From 8e118a84cd9f87b2a98dd23c1f31d3cb25cb2114 Mon Sep 17 00:00:00 2001 From: Adrian Flores Cortes Date: Sat, 24 Jan 2026 22:32:08 -0600 Subject: [PATCH] [TASK-029] security: Add RLS policies for 86 construction tables Co-Authored-By: Claude Opus 4.5 --- schemas/99-rls-policies.sql | 583 ++++++++++++++++++++++++++++++++++++ 1 file changed, 583 insertions(+) create mode 100644 schemas/99-rls-policies.sql diff --git a/schemas/99-rls-policies.sql b/schemas/99-rls-policies.sql new file mode 100644 index 0000000..830d429 --- /dev/null +++ b/schemas/99-rls-policies.sql 
@@ -0,0 +1,583 @@
+-- ============================================================================
+-- RLS POLICIES - Row Level Security Policies for ERP Construccion
+-- Version: 1.0.0
+-- Fecha: 2026-01-24
+-- ============================================================================
+-- DESCRIPCION:
+-- Este archivo contiene TODAS las politicas de Row Level Security (RLS)
+-- para las tablas multi-tenant del ERP Construccion.
+--
+-- POLITICA:
+-- Todas las tablas con columna tenant_id deben tener RLS habilitado y
+-- una politica de aislamiento de tenant usando current_setting('app.current_tenant_id').
+--
+-- USO:
+-- SET app.current_tenant_id = 'uuid-del-tenant';
+-- -- Todas las queries automaticamente filtraran por tenant_id
+--
+-- PREREQUISITOS:
+-- Ejecutar DESPUES de todos los DDL de schemas (01-07)
+-- ============================================================================
+
+-- ============================================================================
+-- SCHEMA: construction (24 tablas)
+-- ============================================================================
+
+-- fraccionamientos
+ALTER TABLE construction.fraccionamientos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_fraccionamientos ON construction.fraccionamientos;
+CREATE POLICY tenant_isolation_fraccionamientos ON construction.fraccionamientos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- etapas
+ALTER TABLE construction.etapas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_etapas ON construction.etapas;
+CREATE POLICY tenant_isolation_etapas ON construction.etapas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- manzanas
+ALTER TABLE construction.manzanas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_manzanas ON construction.manzanas;
+CREATE POLICY tenant_isolation_manzanas ON construction.manzanas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- prototipos
+ALTER TABLE construction.prototipos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_prototipos ON construction.prototipos;
+CREATE POLICY tenant_isolation_prototipos ON construction.prototipos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- lotes
+ALTER TABLE construction.lotes ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_lotes ON construction.lotes;
+CREATE POLICY tenant_isolation_lotes ON construction.lotes
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- torres
+ALTER TABLE construction.torres ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_torres ON construction.torres;
+CREATE POLICY tenant_isolation_torres ON construction.torres
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- niveles
+ALTER TABLE construction.niveles ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_niveles ON construction.niveles;
+CREATE POLICY tenant_isolation_niveles ON construction.niveles
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- departamentos
+ALTER TABLE construction.departamentos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_departamentos ON construction.departamentos;
+CREATE POLICY tenant_isolation_departamentos ON construction.departamentos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- conceptos
+ALTER TABLE construction.conceptos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_conceptos ON construction.conceptos;
+CREATE POLICY tenant_isolation_conceptos ON construction.conceptos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- presupuestos
+ALTER TABLE construction.presupuestos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_presupuestos ON construction.presupuestos;
+CREATE POLICY tenant_isolation_presupuestos ON construction.presupuestos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- presupuesto_partidas
+ALTER TABLE construction.presupuesto_partidas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_presupuesto_partidas ON construction.presupuesto_partidas;
+CREATE POLICY tenant_isolation_presupuesto_partidas ON construction.presupuesto_partidas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- programa_obra
+ALTER TABLE construction.programa_obra ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_programa_obra ON construction.programa_obra;
+CREATE POLICY tenant_isolation_programa_obra ON construction.programa_obra
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- programa_actividades
+ALTER TABLE construction.programa_actividades ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_programa_actividades ON construction.programa_actividades;
+CREATE POLICY tenant_isolation_programa_actividades ON construction.programa_actividades
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- avances_obra
+ALTER TABLE construction.avances_obra ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_avances_obra ON construction.avances_obra;
+CREATE POLICY tenant_isolation_avances_obra ON construction.avances_obra
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- fotos_avance
+ALTER TABLE construction.fotos_avance ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_fotos_avance ON construction.fotos_avance;
+CREATE POLICY tenant_isolation_fotos_avance ON construction.fotos_avance
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- bitacora_obra
+ALTER TABLE construction.bitacora_obra ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_bitacora_obra ON construction.bitacora_obra;
+CREATE POLICY tenant_isolation_bitacora_obra ON construction.bitacora_obra
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- checklists
+ALTER TABLE construction.checklists ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_checklists ON construction.checklists;
+CREATE POLICY tenant_isolation_checklists ON construction.checklists
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- checklist_items
+ALTER TABLE construction.checklist_items ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_checklist_items ON construction.checklist_items;
+CREATE POLICY tenant_isolation_checklist_items ON construction.checklist_items
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- inspecciones
+ALTER TABLE construction.inspecciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_inspecciones ON construction.inspecciones;
+CREATE POLICY tenant_isolation_inspecciones ON construction.inspecciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- inspeccion_resultados
+ALTER TABLE construction.inspeccion_resultados ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_inspeccion_resultados ON construction.inspeccion_resultados;
+CREATE POLICY tenant_isolation_inspeccion_resultados ON construction.inspeccion_resultados
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- tickets_postventa
+ALTER TABLE construction.tickets_postventa ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_tickets_postventa ON construction.tickets_postventa;
+CREATE POLICY tenant_isolation_tickets_postventa ON construction.tickets_postventa
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- subcontratistas
+ALTER TABLE construction.subcontratistas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_subcontratistas ON construction.subcontratistas;
+CREATE POLICY tenant_isolation_subcontratistas ON construction.subcontratistas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- contratos
+ALTER TABLE construction.contratos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_contratos ON construction.contratos;
+CREATE POLICY tenant_isolation_contratos ON construction.contratos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- contrato_partidas
+ALTER TABLE construction.contrato_partidas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_contrato_partidas ON construction.contrato_partidas;
+CREATE POLICY tenant_isolation_contrato_partidas ON construction.contrato_partidas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- SCHEMA: hr (3 tablas)
+-- ============================================================================
+
+-- employees
+ALTER TABLE hr.employees ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_employees ON hr.employees;
+CREATE POLICY tenant_isolation_employees ON hr.employees
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- puestos
+ALTER TABLE hr.puestos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_puestos ON hr.puestos;
+CREATE POLICY tenant_isolation_puestos ON hr.puestos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- employee_fraccionamientos
+ALTER TABLE hr.employee_fraccionamientos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_employee_fraccionamientos ON hr.employee_fraccionamientos;
+CREATE POLICY tenant_isolation_employee_fraccionamientos ON hr.employee_fraccionamientos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- SCHEMA: hse (34 tablas)
+-- ============================================================================
+
+-- incidentes
+ALTER TABLE hse.incidentes ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_incidentes ON hse.incidentes;
+CREATE POLICY tenant_isolation_incidentes ON hse.incidentes
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- capacitaciones
+ALTER TABLE hse.capacitaciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_capacitaciones ON hse.capacitaciones;
+CREATE POLICY tenant_isolation_capacitaciones ON hse.capacitaciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- capacitacion_matriz
+ALTER TABLE hse.capacitacion_matriz ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_capacitacion_matriz ON hse.capacitacion_matriz;
+CREATE POLICY tenant_isolation_capacitacion_matriz ON hse.capacitacion_matriz
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- instructores
+ALTER TABLE hse.instructores ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_instructores ON hse.instructores;
+CREATE POLICY tenant_isolation_instructores ON hse.instructores
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- capacitacion_sesiones
+ALTER TABLE hse.capacitacion_sesiones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_capacitacion_sesiones ON hse.capacitacion_sesiones;
+CREATE POLICY tenant_isolation_capacitacion_sesiones ON hse.capacitacion_sesiones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- constancias_dc3
+ALTER TABLE hse.constancias_dc3 ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_constancias_dc3 ON hse.constancias_dc3;
+CREATE POLICY tenant_isolation_constancias_dc3 ON hse.constancias_dc3
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- tipos_inspeccion
+ALTER TABLE hse.tipos_inspeccion ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_tipos_inspeccion ON hse.tipos_inspeccion;
+CREATE POLICY tenant_isolation_tipos_inspeccion ON hse.tipos_inspeccion
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- programa_inspecciones
+ALTER TABLE hse.programa_inspecciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_programa_inspecciones ON hse.programa_inspecciones;
+CREATE POLICY tenant_isolation_programa_inspecciones ON hse.programa_inspecciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- hse.inspecciones (different from construction.inspecciones)
+ALTER TABLE hse.inspecciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_hse_inspecciones ON hse.inspecciones;
+CREATE POLICY tenant_isolation_hse_inspecciones ON hse.inspecciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- hallazgos
+ALTER TABLE hse.hallazgos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_hallazgos ON hse.hallazgos;
+CREATE POLICY tenant_isolation_hallazgos ON hse.hallazgos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- epp_catalogo
+ALTER TABLE hse.epp_catalogo ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_epp_catalogo ON hse.epp_catalogo;
+CREATE POLICY tenant_isolation_epp_catalogo ON hse.epp_catalogo
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- epp_matriz_puesto
+ALTER TABLE hse.epp_matriz_puesto ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_epp_matriz_puesto ON hse.epp_matriz_puesto;
+CREATE POLICY tenant_isolation_epp_matriz_puesto ON hse.epp_matriz_puesto
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- epp_asignaciones
+ALTER TABLE hse.epp_asignaciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_epp_asignaciones ON hse.epp_asignaciones;
+CREATE POLICY tenant_isolation_epp_asignaciones ON hse.epp_asignaciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- epp_inventario
+ALTER TABLE hse.epp_inventario ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_epp_inventario ON hse.epp_inventario;
+CREATE POLICY tenant_isolation_epp_inventario ON hse.epp_inventario
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- epp_movimientos
+ALTER TABLE hse.epp_movimientos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_epp_movimientos ON hse.epp_movimientos;
+CREATE POLICY tenant_isolation_epp_movimientos ON hse.epp_movimientos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- cumplimiento_obra
+ALTER TABLE hse.cumplimiento_obra ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_cumplimiento_obra ON hse.cumplimiento_obra;
+CREATE POLICY tenant_isolation_cumplimiento_obra ON hse.cumplimiento_obra
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- comision_seguridad
+ALTER TABLE hse.comision_seguridad ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_comision_seguridad ON hse.comision_seguridad;
+CREATE POLICY tenant_isolation_comision_seguridad ON hse.comision_seguridad
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- programa_seguridad
+ALTER TABLE hse.programa_seguridad ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_programa_seguridad ON hse.programa_seguridad;
+CREATE POLICY tenant_isolation_programa_seguridad ON hse.programa_seguridad
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- documentos_stps
+ALTER TABLE hse.documentos_stps ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_documentos_stps ON hse.documentos_stps;
+CREATE POLICY tenant_isolation_documentos_stps ON hse.documentos_stps
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- auditorias
+ALTER TABLE hse.auditorias ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_auditorias ON hse.auditorias;
+CREATE POLICY tenant_isolation_auditorias ON hse.auditorias
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- residuos_generacion
+ALTER TABLE hse.residuos_generacion ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_residuos_generacion ON hse.residuos_generacion;
+CREATE POLICY tenant_isolation_residuos_generacion ON hse.residuos_generacion
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- almacen_temporal
+ALTER TABLE hse.almacen_temporal ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_almacen_temporal ON hse.almacen_temporal;
+CREATE POLICY tenant_isolation_almacen_temporal ON hse.almacen_temporal
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- proveedores_ambientales
+ALTER TABLE hse.proveedores_ambientales ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_proveedores_ambientales ON hse.proveedores_ambientales;
+CREATE POLICY tenant_isolation_proveedores_ambientales ON hse.proveedores_ambientales
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- manifiestos_residuos
+ALTER TABLE hse.manifiestos_residuos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_manifiestos_residuos ON hse.manifiestos_residuos;
+CREATE POLICY tenant_isolation_manifiestos_residuos ON hse.manifiestos_residuos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- impacto_ambiental
+ALTER TABLE hse.impacto_ambiental ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_impacto_ambiental ON hse.impacto_ambiental;
+CREATE POLICY tenant_isolation_impacto_ambiental ON hse.impacto_ambiental
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- quejas_ambientales
+ALTER TABLE hse.quejas_ambientales ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_quejas_ambientales ON hse.quejas_ambientales;
+CREATE POLICY tenant_isolation_quejas_ambientales ON hse.quejas_ambientales
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- tipos_permiso_trabajo
+ALTER TABLE hse.tipos_permiso_trabajo ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_tipos_permiso_trabajo ON hse.tipos_permiso_trabajo;
+CREATE POLICY tenant_isolation_tipos_permiso_trabajo ON hse.tipos_permiso_trabajo
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- permisos_trabajo
+ALTER TABLE hse.permisos_trabajo ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_permisos_trabajo ON hse.permisos_trabajo;
+CREATE POLICY tenant_isolation_permisos_trabajo ON hse.permisos_trabajo
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- indicadores_config
+ALTER TABLE hse.indicadores_config ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_indicadores_config ON hse.indicadores_config;
+CREATE POLICY tenant_isolation_indicadores_config ON hse.indicadores_config
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- indicadores_valores
+ALTER TABLE hse.indicadores_valores ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_indicadores_valores ON hse.indicadores_valores;
+CREATE POLICY tenant_isolation_indicadores_valores ON hse.indicadores_valores
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- horas_trabajadas
+ALTER TABLE hse.horas_trabajadas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_horas_trabajadas ON hse.horas_trabajadas;
+CREATE POLICY tenant_isolation_horas_trabajadas ON hse.horas_trabajadas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- dias_sin_accidente
+ALTER TABLE hse.dias_sin_accidente ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_dias_sin_accidente ON hse.dias_sin_accidente;
+CREATE POLICY tenant_isolation_dias_sin_accidente ON hse.dias_sin_accidente
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- reportes_programados
+ALTER TABLE hse.reportes_programados ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_reportes_programados ON hse.reportes_programados;
+CREATE POLICY tenant_isolation_reportes_programados ON hse.reportes_programados
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- alertas_indicadores
+ALTER TABLE hse.alertas_indicadores ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_alertas_indicadores ON hse.alertas_indicadores;
+CREATE POLICY tenant_isolation_alertas_indicadores ON hse.alertas_indicadores
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- SCHEMA: estimates (8 tablas)
+-- ============================================================================
+
+-- estimaciones
+ALTER TABLE estimates.estimaciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_estimaciones ON estimates.estimaciones;
+CREATE POLICY tenant_isolation_estimaciones ON estimates.estimaciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- estimacion_conceptos
+ALTER TABLE estimates.estimacion_conceptos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_estimacion_conceptos ON estimates.estimacion_conceptos;
+CREATE POLICY tenant_isolation_estimacion_conceptos ON estimates.estimacion_conceptos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- generadores
+ALTER TABLE estimates.generadores ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_generadores ON estimates.generadores;
+CREATE POLICY tenant_isolation_generadores ON estimates.generadores
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- anticipos
+ALTER TABLE estimates.anticipos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_anticipos ON estimates.anticipos;
+CREATE POLICY tenant_isolation_anticipos ON estimates.anticipos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- amortizaciones
+ALTER TABLE estimates.amortizaciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_amortizaciones ON estimates.amortizaciones;
+CREATE POLICY tenant_isolation_amortizaciones ON estimates.amortizaciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- retenciones
+ALTER TABLE estimates.retenciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_retenciones ON estimates.retenciones;
+CREATE POLICY tenant_isolation_retenciones ON estimates.retenciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- fondo_garantia
+ALTER TABLE estimates.fondo_garantia ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_fondo_garantia ON estimates.fondo_garantia;
+CREATE POLICY tenant_isolation_fondo_garantia ON estimates.fondo_garantia
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- estimacion_workflow
+ALTER TABLE estimates.estimacion_workflow ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_estimacion_workflow ON estimates.estimacion_workflow;
+CREATE POLICY tenant_isolation_estimacion_workflow ON estimates.estimacion_workflow
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- SCHEMA: infonavit (8 tablas)
+-- ============================================================================
+
+-- registro_infonavit
+ALTER TABLE infonavit.registro_infonavit ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_registro_infonavit ON infonavit.registro_infonavit;
+CREATE POLICY tenant_isolation_registro_infonavit ON infonavit.registro_infonavit
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- oferta_vivienda
+ALTER TABLE infonavit.oferta_vivienda ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_oferta_vivienda ON infonavit.oferta_vivienda;
+CREATE POLICY tenant_isolation_oferta_vivienda ON infonavit.oferta_vivienda
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- derechohabientes
+ALTER TABLE infonavit.derechohabientes ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_derechohabientes ON infonavit.derechohabientes;
+CREATE POLICY tenant_isolation_derechohabientes ON infonavit.derechohabientes
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- asignacion_vivienda
+ALTER TABLE infonavit.asignacion_vivienda ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_asignacion_vivienda ON infonavit.asignacion_vivienda;
+CREATE POLICY tenant_isolation_asignacion_vivienda ON infonavit.asignacion_vivienda
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- actas
+ALTER TABLE infonavit.actas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_actas ON infonavit.actas;
+CREATE POLICY tenant_isolation_actas ON infonavit.actas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- acta_viviendas
+ALTER TABLE infonavit.acta_viviendas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_acta_viviendas ON infonavit.acta_viviendas;
+CREATE POLICY tenant_isolation_acta_viviendas ON infonavit.acta_viviendas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- reportes_infonavit
+ALTER TABLE infonavit.reportes_infonavit ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_reportes_infonavit ON infonavit.reportes_infonavit;
+CREATE POLICY tenant_isolation_reportes_infonavit ON infonavit.reportes_infonavit
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- historico_puntos
+ALTER TABLE infonavit.historico_puntos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_historico_puntos ON infonavit.historico_puntos;
+CREATE POLICY tenant_isolation_historico_puntos ON infonavit.historico_puntos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- SCHEMA: inventory (4 tablas de extension construccion)
+-- ============================================================================
+
+-- almacenes_proyecto
+ALTER TABLE inventory.almacenes_proyecto ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_almacenes_proyecto ON inventory.almacenes_proyecto;
+CREATE POLICY tenant_isolation_almacenes_proyecto ON inventory.almacenes_proyecto
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- requisiciones_obra
+ALTER TABLE inventory.requisiciones_obra ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_requisiciones_obra ON inventory.requisiciones_obra;
+CREATE POLICY tenant_isolation_requisiciones_obra ON inventory.requisiciones_obra
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- requisicion_lineas
+ALTER TABLE inventory.requisicion_lineas ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_requisicion_lineas ON inventory.requisicion_lineas;
+CREATE POLICY tenant_isolation_requisicion_lineas ON inventory.requisicion_lineas
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- consumos_obra
+ALTER TABLE inventory.consumos_obra ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_consumos_obra ON inventory.consumos_obra;
+CREATE POLICY tenant_isolation_consumos_obra ON inventory.consumos_obra
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- SCHEMA: purchase (5 tablas de extension construccion)
+-- ============================================================================
+
+-- purchase_order_construction
+ALTER TABLE purchase.purchase_order_construction ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_purchase_order_construction ON purchase.purchase_order_construction;
+CREATE POLICY tenant_isolation_purchase_order_construction ON purchase.purchase_order_construction
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- supplier_construction
+ALTER TABLE purchase.supplier_construction ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_supplier_construction ON purchase.supplier_construction;
+CREATE POLICY tenant_isolation_supplier_construction ON purchase.supplier_construction
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- comparativo_cotizaciones
+ALTER TABLE purchase.comparativo_cotizaciones ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_comparativo_cotizaciones ON purchase.comparativo_cotizaciones;
+CREATE POLICY tenant_isolation_comparativo_cotizaciones ON purchase.comparativo_cotizaciones
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- comparativo_proveedores
+ALTER TABLE purchase.comparativo_proveedores ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_comparativo_proveedores ON purchase.comparativo_proveedores;
+CREATE POLICY tenant_isolation_comparativo_proveedores ON purchase.comparativo_proveedores
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- comparativo_productos
+ALTER TABLE purchase.comparativo_productos ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS tenant_isolation_comparativo_productos ON purchase.comparativo_productos;
+CREATE POLICY tenant_isolation_comparativo_productos ON purchase.comparativo_productos
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- RESUMEN DE POLITICAS RLS
+-- ============================================================================
+-- Total de tablas con RLS:
+-- - construction: 24 tablas
+-- - hr: 3 tablas
+-- - hse: 34 tablas
+-- - estimates: 8 tablas
+-- - infonavit: 8 tablas
+-- - inventory: 4 tablas
+-- - purchase: 5 tablas
+-- -----------------------
+-- TOTAL: 86 tablas
+-- ============================================================================
+
+-- ============================================================================
+-- FIN DE RLS POLICIES
+-- ============================================================================
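Review bot: Every one of the 86 tables gets `ENABLE ROW LEVEL SECURITY` but none gets `FORCE ROW LEVEL SECURITY`, so the tenant_isolation policies are bypassed outright for the table owner and for any role with BYPASSRLS; if the runtime application role is also the role that ran the 01-07 DDL (common when one role does migrations and serving), no isolation is enforced at all. Pair each ENABLE with the matching `ALTER TABLE construction.fraccionamientos FORCE ROW LEVEL SECURITY;` (and likewise for the other 85), or state in the PREREQUISITOS header that the serving role must not own these tables and must not have BYPASSRLS. The USO header recommends a plain `SET app.current_tenant_id = '...'`, which is session-scoped and survives across requests on a pooled connection; it should read `SET LOCAL app.current_tenant_id = '...';` inside the request transaction (or `SELECT set_config('app.current_tenant_id', $1, true);`), and the header should say plainly that any login able to issue SET can choose any tenant, so these policies defend against application bugs, not a compromised database credential. The rule in the header that every table with a tenant_id column must have RLS is only backed by the hand-maintained counts in the RESUMEN block; the check below, appended after that block, makes the script fail if a tenant_id table in these schemas was missed or is added later without a policy.

```sql
-- … unchanged: 86 ENABLE / DROP POLICY / CREATE POLICY groups and the RESUMEN block …

-- Fail loudly if any table with a tenant_id column in the multi-tenant schemas
-- still has RLS disabled (catches tables added after this file was written).
DO $$
DECLARE
    missing text;
BEGIN
    SELECT string_agg(format('%I.%I', n.nspname, c.relname), ', ' ORDER BY n.nspname, c.relname)
    INTO missing
    FROM pg_attribute AS a
    INNER JOIN pg_class AS c ON c.oid = a.attrelid
    INNER JOIN pg_namespace AS n ON n.oid = c.relnamespace
    WHERE a.attname = 'tenant_id'
      AND NOT a.attisdropped
      AND c.relkind IN ('r', 'p')
      AND n.nspname IN ('construction', 'hr', 'hse', 'estimates', 'infonavit', 'inventory', 'purchase')
      AND NOT c.relrowsecurity;

    IF missing IS NOT NULL THEN
        RAISE EXCEPTION 'Tables with tenant_id but RLS disabled: %', missing;
    END IF;
END
$$;
```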