네이버 계정 정합성 맞춤

2026-06-15 19:54:09 +09:00
parent 8e9d015443
commit 4d468cd39f
97 changed files with 5837 additions and 2031 deletions
--- a/backend/internal/service/worksmobile_sync_service_test.go
+++ b/backend/internal/service/worksmobile_sync_service_test.go
@@ -160,9 +160,11 @@ func TestWorksmobileSyncServiceEnqueuesUserCredentialBatchID(t *testing.T) {
 	require.True(t, ok)
 	require.Equal(t, "ADMIN", request.PasswordConfig.PasswordCreationType)
 	require.Equal(t, "InputPass1!", request.PasswordConfig.Password)
+	require.NotNil(t, request.PasswordConfig.ChangePasswordAtNextLogin)
+	require.True(t, *request.PasswordConfig.ChangePasswordAtNextLogin)
 }

-func TestWorksmobileSyncServiceDoesNotAutoGenerateInitialPassword(t *testing.T) {
+func TestWorksmobileSyncServiceAutoGeneratesAdminInitialPassword(t *testing.T) {
 	t.Setenv("SAMAN_DOMAIN_ID", "1001")
 	rootID := "root-tenant"
 	tenantID := "saman-tenant"
@@ -198,10 +200,14 @@ func TestWorksmobileSyncServiceDoesNotAutoGenerateInitialPassword(t *testing.T)

 	require.NoError(t, err)
 	require.NotNil(t, item)
-	require.NotContains(t, outboxRepo.created[0].Payload, "initialPassword")
+	initialPassword := stringValue(outboxRepo.created[0].Payload["initialPassword"])
+	require.NotEmpty(t, initialPassword)
 	request, ok := outboxRepo.created[0].Payload["request"].(WorksmobileUserPayload)
 	require.True(t, ok)
-	require.Empty(t, request.PasswordConfig.Password)
+	require.Equal(t, "ADMIN", request.PasswordConfig.PasswordCreationType)
+	require.Equal(t, initialPassword, request.PasswordConfig.Password)
+	require.NotNil(t, request.PasswordConfig.ChangePasswordAtNextLogin)
+	require.True(t, *request.PasswordConfig.ChangePasswordAtNextLogin)
 }

 func TestWorksmobileSyncServiceCreatesDistinctUserSyncHistoryJobs(t *testing.T) {
@@ -286,6 +292,48 @@ func TestWorksmobileSyncServiceCreatesDistinctAutomaticUserSyncHistoryJobs(t *te
 	require.NotEqual(t, outboxRepo.created[0].DedupeKey, outboxRepo.created[1].DedupeKey)
 }

+func TestWorksmobileSyncServiceUserUpdateIsUpdateOnlyWithoutInitialPassword(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
+	rootID := "root-tenant"
+	tenantID := "saman-tenant"
+	root := domain.Tenant{
+		ID:   rootID,
+		Slug: HanmacFamilyTenantSlug,
+		Name: "Hanmac Family",
+	}
+	tenant := domain.Tenant{
+		ID:       tenantID,
+		Slug:     "saman",
+		Name:     "Saman",
+		Type:     domain.TenantTypeCompany,
+		ParentID: &rootID,
+		Domains:  []domain.TenantDomain{{Domain: "samaneng.com"}},
+	}
+	target := domain.User{
+		ID:       "target-user",
+		Email:    "target@samaneng.com",
+		Name:     "Target",
+		Status:   domain.UserStatusActive,
+		TenantID: &tenantID,
+	}
+	outboxRepo := &fakeWorksmobileOutboxRepo{}
+	service := NewWorksmobileSyncService(
+		&fakeWorksmobileTenantService{tenants: map[string]domain.Tenant{rootID: root, tenantID: tenant}, list: []domain.Tenant{root, tenant}},
+		&fakeWorksmobileUserRepo{byID: map[string]domain.User{target.ID: target}, byTenant: []domain.User{target}},
+		outboxRepo,
+		nil,
+	)
+
+	require.NoError(t, service.EnqueueUserUpdateIfInScope(context.Background(), target))
+
+	require.Len(t, outboxRepo.created, 1)
+	require.Equal(t, "update_only", outboxRepo.created[0].Payload["provisioningMode"])
+	require.NotContains(t, outboxRepo.created[0].Payload, "initialPassword")
+	request, ok := outboxRepo.created[0].Payload["request"].(WorksmobileUserPayload)
+	require.True(t, ok)
+	require.True(t, request.PasswordConfig.IsZero())
+}
+
 func TestWorksmobileSyncServiceEnqueuesUserPasswordResetCredentialBatch(t *testing.T) {
 	t.Setenv("SAMAN_DOMAIN_ID", "1001")
 	rootID := "root-tenant"
@@ -333,6 +381,49 @@ func TestWorksmobileSyncServiceEnqueuesUserPasswordResetCredentialBatch(t *testi
 	require.NotEmpty(t, outboxRepo.created[0].Payload["initialPassword"])
 }

