adminfront 조직 통계오류 보정. Kratos Projection용 통계테이블 구조 추가

2026-05-11 13:01:55 +09:00
parent 9a64a16cb9
commit 843b4100ad
36 changed files with 2022 additions and 169 deletions
--- a/backend/internal/handler/admin_handler.go
+++ b/backend/internal/handler/admin_handler.go
@@ -18,12 +18,14 @@ type adminHydraClientLister interface {
 }

 type AdminHandler struct {
-	Keto           service.KetoService
-	KetoOutbox     repository.KetoOutboxRepository
-	RPUsageQueries domain.RPUsageQueryRepository
-	TenantRepo     repository.TenantRepository
-	Hydra          adminHydraClientLister
-	AuditRepo      domain.AuditRepository
+	Keto                 service.KetoService
+	KetoOutbox           repository.KetoOutboxRepository
+	RPUsageQueries       domain.RPUsageQueryRepository
+	TenantRepo           repository.TenantRepository
+	Hydra                adminHydraClientLister
+	AuditRepo            domain.AuditRepository
+	UserProjectionRepo   repository.UserProjectionRepository
+	UserProjectionSyncer service.UserProjectionReconciler
 }

 func NewAdminHandler(keto service.KetoService, ketoOutbox repository.KetoOutboxRepository) *AdminHandler {
@@ -107,6 +109,50 @@ func (h *AdminHandler) CheckAuth(c *fiber.Ctx) error {
 	return c.Status(fiber.StatusOK).JSON(fiber.Map{"status": "ok"})
 }

+func requireSuperAdminProfile(c *fiber.Ctx) error {
+	profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if profile == nil || domain.NormalizeRole(profile.Role) != domain.RoleSuperAdmin {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: super_admin required"})
+	}
+	return nil
+}
+
+func (h *AdminHandler) GetUserProjectionStatus(c *fiber.Ctx) error {
+	if err := requireSuperAdminProfile(c); err != nil {
+		return err
+	}
+	if h == nil || h.UserProjectionRepo == nil {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "user projection service unavailable"})
+	}
+	status, err := h.UserProjectionRepo.GetStatus(c.Context())
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(status)
+}
+
+func (h *AdminHandler) ReconcileUserProjection(c *fiber.Ctx) error {
+	if err := requireSuperAdminProfile(c); err != nil {
+		return err
+	}
+	if h == nil || h.UserProjectionSyncer == nil {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "user projection sync service unavailable"})
+	}
+	count, err := h.UserProjectionSyncer.Reconcile(c.Context())
+	if err != nil {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{
+		"status":      "success",
+		"syncedUsers": count,
+		"updatedAt":   time.Now().UTC().Format(time.RFC3339),
+	})
+}
+
+func (h *AdminHandler) ResetUserProjection(c *fiber.Ctx) error {
+	return h.ReconcileUserProjection(c)
+}
+
 // GetSystemStats returns runtime statistics for monitoring
 func (h *AdminHandler) GetSystemStats(c *fiber.Ctx) error {
 	var m runtime.MemStats
--- a/backend/internal/handler/admin_handler_test.go
+++ b/backend/internal/handler/admin_handler_test.go
@@ -5,6 +5,7 @@ import (
 	"baron-sso-backend/internal/service"
 	"context"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -65,6 +66,41 @@ func (f *fakeOverviewAuditRepo) CountEventsSince(ctx context.Context, since time
 	return f.count, nil
 }

+type fakeAdminUserProjectionRepo struct {
+	status domain.UserProjectionStatus
+}
+
+func (f *fakeAdminUserProjectionRepo) IsReady(ctx context.Context) (bool, error) {
+	return f.status.Ready, nil
+}
+
+func (f *fakeAdminUserProjectionRepo) CountTenantMembers(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error) {
+	return nil, nil
+}
+
+func (f *fakeAdminUserProjectionRepo) ReplaceAllFromKratos(ctx context.Context, users []domain.User) error {
+	return nil
+}
+
+func (f *fakeAdminUserProjectionRepo) MarkFailed(ctx context.Context, syncErr error) error {
+	return nil
+}
+
+func (f *fakeAdminUserProjectionRepo) GetStatus(ctx context.Context) (domain.UserProjectionStatus, error) {
+	return f.status, nil
+}
+
+type fakeAdminUserProjectionSyncer struct {
+	count int
+	err   error
+	calls int
+}
+
+func (f *fakeAdminUserProjectionSyncer) Reconcile(ctx context.Context) (int, error) {
+	f.calls++
+	return f.count, f.err
+}
+
 func TestAdminHandler_GetRPUsageDaily(t *testing.T) {
 	repo := &fakeRPUsageQueryRepo{
 		items: []domain.RPUsageDailyMetric{
@@ -111,6 +147,96 @@ func TestAdminHandler_GetRPUsageDaily(t *testing.T) {
 	require.Equal(t, uint64(12), body.Items[0].LoginRequests)
 }

