task 1.3-C3: CentralUI pages onto seam (string keyId + scopes)", "status": "completed", "blockedBy": [33]},
     {"id": 36, "subject": "Task 1.3-C4: TransportExport exclude API keys (methods-only)", "status": "pending", "blockedBy": [33, 35]},
     {"id": 37, "subject": "Task 1.3-C5 (=E): retire SQL Server ApiKey entity + EF migration + runbook", "status": "pending", "blockedBy": [34, 35, 36]}
   ],