feat(fusion_clock): kiosk app + Kiosk Operator role, full-screen PWA, app-integrated permissions

- PWA manifest on the NFC kiosk page so it installs as a full-screen
  home-screen app (Chrome "Install" / Safari "Add to Home Screen").
- Dedicated "Kiosk Operator" permission + gated "Fusion Clock Kiosk"
  top-level app (act_url -> /fusion_clock/kiosk/nfc). Kiosk controllers
  accept Manager OR Kiosk Operator; all kiosk data ops already run sudo.
- Fix 403: read the company kiosk location via sudo on page-load and tap
  (Kiosk Operator has no fusion.clock.location ACL).
- Odoo 19 permissions UX: ir.module.category + res.groups.privilege so
  User/Team Lead/Manager and Kiosk Operator appear as application-access
  dropdowns on the user form (no developer mode). Short group display names.
- Docs: note res.groups.privilege as the Odoo 19 category_id replacement.

Deployed live to entech (odoo-entech / LXC 111 on pve-worker5). v19.0.3.6.0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

fusion_clock/security/security.xml

@@ -1,25 +1,66 @@
 <?xml version="1.0" encoding="utf-8"?>
 <odoo>
 
+    <!-- ================================================================
+         App category + privileges (Odoo 19) so Fusion Clock roles appear
+         as selectable application-access dropdowns on the user form,
+         exactly like the other Fusion apps (no developer mode needed).
+         Odoo 19 dropped res.groups.category_id; groups link to a
+         res.groups.privilege, which carries the category_id.
+         ================================================================ -->
+    <record id="module_category_fusion_clock" model="ir.module.category">
+        <field name="name">Fusion Clock</field>
+        <field name="sequence">45</field>
+    </record>
+
+    <!-- Main role hierarchy (User &lt; Team Lead &lt; Manager) -> one dropdown -->
+    <record id="res_groups_privilege_fusion_clock" model="res.groups.privilege">
+        <field name="name">Fusion Clock</field>
+        <field name="sequence">45</field>
+        <field name="category_id" ref="module_category_fusion_clock"/>
+    </record>
+
+    <!-- Standalone kiosk-operator role -> its own row under the same header -->
+    <record id="res_groups_privilege_fusion_clock_kiosk" model="res.groups.privilege">
+        <field name="name">Fusion Clock Kiosk</field>
+        <field name="sequence">46</field>
+        <field name="category_id" ref="module_category_fusion_clock"/>
+    </record>
+
     <!-- Groups -->
     <record id="group_fusion_clock_user" model="res.groups">
-        <field name="name">Fusion Clock / User</field>
+        <field name="name">User</field>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_clock"/>
         <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
         <field name="comment">Can clock in/out and view own attendance</field>
     </record>
 
     <record id="group_fusion_clock_team_lead" model="res.groups">
-        <field name="name">Fusion Clock / Team Lead</field>
+        <field name="name">Team Lead</field>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_clock"/>
         <field name="implied_ids" eval="[(4, ref('group_fusion_clock_user'))]"/>
         <field name="comment">Can view direct reports attendance (read-only)</field>
     </record>
 
     <record id="group_fusion_clock_manager" model="res.groups">
-        <field name="name">Fusion Clock / Manager</field>
+        <field name="name">Manager</field>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_clock"/>
         <field name="implied_ids" eval="[(4, ref('group_fusion_clock_team_lead'))]"/>
         <field name="comment">Can manage locations, view all attendance, generate reports</field>
     </record>
 
+    <!-- Dedicated kiosk-operator permission: can run the shared clock kiosk
+         (NFC tap / PIN) WITHOUT full Clock Manager access. Gates the
+         "Fusion Clock Kiosk" app menu and is accepted by the kiosk controllers.
+         Implies only base.group_user, so it does NOT reveal the full Fusion
+         Clock app (which is gated to group_fusion_clock_user). -->
+    <record id="group_fusion_clock_kiosk_app" model="res.groups">
+        <field name="name">Kiosk Operator</field>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_clock_kiosk"/>
+        <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
+        <field name="comment">Can open and operate the shared clock kiosk (NFC tap / PIN) without full Clock Manager access. Intended for shared wall-tablet accounts.</field>
+    </record>
+
     <!-- Auto-assign admin to Manager group -->
     <function model="res.users" name="write">
         <value eval="[ref('base.user_admin')]"/>