0b92294586
Code-review findings on Phase A (Tablet PIN Session Redesign): I1: Security XML comment now honestly describes the kiosk as Internal User + explicit reads, not 'near-zero ACL'. base.group_user is kept (required for auth='user' HTTP routes to function) but the comment no longer overstates how locked-down the kiosk is. I2: New ir.rule scopes the kiosk's ir.config_parameter read to keys matching 'fp.tablet.%' or 'fp.shopfloor.%'. Combined with the existing model-level read ACL, kiosk can no longer enumerate third-party secrets (e.g. fusion_tasks.vapid_private_key) or arbitrary API keys stored in ICP. I3: post-migrate docstring now advises sysadmins to unlink the plaintext ICP password row after kiosk tablets are paired, to minimise plaintext-in-backups risk. Rotation procedure documented. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>