@valentinkolb/cloud 0.4.0 → 0.5.1

package/src/services/index.ts

@@ -1,12 +1,27 @@
+// biome-ignore-all assist/source/organizeImports: Preserve grouped service barrel exports.
 export { ipa } from "./ipa";
 export { accounts } from "./accounts";
 export { accountsAppService } from "./accounts";
 export { providers } from "./providers";
 export { authFlows } from "./auth-flows";
-export { toPgTextArray, toPgUuidArray, escapeLikePattern } from "./postgres";
+export { toPgTextArray, toPgUuidArray, escapeLikePattern, isUniqueViolation } from "./postgres";
 
 export { logger, logging } from "./logging";
 export type { LogEntry } from "./logging";
+export { audit } from "./audit";
+export type { AuditActionGroup, AuditActor, AuditEvent, AuditListFilter, AuditOutcome, AuditRecordParams, AuditTarget } from "./audit";
+
+export {
+  GATEWAY_TELEMETRY_TENANT,
+  buildGatewayRouteSnapshot,
+  gatewayTelemetryTopic,
+  latestGatewayRouteSnapshot,
+  listGatewayRouteSnapshots,
+  publishGatewayRouteSnapshot,
+  publishRequestTelemetry,
+  removeGatewayRouteSnapshot,
+} from "./gateway";
+export type { GatewayRouteSnapshot, GatewayRouteSnapshotInput, GatewayRouteWarning, GatewayTelemetryEvent } from "./gateway";
 
 export { notifications } from "./notifications";
 export type {
@@ -16,8 +31,25 @@ export type {
   SendToUserParams,
   NotificationMessage,
 } from "./notifications";
+export { announcements } from "./announcements";
+export type { AnnouncementsService } from "./announcements";
 
 export { session } from "./session";
+export { serviceAccounts } from "./service-accounts";
+export type { ServiceAccount, ServiceAccountKind, ServiceAccountStatus } from "./service-accounts";
+export { serviceAccountCredentials } from "./service-account-credentials";
+export type {
+  AuthenticatedServiceAccountCredential,
+  ServiceAccountCredential,
+  ServiceAccountCredentialKind,
+  ServiceAccountCredentialOverview,
+  ServiceAccountCredentialOwner,
+  ServiceAccountCredentialStatus,
+} from "./service-account-credentials";
+export { oauthTokens } from "./oauth-tokens";
+export type { AuthenticatedOAuthToken } from "./oauth-tokens";
+export { webauthn } from "./webauthn";
+export type { WebAuthnRp } from "./webauthn";
 
 export { accountLifecycle } from "./account-lifecycle";
 export type { AccountLifecycleService } from "./account-lifecycle";
@@ -32,11 +64,21 @@ export type { SettingDef, SettingKind, SettingOption } from "./settings/defaults
 export { renderTemplate } from "./settings/templates";
 export { settingsService } from "./settings/app";
 export type { SettingsService } from "./settings/app";
+export { decryptSecret, encryptSecret, secrets } from "./secrets";
 
 // Typed async API + cache-aside primitives.
 export { coreSettings, createSettingsAPI } from "./settings/api";
 export type { SettingsAPI } from "./settings/api";
-export { readKey as settingsReadKey, writeKey as settingsWriteKey, deleteKey as settingsDeleteKey, bulkRead as settingsBulkRead, allKnownKeys as settingsAllKnownKeys } from "./settings/store";
+export {
+  readKey as settingsReadKey,
+  writeKey as settingsWriteKey,
+  deleteKey as settingsDeleteKey,
+  bulkRead as settingsBulkRead,
+  allKnownKeys as settingsAllKnownKeys,
+  listLegacyKeys as settingsListLegacyKeys,
+  deleteLegacyKeys as settingsDeleteLegacyKeys,
+} from "./settings/store";
+export type { LegacySettingRow } from "./settings/store";
 export { loadSnapshot as loadSettingsSnapshot } from "./settings/snapshot";
 
 export { weatherService } from "./weather";

