Tesla scope-change investigation — confirm hypothesis #1

Slack thread 1778826664.977249. Artem asked to run 3 experiments to confirm whether Tesla 401 errors are caused by a scope change on Tesla side (vs deprecated endpoint vs instance suspension vs cred-level). Experiments: A. SQL — find ProviderGrant table, count Tesla grants, check updatedAt/clientId/allowedGroups per workspace. B. Manual curl — POST /v1/auth/token with clientId/clientSecret from ProviderGrant; decode JWT claims (scope, amr, scoped_instance_relationships, exp); then GET /v2/groups + /v2/telemetry/history with the token. Look for WWW-Authenticate / X-Tesla-Error-Code / body hints. C. Datadog — env:production service:tesla-grid-services-client @error.error.statusCode:401 → Top List grouped by @meta.workspaceId. All workspaces vs subset tells us systemic (1/2) vs instance-level (3/6). Do NOT regenerate Tesla clientSecret. Report which hypothesis (1/2/3/6) is confirmed.