+func TestAdminHandler_UserProjectionStatusRequiresSuperAdmin(t *testing.T) {
+	h := &AdminHandler{
+		UserProjectionRepo: &fakeAdminUserProjectionRepo{
+			status: domain.UserProjectionStatus{Name: domain.UserProjectionNameKratos, Status: domain.UserProjectionStatusReady, Ready: true},
+		},
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "tenant-admin", Role: domain.RoleTenantAdmin})
+		return c.Next()
+	})
+	app.Get("/api/v1/admin/projections/users", h.GetUserProjectionStatus)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/projections/users", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusForbidden, resp.StatusCode)
+}
+
+func TestAdminHandler_UserProjectionStatusReturnsProjectionStateForSuperAdmin(t *testing.T) {
+	syncedAt := time.Date(2026, 5, 11, 3, 0, 0, 0, time.UTC)
+	h := &AdminHandler{
+		UserProjectionRepo: &fakeAdminUserProjectionRepo{
+			status: domain.UserProjectionStatus{
+				Name:           domain.UserProjectionNameKratos,
+				Status:         domain.UserProjectionStatusReady,
+				Ready:          true,
+				LastSyncedAt:   &syncedAt,
+				ProjectedUsers: 152,
+			},
+		},
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "super", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Get("/api/v1/admin/projections/users", h.GetUserProjectionStatus)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/projections/users", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body domain.UserProjectionStatus
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	require.Equal(t, domain.UserProjectionNameKratos, body.Name)
+	require.Equal(t, domain.UserProjectionStatusReady, body.Status)
+	require.True(t, body.Ready)
+	require.Equal(t, int64(152), body.ProjectedUsers)
+}
+
+func TestAdminHandler_ReconcileUserProjectionRequiresSuperAdminAndRunsSyncer(t *testing.T) {
+	syncer := &fakeAdminUserProjectionSyncer{count: 4}
+	h := &AdminHandler{UserProjectionSyncer: syncer}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "super", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Post("/api/v1/admin/projections/users/reconcile", h.ReconcileUserProjection)
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/projections/users/reconcile", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	require.Equal(t, 1, syncer.calls)
+
+	var body map[string]any
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	require.Equal(t, "success", body["status"])
+	require.Equal(t, float64(4), body["syncedUsers"])
+}
+
+func TestAdminHandler_ReconcileUserProjectionReturnsServiceUnavailableOnSyncFailure(t *testing.T) {
+	syncer := &fakeAdminUserProjectionSyncer{err: errors.New("kratos down")}
+	h := &AdminHandler{UserProjectionSyncer: syncer}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "super", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Post("/api/v1/admin/projections/users/reconcile", h.ReconcileUserProjection)
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/projections/users/reconcile", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
+}
+
 func TestAdminHandler_GetRPUsageDailyChecksTenantPermission(t *testing.T) {
 	repo := &fakeRPUsageQueryRepo{}
 	keto := &fakeAdminKeto{allowed: true}
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -100,6 +100,7 @@ type AuthHandler struct {
 	KetoService        service.KetoService
 	KetoOutboxRepo     repository.KetoOutboxRepository
 	UserRepo           repository.UserRepository
+	UserProjectionRepo repository.UserProjectionRepository
 	ConsentRepo        repository.ClientConsentRepository
 	RPUserMetadataRepo repository.RPUserMetadataRepository
 	RPUsageSink        domain.RPUsageEventSink
@@ -856,6 +857,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {

 			if err := h.UserRepo.Update(ctx, u); err != nil {
 				slog.Error("[Signup] Failed to sync user to Read-Model (Local DB)", "email", u.Email, "error", err)
+				markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
 			} else {
 				slog.Debug("[Signup] Synced user to Read-Model", "email", u.Email)

@@ -865,6 +867,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
 				}
 				if err := h.UserRepo.UpdateUserLoginIDs(ctx, u.ID, ids); err != nil {
 					slog.Error("[Signup] Failed to update user login IDs", "userID", u.ID, "error", err)
+					markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
 				}

 				// [Keto] Sync user-tenant relationship via Outbox
@@ -7242,6 +7245,115 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
 	return profile
 }

