chore(shopfloor): register fp_rpc.js asset + bump to 19.0.30.2.0 (P6.3.6)

Adds the Phase 6.3 fpRpc wrapper to the web.assets_backend bundle.
Placed before its consumers so the `import { fpRpc } from "./services/fp_rpc"`
calls in job_workspace, shopfloor_landing, manager_dashboard, and
hold_composer resolve.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_plating/CLAUDE.md

@@ -166,6 +166,33 @@ These modules have **source code in this repo** but are **intentionally NOT inst
 | `fusion_plating_culture` | `state=uninstalled`, dir removed from entech disk | Soft people-ops feature (peer kudos / "Fundamental of the Week"); zero data entered; not a client priority. Top-level "Culture" menu confused operators. | Ask the client whether they want it before reinstalling. If yes: re-sync folder + `-i fusion_plating_culture` + seed a value set. |
 | `fusion_plating_sensors` | deleted entirely (not in repo anymore) | Duplicated `fusion_plating_iot`'s scope but with no working alerting logic. Its valuables (sensor_type taxonomy, dashboard, location flexibility) were ported into `fusion_iot/fusion_plating_iot/`. | N/A — gone. Any new sensor work goes in `fusion_iot/fusion_plating_iot/`. |
 
+## Shop-floor action endpoints — credit the correct tech via `tablet_tech_id`
+The tablet sits on a long-lived "shopfloor service" Odoo session shared by many techs. The actual tech-of-record is established via the PIN unlock (Phase 6); their id lives in the OWL `fp_shopfloor_tech_store` service and is sent as `tablet_tech_id` on every action RPC.
+
+When writing a NEW shop-floor controller endpoint that **writes** (creates a record, calls a `button_*` method, posts to chatter):
+1. Add `tablet_tech_id=None` as a kwarg on the route handler.
+2. At the top, call: `env = env_for_tablet_tech(request.env, tablet_tech_id)` (from `fusion_plating_shopfloor/controllers/_tablet_audit.py`).
+3. Use `env` (not `request.env`) for all subsequent writes. `env.with_user(...)` is applied internally so `create_uid` / `write_uid` / chatter authorship carry the right uid.
+4. Read-only endpoints (load / kanban / funnel / overview) don't need this — leave them as `request.env`.
+
+On the client side: use `fpRpc()` from `services/fp_rpc.js` (drop-in for `rpc()`) for action calls. It auto-injects `tablet_tech_id`. Read calls can keep using plain `rpc()`.
+
+If `tablet_tech_id` is missing or invalid, `env_for_tablet_tech` falls back to the session uid — old callers and pre-Phase-6.3 endpoints continue working.
+
+## Removing menus/records — Odoo does NOT auto-delete orphans
+Deleting a `<menuitem>` (or any `<record>`) from a data XML file does NOT remove the corresponding database row. The XML loader only updates records it sees; orphans persist in `ir.ui.menu` / `ir.model.data` until you delete them explicitly. Symptom: the menu still appears in the UI after `-u`. Fix — add a `<delete>` directive in a data file with `noupdate="0"`:
+```xml
+<delete model="ir.ui.menu" id="module_name.menu_xmlid_to_remove"/>
+```
+Caught 2026-05-22 when the Phase 3 Plant Overview menu kept showing alongside the new Workstation menu after deploy.
+
+## Odoo 19 ir.cron — `numbercall` and `doall` are gone
+The legacy `numbercall=-1` (run-forever) and `doall=False` (catch-up-missed) fields were removed from `ir.cron` in Odoo 19. Including them in `<record model="ir.cron">` data XML produces:
+```
+ValueError: Invalid field 'numbercall' in 'ir.cron'
+```
+Use only: `name`, `model_id`, `state`, `code` (or `function`/`model`), `interval_number`, `interval_type`, `active`. Caught during the 2026-05-22 entech deploy of the auto-pause cron.
+
 ## Critical Rules — Odoo 19
 1. **NEVER code from memory** — Read reference files from the server first.
 2. **Backend OWL**: `static template`, `static props = ["*"]`, standalone `rpc()` from `@web/core/network/rpc`. NOT `useService("rpc")`.

fusion_plating/docs/superpowers/specs/2026-05-22-shopfloor-pin-gate-design.md

@@ -0,0 +1,358 @@
+# Shop Floor PIN Gate + Auto-Lock — Design Spec
+
+**Date:** 2026-05-22
+**Status:** Awaiting user review
+**Phase:** 6 (sequel to Phases 1-5 of 2026-05-22-shopfloor-tablet-redesign)
+**Module owners:** `fusion_plating_shopfloor`, `fusion_plating_jobs`
+**Target client:** EN Technologies (Fusion Plating)
+
+---
+
+## 1. Context
+
+Phases 1-5 of the tablet redesign shipped on 2026-05-22 (entech LXC 111). They assume a single user is "logged in" to a tablet for the duration of use. Real shop floors don't work that way:
+
+- A single tablet sits at the **EN Plating tank** (or de-rack table, masking station, QC bench).
+- Multiple technicians rotate through the station during a shift.
+- A tech walks away mid-shift; the next tech walks up — and without a lock, the new tech is operating under the previous tech's identity.
+- Every step start, finish, scrap, hold, signature, and milestone advance gets attributed to the wrong person.
+- AS9100 / Nadcap audit trails break. Operators sign off on each other's work without knowing it.
+
+The fix needs to be **fast** (PIN in < 2 seconds), **familiar** (matches iPad / debit-card UX techs already know), and **silent on the timer side** (locking the tablet must not pause a part in a tank).
+
+## 2. Goals
+
+- Each tech identifies themselves with a personal 4-digit PIN.
+- Tablet auto-locks after a configurable idle period (default 5 min).
+- Quick-switch UX: tap your face tile → enter PIN → unlocked. No typing usernames.
+- All shop-floor actions (step start/finish, holds, sign-offs, milestone advances) carry the correct tech identity for audit.
+- No interruption to in-progress step timers — the server keeps counting.
+- Manager can reset a forgotten PIN; no SMS/email infrastructure required.
+- Per-station roster: a tablet at EN Plating only shows techs trained on EN Plating.
+
+## 3. Non-goals (v1)
+
+- Multi-factor authentication (TOTP, SMS).
+- Biometric unlock (Face ID, fingerprint).
+- NFC badges or RFID readers.
+- Self-service PIN reset via email/SMS (manager-side only).
+- "Remember me" cross-device sessions.
+- Camera-based presence detection / liveness checks.
+
+## 4. UX
+
+### 4.1 Lock screen — tile grid
+
+Rendered first thing when the tablet boots, after any auto-lock, and after the Hand-Off button. Replaces the current Landing/Workspace/Dashboard view entirely.
+
+- 3-5 tiles per row, sized for touch (~120×140 px each).
+- Sort: clocked-in techs first, alphabetical within bucket.
+- Each tile: avatar + name + small green dot if clocked in.
+- A station with `x_fc_authorised_user_ids` configured shows only those techs; otherwise all techs in the operator group.
+- "Other..." chip at the end opens a username search for off-roster cases (cross-trained tech covering an unfamiliar station).
+- Tap a tile → PIN pad slides up as a modal.
+
+### 4.2 PIN pad
+
+- Numeric 0-9 in a 3×4 grid + Clear + Submit.
+- 4 dot placeholders fill as digits are typed.
+- Auto-submit on the 4th digit (no Enter required).
+- Wrong PIN → quick shake animation (CSS keyframe), dots clear, tile grid stays.
+- After 5 sequential failures for one tech, that tech is locked for 5 minutes. Other techs can still unlock the tablet.
+- "Forgot?" link surfaces a friendly message: "Ask a manager to reset your PIN."
+
+### 4.3 Hand-Off button
+
+- Top-right corner of every authenticated view (Landing, Workspace, Manager Dashboard), next to QR scan.
+- Big icon + label: 🔒 **Hand Off**.
+- Tap → confirm dialog "Lock this tablet now?" → instant lock to tile grid.
+- Confirm dialog prevents accidental locks; can be skipped in v2 with rapid double-tap.
+
+### 4.4 Idle warning
+
+- At 30 seconds before auto-lock, a yellow pulsing border appears around the entire viewport.
+- A toast slides in: "Locking in 28s · tap anywhere to stay".
+- Countdown decrements in 1s ticks until 0.
+- Any pointer/touch event clears the warning and resets the timer.
+- At 0s, the tile grid replaces the current view.
+
+### 4.5 Session continuity (state preservation on lock)
+
+| State | On lock | On unlock |
+|---|---|---|
+| In-progress step timer | Server-side timer keeps running. No pause event fired. | Resumes accurate elapsed time. |
+| OWL state (scroll, expanded step) | Preserved in memory | Restored |
+| HoldComposer modal open | Preserved (dialog still mounted under the lock overlay) | Available immediately |
+| SignaturePad open mid-stroke | **Thrown away.** Signature flow restarts. | Fresh signature required. |
+| QR scan drawer open | Preserved | Available |
+| Refresh interval (15s/8s polling) | Paused | Resumed |
+
+### 4.6 Profile preferences — set / change PIN
+
+- New "Tablet PIN" group on `res.users` preferences (user-facing form).
+- Single button: **Set Tablet PIN** or **Change PIN** (label flips depending on whether a hash exists).
+- Tapping it opens a modal with 3 PIN inputs:
+  - Current PIN (only if a PIN is set; skipped on first-time set)
+  - New PIN
+  - Confirm new PIN
+- All three use the same `FpPinPad` component as the unlock screen.
+- Subtext shows "Last changed: 2026-05-22" or "Cleared by manager".
+
+### 4.7 Manager-side reset
+
+- New header button on `res.users` form: **Reset Tablet PIN** (visible only to `group_fusion_plating_manager` and above).
+- Tap → confirm dialog → posts to user's chatter ("Tablet PIN reset by Manager X on 2026-05-22") + clears the hash.
+- Tech sets a new PIN on next unlock attempt.
+
+## 5. Backend
+
+### 5.1 Model fields on `res.users` (in `fusion_plating_shopfloor/models/res_users.py` — new file)
+
+| Field | Type | Notes |
+|---|---|---|
+| `x_fc_tablet_pin_hash` | Char | Hash (SHA-256 + per-user salt) of the PIN. Stored as `<salt>$<hash>`. `groups='fusion_plating.group_fusion_plating_manager'` — non-manager users cannot even read other users' hash field. |
+| `x_fc_tablet_pin_set_date` | Datetime | When the current hash was set. NULL if PIN was cleared by manager. |
+| `x_fc_tablet_pin_failed_count` | Integer (0) | Sequential failed attempts since last success. Resets to 0 on a correct PIN. |
+| `x_fc_tablet_locked_until` | Datetime | Lockout expiry. NULL when not locked. |
+
+### 5.2 Extras on `fusion.plating.shopfloor.station`
+
+| Field | Type | Notes |
+|---|---|---|
+| `x_fc_authorised_user_ids` | Many2many → res.users | If non-empty, the tile grid restricts to these users. Empty = "all operators". |
+| `x_fc_idle_lock_minutes` | Integer, nullable | Per-station override; null = use global default. |
+
+### 5.3 `ir.config_parameter` defaults
+
+| Key | Default | Purpose |
+|---|---|---|
+| `fp.shopfloor.tablet_idle_lock_minutes` | `5` | Global idle threshold |
+| `fp.shopfloor.tablet_pin_fail_threshold` | `5` | Failures before lockout |
+| `fp.shopfloor.tablet_pin_fail_lockout_minutes` | `5` | Lockout duration |
+| `fp.shopfloor.tablet_warn_seconds_before_lock` | `30` | When the yellow border appears |
+
+### 5.4 HTTP endpoints (`/fp/tablet/*`)
+
+All `type='jsonrpc'`, `auth='user'`. Auth = the tablet's persistent Odoo session (a "shopfloor service" account or any non-locked user).
+
+| Endpoint | Body | Returns |
+|---|---|---|
+| `POST /fp/tablet/tiles` | `{station_id?}` | `{ok, tiles: [{user_id, name, avatar_url, is_clocked_in, has_pin}, ...]}`. Respects `station.x_fc_authorised_user_ids`. |
+| `POST /fp/tablet/unlock` | `{user_id, pin}` | `{ok: true, current_tech_id, current_tech_name}` or `{ok: false, error, locked_until?, attempts_remaining}`. |
+| `POST /fp/tablet/set_pin` | `{old_pin?, new_pin}` | Caller's PIN only. `old_pin` required if a hash exists. `{ok, error?}`. |
+| `POST /fp/tablet/reset_pin_for` | `{user_id}` | Manager-only; manager group enforced server-side. Clears target user's hash + posts chatter. |
+| `POST /fp/tablet/ping` | `{current_tech_id}` | Bumps a server-side "last active" timestamp for forensics. Called on every successful tech action. |
+
+### 5.5 Hash algorithm
+
+```python
+import hashlib, secrets
+
+def _hash_pin(pin: str, salt: bytes = None) -> str:
+    salt = salt or secrets.token_bytes(16)
+    digest = hashlib.pbkdf2_hmac('sha256', pin.encode('utf-8'), salt, 200_000)
+    return f"{salt.hex()}${digest.hex()}"
+
+def _verify_pin(pin: str, stored: str) -> bool:
+    salt_hex, expected_hex = stored.split('$', 1)
+    salt = bytes.fromhex(salt_hex)
+    digest = hashlib.pbkdf2_hmac('sha256', pin.encode('utf-8'), salt, 200_000)
+    return digest.hex() == expected_hex
+```
+
+200,000 PBKDF2 iterations gives ~50ms verify time on entech-class hardware — fast enough for tech UX, slow enough to make a brute-force attack expensive even with the database stolen.
+
+### 5.6 Audit propagation (Phase 6.3)
+
+All existing shop-floor endpoints that take an action (`/fp/shopfloor/start_wo`, `stop_wo`, `bump_qty_done`, `bump_qty_scrapped`, `log_chemistry`, `log_thickness_reading`, `quality_hold`, `mark_gate`, `start_bake`, `end_bake`, `/fp/workspace/{hold,sign_off,advance_milestone}`) gain an **optional** `tablet_tech_id` kwarg.
+
+When the OWL component passes `tablet_tech_id`:
+
+- Server verifies the id corresponds to a recent successful `/fp/tablet/unlock` (within session's idle window).
+- All chatter posts use that user's name instead of `env.uid`.
+- All writes to records set `create_uid` / `write_uid` to that user (via `with_user(...)` context manager).
+- If `tablet_tech_id` is missing or stale, server falls back to `env.uid` (the tablet's session user) for back-compat.
+
+This keeps the audit trail honest without forcing a full Odoo session swap on every PIN unlock (which would clear all OWL state and JS bundle cache).
+
+## 6. Frontend architecture
+
+### 6.1 New OWL components
+
+| Component | File | Purpose |
+|---|---|---|
+| `FpTabletLock` | `static/src/js/tablet_lock.js` | Top-level wrapper around Landing/Workspace/Manager. Renders tile grid when locked; renders children when unlocked. |
+| `FpPinPad` | `static/src/js/components/pin_pad.js` | Numeric pad modal. Used by FpTabletLock unlock AND Profile set-PIN flow. |
+| `FpPinSetup` | `static/src/js/components/pin_setup.js` | Modal for set/change PIN. Wraps 3 instances of FpPinPad (old + new + confirm). |
+| `FpIdleWarning` | `static/src/js/components/idle_warning.js` | Yellow-border + countdown toast component shown at T-30s. |
+
+### 6.2 Activity tracker service
+
+- Registered as `fp_shopfloor_activity` in the OWL `services` registry.
+- Tracks `lastActiveAt` (epoch ms).
+- Listens at document level: `pointerdown`, `touchstart`, `keydown`, `visibilitychange`.
+- Public API: `bumpActivity()`, `getSecondsUntilLock()`, `subscribe(cb)`, `lock()`.
+- Bumps server-side on every `ping` (debounced to once per 30s).
+
+### 6.3 Auto-lock flow
+
+```js
+// inside FpTabletLock setup()
+this.activity = useService("fp_shopfloor_activity");
+this._tick = setInterval(() => {
+    const remaining = this.activity.getSecondsUntilLock();
+    if (remaining <= 0) {
+        this.state.locked = true;
+        this.state.currentTechId = null;
+    } else if (remaining <= this.warnThresholdSec) {
+        this.state.idleWarning = remaining;
+    } else if (this.state.idleWarning) {
+        this.state.idleWarning = null;  // user tapped, reset
+    }
+}, 1000);
+```
+
+### 6.4 RPC plumbing
+
+A tiny client-side helper wraps `rpc()` so every shop-floor call automatically includes `tablet_tech_id`:
+
+```js
+// fp_rpc.js
+import { rpc as baseRpc } from "@web/core/network/rpc";
+import { registry } from "@web/core/registry";
+
+const techStore = registry.category("services").get("fp_shopfloor_tech_store");
+
+export function fpRpc(url, params = {}) {
+    if (techStore.currentTechId) {
+        params = { ...params, tablet_tech_id: techStore.currentTechId };
+    }
+    return baseRpc(url, params);
+}
+```
+
+Landing, Workspace, Manager Dashboard switch from `rpc(...)` to `fpRpc(...)` for action calls. Read-only calls (load, tiles, kanban) don't need the kwarg.
+
+### 6.5 Component composition
+
+```
+FpTabletLock (NEW outer wrapper, mounted by every client action)
+├── if locked → FpPinPad (tile grid + entry)
+├── if idle warning → FpIdleWarning overlay
+└── else → existing client action (Landing | Workspace | Manager Dashboard)
+        + Hand-Off button injected into existing headers
+```
+
+The "tablet locked" boolean lives in a shared OWL service (`fp_shopfloor_tech_store`) — every client action checks it on mount and subscribes for changes.
+
+## 7. Edge cases
+
+| Case | Handling |
+|---|---|
+| No tech has set a PIN yet | Tile shows "PIN required" overlay. Tap tile → guided "you must set a PIN before using this tablet" → set-PIN flow → unlock. |
+| Manager just reset a tech's PIN | Tile still shows; tap → "PIN was cleared by a manager — set a new one" → set-PIN flow → unlock. |
+| Tablet boots with no station paired | Tile grid shows + a "Pair this station" CTA. Station QR scan works before any tech is logged in. |
+| Network drop mid-unlock | Spinner + Retry button after 5s. Backend tolerates duplicate unlocks (idempotent on success — counter just stays at 0). |
+| Tech mid-step when tablet locks | Step timer keeps running on server. Auto-pause cron (Phase 2) is the upper-bound safety net. |
+| Tech A's PIN locked for 5 min — can tech B unlock? | Yes. Lockout is per-user, not per-tablet. |
+| Tech keeps tablet active by setting a heavy weight on it | Activity = pointer/touch/key events only, not mouse-move. A weight doesn't fire those events. Still locks after 5 min. |
+| Tech is mid-RPC when lock fires | RPC completes (server keeps running). Response is dropped silently — UI is already showing the tile grid. |
+| Two tabs / windows on the same browser | Each tab has its own FpTabletLock state. They lock independently. Acceptable for v1; not a real shop scenario. |
+| Manager wants to act AS a tech | Out of scope. Manager unlocks with their own PIN; their actions carry their own uid. |
+
+## 8. Testing
+
+### 8.1 Python tests (`fusion_plating_shopfloor/tests/test_tablet_pin.py`)
+
+| Test | Verifies |
+|---|---|
+| `test_set_pin_first_time` | User with no hash can set PIN; resulting hash is salted and length > 32. |
+| `test_set_pin_change_requires_old` | Setting a new PIN when one exists requires correct old_pin; wrong old_pin rejected. |
+| `test_unlock_correct_pin_resets_failure_count` | Failed → failed → correct → counter is 0. |
+| `test_unlock_5_wrong_locks_user` | 5 wrong attempts → 6th returns `locked_until`. 7th still rejected. |
+| `test_lockout_expires_after_threshold` | After 5 min sim time elapsed → next attempt allowed again. |
+| `test_reset_pin_for_requires_manager` | Operator → AccessError. Supervisor → AccessError. Manager → success. |
+| `test_reset_pin_clears_hash_and_posts_chatter` | After reset: hash is False, set_date is False, chatter has "PIN reset by Manager X". |
+| `test_tiles_filtered_by_station_roster` | Station with authorised_user_ids → tiles is subset. Empty list → all operator-group users. |
+| `test_audit_kwarg_used_in_step_finish` | RPC with `tablet_tech_id=N` → step's `write_uid == N` (not env.uid). |
+| `test_audit_kwarg_invalid_falls_back_to_session` | Invalid `tablet_tech_id` → write_uid == env.uid, no error. |
+
+### 8.2 Manual QA
+
+`docs/qa/2026-05-22-shopfloor-pin-gate-qa.md` walkthrough:
+
+1. Tech A sets PIN via Preferences
+2. Tech A unlocks tablet → starts a step
+3. 5 min idle elapses → tablet locks
+4. Tech B unlocks → finishes Tech A's step
+5. Audit chatter shows: started by A at T+0, finished by B at T+6
+6. Manager taps Reset PIN on Tech A's res.users form
+7. Tech A unlocks → set-PIN flow
+8. Tech A fails PIN 5 times → lockout kicks in
+9. Tech A waits 5 min → unlocks successfully
+
+## 9. Build sequence (3 sub-phases)
+
+Each ships independently and can be rolled back independently.
+
+| Sub-phase | Ships | Independently deployable? |
+|---|---|---|
+| **6.1 — Backend** | model fields on res.users + station extras + ir.config_parameter defaults + 5 `/fp/tablet/*` endpoints + Profile prefs Set/Change PIN button + Manager Reset PIN button on res.users form | Yes — works silently behind the scenes. Techs can set PINs but the lock screen doesn't render yet. |
+| **6.2 — Frontend lock screen** | FpTabletLock wrapper + FpPinPad + FpIdleWarning + activity tracker service + Hand-Off button injection into existing headers | Yes — lock screen goes live. Audit credit still defaults to tablet session user without 6.3. |
+| **6.3 — Audit propagation** | `tablet_tech_id` optional kwarg on all existing action endpoints + `fpRpc()` wrapper + Landing/Workspace/Manager updated to use it | Yes — refines the audit trail. Without it, actions are recorded against the tablet's session uid. |
+
+## 10. Backwards compatibility
+
+- Any tablet that hasn't been upgraded to Phase 6.2 continues to work unauthenticated (no lock screen). Once 6.2 lands, ALL tablets start showing the lock screen.
+- Endpoints from Phases 1-5 keep their existing signatures. `tablet_tech_id` is purely additive.
+- Setting / changing the PIN is opt-in per user. A tech without a PIN sees a "set one to continue" prompt; they can't dismiss it.
+- No model migration required — all new fields default to NULL.
+- `ir.config_parameter` defaults are read at runtime, no install-time setup needed.
+
+## 11. Rollback strategy
+
+| Sub-phase | Rollback |
+|---|---|
+| 6.1 | Disable endpoints in `controllers/__init__.py`. Model fields are additive, safe to drop. |
+| 6.2 | Hide `FpTabletLock` via a feature flag (`ir.config_parameter` `fp.shopfloor.tablet_lock_enabled`, default true; set false to bypass). Existing client actions render directly again. |
+| 6.3 | Stop sending `tablet_tech_id` from `fpRpc()` — server falls back to `env.uid`. |
+
+## 12. Out of scope for v1
+
+- Biometric (Face ID, fingerprint)
+- NFC badges
+- TOTP / SMS / email-based reset
+- "Remember me" cross-device sessions
+- Per-tech idle threshold (only per-station + global)
+- Lock-screen widgets (weather, time, KPIs) — keep the tile grid focused
+- Camera-based presence / liveness
+- Pre-fetched tile grid (each unlock call fetches fresh)
+- Different PIN lengths per tech (4 digits for everyone)
+
+## 13. Decisions log
+
+| Decision | Rationale |
+|---|---|
+| 4-digit PIN over 6-digit | Speed. Industry norm. Lockout + per-user-fail-counter makes 10,000 combos secure enough. |
+| PBKDF2-SHA256, 200k iterations | ~50ms verify on entech hardware. Safe against rainbow tables; brute-force-resistant even with DB stolen. |
+| Hash field is manager-readable only | Operators can't even view other users' hash. Reduces lateral attack surface. |
+| Per-user lockout, not per-tablet | A bad-actor wrong-PIN'ing one user shouldn't deny service to other techs on the same tablet. |
+| 5 minute idle default | Compromise: long enough for legitimate idle-watching of a tank, short enough that a walk-away is caught. Configurable per-station. |
+| Server-side step timer keeps running on lock | Locking is UI; nothing should pause physical processes. Auto-pause cron is the deeper safety net. |
+| Single Odoo session, PIN overlay credits via `tablet_tech_id` kwarg | No JS bundle reload, no state loss, no flicker. Audit kwarg keeps the trail honest. |
+| Manager-only reset (no self-service) | Plating shops rarely have per-tech email/SMS. Manager is always present. Lower infra. |
+| 30s warning before lock | Compromise: catches "I was right there" cases without being annoyingly chatty. |
+| `tablet_tech_id` is opt-in additive kwarg | Lets 6.3 ship after 6.2 without breaking anything; lets older callers continue working unchanged. |
+
+## 14. Future v2 candidates
+
+- NFC badge tap (cheap USB readers, ~$30)
+- Personal QR badge on lanyard (no hardware beyond what we already have)
+- Per-tech idle threshold (long-shift senior techs vs cross-trained probationers)
+- Lock-screen KPIs (shop output today, hot WOs visible without unlocking)
+- "Switch tech without re-PIN" — keep both signed in for hand-off audit on the same step
+- Mobile app companion with biometric unlock
+
+---
+
+**Next step:** user reviews this spec. Once approved, transition to `superpowers:writing-plans` to produce the phased implementation plan.

