feat(shopfloor): post-migrate hook for kiosk password init

Generates a random kiosk password on first deploy, stores in
ir.config_parameter for sysadmin retrieval. Idempotent — re-runs
on subsequent -u leave the password alone.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_plating/fusion_plating_shopfloor/migrations/19.0.33.0.0/post-migrate.py

@@ -0,0 +1,55 @@
+# -*- coding: utf-8 -*-
+"""Tablet PIN session redesign — generate kiosk password on first deploy.
+
+Runs on every -u (post_init_hook only fires on fresh install per
+CLAUDE.md rule 13d). Idempotent: only writes the password if the
+ir.config_parameter key is absent.
+
+After this hook runs, retrieve the kiosk password via:
+    odoo-shell -d admin -c "print(env['ir.config_parameter'].sudo().get_param(
+        'fp.tablet.kiosk_password'))"
+
+Then sysadmin enters that password ONCE in the tablet browser to log
+the kiosk session in. Browser cookie persists per the configured
+session_db.session_lifetime.
+"""
+import logging
+import secrets
+
+_logger = logging.getLogger(__name__)
+
+
+def migrate(cr, version):
+    from odoo import api, SUPERUSER_ID
+    env = api.Environment(cr, SUPERUSER_ID, {})
+
+    ICP = env['ir.config_parameter'].sudo()
+    KEY = 'fp.tablet.kiosk_password'
+
+    existing = ICP.get_param(KEY)
+    if existing:
+        _logger.info(
+            'fp.tablet.kiosk_password already set; leaving it alone (idempotent)'
+        )
+        return
+
+    new_pwd = secrets.token_urlsafe(32)
+    ICP.set_param(KEY, new_pwd)
+    _logger.info(
+        'fp.tablet.kiosk_password generated; retrieve via odoo-shell '
+        "env['ir.config_parameter'].sudo().get_param('%s')",
+        KEY,
+    )
+
+    # Also write the password onto the user so they can log in via /web/login.
+    user = env.ref(
+        'fusion_plating_shopfloor.user_fp_tablet_kiosk',
+        raise_if_not_found=False,
+    )
+    if user:
+        user.password = new_pwd
+        _logger.info('fp_tablet_kiosk user password set to generated value')
+    else:
+        _logger.warning(
+            'fp_tablet_kiosk user not found via xmlid; password not applied to user record'
+        )