Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit

Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Infrastructure/Auth/SessionManager.cs

@@ -7,23 +7,31 @@ using SharepointToolbox.Web.Services.Session;
 namespace SharepointToolbox.Web.Infrastructure.Auth;
 
 /// <summary>
-/// Delegated session manager using OAuth2 refresh tokens.
-/// Tokens come from ISessionCredentialStore (ProtectedSessionStorage — browser-side only).
-/// Caches access tokens in-memory per scope for the duration of the Blazor circuit.
+/// Session manager that resolves the auth model per profile. When a profile is configured
+/// for certificate auth (<see cref="IAppOnlyContextFactory.IsConfigured"/>), contexts are
+/// built app-only via the stored certificate and no interactive sign-in is required.
+/// Otherwise it falls back to the delegated OAuth2 refresh-token flow, whose access tokens
+/// come from ISessionCredentialStore (ProtectedSessionStorage — browser-side only) and are
+/// cached in-memory per scope for the duration of the Blazor circuit.
 /// Scoped per Blazor circuit.
 /// </summary>
 public class SessionManager : ISessionManager
 {
     private readonly ISessionCredentialStore _credentialStore;
     private readonly ITokenRefreshService _tokenRefresh;
+    private readonly IAppOnlyContextFactory _appOnly;
     private readonly Dictionary<string, ClientContext> _contexts = new();
     private readonly Dictionary<string, (string Token, DateTimeOffset ExpiresAt)> _accessTokenCache = new();
     private readonly SemaphoreSlim _lock = new(1, 1);
 
-    public SessionManager(ISessionCredentialStore credentialStore, ITokenRefreshService tokenRefresh)
+    public SessionManager(
+        ISessionCredentialStore credentialStore,
+        ITokenRefreshService tokenRefresh,
+        IAppOnlyContextFactory appOnly)
     {
         _credentialStore = credentialStore;
         _tokenRefresh    = tokenRefresh;
+        _appOnly         = appOnly;
     }
 
     public bool IsAuthenticated(string tenantUrl) => _contexts.ContainsKey(NormalizeUrl(tenantUrl));
@@ -62,6 +70,24 @@ public class SessionManager : ISessionManager
         var key     = NormalizeUrl(profile.TenantUrl);
         var spScope = NormalizeScopeUrl(profile.TenantUrl) + "/.default";
 
+        // Certificate-configured profiles authenticate app-only: no interactive sign-in,
+        // no session tokens. Build the context through the cert factory and cache it under
+        // the same key so report services see an ordinary authenticated ClientContext.
+        if (_appOnly.IsConfigured(profile))
+        {
+            await _lock.WaitAsync(ct);
+            try
+            {
+                if (_contexts.TryGetValue(key, out var existingCert))
+                    return existingCert;
+
+                var certCtx = await _appOnly.CreateContextAsync(profile, profile.TenantUrl, ct);
+                _contexts[key] = certCtx;
+                return certCtx;
+            }
+            finally { _lock.Release(); }
+        }
+
         await _lock.WaitAsync(ct);
         try
         {
@@ -90,16 +116,7 @@ public class SessionManager : ISessionManager
 
     public async Task<ClientContext> GetOrCreateContextAsync(string siteUrl, TenantProfile profile, CancellationToken ct = default)
     {
-        var profileForSite = new TenantProfile
-        {
-            Id         = profile.Id,
-            Name       = profile.Name,
-            TenantUrl  = siteUrl,
-            TenantId   = profile.TenantId,
-            ClientId   = profile.ClientId,
-            ClientLogo = profile.ClientLogo,
-        };
-        return await GetOrCreateContextAsync(profileForSite, ct);
+        return await GetOrCreateContextAsync(profile.CloneForSite(siteUrl), ct);
     }
 
     public async Task ClearSessionAsync(string tenantUrl)