feat: add Tesorio as built-in SCIM service provider

[c1-dev-bot]

Summary

Adds Tesorio as a built-in SCIM 2.0 service provider configuration. Tesorio is an accounts-receivable / cash flow / collections automation platform that exposes a standard SCIM 2.0 server for user and group management.

Changes

• Added tesorio.yaml service provider config with standard SCIM 2.0 field mappings
• User sync: id, userName, name.givenName/familyName, emails, active
• Group sync: Permission Groups via SCIM Groups with member tracking
• Group membership provisioning: add/remove members via standard SCIM PATCH operations
• Bearer token authentication (apiKey auth type with Bearer prefix)
• Updated CLI flag description and README to include Tesorio

Usage

baton-scim --api-key=SCIM_BEARER_TOKEN --service-provider=tesorio -p

Notes

• The apiEndpoint defaults to https://app.tesorio.com/scim/v2/ — this may need adjustment based on the actual Tesorio SCIM server URL provided during setup. Users can override by using --scim-config-file with a custom YAML config.
• Tesorio's SCIM server supports Create/Update/Deactivate/Group Push per their Okta OIN listing, but user create/deactivate is not yet supported by the baton-scim framework (users are sync-only). Group membership provisioning is fully supported.
• No roles section is configured since Tesorio's RBAC is managed through Permission Groups (SCIM Groups), not individual role assignments.

Fixes: CXH-1706

Test plan

• go build ./cmd/baton-scim/ passes
• go test ./... passes (config test now correctly validates 5 providers)
• Manual testing with a Tesorio SCIM endpoint and bearer token
• Verify group membership provisioning (add/remove) works with Tesorio's SCIM PATCH implementation

---

Automated PR Notice

This PR was automatically created by c1-dev-bot as a potential implementation.

This code requires:

• Human review of the implementation approach
• Manual testing to verify correctness
• Approval from the appropriate team before merging

[linear-code]

CXH-1706

[github-actions]

Connector PR Review: feat: add Tesorio as built-in SCIM service provider

Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review mode: full
View review run

Review Summary

This PR adds a new tesorio.yaml service provider configuration with standard SCIM 2.0 field mappings for users and groups, Bearer token auth, pagination, and group membership provisioning. The config follows the same structure and conventions as the existing Slack and Postman providers. README and CLI description were updated accordingly. No issues found.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

None.

[github-actions]

No blocking issues found.