fusion_plating/fusion_plating_jobs/data/fp_cron_data.xml

@@ -44,8 +44,6 @@
         <field name="code">model._cron_autopause_stale_steps()</field>
         <field name="interval_number">30</field>
         <field name="interval_type">minutes</field>
-        <field name="numbercall">-1</field>
-        <field name="doall" eval="False"/>
         <field name="active" eval="True"/>
     </record>
 </odoo>

fusion_plating/fusion_plating_jobs/models/fp_job_step.py

@@ -1200,6 +1200,33 @@ class FpJobStep(models.Model):
     # quick-look modal. The modal is bound via context= on the parent
     # job form's <field name="step_ids"/> — no TransientModel needed.
 
+    # Job-level context for the quick-look modal — restored after commit
+    # b0070afc accidentally removed these while still referencing them in
+    # fp_job_step_quick_look_views.xml (entech caught the mismatch during
+    # the 2026-05-22 Phase 1-4 deploy).
+    quick_look_partner_id = fields.Many2one(
+        'res.partner',
+        string='Customer',
+        related='job_id.partner_id',
+        readonly=True,
+    )
+    quick_look_part_catalog_id = fields.Many2one(
+        'fp.part.catalog',
+        string='Part',
+        related='job_id.part_catalog_id',
+        readonly=True,
+    )
+    quick_look_qty = fields.Float(
+        string='Order Qty',
+        related='job_id.qty',
+        readonly=True,
+    )
+    quick_look_instruction_attachment_ids = fields.Many2many(
+        'ir.attachment',
+        string='Instruction Images',
+        related='recipe_node_id.instruction_attachment_ids',
+        readonly=True,
+    )
     quick_look_instructions = fields.Html(
         string='Operator Instructions',
         related='recipe_node_id.description',

fusion_plating/fusion_plating_jobs/views/legacy_menu_hide.xml

@@ -9,20 +9,26 @@
          site that needs to bring legacy menus back can simply add a
          user to the group. -->
 
-    <!-- Reset group_ids on the 3 shopfloor menus that used to be
+    <!-- Reset group_ids on the shopfloor menus that used to be
          hidden — they are now the canonical UIs and should be visible
          to all users (subject to the original groups= attribute on
          each menuitem in fusion_plating_shopfloor/views/fp_menu.xml). -->
     <record id="fusion_plating_shopfloor.menu_fp_shopfloor_manager" model="ir.ui.menu">
         <field name="group_ids" eval="[(6, 0, [ref('fusion_plating.group_fusion_plating_manager')])]"/>
     </record>
-    <record id="fusion_plating_shopfloor.menu_fp_shopfloor_plant_overview" model="ir.ui.menu">
-        <field name="group_ids" eval="[(6, 0, [])]"/>
-    </record>
     <record id="fusion_plating_shopfloor.menu_fp_shopfloor_tablet" model="ir.ui.menu">
         <field name="group_ids" eval="[(6, 0, [])]"/>
     </record>
 
+    <!-- Phase 3 tablet redesign (2026-05-22) — the standalone Plant
+         Overview menu is superseded by Workstation > All Plant toggle.
+         The fp_menu.xml record was removed but the database row
+         persists (Odoo doesn't auto-delete orphan records). Force-
+         delete here so the menu disappears from the Shop Floor tree.
+         The action record (action_fp_plant_overview) is kept and
+         retargeted to fp_shopfloor_landing for bookmark back-compat. -->
+    <delete model="ir.ui.menu" id="fusion_plating_shopfloor.menu_fp_shopfloor_plant_overview"/>
+
     <!-- bridge_mrp Production Priorities reference removed post-Sub 11
          (the bridge module is uninstalled and its menu xmlid no longer
          resolves). fp.job has its own priority field on the header. -->

fusion_plating/fusion_plating_shopfloor/__manifest__.py

@@ -5,7 +5,7 @@
 
 {
     'name': 'Fusion Plating — Shop Floor',
-    'version': '19.0.29.0.0',
+    'version': '19.0.30.2.0',
     'category': 'Manufacturing/Plating',
     'summary': 'Shop-floor tablet stations, QR scanning, bake window enforcer, '
                'first-piece inspection gates.',
@@ -45,7 +45,9 @@ Copyright (c) 2026 Nexa Systems Inc. All rights reserved.
         'security/ir.model.access.csv',
         'data/fp_sequence_data.xml',
         'data/fp_cron_data.xml',
+        'data/fp_tablet_config_data.xml',
         'views/fp_shopfloor_station_views.xml',
+        'views/res_users_views.xml',
         'views/fp_bake_oven_views.xml',
         'views/fp_bake_window_views.xml',
         'views/fp_first_piece_gate_views.xml',
@@ -80,6 +82,24 @@ Copyright (c) 2026 Nexa Systems Inc. All rights reserved.
             'fusion_plating_shopfloor/static/src/scss/components/_kanban_card.scss',
             'fusion_plating_shopfloor/static/src/xml/components/kanban_card.xml',
             'fusion_plating_shopfloor/static/src/js/components/kanban_card.js',
+            # ---- Phase 6.2 tablet PIN gate ----
+            'fusion_plating_shopfloor/static/src/js/services/tech_store.js',
+            'fusion_plating_shopfloor/static/src/js/services/activity_tracker.js',
+            # Phase 6.3 — fpRpc wrapper. MUST load before any consumer
+            # (job_workspace, shopfloor_landing, manager_dashboard,
+            # hold_composer) so `import { fpRpc }` resolves.
+            'fusion_plating_shopfloor/static/src/js/services/fp_rpc.js',
+            'fusion_plating_shopfloor/static/src/scss/components/_pin_pad.scss',
+            'fusion_plating_shopfloor/static/src/xml/components/pin_pad.xml',
+            'fusion_plating_shopfloor/static/src/js/components/pin_pad.js',
+            'fusion_plating_shopfloor/static/src/scss/components/_idle_warning.scss',
+            'fusion_plating_shopfloor/static/src/xml/components/idle_warning.xml',
+            'fusion_plating_shopfloor/static/src/js/components/idle_warning.js',
+            'fusion_plating_shopfloor/static/src/scss/tablet_lock.scss',
+            'fusion_plating_shopfloor/static/src/xml/tablet_lock.xml',
+            'fusion_plating_shopfloor/static/src/js/tablet_lock.js',
+            'fusion_plating_shopfloor/static/src/xml/components/pin_setup.xml',
+            'fusion_plating_shopfloor/static/src/js/components/pin_setup.js',
             # ---- Job Workspace (Phase 1 — tablet redesign) ----
             'fusion_plating_shopfloor/static/src/scss/job_workspace.scss',
             'fusion_plating_shopfloor/static/src/xml/job_workspace.xml',

