fix(plating-perms): address final-reviewer critical + important issues

Pre-deploy fixes for Phase 1 permissions overhaul branch (catches by
final-reviewer subagent + main session).

CRITICAL FIXES:

C1: groups_id -> group_ids (Odoo 19 field rename). Affected ~30 sites
    across 4 model files, 1 view, 7 test files. Documented project
    gotcha (feedback_odoo19_groups_id_renamed.md) that the implementer
    subagents missed because they don't see user memory.

C2: action_fp_resolve_plating_landing server action now calls
    env['ir.actions.act_window'].sudo()._fp_resolve_landing_for_current_user()
    instead of the old inline priority chain. Phase E's role-based
    dispatch was previously dead code.

C3: New migrations/19.0.21.1.0/post-migrate.py triggers
    _fp_post_init_role_migration(env) on -u. post_init_hook only fires
    on INSTALL in Odoo 19, not UPGRADE -- so Phase H's preview creation
    wouldn't have auto-fired on entech without this script. Module
    version bumped to 19.0.21.1.0 to match the migration directory.

C4: Team kanban template rewritten for Odoo 19 (<t t-name='card'> with
    semantic <aside>/<main>) instead of legacy <t t-name='kanban-box'>.
    Previous template threw 'Missing card template' at render.

IMPORTANT FIXES:

I1: SO state=sent Confirm button (id='action_confirm') now also gated
    to group_fp_sales_manager. Previously only the state=draft button
    was gated; Sales Reps could send-and-confirm via the secondary path.

I2: Designated Officials picker domain uses all_group_ids (transitive)
    instead of group_ids (explicit only). Owner users now correctly
    appear as eligible CGP DO candidates via the implied_ids chain.

I3: test_menu_visibility.py compliance hub xmlid corrected to
    fusion_plating.menu_fp_compliance_hub (was
    fusion_plating_compliance.menu_fp_compliance_hub which doesn't exist
    -- the hub menu is defined in core's fp_menu.xml). Tests were
    silently skipTest-ing.

I4: _inverse_plating_role chatter audit reads old role from DB via SQL
    (bypasses cache) so 'old -> new' displays actual values, and
    short-circuits no-op writes.

I5: _FP_ROLE_MAPPING_RULES reordered: cgp_designated_official fires
    BEFORE admin/uid_1_or_2 so admin+DO users keep the capability_delta
    marker that triggers res.company.x_fc_cgp_designated_official_id
    auto-set during migration.

I6: _cron_purge_expired_migrations skips groups with active users
    instead of unlink-ing unconditionally. Defense against rollback
    safety being bypassed by manual role assignments post-migration.

CLAUDE.md updated with 3 new durable rules (13b kanban card template,
13c group_ids vs all_group_ids, 13d post_init_hook only on install).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_plating/fusion_plating/tests/test_acl_migration.py

@@ -14,7 +14,7 @@ class TestAclMigration(TransactionCase):
                 'login': f'fp_test_{login}',
                 'name': f'FP Test {login.title()}',
                 'email': f'fp_test_{login}@example.com',
-                'groups_id': [(6, 0, [self.env.ref(group_xmlid).id])],
+                'group_ids': [(6, 0, [self.env.ref(group_xmlid).id])],
             })
 
         self.u_tech = make('tech', 'fusion_plating.group_fp_technician')

fusion_plating/fusion_plating/tests/test_landing_resolver.py

@@ -38,7 +38,7 @@ class TestLandingResolver(TransactionCase):
                 'login': f'land_{name}',
                 'name': f'Land {name}',
                 'email': f'land_{name}@example.com',
-                'groups_id': [(6, 0, [self.env.ref(xmlid).id])],
+                'group_ids': [(6, 0, [self.env.ref(xmlid).id])],
             })
 
         self.u_tech = mk('tech', 'fusion_plating.group_fp_technician')

fusion_plating/fusion_plating/tests/test_menu_visibility.py

@@ -12,14 +12,14 @@ class TestMenuVisibility(TransactionCase):
             return Users.create({
                 'login': f'menu_{name}', 'name': f'Menu Test {name}',
                 'email': f'menu_{name}@example.com',
-                'groups_id': [(6, 0, [self.env.ref(xmlid).id])] if xmlid else [(6, 0, [])],
+                'group_ids': [(6, 0, [self.env.ref(xmlid).id])] if xmlid else [(6, 0, [])],
             })
         # "No" user has only base.group_user — no plating group
         no_user = Users.create({
             'login': 'menu_no', 'name': 'Menu Test no',
             'email': 'menu_no@example.com',
         })
-        no_user.write({'groups_id': [(6, 0, [self.env.ref('base.group_user').id])]})
+        no_user.write({'group_ids': [(6, 0, [self.env.ref('base.group_user').id])]})
         self.u_no = no_user
         self.u_tech = mk('tech', 'fusion_plating.group_fp_technician')
         self.u_sr = mk('sr', 'fusion_plating.group_fp_sales_rep')
@@ -73,13 +73,13 @@ class TestMenuVisibility(TransactionCase):
         self.assertTrue(result)
 
     def test_manager_does_not_see_compliance(self):
-        result = self._visible(self.u_mgr, 'fusion_plating_compliance.menu_fp_compliance_hub')
+        result = self._visible(self.u_mgr, 'fusion_plating.menu_fp_compliance_hub')
         if result is None:
             self.skipTest('Compliance hub not found')
         self.assertFalse(result, 'Manager must not see Compliance hub')
 
