fix(backend): force keto outbox sync on explicit tenant assignment to self-heal missing relations

backend/internal/handler/user_handler.go

@@ -1282,6 +1282,18 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 					}
 				}
 			}
+
+			// [Self-Healing] If the UI explicitly assigned the tenant, force a Keto relation sync.
+			// This fixes issues where local DB had the tenant, but Keto failed to create the relation previously.
+			if req.CompanyCode != nil && h.KetoOutboxRepo != nil && updatedLocalUser.TenantID != nil {
+				_ = h.KetoOutboxRepo.Create(bgCtx, &domain.KetoOutbox{
+					Namespace: "Tenant",
+					Object:    *updatedLocalUser.TenantID,
+					Relation:  "members",
+					Subject:   "User:" + updatedLocalUser.ID,
+					Action:    domain.KetoOutboxActionCreate,
+				})
+			}
 		}()
 	}