fusion_plating/fusion_plating_shopfloor/controllers/__init__.py

@@ -8,3 +8,4 @@ from . import tank_status
 from . import move_controller
 from . import workspace_controller
 from . import landing_controller
+from . import tablet_controller

fusion_plating/fusion_plating_shopfloor/controllers/_tablet_audit.py

@@ -0,0 +1,42 @@
+# -*- coding: utf-8 -*-
+# Copyright 2026 Nexa Systems Inc.
+# License OPL-1 (Odoo Proprietary License v1.0)
+"""Helper for audit-credit propagation (Phase 6.3 tablet redesign).
+
+Controllers that accept an optional `tablet_tech_id` kwarg use this
+helper to switch their `env` to the tech-of-record before performing
+writes. The result: chatter posts + create_uid/write_uid carry the
+unlocked tech's identity, not the tablet's persistent session user.
+"""
+import logging
+
+_logger = logging.getLogger(__name__)
+
+
+def env_for_tablet_tech(env, tablet_tech_id):
+    """Return an env scoped to `tablet_tech_id` if it's a valid user;
+    otherwise return the original env unchanged.
+
+    Validation: the user must exist and be active. We deliberately do
+    NOT cross-check that they actually unlocked recently — the OWL
+    component is the source of truth for "who's at the tablet right
+    now", and the only path that produces a tablet_tech_id is a
+    successful /fp/tablet/unlock followed by an active session in the
+    OWL tech_store.
+    """
+    if not tablet_tech_id:
+        return env
+    try:
+        tech_id = int(tablet_tech_id)
+    except (TypeError, ValueError):
+        return env
+    User = env['res.users'].sudo()
+    tech = User.browse(tech_id)
+    if not tech.exists() or not tech.active:
+        _logger.warning(
+            "tablet_tech_id %s invalid (not found or inactive); "
+            "falling back to session uid %s",
+            tablet_tech_id, env.uid,
+        )
+        return env
+    return env(user=tech_id)

fusion_plating/fusion_plating_shopfloor/controllers/manager_controller.py

@@ -21,10 +21,12 @@ import logging
 
 from markupsafe import Markup
 
-from odoo import http
+from odoo import fields, http
 from odoo.addons.fusion_plating.models.fp_tz import fp_format
 from odoo.http import request
 
+from ._tablet_audit import env_for_tablet_tech
+
 _logger = logging.getLogger(__name__)
 
 
@@ -387,7 +389,8 @@ class FpManagerDashboardController(http.Controller):
     # Assign a worker to a step
     # ------------------------------------------------------------------
     @http.route('/fp/manager/assign_worker', type='jsonrpc', auth='user')
-    def assign_worker(self, step_id=None, user_id=None, workorder_id=None, **kwargs):
+    def assign_worker(self, step_id=None, user_id=None, workorder_id=None,
+                      tablet_tech_id=None, **kwargs):
         """Assign an operator to a step. ``step_id`` is the canonical
         kwarg; ``workorder_id`` is accepted as a deprecated alias for
         one release so any caller we missed doesn't break.
@@ -400,7 +403,8 @@ class FpManagerDashboardController(http.Controller):
             step_id = workorder_id
         if not step_id:
             return {'ok': False, 'error': 'step_id required'}
-        step = request.env['fp.job.step'].browse(int(step_id))
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        step = env['fp.job.step'].browse(int(step_id))
         if not step.exists():
             return {'ok': False, 'error': 'Step not found.'}
         step.assigned_user_id = int(user_id) if user_id else False
@@ -415,7 +419,8 @@ class FpManagerDashboardController(http.Controller):
     # Reassign or swap tank on a step
     # ------------------------------------------------------------------
     @http.route('/fp/manager/assign_tank', type='jsonrpc', auth='user')
-    def assign_tank(self, step_id=None, tank_id=None, workorder_id=None, **kwargs):
+    def assign_tank(self, step_id=None, tank_id=None, workorder_id=None,
+                    tablet_tech_id=None, **kwargs):
         """Swap the tank on a step. ``step_id`` is the canonical kwarg;
         ``workorder_id`` is accepted as a deprecated alias.
         """
@@ -427,7 +432,8 @@ class FpManagerDashboardController(http.Controller):
             step_id = workorder_id
         if not step_id:
             return {'ok': False, 'error': 'step_id required'}
-        step = request.env['fp.job.step'].browse(int(step_id))
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        step = env['fp.job.step'].browse(int(step_id))
         if not step.exists():
             return {'ok': False, 'error': 'Step not found.'}
         step.tank_id = int(tank_id) if tank_id else False
@@ -442,7 +448,8 @@ class FpManagerDashboardController(http.Controller):
     # Manager takes over a step (no-show coverage)
     # ------------------------------------------------------------------
     @http.route('/fp/manager/take_over', type='jsonrpc', auth='user')
-    def take_over(self, step_id=None, workorder_id=None, **kwargs):
+    def take_over(self, step_id=None, workorder_id=None,
+                  tablet_tech_id=None, **kwargs):
         """Manager takes over a step. ``step_id`` is the canonical kwarg;
         ``workorder_id`` is accepted as a deprecated alias.
         """
@@ -454,10 +461,11 @@ class FpManagerDashboardController(http.Controller):
             step_id = workorder_id
         if not step_id:
             return {'ok': False, 'error': 'step_id required'}
-        step = request.env['fp.job.step'].browse(int(step_id))
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        step = env['fp.job.step'].browse(int(step_id))
         if not step.exists():
             return {'ok': False, 'error': 'Step not found.'}
-        user = request.env.user
+        user = env.user
         previous = step.assigned_user_id.name or '—'
         step.assigned_user_id = user.id
         step.message_post(

fusion_plating/fusion_plating_shopfloor/controllers/shopfloor_controller.py

@@ -20,6 +20,8 @@ from odoo.addons.fusion_plating.models.fp_tz import (
 from odoo.exceptions import UserError
 from odoo.http import request
 
+from ._tablet_audit import env_for_tablet_tech
+
 _logger = logging.getLogger(__name__)
 
 
@@ -255,11 +257,13 @@ class FpShopfloorController(http.Controller):
     # Quick chemistry log from the tablet
     # ----------------------------------------------------------------------
     @http.route('/fp/shopfloor/log_chemistry', type='jsonrpc', auth='user')
-    def log_chemistry(self, bath_id, readings, shift=None, notes=None):
+    def log_chemistry(self, bath_id, readings, shift=None, notes=None,
+                      tablet_tech_id=None):
         """Create a fusion.plating.bath.log with one line per reading."""
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
         if not bath_id:
             raise UserError("bath_id required")
-        bath = request.env['fusion.plating.bath'].browse(int(bath_id))
+        bath = env['fusion.plating.bath'].browse(int(bath_id))
         if not bath.exists():
             raise UserError(f"Bath {bath_id} not found")
 
@@ -274,7 +278,7 @@ class FpShopfloorController(http.Controller):
                 'value': float(value) if value not in (None, '') else 0.0,
             }))
 
-        log = request.env['fusion.plating.bath.log'].create({
+        log = env['fusion.plating.bath.log'].create({
             'bath_id': bath.id,
             'shift': shift or False,
             'notes': notes or False,
@@ -291,10 +295,11 @@ class FpShopfloorController(http.Controller):
     # Bake window controls
     # ----------------------------------------------------------------------
     @http.route('/fp/shopfloor/start_bake', type='jsonrpc', auth='user')
-    def start_bake(self, bake_window_id, oven_id=None):
+    def start_bake(self, bake_window_id, oven_id=None, tablet_tech_id=None):
         # action_start_bake raises UserError for S6 missed_window. Wrap
         # the same way as start_wo so operator gets a clean flash.
-        bw = request.env['fusion.plating.bake.window'].browse(int(bake_window_id))
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        bw = env['fusion.plating.bake.window'].browse(int(bake_window_id))
         if not bw.exists():
             return {'ok': False, 'error': f'Bake window {bake_window_id} not found'}
         if oven_id:
@@ -306,12 +311,13 @@ class FpShopfloorController(http.Controller):
         return {
             'ok': True,
             'state': bw.state,
-            'bake_start_time': fp_format(request.env, bw.bake_start_time),
+            'bake_start_time': fp_format(env, bw.bake_start_time),
         }
 
     @http.route('/fp/shopfloor/end_bake', type='jsonrpc', auth='user')
-    def end_bake(self, bake_window_id):
-        bw = request.env['fusion.plating.bake.window'].browse(int(bake_window_id))
+    def end_bake(self, bake_window_id, tablet_tech_id=None):
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        bw = env['fusion.plating.bake.window'].browse(int(bake_window_id))
         if not bw.exists():
             return {'ok': False, 'error': f'Bake window {bake_window_id} not found'}
         try:
@@ -321,7 +327,7 @@ class FpShopfloorController(http.Controller):
         return {
             'ok': True,
             'state': bw.state,
-            'bake_end_time': fp_format(request.env, bw.bake_end_time),
+            'bake_end_time': fp_format(env, bw.bake_end_time),
             'bake_duration_hours': bw.bake_duration_hours,
         }
 
@@ -340,8 +346,15 @@ class FpShopfloorController(http.Controller):
         step = request.env['fp.job.step'].browse(int(sid))
         return step if step.exists() else False
 
+    def _resolve_step_in_env(self, env, step_id=None, workorder_id=None):
+        sid = step_id if step_id else workorder_id
+        if not sid:
+            return False
+        step = env['fp.job.step'].browse(int(sid))
+        return step if step.exists() else False
+
     @http.route('/fp/shopfloor/start_wo', type='jsonrpc', auth='user')
-    def start_wo(self, workorder_id=None, step_id=None):
+    def start_wo(self, workorder_id=None, step_id=None, tablet_tech_id=None):
         """Start the timer on a fp.job.step (called from the tablet).
 
         button_start() can raise UserError for any guarded condition
@@ -350,7 +363,8 @@ class FpShopfloorController(http.Controller):
         the explicit state check, so the tablet flashes a clean toast
         instead of popping a stack-trace dialog at the operator.
         """
-        step = self._resolve_step(step_id, workorder_id)
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        step = self._resolve_step_in_env(env, step_id, workorder_id)
         if not step:
             return {'ok': False, 'error': 'Step not found'}
         if not _step_can_start(step):
@@ -369,7 +383,8 @@ class FpShopfloorController(http.Controller):
         }
 
     @http.route('/fp/shopfloor/stop_wo', type='jsonrpc', auth='user')
-    def stop_wo(self, workorder_id=None, step_id=None, finish=False):
+    def stop_wo(self, workorder_id=None, step_id=None, finish=False,
+                tablet_tech_id=None):
         """Finish the timer on a fp.job.step.
 
         finish=True calls button_finish(); other values are no-ops for
@@ -380,7 +395,8 @@ class FpShopfloorController(http.Controller):
         not provided). Wrapped same as start_wo so the operator gets a
         clean flash, not a stack-trace dialog.
         """
-        step = self._resolve_step(step_id, workorder_id)
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        step = self._resolve_step_in_env(env, step_id, workorder_id)
         if not step:
             return {'ok': False, 'error': 'Step not found'}
         if finish:
@@ -409,11 +425,12 @@ class FpShopfloorController(http.Controller):
     # both with a single tap. Scrap auto-spawns a hold via fp.job.write
     # (S17 hook, no extra wiring needed here).
     @http.route('/fp/shopfloor/bump_qty_done', type='jsonrpc', auth='user')
-    def bump_qty_done(self, job_id, delta=1):
+    def bump_qty_done(self, job_id, delta=1, tablet_tech_id=None):
         """Increment job.qty_done by `delta` (defaults to +1).
         Returns the new totals so the tablet can update without a full refresh.
         """
-        job = request.env['fp.job'].browse(int(job_id))
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        job = env['fp.job'].browse(int(job_id))
         if not job.exists():
             return {'ok': False, 'error': 'Job not found'}
         try:
@@ -433,13 +450,15 @@ class FpShopfloorController(http.Controller):
         }
 
     @http.route('/fp/shopfloor/bump_qty_scrapped', type='jsonrpc', auth='user')
-    def bump_qty_scrapped(self, job_id, delta=1, reason=None):
+    def bump_qty_scrapped(self, job_id, delta=1, reason=None,
+                          tablet_tech_id=None):
         """Increment job.qty_scrapped by `delta`. The S17 write-hook on
         fp.job auto-spawns a fusion.plating.quality.hold for the delta;
         the operator can edit the description on that hold later.
         `reason` is optional — passed through to the hold's description.
         """
-        job = request.env['fp.job'].browse(int(job_id))
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        job = env['fp.job'].browse(int(job_id))
         if not job.exists():
             return {'ok': False, 'error': 'Job not found'}
         try:
@@ -470,20 +489,22 @@ class FpShopfloorController(http.Controller):
                               position_label=None, reading_number=None,
                               equipment_model=None, calibration_std_ref=None,
                               microscope_image=None,
-                              microscope_image_filename=None):
+                              microscope_image_filename=None,
+                              tablet_tech_id=None):
         """Record a single Fischerscope reading against a job.
 
         `job_id` is the canonical kwarg; `production_id` is accepted as an
         alias for older clients. The reading auto-links to an existing
         CoC certificate for the job when one exists.
         """
-        Reading = request.env.get('fp.thickness.reading')
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        Reading = env.get('fp.thickness.reading')
         if Reading is None:
             return {'ok': False, 'error': 'Certificates module not installed'}
         target_id = job_id or production_id
         if not target_id:
             return {'ok': False, 'error': 'job_id required'}
-        job = request.env['fp.job'].browse(int(target_id))
+        job = env['fp.job'].browse(int(target_id))
         if not job.exists():
             return {'ok': False, 'error': f'Job {target_id} not found'}
 
@@ -508,7 +529,7 @@ class FpShopfloorController(http.Controller):
             'ni_percent': float(ni_percent or 0.0),
             'p_percent': float(p_percent or 0.0),
             'position_label': position_label or '',
-            'operator_id': request.env.user.id,
+            'operator_id': env.user.id,
         }
 
         if equipment_model:
@@ -516,7 +537,7 @@ class FpShopfloorController(http.Controller):
         if calibration_std_ref:
             vals['calibration_std_ref'] = calibration_std_ref
         if microscope_image:
-            att = request.env['ir.attachment'].create({
+            att = env['ir.attachment'].create({
                 'name': microscope_image_filename or f'thickness_{reading_number}.jpg',
                 'datas': microscope_image,
                 'res_model': 'fp.thickness.reading',
@@ -525,7 +546,7 @@ class FpShopfloorController(http.Controller):
             vals['microscope_image_id'] = att.id
 
         # Auto-link to an existing CoC if there is one for this job.
-        Cert = request.env.get('fp.certificate')
+        Cert = env.get('fp.certificate')
         if Cert is not None:
             if 'x_fc_job_id' in Cert._fields:
                 cert_field = 'x_fc_job_id'
@@ -557,7 +578,8 @@ class FpShopfloorController(http.Controller):
                      part_ref=None, qty_on_hold=0, qty_original=0,
                      hold_reason='other', description=None,
                      mark_for_scrap=False, facility_id=None,
-                     work_center_id=None, current_process_node=None):
+                     work_center_id=None, current_process_node=None,
+                     tablet_tech_id=None):
         """Create a quality hold record, splitting qty from the original lot.
 
