Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit

Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Infrastructure/Auth/AppOnlyCertStore.cs

@@ -0,0 +1,70 @@
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.AspNetCore.DataProtection;
+
+namespace SharepointToolbox.Web.Infrastructure.Auth;
+
+/// <summary>
+/// File-backed <see cref="IAppOnlyCertStore"/>. Each profile's certificate is
+/// re-exported password-less, encrypted with ASP.NET Core Data Protection, and
+/// written to {certsFolder}/{profileId}.bin. The uploaded PFX password is consumed
+/// at save time and never persisted.
+/// </summary>
+public class AppOnlyCertStore : IAppOnlyCertStore
+{
+    private const string Purpose = "SharepointToolbox.AppOnlyCert.v1";
+
+    private readonly string _certsFolder;
+    private readonly IDataProtector _protector;
+
+    public AppOnlyCertStore(string certsFolder, IDataProtectionProvider dataProtection)
+    {
+        _certsFolder = certsFolder;
+        _protector   = dataProtection.CreateProtector(Purpose);
+        Directory.CreateDirectory(_certsFolder);
+    }
+
+    private string PathFor(string profileId) => Path.Combine(_certsFolder, $"{profileId}.bin");
+
+    public async Task<string> SaveAsync(string profileId, byte[] pfxBytes, string? password, CancellationToken ct = default)
+    {
+        // Open the uploaded PFX (Exportable so we can re-emit a password-less copy that
+        // the loader can open later without prompting). EphemeralKeySet keeps the key
+        // out of the Windows certificate store during this transient operation.
+        using var cert = X509CertificateLoader.LoadPkcs12(
+            pfxBytes, password,
+            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.EphemeralKeySet);
+
+        if (!cert.HasPrivateKey)
+            throw new InvalidOperationException("The uploaded certificate has no private key. Export the PFX with its key.");
+
+        var passwordless = cert.Export(X509ContentType.Pkcs12);
+        var protectedBytes = _protector.Protect(passwordless);
+
+        Directory.CreateDirectory(_certsFolder);
+        var tmp = PathFor(profileId) + ".tmp";
+        await File.WriteAllBytesAsync(tmp, protectedBytes, ct);
+        File.Move(tmp, PathFor(profileId), overwrite: true);
+
+        return cert.Thumbprint;
+    }
+
+    public async Task<X509Certificate2?> LoadAsync(string profileId, CancellationToken ct = default)
+    {
+        var path = PathFor(profileId);
+        if (!File.Exists(path)) return null;
+
+        var protectedBytes = await File.ReadAllBytesAsync(path, ct);
+        var pfx = _protector.Unprotect(protectedBytes);
+        return X509CertificateLoader.LoadPkcs12(
+            pfx, password: null,
+            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.EphemeralKeySet);
+    }
+
+    public bool Exists(string profileId) => File.Exists(PathFor(profileId));
+
+    public void Delete(string profileId)
+    {
+        var path = PathFor(profileId);
+        if (File.Exists(path)) File.Delete(path);
+    }
+}