feat(fusion_login_audit): add _fc_build_event_vals context helper

Single helper builds vals for fusion.login.audit rows from the live
HTTP request, or falls back to ip=''internal'' + geo_lookup_state=''internal''
when there is no request. Parses UA into browser/os/device_type via the
bundled user_agents library. Never reads credential[''password'']. Tests
cover: no-request fallback, UA parsing on a Chrome/Windows UA, and the
regression that no password value leaks into the vals dict.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_login_audit/tests/test_login_audit.py

@@ -41,3 +41,48 @@ class TestFusionLoginAuditModel(TransactionCase):
             'geo_lookup_state': 'internal',
         })
         self.assertEqual(rec.geo_lookup_state, 'internal')
+
+    def test_build_event_vals_with_no_request(self):
+        """Without a live request, geo_lookup_state is 'internal'."""
+        ResUsers = self.env['res.users']
+        vals = ResUsers._fc_build_event_vals(
+            result='success',
+            attempted_login='cron@example.com',
+        )
+        self.assertEqual(vals['result'], 'success')
+        self.assertEqual(vals['attempted_login'], 'cron@example.com')
+        self.assertEqual(vals['ip_address'], 'internal')
+        self.assertEqual(vals['user_agent_raw'], '<no-request>')
+        self.assertEqual(vals['geo_lookup_state'], 'internal')
+        self.assertEqual(vals['database'], self.env.cr.dbname)
+
+    def test_build_event_vals_parses_user_agent(self):
+        """Parser fills browser/os/device_type from a stub UA dict."""
+        ResUsers = self.env['res.users']
+        vals = ResUsers._fc_build_event_vals(
+            result='success',
+            attempted_login='ua@example.com',
+            _override_ip='203.0.113.5',
+            _override_ua='Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
+                         'AppleWebKit/537.36 Chrome/140.0 Safari/537.36',
+        )
+        self.assertEqual(vals['ip_address'], '203.0.113.5')
+        self.assertIn('Chrome', vals['browser'])
+        self.assertIn('Windows', vals['os'])
+        self.assertEqual(vals['device_type'], 'desktop')
+        self.assertEqual(vals['geo_lookup_state'], 'pending')
+
+    def test_build_event_vals_strips_password(self):
+        """If a credential dict sneaks in, no password leaks into vals."""
+        ResUsers = self.env['res.users']
+        vals = ResUsers._fc_build_event_vals(
+            result='failure',
+            attempted_login='leak@example.com',
+            failure_reason='bad_password',
+            _credential={'login': 'leak@example.com',
+                         'password': 'super-secret-pw',
+                         'type': 'password'},
+        )
+        serialized = repr(vals)
+        self.assertNotIn('super-secret-pw', serialized)
+        self.assertEqual(vals['failure_reason'], 'bad_password')