+func (h *AuthHandler) mapKratosTraitsToLocalUser(identityID string, traits map[string]interface{}, existing *domain.User) *domain.User {
+	now := time.Now()
+	localUser := &domain.User{
+		ID:        identityID,
+		Status:    domain.UserStatusActive,
+		CreatedAt: now,
+		UpdatedAt: now,
+		Metadata:  make(domain.JSONMap),
+	}
+	if existing != nil {
+		copied := *existing
+		localUser = &copied
+		localUser.UpdatedAt = now
+		if localUser.Metadata == nil {
+			localUser.Metadata = make(domain.JSONMap)
+		}
+	}
+
+	if email := extractTraitString(traits, "email"); email != "" {
+		localUser.Email = email
+	}
+	if name := extractTraitString(traits, "name"); name != "" {
+		localUser.Name = name
+	}
+	if phone := extractTraitString(traits, "phone_number"); phone != "" {
+		localUser.Phone = phone
+	}
+	if department := extractTraitString(traits, "department"); department != "" {
+		localUser.Department = department
+	}
+	if position := extractTraitString(traits, "position"); position != "" {
+		localUser.Position = position
+	}
+	if jobTitle := extractTraitString(traits, "jobTitle"); jobTitle != "" {
+		localUser.JobTitle = jobTitle
+	}
+	if affType := extractTraitString(traits, "affiliationType"); affType != "" {
+		localUser.AffiliationType = affType
+	}
+
+	companyCode := extractTraitString(traits, "companyCode")
+	if companyCode == "" {
+		companyCode = extractTraitString(traits, "company_code")
+	}
+	if companyCode != "" {
+		localUser.CompanyCode = companyCode
+	}
+	if companyCodes := extractTraitStringArray(traits, "companyCodes"); len(companyCodes) > 0 {
+		localUser.CompanyCodes = pq.StringArray(companyCodes)
+	}
+	if tenantID := extractTraitString(traits, "tenant_id"); tenantID != "" {
+		localUser.TenantID = &tenantID
+	}
+	if relyingPartyID := extractTraitString(traits, "relying_party_id"); relyingPartyID != "" {
+		localUser.RelyingPartyID = &relyingPartyID
+	}
+
+	role := extractTraitString(traits, "grade")
+	if role == "" {
+		role = extractTraitString(traits, "role")
+	}
+	role = domain.NormalizeRole(role)
+	if role == "" {
+		role = domain.RoleUser
+	}
+	localUser.Role = role
+	if localUser.Status == "" {
+		localUser.Status = domain.UserStatusActive
+	}
+	if localUser.CreatedAt.IsZero() {
+		localUser.CreatedAt = now
+	}
+
+	coreTraits := map[string]bool{
+		"email": true, "name": true, "phone_number": true,
+		"grade": true, "companyCode": true, "company_code": true,
+		"companyCodes": true, "department": true,
+		"position": true, "jobTitle": true,
+		"affiliationType": true, "role": true,
+		"tenant_id": true, "relying_party_id": true,
+		"custom_login_ids": true, "id": true,
+	}
+	metadata := make(domain.JSONMap)
+	for k, v := range traits {
+		if !coreTraits[k] {
+			metadata[k] = v
+		}
+	}
+	localUser.Metadata = metadata
+
+	return localUser
+}
+
+func (h *AuthHandler) syncUpdatedKratosUserReadModel(ctx context.Context, identityID string, traits map[string]interface{}) error {
+	if h == nil || h.UserRepo == nil {
+		return nil
+	}
+
+	var existing *domain.User
+	if current, err := h.UserRepo.FindByID(ctx, identityID); err == nil {
+		existing = current
+	} else {
+		slog.Warn("[UpdateMe] Failed to load existing local user before read-model sync", "userID", identityID, "error", err)
+	}
+
+	localUser := h.mapKratosTraitsToLocalUser(identityID, traits, existing)
+	return h.UserRepo.Update(ctx, localUser)
+}
+
 func (h *AuthHandler) applySessionInfoFromWhoami(profile *domain.UserProfileResponse, authenticatedAt, usedIdentifier string) *domain.UserProfileResponse {
 	if profile == nil {
 		return nil
@@ -7374,9 +7486,10 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
 	// [New] Local DB Sync - Sync synchronously to ensure immediate consistency
 	if h.UserRepo != nil {
 		ctx := context.Background()
-		// Also update local User record (read-model)
-		// We can fetch updated identity or just map current traits
-		// Since mapKratosIdentityToProfile is for UI, let's just use UpdateUserLoginIDs first
+		if err := h.syncUpdatedKratosUserReadModel(ctx, identityID, traits); err != nil {
+			slog.Error("[UpdateMe] Failed to sync local user read-model", "userID", identityID, "error", err)
+			markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
+		}
 		if err := h.UserRepo.UpdateUserLoginIDs(ctx, identityID, loginIDRecords); err != nil {
 			slog.Error("[UpdateMe] Failed to update user login IDs", "userID", identityID, "error", err)
 		}
--- a/backend/internal/handler/auth_handler_profile_cache_test.go
+++ b/backend/internal/handler/auth_handler_profile_cache_test.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"baron-sso-backend/internal/domain"
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -12,6 +13,23 @@ import (
 	"github.com/stretchr/testify/require"
 )

