fix(auth): restore BRANCH context to PROFILE entity ensuring location-based permission overrides

Author: beyondnetPeru

architecture/blueprints-es/database-design-er.md

@@ -27,14 +27,18 @@ Ruta de Resolución: `Inquilino -> Sistema -> Rol -> Plantilla -> Permiso de Per
 ```mermaid
 erDiagram
     TENANT ||--o{ SYSTEM_SUITE : "posee"
+    TENANT ||--o{ BRANCH : "opera"
     SYSTEM_SUITE ||--o{ ROLE : "define"
     SYSTEM_SUITE ||--o{ FUNCTIONAL_MODULE : "contiene"
     
     ROLE ||--o{ PERMISSION_TEMPLATE : "gobierna"
     PERMISSION_TEMPLATE ||--o{ PROFILE_PERMISSION : "materializado"
     
+    USER ||--o{ PROFILE : "actúa_como"
+    BRANCH ||--o{ PROFILE : "contexto_de"
+    PROFILE ||--o{ PROFILE_PERMISSION : "autoridad_efectiva"
+    
     FUNCTIONAL_MODULE ||--o{ FUNCTIONAL_SUBMODULE : "contiene"
-    FUNCTIONAL_SUBMODULE ||--o{ FUNCTIONAL_OPTION : "provee"
     FUNCTIONAL_OPTION ||--o{ ACTION : "ejecuta"
     
     ACTION ||--o{ PERMISSION_TEMPLATE : "acción_autorizada"
@@ -62,6 +66,14 @@ erDiagram
         uniqueidentifier OptionId FK "Exclusive Arc"
     }
     
+    PROFILE {
+        uniqueidentifier ProfileId PK, FK
+        uniqueidentifier TenantId FK "RLS"
+        uniqueidentifier UserId FK
+        uniqueidentifier RoleId FK
+        uniqueidentifier BranchId FK "Contexto de Sucursal"
+    }
+    
     PROFILE_PERMISSION {
         uniqueidentifier ProfileId PK, FK
         uniqueidentifier TemplateId PK, FK

architecture/blueprints/database-design-er.md

@@ -27,14 +27,18 @@ Full Resolution Path: `Tenant -> System -> Role -> Template -> ProfilePermission
 ```mermaid
 erDiagram
     TENANT ||--o{ SYSTEM_SUITE : "owns"
+    TENANT ||--o{ BRANCH : "operates"
     SYSTEM_SUITE ||--o{ ROLE : "defines"
     SYSTEM_SUITE ||--o{ FUNCTIONAL_MODULE : "contains"
     
     ROLE ||--o{ PERMISSION_TEMPLATE : "governs"
     PERMISSION_TEMPLATE ||--o{ PROFILE_PERMISSION : "materialized"
     
+    USER ||--o{ PROFILE : "acts_as"
+    BRANCH ||--o{ PROFILE : "context_of"
+    PROFILE ||--o{ PROFILE_PERMISSION : "effective_authority"
+    
     FUNCTIONAL_MODULE ||--o{ FUNCTIONAL_SUBMODULE : "contains"
-    FUNCTIONAL_SUBMODULE ||--o{ FUNCTIONAL_OPTION : "provides"
     FUNCTIONAL_OPTION ||--o{ ACTION : "executes"
     
     ACTION ||--o{ PERMISSION_TEMPLATE : "authorized_action"
@@ -62,6 +66,14 @@ erDiagram
         uniqueidentifier OptionId FK "Exclusive Arc"
     }
     