package/src/services/ipa/effective-groups.test.ts

@@ -0,0 +1,33 @@
+import { describe, expect, test } from "bun:test";
+import { buildEffectiveIpaGroupsByUid } from "./effective-groups";
+
+describe("buildEffectiveIpaGroupsByUid", () => {
+  test("includes direct and inherited parent groups", () => {
+    const effective = buildEffectiveIpaGroupsByUid([
+      { cn: "base-sync", users: [], groups: ["team"] },
+      { cn: "base-realm", users: [], groups: ["base-sync"] },
+      { cn: "team", users: ["eva"], groups: [] },
+    ]);
+
+    expect(effective.get("eva")).toEqual(["base-realm", "base-sync", "team"]);
+  });
+
+  test("keeps transit groups available even when callers hide them from display", () => {
+    const effective = buildEffectiveIpaGroupsByUid([
+      { cn: "base-realm", users: [], groups: ["excluded-transit"] },
+      { cn: "excluded-transit", users: [], groups: ["team"] },
+      { cn: "team", users: ["eva"], groups: [] },
+    ]);
+
+    expect(effective.get("eva")).toEqual(["base-realm", "excluded-transit", "team"]);
+  });
+
+  test("terminates on cyclic group nesting", () => {
+    const effective = buildEffectiveIpaGroupsByUid([
+      { cn: "a", users: ["eva"], groups: ["b"] },
+      { cn: "b", users: [], groups: ["a"] },
+    ]);
+
+    expect(effective.get("eva")).toEqual(["a", "b"]);
+  });
+});

package/src/services/ipa/effective-groups.ts

@@ -0,0 +1,70 @@
+export type IpaGroupMembership = {
+  cn: string;
+  users: string[];
+  groups: string[];
+};
+
+const sorted = (values: Iterable<string>): string[] => [...values].sort((a, b) => a.localeCompare(b));
+
+/**
+ * Build effective IPA group membership from authoritative group records.
+ * A group contains direct users and child groups; user effective membership is
+ * direct groups plus every parent group reached through group nesting.
+ */
+export const buildEffectiveIpaGroupsByUid = (groups: IpaGroupMembership[]): Map<string, string[]> => {
+  const groupNames = new Set(groups.map((group) => group.cn).filter(Boolean));
+  const childToParents = new Map<string, Set<string>>();
+  const directGroupsByUid = new Map<string, Set<string>>();
+
+  for (const group of groups) {
+    if (!group.cn) continue;
+
+    for (const uid of group.users) {
+      if (!uid) continue;
+      const directGroups = directGroupsByUid.get(uid) ?? new Set<string>();
+      directGroups.add(group.cn);
+      directGroupsByUid.set(uid, directGroups);
+    }
+
+    for (const child of group.groups) {
+      if (!child || !groupNames.has(child)) continue;
+      const parents = childToParents.get(child) ?? new Set<string>();
+      parents.add(group.cn);
+      childToParents.set(child, parents);
+    }
+  }
+
+  const memo = new Map<string, Set<string>>();
+  const resolveGroupClosure = (groupName: string, visiting = new Set<string>()): Set<string> => {
+    const cached = memo.get(groupName);
+    if (cached) return cached;
+
+    const closure = new Set<string>([groupName]);
+    if (visiting.has(groupName)) return closure;
+
+    const nextVisiting = new Set(visiting);
+    nextVisiting.add(groupName);
+
+    for (const parent of childToParents.get(groupName) ?? []) {
+      for (const inherited of resolveGroupClosure(parent, nextVisiting)) {
+        closure.add(inherited);
+      }
+    }
+
+    memo.set(groupName, closure);
+    return closure;
+  };
+
+  const effectiveByUid = new Map<string, string[]>();
+  for (const [uid, directGroups] of directGroupsByUid) {
+    const effective = new Set<string>();
+    for (const groupName of directGroups) {
+      for (const inherited of resolveGroupClosure(groupName)) {
+        effective.add(inherited);
+      }
+    }
+    effectiveByUid.set(uid, sorted(effective));
+  }
+
+  return effectiveByUid;
+};