+type recordingUpdateMeUserRepo struct {
+	MockUserRepoForHandler
+	updated  *domain.User
+	loginIDs []domain.UserLoginID
+}
+
+func (r *recordingUpdateMeUserRepo) Update(ctx context.Context, user *domain.User) error {
+	copied := *user
+	r.updated = &copied
+	return nil
+}
+
+func (r *recordingUpdateMeUserRepo) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
+	r.loginIDs = append([]domain.UserLoginID(nil), loginIDs...)
+	return nil
+}
+
 func TestUpdateMe_InvalidatesProfileCacheForTokenSession(t *testing.T) {
 	token := "token-abc"
 	identityID := "user-1"
@@ -107,3 +125,91 @@ func TestUpdateMe_InvalidatesProfileCacheForTokenSession(t *testing.T) {
 	require.NoError(t, json.NewDecoder(getResp2.Body).Decode(&profile2))
 	require.Equal(t, "New Dept", profile2["department"])
 }
+
+func TestUpdateMe_SyncsLocalReadModelFields(t *testing.T) {
+	token := "token-sync"
+	identityID := "user-sync"
+	traits := map[string]interface{}{
+		"email":           "sync@example.com",
+		"name":            "Old Name",
+		"phone_number":    "+821012345678",
+		"department":      "Old Dept",
+		"affiliationType": "employee",
+		"companyCode":     "saman",
+		"tenant_id":       "11111111-1111-1111-1111-111111111111",
+		"role":            domain.RoleUser,
+	}
+
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch {
+		case r.URL.Host == "kratos.test" &&
+			r.URL.Path == "/sessions/whoami" &&
+			r.Method == http.MethodGet:
+			if r.Header.Get("X-Session-Token") != token {
+				return httpResponse(r, http.StatusUnauthorized, `{"error":"invalid token"}`), nil
+			}
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"identity": map[string]interface{}{
+					"id":     identityID,
+					"traits": traits,
+				},
+			}), nil
+
+		case r.URL.Host == "kratos.test" &&
+			r.URL.Path == "/admin/identities/"+identityID &&
+			r.Method == http.MethodPut:
+			var payload struct {
+				Traits map[string]interface{} `json:"traits"`
+			}
+			if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+				return httpResponse(r, http.StatusBadRequest, `{"error":"invalid body"}`), nil
+			}
+			for k, v := range payload.Traits {
+				traits[k] = v
+			}
+			return httpResponse(r, http.StatusOK, `{"ok":true}`), nil
+		}
+
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+	setDefaultHTTPClientForTest(t, transport)
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	t.Setenv("KRATOS_ADMIN_URL", "http://kratos.test")
+
+	redis := &mockRedisRepo{data: map[string]string{
+		"verify_update_phone:" + identityID + ":+821087654321": "verified",
+	}}
+	userRepo := &recordingUpdateMeUserRepo{}
+	h := &AuthHandler{
+		RedisService: redis,
+		UserRepo:     userRepo,
+	}
+	app := fiber.New()
+	app.Put("/api/v1/user/me", h.UpdateMe)
+
+	updateBody, _ := json.Marshal(map[string]interface{}{
+		"name":       "New Name",
+		"phone":      "01087654321",
+		"department": "New Dept",
+	})
+	updateReq := httptest.NewRequest(
+		http.MethodPut,
+		"/api/v1/user/me",
+		bytes.NewReader(updateBody),
+	)
+	updateReq.Header.Set("Content-Type", "application/json")
+	updateReq.Header.Set("Authorization", "Bearer "+token)
+	updateResp, err := app.Test(updateReq, -1)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, updateResp.StatusCode)
+
+	require.NotNil(t, userRepo.updated)
+	require.Equal(t, identityID, userRepo.updated.ID)
+	require.Equal(t, "sync@example.com", userRepo.updated.Email)
+	require.Equal(t, "New Name", userRepo.updated.Name)
+	require.Equal(t, "+821087654321", userRepo.updated.Phone)
+	require.Equal(t, "New Dept", userRepo.updated.Department)
+	require.Equal(t, "saman", userRepo.updated.CompanyCode)
+	require.NotNil(t, userRepo.updated.TenantID)
+	require.Equal(t, "11111111-1111-1111-1111-111111111111", *userRepo.updated.TenantID)
+}
--- a/backend/internal/handler/tenant_handler.go
+++ b/backend/internal/handler/tenant_handler.go
@@ -20,14 +20,15 @@ import (
 )

 type TenantHandler struct {
-	DB          *gorm.DB
-	Service     service.TenantService
-	UserRepo    repository.UserRepository
-	Keto        service.KetoService
-	KetoOutbox  repository.KetoOutboxRepository
-	KratosAdmin service.KratosAdminService
-	SharedLink  service.SharedLinkService
-	Worksmobile service.WorksmobileSyncer
+	DB                 *gorm.DB
+	Service            service.TenantService
+	UserRepo           repository.UserRepository
+	UserProjectionRepo repository.UserProjectionRepository
+	Keto               service.KetoService
+	KetoOutbox         repository.KetoOutboxRepository
+	KratosAdmin        service.KratosAdminService
+	SharedLink         service.SharedLinkService
+	Worksmobile        service.WorksmobileSyncer
 }

 func seedTenantDeleteError(c *fiber.Ctx) error {
@@ -47,15 +48,16 @@ func seedTenantSlugsForDeleteGuard() []string {
 	return result
 }

-func NewTenantHandler(db *gorm.DB, svc service.TenantService, userRepo repository.UserRepository, keto service.KetoService, outbox repository.KetoOutboxRepository, kratos service.KratosAdminService, sharedLink service.SharedLinkService) *TenantHandler {
+func NewTenantHandler(db *gorm.DB, svc service.TenantService, userRepo repository.UserRepository, userProjectionRepo repository.UserProjectionRepository, keto service.KetoService, outbox repository.KetoOutboxRepository, kratos service.KratosAdminService, sharedLink service.SharedLinkService) *TenantHandler {
 	return &TenantHandler{
-		DB:          db,
-		Service:     svc,
-		UserRepo:    userRepo,
-		Keto:        keto,
-		KetoOutbox:  outbox,
-		KratosAdmin: kratos,
-		SharedLink:  sharedLink,
+		DB:                 db,
+		Service:            svc,
+		UserRepo:           userRepo,
+		UserProjectionRepo: userProjectionRepo,
+		Keto:               keto,
+		KetoOutbox:         outbox,
+		KratosAdmin:        kratos,
+		SharedLink:         sharedLink,
 	}
 }

@@ -251,31 +253,15 @@ func (h *TenantHandler) ListTenants(c *fiber.Ctx) error {
 		}
 	}

-	// Fetch member counts for all tenants in one query using IDs
-	tenantIDs := make([]string, 0, len(tenants))
-	slugs := make([]string, 0, len(tenants))
-	for _, t := range tenants {
-		tenantIDs = append(tenantIDs, t.ID)
-		slugs = append(slugs, t.Slug)
+	memberCounts, err := h.countTenantMembersFromProjection(c.Context(), tenants)
+	if err != nil {
+		return errorJSON(c, fiber.StatusServiceUnavailable, err.Error())
 	}