+func TestWorksmobileSyncServicePasswordResetAllowsExcludedPrimaryTenant(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
+	rootID := "root-tenant"
+	excludedOrgID := "excluded-org"
+	root := domain.Tenant{
+		ID:   rootID,
+		Slug: HanmacFamilyTenantSlug,
+		Name: "Hanmac Family",
+	}
+	excludedOrg := domain.Tenant{
+		ID:       excludedOrgID,
+		Slug:     "excluded-team",
+		Name:     "Excluded Team",
+		Type:     domain.TenantTypeOrganization,
+		ParentID: &rootID,
+		Config:   domain.JSONMap{"worksmobileExcluded": true},
+	}
+	target := domain.User{
+		ID:       "target-user",
+		Email:    "target@samaneng.com",
+		Name:     "Target",
+		Status:   domain.UserStatusActive,
+		TenantID: &excludedOrgID,
+	}
+	outboxRepo := &fakeWorksmobileOutboxRepo{}
+	service := NewWorksmobileSyncService(
+		&fakeWorksmobileTenantService{tenants: map[string]domain.Tenant{rootID: root, excludedOrgID: excludedOrg}, list: []domain.Tenant{root, excludedOrg}},
+		&fakeWorksmobileUserRepo{byID: map[string]domain.User{target.ID: target}, byTenant: []domain.User{target}},
+		outboxRepo,
+		nil,
+	)
+
+	item, err := service.EnqueueUserPasswordReset(context.Background(), rootID, target.ID, "reset-batch-1")
+
+	require.NoError(t, err)
+	require.NotNil(t, item)
+	require.Len(t, outboxRepo.created, 1)
+	require.Equal(t, domain.WorksmobileActionPasswordReset, outboxRepo.created[0].Action)
+	require.Equal(t, "target@samaneng.com", outboxRepo.created[0].Payload["loginEmail"])
+	require.Equal(t, "Target", outboxRepo.created[0].Payload["displayName"])
+	require.Empty(t, outboxRepo.created[0].Payload["primaryLeafOrgName"])
+}
+
 func TestWorksmobileSyncServiceFiltersInitialPasswordsByCredentialBatchID(t *testing.T) {
 	rootID := "root-tenant"
 	root := domain.Tenant{
@@ -1650,6 +1741,69 @@ func TestWorksmobileSyncServiceKeepsCompanyUsersInComparisonScope(t *testing.T)
 	require.ElementsMatch(t, []string{companyID, userGroupID}, userRepo.requestedTenantIDs)
 }