package/src/services/ipa/profile.ts

@@ -1,8 +1,9 @@
 /**
  * Centralized profile calculation for IPA-backed users.
  *
- * The calculation uses the local mirrored IPA group tree only and treats
- * `auth.groups.id` as the canonical group identity.
+ * Full sync writes `auth.ipa_user_effective_groups` from FreeIPA group_find.
+ * Local group mutations keep that projection as source of truth; the local
+ * display mirror is only a bootstrap fallback before the first full sync.
  */
 
 import { sql } from "bun";
@@ -37,6 +38,17 @@ export const getAllUserGroups = async (userId: string): Promise<string[]> => {
   return rows.map((row) => row.name as string);
 };
 
+export const getEffectiveUserGroups = async (userId: string): Promise<string[]> => {
+  const rows: DbRow[] = await sql`
+    SELECT group_name
+    FROM auth.ipa_user_effective_groups
+    WHERE user_id = ${userId}::uuid
+    ORDER BY group_name
+  `;
+
+  return rows.map((row) => row.group_name as string);
+};
+
 /**
  * Calculate canonical IPA profile from effective group names. Reads
  * `freeipa.groups.base_ipa_realm` from settings (cache-aside).
@@ -54,11 +66,41 @@ export const calculateIpaProfileFromLocalDb = async (userId: string): Promise<"u
   return calculateIpaProfile(groups);
 };
 
+export const calculateIpaProfileFromEffectiveProjection = async (userId: string): Promise<"user" | "guest"> => {
+  const groups = await getEffectiveUserGroups(userId);
+  return calculateIpaProfile(groups);
+};
+
+const rebuildEffectiveProjectionFromLocalMirror = async (userId: string): Promise<string[]> => {
+  const groups = await getAllUserGroups(userId);
+  await sql`
+    DELETE FROM auth.ipa_user_effective_groups
+    WHERE user_id = ${userId}::uuid
+  `;
+
+  for (const group of groups) {
+    await sql`
+      INSERT INTO auth.ipa_user_effective_groups (user_id, group_name)
+      VALUES (${userId}::uuid, ${group})
+      ON CONFLICT DO NOTHING
+    `;
+  }
+
+  return groups;
+};
+
+const getEffectiveUserGroupsWithMirrorFallback = async (userId: string): Promise<string[]> => {
+  const projectedGroups = await getEffectiveUserGroups(userId);
+  if (projectedGroups.length > 0) return projectedGroups;
+  return rebuildEffectiveProjectionFromLocalMirror(userId);
+};
+
 /**
  * Update one IPA-backed user's canonical profile projection.
  */
 export const updateUserIpaProfile = async (userId: string): Promise<void> => {
-  const profile = await calculateIpaProfileFromLocalDb(userId);
+  const groups = await getEffectiveUserGroupsWithMirrorFallback(userId);
+  const profile = await calculateIpaProfile(groups);
   await sql`
     UPDATE auth.users
     SET provider = 'ipa',

package/src/services/ipa/search.ts

@@ -63,11 +63,9 @@ export const search = async (query: string, options: SearchOptions): Promise<{ u
       SELECT u.id, u.uid, u.provider, u.profile, u.given_name, u.sn, u.display_name, u.mail,
         EXISTS(
           SELECT 1
-          FROM auth.user_groups_v2 ug_admin
-          JOIN auth.groups g_admin ON g_admin.id = ug_admin.group_id
-          WHERE ug_admin.user_id = u.id
-            AND g_admin.provider = 'ipa'
-            AND g_admin.name = ANY(${toPgTextArray(groupsAdmin)}::text[])
+          FROM auth.ipa_user_effective_groups eg
+          WHERE eg.user_id = u.id
+            AND eg.group_name = ANY(${toPgTextArray(groupsAdmin)}::text[])
         ) AS effective_admin
       FROM auth.users u
       WHERE u.provider = 'ipa'