-	idCounts, _ := h.UserRepo.CountByTenantIDs(c.Context(), tenantIDs)
-	slugCounts, _ := h.UserRepo.CountByCompanyCodes(c.Context(), slugs)
-
 	items := make([]tenantSummary, 0, len(tenants))
 	for _, t := range tenants {
 		summary := mapTenantSummary(t)
-
-		// Combine counts from both ID and Slug (Max to avoid double counting if some have one or the other)
-		idCount := idCounts[t.ID]
-		slugCount := slugCounts[strings.ToLower(t.Slug)]
-
-		if idCount > slugCount {
-			summary.MemberCount = idCount
-		} else {
-			summary.MemberCount = slugCount
-		}
-
+		summary.MemberCount = memberCounts[t.ID]
 		items = append(items, summary)
 	}

@@ -939,19 +925,13 @@ func (h *TenantHandler) GetTenant(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}

-	idCounts, _ := h.UserRepo.CountByTenantIDs(c.Context(), []string{tenant.ID})
-	slugCounts, _ := h.UserRepo.CountByCompanyCodes(c.Context(), []string{tenant.Slug})
-
-	idCount := idCounts[tenant.ID]
-	slugCount := slugCounts[strings.ToLower(tenant.Slug)]
-
-	count := idCount
-	if slugCount > idCount {
-		count = slugCount
+	memberCounts, err := h.countTenantMembersFromProjection(c.Context(), []domain.Tenant{tenant})
+	if err != nil {
+		return errorJSON(c, fiber.StatusServiceUnavailable, err.Error())
 	}

 	summary := mapTenantSummary(tenant)
-	summary.MemberCount = count
+	summary.MemberCount = memberCounts[tenant.ID]

 	return c.JSON(summary)
 }
@@ -1595,6 +1575,27 @@ func mapTenantSummary(t domain.Tenant) tenantSummary {
 	}
 }

+func (h *TenantHandler) countTenantMembersFromProjection(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error) {
+	counts := make(map[string]int64, len(tenants))
+	for _, tenant := range tenants {
+		counts[tenant.ID] = 0
+	}
+	if len(tenants) == 0 {
+		return counts, nil
+	}
+	if h.UserProjectionRepo == nil {
+		return nil, errors.New("user projection is not configured")
+	}
+	ready, err := h.UserProjectionRepo.IsReady(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("user projection status unavailable: %w", err)
+	}
+	if !ready {
+		return nil, errors.New("user projection is not ready")
+	}
+	return h.UserProjectionRepo.CountTenantMembers(ctx, tenants)
+}
+
 func normalizeTenantStatus(value string) string {
 	value = strings.ToLower(strings.TrimSpace(value))
 	if value == "" {
--- a/backend/internal/handler/tenant_handler_test.go
+++ b/backend/internal/handler/tenant_handler_test.go
@@ -6,6 +6,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"io"
 	"mime/multipart"
 	"net/http"
@@ -16,6 +17,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
 )

@@ -101,11 +103,15 @@ func (m *MockTenantService) ProvisionTenantByDomain(ctx context.Context, domainN

 type MockUserRepoForHandler struct {
 	mock.Mock
+	deletedIDs []string
 }

 func (m *MockUserRepoForHandler) Create(ctx context.Context, user *domain.User) error { return nil }
 func (m *MockUserRepoForHandler) Update(ctx context.Context, user *domain.User) error { return nil }
-func (m *MockUserRepoForHandler) Delete(ctx context.Context, id string) error         { return nil }
+func (m *MockUserRepoForHandler) Delete(ctx context.Context, id string) error {
+	m.deletedIDs = append(m.deletedIDs, id)
+	return nil
+}
 func (m *MockUserRepoForHandler) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
 	return nil, nil
 }
@@ -174,6 +180,38 @@ func (m *MockUserRepoForHandler) FindTenantIDByLoginID(ctx context.Context, logi
 	return "", nil
 }

+type MockUserProjectionRepoForHandler struct {
+	mock.Mock
+}
+
+func (m *MockUserProjectionRepoForHandler) IsReady(ctx context.Context) (bool, error) {
+	args := m.Called(ctx)
+	return args.Bool(0), args.Error(1)
+}
+
+func (m *MockUserProjectionRepoForHandler) GetStatus(ctx context.Context) (domain.UserProjectionStatus, error) {
+	args := m.Called(ctx)
+	return args.Get(0).(domain.UserProjectionStatus), args.Error(1)
+}
+
+func (m *MockUserProjectionRepoForHandler) CountTenantMembers(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error) {
+	args := m.Called(ctx, tenants)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(map[string]int64), args.Error(1)
+}
+
+func (m *MockUserProjectionRepoForHandler) ReplaceAllFromKratos(ctx context.Context, users []domain.User) error {
+	args := m.Called(ctx, users)
+	return args.Error(0)
+}
+
+func (m *MockUserProjectionRepoForHandler) MarkFailed(ctx context.Context, syncErr error) error {
+	args := m.Called(ctx, syncErr)
+	return args.Error(0)
+}
+
 func TestTenantHandler_CreateTenant(t *testing.T) {
 	app := fiber.New()
 	mockSvc := new(MockTenantService)
@@ -202,14 +240,84 @@ func TestTenantHandler_CreateTenant(t *testing.T) {
 	assert.Equal(t, "t1", got["id"])
 }

