feat(19-01): add AppRegistrationService with rollback, model, and interface

- AppRegistrationResult discriminated result (Success/Failure/FallbackRequired)
- TenantProfile.AppId nullable string for storing registered app ID
- IAppRegistrationService interface (IsGlobalAdminAsync, RegisterAsync, RemoveAsync, ClearMsalSessionAsync)
- AppRegistrationService: sequential registration with rollback, transitiveMemberOf admin check, MSAL eviction

SharepointToolbox/Services/IAppRegistrationService.cs

@@ -0,0 +1,35 @@
+using SharepointToolbox.Core.Models;
+
+namespace SharepointToolbox.Services;
+
+/// <summary>
+/// Manages Azure AD app registration and removal for a target tenant.
+/// </summary>
+public interface IAppRegistrationService
+{
+    /// <summary>
+    /// Returns true if the currently-authenticated user has the Global Administrator
+    /// directory role (checked via transitiveMemberOf for nested-group coverage).
+    /// Returns false on any failure, including 403, rather than throwing.
+    /// </summary>
+    Task<bool> IsGlobalAdminAsync(string clientId, CancellationToken ct);
+
+    /// <summary>
+    /// Creates an Azure AD Application + ServicePrincipal + OAuth2PermissionGrants
+    /// atomically. On any intermediate failure the Application is deleted before
+    /// returning a Failure result (best-effort rollback).
+    /// </summary>
+    Task<AppRegistrationResult> RegisterAsync(string clientId, string tenantDisplayName, CancellationToken ct);
+
+    /// <summary>
+    /// Deletes the registered application by its appId.
+    /// Logs a warning on failure but does not throw.
+    /// </summary>
+    Task RemoveAsync(string clientId, string appId, CancellationToken ct);
+
+    /// <summary>
+    /// Clears the live SessionManager context, evicts all in-memory MSAL accounts,
+    /// and unregisters the persistent token cache for the given clientId.
+    /// </summary>
+    Task ClearMsalSessionAsync(string clientId, string tenantUrl);
+}