+func TestWorksmobileSyncServiceGetComparisonUsesIdentityMirrorWhenReady(t *testing.T) {
+	rootID := "root-tenant"
+	companyID := "company-tenant"
+	root := domain.Tenant{
+		ID:   rootID,
+		Slug: HanmacFamilyTenantSlug,
+		Name: "한맥가족",
+	}
+	company := domain.Tenant{
+		ID:       companyID,
+		Name:     "계열사",
+		Type:     domain.TenantTypeCompany,
+		ParentID: &rootID,
+	}
+	userRepo := &fakeWorksmobileUserRepo{byTenant: []domain.User{{
+		ID:       "local-only-user",
+		Email:    "local-only@example.com",
+		Name:     "Local Only",
+		TenantID: &companyID,
+		Status:   domain.UserStatusActive,
+	}}}
+	service := NewWorksmobileSyncService(
+		&fakeWorksmobileTenantService{tenants: map[string]domain.Tenant{rootID: root, companyID: company}, list: []domain.Tenant{root, company}},
+		userRepo,
+		&fakeWorksmobileOutboxRepo{},
+		&fakeWorksmobileDirectoryClient{users: []WorksmobileRemoteUser{{
+			ID:               "works-user",
+			ExternalID:       "mirror-user",
+			Email:            "mirror@example.com",
+			DisplayName:      "Mirror User",
+			PrimaryOrgUnitID: "externalKey:" + companyID,
+		}}},
+	)
+	service.SetIdentityMirror(&fakeWorksmobileIdentityMirror{
+		status: domain.IdentityCacheStatus{
+			Status:        "ready",
+			RedisReady:    true,
+			MirrorVersion: "kratos-full-pagination-v1",
+			ObservedCount: 1,
+		},
+		identities: []KratosIdentity{{
+			ID:    "mirror-user",
+			State: "active",
+			Traits: map[string]any{
+				"email":           "mirror@example.com",
+				"name":            "Mirror User",
+				"tenant_id":       companyID,
+				"role":            domain.RoleUser,
+				"affiliationType": "internal",
+			},
+		}},
+	})
+
+	comparison, err := service.GetComparison(context.Background(), rootID, true)
+
+	require.NoError(t, err)
+	require.Empty(t, userRepo.requestedTenantIDs)
+	require.Len(t, comparison.Users, 1)
+	require.Equal(t, "matched", comparison.Users[0].Status)
+	require.Equal(t, "mirror-user", comparison.Users[0].BaronID)
+	require.Equal(t, "mirror-user", comparison.Users[0].ExternalKey)
+}
+
 func TestWorksmobileSyncServiceSkipsArchivedUsersInComparison(t *testing.T) {
 	rootID := "root-tenant"
 	companyID := "company-tenant"
@@ -1898,6 +2052,7 @@ func TestWorksmobileSyncServiceRejectsExcludedOrgUnitSync(t *testing.T) {
 }

 func TestWorksmobileSyncServiceSkipsExcludedTenantAndUserEventSync(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
 	rootID := "root-tenant"
 	excludedCompanyID := "excluded-company"
 	excludedOrgID := "excluded-org"
@@ -1944,12 +2099,26 @@ func TestWorksmobileSyncServiceSkipsExcludedTenantAndUserEventSync(t *testing.T)
 	require.NoError(t, service.EnqueueUserUpsertIfInScope(context.Background(), user))
 	item, err := service.EnqueueUserSync(context.Background(), rootID, user.ID, "", "")

-	require.Nil(t, item)
-	require.ErrorContains(t, err, "excluded from Worksmobile sync")
-	require.Empty(t, outboxRepo.created)
+	require.NoError(t, err)
+	require.NotNil(t, item)
+	require.Len(t, outboxRepo.created, 1)
+	require.Equal(t, domain.WorksmobileResourceUser, outboxRepo.created[0].ResourceType)
+	require.Equal(t, user.ID, outboxRepo.created[0].ResourceID)
+	require.Equal(t, domain.WorksmobileActionUpsert, outboxRepo.created[0].Action)
+	require.Empty(t, outboxRepo.created[0].Status)
+	require.Empty(t, outboxRepo.created[0].LastError)
+	require.Equal(t, rootID, outboxRepo.created[0].Payload["tenantRootId"])
+	require.Equal(t, user.Email, outboxRepo.created[0].Payload["loginEmail"])
+	require.Equal(t, user.Name, outboxRepo.created[0].Payload["displayName"])
+	require.Empty(t, outboxRepo.created[0].Payload["primaryLeafOrgName"])
+	request, ok := outboxRepo.created[0].Payload["request"].(WorksmobileUserPayload)
+	require.True(t, ok)
+	require.Empty(t, request.Organizations)
 }