package/src/services/ipa/service-account.ts

@@ -0,0 +1,15 @@
+import type { MutationResult } from "../../contracts/shared";
+import { providers } from "../providers";
+import { getFreeIpaConfig } from "../freeipa-config";
+
+export const getServiceIpaSession = async (): Promise<MutationResult<string>> => {
+  if (!(await getFreeIpaConfig()).enabled) {
+    return { ok: false, error: "FreeIPA is disabled.", status: 400 };
+  }
+
+  try {
+    return { ok: true, data: await providers.ipa.auth.getServiceSession() };
+  } catch {
+    return { ok: false, error: "Internal FreeIPA service session unavailable.", status: 500 };
+  }
+};

package/src/services/ipa/sync-planning.test.ts

@@ -0,0 +1,32 @@
+import { describe, expect, test } from "bun:test";
+import { selectStaleLocalIpaRows } from "./sync-planning";
+
+describe("selectStaleLocalIpaRows", () => {
+  test("keeps unchanged active IPA users out of stale transitions", () => {
+    const stale = selectStaleLocalIpaRows({
+      localRows: [{ uid: "eva", mail: "eva@example.test" }],
+      activeRemoteUsers: [{ uid: "eva", mail: "eva@example.test" }],
+    });
+
+    expect(stale).toEqual([]);
+  });
+
+  test("keeps UID-renamed IPA users out of stale transitions when mail still matches", () => {
+    const stale = selectStaleLocalIpaRows({
+      localRows: [{ uid: "old-eva", mail: "eva@example.test" }],
+      activeRemoteUsers: [{ uid: "new-eva", mail: "eva@example.test" }],
+    });
+
+    expect(stale).toEqual([]);
+  });
+
+  test("returns IPA users with no active UID or mail match as stale", () => {
+    const local = { uid: "old-eva", mail: "old-eva@example.test" };
+    const stale = selectStaleLocalIpaRows({
+      localRows: [local],
+      activeRemoteUsers: [{ uid: "new-eva", mail: "eva@example.test" }],
+    });
+
+    expect(stale).toEqual([local]);
+  });
+});

package/src/services/ipa/sync-planning.ts

@@ -0,0 +1,22 @@
+export type IpaIdentity = {
+  uid: string;
+  mail: string | null;
+};
+
+export const selectStaleLocalIpaRows = <T extends IpaIdentity>(params: {
+  localRows: T[];
+  activeRemoteUsers: IpaIdentity[];
+}): T[] => {
+  const activeUids = new Set(params.activeRemoteUsers.map((user) => user.uid));
+  const activeMails = new Set(
+    params.activeRemoteUsers
+      .map((user) => user.mail)
+      .filter((mail): mail is string => Boolean(mail)),
+  );
+
+  return params.localRows.filter((row) => {
+    if (activeUids.has(row.uid)) return false;
+    if (row.mail && activeMails.has(row.mail)) return false;
+    return true;
+  });
+};

package/src/services/ipa/sync.ts

@@ -1,6 +1,7 @@
 import { sql } from "bun";
 import { applyIpaAccountTransitionPolicy } from "../accounts/switching";
 import {
+  calculateIpaProfileFromGroupNames,
   parseIpaAccountTransitionPolicy,
   parseIpaMatchMode,
 } from "../account-model";
@@ -10,9 +11,12 @@ import * as settings from "../settings";
 import { session } from "../session";
 import { freeipa } from "../../server/services";
 import { getFreeIpaConfig } from "../freeipa-config";
-import { calculateIpaProfile, calculateIpaProfileFromLocalDb } from "./profile";
+import { buildEffectiveIpaGroupsByUid } from "./effective-groups";
+import { calculateIpaProfileFromEffectiveProjection, getEffectiveUserGroups } from "./profile";
+import { selectStaleLocalIpaRows } from "./sync-planning";
 
 type DbRow = Record<string, unknown>;
+type LocalIpaRow = DbRow & { uid: string; mail: string | null };
 
 const log = logger("auth:ipa:sync");
 
