Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit

Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Services/SiteDiscoveryService.cs

@@ -1,31 +1,38 @@
-using Microsoft.Online.SharePoint.TenantAdministration;
-using Microsoft.SharePoint.Client;
 using SharepointToolbox.Web.Core.Helpers;
 using SharepointToolbox.Web.Core.Models;
+using SharepointToolbox.Web.Infrastructure.Auth;
 using SharepointToolbox.Web.Services.Session;
 
 namespace SharepointToolbox.Web.Services;
 
 /// <summary>
-/// Delegated CSOM implementation of <see cref="ISiteDiscoveryService"/>.
+/// Enumerates every site collection in a tenant via the SharePoint tenant-admin endpoint
+/// (<c>Tenant.GetSitePropertiesFromSharePointByFilters</c>), paging through all results.
+/// The auth model only changes how the admin-host context is built:
 ///
-/// Enumerates every site collection via the SharePoint tenant admin endpoint
-/// (<c>Tenant.GetSitePropertiesFromSharePointByFilters</c>), paging through all
-/// results. Requires the signed-in user to be a SharePoint administrator.
+/// • Certificate (app-only) profiles build the admin context through the cert factory — the
+///   same path the background report scheduler uses (<see cref="Services.Reports"/>), which
+///   relies only on the SharePoint <c>Sites.FullControl.All</c> application permission the cert
+///   app already holds. (The earlier Graph <c>/sites/getAllSites</c> path was dropped: it needs
+///   a separate Graph <c>Sites.Read.All</c> grant the cert app is not provisioned with, so it
+///   returned empty/403 and tenant-wide audits silently fell back to the root site alone.)
+/// • Delegated profiles build the admin context through the session manager; this requires the
+///   signed-in user to be a SharePoint administrator.
 ///
-/// The Graph <c>/sites?search=*</c> endpoint was deliberately abandoned: it ranks
-/// by relevance and is capped server-side, so it silently dropped sites and
-/// returned varying counts run-to-run. <c>/sites/getAllSites</c> is app-only and
-/// 403s on a delegated user token. The tenant admin enumeration is the only path
-/// that returns the complete, stable set under the app's delegated auth model.
+/// The Graph <c>/sites?search=*</c> endpoint was deliberately abandoned for both: it ranks by
+/// relevance and is capped server-side, silently dropping sites and returning varying counts.
 /// </summary>
 public class SiteDiscoveryService : ISiteDiscoveryService
 {
     private readonly ISessionManager _sessionManager;
+    private readonly IAppOnlyContextFactory _appOnly;
 
-    public SiteDiscoveryService(ISessionManager sessionManager)
+    public SiteDiscoveryService(
+        ISessionManager sessionManager,
+        IAppOnlyContextFactory appOnly)
     {
         _sessionManager = sessionManager;
+        _appOnly        = appOnly;
     }
 
     public async Task<IReadOnlyList<SiteInfo>> SearchSitesAsync(
@@ -35,103 +42,19 @@ public class SiteDiscoveryService : ISiteDiscoveryService
     {
         ArgumentException.ThrowIfNullOrEmpty(profile.TenantUrl);
 
-        // Site enumeration only exists on the tenant admin endpoint.
-        var adminProfile = new TenantProfile
+        var adminUrl = TenantSiteEnumerator.BuildAdminUrl(profile.TenantUrl);
+
+        // App-only profiles: build the admin-host context through the cert factory (matches the
+        // scheduler), enumerating under the SharePoint app permission the cert already grants.
+        if (_appOnly.IsConfigured(profile))
         {
-            Id         = profile.Id,
-            Name       = profile.Name,
-            TenantUrl  = BuildAdminUrl(profile.TenantUrl),
-            TenantId   = profile.TenantId,
-            ClientId   = profile.ClientId,
-            ClientLogo = profile.ClientLogo,
-        };
-
-        var ctx    = await _sessionManager.GetOrCreateContextAsync(adminProfile, ct);
-        var tenant = new Tenant(ctx);
-
-        var filter = new SPOSitePropertiesEnumerableFilter
-        {
-            IncludeDetail       = false,
-            IncludePersonalSite = PersonalSiteFilter.Exclude,
-            StartIndex          = null,
-            Template            = null,
-        };
-
-        var results = new List<SiteInfo>();
-        SPOSitePropertiesEnumerable page;
-        do
-        {
-            ct.ThrowIfCancellationRequested();
-
-            page = await FetchPageWithColdTokenRetryAsync(ctx, tenant, filter, ct);
-
-            foreach (var sp in page)
-            {
-                var url = sp.Url ?? string.Empty;
-                if (string.IsNullOrEmpty(url)) continue;
-                // Belt-and-braces: PersonalSiteFilter.Exclude already drops OneDrive.
-                if (url.Contains("/personal/", StringComparison.OrdinalIgnoreCase)) continue;
-                var title = string.IsNullOrEmpty(sp.Title) ? url : sp.Title;
-                results.Add(new SiteInfo(url, title));
-            }
-
-            // NextStartIndexFromSharePoint is empty/null once the last page is returned.
-            filter.StartIndex = page.NextStartIndexFromSharePoint;
+            using var adminCtx = await _appOnly.CreateContextAsync(profile, adminUrl, ct);
+            return await TenantSiteEnumerator.EnumerateAsync(adminCtx, ct);
         }
-        while (!string.IsNullOrEmpty(filter.StartIndex));
 