-func TestCompareWorksmobileUsersIgnoresManagerChange(t *testing.T) {
+func TestCompareWorksmobileUsersMarksManagerChangeNeedsUpdate(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
+	rootID := "tenant-saman"
 	tenantID := "tenant-leaf"
 	user := domain.User{
 		ID:       "user-manager",
@@ -1977,20 +2146,37 @@ func TestCompareWorksmobileUsersIgnoresManagerChange(t *testing.T) {
 			DisplayName:             user.Name,
 			PrimaryOrgUnitID:        "externalKey:" + tenantID,
 			PrimaryOrgUnitIsManager: &remoteManager,
+			Organizations: []WorksmobileUserOrganization{
+				{
+					DomainID: 1001,
+					Email:    user.Email,
+					Primary:  true,
+					OrgUnits: []WorksmobileUserOrgUnit{
+						{
+							OrgUnitID: "externalKey:" + tenantID,
+							Primary:   true,
+							IsManager: &remoteManager,
+						},
+					},
+				},
+			},
 		}},
 		true,
 		map[string]domain.Tenant{
-			tenantID: {ID: tenantID, Name: "Leaf", Type: domain.TenantTypeOrganization},
+			rootID:   {ID: rootID, Slug: "saman", Name: "삼안", Type: domain.TenantTypeCompany, Domains: []domain.TenantDomain{{Domain: "samaneng.com"}}},
+			tenantID: {ID: tenantID, Name: "Leaf", Type: domain.TenantTypeOrganization, ParentID: &rootID},
 		},
 	)

 	require.Len(t, items, 1)
-	require.Equal(t, "matched", items[0].Status)
+	require.Equal(t, "needs_update", items[0].Status)
 }

-func TestCompareWorksmobileUsersIgnoresSecondaryManagerChange(t *testing.T) {
-	primaryTenantID := "tenant-company"
-	secondaryTenantID := "tenant-gpdtdc-leaf"
+func TestCompareWorksmobileUsersMarksSecondaryManagerChangeNeedsUpdate(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
+	rootID := "tenant-saman"
+	primaryTenantID := "tenant-primary"
+	secondaryTenantID := "tenant-secondary"
 	user := domain.User{
 		ID:       "user-secondary-manager",
 		Email:    "secondary-manager@samaneng.com",
@@ -2026,19 +2212,39 @@ func TestCompareWorksmobileUsersIgnoresSecondaryManagerChange(t *testing.T) {
 				"externalKey:" + primaryTenantID:   &remotePrimaryManager,
 				"externalKey:" + secondaryTenantID: &remoteSecondaryManager,
 			},
+			Organizations: []WorksmobileUserOrganization{
+				{
+					DomainID: 1001,
+					Email:    user.Email,
+					Primary:  true,
+					OrgUnits: []WorksmobileUserOrgUnit{
+						{
+							OrgUnitID: "externalKey:" + primaryTenantID,
+							Primary:   true,
+							IsManager: &remotePrimaryManager,
+						},
+						{
+							OrgUnitID: "externalKey:" + secondaryTenantID,
+							Primary:   false,
+							IsManager: &remoteSecondaryManager,
+						},
+					},
+				},
+			},
 		}},
 		true,
 		map[string]domain.Tenant{
-			primaryTenantID:   {ID: primaryTenantID, Name: "Company", Type: domain.TenantTypeCompany},
-			secondaryTenantID: {ID: secondaryTenantID, Name: "GPDTDC Leaf", Type: domain.TenantTypeOrganization},
+			rootID:            {ID: rootID, Slug: "saman", Name: "삼안", Type: domain.TenantTypeCompany, Domains: []domain.TenantDomain{{Domain: "samaneng.com"}}},
+			primaryTenantID:   {ID: primaryTenantID, Name: "Primary", Type: domain.TenantTypeOrganization, ParentID: &rootID},
+			secondaryTenantID: {ID: secondaryTenantID, Name: "Secondary", Type: domain.TenantTypeOrganization, ParentID: &rootID},
 		},
 	)

 	require.Len(t, items, 1)
-	require.Equal(t, "matched", items[0].Status)
+	require.Equal(t, "needs_update", items[0].Status)
 }