     def test_qm_sees_compliance(self):
-        result = self._visible(self.u_qm, 'fusion_plating_compliance.menu_fp_compliance_hub')
+        result = self._visible(self.u_qm, 'fusion_plating.menu_fp_compliance_hub')
         if result is None:
             self.skipTest('Compliance hub not found')
         self.assertTrue(result)

fusion_plating/fusion_plating/tests/test_migration_workflow.py

@@ -12,14 +12,14 @@ class TestMigrationWorkflow(TransactionCase):
         self.owner = Users.create({
             'login': 'mig_owner', 'name': 'Mig Owner',
             'email': 'mig_owner@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_owner').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_owner').id])],
         })
 
     def test_only_owner_can_approve(self):
         non_owner = self.env['res.users'].with_context(no_reset_password=True).create({
             'login': 'mig_nonowner', 'name': 'Non Owner',
             'email': 'mig_nonowner@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_manager').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_manager').id])],
         })
         preview = self.env['fp.migration.preview'].create({})
         preview._fp_build_lines()
@@ -52,7 +52,7 @@ class TestMigrationWorkflow(TransactionCase):
         u = self.env['res.users'].with_context(no_reset_password=True).create({
             'login': 'mig_rb', 'name': 'RB',
             'email': 'mig_rb@example.com',
-            'groups_id': [(6, 0, [old_mgr.id])],
+            'group_ids': [(6, 0, [old_mgr.id])],
         })
         before_ids = sorted(u.groups_id.ids)
         preview = self.env['fp.migration.preview'].create({})
@@ -74,7 +74,7 @@ class TestMigrationWorkflow(TransactionCase):
         u = self.env['res.users'].with_context(no_reset_password=True).create({
             'login': 'mig_est', 'name': 'Est',
             'email': 'mig_est@example.com',
-            'groups_id': [(6, 0, [est.id])],
+            'group_ids': [(6, 0, [est.id])],
         })
         preview = self.env['fp.migration.preview'].create({})
         preview._fp_build_lines()

fusion_plating/fusion_plating/tests/test_quality_split.py

@@ -13,12 +13,12 @@ class TestQualitySplit(TransactionCase):
         self.u_mgr = Users.create({
             'login': 'qsplit_mgr', 'name': 'QSplit Mgr',
             'email': 'qsplit_mgr@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_manager').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_manager').id])],
         })
         self.u_qm = Users.create({
             'login': 'qsplit_qm', 'name': 'QSplit QM',
             'email': 'qsplit_qm@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_quality_manager').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_quality_manager').id])],
         })
 
     # CAPA: Manager read-only, QM full

fusion_plating/fusion_plating/tests/test_sales_manager_gate.py

@@ -11,12 +11,12 @@ class TestSalesManagerGate(TransactionCase):
         self.u_sr = Users.create({
             'login': 'gate_sr', 'name': 'Gate SR',
             'email': 'gate_sr@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_sales_rep').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_sales_rep').id])],
         })
         self.u_smg = Users.create({
             'login': 'gate_smg', 'name': 'Gate SMg',
             'email': 'gate_smg@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_sales_manager').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_sales_manager').id])],
         })
         partner = self.env['res.partner'].create({'name': 'Gate Test Customer'})
         product = self.env['product.product'].create({'name': 'Gate Test Product'})
@@ -40,7 +40,7 @@ class TestSalesManagerGate(TransactionCase):
         u_mgr = self.env['res.users'].with_context(no_reset_password=True).create({
             'login': 'gate_mgr', 'name': 'Gate Mgr',
             'email': 'gate_mgr@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_manager').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_manager').id])],
         })
         self.so.with_user(u_mgr).action_confirm()
         self.assertEqual(self.so.state, 'sale')

fusion_plating/fusion_plating/tests/test_team_page.py

@@ -12,12 +12,12 @@ class TestTeamPage(TransactionCase):
         self.owner = Users.create({
             'login': 'team_owner', 'name': 'Team Owner',
             'email': 'team_owner@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_owner').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_owner').id])],
         })
         self.target = Users.create({
             'login': 'team_target', 'name': 'Team Target',
             'email': 'team_target@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_technician').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_technician').id])],
         })
 
     def test_compute_returns_technician(self):
@@ -25,7 +25,7 @@ class TestTeamPage(TransactionCase):
 
     def test_compute_picks_highest_role(self):
         # Add Manager group on top of Technician
-        self.target.write({'groups_id': [(4, self.env.ref('fusion_plating.group_fp_manager').id)]})
+        self.target.write({'group_ids': [(4, self.env.ref('fusion_plating.group_fp_manager').id)]})
         self.target.invalidate_recordset(['x_fc_plating_role'])
         self.assertEqual(self.target.x_fc_plating_role, 'manager')
 
@@ -88,7 +88,7 @@ class TestTeamPage(TransactionCase):
         mgr = self.env['res.users'].with_context(no_reset_password=True).create({
             'login': 'team_mgr', 'name': 'Team Mgr',
             'email': 'team_mgr@example.com',
-            'groups_id': [(6, 0, [self.env.ref('fusion_plating.group_fp_manager').id])],
+            'group_ids': [(6, 0, [self.env.ref('fusion_plating.group_fp_manager').id])],
         })
         visible = self.env['ir.ui.menu'].with_user(mgr).search_count([('id', '=', menu.id)])
         self.assertFalse(visible, 'Manager must not see Team menu (Owner-only)')