-        return results
-            .GroupBy(s => s.Url, StringComparer.OrdinalIgnoreCase)
-            .Select(g => g.First())
-            .OrderBy(s => s.Title, StringComparer.OrdinalIgnoreCase)
-            .ToList();
-    }
-
-    private const int MaxColdTokenAttempts = 4;
-    private const int BackoffBaseSeconds   = 3;
-
-    // The tenant admin endpoint transiently 403s on a cold delegated token (the same
-    // behaviour the elevation coordinator handles): the first call against the admin
-    // host can be denied while the token warms, then clears within seconds. Retry the
-    // admin query on access-denied with backoff. A genuine lack of SharePoint tenant
-    // administrator rights keeps failing and surfaces the enriched 403 after retries —
-    // elevation cannot self-grant tenant-admin, so there is nothing to auto-correct.
-    //
-    // The request (GetSiteProperties + Load) MUST be re-issued inside the loop: a failed
-    // CSOM ExecuteQuery clears the context's pending-request queue, so retrying the
-    // execute alone would run an empty batch, leave the page uninitialized, and throw
-    // "The collection has not been initialized" on iteration.
-    private static async Task<SPOSitePropertiesEnumerable> FetchPageWithColdTokenRetryAsync(
-        ClientContext ctx, Tenant tenant, SPOSitePropertiesEnumerableFilter filter, CancellationToken ct)
-    {
-        for (int attempt = 1; ; attempt++)
-        {
-            try
-            {
-                var page = tenant.GetSitePropertiesFromSharePointByFilters(filter);
-                ctx.Load(page);
-                await ExecuteQueryRetryHelper.ExecuteQueryRetryAsync(ctx, null, ct);
-                return page;
-            }
-            catch (SharePointAccessDeniedException ex) when (attempt < MaxColdTokenAttempts)
-            {
-                var delay = TimeSpan.FromSeconds(BackoffBaseSeconds * attempt);
-                Serilog.Log.Warning(
-                    "Tenant admin endpoint denied during site discovery (attempt {N}/{Max}); " +
-                    "retrying in {Delay}s. {Err}",
-                    attempt, MaxColdTokenAttempts, delay.TotalSeconds, ex.Message);
-                await Task.Delay(delay, ct);
-            }
-        }
-    }
-
-    // https://contoso.sharepoint.com[/sites/Foo] → https://contoso-admin.sharepoint.com
-    private static string BuildAdminUrl(string tenantUrl)
-    {
-        if (!Uri.TryCreate(tenantUrl, UriKind.Absolute, out var uri))
-            return tenantUrl;
-        var adminHost = uri.Host.Replace(".sharepoint.com", "-admin.sharepoint.com",
-            StringComparison.OrdinalIgnoreCase);
-        return $"{uri.Scheme}://{adminHost}";
+        // Delegated profiles: enumeration only exists on the tenant admin endpoint.
+        var adminProfile = profile.CloneForSite(adminUrl);
+        var ctx = await _sessionManager.GetOrCreateContextAsync(adminProfile, ct);
+        return await TenantSiteEnumerator.EnumerateAsync(ctx, ct);
     }
 }