From a53b03265d03e8cc223df1a942b7f485a8e9c3ab Mon Sep 17 00:00:00 2001
From: gsinghpal <gur_preet.singh@outlook.com>
Date: Sun, 24 May 2026 00:47:54 -0400
Subject: [PATCH] feat(plating-sec): add 8 consolidated role groups + mark old
 groups deprecated

Phase A of permissions overhaul (see docs/superpowers/specs/2026-05-23-*).
New groups (technician/sales_rep/shop_manager_v2/sales_manager/manager/
quality_manager/owner) defined in fp_security_v2.xml with implied_ids
chains that include old groups for backward-compat during 30-day rollback
window. Old groups display as [DEPRECATED] in user form.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 fusion_plating/fusion_plating/__manifest__.py |  1 +
 .../fusion_plating/security/fp_security.xml   |  8 +-
 .../security/fp_security_v2.xml               | 85 +++++++++++++++++++
 .../security/fp_cgp_security.xml              |  4 +-
 .../security/fp_configurator_security.xml     |  4 +-
 .../security/fp_invoicing_security.xml        |  2 +-
 .../security/legacy_groups.xml                |  2 +-
 .../security/fp_receiving_security.xml        |  2 +-
 8 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 fusion_plating/fusion_plating/security/fp_security_v2.xml

