feat: improve Worksmobile tenant sync handling

backend/internal/repository/main_test.go

@@ -63,7 +63,7 @@ func TestMain(m *testing.M) {
 	}
 
 	// Auto-migrate
-	err = db.AutoMigrate(&domain.Tenant{}, &domain.TenantDomain{}, &domain.User{}, &domain.UserLoginID{}, &domain.UserProjectionState{}, &domain.ClientConsent{}, &domain.RPUserMetadata{}, &domain.RPUsageEvent{}, &domain.KetoOutbox{})
+	err = db.AutoMigrate(&domain.Tenant{}, &domain.TenantDomain{}, &domain.User{}, &domain.UserLoginID{}, &domain.UserProjectionState{}, &domain.ClientConsent{}, &domain.RPUserMetadata{}, &domain.RPUsageEvent{}, &domain.KetoOutbox{}, &domain.WorksmobileOutbox{})
 	if err != nil {
 		log.Fatalf("failed to migrate database: %s", err)
 	}

backend/internal/repository/worksmobile_outbox_repository.go

@@ -14,10 +14,11 @@ type WorksmobileOutboxRepository interface {
 	ListRecent(ctx context.Context, limit int) ([]domain.WorksmobileOutbox, error)
 	ListCredentialBatchJobs(ctx context.Context, tenantRootID, credentialBatchID string) ([]domain.WorksmobileOutbox, error)
 	UpdatePayload(ctx context.Context, id string, payload domain.JSONMap) error
+	DeletePendingByTenantRoot(ctx context.Context, tenantRootID string) (int64, error)
 	ListReady(ctx context.Context, limit int) ([]domain.WorksmobileOutbox, error)
 	FindByID(ctx context.Context, id string) (*domain.WorksmobileOutbox, error)
 	MarkRetry(ctx context.Context, id string) error
-	MarkProcessing(ctx context.Context, id string) error
+	MarkProcessing(ctx context.Context, id string) (bool, error)
 	MarkProcessed(ctx context.Context, id string) error
 	MarkFailed(ctx context.Context, id string, message string, nextAttemptAt time.Time) error
 }
@@ -76,16 +77,88 @@ func (r *worksmobileOutboxRepository) UpdatePayload(ctx context.Context, id stri
 	}).Error
 }
 
+func (r *worksmobileOutboxRepository) DeletePendingByTenantRoot(ctx context.Context, tenantRootID string) (int64, error) {
+	result := r.db.WithContext(ctx).
+		Where("status = ? AND payload ->> 'tenantRootId' = ?", domain.WorksmobileOutboxStatusPending, tenantRootID).
+		Delete(&domain.WorksmobileOutbox{})
+	return result.RowsAffected, result.Error
+}
+
 func (r *worksmobileOutboxRepository) ListReady(ctx context.Context, limit int) ([]domain.WorksmobileOutbox, error) {
 	if limit <= 0 || limit > 100 {
 		limit = 20
 	}
 	var rows []domain.WorksmobileOutbox
-	err := r.db.WithContext(ctx).
-		Where("status = ? AND (next_attempt_at IS NULL OR next_attempt_at <= ?)", domain.WorksmobileOutboxStatusPending, time.Now()).
-		Order("created_at asc").
-		Limit(limit).
-		Find(&rows).Error
+	err := r.db.WithContext(ctx).Raw(`
+WITH RECURSIVE candidates AS (
+	SELECT
+		*,
+		NULLIF(payload #>> '{request,orgUnitExternalKey}', '') AS org_external_key,
+		CASE
+			WHEN payload #>> '{request,parentOrgUnitId}' LIKE 'externalKey:%'
+			THEN NULLIF(substr(payload #>> '{request,parentOrgUnitId}', length('externalKey:') + 1), '')
+			ELSE ''
+		END AS parent_external_key
+	FROM worksmobile_outboxes
+	WHERE status = ? AND (next_attempt_at IS NULL OR next_attempt_at <= ?)
+),
+ready AS (
+	SELECT candidates.*
+	FROM candidates
+	WHERE NOT (
+		candidates.resource_type = ?
+		AND candidates.action = ?
+		AND candidates.parent_external_key <> ''
+		AND EXISTS (
+			SELECT 1
+			FROM worksmobile_outboxes parent_job
+			WHERE parent_job.resource_type = ?
+			  AND parent_job.action = ?
+			  AND parent_job.status <> ?
+			  AND NULLIF(parent_job.payload #>> '{request,orgUnitExternalKey}', '') = candidates.parent_external_key
+		)
+	)
+),
+org_depth AS (
+	SELECT id, org_external_key, parent_external_key, 0 AS depth
+	FROM ready
+	UNION ALL
+	SELECT child.id, child.org_external_key, child.parent_external_key, parent.depth + 1
+	FROM ready child
+	JOIN org_depth parent ON child.parent_external_key = parent.org_external_key
+	WHERE child.resource_type = ? AND child.action = ? AND parent.depth < 64
+)
+SELECT ready.*
+FROM ready
+LEFT JOIN LATERAL (
+	SELECT max(depth) AS dependency_depth
+	FROM org_depth
+	WHERE org_depth.id = ready.id
+) AS depth_rank ON true
+ORDER BY
+	CASE
+		WHEN ready.resource_type = ? AND ready.action = ? THEN 0
+		WHEN ready.resource_type = ? THEN 1
+		ELSE 2
+	END ASC,
+	COALESCE(depth_rank.dependency_depth, 0) ASC,
+	ready.created_at ASC
+LIMIT ?
+`,
+		domain.WorksmobileOutboxStatusPending,
+		time.Now(),
+		domain.WorksmobileResourceOrgUnit,
+		domain.WorksmobileActionUpsert,
+		domain.WorksmobileResourceOrgUnit,
+		domain.WorksmobileActionUpsert,
+		domain.WorksmobileOutboxStatusProcessed,
+		domain.WorksmobileResourceOrgUnit,
+		domain.WorksmobileActionUpsert,
+		domain.WorksmobileResourceOrgUnit,
+		domain.WorksmobileActionUpsert,
+		domain.WorksmobileResourceUser,
+		limit,
+	).Scan(&rows).Error
 	return rows, err
 }
 