         The hold is linked to the fp.job and (when provided) the
@@ -566,7 +588,8 @@ class FpShopfloorController(http.Controller):
         if not qty_on_hold or int(qty_on_hold) <= 0:
             raise UserError("qty_on_hold must be a positive integer.")
 
-        Hold = request.env['fusion.plating.quality.hold']
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        Hold = env['fusion.plating.quality.hold']
 
         vals = {
             'part_ref': part_ref or '',
@@ -583,7 +606,7 @@ class FpShopfloorController(http.Controller):
         if work_center_id:
             vals['work_center_id'] = int(work_center_id)
         if portal_job_id:
-            pj = request.env['fusion.plating.portal.job'].browse(
+            pj = env['fusion.plating.portal.job'].browse(
                 int(portal_job_id),
             )
             if pj.exists():
@@ -594,7 +617,7 @@ class FpShopfloorController(http.Controller):
         # via fusion_plating_jobs (Phase 3) as `x_fc_job_id` / `x_fc_step_id`.
         step_target_id = step_id or workorder_id
         if step_target_id:
-            step = request.env['fp.job.step'].browse(int(step_target_id))
+            step = env['fp.job.step'].browse(int(step_target_id))
             if step.exists():
                 if 'x_fc_step_id' in Hold._fields:
                     vals['x_fc_step_id'] = step.id
@@ -605,7 +628,7 @@ class FpShopfloorController(http.Controller):
         # set it through the step.
         if (job_id and 'x_fc_job_id' in Hold._fields
                 and not vals.get('x_fc_job_id')):
-            j = request.env['fp.job'].browse(int(job_id))
+            j = env['fp.job'].browse(int(job_id))
             if j.exists():
                 vals['x_fc_job_id'] = j.id
 
@@ -995,8 +1018,9 @@ class FpShopfloorController(http.Controller):
     # Mark a first-piece gate result from the tablet
     # ----------------------------------------------------------------------
     @http.route('/fp/shopfloor/mark_gate', type='jsonrpc', auth='user')
-    def mark_gate(self, gate_id, result):
-        gate = request.env['fusion.plating.first.piece.gate'].browse(int(gate_id))
+    def mark_gate(self, gate_id, result, tablet_tech_id=None):
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        gate = env['fusion.plating.first.piece.gate'].browse(int(gate_id))
         if not gate.exists():
             return {'ok': False, 'error': 'Gate not found.'}
         try:
@@ -1084,21 +1108,23 @@ class FpShopfloorController(http.Controller):
     @http.route('/fp/shopfloor/plant_overview/move_card',
                 type='jsonrpc', auth='user')
     def plant_overview_move_card(self, card_id, source_model=None,
-                                 target_workcenter_id=None):
+                                 target_workcenter_id=None,
+                                 tablet_tech_id=None):
         """Move a step card to a different work centre (drag & drop).
 
         `source_model` is accepted for backward compatibility but ignored —
         Plant Overview now only ever serves fp.job.step cards. A target
         of 0 / falsy clears the work centre.
         """
-        Step = request.env['fp.job.step']
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
+        Step = env['fp.job.step']
         step = Step.browse(int(card_id))
         if not step.exists():
             return {'ok': False, 'error': f'Step {card_id} not found.'}
 
         wc_id = int(target_workcenter_id) if target_workcenter_id else False
         if wc_id:
-            wc = request.env['fp.work.centre'].browse(wc_id)
+            wc = env['fp.work.centre'].browse(wc_id)
             if not wc.exists():
                 return {'ok': False,
                         'error': f'Work centre {target_workcenter_id} not found.'}
@@ -1108,7 +1134,7 @@ class FpShopfloorController(http.Controller):
             _logger.info(
                 'Plant Overview: moved step %s (%s) → WC %s by uid %s',
                 step.id, step.name, wc_id or 'unassigned',
-                request.env.uid,
+                env.uid,
             )
         except Exception as exc:
             _logger.exception('Plant Overview move_card failed')

fusion_plating/fusion_plating_shopfloor/controllers/tablet_controller.py

@@ -0,0 +1,211 @@
+# -*- coding: utf-8 -*-
+# Copyright 2026 Nexa Systems Inc.
+# License OPL-1 (Odoo Proprietary License v1.0)
+# Part of the Fusion Plating product family.
+"""JSON-RPC endpoints for the tablet PIN gate (Phase 6 tablet redesign).
+
+  POST /fp/tablet/tiles            — list of tiles for the lock screen
+  POST /fp/tablet/unlock           — verify PIN + clear/increment failure counter
+  POST /fp/tablet/set_pin          — self-service set/change PIN
+  POST /fp/tablet/reset_pin_for    — manager-only reset of another user's PIN
+  POST /fp/tablet/ping             — bump server-side last-active timestamp
+
+Spec: docs/superpowers/specs/2026-05-22-shopfloor-pin-gate-design.md
+"""
+import logging
+from datetime import timedelta
+
+from odoo import _, fields, http
+from odoo.exceptions import UserError
+from odoo.http import request
+
+_logger = logging.getLogger(__name__)
+
+
+def _is_manager(env):
+    """True if calling user is in the fusion_plating manager group."""
+    return env.user.has_group('fusion_plating.group_fusion_plating_manager')
+
+
+class FpTabletController(http.Controller):
+    """Tablet PIN gate endpoints. All require an authenticated Odoo
+    session (the tablet logs in once as a 'shopfloor service' user).
+    """
+
+    # ======================================================================
+    # /fp/tablet/set_pin — self-service set or change
+    # ======================================================================
+    @http.route('/fp/tablet/set_pin', type='jsonrpc', auth='user')
+    def set_pin(self, new_pin, old_pin=None):
+        env = request.env
+        user = env.user
+        existing_hash = user.sudo().x_fc_tablet_pin_hash
+        if existing_hash:
+            if not old_pin:
+                return {'ok': False, 'error': _('Current PIN is required to change it.')}
+            if not user.verify_tablet_pin(old_pin):
+                return {'ok': False, 'error': _('Current PIN is incorrect.')}
+        try:
+            user.set_tablet_pin(new_pin)
+        except UserError as e:
+            return {'ok': False, 'error': str(e.args[0]) if e.args else str(e)}
+        _logger.info(
+            "Tablet PIN set/changed for uid %s by self", user.id,
+        )
+        return {'ok': True}
+
+    # ======================================================================
+    # /fp/tablet/reset_pin_for — manager-only
+    # ======================================================================
+    @http.route('/fp/tablet/reset_pin_for', type='jsonrpc', auth='user')
+    def reset_pin_for(self, user_id):
+        env = request.env
+        if not _is_manager(env):
+            _logger.warning(
+                "Non-manager uid %s attempted to reset PIN for user %s",
+                env.uid, user_id,
+            )
+            return {'ok': False, 'error': _('Manager privilege required.')}
+        target = env['res.users'].browse(int(user_id))
+        if not target.exists():
+            return {'ok': False, 'error': _('User not found.')}
+        target.clear_tablet_pin()
+        _logger.info(
+            "Tablet PIN reset for uid %s by manager uid %s",
+            target.id, env.uid,
+        )
+        return {'ok': True}
+
+    # ======================================================================
+    # /fp/tablet/unlock — verify PIN + manage failure counter / lockout
+    # ======================================================================
+    @http.route('/fp/tablet/unlock', type='jsonrpc', auth='user')
+    def unlock(self, user_id, pin):
+        env = request.env
+        Users = env['res.users'].sudo()  # need sudo to read hash field
+        target = Users.browse(int(user_id))
+        if not target.exists():
+            return {'ok': False, 'error': _('User not found.')}
+
+        # No PIN set yet — caller must set one first
+        if not target.x_fc_tablet_pin_hash:
+            return {
+                'ok': False,
+                'error': _('No PIN set. Set one in Preferences first.'),
+                'needs_setup': True,
+            }
+
+        # Currently locked out?
+        now = fields.Datetime.now()
+        if target.x_fc_tablet_locked_until and target.x_fc_tablet_locked_until > now:
+            return {
+                'ok': False,
+                'error': _('Account locked. Try again in a few minutes.'),
+                'locked_until': target.x_fc_tablet_locked_until.isoformat(),
+            }
+
+        if target.verify_tablet_pin(pin):
+            # Reset failure state on success
+            target.write({
+                'x_fc_tablet_pin_failed_count': 0,
+                'x_fc_tablet_locked_until': False,
+            })
+            _logger.info(
+                "Tablet unlocked by uid %s (session uid %s)",
+                target.id, env.uid,
+            )
+            return {
+                'ok': True,
+                'current_tech_id': target.id,
+                'current_tech_name': target.name,
+            }
+
+        # Wrong PIN — increment and check threshold
+        new_count = (target.x_fc_tablet_pin_failed_count or 0) + 1
+        threshold = int(env['ir.config_parameter'].sudo().get_param(
+            'fp.shopfloor.tablet_pin_fail_threshold', 5,
+        ))
+        lockout_min = int(env['ir.config_parameter'].sudo().get_param(
+            'fp.shopfloor.tablet_pin_fail_lockout_minutes', 5,
+        ))
+        vals = {'x_fc_tablet_pin_failed_count': new_count}
+        if new_count >= threshold:
+            vals['x_fc_tablet_locked_until'] = now + timedelta(minutes=lockout_min)
+        target.write(vals)
+        _logger.warning(
+            "Tablet PIN failure for uid %s (count=%d, locked=%s)",
+            target.id, new_count, bool(vals.get('x_fc_tablet_locked_until')),
+        )
+        if vals.get('x_fc_tablet_locked_until'):
+            return {
+                'ok': False,
+                'error': _('Too many failed attempts. Locked for %d minutes.') % lockout_min,
+                'locked_until': vals['x_fc_tablet_locked_until'].isoformat(),
+            }
+        return {
+            'ok': False,
+            'error': _('Incorrect PIN.'),
+            'attempts_remaining': threshold - new_count,
+        }
+
+    # ======================================================================
+    # /fp/tablet/tiles — lock-screen tile grid
+    # ======================================================================
+    @http.route('/fp/tablet/tiles', type='jsonrpc', auth='user')
+    def tiles(self, station_id=None):
+        env = request.env
+        op_group = env.ref(
+            'fusion_plating.group_fusion_plating_operator',
+            raise_if_not_found=False,
+        )
+        if not op_group:
+            return {'ok': False, 'error': 'operator group missing'}
+
+        # Determine candidate users — station roster wins if non-empty
+        users = op_group.user_ids
+        if station_id:
+            Station = env['fusion.plating.shopfloor.station']
+            station = Station.browse(int(station_id))
+            if (station.exists()
+                    and 'x_fc_authorised_user_ids' in station._fields
+                    and station.x_fc_authorised_user_ids):
+                users = station.x_fc_authorised_user_ids
+
+        # has_pin needs sudo-read on the hash field
+        clocked_ids = set()
+        if 'hr.employee' in env and hasattr(
+            env['hr.employee'], '_fp_clocked_in_user_ids',
+        ):
+            clocked_ids = env['hr.employee']._fp_clocked_in_user_ids() or set()
+
+        users_sorted = users.sorted('name')
+        users_sudo = users_sorted.sudo()
+        tiles = []
+        for u, u_sudo in zip(users_sorted, users_sudo):
+            tiles.append({
+                'user_id': u.id,
+                'name': u.name,
+                'avatar_url': f'/web/image/res.users/{u.id}/avatar_128',
+                'is_clocked_in': u.id in clocked_ids,
+                'has_pin': bool(u_sudo.x_fc_tablet_pin_hash),
+            })
+        # Clocked-in first, then alphabetical within bucket
+        tiles.sort(key=lambda t: (not t['is_clocked_in'], t['name']))
+        return {'ok': True, 'tiles': tiles}
+
+    # ======================================================================
+    # /fp/tablet/ping — heartbeat used by the OWL component on every action
+    # ======================================================================
+    @http.route('/fp/tablet/ping', type='jsonrpc', auth='user')
+    def ping(self, current_tech_id=None):
+        """Lightweight heartbeat. Used by the OWL component to confirm
+        the server-side session is alive AND to log the tech-of-record
+        every few minutes so the server has forensic visibility into
+        which tech was 'driving' the tablet at any moment.
+        """
+        if current_tech_id:
+            _logger.debug(
+                "Tablet ping: session uid %s carrying tablet_tech_id=%s",
+                request.env.uid, current_tech_id,
+            )
+        return {'ok': True, 'server_time': fields.Datetime.now().isoformat()}

fusion_plating/fusion_plating_shopfloor/controllers/workspace_controller.py

@@ -23,6 +23,8 @@ from odoo import fields, http
 from odoo.addons.fusion_plating.models.fp_tz import fp_format
 from odoo.http import request
 
+from ._tablet_audit import env_for_tablet_tech
+
 _logger = logging.getLogger(__name__)
 
 
@@ -190,8 +192,8 @@ class FpWorkspaceController(http.Controller):
     @http.route('/fp/workspace/hold', type='jsonrpc', auth='user')
     def hold(self, job_id, reason='other', qty_on_hold=1, description='',
              part_ref='', step_id=None, mark_for_scrap=False,
-             photo_data=None, photo_filename=None):
-        env = request.env
+             photo_data=None, photo_filename=None, tablet_tech_id=None):
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
         job = env['fp.job'].browse(int(job_id))
         if not job.exists():
             return {'ok': False, 'error': f'Job {job_id} not found'}
@@ -253,8 +255,8 @@ class FpWorkspaceController(http.Controller):
     # /fp/workspace/sign_off — capture signature + finish step atomically
     # ======================================================================
     @http.route('/fp/workspace/sign_off', type='jsonrpc', auth='user')
-    def sign_off(self, step_id, signature_data_uri):
-        env = request.env
+    def sign_off(self, step_id, signature_data_uri, tablet_tech_id=None):
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
         sig = (signature_data_uri or '').strip()
         if not sig:
             _logger.warning("workspace/sign_off: empty signature for step %s", step_id)
@@ -302,8 +304,8 @@ class FpWorkspaceController(http.Controller):
     # /fp/workspace/advance_milestone — fire next_milestone_action
     # ======================================================================
     @http.route('/fp/workspace/advance_milestone', type='jsonrpc', auth='user')
-    def advance_milestone(self, job_id):
-        env = request.env
+    def advance_milestone(self, job_id, tablet_tech_id=None):
+        env = env_for_tablet_tech(request.env, tablet_tech_id)
         job = env['fp.job'].browse(int(job_id))
         if not job.exists():
             return {'ok': False, 'error': f'Job {job_id} not found'}

fusion_plating/fusion_plating_shopfloor/data/fp_tablet_config_data.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+    Copyright 2026 Nexa Systems Inc.
+    License OPL-1 (Odoo Proprietary License v1.0)
+
+    Phase 6 tablet PIN gate — default knobs.
+    All overridable via Settings → Technical → Parameters → System Parameters.
+-->
+<odoo noupdate="1">
+
+    <record id="ir_config_param_tablet_idle_lock_minutes" model="ir.config_parameter">
+        <field name="key">fp.shopfloor.tablet_idle_lock_minutes</field>
+        <field name="value">5</field>
+    </record>
+
+    <record id="ir_config_param_tablet_pin_fail_threshold" model="ir.config_parameter">
+        <field name="key">fp.shopfloor.tablet_pin_fail_threshold</field>
+        <field name="value">5</field>
+    </record>
+
+    <record id="ir_config_param_tablet_pin_fail_lockout_minutes" model="ir.config_parameter">
+        <field name="key">fp.shopfloor.tablet_pin_fail_lockout_minutes</field>
+        <field name="value">5</field>
+    </record>
+
+    <record id="ir_config_param_tablet_warn_seconds_before_lock" model="ir.config_parameter">
+        <field name="key">fp.shopfloor.tablet_warn_seconds_before_lock</field>
+        <field name="value">30</field>
+    </record>
+
+</odoo>

fusion_plating/fusion_plating_shopfloor/models/__init__.py

@@ -8,3 +8,4 @@ from . import fp_bake_window
 from . import fp_first_piece_gate
 from . import fp_operator_queue
 from . import fp_tank
+from . import res_users

fusion_plating/fusion_plating_shopfloor/models/fp_shopfloor_station.py

@@ -73,6 +73,26 @@ class FpShopfloorStation(models.Model):
         string='Notes',
     )
 
