fix(fusion_repairs): Bundle 4 review - lock cert editing + drop flex in PDF

H1+H2: Field technicians had perm_create=1 perm_write=1 on inspection
certs (could forge or edit issued certs). Reduced to read-only - the
visit-report wizard already sudos when creating new certs from a tech
visit. Added rule_inspection_cert_readonly for the dispatcher group so
even dispatchers cannot edit already-issued certs; only the manager can
revoke/correct. Sealed audit trail.

H3: Replaced display:flex / gap (which wkhtmltopdf 0.12 renders as a
vertical stack) with inline-block + margin in the certificate PDF.
Footer uses float left/right for the cert-number / inspector signature
line so the layout survives wkhtmltopdf rendering.

Bumped to 19.0.1.4.1.

Co-authored-by: Cursor <cursoragent@cursor.com>

fusion_repairs/security/security.xml

@@ -138,6 +138,19 @@
         <field name="global" eval="True"/>
     </record>
 
+    <!-- Inspection certs: only manager can edit AFTER issue (everyone else read-only).
+         Visit-report wizard uses sudo() to create new certs from a tech visit. -->
+    <record id="rule_inspection_cert_readonly" model="ir.rule">
+        <field name="name">Inspection Certificate: Read-only for non-managers</field>
+        <field name="model_id" ref="model_fusion_repair_inspection_certificate"/>
+        <field name="domain_force">[(1, '=', 1)]</field>
+        <field name="groups" eval="[(4, ref('group_fusion_repairs_dispatcher'))]"/>
+        <field name="perm_read" eval="True"/>
+        <field name="perm_write" eval="False"/>
+        <field name="perm_create" eval="False"/>
+        <field name="perm_unlink" eval="False"/>
+    </record>
+
     <!-- Sales Rep Portal: sees only repair orders they submitted -->
     <record id="rule_repair_order_sales_rep_portal" model="ir.rule">
         <field name="name">Repair Order: Sales Rep Portal - Own Repairs</field>