namespace SharepointToolbox.Web.Services.Auth;

public interface IAppRegistrationService
{
    /// <summary>
    /// Creates an Entra ID app registration in the target tenant using a delegated admin token
    /// (requires Application.ReadWrite.All + DelegatedPermissionGrant.ReadWrite.All +
    /// AppRoleAssignment.ReadWrite.All scope). Grants org-wide admin consent for SharePoint + Graph
    /// delegated permissions (fallback sign-in flow).
    ///
    /// When <paramref name="appOnlyCert"/> is supplied, the registration is also provisioned for
    /// certificate (app-only) auth: the public certificate is attached as a sign-in credential,
    /// SharePoint + Graph <em>application</em> permissions are requested, and admin consent for
    /// those app roles is granted. This lets technicians operate under the app identity without an
    /// interactive sign-in. Returns the new app's client ID (appId).
    /// </summary>
    Task<string> CreateAsync(
        string adminAccessToken,
        string tenantName,
        string redirectUri,
        CertProvisioningResult? appOnlyCert = null,
        CancellationToken ct = default);
}