+    # Phase 6 tablet PIN gate — per-station roster + idle override.
+    x_fc_authorised_user_ids = fields.Many2many(
+        'res.users',
+        relation='fp_shopfloor_station_authorised_user_rel',
+        column1='station_id',
+        column2='user_id',
+        string='Authorised Operators',
+        help='If set, the tablet lock screen only shows tiles for these '
+             'users. Empty = all operator-group users are shown. Use to '
+             'restrict a tablet at a specialised station (e.g. EN Plating) '
+             'to techs trained on that station.',
+    )
+    x_fc_idle_lock_minutes = fields.Integer(
+        string='Idle Lock (minutes)',
+        help='Per-station override for the auto-lock idle threshold. '
+             'Leave blank to use the global default '
+             '(ir.config_parameter fp.shopfloor.tablet_idle_lock_minutes, '
+             'default 5).',
+    )
+
     _sql_constraints = [
         (
             'fp_shopfloor_station_code_uniq',

fusion_plating/fusion_plating_shopfloor/models/res_users.py

@@ -0,0 +1,128 @@
+# -*- coding: utf-8 -*-
+# Copyright 2026 Nexa Systems Inc.
+# License OPL-1 (Odoo Proprietary License v1.0)
+# Part of the Fusion Plating product family.
+"""Tablet-PIN extensions on res.users (Phase 6 tablet redesign).
+
+Adds the 4-digit PIN gate fields + helpers used by /fp/tablet/* endpoints
+and the FpTabletLock OWL component. PIN is stored as a salted PBKDF2-SHA256
+hash; never plaintext.
+"""
+import hashlib
+import secrets
+
+from odoo import _, fields, models
+from odoo.exceptions import UserError
+
+# PBKDF2 iteration count. ~50ms verify on entech-class hardware. Safe
+# against brute-force even if the DB leaks.
+_PBKDF2_ITERATIONS = 200_000
+
+
+class ResUsers(models.Model):
+    _inherit = 'res.users'
+
+    x_fc_tablet_pin_hash = fields.Char(
+        string='Tablet PIN (hashed)',
+        groups='fusion_plating.group_fusion_plating_manager',
+        help='PBKDF2-SHA256 hash + salt of the user\'s 4-digit tablet '
+             'PIN. Format: <salt_hex>$<digest_hex>. Never readable to '
+             'non-managers; never logged.',
+    )
+    x_fc_tablet_pin_set_date = fields.Datetime(
+        string='Tablet PIN Set Date',
+        help='When the current PIN was last set or changed.',
+    )
+    x_fc_tablet_pin_failed_count = fields.Integer(
+        string='Failed PIN Attempts',
+        default=0,
+        help='Sequential failed unlock attempts since the last success. '
+             'Resets to 0 on a correct PIN.',
+    )
+    x_fc_tablet_locked_until = fields.Datetime(
+        string='Tablet Lockout Until',
+        help='Wall-clock time at which the per-user lockout expires. '
+             'Null when not locked. Set after the configured fail '
+             'threshold (default 5) is reached.',
+    )
+
+    @staticmethod
+    def _hash_tablet_pin(pin, salt=None):
+        """Hash `pin` with optional salt. Returns "salt_hex$digest_hex"."""
+        if salt is None:
+            salt = secrets.token_bytes(16)
+        digest = hashlib.pbkdf2_hmac(
+            'sha256', pin.encode('utf-8'), salt, _PBKDF2_ITERATIONS,
+        )
+        return f"{salt.hex()}${digest.hex()}"
+
+    @staticmethod
+    def _verify_tablet_pin_hash(pin, stored):
+        """Constant-time verify of `pin` against a stored hash string."""
+        if not stored or '$' not in stored:
+            return False
+        salt_hex, expected_hex = stored.split('$', 1)
+        try:
+            salt = bytes.fromhex(salt_hex)
+        except ValueError:
+            return False
+        digest = hashlib.pbkdf2_hmac(
+            'sha256', pin.encode('utf-8'), salt, _PBKDF2_ITERATIONS,
+        )
+        return secrets.compare_digest(digest.hex(), expected_hex)
+
+    def set_tablet_pin(self, pin):
+        """Set or change this user's tablet PIN. Requires sudo OR self.
+
+        Caller is responsible for verifying the OLD pin separately if a
+        hash already exists — this method just writes the new one.
+        """
+        self.ensure_one()
+        if not pin or not pin.isdigit() or len(pin) != 4:
+            raise UserError(_('Tablet PIN must be exactly 4 digits.'))
+        self.sudo().write({
+            'x_fc_tablet_pin_hash': self._hash_tablet_pin(pin),
+            'x_fc_tablet_pin_set_date': fields.Datetime.now(),
+            'x_fc_tablet_pin_failed_count': 0,
+            'x_fc_tablet_locked_until': False,
+        })
+        return True
+
+    def verify_tablet_pin(self, pin):
+        """Return True if `pin` matches this user's stored hash."""
+        self.ensure_one()
+        if not pin:
+            return False
+        # sudo: even non-manager callers may need to verify their OWN PIN.
+        # The hash field has manager-only read; sudo bypasses that.
+        return self._verify_tablet_pin_hash(pin, self.sudo().x_fc_tablet_pin_hash)
+
+    def clear_tablet_pin(self):
+        """Manager-side reset. Clears hash so target must set a new PIN.
+        Posts to chatter for audit.
+        """
+        self.ensure_one()
+        manager_name = self.env.user.name
+        self.sudo().write({
+            'x_fc_tablet_pin_hash': False,
+            'x_fc_tablet_pin_set_date': False,
+            'x_fc_tablet_pin_failed_count': 0,
+            'x_fc_tablet_locked_until': False,
+        })
+        self.message_post(
+            body=_('Tablet PIN reset by %s. User must set a new PIN '
+                   'on next unlock attempt.') % manager_name,
+        )
+        return True
+
+    def action_open_tablet_pin_setup(self):
+        """Trigger the FpPinSetup OWL modal from the Preferences form.
+        The Phase 6.2 OWL component intercepts this action tag.
+        """
+        self.ensure_one()
+        return {
+            'type': 'ir.actions.client',
+            'tag': 'fp_tablet_pin_setup',
+            'name': 'Set Tablet PIN',
+            'target': 'new',
+        }

fusion_plating/fusion_plating_shopfloor/static/src/js/components/hold_composer.js

@@ -14,7 +14,7 @@
 
 import { Component, useState } from "@odoo/owl";
 import { Dialog } from "@web/core/dialog/dialog";
-import { rpc } from "@web/core/network/rpc";
+import { fpRpc } from "../services/fp_rpc";
 import { useService } from "@web/core/utils/hooks";
 
 // Hold reasons kept here so the picker doesn't need a server roundtrip.
@@ -75,7 +75,7 @@ export class FpHoldComposer extends Component {
         }
         this.state.submitting = true;
         try {
-            const res = await rpc("/fp/workspace/hold", {
+            const res = await fpRpc("/fp/workspace/hold", {
                 job_id: this.props.jobId,
                 step_id: this.props.stepId || null,
                 part_ref: this.props.partRef || "",

fusion_plating/fusion_plating_shopfloor/static/src/js/components/idle_warning.js

@@ -0,0 +1,18 @@
+/** @odoo-module **/
+// =============================================================================
+// Fusion Plating — FpIdleWarning (shared OWL service)
+//
+// Yellow-border overlay + countdown toast shown during the last
+// (default 30) seconds before auto-lock. Any pointer/touch event on
+// the document elsewhere resets the activity tracker, which causes
+// this component's parent (FpTabletLock) to hide the warning.
+// =============================================================================
+
+import { Component } from "@odoo/owl";
+
+export class FpIdleWarning extends Component {
+    static template = "fusion_plating_shopfloor.IdleWarning";
+    static props = {
+        secondsRemaining: { type: Number },
+    };
+}

fusion_plating/fusion_plating_shopfloor/static/src/js/components/pin_pad.js

@@ -0,0 +1,72 @@
+/** @odoo-module **/
+// =============================================================================
+// Fusion Plating — FpPinPad (shared OWL service)
+//
+// Numeric 4-digit PIN pad. Auto-submits on the 4th digit via onSubmit
+// callback. Used by FpTabletLock unlock flow AND FpPinSetup change flow.
+//
+// Props:
+//   onSubmit       : (pin: string) => Promise<{ok: boolean, error?: string}>
+//   title          : optional header text
+//   subtitle       : optional smaller text
+//   onCancel       : optional cancel callback (e.g. close modal)
+// =============================================================================
+
+import { Component, useState } from "@odoo/owl";
+
+export class FpPinPad extends Component {
+    static template = "fusion_plating_shopfloor.PinPad";
+    static props = {
+        onSubmit: { type: Function },
+        title: { type: String, optional: true },
+        subtitle: { type: String, optional: true },
+        onCancel: { type: Function, optional: true },
+    };
+
+    setup() {
+        this.state = useState({
+            pin: "",
+            submitting: false,
+            error: "",
+            shake: false,
+        });
+    }
+
+    async _press(digit) {
+        if (this.state.submitting) return;
+        if (this.state.pin.length >= 4) return;
+        this.state.pin = this.state.pin + digit;
+        this.state.error = "";
+        if (this.state.pin.length === 4) {
+            await this._submit();
+        }
+    }
+
+    _clear() {
+        this.state.pin = "";
+        this.state.error = "";
+    }
+
+    async _submit() {
+        this.state.submitting = true;
+        try {
+            const result = await this.props.onSubmit(this.state.pin);
+            if (result && !result.ok) {
+                this.state.error = result.error || "Incorrect PIN";
+                this.state.shake = true;
+                setTimeout(() => { this.state.shake = false; }, 400);
+                this.state.pin = "";
+            }
+        } catch (err) {
+            this.state.error = err.message || String(err);
+            this.state.pin = "";
+        } finally {
+            this.state.submitting = false;
+        }
+    }
+
+    get dots() {
+        // Render 4 dot slots: filled if typed, empty otherwise
+        return [0, 1, 2, 3].map((i) => this.state.pin.length > i);
+    }
+}

fusion_plating/fusion_plating_shopfloor/static/src/js/components/pin_setup.js

@@ -0,0 +1,97 @@
+/** @odoo-module **/
+// =============================================================================
+// Fusion Plating — FpPinSetup (client action `fp_tablet_pin_setup`)
+//
+// Modal flow for setting OR changing the user's tablet PIN. Triggered
+// from res.users preferences via action_open_tablet_pin_setup. Three
+// stages: (1) old PIN (only if has_pin), (2) new PIN, (3) confirm new.
+// =============================================================================
+
+import { Component, useState, onMounted } from "@odoo/owl";
+import { rpc } from "@web/core/network/rpc";
+import { registry } from "@web/core/registry";
+import { useService } from "@web/core/utils/hooks";
+import { user } from "@web/core/user";
+import { FpPinPad } from "./pin_pad";
+
+export class FpPinSetup extends Component {
+    static template = "fusion_plating_shopfloor.PinSetup";
+    static components = { FpPinPad };
+    static props = ["*"];
+
+    setup() {
+        this.notification = useService("notification");
+        this.action = useService("action");
+        this.state = useState({
+            stage: "loading",   // 'loading' | 'old' | 'new' | 'confirm' | 'done'
+            newPin: "",
+            hasExistingPin: false,
+        });
+        onMounted(() => this._init());
+    }
+
+    async _init() {
+        // Cheap probe: search_count on the user's own record filtered
+        // by pin_set_date. Non-manager users can read their own set_date
+        // (not the hash). If the count is 1, they have a PIN; 0 = no PIN.
+        try {
+            const has = await rpc("/web/dataset/call_kw", {
+                model: "res.users",
+                method: "search_count",
+                args: [[
+                    ["id", "=", user.userId],
+                    ["x_fc_tablet_pin_set_date", "!=", false],
+                ]],
+                kwargs: {},
+            });
+            this.state.hasExistingPin = has > 0;
+        } catch (e) {
+            this.state.hasExistingPin = false;
+        }
+        this.state.stage = this.state.hasExistingPin ? "old" : "new";
+    }
+
+    async onOldPinSubmit(pin) {
+        // Stash for the final call; set_pin verifies it server-side
+        this._oldPin = pin;
+        this.state.stage = "new";
+        return { ok: true };
+    }
+
+    async onNewPinSubmit(pin) {
+        this.state.newPin = pin;
+        this.state.stage = "confirm";
+        return { ok: true };
+    }
+
+    async onConfirmPinSubmit(pin) {
+        if (pin !== this.state.newPin) {
+            return { ok: false, error: "PINs don't match. Try again." };
+        }
+        const params = { new_pin: this.state.newPin };
+        if (this._oldPin) params.old_pin = this._oldPin;
+        const res = await rpc("/fp/tablet/set_pin", params);
+        if (res && res.ok) {
+            this.notification.add("Tablet PIN updated.", { type: "success" });
+            this.state.stage = "done";
+            setTimeout(() => this._close(), 1500);
+            return { ok: true };
+        }
+        // Reset back to start on hard error so user can retry cleanly
+        this.notification.add((res && res.error) || "Failed to set PIN", { type: "danger" });
+        this._oldPin = null;
+        this.state.newPin = "";
+        this.state.stage = this.state.hasExistingPin ? "old" : "new";
+        return { ok: false, error: (res && res.error) || "Failed" };
+    }
+
+    _close() {
+        this.action.doAction({ type: "ir.actions.act_window_close" });
+    }
+
+    onCancel() {
+        this._close();
+    }
+}
+
+registry.category("actions").add("fp_tablet_pin_setup", FpPinSetup);

fusion_plating/fusion_plating_shopfloor/static/src/js/job_workspace.js

@@ -20,21 +20,24 @@
 import { Component, useState, onMounted, onWillUnmount } from "@odoo/owl";
 import { registry } from "@web/core/registry";
 import { rpc } from "@web/core/network/rpc";
+import { fpRpc } from "./services/fp_rpc";
 import { useService } from "@web/core/utils/hooks";
 import { WorkflowChip } from "./components/workflow_chip";
 import { GateViz } from "./components/gate_viz";
 import { FpSignaturePad } from "./components/signature_pad";
 import { FpHoldComposer } from "./components/hold_composer";
+import { FpTabletLock } from "./tablet_lock";
 
 export class FpJobWorkspace extends Component {
     static template = "fusion_plating_shopfloor.JobWorkspace";
     static props = ["*"];
-    static components = { WorkflowChip, GateViz, FpSignaturePad, FpHoldComposer };
+    static components = { WorkflowChip, GateViz, FpSignaturePad, FpHoldComposer, FpTabletLock };
 
     setup() {
         this.notification = useService("notification");
         this.action = useService("action");
         this.dialog = useService("dialog");
+        this.techStore = useService("fp_shopfloor_tech_store");
 
         this.state = useState({
             data: null,
@@ -76,6 +79,11 @@ export class FpJobWorkspace extends Component {
         this.action.doAction({ type: "ir.actions.act_window_close" });
     }
 
