diff --git a/CLAUDE.md b/CLAUDE.md
index 3d6588f4..bedaf02a 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -13,7 +13,7 @@
 4. **HTTP routes**: `type="jsonrpc"` — NOT `type="json"` (deprecated).
 5. **res.config.settings**: Only boolean/integer/float/char/selection/many2one/datetime. NO Date fields.
    **`config_parameter=` Boolean fields don't round-trip `False` as a string.** Odoo's `set_values()` calls `IrConfigParameter.set_param(key, value)`, and `set_param` deletes the row when `value` is falsy (False / None / empty). So writing `False` to a Boolean config field means the param no longer exists in `ir_config_parameter`; a subsequent `get_param(key)` returns the *default* (Python `False`), not `'False'`. Test like `self.assertFalse(ICP.get_param('...'))` — never `assertEqual(..., 'False')`. (Integer/Float/Char go through `repr(value)` / strip, so they DO persist as strings — `'90'`, `'0'`, etc.) Source: `odoo/addons/base/models/res_config.py::set_values` and `ir_config_parameter.py::set_param`.
-6. **res.groups**: NO `users` field, NO `category_id` field.
+6. **res.groups**: NO `users` field, NO `category_id` field. **The Odoo 19 replacement for `category_id` is `res.groups.privilege`.** To make a module's groups appear as application-access dropdowns on the user form (Settings → Users → *Application Accesses*) instead of only in developer mode: define an `ir.module.category`, a `res.groups.privilege` (with `category_id` → that category), and set each group's `privilege_id` → that privilege. Groups under one privilege that form an `implied_ids` chain render as a single role dropdown; a standalone group in its own privilege renders as a separate row under the same category header. Verified in `fusion_clock/security/security.xml`; mirrors `fusion_plating`/`fusion_tasks`.
    **res.users**: field was renamed `groups_id` → `group_ids` (also `all_group_ids` for implied). The plural form is gone; using `groups_id` raises `ValueError: Invalid field 'groups_id' in 'res.users'`.
    **`ir.ui.view`**: same rename — view-level visibility gating uses `group_ids`, not `groups_id`. A record like `<field name="groups_id" eval="[(4, ref('base.group_system'))]"/>` on an `ir.ui.view` raises `ValueError: Invalid field 'groups_id' in 'ir.ui.view'` at module install. (The XML *attribute* `groups="base.group_system"` on form elements like `<page>`, `<button>`, `<field>` is unrelated and still works.)
    **`ir.rule` `groups` field is additive, not restrictive.** A rule with `groups=[some_group]` applies ONLY to users in that group — it does NOT restrict non-members. So `domain_force=[(1,'=',1)]` + `groups=[base.group_system]` does NOT mean "only admins see rows"; it means "admins see all rows (and the rule is silent on everyone else)". Non-admins are gated by the ACL (`ir.model.access.csv`), not the rule. To truly restrict by group at the rule layer, pair a global rule (`groups=[]`, `domain_force=[(0,'=',1)]` = block-all baseline) with a group-scoped allow rule. Default to letting the ACL do the gating; use rules for row-level filters that ACLs cannot express.
diff --git a/fusion_clock/__manifest__.py b/fusion_clock/__manifest__.py
index 804fbc05..417a762a 100644
--- a/fusion_clock/__manifest__.py
+++ b/fusion_clock/__manifest__.py
@@ -5,7 +5,7 @@
 
 {
     'name': 'Fusion Clock',
-    'version': '19.0.3.5.6',
+    'version': '19.0.3.6.0',
     'category': 'Human Resources/Attendances',
     'summary': 'Complete Employee T&A with Geofencing, Shifts, Penalties, Overtime, Kiosk, Dashboard & Payroll Export',
     'description': """
diff --git a/fusion_clock/controllers/clock_kiosk.py b/fusion_clock/controllers/clock_kiosk.py
index 30ca2fcb..efe4264e 100644
--- a/fusion_clock/controllers/clock_kiosk.py
+++ b/fusion_clock/controllers/clock_kiosk.py
@@ -10,6 +10,12 @@ from odoo.addons.fusion_clock.models.tz_utils import get_local_today
 _logger = logging.getLogger(__name__)
 
 
+def _is_kiosk_operator(user):
+    """Kiosk surfaces accept a full Clock Manager OR a dedicated Kiosk Operator."""
+    return (user.has_group('fusion_clock.group_fusion_clock_manager')
+            or user.has_group('fusion_clock.group_fusion_clock_kiosk_app'))
+
+
 class FusionClockKiosk(http.Controller):
     """Kiosk mode controller for shared-device clock-in/out."""
 
