fix(plating-perms): address final-reviewer critical + important issues

Pre-deploy fixes for Phase 1 permissions overhaul branch (catches by
final-reviewer subagent + main session).

CRITICAL FIXES:

C1: groups_id -> group_ids (Odoo 19 field rename). Affected ~30 sites
    across 4 model files, 1 view, 7 test files. Documented project
    gotcha (feedback_odoo19_groups_id_renamed.md) that the implementer
    subagents missed because they don't see user memory.

C2: action_fp_resolve_plating_landing server action now calls
    env['ir.actions.act_window'].sudo()._fp_resolve_landing_for_current_user()
    instead of the old inline priority chain. Phase E's role-based
    dispatch was previously dead code.

C3: New migrations/19.0.21.1.0/post-migrate.py triggers
    _fp_post_init_role_migration(env) on -u. post_init_hook only fires
    on INSTALL in Odoo 19, not UPGRADE -- so Phase H's preview creation
    wouldn't have auto-fired on entech without this script. Module
    version bumped to 19.0.21.1.0 to match the migration directory.

C4: Team kanban template rewritten for Odoo 19 (<t t-name='card'> with
    semantic <aside>/<main>) instead of legacy <t t-name='kanban-box'>.
    Previous template threw 'Missing card template' at render.

IMPORTANT FIXES:

I1: SO state=sent Confirm button (id='action_confirm') now also gated
    to group_fp_sales_manager. Previously only the state=draft button
    was gated; Sales Reps could send-and-confirm via the secondary path.

I2: Designated Officials picker domain uses all_group_ids (transitive)
    instead of group_ids (explicit only). Owner users now correctly
    appear as eligible CGP DO candidates via the implied_ids chain.

I3: test_menu_visibility.py compliance hub xmlid corrected to
    fusion_plating.menu_fp_compliance_hub (was
    fusion_plating_compliance.menu_fp_compliance_hub which doesn't exist
    -- the hub menu is defined in core's fp_menu.xml). Tests were
    silently skipTest-ing.

I4: _inverse_plating_role chatter audit reads old role from DB via SQL
    (bypasses cache) so 'old -> new' displays actual values, and
    short-circuits no-op writes.

I5: _FP_ROLE_MAPPING_RULES reordered: cgp_designated_official fires
    BEFORE admin/uid_1_or_2 so admin+DO users keep the capability_delta
    marker that triggers res.company.x_fc_cgp_designated_official_id
    auto-set during migration.

I6: _cron_purge_expired_migrations skips groups with active users
    instead of unlink-ing unconditionally. Defense against rollback
    safety being bypassed by manual role assignments post-migration.

CLAUDE.md updated with 3 new durable rules (13b kanban card template,
13c group_ids vs all_group_ids, 13d post_init_hook only on install).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_plating/fusion_plating/views/fp_team_views.xml

@@ -23,22 +23,20 @@
                     <field name="login_date"/>
                     <field name="name"/>
                     <templates>
-                        <t t-name="kanban-box">
-                            <div t-attf-class="oe_kanban_card oe_kanban_global_click">
-                                <div class="o_kanban_image">
-                                    <img t-att-src="kanban_image('res.users', 'image_128', record.id.raw_value)"
-                                         alt="Photo"/>
+                        <t t-name="card" class="flex-row align-items-center">
+                            <aside class="o_kanban_aside_full">
+                                <field name="image_128" widget="image"
+                                       options="{'preview_image': 'image_128', 'img_class': 'rounded'}"/>
+                            </aside>
+                            <main class="ms-2">
+                                <field name="name" class="fw-bolder fs-5"/>
+                                <div t-if="record.email.raw_value" class="text-muted small">
+                                    <field name="email"/>
                                 </div>
-                                <div class="oe_kanban_details">
-                                    <strong><field name="name"/></strong>
-                                    <div t-if="record.email.raw_value">
-                                        <field name="email"/>
-                                    </div>
-                                    <div t-if="record.login_date.raw_value" class="text-muted">
-                                        Last seen: <field name="login_date" widget="date"/>
-                                    </div>
+                                <div t-if="record.login_date.raw_value" class="text-muted small">
+                                    Last seen: <field name="login_date" widget="date"/>
                                 </div>
-                            </div>
+                            </main>
                         </t>
                     </templates>
                 </kanban>

fusion_plating/fusion_plating/views/res_company_views.xml

@@ -12,9 +12,9 @@
                           groups="fusion_plating.group_fp_owner">
                         <group>
                             <field name="x_fc_cgp_designated_official_id"
-                                   domain="[('groups_id', 'in', [ref('fusion_plating.group_fp_quality_manager'), ref('fusion_plating.group_fp_owner')])]"/>
+                                   domain="[('all_group_ids', 'in', [ref('fusion_plating.group_fp_quality_manager'), ref('fusion_plating.group_fp_owner')])]"/>
                             <field name="x_fc_nadcap_authority_user_id"
-                                   domain="[('groups_id', 'in', [ref('fusion_plating.group_fp_quality_manager'), ref('fusion_plating.group_fp_owner')])]"/>
+                                   domain="[('all_group_ids', 'in', [ref('fusion_plating.group_fp_quality_manager'), ref('fusion_plating.group_fp_owner')])]"/>
                         </group>
                     </page>
                 </xpath>