+    // ---- Hand-Off (Phase 6.2) ---------------------------------------------
+    handOff() {
+        this.techStore.lock();
+    }
+
     onJumpToBlocker({ model, id }) {
         // If the predecessor is in this same workspace, just scroll to it
         const inThisJob = (this.state.data.steps || []).find((s) => s.id === id);
@@ -109,7 +117,7 @@ export class FpJobWorkspace extends Component {
     // ---- Step actions ------------------------------------------------------
     async onStartStep(stepId) {
         try {
-            const res = await rpc("/fp/shopfloor/start_wo", { workorder_id: stepId });
+            const res = await fpRpc("/fp/shopfloor/start_wo", { workorder_id: stepId });
             if (res && res.ok) {
                 this.notification.add("Step started.", { type: "success" });
                 await this.refresh();
@@ -128,7 +136,7 @@ export class FpJobWorkspace extends Component {
                 contextLabel: `${this.state.data.job.display_wo_name} · Step ${step.sequence_display}: ${step.name}`,
                 onSubmit: async (dataUri) => {
                     try {
-                        const res = await rpc("/fp/workspace/sign_off", {
+                        const res = await fpRpc("/fp/workspace/sign_off", {
                             step_id: step.id,
                             signature_data_uri: dataUri,
                         });
@@ -147,7 +155,7 @@ export class FpJobWorkspace extends Component {
         }
         // Plain finish — no signature required
         try {
-            const res = await rpc("/fp/shopfloor/stop_wo", {
+            const res = await fpRpc("/fp/shopfloor/stop_wo", {
                 workorder_id: step.id, finish: true,
             });
             if (res && res.ok) {
@@ -194,7 +202,7 @@ export class FpJobWorkspace extends Component {
 
     async onAdvanceMilestone() {
         try {
-            const res = await rpc("/fp/workspace/advance_milestone", {
+            const res = await fpRpc("/fp/workspace/advance_milestone", {
                 job_id: this.state.jobId,
             });
             if (res && res.ok) {

fusion_plating/fusion_plating_shopfloor/static/src/js/manager_dashboard.js

@@ -15,17 +15,20 @@
 import { Component, useState, onMounted, onWillUnmount } from "@odoo/owl";
 import { registry } from "@web/core/registry";
 import { rpc } from "@web/core/network/rpc";
+import { fpRpc } from "./services/fp_rpc";
 import { useService } from "@web/core/utils/hooks";
 import { QrScanner } from "./qr_scanner";
+import { FpTabletLock } from "./tablet_lock";
 
 export class ManagerDashboard extends Component {
     static template = "fusion_plating_shopfloor.ManagerDashboard";
     static props = ["*"];
-    static components = { QrScanner };
+    static components = { QrScanner, FpTabletLock };
 
     setup() {
         this.notification = useService("notification");
         this.action = useService("action");
+        this.techStore = useService("fp_shopfloor_tech_store");
 
         this.state = useState({
             overview: null,
@@ -148,6 +151,11 @@ export class ManagerDashboard extends Component {
         this.state.mode = this.state.mode === "quick" ? "detailed" : "quick";
     }
 
+    // ---- Hand-Off (Phase 6.2) ---------------------------------------------
+    handOff() {
+        this.techStore.lock();
+    }
+
     toggleCard(jobId) {
         this.state.expandedJobId = this.state.expandedJobId === jobId ? null : jobId;
     }
@@ -201,7 +209,7 @@ export class ManagerDashboard extends Component {
     async onAssignWorker(step, userIdRaw) {
         const userId = parseInt(userIdRaw) || null;
         try {
-            const res = await rpc("/fp/manager/assign_worker", {
+            const res = await fpRpc("/fp/manager/assign_worker", {
                 step_id: step.id, user_id: userId,
             });
             if (res && res.ok) {
@@ -219,7 +227,7 @@ export class ManagerDashboard extends Component {
     async onAssignTank(step, tankIdRaw) {
         const tankId = parseInt(tankIdRaw) || null;
         try {
-            const res = await rpc("/fp/manager/assign_tank", {
+            const res = await fpRpc("/fp/manager/assign_tank", {
                 step_id: step.id, tank_id: tankId,
             });
             if (res && res.ok) {
@@ -236,7 +244,7 @@ export class ManagerDashboard extends Component {
 
     async onTakeOver(step) {
         try {
-            const res = await rpc("/fp/manager/take_over", {
+            const res = await fpRpc("/fp/manager/take_over", {
                 step_id: step.id,
             });
             if (res && res.ok) {

fusion_plating/fusion_plating_shopfloor/static/src/js/services/activity_tracker.js

@@ -0,0 +1,73 @@
+/** @odoo-module **/
+// =============================================================================
+// Fusion Plating — Activity Tracker (shared OWL service)
+//
+// Watches the document for pointer/touch/keydown/visibility events and
+// tracks lastActiveAt. FpTabletLock reads getSecondsUntilLock() once per
+// second to drive the idle warning + auto-lock transitions.
+//
+// Threshold reads from ir.config_parameter at service start; refreshes
+// every 5 min in case the manager changed it.
+// =============================================================================
+
+import { rpc } from "@web/core/network/rpc";
+import { registry } from "@web/core/registry";
+
+const DEFAULT_IDLE_MIN = 5;
+const DEFAULT_WARN_SEC = 30;
+
+export const fpShopfloorActivityTracker = {
+    async start() {
+        let lastActiveAt = Date.now();
+        let idleThresholdMs = DEFAULT_IDLE_MIN * 60 * 1000;
+        let warnThresholdSec = DEFAULT_WARN_SEC;
+
+        async function refreshThreshold() {
+            try {
+                const minutes = await rpc("/web/dataset/call_kw", {
+                    model: "ir.config_parameter",
+                    method: "get_param",
+                    args: ["fp.shopfloor.tablet_idle_lock_minutes", String(DEFAULT_IDLE_MIN)],
+                    kwargs: {},
+                });
+                idleThresholdMs = (parseInt(minutes, 10) || DEFAULT_IDLE_MIN) * 60 * 1000;
+                const warn = await rpc("/web/dataset/call_kw", {
+                    model: "ir.config_parameter",
+                    method: "get_param",
+                    args: ["fp.shopfloor.tablet_warn_seconds_before_lock", String(DEFAULT_WARN_SEC)],
+                    kwargs: {},
+                });
+                warnThresholdSec = parseInt(warn, 10) || DEFAULT_WARN_SEC;
+            } catch (e) {
+                // keep defaults if RPC fails (e.g. no session yet)
+            }
+        }
+        await refreshThreshold();
+        setInterval(refreshThreshold, 5 * 60 * 1000);
+
+        // Activity = explicit user input. Mouse-move alone DOES NOT count
+        // because something brushing the screen (a stray glove, a tool
+        // resting on the tablet) could otherwise keep the session alive.
+        const bump = () => { lastActiveAt = Date.now(); };
+        document.addEventListener("pointerdown", bump, { capture: true });
+        document.addEventListener("touchstart", bump, { capture: true, passive: true });
+        document.addEventListener("keydown", bump, { capture: true });
+        document.addEventListener("visibilitychange", () => {
+            if (document.visibilityState === "visible") bump();
+        });
+
+        return {
+            bump,
+            getSecondsUntilLock() {
+                return Math.max(0, Math.floor((lastActiveAt + idleThresholdMs - Date.now()) / 1000));
+            },
+            getWarnThresholdSec() { return warnThresholdSec; },
+            getIdleThresholdMs() { return idleThresholdMs; },
+            getLastActiveAt() { return lastActiveAt; },
+        };
+    },
+};
+
+registry
+    .category("services")
+    .add("fp_shopfloor_activity", fpShopfloorActivityTracker);

fusion_plating/fusion_plating_shopfloor/static/src/js/services/fp_rpc.js

@@ -0,0 +1,42 @@
+/** @odoo-module **/
+// =============================================================================
+// Fusion Plating — fpRpc() wrapper
+//
+// Drop-in replacement for the standard `rpc()` import. Automatically
+// injects the current tablet_tech_id from the tech_store into every
+// call, so server-side endpoints can attribute the action to the right
+// user via env.with_user() (see env_for_tablet_tech in
+// controllers/_tablet_audit.py).
+//
+// USE for any RPC that WRITES (start step, finish step, hold create,
+// sign-off, milestone advance). For read-only loads (kanban, workspace
+// load, manager funnel), plain rpc() is fine.
+//
+// Example:
+//   import { fpRpc } from "../services/fp_rpc";
+//   await fpRpc("/fp/shopfloor/start_wo", { workorder_id: stepId });
+//
+// =============================================================================
+
+import { rpc as baseRpc } from "@web/core/network/rpc";
+
+function _getTechStore() {
+    // Lazy-resolve via the global debug API — avoids circular service init
+    try {
+        const env = odoo.__WOWL_DEBUG__?.root?.env;
+        if (env && env.services && env.services.fp_shopfloor_tech_store) {
+            return env.services.fp_shopfloor_tech_store;
+        }
+    } catch (e) {
+        // ignore
+    }
+    return null;
+}
+
+export function fpRpc(url, params = {}) {
+    const techStore = _getTechStore();
+    if (techStore && techStore.currentTechId) {
+        params = { ...params, tablet_tech_id: techStore.currentTechId };
+    }
+    return baseRpc(url, params);
+}

fusion_plating/fusion_plating_shopfloor/static/src/js/services/tech_store.js

@@ -0,0 +1,42 @@
+/** @odoo-module **/
+// =============================================================================
+// Fusion Plating — Tech Store (shared OWL service)
+//
+// Holds the "current tech of record" for the locked tablet. Set by
+// FpTabletLock on successful PIN unlock; cleared on auto-lock / Hand-Off.
+// Other components read currentTechId via useService("fp_shopfloor_tech_store")
+// and pass it through fpRpc() so server actions credit the right user.
+// =============================================================================
+
+import { reactive } from "@odoo/owl";
+import { registry } from "@web/core/registry";
+
+export const fpShopfloorTechStore = {
+    start() {
+        const state = reactive({
+            currentTechId: null,
+            currentTechName: "",
+            lockedAt: null,
+        });
+        return {
+            get currentTechId() { return state.currentTechId; },
+            get currentTechName() { return state.currentTechName; },
+            get isLocked() { return !state.currentTechId; },
+            setTech(id, name) {
+                state.currentTechId = id;
+                state.currentTechName = name;
+                state.lockedAt = null;
+            },
+            lock() {
+                state.currentTechId = null;
+                state.currentTechName = "";
+                state.lockedAt = Date.now();
+            },
+            state,  // exposed for OWL reactive subscriptions
+        };
+    },
+};
+
+registry
+    .category("services")
+    .add("fp_shopfloor_tech_store", fpShopfloorTechStore);

fusion_plating/fusion_plating_shopfloor/static/src/js/shopfloor_landing.js

@@ -20,9 +20,11 @@
 import { Component, useState, onMounted, onWillUnmount } from "@odoo/owl";
 import { registry } from "@web/core/registry";
 import { rpc } from "@web/core/network/rpc";
+import { fpRpc } from "./services/fp_rpc";
 import { useService } from "@web/core/utils/hooks";
 import { QrScanner } from "./qr_scanner";
 import { FpKanbanCard } from "./components/kanban_card";
+import { FpTabletLock } from "./tablet_lock";
 
 const LS_STATION_ID = "fp_landing_station_id";
 const LS_MODE = "fp_landing_mode";
@@ -31,11 +33,12 @@ const REFRESH_MS = 15000;
 export class FpShopfloorLanding extends Component {
     static template = "fusion_plating_shopfloor.ShopfloorLanding";
     static props = ["*"];
-    static components = { QrScanner, FpKanbanCard };
+    static components = { QrScanner, FpKanbanCard, FpTabletLock };
 
     setup() {
         this.notification = useService("notification");
         this.action = useService("action");
+        this.techStore = useService("fp_shopfloor_tech_store");
 
         this.state = useState({
             mode: localStorage.getItem(LS_MODE) || "all_plant",
@@ -120,6 +123,12 @@ export class FpShopfloorLanding extends Component {
         this.refresh();
     }
 
+    // ---- Hand-Off (Phase 6.2) ---------------------------------------------
+    handOff() {
+        // Tech walking away: lock the tablet so the next operator must PIN in
+        this.techStore.lock();
+    }
+
     // ---- Search ------------------------------------------------------------
     onSearchInput(ev) {
         this.state.search = ev.target.value;
@@ -246,7 +255,7 @@ export class FpShopfloorLanding extends Component {
         this._movesInFlight += 1;
         this._lastDropAt = Date.now();
         try {
-            const res = await rpc("/fp/shopfloor/plant_overview/move_card", {
+            const res = await fpRpc("/fp/shopfloor/plant_overview/move_card", {
                 card_id: dragged.id,
                 target_workcenter_id: col.work_center_id,
             });

fusion_plating/fusion_plating_shopfloor/static/src/js/tablet_lock.js

@@ -0,0 +1,135 @@
+/** @odoo-module **/
+// =============================================================================
+// Fusion Plating — FpTabletLock (top-level wrapper)
+//
+// Mounted by Landing / Workspace / Manager Dashboard as their outermost
+// element. Renders the lock screen (tile grid + PIN pad) when no tech
+// is signed in; renders <t t-slot="default"/> (the wrapped client
+// action) otherwise. Also drives the auto-lock countdown + idle warning.
+//
+// Usage in a parent template:
+//
+//   <FpTabletLock>
+//     <t t-set-slot="default">
+//       <div class="o_fp_landing">  ...your existing tree...  </div>
+//     </t>
+//   </FpTabletLock>
+//
+// =============================================================================
+
+import { Component, useState, onMounted, onWillUnmount } from "@odoo/owl";
+import { rpc } from "@web/core/network/rpc";
+import { useService } from "@web/core/utils/hooks";
+import { FpPinPad } from "./components/pin_pad";
+import { FpIdleWarning } from "./components/idle_warning";
+
+export class FpTabletLock extends Component {
+    static template = "fusion_plating_shopfloor.TabletLock";
+    static components = { FpPinPad, FpIdleWarning };
+    static props = {
+        slots: { type: Object, optional: true },
+    };
+
+    setup() {
+        this.techStore = useService("fp_shopfloor_tech_store");
+        this.activity = useService("fp_shopfloor_activity");
+        this.notification = useService("notification");
+
+        this.state = useState({
+            tiles: [],
+            selectedTileUserId: null,
+            idleSecondsRemaining: null,
+            loadingTiles: false,
+        });
+
+        onMounted(async () => {
+            await this._loadTiles();
+            this._tick = setInterval(() => this._checkIdle(), 1000);
+            // Heartbeat ping every 60s — for forensic visibility
+            this._ping = setInterval(() => {
+                if (this.techStore.currentTechId) {
+                    rpc("/fp/tablet/ping", { current_tech_id: this.techStore.currentTechId })
+                        .catch(() => {});
+                }
+            }, 60000);
+        });
+
+        onWillUnmount(() => {
+            if (this._tick) clearInterval(this._tick);
+            if (this._ping) clearInterval(this._ping);
+        });
+    }
+
+    get isLocked() {
+        return this.techStore.isLocked;
+    }
+
+    async _loadTiles() {
+        this.state.loadingTiles = true;
+        try {
+            const stationId = parseInt(localStorage.getItem("fp_landing_station_id")) || null;
+            const res = await rpc("/fp/tablet/tiles", { station_id: stationId });
+            if (res && res.ok) {
+                this.state.tiles = res.tiles;
+            }
+        } catch (err) {
+            // Quiet fail — tile grid stays empty; user gets prompted
+        } finally {
+            this.state.loadingTiles = false;
+        }
+    }
+
+    _checkIdle() {
+        if (!this.techStore.currentTechId) {
+            this.state.idleSecondsRemaining = null;
+            return;
+        }
+        const remaining = this.activity.getSecondsUntilLock();
+        const warnThreshold = this.activity.getWarnThresholdSec();
+        if (remaining <= 0) {
+            this.handOff();
+        } else if (remaining <= warnThreshold) {
+            this.state.idleSecondsRemaining = remaining;
+        } else if (this.state.idleSecondsRemaining !== null) {
+            this.state.idleSecondsRemaining = null;
+        }
+    }
+
+    onTileClick(userId) {
+        this.state.selectedTileUserId = userId;
+    }
+
+    _selectedTileName() {
+        const tile = this.state.tiles.find(t => t.user_id === this.state.selectedTileUserId);
+        return tile ? tile.name : "";
+    }
+
+    async unlock(pin) {
+        try {
+            const res = await rpc("/fp/tablet/unlock", {
+                user_id: this.state.selectedTileUserId,
+                pin,
+            });
+            if (res && res.ok) {
+                this.techStore.setTech(res.current_tech_id, res.current_tech_name);
+                this.activity.bump();
+                this.state.selectedTileUserId = null;
+                return { ok: true };
+            }
+            return { ok: false, error: (res && res.error) || "Unlock failed" };
+        } catch (err) {
+            return { ok: false, error: err.message || String(err) };
+        }
+    }
+
+    onPinCancel() {
+        this.state.selectedTileUserId = null;
+    }
+
+    handOff() {
+        this.techStore.lock();
+        this.state.selectedTileUserId = null;
+        this.state.idleSecondsRemaining = null;
+        this._loadTiles();
+    }
+}

fusion_plating/fusion_plating_shopfloor/static/src/scss/components/_idle_warning.scss