-func TestCompareWorksmobileUsersIgnoresMissingSecondaryOrganization(t *testing.T) {
+func TestCompareWorksmobileUsersMarksMissingSecondaryOrganizationNeedsUpdate(t *testing.T) {
 	t.Setenv("SAMAN_DOMAIN_ID", "1001")
 	t.Setenv("GPDTDC_DOMAIN_ID", "1003")
 	rootID := "tenant-root"
@@ -2097,10 +2303,336 @@ func TestCompareWorksmobileUsersIgnoresMissingSecondaryOrganization(t *testing.T
 		},
 	)

+	require.Len(t, items, 1)
+	require.Equal(t, "needs_update", items[0].Status)
+}
+
+func TestCompareWorksmobileUsersIgnoresOrganizationEmailWhenMembershipMatches(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
+	rootID := "tenant-root"
+	companyID := "tenant-saman"
+	tenantID := "tenant-leaf"
+	user := domain.User{
+		ID:       "user-org-email",
+		Email:    "org-email@samaneng.com",
+		Name:     "Org Email User",
+		TenantID: &tenantID,
+		Status:   domain.UserStatusActive,
+		Metadata: domain.JSONMap{
+			"additionalAppointments": []any{
+				map[string]any{"tenantId": tenantID},
+			},
+		},
+	}
+
+	items := compareWorksmobileUsers(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:          "works-user-org-email",
+			ExternalID:  user.ID,
+			Email:       user.Email,
+			DisplayName: user.Name,
+			Organizations: []WorksmobileUserOrganization{
+				{
+					DomainID: 1001,
+					Primary:  true,
+					OrgUnits: []WorksmobileUserOrgUnit{
+						{
+							OrgUnitID: "externalKey:" + tenantID,
+							Primary:   true,
+						},
+					},
+				},
+			},
+		}},
+		true,
+		map[string]domain.Tenant{
+			rootID:    {ID: rootID, Slug: HanmacFamilyTenantSlug, Name: "한맥가족", Type: domain.TenantTypeCompanyGroup},
+			companyID: {ID: companyID, Slug: "saman", Name: "삼안", Type: domain.TenantTypeCompany, ParentID: &rootID, Domains: []domain.TenantDomain{{Domain: "samaneng.com"}}},
+			tenantID:  {ID: tenantID, Slug: "leaf", Name: "Leaf", Type: domain.TenantTypeOrganization, ParentID: &companyID},
+		},
+	)
+
 	require.Len(t, items, 1)
 	require.Equal(t, "matched", items[0].Status)
 }