@@ -17,7 +23,7 @@ class FusionClockKiosk(http.Controller):
     def kiosk_page(self, **kw):
         """Kiosk clock-in/out page for shared tablets."""
         user = request.env.user
-        if not user.has_group('fusion_clock.group_fusion_clock_manager'):
+        if not _is_kiosk_operator(user):
             return request.redirect('/my')
 
         ICP = request.env['ir.config_parameter'].sudo()
@@ -34,7 +40,7 @@ class FusionClockKiosk(http.Controller):
     def kiosk_search(self, query='', **kw):
         """Search employees for kiosk identification."""
         user = request.env.user
-        if not user.has_group('fusion_clock.group_fusion_clock_manager'):
+        if not _is_kiosk_operator(user):
             return {'error': 'Access denied.'}
 
         employees = request.env['hr.employee'].sudo().search([
@@ -55,7 +61,7 @@ class FusionClockKiosk(http.Controller):
     def kiosk_verify_pin(self, employee_id=0, pin='', **kw):
         """Verify employee PIN for kiosk mode."""
         user = request.env.user
-        if not user.has_group('fusion_clock.group_fusion_clock_manager'):
+        if not _is_kiosk_operator(user):
             return {'error': 'Access denied.'}
 
         employee = request.env['hr.employee'].sudo().browse(employee_id)
@@ -75,7 +81,7 @@ class FusionClockKiosk(http.Controller):
     def kiosk_clock(self, employee_id=0, latitude=0, longitude=0, **kw):
         """Perform clock action from kiosk on behalf of an employee."""
         user = request.env.user
-        if not user.has_group('fusion_clock.group_fusion_clock_manager'):
+        if not _is_kiosk_operator(user):
             return {'error': 'Access denied.'}
 
         employee = request.env['hr.employee'].sudo().browse(employee_id)
diff --git a/fusion_clock/controllers/clock_nfc_kiosk.py b/fusion_clock/controllers/clock_nfc_kiosk.py
index ae18ebc9..8699e1de 100644
--- a/fusion_clock/controllers/clock_nfc_kiosk.py
+++ b/fusion_clock/controllers/clock_nfc_kiosk.py
@@ -2,6 +2,7 @@
 # Copyright 2026 Nexa Systems Inc.
 # License OPL-1 (Odoo Proprietary License v1.0)
 
+import json
 import logging
 import re
 import time
@@ -44,6 +45,12 @@ def _strip_data_url_prefix(b64):
     return b64.encode('ascii', errors='ignore') if isinstance(b64, str) else b64
 
 
+def _is_kiosk_operator(user):
+    """Kiosk surfaces accept a full Clock Manager OR a dedicated Kiosk Operator."""
+    return (user.has_group('fusion_clock.group_fusion_clock_manager')
+            or user.has_group('fusion_clock.group_fusion_clock_kiosk_app'))
+
+
 class FusionClockNfcKiosk(http.Controller):
     """NFC tap-to-clock kiosk controller. Reuses FusionClockAPI helpers."""
 
@@ -66,14 +73,14 @@ class FusionClockNfcKiosk(http.Controller):
     def nfc_kiosk_page(self, **kw):
         """Render the NFC kiosk page for a wall-mounted tablet."""
         user = request.env.user
-        if not user.has_group('fusion_clock.group_fusion_clock_manager'):
+        if not _is_kiosk_operator(user):
             return request.redirect('/my')
 
         ICP = request.env['ir.config_parameter'].sudo()
         if ICP.get_param('fusion_clock.enable_nfc_kiosk', 'False') != 'True':
             return request.redirect('/my')
 
-        company = request.env.company
+        company = request.env.company.sudo()
         location = company.x_fclk_nfc_kiosk_location_id
         company_logo_url = (
             '/web/image/res.company/%s/logo' % company.id if company.logo else ''
@@ -89,6 +96,42 @@ class FusionClockNfcKiosk(http.Controller):
         }
         return request.render('fusion_clock.nfc_kiosk_page', values)
 
