# Data Model — Remove Legacy Tenant Graph Options

## Summary

This feature is a behavioral refactor only. It changes **how Graph credentials/options are sourced** (provider connection only) and adds a CI guardrail. No schema changes are included.

## Entities (existing)

### Tenant (`app/Models/Tenant.php`)

- **Relevant fields (legacy)**: `app_client_id`, `app_client_secret`, `tenant_id`, `external_id`
- **Relevant method (deprecated)**: `graphOptions(): array`
- **Planned behavior**: `graphOptions()` remains but throws (kill-switch) to prevent legacy use.

### ProviderConnection (`app/Models/ProviderConnection.php`)

- **Used by**: `ProviderConnectionResolver::resolveDefault($tenant, 'microsoft')`
- **Key fields**: `tenant_id`, `provider`, `is_default`, `status`, `entra_tenant_id`

### ProviderCredential (`app/Models/ProviderCredential.php`)

- **Used by**: `CredentialManager::getClientCredentials($connection)` via `ProviderGateway::graphOptions()`
- **Expected payload**: `['client_id' => string, 'client_secret' => string]`

## Relationships (existing)

- `Tenant::providerConnections()` → hasMany `ProviderConnection`
- `ProviderConnection::credential()` → hasOne/hasMany `ProviderCredential` (via relationship method in model)

## Validation / Constraints

- Provider connection resolution must fail deterministically when:
  - No default connection exists for tenant/provider
  - Multiple defaults exist
  - Connection is disabled / needs consent
  - Missing `entra_tenant_id`
  - Missing/invalid credential payload

(These rules are currently enforced by `ProviderConnectionResolver`.)

## State Transitions

- None added by this feature.

## Out of Scope

- Dropping / migrating tenant credential columns.
- Changing provider resolution semantics.
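
The failure rules listed under Validation / Constraints, written out as an added example; this is not the project's `ProviderConnectionResolver`, only a standalone PHP function over plain arrays that fails closed with one reason code per rule. The `connected` status value, the reason-code strings, the `ResolutionFailed` class and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the rules under "Validation / Constraints".
// Rows are plain arrays; status values and reason codes are constructed.
final class ResolutionFailed extends RuntimeException {}

function resolveDefaultConnection(array $connections, int $tenantId, string $provider): array
{
    $defaults = array_values(array_filter(
        $connections,
        fn (array $c): bool => ($c['tenant_id'] ?? null) === $tenantId
            && ($c['provider'] ?? null) === $provider
            && ($c['is_default'] ?? false) === true
    ));

    // Exactly one default is required; never fall back to "the first" of several.
    if (count($defaults) === 0) { throw new ResolutionFailed('no_default_connection'); }
    if (count($defaults) > 1) { throw new ResolutionFailed('multiple_default_connections'); }

    $conn = $defaults[0];
    $status = $conn['status'] ?? '';
    // Anything other than the assumed healthy status (disabled, needs consent) is rejected.
    if ($status !== 'connected') { throw new ResolutionFailed("connection_not_usable:$status"); }
    if (empty($conn['entra_tenant_id'])) { throw new ResolutionFailed('missing_entra_tenant_id'); }

    $cred = $conn['credential'] ?? null;
    foreach (['client_id', 'client_secret'] as $key) {
        if (!is_array($cred) || !is_string($cred[$key] ?? null) || $cred[$key] === '') {
            // Report the key name only, never the credential value.
            throw new ResolutionFailed("invalid_credential_payload:$key");
        }
    }
    return $conn;
}

// Constructed sample rows: tenant 7 has two defaults, tenant 8 lacks a secret, tenant 9 is valid.
$base = ['provider' => 'microsoft', 'is_default' => true, 'status' => 'connected',
         'entra_tenant_id' => 'constructed-entra-id',
         'credential' => ['client_id' => 'constructed-id', 'client_secret' => 'constructed-secret']];
$rows = [
    ['tenant_id' => 7] + $base,
    ['tenant_id' => 7] + $base,
    ['tenant_id' => 8, 'credential' => ['client_id' => 'constructed-id']] + $base,
    ['tenant_id' => 9] + $base,
];
foreach ([7, 8, 9] as $tenantId) {
    try { resolveDefaultConnection($rows, $tenantId, 'microsoft'); echo "$tenantId resolved\n"; }
    catch (ResolutionFailed $e) { echo "$tenantId rejected: {$e->getMessage()}\n"; }
}
```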