
feat: add site-admin account creation mode for GHES#172

Open
c1-dev-bot[bot] wants to merge 1 commit into main from feat/site-admin-create-user

Conversation


@c1-dev-bot c1-dev-bot Bot commented Jun 4, 2026

Summary

  • Adds account-creation-mode config option (invitation default, or site_admin_create) and site-admin-token secret config option
  • When mode is site_admin_create, CreateAccount calls the GHES site-admin POST /admin/users endpoint via AdminService.CreateUser using a separate site-admin PAT, bypassing the email invitation flow entirely
  • Returns a SuccessResult with the created user resource (immediately active, no invitation acceptance needed)
  • Adjusts Metadata account creation schema: in site_admin_create mode, github_username becomes required and email becomes optional (matches GHES behavior under LDAP/SAML/CAS auth)
  • Handles "user already exists" errors gracefully via AlreadyExistsResult

This unblocks SSO/LDAP-enforced GHES customers (e.g., environments with ~100 orgs where email-based org invitations are disallowed by enterprise policy) from using ConductorOne for account provisioning.

Fixes: CXH-1594

Test plan

  • Verify existing invitation-based account creation still works (default mode)
  • Test account-creation-mode=site_admin_create with site-admin-token against a GHES instance
  • Test that missing github_username in site_admin_create mode returns a clear error
  • Test that missing site-admin-token when mode is site_admin_create fails at startup
  • Test "user already exists" case returns AlreadyExistsResult
  • Verify connector validates account-creation-mode values at startup

Automated PR Notice

This PR was automatically created by c1-dev-bot as a potential implementation.

This code requires:

  • Human review of the implementation approach
  • Manual testing to verify correctness
  • Approval from the appropriate team before merging

Add an alternative account-creation path that uses the GHES site-admin
POST /admin/users endpoint instead of org invitations. This supports
SSO/LDAP-enforced GHES environments where email-based org invitations
are disallowed by policy.

New config options:
- account-creation-mode: "invitation" (default) or "site_admin_create"
- site-admin-token: separate PAT with site-admin privileges for GHES

When mode is site_admin_create, CreateAccount calls Admin.CreateUser
with the provided github_username as the login. The user is created
immediately (no invitation email, no acceptance required), which
enables downstream team/repo grants in the same provisioning tick.

Fixes: CXH-1594
@c1-dev-bot c1-dev-bot Bot requested a review from a team June 4, 2026 20:57
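A runnable sketch of the control flow the PR description lays out (startup validation of the two new options, dispatch on account-creation-mode, the username/email requirements per mode, and mapping an existing login to an already-exists result), added here as an illustration and not the connector's or ConductorOne's code. The option names, mode values, the POST /admin/users path and the result kinds are the PR's; the Go types, the wire format assumed for the admin endpoint (JSON login/email body, 201 on create, 422 when the login already exists), the token header and the fake GHES server are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config carries the two options the PR adds. Option names are the PR's; the types here are illustrative.
type Config struct {
	AccountCreationMode string // "invitation" (default) or "site_admin_create"
	SiteAdminToken      string // separate site-admin PAT, required only for site_admin_create
}

// ValidateConfig is the startup check from the PR's test plan: unknown modes are rejected,
// and site_admin_create without a site-admin token fails before any sync runs.
func ValidateConfig(c Config) error {
	switch c.AccountCreationMode {
	case "", "invitation":
		return nil
	case "site_admin_create":
		if c.SiteAdminToken == "" {
			return errors.New("account-creation-mode=site_admin_create requires site-admin-token")
		}
		return nil
	default:
		return fmt.Errorf("invalid account-creation-mode %q (want invitation or site_admin_create)", c.AccountCreationMode)
	}
}

// Outcome stands in for the connector's SuccessResult / AlreadyExistsResult / invitation result.
type Outcome string

const (
	OutcomeCreated       Outcome = "created"        // SuccessResult: user is active immediately
	OutcomeAlreadyExists Outcome = "already_exists" // AlreadyExistsResult
	OutcomeInvited       Outcome = "invited"        // default invitation flow (not modelled here)
)

// SiteAdminClient posts to the GHES site-admin endpoint. The wire format below (JSON login/email,
// 201 on create, 422 on a duplicate login) is an assumption for this example, not taken from the PR.
type SiteAdminClient struct {
	BaseURL string       // assumed: the GHES API base, e.g. https://ghes.example/api/v3
	Token   string       // site-admin PAT, kept separate from the org-scoped token
	HTTP    *http.Client
}

func (s *SiteAdminClient) CreateUser(login, email string) (Outcome, error) {
	payload := map[string]string{"login": login}
	if email != "" { // email is optional in site_admin_create mode
		payload["email"] = email
	}
	body, _ := json.Marshal(payload)
	req, err := http.NewRequest(http.MethodPost, s.BaseURL+"/admin/users", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "token "+s.Token) // assumed header form
	req.Header.Set("Content-Type", "application/json")
	resp, err := s.HTTP.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusCreated:
		return OutcomeCreated, nil
	case http.StatusUnprocessableEntity:
		return OutcomeAlreadyExists, nil // idempotent: existing user is not an error, as in the PR
	default:
		return "", fmt.Errorf("POST /admin/users failed: %s", resp.Status)
	}
}

// CreateAccount dispatches on mode as the PR describes: invitation mode needs an email,
// site_admin_create needs github_username and goes straight to the admin API.
func CreateAccount(c Config, admin *SiteAdminClient, username, email string) (Outcome, error) {
	if c.AccountCreationMode != "site_admin_create" {
		if email == "" {
			return "", errors.New("email is required for invitation mode")
		}
		return OutcomeInvited, nil
	}
	if username == "" {
		return "", errors.New("github_username is required when account-creation-mode=site_admin_create")
	}
	return admin.CreateUser(username, email)
}

// NewFakeGHES is a constructed stand-in for a GHES instance so this runs offline:
// it checks the site-admin token, records logins, and answers 422 for duplicates.
func NewFakeGHES(adminToken string) *httptest.Server {
	seen := map[string]bool{}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/admin/users" {
			http.NotFound(w, r)
			return
		}
		if r.Header.Get("Authorization") != "token "+adminToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		var in struct{ Login, Email string }
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil || in.Login == "" {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		if seen[in.Login] {
			w.WriteHeader(http.StatusUnprocessableEntity)
			return
		}
		seen[in.Login] = true
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(map[string]interface{}{"login": in.Login, "id": len(seen)})
	}))
}

func main() {
	srv := NewFakeGHES("site-admin-pat")
	defer srv.Close()
	cfg := Config{AccountCreationMode: "site_admin_create", SiteAdminToken: "site-admin-pat"}
	if err := ValidateConfig(cfg); err != nil {
		panic(err)
	}
	admin := &SiteAdminClient{BaseURL: srv.URL, Token: cfg.SiteAdminToken, HTTP: srv.Client()}
	for _, login := range []string{"alice", "alice"} { // second call exercises the duplicate path
		out, err := CreateAccount(cfg, admin, login, "")
		fmt.Println(login, out, err)
	}
}
```

The point worth keeping from the sketch is that the site-admin token only ever reaches the admin client: the org-scoped credential the connector already holds is never widened, and a misconfigured mode or a missing token is caught by ValidateConfig at startup rather than surfacing as a failed provisioning tick later.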

linear-code Bot commented Jun 4, 2026

CXH-1594

```go
// Fields of invitationResourceType (pkg/connector/invitation.go) as quoted in the inline review
orgs                []string
accountCreationMode string
siteAdminClient     *github.Client
instanceURL         string
```

🟡 Suggestion: instanceURL is stored on the struct and passed through InvitationBuilderParams, but no method on invitationResourceType ever reads it. Consider removing it to avoid dead code (R2).


github-actions Bot commented Jun 4, 2026

Connector PR Review: feat: add site-admin account creation mode for GHES

Blocking Issues: 0 | Suggestions: 2 | Threads Resolved: 0
Review mode: full

Review Summary

This PR adds a site_admin_create account creation mode for GHES environments where email-based org invitations are disallowed. The implementation is clean: config validation happens at startup, the CreateAccount dispatch is straightforward, and idempotency is handled correctly for the "already exists" case. The control flow refactor in NewLambdaConnector (early return to if/else) correctly ensures site-admin setup applies to both PAT and GitHub App auth paths. No security or correctness issues found.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

  • pkg/connector/invitation.go:101: instanceURL field is stored on invitationResourceType but never read by any method; dead code.
  • docs/connector.mdx — Does not document the new account-creation-mode or site-admin-token configuration fields, and the account provisioning description only mentions invitation-based flow (D3/D4).
Prompt for AI agents
Verify each finding against the current code and only fix it if needed.

## Suggestions

In `pkg/connector/invitation.go`:
- Around line 101: The `instanceURL` field on `invitationResourceType` is never read by any
  method. Remove it from the struct definition (line 101), from `InvitationBuilderParams`
  (line 633), and from the `InvitationBuilder` constructor (line 643). Also remove the
  `instanceURL` argument from the `InvitationBuilder` call site in `connector.go` (line 144).

In `docs/connector.mdx`:
- Around line 26: The account provisioning description says "New accounts will send an
  invitation to the account owner" without mentioning the alternative site-admin creation
  mode. Update to note that GHES instances can use `account-creation-mode=site_admin_create`
  with a `site-admin-token` to create accounts directly. Document both new config fields
  in the credentials/configuration section.

@github-actions github-actions Bot left a comment


No blocking issues found.