@@ -148,7 +152,7 @@ const transformSyncUser = (raw: Record<string, unknown>): SyncUser => {
  * `excludedGroupsSet` is hoisted to the caller so we don't re-read settings
  * once per group.
  */
-const transformSyncGroup = (raw: Record<string, unknown>, excludedGroupsSet: Set<string>): SyncGroup => ({
+const transformSyncGroup = (raw: Record<string, unknown>, excludedGroupsSet: Set<string> = new Set()): SyncGroup => ({
   cn: freeipa.util.str(raw.cn),
   description: freeipa.util.str(raw.description) || null,
   gidnumber: freeipa.util.num(raw.gidnumber),
@@ -224,15 +228,13 @@ export const syncFromIpa = async (): Promise<void> => {
   ]);
 
   const allRawUsers = readIpaList({ response: usersRes, entity: "users" });
-
-  const users = allRawUsers
-    .filter((raw) => {
-      const groups = (raw.memberof_group as string[]) ?? [];
-      return config.groupsBaseSync.some((g) => groups.includes(g));
-    })
-    .map(transformSyncUser);
-
+  const allUsers = allRawUsers.map(transformSyncUser);
   const allRawGroups = readIpaList({ response: groupsRes, entity: "groups" });
+  const effectiveGroupsByUid = buildEffectiveIpaGroupsByUid(allRawGroups.map((raw) => transformSyncGroup(raw)));
+  const users = allUsers.filter((user) => {
+    const effectiveGroups = effectiveGroupsByUid.get(user.uid) ?? [];
+    return config.groupsBaseSync.some((group) => effectiveGroups.includes(group));
+  });
   const groups = allRawGroups.map((raw) => transformSyncGroup(raw, excludedGroupsSet)).filter((g) => !excludedGroupsSet.has(g.cn));
 
   const activeUsers = users.filter((u) => !isExpired(u));
@@ -241,7 +243,7 @@ export const syncFromIpa = async (): Promise<void> => {
   // stale/transition branch so their local mirror is either demoted or deleted per policy,
   // and their sessions are revoked. Treating expired users as in-scope would leave a stale
   // unexpired local row plus live sessions.
-  const inScopeUids = new Set(activeUsers.map((u) => u.uid));
+  const remoteGroupCns = new Set(allRawGroups.map((raw) => freeipa.util.str(raw.cn)).filter(Boolean));
   const groupCns = new Set(groups.map((g) => g.cn));
   const matchMode = parseIpaMatchMode(await settings.get<string | null>("freeipa.user_match_mode"));
   const transitionPolicy = parseIpaAccountTransitionPolicy(
@@ -269,7 +271,7 @@ export const syncFromIpa = async (): Promise<void> => {
   if (activeUsers.length === 0 && localIpaUsers > 0) {
     throw new Error(`Refusing IPA sync: remote active users list is empty while local has ${localIpaUsers} IPA users`);
   }
-  if (groupCns.size === 0 && localGroups > 0) {
+  if (remoteGroupCns.size === 0 && localGroups > 0) {
     throw new Error(`Refusing IPA sync: remote groups list is empty while local has ${localGroups} groups`);
   }
 
