feat(plating-quality): split Manager vs Quality Manager permissions

Phase C of permissions overhaul (spec Section 2.C).

Manager keeps reactive Quality (NCR/Hold/Check/Cert/RMA — already gated
via Phase B sweep). QM gains exclusive write/create/unlink on strategic
Quality records:

- fusion.plating.capa: Manager → read-only (1,0,0,0); QM → full
- fusion.plating.audit: same split (if model present)
- fp.approved.vendor.list: same split (if model present)
- fusion.plating.customer.spec: same split
- Doc Control models: same split

Plus FAIR/Nadcap cert restriction via two new ir.rule records on
fp.certificate:
- Manager: write/create/unlink on certs where cert_type NOT in
  ('fair', 'nadcap')
- QM: write/create/unlink on all certs (overrides via OR within group)
- Read access unchanged for both (perm_read=False on the rules)

Tests in fusion_plating/tests/test_quality_split.py verify each side
of the split. Models that may not exist on all DBs (audit, AVL) use
skipTest gracefully.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_plating/fusion_plating_certificates/__manifest__.py

@@ -5,7 +5,7 @@
 
 {
     'name': 'Fusion Plating — Certificates',
-    'version': '19.0.7.9.1',
+    'version': '19.0.7.9.2',
     'category': 'Manufacturing/Plating',
     'summary': 'Certificate registry for CoC, thickness reports, and quality documents.',
     'description': """
@@ -32,6 +32,7 @@ Includes Fischerscope thickness measurement data capture.
     ],
     'data': [
         'security/ir.model.access.csv',
+        'security/fp_cert_security.xml',
         'data/fp_certificate_sequence_data.xml',
         'views/res_config_settings_views.xml',
         'views/fp_certificate_views.xml',

fusion_plating/fusion_plating_certificates/security/fp_cert_security.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data noupdate="0">
+        <record id="rule_fp_certificate_fair_nadcap_qm_only" model="ir.rule">
+            <field name="name">FP Certificate: FAIR/Nadcap edit restricted to Quality Manager</field>
+            <field name="model_id" ref="model_fp_certificate"/>
+            <field name="domain_force">[('cert_type', 'not in', ('fair', 'nadcap'))]</field>
+            <field name="groups" eval="[(4, ref('fusion_plating.group_fp_manager'))]"/>
+            <field name="perm_read" eval="False"/>
+            <field name="perm_write" eval="True"/>
+            <field name="perm_create" eval="True"/>
+            <field name="perm_unlink" eval="True"/>
+        </record>
+
+        <record id="rule_fp_certificate_all_qm" model="ir.rule">
+            <field name="name">FP Certificate: QM has full access to all certs</field>
+            <field name="model_id" ref="model_fp_certificate"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="groups" eval="[(4, ref('fusion_plating.group_fp_quality_manager'))]"/>
+            <field name="perm_read" eval="False"/>
+            <field name="perm_write" eval="True"/>
+            <field name="perm_create" eval="True"/>
+            <field name="perm_unlink" eval="True"/>
+        </record>
+    </data>
+</odoo>