@@ -106,11 +179,12 @@ func (r *worksmobileOutboxRepository) MarkRetry(ctx context.Context, id string)
 	}).Error
 }
 
-func (r *worksmobileOutboxRepository) MarkProcessing(ctx context.Context, id string) error {
-	return r.db.WithContext(ctx).Model(&domain.WorksmobileOutbox{}).Where("id = ? AND status = ?", id, domain.WorksmobileOutboxStatusPending).Updates(map[string]any{
+func (r *worksmobileOutboxRepository) MarkProcessing(ctx context.Context, id string) (bool, error) {
+	result := r.db.WithContext(ctx).Model(&domain.WorksmobileOutbox{}).Where("id = ? AND status = ?", id, domain.WorksmobileOutboxStatusPending).Updates(map[string]any{
 		"status":     domain.WorksmobileOutboxStatusProcessing,
 		"updated_at": time.Now(),
-	}).Error
+	})
+	return result.RowsAffected > 0, result.Error
 }
 
 func (r *worksmobileOutboxRepository) MarkProcessed(ctx context.Context, id string) error {

backend/internal/repository/worksmobile_outbox_repository_test.go

@@ -0,0 +1,125 @@
+package repository
+
+import (
+	"baron-sso-backend/internal/domain"
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestWorksmobileOutboxRepositoryDeletePendingByTenantRoot(t *testing.T) {
+	repo := NewWorksmobileOutboxRepository(testDB)
+	ctx := context.Background()
+
+	require.NoError(t, testDB.Exec("DELETE FROM worksmobile_outboxes").Error)
+
+	rows := []domain.WorksmobileOutbox{
+		{
+			ID:           "00000000-0000-0000-0000-000000000101",
+			ResourceType: domain.WorksmobileResourceUser,
+			ResourceID:   "user-pending",
+			Action:       domain.WorksmobileActionUpsert,
+			Status:       domain.WorksmobileOutboxStatusPending,
+			DedupeKey:    "pending-root",
+			Payload:      domain.JSONMap{"tenantRootId": "root-1"},
+		},
+		{
+			ID:           "00000000-0000-0000-0000-000000000102",
+			ResourceType: domain.WorksmobileResourceUser,
+			ResourceID:   "user-other-root",
+			Action:       domain.WorksmobileActionUpsert,
+			Status:       domain.WorksmobileOutboxStatusPending,
+			DedupeKey:    "pending-other-root",
+			Payload:      domain.JSONMap{"tenantRootId": "root-2"},
+		},
+		{
+			ID:           "00000000-0000-0000-0000-000000000103",
+			ResourceType: domain.WorksmobileResourceUser,
+			ResourceID:   "user-failed",
+			Action:       domain.WorksmobileActionUpsert,
+			Status:       domain.WorksmobileOutboxStatusFailed,
+			DedupeKey:    "failed-root",
+			Payload:      domain.JSONMap{"tenantRootId": "root-1"},
+		},
+		{
+			ID:           "00000000-0000-0000-0000-000000000104",
+			ResourceType: domain.WorksmobileResourceOrgUnit,
+			ResourceID:   "org-processed",
+			Action:       domain.WorksmobileActionUpsert,
