Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit

Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Core/Models/TenantProfile.cs

@@ -15,4 +15,41 @@ public class TenantProfile
     public string ClientId { get; set; } = string.Empty;
 
     public LogoData? ClientLogo { get; set; }
+
+    // ── Certificate (app-only) credentials ──────────────────────────────────────
+    // Opt-in per client by an admin. When enabled, certificate auth drives BOTH the
+    // interactive session (technicians never sign in to SharePoint per profile) AND
+    // the background report scheduler — all operations run under the app identity.
+    // When disabled, the app falls back to the delegated refresh-token sign-in flow.
+    // SharePoint CSOM app-only requires a certificate (Sites.FullControl.All
+    // application permission, admin-consented). The certificate itself is NOT stored
+    // here — it lives DataProtection-encrypted on disk (see AppOnlyCertStore); this
+    // class only carries the metadata needed to load and display it.
+
+    /// <summary>When true, this client uses certificate (app-only) auth for interactive and scheduled work.</summary>
+    public bool AppOnlyEnabled { get; set; }
+
+    /// <summary>Client (application) ID of the app-registration used for certificate auth. May differ from <see cref="ClientId"/>.</summary>
+    public string AppOnlyClientId { get; set; } = string.Empty;
+
+    /// <summary>Thumbprint of the stored certificate — display/verification only; the key material is stored separately.</summary>
+    public string AppOnlyCertThumbprint { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Clones this profile pointed at a different site/admin URL, preserving every other
+    /// field (notably the certificate metadata) so the auth model is resolved identically
+    /// for the derived URL. Use instead of hand-building partial copies.
+    /// </summary>
+    public TenantProfile CloneForSite(string siteUrl) => new()
+    {
+        Id                    = Id,
+        Name                  = Name,
+        TenantUrl             = siteUrl,
+        TenantId              = TenantId,
+        ClientId              = ClientId,
+        ClientLogo            = ClientLogo,
+        AppOnlyEnabled        = AppOnlyEnabled,
+        AppOnlyClientId       = AppOnlyClientId,
+        AppOnlyCertThumbprint = AppOnlyCertThumbprint,
+    };
 }