+    PROFILE {
+        uniqueidentifier ProfileId PK, FK
+        uniqueidentifier TenantId FK "RLS"
+        uniqueidentifier UserId FK
+        uniqueidentifier RoleId FK
+        uniqueidentifier BranchId FK "Location Context"
+    }
+    
     PROFILE_PERMISSION {
         uniqueidentifier ProfileId PK, FK
         uniqueidentifier TemplateId PK, FK

architecture/blueprints/er-export-formats.md

@@ -16,6 +16,13 @@ Table TENANT {
   Name nvarchar
 }
 
+Table BRANCH {
+  BranchId uniqueidentifier [pk]
+  TenantId uniqueidentifier [note: 'RLS']
+  Name nvarchar
+  Code nvarchar
+}
+
 Table USER {
   UserId uniqueidentifier [pk]
   TenantId uniqueidentifier
@@ -50,6 +57,7 @@ Table PROFILE {
   TenantId uniqueidentifier
   UserId uniqueidentifier
   RoleId uniqueidentifier
+  BranchId uniqueidentifier [note: 'Branch Context']
 }
 
 Table PROFILE_PERMISSION {
@@ -92,6 +100,7 @@ Table ACTION {
 
 // Relationships
 Ref: USER.TenantId > TENANT.TenantId
+Ref: BRANCH.TenantId > TENANT.TenantId
 Ref: SYSTEM_SUITE.TenantId > TENANT.TenantId
 Ref: ROLE.SuiteId > SYSTEM_SUITE.SuiteId
 Ref: ROLE.TenantId > TENANT.TenantId
@@ -105,6 +114,7 @@ Ref: PERMISSION_TEMPLATE.OptionId > FUNCTIONAL_OPTION.OptionId
 Ref: PROFILE.TenantId > TENANT.TenantId
 Ref: PROFILE.UserId > USER.UserId
 Ref: PROFILE.RoleId > ROLE.RoleId
+Ref: PROFILE.BranchId > BRANCH.BranchId
 Ref: PROFILE_PERMISSION.ProfileId > PROFILE.ProfileId
 Ref: PROFILE_PERMISSION.TemplateId > PERMISSION_TEMPLATE.TemplateId
 Ref: FUNCTIONAL_MODULE.SuiteId > SYSTEM_SUITE.SuiteId
@@ -136,6 +146,28 @@ CREATE TABLE ACTION (
     )
 );
 
+CREATE TABLE ROLE (
+    RoleId UNIQUEIDENTIFIER PRIMARY KEY,
+    SuiteId UNIQUEIDENTIFIER REFERENCES SYSTEM_SUITE(SuiteId),
+    TenantId UNIQUEIDENTIFIER REFERENCES TENANT(TenantId),
+    Name NVARCHAR(255)
+);
+
+CREATE TABLE BRANCH (
+    BranchId UNIQUEIDENTIFIER PRIMARY KEY,
+    TenantId UNIQUEIDENTIFIER REFERENCES TENANT(TenantId),
+    Name NVARCHAR(255),
+    Code NVARCHAR(50)
+);
+
+CREATE TABLE PROFILE (
+    ProfileId UNIQUEIDENTIFIER PRIMARY KEY,
+    TenantId UNIQUEIDENTIFIER REFERENCES TENANT(TenantId),
+    UserId UNIQUEIDENTIFIER REFERENCES USER(UserId),
+    RoleId UNIQUEIDENTIFIER REFERENCES ROLE(RoleId),
+    BranchId UNIQUEIDENTIFIER REFERENCES BRANCH(BranchId)
+);
+
 CREATE TABLE PERMISSION_TEMPLATE (
     TemplateId UNIQUEIDENTIFIER PRIMARY KEY,
     RoleId UNIQUEIDENTIFIER REFERENCES ROLE(RoleId),
@@ -152,4 +184,13 @@ CREATE TABLE PERMISSION_TEMPLATE (
          CASE WHEN OptionId IS NULL THEN 0 ELSE 1 END) = 1
     )
 );
+
+CREATE TABLE PROFILE_PERMISSION (
+    ProfileId UNIQUEIDENTIFIER REFERENCES PROFILE(ProfileId),
+    TemplateId UNIQUEIDENTIFIER REFERENCES PERMISSION_TEMPLATE(TemplateId),
+    IsAllowed BIT DEFAULT 1,
+    IsDenied BIT DEFAULT 0,
+    IsActive BIT DEFAULT 1,
+    PRIMARY KEY (ProfileId, TemplateId)
+);
 ```