@@ -279,20 +281,65 @@ export const syncFromIpa = async (): Promise<void> => {
     WHERE provider = 'ipa'
     ORDER BY uid
   `;
-  const staleLocalUsers = localIpaRows.filter((row) => !inScopeUids.has(row.uid as string));
+  const currentProfileByUid = new Map(
+    localIpaRows.map((row) => [row.uid as string, row.profile as "user" | "guest"]),
+  );
+  let profileDriftCount = 0;
+  const profileDriftSamples: string[] = [];
+  let profilesPromoted = 0;
+  let profilesDemoted = 0;
+  for (const user of activeUsers) {
+    const effectiveGroups = effectiveGroupsByUid.get(user.uid) ?? [];
+    const graphProfile = calculateIpaProfileFromGroupNames(effectiveGroups, config.groupsBaseIpaRealm);
+    const userSideProfile = calculateIpaProfileFromGroupNames(user.memberofGroup, config.groupsBaseIpaRealm);
+    if (graphProfile !== userSideProfile) {
+      profileDriftCount += 1;
+      if (profileDriftSamples.length < 10) profileDriftSamples.push(user.uid);
+    }
+
+    const previousProfile = currentProfileByUid.get(user.uid);
+    if (previousProfile === "guest" && graphProfile === "user") profilesPromoted += 1;
+    if (previousProfile === "user" && graphProfile === "guest") profilesDemoted += 1;
+  }
+
+  const localIpaIdentityRows: LocalIpaRow[] = localIpaRows.map((row) => ({
+    ...row,
+    uid: row.uid as string,
+    mail: (row.mail as string | null) ?? null,
+  }));
+  const staleLocalUsers = selectStaleLocalIpaRows({
+    localRows: localIpaIdentityRows,
+    activeRemoteUsers: activeUsers.map((user) => ({ uid: user.uid, mail: user.mail })),
+  });
   const staleLimit = Math.max(10, Math.ceil(Math.max(localIpaUsers, 1) * 0.2));
   if (staleLocalUsers.length > staleLimit) {
     throw new Error(
       `Refusing IPA sync: ${staleLocalUsers.length} local IPA users disappeared from sync scope (limit ${staleLimit})`,
     );
   }
+  if (profilesDemoted > staleLimit) {
+    throw new Error(
+      `Refusing IPA sync: ${profilesDemoted} IPA users would be downgraded from user to guest (limit ${staleLimit})`,
+    );
+  }
+  if (profilesDemoted > 0) {
+    log.warn("IPA sync will downgrade user profiles", { profilesDemoted, limit: staleLimit });
+  }
+  if (profileDriftCount > 0) {
+    log.warn("IPA user memberOf drift detected; using group graph projection", {
+      profileDriftCount,
+      sampleUids: profileDriftSamples,
+    });
+  }
 
   const staleDemotedUsers: Array<{ id: string; uid: string }> = [];
+  let effectiveGroupsRebuilt = 0;
   await sql.begin(async (tx) => {
     // 1. Upsert active IPA users
     //    Match order: mail (existing IPA user, handles UID renames) → mail (guest promotion) → uid (new or unchanged)
     for (const u of activeUsers) {
-      const profile = await calculateIpaProfile(u.memberofGroup);
+      const effectiveGroups = effectiveGroupsByUid.get(u.uid) ?? [];
+      const profile = calculateIpaProfileFromGroupNames(effectiveGroups, config.groupsBaseIpaRealm);
       const provider = "ipa";
 
       if (u.mail) {
@@ -473,6 +520,23 @@ export const syncFromIpa = async (): Promise<void> => {
     const userIdRows: DbRow[] = await tx`SELECT id, uid FROM auth.users WHERE provider = 'ipa'`;
     const uidToId = new Map<string, string>(userIdRows.map((r) => [r.uid as string, r.id as string]));
 
+    await tx`
+      DELETE FROM auth.ipa_user_effective_groups
+      WHERE user_id IN (SELECT id FROM auth.users WHERE provider = 'ipa')
+    `;
+    const effectiveGroupRows: { user_id: string; group_name: string }[] = [];
+    for (const [uid, groupNames] of effectiveGroupsByUid) {
+      const userId = uidToId.get(uid);
+      if (!userId) continue;
+      for (const groupName of groupNames) {
+        effectiveGroupRows.push({ user_id: userId, group_name: groupName });
+      }
+    }
+    if (effectiveGroupRows.length > 0) {
+      await tx`INSERT INTO auth.ipa_user_effective_groups ${sql(effectiveGroupRows, "user_id", "group_name")} ON CONFLICT DO NOTHING`;
+    }
+    effectiveGroupsRebuilt = effectiveGroupRows.length;
+
     // Bulk INSERT helper. Bun's `sql(rows)` only generates valid VALUES
     // syntax when fed an array of OBJECTS (it derives the column list from
     // object keys). Passing array-of-arrays produces broken SQL like
@@ -541,6 +605,11 @@ export const syncFromIpa = async (): Promise<void> => {
     skippedLocalMailConflicts,
     skippedLocalUidConflicts,
     staleUsersDemoted: staleDemotedUsers.length,
+    scopeTransitions: staleDemotedUsers.length,
+    profileDriftCount,
+    profilesPromoted,
+    profilesDemoted,
+    effectiveGroupsRebuilt,
     upsertedUsersByUid,
     insertedUsersByUid,
     updatedUsersByUid,
@@ -566,8 +635,9 @@ export type SyncUserOutcome =
 