+func TestTenantHandler_ListTenantsUsesReadyUserProjectionCountsWithoutKratos(t *testing.T) {
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	h := &TenantHandler{
+		Service:            mockSvc,
+		UserProjectionRepo: mockProjection,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: "super_admin",
+		})
+		return c.Next()
+	})
+	app.Get("/tenants", h.ListTenants)
+
+	tenants := []domain.Tenant{
+		{ID: "00000000-0000-0000-0000-000000000001", Name: "Saman", Slug: "saman"},
+	}
+	mockSvc.On("ListTenants", mock.Anything, 10, 0, "").Return(tenants, int64(1), nil).Once()
+	mockProjection.On("IsReady", mock.Anything).Return(true, nil).Once()
+	mockProjection.On("CountTenantMembers", mock.Anything, tenants).
+		Return(map[string]int64{"00000000-0000-0000-0000-000000000001": 2}, nil).Once()
+
+	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
+	resp, _ := app.Test(req)
+
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var res tenantListResponse
+	json.NewDecoder(resp.Body).Decode(&res)
+
+	require.Len(t, res.Items, 1)
+	assert.Equal(t, int64(2), res.Items[0].MemberCount)
+	mockProjection.AssertExpectations(t)
+}
+
+func TestTenantHandler_ListTenantsRejectsStatsWhenUserProjectionIsNotReady(t *testing.T) {
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	h := &TenantHandler{
+		Service:            mockSvc,
+		UserProjectionRepo: mockProjection,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: "super_admin",
+		})
+		return c.Next()
+	})
+	app.Get("/tenants", h.ListTenants)
+
+	tenants := []domain.Tenant{
+		{ID: "00000000-0000-0000-0000-000000000001", Name: "Saman", Slug: "saman"},
+	}
+	mockSvc.On("ListTenants", mock.Anything, 10, 0, "").Return(tenants, int64(1), nil).Once()
+	mockProjection.On("IsReady", mock.Anything).Return(false, nil).Once()
+
+	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
+	resp, _ := app.Test(req)
+
+	assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
+	mockProjection.AssertNotCalled(t, "CountTenantMembers", mock.Anything, mock.Anything)
+}
+
 func TestTenantHandler_ListTenants(t *testing.T) {
 	app := fiber.New()
 	mockSvc := new(MockTenantService)
-	mockUserRepo := new(MockUserRepoForHandler)
+	mockProjection := new(MockUserProjectionRepoForHandler)

 	h := &TenantHandler{
-		Service:  mockSvc,
-		UserRepo: mockUserRepo,
+		Service:            mockSvc,
+		UserProjectionRepo: mockProjection,
 	}

 	app.Use(func(c *fiber.Ctx) error {
@@ -226,11 +334,9 @@ func TestTenantHandler_ListTenants(t *testing.T) {

 	// Mocking for the new allTenants check in ListTenants
 	mockSvc.On("ListTenants", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(tenants, int64(2), nil).Maybe()
-
-	mockUserRepo.On("CountByCompanyCodes", mock.Anything, mock.Anything).
-		Return(map[string]int64{"slug-a": 5, "slug-b": 10}, nil).Maybe()
-	mockUserRepo.On("CountByTenantIDs", mock.Anything, mock.Anything).
-		Return(map[string]int64{}, nil).Maybe()
+	mockProjection.On("IsReady", mock.Anything).Return(true, nil).Once()
+	mockProjection.On("CountTenantMembers", mock.Anything, tenants).
+		Return(map[string]int64{"t1": 5, "t2": 10}, nil).Once()

 	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
 	resp, _ := app.Test(req)
@@ -253,6 +359,84 @@ func TestTenantHandler_ListTenants(t *testing.T) {
 	}
 }

+func TestTenantHandler_ListTenantsReturnsServiceUnavailableWhenProjectionStatusFails(t *testing.T) {
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	h := &TenantHandler{
+		Service:            mockSvc,
+		UserProjectionRepo: mockProjection,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: "super_admin",
+		})
+		return c.Next()
+	})
+	app.Get("/tenants", h.ListTenants)
+
+	tenants := []domain.Tenant{
+		{ID: "t1", Name: "Tenant A", Slug: "slug-a"},
+	}
+	mockSvc.On("ListTenants", mock.Anything, 10, 0, "").Return(tenants, int64(1), nil).Once()
+	mockProjection.On("IsReady", mock.Anything).Return(false, errors.New("projection state query failed")).Once()
+
+	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
+	resp, _ := app.Test(req)
+
+	assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
+	mockProjection.AssertExpectations(t)
+}
+
+func TestTenantHandler_ListTenantsUsesProjectionCountsWhenAvailable(t *testing.T) {
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockUserRepo := new(MockUserRepoForHandler)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	h := &TenantHandler{
+		Service:            mockSvc,
+		UserRepo:           mockUserRepo,
+		UserProjectionRepo: mockProjection,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: "super_admin",
+		})
+		return c.Next()
+	})
+	app.Get("/tenants", h.ListTenants)
+
+	tenants := []domain.Tenant{
+		{ID: "00000000-0000-0000-0000-000000000001", Name: "Saman", Slug: "saman"},
+	}
+
+	mockSvc.On("ListTenants", mock.Anything, 10, 0, "").Return(tenants, int64(1), nil).Once()
+	mockProjection.On("IsReady", mock.Anything).Return(true, nil).Once()
+	mockProjection.On("CountTenantMembers", mock.Anything, tenants).
+		Return(map[string]int64{"00000000-0000-0000-0000-000000000001": 2}, nil).Once()
+
+	mockUserRepo.On("CountByCompanyCodes", mock.Anything, []string{"saman"}).
+		Return(map[string]int64{"saman": 152}, nil).Maybe()
+	mockUserRepo.On("CountByTenantIDs", mock.Anything, []string{"00000000-0000-0000-0000-000000000001"}).
+		Return(map[string]int64{"00000000-0000-0000-0000-000000000001": 152}, nil).Maybe()
+
+	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
+	resp, _ := app.Test(req)
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var res tenantListResponse
+	json.NewDecoder(resp.Body).Decode(&res)
+
+	assert.Len(t, res.Items, 1)
+	assert.Equal(t, int64(2), res.Items[0].MemberCount)
+	mockProjection.AssertExpectations(t)
+}
+
 func TestTenantHandler_ExportTenantsCSV(t *testing.T) {
 	app := fiber.New()
 	mockSvc := new(MockTenantService)
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -28,15 +28,16 @@ type OryProviderAPI interface {
 }