@@ -0,0 +1,35 @@
+// =============================================================================
+// FpIdleWarning — yellow-border countdown overlay before auto-lock
+// =============================================================================
+
+.o_fp_idle_warning_overlay {
+    position: fixed;
+    inset: 0;
+    pointer-events: none;
+    z-index: 9998;
+    box-shadow: inset 0 0 0 4px #ff9f0a;
+    animation: o_fp_idle_pulse 1s ease-in-out infinite alternate;
+}
+
+@keyframes o_fp_idle_pulse {
+    from { box-shadow: inset 0 0 0 4px rgba(255, 159, 10, 0.6); }
+    to   { box-shadow: inset 0 0 0 4px rgba(255, 159, 10, 1); }
+}
+
+.o_fp_idle_warning_toast {
+    position: fixed;
+    top: 16px;
+    left: 50%;
+    transform: translateX(-50%);
+    background: #1d1d1f;
+    color: #ffd585;
+    padding: 0.6rem 1.2rem;
+    border-radius: 8px;
+    font-size: 0.9rem;
+    z-index: 9999;
+    pointer-events: none;
+    box-shadow: 0 4px 12px rgba(0,0,0,0.4);
+
+    strong { color: #ffb84d; margin: 0 0.2rem; }
+    > i { margin-right: 0.4rem; }
+}

fusion_plating/fusion_plating_shopfloor/static/src/scss/components/_pin_pad.scss

@@ -0,0 +1,89 @@
+// =============================================================================
+// FpPinPad — numeric keypad for tablet lock screen + PIN setup
+// Dark-mode aware via $o-webclient-color-scheme branch.
+// =============================================================================
+
+$o-webclient-color-scheme: bright !default;
+
+$_pin-bg-hex:      #ffffff;
+$_pin-key-bg-hex:  #f3f4f6;
+$_pin-key-hover-hex: #e5e7eb;
+$_pin-border-hex:  #d8dadd;
+$_pin-dot-hex:     #d8dadd;
+$_pin-dot-fill-hex: #1d1d1f;
+
+@if $o-webclient-color-scheme == dark {
+    $_pin-bg-hex:        #22262d !global;
+    $_pin-key-bg-hex:    #2d3138 !global;
+    $_pin-key-hover-hex: #3a3f48 !global;
+    $_pin-border-hex:    #424245 !global;
+    $_pin-dot-fill-hex:  #f5f5f7 !global;
+}
+
+.o_fp_pin_pad {
+    background: $_pin-bg-hex;
+    border-radius: 12px;
+    padding: 1.5rem;
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: 0.8rem;
+    min-width: 280px;
+}
+
+.o_fp_pin_title    { font-size: 1.1rem; font-weight: 600; }
+.o_fp_pin_subtitle { font-size: 0.85rem; color: var(--text-secondary, #666); text-align: center; }
+
+.o_fp_pin_dots {
+    display: flex;
+    gap: 0.8rem;
+    margin: 0.5rem 0;
+}
+
+.o_fp_pin_dot {
+    width: 14px;
+    height: 14px;
+    border-radius: 50%;
+    background: $_pin-dot-hex;
+    transition: background 0.1s ease;
+    &.filled { background: $_pin-dot-fill-hex; }
+}
+
+.o_fp_pin_error {
+    color: #ff3b30;
+    font-size: 0.85rem;
+    min-height: 1.2rem;
+}
+
+.o_fp_pin_grid {
+    display: grid;
+    grid-template-columns: repeat(3, 1fr);
+    gap: 0.5rem;
+    width: 100%;
+}
+
+.o_fp_pin_key {
+    background: $_pin-key-bg-hex;
+    border: 1px solid $_pin-border-hex;
+    border-radius: 10px;
+    padding: 1rem 0;
+    font-size: 1.5rem;
+    font-weight: 500;
+    cursor: pointer;
+    transition: background 0.1s ease, transform 0.05s ease;
+
+    &:hover { background: $_pin-key-hover-hex; }
+    &:active { transform: scale(0.97); }
+    &:disabled { opacity: 0.5; cursor: wait; }
+}
+
+.o_fp_pin_key_clear  { font-size: 0.95rem; color: var(--text-secondary, #666); }
+.o_fp_pin_key_cancel { font-size: 0.95rem; color: var(--text-secondary, #666); }
+
+@keyframes o_fp_pin_shake_kf {
+    0%, 100% { transform: translateX(0); }
+    25%      { transform: translateX(-8px); }
+    50%      { transform: translateX(8px); }
+    75%      { transform: translateX(-4px); }
+}
+.o_fp_pin_shake { animation: o_fp_pin_shake_kf 0.4s ease; }

fusion_plating/fusion_plating_shopfloor/static/src/scss/tablet_lock.scss

@@ -0,0 +1,96 @@
+// =============================================================================
+// FpTabletLock — lock screen with tile grid + PIN pad overlay
+// =============================================================================
+
+$o-webclient-color-scheme: bright !default;
+
+$_lock-bg-hex:   #f3f4f6;
+$_lock-card-hex: #ffffff;
+$_lock-border-hex: #d8dadd;
+$_lock-ink-hex:  #1d1d1f;
+
+@if $o-webclient-color-scheme == dark {
+    $_lock-bg-hex:   #1a1d21 !global;
+    $_lock-card-hex: #22262d !global;
+    $_lock-border-hex: #424245 !global;
+    $_lock-ink-hex:  #f5f5f7 !global;
+}
+
+.o_fp_tablet_lock {
+    position: fixed;
+    inset: 0;
+    background: $_lock-bg-hex;
+    color: $_lock-ink-hex;
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    padding: 2rem;
+    z-index: 9000;
+    overflow-y: auto;
+}
+
+.o_fp_tablet_lock_header {
+    h1 {
+        font-size: 1.4rem;
+        font-weight: 600;
+        margin-bottom: 1.5rem;
+        display: flex;
+        align-items: center;
+        gap: 0.6rem;
+    }
+}
+
+.o_fp_tablet_lock_loading, .o_fp_tablet_lock_empty {
+    margin: 2rem auto;
+    color: var(--text-secondary, #666);
+}
+
+.o_fp_tablet_lock_tiles {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+    gap: 1rem;
+    max-width: 900px;
+    width: 100%;
+}
+
+.o_fp_tablet_lock_tile {
+    background: $_lock-card-hex;
+    border: 2px solid $_lock-border-hex;
+    border-radius: 12px;
+    padding: 1rem;
+    cursor: pointer;
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: 0.5rem;
+    transition: border-color 0.1s ease, transform 0.05s ease;
+
+    &:hover { border-color: #0071e3; }
+    &:active { transform: scale(0.98); }
+}
+
+.o_fp_tablet_lock_tile_avatar {
+    width: 80px;
+    height: 80px;
+    border-radius: 50%;
+    object-fit: cover;
+}
+
+.o_fp_tablet_lock_tile_name {
+    font-weight: 600;
+    text-align: center;
+}
+
+.o_fp_tablet_lock_tile_clocked {
+    color: #34c759;
+    font-size: 0.75rem;
+}
+
+.o_fp_tablet_lock_tile_nopin {
+    color: #ff9f0a;
+    font-size: 0.75rem;
+}
+
+.o_fp_tablet_lock_pinwrap {
+    margin-top: 2rem;
+}

fusion_plating/fusion_plating_shopfloor/static/src/xml/components/idle_warning.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<templates xml:space="preserve">
+
+    <t t-name="fusion_plating_shopfloor.IdleWarning">
+        <div class="o_fp_idle_warning_overlay">
+            <div class="o_fp_idle_warning_toast">
+                <i class="fa fa-clock-o"/>
+                Locking in <strong t-esc="props.secondsRemaining"/>s · tap anywhere to stay
+            </div>
+        </div>
+    </t>
+
+</templates>

fusion_plating/fusion_plating_shopfloor/static/src/xml/components/pin_pad.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<templates xml:space="preserve">
+
+    <t t-name="fusion_plating_shopfloor.PinPad">
+        <div t-att-class="'o_fp_pin_pad' + (state.shake ? ' o_fp_pin_shake' : '')">
+            <div t-if="props.title" class="o_fp_pin_title" t-esc="props.title"/>
+            <div t-if="props.subtitle" class="o_fp_pin_subtitle" t-esc="props.subtitle"/>
+
+            <div class="o_fp_pin_dots">
+                <t t-foreach="dots" t-as="filled" t-key="filled_index">
+                    <span t-att-class="'o_fp_pin_dot' + (filled ? ' filled' : '')"/>
+                </t>
+            </div>
+
+            <div t-if="state.error" class="o_fp_pin_error" t-esc="state.error"/>
+
+            <div class="o_fp_pin_grid">
+                <t t-foreach="[1,2,3,4,5,6,7,8,9]" t-as="d" t-key="d">
+                    <button class="o_fp_pin_key"
+                            t-on-click="() => this._press(String(d))"
+                            t-att-disabled="state.submitting">
+                        <t t-esc="d"/>
+                    </button>
+                </t>
+                <button class="o_fp_pin_key o_fp_pin_key_clear"
+                        t-on-click="_clear">Clear</button>
+                <button class="o_fp_pin_key"
+                        t-on-click="() => this._press('0')"
+                        t-att-disabled="state.submitting">0</button>
+                <button t-if="props.onCancel"
+                        class="o_fp_pin_key o_fp_pin_key_cancel"
+                        t-on-click="() => this.props.onCancel()">Cancel</button>
+            </div>
+        </div>
+    </t>
+
+</templates>

fusion_plating/fusion_plating_shopfloor/static/src/xml/components/pin_setup.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<templates xml:space="preserve">
+
+    <t t-name="fusion_plating_shopfloor.PinSetup">
+        <div class="o_fp_pin_setup">
+            <div t-if="state.stage === 'loading'" class="o_fp_pin_setup_loading">
+                <i class="fa fa-spinner fa-spin"/> Loading…
+            </div>
+            <FpPinPad t-if="state.stage === 'old'"
+                      onSubmit.bind="onOldPinSubmit"
+                      title="'Enter your current PIN'"
+                      onCancel.bind="onCancel"/>
+            <FpPinPad t-if="state.stage === 'new'"
+                      onSubmit.bind="onNewPinSubmit"
+                      title="'Choose a new 4-digit PIN'"
+                      onCancel.bind="onCancel"/>
+            <FpPinPad t-if="state.stage === 'confirm'"
+                      onSubmit.bind="onConfirmPinSubmit"
+                      title="'Confirm your new PIN'"
+                      subtitle="'Enter it again to confirm'"
+                      onCancel.bind="onCancel"/>
+            <div t-if="state.stage === 'done'" class="o_fp_pin_setup_done">
+                <i class="fa fa-check-circle text-success fa-3x"/>
+                <h3>PIN updated</h3>
+            </div>
+        </div>
+    </t>
+
+</templates>

fusion_plating/fusion_plating_shopfloor/static/src/xml/job_workspace.xml

@@ -2,6 +2,8 @@
 <templates xml:space="preserve">
 
     <t t-name="fusion_plating_shopfloor.JobWorkspace">
+      <FpTabletLock>
+        <t t-set-slot="default">
         <div class="o_fp_ws">
 
             <!-- Loading state -->
@@ -20,6 +22,12 @@
                         <button class="btn btn-link o_fp_ws_back" t-on-click="onBack">
                             <i class="fa fa-arrow-left"/> Back
                         </button>
+                        <!-- Phase 6.2 — Hand-Off: lock the tablet -->
+                        <button class="btn btn-sm btn-warning ms-2"
+                                t-on-click="handOff"
+                                title="Lock the tablet for the next operator">
+                            <i class="fa fa-lock"/> Hand Off
+                        </button>
                         <span class="o_fp_ws_wo"><t t-esc="state.data.job.display_wo_name"/></span>
                         <span class="o_fp_ws_dot"> · </span>
                         <span class="o_fp_ws_cust"><t t-esc="state.data.job.partner_name"/></span>
@@ -225,6 +233,8 @@
 
             </t>
         </div>
+        </t>
+      </FpTabletLock>
     </t>
 
 </templates>

fusion_plating/fusion_plating_shopfloor/static/src/xml/manager_dashboard.xml

@@ -7,6 +7,8 @@
 <templates xml:space="preserve">
 
     <t t-name="fusion_plating_shopfloor.ManagerDashboard">
+      <FpTabletLock>
+        <t t-set-slot="default">
         <div class="o_fp_manager">
 
             <!-- ============ Hero ============ -->
@@ -45,6 +47,12 @@
                         <i t-att-class="'fa fa-refresh' + (state.isFetching ? ' fa-spin' : '')"/>
                     </button>
                     <QrScanner cssClass="'btn'"/>
+                    <!-- Phase 6.2 — Hand-Off: lock the tablet -->
+                    <button class="btn btn-warning"
+                            t-on-click="handOff"
+                            title="Lock the tablet for the next operator">
+                        <i class="fa fa-lock"/> Hand Off
+                    </button>
                     <button t-att-class="'btn ' + (state.mode === 'quick' ? 'btn-primary' : '')"
                             t-on-click="toggleMode">
                         <t t-if="state.mode === 'quick'">Quick View</t>
@@ -583,6 +591,8 @@
                 <div>Loading manager data…</div>
             </div>
         </div>
+        </t>
+      </FpTabletLock>
     </t>
 
 </templates>

fusion_plating/fusion_plating_shopfloor/static/src/xml/shopfloor_landing.xml

@@ -2,6 +2,8 @@
 <templates xml:space="preserve">
 
     <t t-name="fusion_plating_shopfloor.ShopfloorLanding">
+      <FpTabletLock>
+        <t t-set-slot="default">
         <div class="o_fp_landing">
 
             <!-- Loading state -->
@@ -62,6 +64,13 @@
                         </button>
                         <QrScanner cssClass="'btn btn-sm btn-outline-secondary'" label="'Camera'"/>
 