+    @http.route('/fusion_clock/kiosk/nfc/manifest.webmanifest', type='http', auth='public')
+    def nfc_kiosk_manifest(self, **kw):
+        """Web App Manifest so the NFC kiosk installs as a full-screen home-screen app.
+
+        On a wall tablet, 'Install' (Chrome) / 'Add to Home Screen' (Safari) then
+        launches the kiosk standalone -- no address bar or browser tabs, like Odoo's
+        own PWA. Public so the icon/splash can load without a session.
+        """
+        company = request.env.company.sudo()
+        # Square icons via Odoo's on-the-fly resizer (placeholder if the company has no logo).
+        icon_192 = '/web/image/res.company/%s/logo/192x192' % company.id
+        icon_512 = '/web/image/res.company/%s/logo/512x512' % company.id
+        manifest = {
+            'name': 'Fusion Clock Kiosk',
+            'short_name': 'Clock Kiosk',
+            'description': 'Tap-to-clock NFC kiosk',
+            'start_url': '/fusion_clock/kiosk/nfc',
+            'scope': '/',
+            'display': 'fullscreen',
+            'display_override': ['fullscreen', 'standalone'],
+            'background_color': '#0e1116',
+            'theme_color': '#0e1116',
+            'orientation': 'any',
+            'icons': [
+                {'src': icon_192, 'sizes': '192x192', 'type': 'image/png'},
+                {'src': icon_512, 'sizes': '512x512', 'type': 'image/png'},
+            ],
+        }
+        return request.make_response(
+            json.dumps(manifest),
+            headers=[
+                ('Content-Type', 'application/manifest+json; charset=utf-8'),
+                ('Cache-Control', 'public, max-age=3600'),
+            ],
+        )
+
     @staticmethod
     def _check_enroll_password(env, supplied):
         """Verify the enroll-mode password. Empty config = always-allow for managers."""
@@ -101,7 +144,7 @@ class FusionClockNfcKiosk(http.Controller):
     def nfc_enroll(self, employee_id=0, card_uid='', enroll_password='', **kw):
         """Bind an NFC card UID to an employee. Manager-gated, password-gated."""
         user = request.env.user
-        if not user.has_group('fusion_clock.group_fusion_clock_manager'):
+        if not _is_kiosk_operator(user):
             return {'error': 'access_denied'}
 
         if not self._check_enroll_password(request.env, enroll_password):
@@ -146,7 +189,7 @@ class FusionClockNfcKiosk(http.Controller):
     def nfc_tap(self, card_uid='', photo_b64='', **kw):
         """Toggle attendance state for the employee owning this card UID."""
         user = request.env.user
-        if not user.has_group('fusion_clock.group_fusion_clock_manager'):
+        if not _is_kiosk_operator(user):
             return {'error': 'access_denied'}
 
         ICP = request.env['ir.config_parameter'].sudo()
@@ -165,7 +208,7 @@ class FusionClockNfcKiosk(http.Controller):
             return {'error': 'photo_required', 'message': 'Camera unavailable. Ask IT to check the kiosk.'}
         photo_bytes = _strip_data_url_prefix(photo_b64) if photo_b64 else b''
 
-        company = request.env.company
+        company = request.env.company.sudo()
         location = company.x_fclk_nfc_kiosk_location_id
         if not location:
             return {'error': 'no_location_configured'}
diff --git a/fusion_clock/security/security.xml b/fusion_clock/security/security.xml
index 017aa1e2..4dfc9647 100644
--- a/fusion_clock/security/security.xml
+++ b/fusion_clock/security/security.xml
@@ -1,25 +1,66 @@
 <?xml version="1.0" encoding="utf-8"?>
 <odoo>
 
+    <!-- ================================================================
+         App category + privileges (Odoo 19) so Fusion Clock roles appear
+         as selectable application-access dropdowns on the user form,
+         exactly like the other Fusion apps (no developer mode needed).
+         Odoo 19 dropped res.groups.category_id; groups link to a
+         res.groups.privilege, which carries the category_id.
+         ================================================================ -->
+    <record id="module_category_fusion_clock" model="ir.module.category">
+        <field name="name">Fusion Clock</field>
+        <field name="sequence">45</field>
+    </record>
+
+    <!-- Main role hierarchy (User &lt; Team Lead &lt; Manager) -> one dropdown -->
+    <record id="res_groups_privilege_fusion_clock" model="res.groups.privilege">
+        <field name="name">Fusion Clock</field>
+        <field name="sequence">45</field>
+        <field name="category_id" ref="module_category_fusion_clock"/>
+    </record>
+
+    <!-- Standalone kiosk-operator role -> its own row under the same header -->
+    <record id="res_groups_privilege_fusion_clock_kiosk" model="res.groups.privilege">
+        <field name="name">Fusion Clock Kiosk</field>
+        <field name="sequence">46</field>
+        <field name="category_id" ref="module_category_fusion_clock"/>
+    </record>
+
     <!-- Groups -->
     <record id="group_fusion_clock_user" model="res.groups">
-        <field name="name">Fusion Clock / User</field>
+        <field name="name">User</field>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_clock"/>
         <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
         <field name="comment">Can clock in/out and view own attendance</field>
     </record>
 