 type UserHandler struct {
-	KratosAdmin    service.KratosAdminService
-	OryProvider    OryProviderAPI
-	TenantService  service.TenantService
-	KetoService    service.KetoService
-	KetoOutboxRepo repository.KetoOutboxRepository
-	UserRepo       repository.UserRepository
-	UserGroupRepo  repository.UserGroupRepository
-	AuditRepo      domain.AuditRepository
-	Worksmobile    service.WorksmobileSyncer
+	KratosAdmin        service.KratosAdminService
+	OryProvider        OryProviderAPI
+	TenantService      service.TenantService
+	KetoService        service.KetoService
+	KetoOutboxRepo     repository.KetoOutboxRepository
+	UserRepo           repository.UserRepository
+	UserProjectionRepo repository.UserProjectionRepository
+	UserGroupRepo      repository.UserGroupRepository
+	AuditRepo          domain.AuditRepository
+	Worksmobile        service.WorksmobileSyncer
 }

 func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository, auditRepo domain.AuditRepository) *UserHandler {
@@ -265,7 +266,10 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
 		}
 	}

-	// 1. Try Kratos First
+	if h.KratosAdmin == nil {
+		return errorJSON(c, fiber.StatusServiceUnavailable, "identity provider not available")
+	}
+
 	identities, err := h.KratosAdmin.ListIdentities(c.Context())
 	if err == nil {
 		filtered := make([]service.KratosIdentity, 0, len(identities))
@@ -363,46 +367,8 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
 		return c.JSON(userListResponse{Items: items, Limit: limit, Offset: offset, Total: total})
 	}

-	// 2. Fallback to Local DB if Kratos is down
-	slog.Warn("Kratos unavailable, falling back to local DB for user list", "error", err)
-
-	// If requester is not Super Admin, we should technically filter by manageable slugs in DB too.
-	// For simplicity in fallback, if tenantSlug is empty we default to their primary company code.
-	if (requesterRole == domain.RoleTenantAdmin || requesterRole == domain.RoleUser || requesterRole == domain.RoleRPAdmin) && tenantSlug == "" {
-		profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
-		if profile != nil && profile.CompanyCode != "" {
-			tenantSlug = profile.CompanyCode
-		}
-	}
-
-	// Fetch from UserRepo
-	users, total, err := h.UserRepo.List(c.Context(), offset, limit, search, tenantSlug)
-	if err != nil {
-		return errorJSON(c, fiber.StatusInternalServerError, "failed to fetch users from both kratos and local db")
-	}
-
-	items := make([]userSummary, 0, len(users))
-	for _, u := range users {
-		items = append(items, userSummary{
-			ID:          u.ID,
-			Email:       u.Email,
-			Name:        u.Name,
-			Phone:       u.Phone,
-			Role:        u.Role,
-			Status:      u.Status,
-			CompanyCode: u.CompanyCode,
-			Department:  u.Department,
-			CreatedAt:   u.CreatedAt.Format(time.RFC3339),
-			UpdatedAt:   u.UpdatedAt.Format(time.RFC3339),
-		})
-	}
-
-	return c.JSON(userListResponse{
-		Items:  items,
-		Total:  total,
-		Limit:  limit,
-		Offset: offset,
-	})
+	slog.Warn("Kratos unavailable for user list", "error", err)
+	return errorJSON(c, fiber.StatusServiceUnavailable, "identity provider unavailable")
 }

 func (h *UserHandler) GetUser(c *fiber.Ctx) error {
@@ -632,6 +598,7 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 		// Sync to local DB (Synchronous for immediate consistency)
 		if err := h.UserRepo.Update(c.Context(), localUser); err != nil {
 			slog.Error("[UserHandler] Failed to sync new user to local DB", "email", localUser.Email, "error", err)
+			markUserProjectionFailed(c.Context(), h.UserProjectionRepo, err)
 		}
 		if h.Worksmobile != nil {
 			if err := h.Worksmobile.EnqueueUserUpsertIfInScope(c.Context(), *localUser); err != nil {
@@ -645,6 +612,7 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 		}
 		if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
 			slog.Error("[UserHandler] Failed to update user login IDs", "userID", localUser.ID, "error", err)
+			markUserProjectionFailed(c.Context(), h.UserProjectionRepo, err)
 		}