+func TestCompareWorksmobileUsersUsesRemoteUserDomainWhenOrganizationDomainIsMissing(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
+	rootID := "tenant-root"
+	companyID := "tenant-saman"
+	tenantID := "tenant-leaf"
+	user := domain.User{
+		ID:       "user-org-domain",
+		Email:    "org-domain@samaneng.com",
+		Name:     "Org Domain User",
+		TenantID: &tenantID,
+		Status:   domain.UserStatusActive,
+		Metadata: domain.JSONMap{
+			"additionalAppointments": []any{
+				map[string]any{"tenantId": tenantID},
+			},
+		},
+	}
+
+	items := compareWorksmobileUsers(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:          "works-user-org-domain",
+			ExternalID:  user.ID,
+			Email:       user.Email,
+			DisplayName: user.Name,
+			DomainID:    1001,
+			Organizations: []WorksmobileUserOrganization{
+				{
+					Primary: true,
+					OrgUnits: []WorksmobileUserOrgUnit{
+						{
+							OrgUnitID: "externalKey:" + tenantID,
+							Primary:   true,
+						},
+					},
+				},
+			},
+		}},
+		true,
+		map[string]domain.Tenant{
+			rootID:    {ID: rootID, Slug: HanmacFamilyTenantSlug, Name: "한맥가족", Type: domain.TenantTypeCompanyGroup},
+			companyID: {ID: companyID, Slug: "saman", Name: "삼안", Type: domain.TenantTypeCompany, ParentID: &rootID, Domains: []domain.TenantDomain{{Domain: "samaneng.com"}}},
+			tenantID:  {ID: tenantID, Slug: "leaf", Name: "Leaf", Type: domain.TenantTypeOrganization, ParentID: &companyID},
+		},
+	)
+
+	require.Len(t, items, 1)
+	require.Equal(t, "matched", items[0].Status)
+}
+
+func TestCompareWorksmobileUsersUsesRemotePrimaryOrgUnitWhenOrganizationPrimaryFlagsAreMissing(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
+	rootID := "tenant-root"
+	companyID := "tenant-saman"
+	tenantID := "tenant-leaf"
+	user := domain.User{
+		ID:       "user-org-primary",
+		Email:    "org-primary@samaneng.com",
+		Name:     "Org Primary User",
+		TenantID: &tenantID,
+		Status:   domain.UserStatusActive,
+		Metadata: domain.JSONMap{
+			"additionalAppointments": []any{
+				map[string]any{"tenantId": tenantID},
+			},
+		},
+	}
+
+	items := compareWorksmobileUsersWithRemoteGroups(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:               "works-user-org-primary",
+			ExternalID:       user.ID,
+			Email:            user.Email,
+			DisplayName:      user.Name,
+			DomainID:         1001,
+			PrimaryOrgUnitID: "works-leaf",
+			Organizations: []WorksmobileUserOrganization{
+				{
+					DomainID: 1001,
+					OrgUnits: []WorksmobileUserOrgUnit{
+						{
+							OrgUnitID: "works-leaf",
+						},
+					},
+				},
+			},
+		}},
+		true,
+		map[string]domain.Tenant{
+			rootID:    {ID: rootID, Slug: HanmacFamilyTenantSlug, Name: "한맥가족", Type: domain.TenantTypeCompanyGroup},
+			companyID: {ID: companyID, Slug: "saman", Name: "삼안", Type: domain.TenantTypeCompany, ParentID: &rootID, Domains: []domain.TenantDomain{{Domain: "samaneng.com"}}},
+			tenantID:  {ID: tenantID, Slug: "leaf", Name: "Leaf", Type: domain.TenantTypeOrganization, ParentID: &companyID},
+		},
+		[]WorksmobileRemoteGroup{{
+			ID:         "works-leaf",
+			ExternalID: tenantID,
+		}},
+	)
+
+	require.Len(t, items, 1)
+	require.Equal(t, "matched", items[0].Status)
+}
+
+func TestCompareWorksmobileUsersMatchesRemoteOrganizationExternalKey(t *testing.T) {
+	t.Setenv("SAMAN_DOMAIN_ID", "1001")
+	rootID := "tenant-root"
+	companyID := "tenant-saman"
+	tenantID := "tenant-leaf"
+	user := domain.User{
+		ID:       "user-org-external-key",
+		Email:    "org-external-key@samaneng.com",
+		Name:     "Org External Key User",
+		TenantID: &tenantID,
+		Status:   domain.UserStatusActive,
+		Metadata: domain.JSONMap{
+			"additionalAppointments": []any{
+				map[string]any{"tenantId": tenantID},
+			},
+		},
+	}
+
+	items := compareWorksmobileUsersWithRemoteGroups(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:               "works-user-org-external-key",
+			ExternalID:       user.ID,
+			Email:            user.Email,
+			DisplayName:      user.Name,
+			DomainID:         1001,
+			PrimaryOrgUnitID: "works-leaf",
+			Organizations: []WorksmobileUserOrganization{
+				{
+					DomainID: 1001,
+					Primary:  true,
+					OrgUnits: []WorksmobileUserOrgUnit{
+						{
+							OrgUnitID: "externalKey:" + tenantID,
+							Primary:   true,
+						},
+					},
+				},
+			},
+		}},
+		true,
+		map[string]domain.Tenant{
+			rootID:    {ID: rootID, Slug: HanmacFamilyTenantSlug, Name: "한맥가족", Type: domain.TenantTypeCompanyGroup},