diff --git a/fusion_plating/fusion_plating/__manifest__.py b/fusion_plating/fusion_plating/__manifest__.py
index c7fb68d2..e413ac3a 100644
--- a/fusion_plating/fusion_plating/__manifest__.py
+++ b/fusion_plating/fusion_plating/__manifest__.py
@@ -80,6 +80,7 @@ Copyright (c) 2026 Nexa Systems Inc. All rights reserved.
     ],
     'data': [
         'security/fp_security.xml',
+        'security/fp_security_v2.xml',
         'security/ir.model.access.csv',
         'data/fp_landing_data.xml',
         'data/fp_sequence_data.xml',
diff --git a/fusion_plating/fusion_plating/security/fp_security.xml b/fusion_plating/fusion_plating/security/fp_security.xml
index 750718fb..d95db8df 100644
--- a/fusion_plating/fusion_plating/security/fp_security.xml
+++ b/fusion_plating/fusion_plating/security/fp_security.xml
@@ -32,7 +32,7 @@
     <!-- Reads most reference data, writes chemistry logs.                  -->
     <!-- ================================================================== -->
     <record id="group_fusion_plating_operator" model="res.groups">
-        <field name="name">Operator</field>
+        <field name="name">[DEPRECATED] Operator</field>
         <field name="sequence">10</field>
         <field name="privilege_id" ref="res_groups_privilege_fusion_plating"/>
         <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
@@ -43,7 +43,7 @@
     <!-- Can manage baths, schedule jobs, review logs.                      -->
     <!-- ================================================================== -->
     <record id="group_fusion_plating_supervisor" model="res.groups">
-        <field name="name">Supervisor</field>
+        <field name="name">[DEPRECATED] Supervisor</field>
         <field name="sequence">20</field>
         <field name="privilege_id" ref="res_groups_privilege_fusion_plating"/>
         <field name="implied_ids" eval="[(4, ref('group_fusion_plating_operator'))]"/>
@@ -54,7 +54,7 @@
     <!-- Full CRUD on configuration objects.                                -->
     <!-- ================================================================== -->
     <record id="group_fusion_plating_manager" model="res.groups">
-        <field name="name">Manager</field>
+        <field name="name">[DEPRECATED] Manager</field>
         <field name="sequence">30</field>
         <field name="privilege_id" ref="res_groups_privilege_fusion_plating"/>
         <field name="implied_ids" eval="[(4, ref('group_fusion_plating_supervisor'))]"/>
@@ -65,7 +65,7 @@
     <!-- Everything a Manager can do, plus system-level settings.           -->
     <!-- ================================================================== -->
     <record id="group_fusion_plating_admin" model="res.groups">
-        <field name="name">Administrator</field>
+        <field name="name">[DEPRECATED] Administrator</field>
         <field name="sequence">40</field>
         <field name="privilege_id" ref="res_groups_privilege_fusion_plating"/>
         <field name="implied_ids" eval="[(4, ref('group_fusion_plating_manager'))]"/>
diff --git a/fusion_plating/fusion_plating/security/fp_security_v2.xml b/fusion_plating/fusion_plating/security/fp_security_v2.xml
new file mode 100644
index 00000000..59bea7c1
--- /dev/null
+++ b/fusion_plating/fusion_plating/security/fp_security_v2.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data noupdate="0">
+        <!-- Phase 1 Permissions Overhaul: 8 consolidated roles -->
+        <!-- See docs/superpowers/specs/2026-05-23-permissions-overhaul-design.md -->
+
+        <record id="group_fp_technician" model="res.groups">
+            <field name="name">Technician</field>
+            <field name="sequence">10</field>
+            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
+            <field name="implied_ids" eval="[
+                (4, ref('base.group_user')),
+                (4, ref('fusion_plating.group_fusion_plating_operator')),
+            ]"/>
+        </record>
+
+        <record id="group_fp_sales_rep" model="res.groups">
+            <field name="name">Sales Representative</field>
+            <field name="sequence">20</field>
+            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
+            <field name="implied_ids" eval="[
+                (4, ref('base.group_user')),
+                (4, ref('fusion_plating_configurator.group_fp_estimator')),
+            ]"/>
+        </record>
+
+        <record id="group_fp_shop_manager_v2" model="res.groups">
+            <field name="name">Shop Manager</field>
+            <field name="sequence">30</field>
+            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
+            <field name="implied_ids" eval="[
+                (4, ref('group_fp_technician')),
+                (4, ref('fusion_plating.group_fusion_plating_supervisor')),
+                (4, ref('fusion_plating_receiving.group_fp_receiving')),
+            ]"/>
+        </record>
+
+        <record id="group_fp_sales_manager" model="res.groups">
+            <field name="name">Sales Manager</field>
+            <field name="sequence">40</field>
+            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
+            <field name="implied_ids" eval="[
+                (4, ref('group_fp_sales_rep')),
+            ]"/>
+        </record>
+
+        <record id="group_fp_manager" model="res.groups">
+            <field name="name">Manager</field>
+            <field name="sequence">50</field>
+            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
+            <field name="implied_ids" eval="[
+                (4, ref('group_fp_shop_manager_v2')),
+                (4, ref('group_fp_sales_manager')),
+                (4, ref('fusion_plating.group_fusion_plating_manager')),
+                (4, ref('fusion_plating_invoicing.group_fp_accounting')),
+            ]"/>
+        </record>
+
+        <record id="group_fp_quality_manager" model="res.groups">
+            <field name="name">Quality Manager</field>
+            <field name="sequence">60</field>
+            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
+            <field name="implied_ids" eval="[
+                (4, ref('group_fp_manager')),
+                (4, ref('fusion_plating_cgp.group_fusion_plating_cgp_officer')),
+            ]"/>
+        </record>
+
+        <record id="group_fp_owner" model="res.groups">
+            <field name="name">Owner</field>
+            <field name="sequence">70</field>
+            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
+            <field name="implied_ids" eval="[
+                (4, ref('group_fp_quality_manager')),
+                (4, ref('fusion_plating.group_fusion_plating_admin')),
+                (4, ref('fusion_plating_cgp.group_fusion_plating_cgp_designated_official')),
+                (4, ref('base.group_system')),
+            ]"/>
+            <field name="user_ids" eval="[
+                (4, ref('base.user_root')),
+                (4, ref('base.user_admin')),
+            ]"/>
+        </record>
+    </data>
+</odoo>
diff --git a/fusion_plating/fusion_plating_cgp/security/fp_cgp_security.xml b/fusion_plating/fusion_plating_cgp/security/fp_cgp_security.xml
index 2b2c5504..9e811560 100644
--- a/fusion_plating/fusion_plating_cgp/security/fp_cgp_security.xml
+++ b/fusion_plating/fusion_plating_cgp/security/fp_cgp_security.xml
@@ -17,7 +17,7 @@
 
     <!-- CGP OFFICER: day-to-day CGP compliance operator -->
     <record id="group_fusion_plating_cgp_officer" model="res.groups">
-        <field name="name">CGP Officer</field>
+        <field name="name">[DEPRECATED] CGP Officer</field>
         <field name="sequence">50</field>
         <field name="privilege_id"
                ref="fusion_plating.res_groups_privilege_fusion_plating"/>
@@ -27,7 +27,7 @@
 
