diff --git a/supabase/migrations/20251029014018_639026e5-191a-4b2c-9cfc-0dfccdd0bdd4.sql b/supabase/migrations/20251029014018_639026e5-191a-4b2c-9cfc-0dfccdd0bdd4.sql
new file mode 100644
index 00000000..43197623
--- /dev/null
+++ b/supabase/migrations/20251029014018_639026e5-191a-4b2c-9cfc-0dfccdd0bdd4.sql
@@ -0,0 +1,316 @@
+-- Phase 2: Optimize remaining RLS policies missed in first pass
+-- Fixes 49 additional policies across versioning, historical, preference, and granular permission tables
+-- Pattern: auth.uid() → (SELECT auth.uid())
+-- Pattern: is_moderator(auth.uid()) → is_moderator((SELECT auth.uid()))
+
+-- ============================================================================
+-- CORE RELATIONAL TABLES
+-- ============================================================================
+
+DROP POLICY IF EXISTS "Moderators can manage ride technical specifications" ON public.ride_technical_specifications;
+DROP POLICY IF EXISTS "Moderators can manage ride coaster statistics" ON public.ride_coaster_statistics;
+DROP POLICY IF EXISTS "Moderators can manage ride name history" ON public.ride_name_history;
+DROP POLICY IF EXISTS "Moderators can manage ride model technical specifications" ON public.ride_model_technical_specifications;
+
+CREATE POLICY "Moderators can manage ride technical specifications"
+ON public.ride_technical_specifications FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can manage ride coaster statistics"
+ON public.ride_coaster_statistics FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can manage ride name history"
+ON public.ride_name_history FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can manage ride model technical specifications"
+ON public.ride_model_technical_specifications FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+-- ============================================================================
+-- USER/SYSTEM TABLES
+-- ============================================================================
+
+DROP POLICY IF EXISTS "Moderators can read all preferences" ON public.user_preferences;
+DROP POLICY IF EXISTS "Moderators can read analytics" ON public.entity_page_views;
+DROP POLICY IF EXISTS "Service role only access" ON public.request_metadata;
+DROP POLICY IF EXISTS "Moderators can view metadata with MFA" ON public.request_metadata;
+DROP POLICY IF EXISTS "Superusers can manage settings with MFA" ON public.admin_settings;
+
+CREATE POLICY "Moderators can read all preferences"
+ON public.user_preferences FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can read analytics"
+ON public.entity_page_views FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Service role only access"
+ON public.request_metadata FOR ALL
+TO service_role
+USING (auth.role() = 'service_role');
+
+CREATE POLICY "Moderators can view metadata with MFA"
+ON public.request_metadata FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())) AND has_aal2());
+
+CREATE POLICY "Superusers can manage settings with MFA"
+ON public.admin_settings FOR ALL
+TO authenticated
+USING (is_superuser((SELECT auth.uid())) AND has_aal2());
+
+-- ============================================================================
+-- HISTORICAL/VERSIONING TABLES
+-- ============================================================================
+
+DROP POLICY IF EXISTS "Moderators manage historical parks" ON public.historical_parks;
+DROP POLICY IF EXISTS "Moderators manage historical rides" ON public.historical_rides;
+DROP POLICY IF EXISTS "Moderators manage location history" ON public.park_location_history;
+DROP POLICY IF EXISTS "Moderators view location history" ON public.park_location_history;
+DROP POLICY IF EXISTS "Moderators can view all archived versions" ON public.entity_versions_archive;
+DROP POLICY IF EXISTS "Moderators can view all company versions" ON public.company_versions;
+DROP POLICY IF EXISTS "Moderators can view all park versions" ON public.park_versions;
+DROP POLICY IF EXISTS "Moderators can view all ride versions" ON public.ride_versions;
+DROP POLICY IF EXISTS "Moderators can view all ride model versions" ON public.ride_model_versions;
+
+CREATE POLICY "Moderators manage historical parks"
+ON public.historical_parks FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators manage historical rides"
+ON public.historical_rides FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators manage location history"
+ON public.park_location_history FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators view location history"
+ON public.park_location_history FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all archived versions"
+ON public.entity_versions_archive FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all company versions"
+ON public.company_versions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all park versions"
+ON public.park_versions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all ride versions"
+ON public.ride_versions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all ride model versions"
+ON public.ride_model_versions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+-- ============================================================================
+-- GRANULAR UPDATE/VIEW POLICIES
+-- ============================================================================
+
+DROP POLICY IF EXISTS "Moderators can update photo submission items" ON public.photo_submission_items;
+DROP POLICY IF EXISTS "Moderators can view all photo submission items" ON public.photo_submission_items;
+DROP POLICY IF EXISTS "Moderators can update photo submissions" ON public.photo_submissions;
+DROP POLICY IF EXISTS "Moderators can view all photo submissions" ON public.photo_submissions;
+DROP POLICY IF EXISTS "Moderators can update profiles for banning" ON public.profiles;
+DROP POLICY IF EXISTS "Moderators can view all profiles" ON public.profiles;
+DROP POLICY IF EXISTS "Moderators can update reports" ON public.reports;
+DROP POLICY IF EXISTS "Moderators can update reports with MFA" ON public.reports;
+DROP POLICY IF EXISTS "Moderators can view all reports" ON public.reports;
+DROP POLICY IF EXISTS "Moderators can update review status" ON public.reviews;
+DROP POLICY IF EXISTS "Moderators can update ride model submissions" ON public.ride_model_submissions;
+DROP POLICY IF EXISTS "Moderators can view all ride model submissions" ON public.ride_model_submissions;
+DROP POLICY IF EXISTS "Moderators can update ride submissions" ON public.ride_submissions;
+DROP POLICY IF EXISTS "Moderators can view all ride submissions" ON public.ride_submissions;
+DROP POLICY IF EXISTS "Moderators can update submission items" ON public.submission_items;
+DROP POLICY IF EXISTS "Moderators can update submission items with MFA" ON public.submission_items;
+DROP POLICY IF EXISTS "Moderators can update timeline submissions" ON public.timeline_event_submissions;
+DROP POLICY IF EXISTS "Moderators can view all timeline submissions" ON public.timeline_event_submissions;
+
+CREATE POLICY "Moderators can update photo submission items"
+ON public.photo_submission_items FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all photo submission items"
+ON public.photo_submission_items FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update photo submissions"
+ON public.photo_submissions FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all photo submissions"
+ON public.photo_submissions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update profiles for banning"
+ON public.profiles FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all profiles"
+ON public.profiles FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update reports"
+ON public.reports FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update reports with MFA"
+ON public.reports FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())) AND has_aal2());
+
+CREATE POLICY "Moderators can view all reports"
+ON public.reports FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update review status"
+ON public.reviews FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update ride model submissions"
+ON public.ride_model_submissions FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all ride model submissions"
+ON public.ride_model_submissions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update ride submissions"
+ON public.ride_submissions FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all ride submissions"
+ON public.ride_submissions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update submission items"
+ON public.submission_items FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can update submission items with MFA"
+ON public.submission_items FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())) AND has_aal2());
+
+CREATE POLICY "Moderators can update timeline submissions"
+ON public.timeline_event_submissions FOR UPDATE
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all timeline submissions"
+ON public.timeline_event_submissions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+-- ============================================================================
+-- AUDIT & NOTIFICATION TABLES
+-- ============================================================================
+
+DROP POLICY IF EXISTS "Moderators can view all audit logs" ON public.profile_audit_log;
+DROP POLICY IF EXISTS "System can insert audit logs" ON public.profile_audit_log;
+DROP POLICY IF EXISTS "Moderators can view all notification logs" ON public.notification_logs;
+DROP POLICY IF EXISTS "Moderators can view all notification preferences" ON public.user_notification_preferences;
+DROP POLICY IF EXISTS "Moderators can view all review deletions" ON public.review_deletions;
+DROP POLICY IF EXISTS "Moderators can view all submission dependencies" ON public.submission_dependencies;
+DROP POLICY IF EXISTS "Moderators can view test data registry" ON public.test_data_registry;
+
+CREATE POLICY "Moderators can view all audit logs"
+ON public.profile_audit_log FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "System can insert audit logs"
+ON public.profile_audit_log FOR INSERT
+TO service_role
+WITH CHECK (auth.role() = 'service_role');
+
+CREATE POLICY "Moderators can view all notification logs"
+ON public.notification_logs FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all notification preferences"
+ON public.user_notification_preferences FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all review deletions"
+ON public.review_deletions FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view all submission dependencies"
+ON public.submission_dependencies FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators can view test data registry"
+ON public.test_data_registry FOR SELECT
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+-- ============================================================================
+-- LEGACY SUBMISSION TABLES
+-- ============================================================================
+
+DROP POLICY IF EXISTS "Moderators manage coaster stats" ON public.ride_coaster_stats;
+DROP POLICY IF EXISTS "Moderators manage model tech specs" ON public.ride_model_technical_specifications;
+DROP POLICY IF EXISTS "Moderators manage name history" ON public.ride_name_history;
+DROP POLICY IF EXISTS "Moderators manage ride tech specs" ON public.ride_technical_specifications;
+
+CREATE POLICY "Moderators manage coaster stats"
+ON public.ride_coaster_stats FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators manage model tech specs"
+ON public.ride_model_technical_specifications FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators manage name history"
+ON public.ride_name_history FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
+
+CREATE POLICY "Moderators manage ride tech specs"
+ON public.ride_technical_specifications FOR ALL
+TO authenticated
+USING (is_moderator((SELECT auth.uid())));
\ No newline at end of file
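Review bot: The `has_aal2()` requirement in `"Moderators can update reports with MFA"` and `"Moderators can update submission items with MFA"` is not enforced, because the same hunk recreates a plain permissive UPDATE policy on each table (`"Moderators can update reports"`, `"Moderators can update submission items"`) whose `USING (is_moderator((SELECT auth.uid())))` grants the operation without MFA; `CREATE POLICY` defaults to PERMISSIVE and permissive policies are OR-ed, so the weaker one always wins. If MFA is meant to gate moderator updates there, the simplest fix is to not recreate the non-MFA policy on those two tables; the alternative, recreating the MFA policy `AS RESTRICTIVE` (e.g. `CREATE POLICY "Moderators can update reports with MFA" ON public.reports AS RESTRICTIVE FOR UPDATE TO authenticated USING (has_aal2());`), is AND-ed with every other UPDATE policy on the table, including any self-service ones from earlier migrations, so it needs to be scoped deliberately. The same pairing risk presumably exists for `request_metadata` only if a non-MFA moderator SELECT policy survives from an earlier migration, which this file does not show. Separately, the LEGACY section recreates a second `FOR ALL` moderator policy on `ride_technical_specifications`, `ride_name_history` and `ride_model_technical_specifications` that duplicates the one created in the CORE section; one of each pair can be dropped to keep the policy set auditable.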