Add delete_user_alias action

[c1-dev-bot]

Summary

Adds a new delete_user_alias connector action that removes an email alias from a Google Workspace user account. This enables offboarding automations to clean up aliases that Google Workspace automatically creates when a user's primary email is changed via change_user_primary_email.

Changes

• pkg/client/client.go: Added UserAliasService field and DeleteUserAlias method that calls UsersAliasesService.Delete(userKey, alias)
• pkg/connector/connector.go: Initialize UserAliasService with admin.directory.user.alias write scope (upgraded from readonly)
• pkg/connector/user_actions.go: Added delete_user_alias action schema (accepts user_id and alias args) and handler with:
  • Email validation on the alias argument
  • 404 treated as idempotent success (alias already removed)
  • 403 error with helpful scope/permission messaging
• pkg/connector/user_actions_test.go: 6 tests covering success, idempotent 404, missing args, invalid email, and nil service

Scope change

The connector's alias scope is upgraded from admin.directory.user.alias.readonly to admin.directory.user.alias (write). The getService helper's scope upgrade mechanism means existing deployments with only the readonly scope will automatically attempt the write scope.

Fixes: CXH-1554

---

Automated PR Notice

This PR was automatically created by c1-dev-bot as a potential implementation.

This code requires:

• Human review of the implementation approach
• Manual testing to verify correctness
• Approval from the appropriate team before merging

[linear-code]

CXH-1554

[github-actions]

🟡 Suggestion: The alias argument is user-provided input included verbatim in the error message via %s. While mail.ParseAddress validates it's a valid email address, consider that this string also flows into the generic error at line 810 (fmt.Errorf("...failed to delete alias %s for user %s: %w", alias, userId, err)). This is consistent with other handlers in this file, so low risk, but worth noting that user-supplied values appear in error strings.

[github-actions]

Connector PR Review: Add delete_user_alias action

Blocking Issues: 0 | Suggestions: 2 | Threads Resolved: 0
Review mode: full
View review run

Review Summary

This PR adds a new delete_user_alias connector action with proper input validation, idempotent 404 handling, and graceful degradation when the alias service scope is unavailable. The implementation follows established patterns from other action handlers in the file. No blocking issues found. Two documentation suggestions below — the new scope and action should be reflected in docs/connector.mdx.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

• docs/connector.mdx (D2): The new delete_user_alias action is not listed in the connector actions table. Add it alongside the existing actions.
• docs/connector.mdx (D3): The new admin.directory.user.alias (write) scope is not listed in the READ/WRITE scopes section. Existing deployments that want to use this action will need to add this scope.

Prompt for AI agents

Verify each finding against the current code and only fix it if needed.

## Suggestions

In `docs/connector.mdx`:
- Around the connector actions table (line 28): Add a row for the new `delete_user_alias` action with fields `user_id` (string, required) and `alias` (string, required), and description "Deletes an email alias from a Google Workspace user account".
- Around the READ/WRITE scopes section (after line 226): Add `https://www.googleapis.com/auth/admin.directory.user.alias` scope with purpose "(Write) To delete email aliases from user accounts via the delete_user_alias action."

[github-actions]

No blocking issues found.