     <!-- CGP DESIGNATED OFFICIAL: legally accountable per PSPC registration -->
     <record id="group_fusion_plating_cgp_designated_official" model="res.groups">
-        <field name="name">CGP Designated Official</field>
+        <field name="name">[DEPRECATED] CGP Designated Official</field>
         <field name="sequence">60</field>
         <field name="privilege_id"
                ref="fusion_plating.res_groups_privilege_fusion_plating"/>
diff --git a/fusion_plating/fusion_plating_configurator/security/fp_configurator_security.xml b/fusion_plating/fusion_plating_configurator/security/fp_configurator_security.xml
index 80ea9434..22d43f9e 100644
--- a/fusion_plating/fusion_plating_configurator/security/fp_configurator_security.xml
+++ b/fusion_plating/fusion_plating_configurator/security/fp_configurator_security.xml
@@ -7,14 +7,14 @@
 <odoo>
 
     <record id="group_fp_estimator" model="res.groups">
-        <field name="name">Estimator</field>
+        <field name="name">[DEPRECATED] Estimator</field>
         <field name="sequence">50</field>
         <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
         <field name="implied_ids" eval="[(4, ref('fusion_plating.group_fusion_plating_supervisor'))]"/>
     </record>
 
     <record id="group_fp_shop_manager" model="res.groups">
-        <field name="name">Shop Manager</field>
+        <field name="name">[DEPRECATED] Shop Manager</field>
         <field name="sequence">60</field>
         <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
         <field name="implied_ids" eval="[
diff --git a/fusion_plating/fusion_plating_invoicing/security/fp_invoicing_security.xml b/fusion_plating/fusion_plating_invoicing/security/fp_invoicing_security.xml
index f9c60e95..92906ada 100644
--- a/fusion_plating/fusion_plating_invoicing/security/fp_invoicing_security.xml
+++ b/fusion_plating/fusion_plating_invoicing/security/fp_invoicing_security.xml
@@ -7,7 +7,7 @@
 <odoo>
 
     <record id="group_fp_accounting" model="res.groups">
-        <field name="name">Accounting</field>
+        <field name="name">[DEPRECATED] Accounting</field>
         <field name="sequence">58</field>
         <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
         <field name="implied_ids" eval="[(4, ref('fusion_plating.group_fusion_plating_supervisor'))]"/>
diff --git a/fusion_plating/fusion_plating_jobs/security/legacy_groups.xml b/fusion_plating/fusion_plating_jobs/security/legacy_groups.xml
index 4c14fd59..47ff5d06 100644
--- a/fusion_plating/fusion_plating_jobs/security/legacy_groups.xml
+++ b/fusion_plating/fusion_plating_jobs/security/legacy_groups.xml
@@ -6,7 +6,7 @@
          admin can manually add themselves via Settings > Users if
          they need to access historical MO/WO data. -->
     <record id="group_fusion_plating_legacy_menus" model="res.groups">
-        <field name="name">Plating Legacy Menus</field>
+        <field name="name">[DEPRECATED] Plating Legacy Menus</field>
         <field name="comment">Internal group to hide legacy MO/WO menus that have been replaced by the native fp.job model. Add a user to this group only if they need to navigate historical mrp.production / mrp.workorder records directly.</field>
     </record>
 </odoo>
diff --git a/fusion_plating/fusion_plating_receiving/security/fp_receiving_security.xml b/fusion_plating/fusion_plating_receiving/security/fp_receiving_security.xml
index 7f2f2ea8..187ab765 100644
--- a/fusion_plating/fusion_plating_receiving/security/fp_receiving_security.xml
+++ b/fusion_plating/fusion_plating_receiving/security/fp_receiving_security.xml
@@ -7,7 +7,7 @@
 <odoo>
 
     <record id="group_fp_receiving" model="res.groups">
-        <field name="name">Receiving</field>
+        <field name="name">[DEPRECATED] Receiving</field>
         <field name="sequence">55</field>
         <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
         <field name="implied_ids" eval="[(4, ref('fusion_plating.group_fusion_plating_operator'))]"/>