 		// [Keto] Sync relations via Outbox (Synchronous for accurate counting)
@@ -938,6 +906,7 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {

 			if err := h.UserRepo.Update(c.Context(), localUser); err != nil {
 				slog.Error("Failed to sync bulk user to local DB", "email", email, "error", err)
+				markUserProjectionFailed(c.Context(), h.UserProjectionRepo, err)
 			}
 			if h.Worksmobile != nil {
 				if err := h.Worksmobile.EnqueueUserUpsertIfInScope(c.Context(), *localUser); err != nil {
@@ -951,6 +920,7 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
 			}
 			if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
 				slog.Error("Failed to update user login IDs in bulk", "userID", localUser.ID, "error", err)
+				markUserProjectionFailed(c.Context(), h.UserProjectionRepo, err)
 			}

 			if h.KetoOutboxRepo != nil {
@@ -1769,6 +1739,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 		ctx := context.Background() // Use request context if appropriate, but sync must finish
 		if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
 			slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
+			markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
 		}
 		if h.Worksmobile != nil {
 			if err := h.Worksmobile.EnqueueUserUpsertIfInScope(ctx, *updatedLocalUser); err != nil {
@@ -1779,6 +1750,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 		// Update User Login IDs in local DB
 		if err := h.UserRepo.UpdateUserLoginIDs(ctx, updatedLocalUser.ID, loginIDRecords); err != nil {
 			slog.Error("[UserHandler] Failed to update user login IDs", "userID", updatedLocalUser.ID, "error", err)
+			markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
 		}

 		// [Keto Sync] asynchronously as it's less critical for immediate UI count
@@ -1927,6 +1899,13 @@ func (h *UserHandler) DeleteUser(c *fiber.Ctx) error {
 		// Additional cleanup for tenants could be added here if we keep track of user's current tenants
 	}

+	if h.UserRepo != nil {
+		if err := h.UserRepo.Delete(context.Background(), userID); err != nil {
+			slog.Error("[UserHandler] Failed to delete local user read-model", "userID", userID, "error", err)
+			markUserProjectionFailed(context.Background(), h.UserProjectionRepo, err)
+		}
+	}
+
 	return c.SendStatus(fiber.StatusNoContent)
 }

--- a/backend/internal/handler/user_handler_test.go
+++ b/backend/internal/handler/user_handler_test.go
@@ -430,6 +430,35 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
 	})
 }

+func TestUserHandler_ListUsersReturnsServiceUnavailableWhenKratosFails(t *testing.T) {
+	app := fiber.New()
+	mockKratos := new(MockKratosAdmin)
+	mockRepo := new(MockUserRepoForHandler)
+
+	h := &UserHandler{
+		KratosAdmin: mockKratos,
+		UserRepo:    mockRepo,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: domain.RoleSuperAdmin,
+		})
+		return c.Next()
+	})
+	app.Get("/users", h.ListUsers)
+
+	mockKratos.On("ListIdentities", mock.Anything).Return([]service.KratosIdentity{}, errors.New("kratos down")).Once()
+
+	req := httptest.NewRequest("GET", "/users?limit=10&offset=0", nil)
+	resp, err := app.Test(req)
+
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
+	mockRepo.AssertNotCalled(t, "List", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything)
+	mockKratos.AssertExpectations(t)
+}
+
 func TestUserHandler_BulkCreateUsers_HanmacEmailPolicy(t *testing.T) {
 	app := fiber.New()
 	mockKratos := new(MockKratosAdmin)
@@ -672,6 +701,27 @@ func TestUserHandler_BulkDeleteUsers(t *testing.T) {
 	})
 }

+func TestUserHandler_DeleteUserDeletesLocalReadModel(t *testing.T) {
+	app := fiber.New()
+	mockKratos := new(MockKratosAdmin)
+	userRepo := new(MockUserRepoForHandler)
+	h := &UserHandler{KratosAdmin: mockKratos, UserRepo: userRepo}
+
+	app.Delete("/users/:id", func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "admin-1", Role: domain.RoleSuperAdmin})
+		return h.DeleteUser(c)
+	})
+
+	mockKratos.On("DeleteIdentity", mock.Anything, "u-1").Return(nil).Once()
+
+	req := httptest.NewRequest(http.MethodDelete, "/users/u-1", nil)
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusNoContent, resp.StatusCode)
+	assert.Equal(t, []string{"u-1"}, userRepo.deletedIDs)
+	mockKratos.AssertExpectations(t)
+}
+
 func TestUserHandler_UpdateUser_AdminOnlyField(t *testing.T) {
 	app := fiber.New()
 	mockKratos := new(MockKratosAdmin)
--- a/backend/internal/handler/user_projection_failure.go
+++ b/backend/internal/handler/user_projection_failure.go
@@ -0,0 +1,16 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/repository"
+	"context"
+	"log/slog"
+)
+
+func markUserProjectionFailed(ctx context.Context, repo repository.UserProjectionRepository, syncErr error) {
+	if repo == nil || syncErr == nil {
+		return
+	}
+	if err := repo.MarkFailed(ctx, syncErr); err != nil {
+		slog.Error("Failed to mark user projection as failed", "syncError", syncErr, "error", err)
+	}
+}