+			Status:       domain.WorksmobileOutboxStatusProcessed,
+			DedupeKey:    "processed-root",
+			Payload:      domain.JSONMap{"tenantRootId": "root-1"},
+		},
+	}
+	for i := range rows {
+		require.NoError(t, repo.Create(ctx, &rows[i]))
+	}
+
+	deleted, err := repo.DeletePendingByTenantRoot(ctx, "root-1")
+
+	require.NoError(t, err)
+	require.Equal(t, int64(1), deleted)
+	var remaining []domain.WorksmobileOutbox
+	require.NoError(t, testDB.Order("id asc").Find(&remaining).Error)
+	require.Len(t, remaining, 3)
+	require.Equal(t, "00000000-0000-0000-0000-000000000102", remaining[0].ID)
+	require.Equal(t, "00000000-0000-0000-0000-000000000103", remaining[1].ID)
+	require.Equal(t, "00000000-0000-0000-0000-000000000104", remaining[2].ID)
+}
+
+func TestWorksmobileOutboxRepositoryListReadyWaitsForPendingOrgUnitParent(t *testing.T) {
+	repo := NewWorksmobileOutboxRepository(testDB)
+	ctx := context.Background()
+
+	require.NoError(t, testDB.Exec("DELETE FROM worksmobile_outboxes").Error)
+
+	baseTime := time.Date(2026, 6, 2, 15, 21, 0, 0, time.UTC)
+	child := domain.WorksmobileOutbox{
+		ID:           "00000000-0000-0000-0000-000000000201",
+		ResourceType: domain.WorksmobileResourceOrgUnit,
+		ResourceID:   "child-tenant",
+		Action:       domain.WorksmobileActionUpsert,
+		Status:       domain.WorksmobileOutboxStatusPending,
+		DedupeKey:    "orgunit:upsert:child-tenant",
+		Payload: domain.JSONMap{
+			"request": map[string]any{
+				"orgUnitExternalKey": "child-tenant",
+				"parentOrgUnitId":    "externalKey:parent-tenant",
+			},
+		},
+		CreatedAt: baseTime,
+		UpdatedAt: baseTime,
+	}
+	parent := domain.WorksmobileOutbox{
+		ID:           "00000000-0000-0000-0000-000000000202",
+		ResourceType: domain.WorksmobileResourceOrgUnit,
+		ResourceID:   "parent-tenant",
+		Action:       domain.WorksmobileActionUpsert,
+		Status:       domain.WorksmobileOutboxStatusPending,
+		DedupeKey:    "orgunit:upsert:parent-tenant",
+		Payload: domain.JSONMap{
+			"request": map[string]any{
+				"orgUnitExternalKey": "parent-tenant",
+			},
+		},
+		CreatedAt: baseTime.Add(time.Second),
+		UpdatedAt: baseTime.Add(time.Second),
+	}
+	require.NoError(t, testDB.Create(&child).Error)
+	require.NoError(t, testDB.Create(&parent).Error)
+
+	rows, err := repo.ListReady(ctx, 10)
+
+	require.NoError(t, err)
+	require.Len(t, rows, 1)
+	require.Equal(t, "parent-tenant", rows[0].ResourceID)
+
+	require.NoError(t, repo.MarkProcessed(ctx, parent.ID))
+	rows, err = repo.ListReady(ctx, 10)
+
+	require.NoError(t, err)
+	require.Len(t, rows, 1)
+	require.Equal(t, "child-tenant", rows[0].ResourceID)
+}