     <record id="group_fusion_clock_team_lead" model="res.groups">
-        <field name="name">Fusion Clock / Team Lead</field>
+        <field name="name">Team Lead</field>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_clock"/>
         <field name="implied_ids" eval="[(4, ref('group_fusion_clock_user'))]"/>
         <field name="comment">Can view direct reports attendance (read-only)</field>
     </record>
 
     <record id="group_fusion_clock_manager" model="res.groups">
-        <field name="name">Fusion Clock / Manager</field>
+        <field name="name">Manager</field>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_clock"/>
         <field name="implied_ids" eval="[(4, ref('group_fusion_clock_team_lead'))]"/>
         <field name="comment">Can manage locations, view all attendance, generate reports</field>
     </record>
 
+    <!-- Dedicated kiosk-operator permission: can run the shared clock kiosk
+         (NFC tap / PIN) WITHOUT full Clock Manager access. Gates the
+         "Fusion Clock Kiosk" app menu and is accepted by the kiosk controllers.
+         Implies only base.group_user, so it does NOT reveal the full Fusion
+         Clock app (which is gated to group_fusion_clock_user). -->
+    <record id="group_fusion_clock_kiosk_app" model="res.groups">
+        <field name="name">Kiosk Operator</field>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_clock_kiosk"/>
+        <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
+        <field name="comment">Can open and operate the shared clock kiosk (NFC tap / PIN) without full Clock Manager access. Intended for shared wall-tablet accounts.</field>
+    </record>
+
     <!-- Auto-assign admin to Manager group -->
     <function model="res.users" name="write">
         <value eval="[ref('base.user_admin')]"/>
diff --git a/fusion_clock/views/clock_menus.xml b/fusion_clock/views/clock_menus.xml
index 7f487d13..1ad5bd87 100644
--- a/fusion_clock/views/clock_menus.xml
+++ b/fusion_clock/views/clock_menus.xml
@@ -8,6 +8,22 @@
               sequence="45"
               groups="group_fusion_clock_user"/>
 
+    <!-- Dedicated kiosk app: a separate top-level icon (same artwork) that opens
+         the NFC kiosk. Gated to Kiosk Operator so shared tablet accounts see ONLY
+         this app, not the full Fusion Clock backend. -->
+    <record id="action_fusion_clock_kiosk_nfc" model="ir.actions.act_url">
+        <field name="name">Fusion Clock Kiosk</field>
+        <field name="url">/fusion_clock/kiosk/nfc</field>
+        <field name="target">self</field>
+    </record>
+
+    <menuitem id="menu_fusion_clock_kiosk_app_root"
+              name="Fusion Clock Kiosk"
+              web_icon="fusion_clock,static/description/icon.png"
+              action="action_fusion_clock_kiosk_nfc"
+              sequence="46"
+              groups="group_fusion_clock_kiosk_app"/>
+
     <!-- Dashboard -->
     <menuitem id="menu_fusion_clock_dashboard"
               name="Dashboard"
diff --git a/fusion_clock/views/kiosk_nfc_templates.xml b/fusion_clock/views/kiosk_nfc_templates.xml
index 1421a3da..eab268ce 100644
--- a/fusion_clock/views/kiosk_nfc_templates.xml
+++ b/fusion_clock/views/kiosk_nfc_templates.xml
@@ -7,6 +7,13 @@
             <t t-set="no_footer" t-value="True"/>
             <t t-set="head">
                 <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"/>
+                <!-- Installable full-screen kiosk app (Chrome "Install" / Safari "Add to Home Screen") -->
+                <link rel="manifest" href="/fusion_clock/kiosk/nfc/manifest.webmanifest"/>
+                <meta name="mobile-web-app-capable" content="yes"/>
+                <meta name="apple-mobile-web-app-capable" content="yes"/>
+                <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"/>
+                <meta name="apple-mobile-web-app-title" content="Fusion Clock Kiosk"/>
+                <link rel="apple-touch-icon" href="/fusion_clock/static/description/icon.png"/>
             </t>
 
             <div id="nfc_kiosk_root" class="nfc-kiosk"