+			companyID: {ID: companyID, Slug: "saman", Name: "삼안", Type: domain.TenantTypeCompany, ParentID: &rootID, Domains: []domain.TenantDomain{{Domain: "samaneng.com"}}},
+			tenantID:  {ID: tenantID, Slug: "leaf", Name: "Leaf", Type: domain.TenantTypeOrganization, ParentID: &companyID},
+		},
+		[]WorksmobileRemoteGroup{{
+			ID:         "works-leaf",
+			ExternalID: tenantID,
+		}},
+	)
+
+	require.Len(t, items, 1)
+	require.Equal(t, "matched", items[0].Status)
+}
+
+func TestCompareWorksmobileUsersMarksMissingPrimaryOrganizationNeedsUpdate(t *testing.T) {
+	t.Setenv("GPDTDC_DOMAIN_ID", "1003")
+	rootID := "tenant-root"
+	gpdtdcID := "tenant-gpdtdc"
+	peopleGrowthID := "tenant-people-growth"
+	user := domain.User{
+		ID:       "user-people-growth",
+		Email:    "people-growth@baroncs.co.kr",
+		Name:     "People Growth User",
+		TenantID: &peopleGrowthID,
+		Status:   domain.UserStatusActive,
+	}
+
+	items := compareWorksmobileUsers(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:               "works-user-people-growth",
+			ExternalID:       user.ID,
+			Email:            user.Email,
+			DisplayName:      user.Name,
+			DomainID:         1003,
+			PrimaryOrgUnitID: "externalKey:another-team",
+			Organizations: []WorksmobileUserOrganization{
+				{
+					DomainID: 1003,
+					Email:    user.Email,
+					Primary:  true,
+					OrgUnits: []WorksmobileUserOrgUnit{
+						{
+							OrgUnitID: "externalKey:another-team",
+							Primary:   true,
+						},
+					},
+				},
+			},
+		}},
+		true,
+		map[string]domain.Tenant{
+			rootID:         {ID: rootID, Slug: HanmacFamilyTenantSlug, Name: "한맥가족", Type: domain.TenantTypeCompanyGroup},
+			gpdtdcID:       {ID: gpdtdcID, Slug: "gpdtdc", Name: "총괄기획&기술개발센터", Type: domain.TenantTypeCompanyGroup, ParentID: &rootID},
+			peopleGrowthID: {ID: peopleGrowthID, Slug: "people-growth", Name: "인재성장", Type: domain.TenantTypeOrganization, ParentID: &gpdtdcID},
+		},
+	)
+
+	require.Len(t, items, 1)
+	require.Equal(t, "needs_update", items[0].Status)
+	require.Equal(t, peopleGrowthID, items[0].BaronPrimaryOrgID)
+	require.Equal(t, "externalKey:another-team", items[0].WorksmobilePrimaryOrgID)
+}
+
+func TestCompareWorksmobileUsersMatchesPrimaryOrganizationByWorksmobileResourceID(t *testing.T) {
+	peopleGrowthID := "tenant-people-growth"
+	user := domain.User{
+		ID:       "user-people-growth",
+		Email:    "people-growth@baroncs.co.kr",
+		Name:     "People Growth User",
+		TenantID: &peopleGrowthID,
+		Status:   domain.UserStatusActive,
+	}
+
+	items := compareWorksmobileUsersWithRemoteGroups(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:               "works-user-people-growth",
+			ExternalID:       user.ID,
+			Email:            user.Email,
+			DisplayName:      user.Name,
+			PrimaryOrgUnitID: "works-current-people-growth",
+		}},
+		true,
+		map[string]domain.Tenant{
+			peopleGrowthID: {ID: peopleGrowthID, Slug: "people-growth", Name: "인재성장", Type: domain.TenantTypeOrganization},
+		},
+		[]WorksmobileRemoteGroup{{
+			ID:         "works-current-people-growth",
+			ExternalID: peopleGrowthID,
+		}},
+	)
+
+	require.Len(t, items, 1)
+	require.Equal(t, "matched", items[0].Status)
+}
+
+func TestCompareWorksmobileUsersMarksStalePrimaryOrganizationResourceIDNeedsUpdate(t *testing.T) {
+	peopleGrowthID := "tenant-people-growth"
+	user := domain.User{
+		ID:       "user-people-growth",
+		Email:    "people-growth@baroncs.co.kr",
+		Name:     "People Growth User",
+		TenantID: &peopleGrowthID,
+		Status:   domain.UserStatusActive,
+	}
+
+	items := compareWorksmobileUsersWithRemoteGroups(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:               "works-user-people-growth",
+			ExternalID:       user.ID,
+			Email:            user.Email,
+			DisplayName:      user.Name,
+			PrimaryOrgUnitID: "works-deleted-people-growth",
+		}},
+		true,
+		map[string]domain.Tenant{
+			peopleGrowthID: {ID: peopleGrowthID, Slug: "people-growth", Name: "인재성장", Type: domain.TenantTypeOrganization},
+		},
+		[]WorksmobileRemoteGroup{{
+			ID:         "works-current-people-growth",
+			ExternalID: peopleGrowthID,
+		}},
+	)
+
+	require.Len(t, items, 1)
+	require.Equal(t, "needs_update", items[0].Status)
+}
+
 func TestCompareWorksmobileUsersMarksPhoneAndEmployeeNumberChangesNeedsUpdate(t *testing.T) {
 	tenantID := "tenant-saman"
 	user := domain.User{
@@ -2167,6 +2699,63 @@ func TestCompareWorksmobileUsersMarksMalformedRemoteKoreanPhoneNeedsUpdate(t *te
 	require.Equal(t, "needs_update", items[0].Status)
 }

