fix: ensure member counts are accurate by syncing membership relations in all user management actions

backend/internal/handler/user_handler.go

@@ -374,7 +374,19 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 
 			// [Keto] Sync relations via Outbox
 			if h.KetoOutboxRepo != nil {
+				// 1. Role based relations
 				h.syncKetoRole(ctx, u.ID, role, "", "", tID)
+
+				// 2. Direct membership to the Tenant (for accurate counting)
+				if tID != nil && *tID != "" {
+					_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
+						Namespace: "Tenant",
+						Object:    *tID,
+						Relation:  "members",
+						Subject:   "User:" + u.ID,
+						Action:    domain.KetoOutboxActionCreate,
+					})
+				}
 			}
 		}(localUser, role, localUser.TenantID)
 	}
@@ -528,7 +540,15 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
 			identity, _ := h.KratosAdmin.GetIdentity(c.Context(), identityID)
 			if identity != nil {
 				localUser := h.mapToLocalUser(*identity)
+				
+				// [Fix] Override with current loop data to ensure accuracy
+				localUser.CompanyCode = compCode
+				if tItem.ID != "" {
+					localUser.TenantID = &tItem.ID
+				}
+
 				_ = h.UserRepo.Update(context.Background(), localUser)
+				
 				if h.KetoOutboxRepo != nil {
 					// 1. Sync Role based relationship
 					h.syncKetoRole(context.Background(), localUser.ID, role, "", "", localUser.TenantID)
@@ -792,11 +812,28 @@ func (h *UserHandler) BulkUpdateUsers(c *fiber.Ctx) error {
 		// Sync to local DB
 		if h.UserRepo != nil {
 			localUser := h.mapToLocalUser(*identity)
+			oldRole := extractTraitString(identity.Traits, "grade")
+			oldTenantID := extractTraitString(identity.Traits, "tenant_id")
+
 			if req.Role != nil { localUser.Role = *req.Role }
 			if req.Status != nil { localUser.Status = *req.Status }
 			if req.CompanyCode != nil { localUser.CompanyCode = *req.CompanyCode }
 			if req.Department != nil { localUser.Department = *req.Department }
+			
+			// Resolve TenantID if changing companyCode
+			if req.CompanyCode != nil && h.TenantService != nil {
+				if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), *req.CompanyCode); err == nil && tenant != nil {
+					localUser.TenantID = &tenant.ID
+				}
+			}
+
 			_ = h.UserRepo.Update(c.Context(), localUser)
+
+			// [Keto Sync]
+			if h.KetoOutboxRepo != nil {
+				h.syncKetoRole(c.Context(), localUser.ID, 
+					localUser.Role, oldRole, oldTenantID, localUser.TenantID)
+			}
 		}
 
 		results = append(results, map[string]any{"id": id, "success": true})
@@ -1170,6 +1207,11 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
 }
 
 func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole, oldTenantID string, newTenantID *string) {
+	if h.KetoOutboxRepo == nil {
+		return
+	}
+
+	// 1. Handle Role Changes
 	// Remove old roles
 	if oldRole == domain.RoleSuperAdmin {
 		_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
@@ -1207,6 +1249,35 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
 			Action:    domain.KetoOutboxActionCreate,
 		})
 	}
+
+	// 2. Handle Tenant Membership (for count)
+	newTID := ""
+	if newTenantID != nil {
+		newTID = *newTenantID
+	}
+
+	if oldTenantID != newTID {
+		// Remove from old tenant
+		if oldTenantID != "" {
+			_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
+				Namespace: "Tenant",
+				Object:    oldTenantID,
+				Relation:  "members",
+				Subject:   "User:" + userID,
+				Action:    domain.KetoOutboxActionDelete,
+			})
+		}
+		// Add to new tenant
+		if newTID != "" {
+			_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
+				Namespace: "Tenant",
+				Object:    newTID,
+				Relation:  "members",
+				Subject:   "User:" + userID,
+				Action:    domain.KetoOutboxActionCreate,
+			})
+		}
+	}
 }
 
 func extractTraitString(traits map[string]interface{}, key string) string {