Wire auto-elevate ownership across all SharePoint operations

The "Auto-elevate ownership when permission scan is denied" setting was
dead code: the toggle was persisted but never read, the audit flow never
passed its onAccessDenied callback, and EnrichException wrapped every CSOM
error (including ServerUnauthorizedAccessException) into a generic
InvalidOperationException so the access-denied catch could never match.

Centralize elevation instead of per-call-site callbacks:

- Throw typed SharePointAccessDeniedException from EnrichException on
  access-denied, preserving the failing site URL and enriched diagnostic.
- Add scoped IElevationCoordinator that catches it, and when AutoTakeOwnership
  is enabled takes site-collection admin via the tenant admin endpoint and
  retries the operation once. Per-site dedupe prevents loops; admin-host
  denials are not treated as ownership issues. Retry is safe because each
  wrapped operation closure re-issues its own CSOM loads.
- Wrap all site-scoped operations (Storage, Permissions, Duplicates, Search,
  VersionCleanup, FolderStructure, BulkMembers, FileTransfer, Templates) and
  the UserAccessAudit per-site scan in the coordinator.
- Drop the unused onAccessDenied parameter from IUserAccessAuditService.

Elevation still requires SharePoint tenant admin rights on the signed-in
account; the coordinator surfaces a clear message when that is missing.

Also keeps the prior StorageService change that avoids admin-gated
folder.StorageMetrics (403 for delegated non-admin tokens).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Services/UserAccessAuditService.cs

@@ -6,15 +6,17 @@ namespace SharepointToolbox.Web.Services;
 public class UserAccessAuditService : IUserAccessAuditService
 {
     private readonly IPermissionsService _permissionsService;
+    private readonly IElevationCoordinator _elevation;
 
     private static readonly HashSet<string> HighPrivilegeLevels = new(StringComparer.OrdinalIgnoreCase)
     {
         "Full Control", "Site Collection Administrator"
     };
 
-    public UserAccessAuditService(IPermissionsService permissionsService)
+    public UserAccessAuditService(IPermissionsService permissionsService, IElevationCoordinator elevation)
     {
         _permissionsService = permissionsService;
+        _elevation = elevation;
     }
 
     public async Task<IReadOnlyList<UserAccessEntry>> AuditUsersAsync(
@@ -24,8 +26,7 @@ public class UserAccessAuditService : IUserAccessAuditService
         IReadOnlyList<SiteInfo> sites,
         ScanOptions options,
         IProgress<OperationProgress> progress,
-        CancellationToken ct,
-        Func<string, CancellationToken, Task<bool>>? onAccessDenied = null)
+        CancellationToken ct)
     {
         var targets = targetUserLogins
             .Select(l => l.Trim().ToLowerInvariant())
@@ -50,19 +51,13 @@ public class UserAccessAuditService : IUserAccessAuditService
                 Name = site.Title
             };
 
-            var ctx = await sessionManager.GetOrCreateContextAsync(profile, ct);
-            IReadOnlyList<PermissionEntry> permEntries;
-            try
+            // Auto-elevates site-collection admin ownership and retries when a scan is denied,
+            // if the AutoTakeOwnership setting is enabled (otherwise the access-denied propagates).
+            var permEntries = await _elevation.RunAsync(async c =>
             {
-                permEntries = await _permissionsService.ScanSiteAsync(ctx, options, progress, ct);
-            }
-            catch (Microsoft.SharePoint.Client.ServerUnauthorizedAccessException) when (onAccessDenied != null)
-            {
-                var elevated = await onAccessDenied(site.Url, ct);
-                if (!elevated) throw;
-                var retryCtx = await sessionManager.GetOrCreateContextAsync(profile, ct);
-                permEntries = await _permissionsService.ScanSiteAsync(retryCtx, options, progress, ct);
-            }
+                var ctx = await sessionManager.GetOrCreateContextAsync(profile, c);
+                return await _permissionsService.ScanSiteAsync(ctx, options, progress, c);
+            }, ct);
 
             allEntries.AddRange(TransformEntries(permEntries, targets, site));
         }