+func TestCompareWorksmobileUsersIgnoresRemotePhoneWhenBaronPhoneIsEmpty(t *testing.T) {
+	tenantID := "tenant-halla"
+	user := domain.User{
+		ID:       "edb8e4f6-3dfd-44d4-a8aa-87332f8b2b38",
+		Email:    "cyhan4@hallasanup.com",
+		Name:     "네이버웍스관리자",
+		TenantID: &tenantID,
+		Status:   domain.UserStatusActive,
+	}
+	items := compareWorksmobileUsers(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:          "fe9449d1-1671-44e4-1848-033779dddbaf",
+			ExternalID:  user.ID,
+			Email:       user.Email,
+			DisplayName: user.Name,
+			CellPhone:   "+82 01041585840",
+		}},
+		true,
+		map[string]domain.Tenant{
+			tenantID: {ID: tenantID, Name: "한라산업개발", Type: domain.TenantTypeCompany},
+		},
+	)
+
+	require.Len(t, items, 1)
+	require.Equal(t, "matched", items[0].Status)
+}
+
+func TestCompareWorksmobileUsersTreatsSpacedKoreanCountryCodePhoneAsMatched(t *testing.T) {
+	tenantID := "tenant-saman"
+	user := domain.User{
+		ID:       "user-phone-spaced",
+		Email:    "phone-spaced@samaneng.com",
+		Name:     "Phone Spaced User",
+		Phone:    "+821041585840",
+		TenantID: &tenantID,
+		Status:   domain.UserStatusActive,
+	}
+	items := compareWorksmobileUsers(
+		[]domain.User{user},
+		[]WorksmobileRemoteUser{{
+			ID:          "works-user-phone-spaced",
+			ExternalID:  user.ID,
+			Email:       user.Email,
+			DisplayName: user.Name,
+			CellPhone:   "+82 1041585840",
+		}},
+		true,
+		map[string]domain.Tenant{
+			tenantID: {ID: tenantID, Name: "삼안", Type: domain.TenantTypeCompany},
+		},
+	)
+
+	require.Len(t, items, 1)
+	require.Equal(t, "matched", items[0].Status)
+}
+
 type fakeWorksmobileTenantService struct {
 	tenants map[string]domain.Tenant
 	list    []domain.Tenant
@@ -2229,6 +2818,19 @@ type fakeWorksmobileUserRepo struct {
 	requestedTenantIDs []string
 }

+type fakeWorksmobileIdentityMirror struct {
+	status     domain.IdentityCacheStatus
+	identities []KratosIdentity
+}
+
+func (f *fakeWorksmobileIdentityMirror) GetIdentityCacheStatus(ctx context.Context) (domain.IdentityCacheStatus, error) {
+	return f.status, nil
+}
+
+func (f *fakeWorksmobileIdentityMirror) ListIdentityMirrors(ctx context.Context) ([]KratosIdentity, error) {
+	return f.identities, nil
+}
+
 func (f *fakeWorksmobileUserRepo) Create(ctx context.Context, user *domain.User) error { return nil }
 func (f *fakeWorksmobileUserRepo) Update(ctx context.Context, user *domain.User) error { return nil }
 func (f *fakeWorksmobileUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {