fix(fusion_helpdesk): auto-grant reporter admin to system admins + doc backfill

The customer-followup ship left two papercuts that hid 51 historical
tickets from the entech owner:

1. group_reporter_admin had zero members on install — the new XML record
   created the group but never granted it. Extend base.group_system's
   implied_ids so every system administrator transparently inherits the
   admin view of the embedded inbox on install / upgrade. (4, id) tuple
   is additive — never replaces base's existing implications.

2. Tickets created before this feature shipped had NULL
   x_fc_client_label and NULL partner_email, so the scope filter
   excluded them all. The reporter identity was still recoverable from
   the description HTML's diag block. Backfill recipe is captured in
   CLAUDE.md so future deployments can apply the same one-shot UPDATE
   without re-deriving the regex.

Bumps fusion_helpdesk to 19.0.1.5.0. Verified live on entech: all six
base.group_system members now return True for
has_group('fusion_helpdesk.group_reporter_admin').

CLAUDE.md

@@ -181,20 +181,51 @@ referenced but never imported) that broke every inbox endpoint. Run
 `docker exec odoo-modsdev-app python3 -m pyflakes <file>` after editing controllers — it
 catches undefined names instantly.
 
-### STATUS (handoff 2026-05-27 — continuing from office)
-- **Merged to `main`** as squash commit `6c15a7b1`, pushed to GitHub + Gitea. Feature
-  branch `feat/helpdesk-customer-followup` deleted (local + remote). Pull `main` at the
-  office to get the latest.
+### Two non-obvious gotchas the first ship hit (fixed 2026-05-27 afternoon)
+1. **`group_reporter_admin` had zero members on install** — `res.groups` doesn't auto-grant
+   to the deployment admin, so the "All (deployment)" toggle never appeared and admins were
+   stuck with the per-user `partner_email` filter. Fix lives in
+   `fusion_helpdesk/security/fusion_helpdesk_groups.xml`: extend `base.group_system.implied_ids`
+   with `(4, ref('fusion_helpdesk.group_reporter_admin'))`. The (4, id) tuple is additive — it
+   never replaces base's existing implied groups. Verified live: all six entech
+   `base.group_system` members now return True for
+   `has_group('fusion_helpdesk.group_reporter_admin')` after the upgrade.
+2. **Historical tickets had NULL `x_fc_client_label` + NULL `partner_email`** — anything
+   created before the customer-followup ship was invisible in "My Tickets" because the scope
+   filter requires both fields. The reporter identity was preserved only in the description
+   HTML (the diag block's "User" row). Backfill recipe (50 ENTECH + 1 WESTIN, all in one
+   transaction):
+   ```sql
+   UPDATE helpdesk_ticket
+   SET x_fc_client_label = substring(name from '^\[([A-Z]+)\]'),
+       partner_email = lower(substring(
+         substring(description from 'User</td><td[^>]*><code>([^<]+)</code>')
+         from ', ([^)]+)\)')),
+       partner_name = regexp_replace(
+         substring(description from 'User</td><td[^>]*><code>([^<]+)</code>'),
+         ' \(#\d+, [^)]+\)$', '')
+   WHERE name ~ '^\[[A-Z]+\]'
+     AND description ~ 'User</td>'
+     AND x_fc_client_label IS NULL;
+   ```
+   Safe: SQL UPDATE bypasses the central `helpdesk.ticket.create` override, so no duplicate
+   ack emails. Per-deployment label inferred from the `[XXX]` name prefix the old code was
+   already adding. Note: users whose `login != email` (e.g. uid=2 on entech has login
+   `gsinghpal@outlook.com` and email `gs@nexasystems.ca`) get tagged with their *login* in
+   backfill — they won't see their old tickets in "Mine", only in "All". New tickets are
+   tagged with the profile email (`user.email` first, `user.login` fallback).
+
+### STATUS (handoff 2026-05-27 afternoon)
+- **Merged to `main`** as squash commit `6c15a7b1` (initial ship). Today's followup is the
+  group/backfill fix described above — committed separately.
 - **Deployed live**: nexa `fusion_helpdesk_central` **19.0.1.1.0**; entech `fusion_helpdesk`
-  **19.0.1.4.1**. Both services healthy.
+  **19.0.1.5.0** (bumped from 19.0.1.4.1 for the implied_ids fix). Both services healthy.
+- **Historical entech tickets backfilled** on nexa (51 rows: 50 ENTECH + 1 WESTIN).
 - **Smoke-tested live end-to-end** (entech→nexa): partner resolved + follower + `ENTECH`
   label, branded ack email queued, support reply visible in thread, inbox scope finds own
-  ticket, no cross-deployment leak.
-- **Bug fixed this session**: `_norm_email` NameError that broke "My Tickets" AND the "New"
-  ticket submit path — `_norm_email` added to `fusion_helpdesk/utils.py`, imported in the
-  controller, regression test added, deployed to entech.
-- **ONLY thing left = browser confirmation.** Hard-refresh entech (DevTools → Empty Cache
-  and Hard Reload), open the systray helpdesk dialog: **My Tickets** should load, and the
-  **New** tab should file a ticket. Both share the now-fixed `_identity()` path, and the
-  systray unread badge calls it too. If anything still errors, the traceback is in
-  `/var/log/odoo/odoo-server.log` on entech (LXC 111 / pve-worker5).
+  ticket, no cross-deployment leak. The "Mine" view for non-admins and the "All" view for
+  the entech owner both populate as expected.
+- **Browser confirmation**: hard-refresh entech (DevTools → Empty Cache and Hard Reload),
+  open the systray helpdesk dialog. The Mine/All toggle appears for the owner; "All" shows
+  all 50 ENTECH tickets, "Mine" shows the count matching the owner's profile email.
+  Tracebacks live in `/var/log/odoo/odoo-server.log` on entech (LXC 111 / pve-worker5).

fusion_helpdesk/__manifest__.py

@@ -3,7 +3,7 @@
 # License OPL-1 (Odoo Proprietary License v1.0)
 {
     'name': 'Fusion Helpdesk Reporter',
-    'version': '19.0.1.4.1',
+    'version': '19.0.1.5.0',
     'category': 'Productivity',
     'summary': 'One-click in-app bug reporting & feature requesting — '
                'auto-creates a helpdesk.ticket on a central Odoo Helpdesk.',

fusion_helpdesk/security/fusion_helpdesk_groups.xml

@@ -15,4 +15,18 @@
         <field name="name">Helpdesk Reporter Admin</field>
         <field name="comment">Can view all tickets filed from this deployment in the in-app helpdesk inbox.</field>
     </record>
+
+    <!--
+        Auto-grant this group to every Odoo system administrator
+        (base.group_system) so the owner of the deployment can immediately
+        see the "All (deployment)" toggle on a fresh install. Without this
+        the group has zero members on install and nobody can use the admin
+        view until an admin manually adds themselves — which is exactly the
+        regression that hid 51 historical tickets from the entech owner.
+        Uses tuple (4, id) so we extend, never replace, base.group_system's
+        existing implied_ids.
+    -->
+    <record id="base.group_system" model="res.groups">
+        <field name="implied_ids" eval="[(4, ref('fusion_helpdesk.group_reporter_admin'))]"/>
+    </record>
 </odoo>