feat(graph): add resource permission listing and output mode aliases

src/graph/app.js

@@ -198,3 +198,60 @@ export async function listAppGrants(client, appId) {
 
   return Array.isArray(grantsResult?.value) ? grantsResult.value : [];
 }
+
+/**
+ * List available delegated scopes and app roles for a resource app.
+ *
+ * @param { Object } client
+ * @param { Object } options
+ * @param { string } [options.appId]
+ * @param { string } [options.displayName]
+ * @returns { Promise<Array> }
+ */
+export async function listResourcePermissions(client, options = {}) {
+  const { appId, displayName } = options;
+  if (!appId && !displayName) {
+    throw new Error("appId or displayName is required");
+  }
+
+  let request = client
+    .api("/servicePrincipals")
+    .select("appId,displayName,oauth2PermissionScopes,appRoles");
+
+  if (appId) {
+    request = request.filter(`appId eq '${appId}'`);
+  } else {
+    request = request.filter(`displayName eq '${displayName}'`);
+  }
+
+  const result = await request.get();
+  const servicePrincipals = Array.isArray(result?.value) ? result.value : [];
+  const rows = [];
+
+  for (const sp of servicePrincipals) {
+    for (const scope of sp?.oauth2PermissionScopes ?? []) {
+      rows.push({
+        permissionType: "Scope",
+        permissionId: scope.id ?? null,
+        permissionValue: scope.value ?? null,
+        permissionDisplayName:
+          scope.adminConsentDisplayName ??
+          scope.userConsentDisplayName ??
+          null,
+        isEnabled: scope.isEnabled ?? null,
+      });
+    }
+
+    for (const role of sp?.appRoles ?? []) {
+      rows.push({
+        permissionType: "Role",
+        permissionId: role.id ?? null,
+        permissionValue: role.value ?? null,
+        permissionDisplayName: role.displayName ?? null,
+        isEnabled: role.isEnabled ?? null,
+      });
+    }
+  }
+
+  return rows;
+}