 /**
  * Reconcile a local IPA mirror row after discovering the remote user is no
- * longer in sync scope (expired or removed from base-sync groups). Applies the
- * configured account-transition policy and revokes all sessions for the user.
+ * longer valid because the IPA account is expired. Full sync also uses this
+ * transition policy for graph-derived out-of-scope users; single-user sync does
+ * not demote based on FreeIPA user-side memberOf data.
  */
 const reconcileOutOfScopeUser = async (params: {
   userId: string;
@@ -632,12 +702,13 @@ const reconcileOutOfScopeUser = async (params: {
  * Called on login to ensure time-sensitive data is up-to-date.
  *
  * IMPORTANT: Only syncs user attributes (name, mail, expiry, aliases).
- * Does NOT sync group memberships - those are only synced via periodic syncFromIpa().
- * Realm is calculated from LOCAL DB group memberships (optimistically updated by mutations).
+ * Does NOT sync group memberships. Scope/profile come from the last full-sync
+ * effective group projection; user-side memberOf drift is logged but never used
+ * for destructive transitions here.
  *
  * Returns a typed outcome so callers (notably `authFlows.ipa.login`) can decide
- * whether to grant a session. Non-`synced` outcomes reconcile local mirror state
- * where possible (expired / out_of_scope → transition policy + session revocation).
+ * whether to grant a session. Expired users are reconciled immediately; group
+ * scope changes are handled by full sync.
  */
 export const syncUser = async (username: string): Promise<SyncUserOutcome> => {
   const config = await getFreeIpaConfig();
@@ -697,29 +768,30 @@ export const syncUser = async (username: string): Promise<SyncUserOutcome> => {
     return { status: "expired", userId: existingUserId };
   }
 
-  const inSyncGroups = config.groupsBaseSync.some((g) => user.memberofGroup.includes(g));
-  if (!inSyncGroups) {
-    log.warn("User not in sync groups during single-user sync", { username });
-    if (existingUserId) {
-      await reconcileOutOfScopeUser({
-        userId: existingUserId,
-        uid: user.uid,
-        mail: (existingRow?.mail as string | null) ?? user.mail,
-        displayName: (existingRow?.display_name as string | null) ?? user.displayName,
-        previousProfile,
-        reason: "sync_out_of_scope_demoted",
-        meta: { reason: "missing_from_ipa_sync_scope" },
-      });
-    }
-    return { status: "out_of_scope", userId: existingUserId };
-  }
-
   if (!existingUserId) {
     log.warn("User not found in local DB during single-user sync", { username });
     return { status: "not_found_local" };
   }
 
-  const profile = await calculateIpaProfileFromLocalDb(existingUserId);
+  const effectiveGroups = await getEffectiveUserGroups(existingUserId);
+  const inSyncGroups = config.groupsBaseSync.some((g) => effectiveGroups.includes(g));
+  if (!inSyncGroups) {
+    log.warn("User not in projected sync groups during single-user sync", {
+      username,
+      reason: "missing_from_last_full_sync_projection",
+    });
+    return { status: "out_of_scope", userId: existingUserId };
+  }
+
+  const profile = await calculateIpaProfileFromEffectiveProjection(existingUserId);
+  const userSideProfile = calculateIpaProfileFromGroupNames(user.memberofGroup, config.groupsBaseIpaRealm);
+  if (profile !== userSideProfile) {
+    log.warn("IPA user memberOf drift detected during single-user sync", {
+      username,
+      projectedProfile: profile,
+      userSideProfile,
+    });
+  }
   const provider = "ipa";
 
   // Update user attributes only (no group sync!)