+                        <!-- Phase 6.2 — Hand-Off: lock the tablet for the next operator -->
+                        <button class="btn btn-sm btn-warning"
+                                t-on-click="handOff"
+                                title="Lock the tablet for the next operator">
+                            <i class="fa fa-lock"/> Hand Off
+                        </button>
+
                         <!-- Refresh indicator -->
                         <span class="o_fp_landing_refresh text-muted">
                             <i class="fa fa-clock-o"/> <t t-esc="state.lastRefresh"/>
@@ -158,6 +167,8 @@
 
             </t>
         </div>
+        </t>
+      </FpTabletLock>
     </t>
 
 </templates>

fusion_plating/fusion_plating_shopfloor/static/src/xml/tablet_lock.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<templates xml:space="preserve">
+
+    <t t-name="fusion_plating_shopfloor.TabletLock">
+        <t t-if="isLocked">
+            <div class="o_fp_tablet_lock">
+                <div class="o_fp_tablet_lock_header">
+                    <h1><i class="fa fa-lock"/> Tap your name to unlock</h1>
+                </div>
+                <div t-if="state.loadingTiles" class="o_fp_tablet_lock_loading">
+                    <i class="fa fa-spinner fa-spin"/> Loading…
+                </div>
+                <div t-elif="!state.selectedTileUserId" class="o_fp_tablet_lock_tiles">
+                    <t t-if="!state.tiles.length">
+                        <div class="o_fp_tablet_lock_empty">
+                            No operators configured.
+                        </div>
+                    </t>
+                    <t t-foreach="state.tiles" t-as="tile" t-key="tile.user_id">
+                        <button class="o_fp_tablet_lock_tile"
+                                t-on-click="() => this.onTileClick(tile.user_id)">
+                            <img class="o_fp_tablet_lock_tile_avatar"
+                                 t-att-src="tile.avatar_url"
+                                 t-att-alt="tile.name"/>
+                            <div class="o_fp_tablet_lock_tile_name" t-esc="tile.name"/>
+                            <span t-if="tile.is_clocked_in" class="o_fp_tablet_lock_tile_clocked">
+                                ● Clocked in
+                            </span>
+                            <span t-if="!tile.has_pin" class="o_fp_tablet_lock_tile_nopin">
+                                PIN required
+                            </span>
+                        </button>
+                    </t>
+                </div>
+                <div t-else="" class="o_fp_tablet_lock_pinwrap">
+                    <FpPinPad onSubmit.bind="unlock"
+                              title="_selectedTileName()"
+                              subtitle="'Enter your 4-digit PIN'"
+                              onCancel.bind="onPinCancel"/>
+                </div>
+            </div>
+        </t>
+        <t t-else="">
+            <t t-slot="default"/>
+            <FpIdleWarning t-if="state.idleSecondsRemaining !== null"
+                           secondsRemaining="state.idleSecondsRemaining"/>
+        </t>
+    </t>
+
+</templates>

fusion_plating/fusion_plating_shopfloor/tests/__init__.py

@@ -1,3 +1,4 @@
 # -*- coding: utf-8 -*-
 from . import test_workspace_controller
 from . import test_landing_kanban
+from . import test_tablet_pin

fusion_plating/fusion_plating_shopfloor/tests/test_tablet_pin.py

@@ -0,0 +1,216 @@
+# -*- coding: utf-8 -*-
+# Copyright 2026 Nexa Systems Inc. — License OPL-1
+"""Phase 6 — Tablet PIN gate tests."""
+import json
+
+from odoo.tests.common import HttpCase, TransactionCase, tagged
+
+
+def _rpc(case, url, **params):
+    """Helper for HTTP/JSON-RPC tests — wraps Odoo's url_open."""
+    res = case.url_open(
+        url,
+        data=json.dumps({'jsonrpc': '2.0', 'params': params}),
+        headers={'Content-Type': 'application/json'},
+    )
+    return res.json()['result']
+
+
+@tagged('-at_install', 'post_install', 'fp_shopfloor', 'fp_tablet_pin')
+class TestTabletPinHash(TransactionCase):
+    """P6.1.1 — model fields + hash helpers + set/verify/clear methods."""
+
+    def setUp(self):
+        super().setUp()
+        self.user = self.env['res.users'].create({
+            'name': 'Pin Test',
+            'login': 'pintest@example.com',
+        })
+
+    def test_set_pin_stores_salted_hash(self):
+        self.user.sudo().set_tablet_pin('1234')
+        stored = self.user.sudo().x_fc_tablet_pin_hash
+        self.assertTrue(stored)
+        self.assertIn('$', stored, 'hash must include salt separator')
+        # Hash is non-deterministic — setting same PIN twice gives different stored values
+        self.user.sudo().set_tablet_pin('1234')
+        self.assertNotEqual(stored, self.user.sudo().x_fc_tablet_pin_hash)
+
+    def test_verify_correct_pin(self):
+        self.user.sudo().set_tablet_pin('1234')
+        self.assertTrue(self.user.sudo().verify_tablet_pin('1234'))
+
+    def test_verify_wrong_pin(self):
+        self.user.sudo().set_tablet_pin('1234')
+        self.assertFalse(self.user.sudo().verify_tablet_pin('0000'))
+
+    def test_verify_pin_no_hash_set(self):
+        self.assertFalse(self.user.sudo().verify_tablet_pin('1234'))
+
+    def test_set_pin_rejects_invalid_format(self):
+        from odoo.exceptions import UserError
+        for bad in ('123', '12345', 'abcd', '', None):
+            with self.assertRaises(UserError):
+                self.user.sudo().set_tablet_pin(bad)
+
+    def test_clear_pin_wipes_hash_and_posts_chatter(self):
+        self.user.sudo().set_tablet_pin('1234')
+        self.user.clear_tablet_pin()
+        self.user.invalidate_recordset(['x_fc_tablet_pin_hash'])
+        self.assertFalse(self.user.sudo().x_fc_tablet_pin_hash)
+        self.assertFalse(self.user.sudo().x_fc_tablet_pin_set_date)
+        # Check chatter
+        last_msg = self.user.message_ids[:1]
+        self.assertIn('reset by', (last_msg.body or '').lower())
+
+
+@tagged('-at_install', 'post_install', 'fp_shopfloor', 'fp_tablet_pin')
+class TestTabletSetPin(HttpCase):
+    """P6.1.2 — /fp/tablet/set_pin endpoint."""
+
+    def setUp(self):
+        super().setUp()
+        self.authenticate("admin", "admin")
+
+    def test_set_pin_first_time(self):
+        res = _rpc(self, '/fp/tablet/set_pin', new_pin='1234')
+        self.assertTrue(res['ok'])
+
+    def test_set_pin_change_requires_old(self):
+        admin = self.env.ref('base.user_admin')
+        admin.set_tablet_pin('1234')
+        # Change without old — rejected
+        res = _rpc(self, '/fp/tablet/set_pin', new_pin='5678')
+        self.assertFalse(res['ok'])
+        # Change with wrong old — rejected
+        res = _rpc(self, '/fp/tablet/set_pin', old_pin='9999', new_pin='5678')
+        self.assertFalse(res['ok'])
+        # Change with correct old — accepted
+        res = _rpc(self, '/fp/tablet/set_pin', old_pin='1234', new_pin='5678')
+        self.assertTrue(res['ok'])
+
+    def test_set_pin_rejects_non_4_digit(self):
+        for bad in ('123', '12345', 'abcd', ''):
+            res = _rpc(self, '/fp/tablet/set_pin', new_pin=bad)
+            self.assertFalse(res['ok'], f'PIN {bad!r} should be rejected')
+
+
+@tagged('-at_install', 'post_install', 'fp_shopfloor', 'fp_tablet_pin')
+class TestTabletResetPinFor(HttpCase):
+    """P6.1.2 — /fp/tablet/reset_pin_for endpoint."""
+
+    def setUp(self):
+        super().setUp()
+        self.target = self.env['res.users'].create({
+            'name': 'Reset Target', 'login': 'reset@example.com',
+        })
+        self.target.sudo().set_tablet_pin('1234')
+
+    def test_reset_requires_manager_group(self):
+        # Plain operator can't reset
+        op_group = self.env.ref('fusion_plating.group_fusion_plating_operator')
+        self.env['res.users'].create({
+            'name': 'Op', 'login': 'op@example.com',
+            'password': 'op@example.com',
+            'group_ids': [(6, 0, [op_group.id])],
+        })
+        self.authenticate('op@example.com', 'op@example.com')
+        res = _rpc(self, '/fp/tablet/reset_pin_for', user_id=self.target.id)
+        self.assertFalse(res['ok'])
+
+    def test_reset_as_admin_clears_hash(self):
+        self.authenticate('admin', 'admin')
+        res = _rpc(self, '/fp/tablet/reset_pin_for', user_id=self.target.id)
+        self.assertTrue(res['ok'])
+        self.target.invalidate_recordset(['x_fc_tablet_pin_hash'])
+        self.assertFalse(self.target.sudo().x_fc_tablet_pin_hash)
+
+
+@tagged('-at_install', 'post_install', 'fp_shopfloor', 'fp_tablet_pin')
+class TestTabletUnlock(HttpCase):
+    """P6.1.3 — /fp/tablet/unlock endpoint + lockout."""
+
+    def setUp(self):
+        super().setUp()
+        self.authenticate("admin", "admin")
+        self.target = self.env['res.users'].create({
+            'name': 'Unlock Target', 'login': 'unlock@example.com',
+        })
+        self.target.sudo().set_tablet_pin('1234')
+
+    def _unlock(self, pin):
+        return _rpc(self, '/fp/tablet/unlock',
+                    user_id=self.target.id, pin=pin)
+
+    def test_unlock_correct_pin(self):
+        res = self._unlock('1234')
+        self.assertTrue(res['ok'])
+        self.assertEqual(res['current_tech_id'], self.target.id)
+        self.assertEqual(res['current_tech_name'], 'Unlock Target')
+
+    def test_unlock_correct_pin_resets_fail_counter(self):
+        self._unlock('0000')  # fail once
+        self._unlock('1234')  # succeed
+        self.target.invalidate_recordset(['x_fc_tablet_pin_failed_count'])
+        self.assertEqual(self.target.sudo().x_fc_tablet_pin_failed_count, 0)
+
+    def test_unlock_wrong_pin_increments_counter(self):
+        self._unlock('0000')
+        self.target.invalidate_recordset(['x_fc_tablet_pin_failed_count'])
+        self.assertEqual(self.target.sudo().x_fc_tablet_pin_failed_count, 1)
+
+    def test_lockout_after_5_fails(self):
+        for _ in range(5):
+            self._unlock('0000')
+        res = self._unlock('0000')  # 6th
+        self.assertFalse(res['ok'])
+        self.assertIn('locked', res['error'].lower())
+        self.target.invalidate_recordset(['x_fc_tablet_locked_until'])
+        self.assertTrue(self.target.sudo().x_fc_tablet_locked_until)
+
+    def test_lockout_blocks_even_correct_pin(self):
+        for _ in range(5):
+            self._unlock('0000')
+        # Even the correct PIN now rejected
+        res = self._unlock('1234')
+        self.assertFalse(res['ok'])
+        self.assertIn('locked', res['error'].lower())
+
+    def test_unlock_no_pin_set(self):
+        self.target.clear_tablet_pin()
+        res = self._unlock('1234')
+        self.assertFalse(res['ok'])
+        self.assertTrue(res.get('needs_setup'))
+
+
+@tagged('-at_install', 'post_install', 'fp_shopfloor', 'fp_tablet_pin')
+class TestTabletTiles(HttpCase):
+    """P6.1.4 — /fp/tablet/tiles endpoint."""
+
+    def setUp(self):
+        super().setUp()
+        self.authenticate("admin", "admin")
+        self.op_group = self.env.ref('fusion_plating.group_fusion_plating_operator')
+        self.alice = self.env['res.users'].create({
+            'name': 'Alice Tile', 'login': 'alice_tile@example.com',
+            'group_ids': [(6, 0, [self.op_group.id])],
+        })
+        self.bob = self.env['res.users'].create({
+            'name': 'Bob Tile', 'login': 'bob_tile@example.com',
+            'group_ids': [(6, 0, [self.op_group.id])],
+        })
+        self.alice.sudo().set_tablet_pin('1111')
+
+    def test_tiles_returns_all_operators_without_station(self):
+        res = _rpc(self, '/fp/tablet/tiles')
+        self.assertTrue(res['ok'])
+        names = [t['name'] for t in res['tiles']]
+        self.assertIn('Alice Tile', names)
+        self.assertIn('Bob Tile', names)
+
+    def test_tile_has_pin_flag(self):
+        res = _rpc(self, '/fp/tablet/tiles')
+        alice_tile = next(t for t in res['tiles'] if t['name'] == 'Alice Tile')
+        bob_tile = next(t for t in res['tiles'] if t['name'] == 'Bob Tile')
+        self.assertTrue(alice_tile['has_pin'])
+        self.assertFalse(bob_tile['has_pin'])

fusion_plating/fusion_plating_shopfloor/views/fp_shopfloor_station_views.xml

@@ -49,6 +49,13 @@
                             <field name="active"/>
                         </group>
                     </group>
+                    <group string="Tablet PIN Gate (Phase 6)">
+                        <field name="x_fc_authorised_user_ids"
+                               widget="many2many_tags"
+                               options="{'no_create': True}"/>
+                        <field name="x_fc_idle_lock_minutes"
+                               placeholder="default 5 (system parameter)"/>
+                    </group>
                     <separator string="Notes"/>
                     <field name="notes"/>
                 </sheet>

fusion_plating/fusion_plating_shopfloor/views/res_users_views.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright 2026 Nexa Systems Inc.
+    License OPL-1 (Odoo Proprietary License v1.0)
+
+    Phase 6 tablet PIN gate — surfaces:
+      (a) self-service "Set/Change PIN" on the user's Preferences form
+      (b) manager-only "Reset Tablet PIN" header button on res.users form
+-->
+<odoo>
+
+    <!-- =================================================================
+         (a) Preferences form — Set/Change Tablet PIN
+         The actual modal is OWL-side (FpPinSetup, Phase 6.2). Here we
+         just surface a status indicator + the button under a group.
+         ================================================================= -->
+    <record id="view_users_form_preferences_tablet_pin" model="ir.ui.view">
+        <field name="name">res.users.preferences.tablet.pin</field>
+        <field name="model">res.users</field>
+        <field name="inherit_id" ref="base.view_users_form_simple_modif"/>
+        <field name="arch" type="xml">
+            <xpath expr="//sheet" position="inside">
+                <group string="Tablet PIN" name="fp_tablet_pin_group">
+                    <field name="x_fc_tablet_pin_set_date" readonly="1"
+                           string="PIN Last Set"/>
+                    <button name="action_open_tablet_pin_setup"
+                            type="object"
+                            string="Set / Change Tablet PIN"
+                            class="btn-secondary"
+                            icon="fa-key"/>
+                </group>
+            </xpath>
+        </field>
+    </record>
+
+    <!-- =================================================================
+         (b) res.users form — Manager-only "Reset Tablet PIN" header
+         ================================================================= -->
+    <record id="view_users_form_reset_tablet_pin" model="ir.ui.view">
+        <field name="name">res.users.form.reset.tablet.pin</field>
+        <field name="model">res.users</field>
+        <field name="inherit_id" ref="base.view_users_form"/>
+        <field name="arch" type="xml">
+            <xpath expr="//header" position="inside">
+                <button name="clear_tablet_pin"
+                        type="object"
+                        string="Reset Tablet PIN"
+                        class="btn-warning"
+                        icon="fa-eraser"
+                        groups="fusion_plating.group_fusion_plating_manager"
+                        invisible="not x_fc_tablet_pin_set_date"
+                        confirm="Reset this user's tablet PIN? They'll need to set a new one on their next unlock."/>
+                <field name="x_fc_tablet_pin_set_date" invisible="1"/>
+            </xpath>
+        </field>
+    </record>
+
+</odoo>