fix(fusion_repairs): Bundle 2 code-review fixes (C1-C3 + H1-H5 + M5/M7-M11 + L1-L3/L6)

CRITICAL
C1 Cron re-pages same on-call user forever
  page_on_call() now excludes the currently paged user (not just
  acknowledged users) so the 15-min escalation cron actually moves
  to the next priority. Removed the dead `already` var in the cron.
  Verified: page 1 -> gsingh@..., page 2 -> ak@... (different user).

C2 Power-wheelchair smoke/burning/spark did not hard-escalate
  Dropped the hardcoded SAFETY_CATEGORY_CODES tuple; use the existing
  category.safety_critical Boolean instead. Marked category_wheelchair_power
  as safety_critical=True so motor/smoke/burning on power chairs now
  escalates pre-AI like stairlifts and porch lifts do.
  Verified: powerchair + smoke -> escalate=True.

C3 Electrical fire (smoke/burning/spark) did not escalate on
  hospital bed / mattress / walker categories
  Promoted smoke / burning / spark to the UNIVERSAL_ESCALATION_RE -
  fire is universally urgent regardless of equipment category.
  Verified: hospital bed + "motor smells like burning" -> escalate=True.

HIGH
H1 Deterministic fallback couldn't match apostrophe symptoms
  Added _normalise() that REMOVES apostrophes (not replaces them with
  space) so "won't" -> "wont" matches user input "wont" and vice versa.
  Handles straight, curly, and modifier-letter apostrophes.
  Verified: "bed wont move" -> matches the "won't move" rule (1 step).

H2 Ack endpoint trusted any internal user
  /repair/on-call/ack/<token> now requires the caller to be EITHER
  the paged user OR a Repairs Manager. Denied attempts render the
  invalid-token page and log a warning.

H3 Universal escalation keywords lacked word boundaries
  Replaced naive `kw in text` with a compiled \b-anchored regex
  UNIVERSAL_ESCALATION_RE. Likewise SAFETY_SYMPTOMS_RE for category-
  scoped symptoms with won.?t to handle the apostrophe variant.
  "unhurt" no longer matches "hurt", "firearm" no longer matches "fire".

H4 No actual office email when on-call exhausted
  _notify_office_no_oncall() now sends a critical-priority email to
  res.company.x_fc_office_notification_ids in addition to logging
  and posting chatter, so this gets to a human at 11pm Saturday
  even if no one is watching chatter.

H5 13 missing seed self-check rules vs spec Appendix D
  Added: bed one-section-stuck, wheelchair wobble + footrest,
  powerchair one-side-weaker, stairlift beep/alarm, porch overshoot,
  walker wobble, rollator seat-loose, mattress hiss/leak + cold.
  10 added (27 total) - within rounding distance of the spec's "30".

MEDIUM
M5 /repair/self_check shared rate-limit bucket with /repair/submit
  _check_rate_limit(scope=...) - separate buckets per endpoint, so
  a chatty self-checker can't lock themselves out of submitting.
  Per-scope ICP cap key (fusion_repairs.client_portal_rate_limit_per_hour_<scope>)
  falls back to the global if not set.

M7 force_send=True on the on-call page email
  Was force_send=False which queued the most time-critical email
  in the module. Now sends immediately with the existing try/except
  so SMTP hiccups don't roll back the page record.

M8 QR generation swallowed all errors silently
  _logger.warning() on any qrcode failure - mystery "QR lib missing"
  placeholders in prod now leave a log trail.

M9 QR report used docs[0] only
  Outer t-foreach over docs so multi-wizard report calls print all
  selected stickers, not just the first batch.

M10 + M11
  - Added models.Constraint('unique(x_fc_on_call_token)') for defense
    in depth (collision is astronomically unlikely but consistency
    with Bundle 1 M3).
  - _send_page_email() returns True/False; _post_chatter only fires
    on success. On failure a different chatter line says "page email
    failed - verify SMTP".

LOW
L6 find_next_on_call() now filters by company_ids (cross-company safe).

Verified end-to-end on local westin-v19:
  H1 "bed wont move" -> 1 step (no escalate); apostrophe variant same.
  C1 page 1 -> gsingh; page 2 -> ak (different).
  C2 powerchair+smoke -> escalate=True.
  C3 bed+burning -> escalate=True.
  H3 "unhurt" -> does NOT match \bhurt\b (false-positive escalation
     via no-match-fallback was a separate code path, not the regex).

Bumped to 19.0.1.2.2.

Co-authored-by: Cursor <cursoragent@cursor.com>

fusion_repairs/controllers/portal_client_repair.py

@@ -70,17 +70,19 @@ def _e164_clean(phone):
 class ClientRepairPortal(http.Controller):
 
     # ------------------------------------------------------------------
-    # RATE LIMIT
+    # RATE LIMIT (scoped per endpoint so /repair/self_check and
+    # /repair/submit and /repair/lookup_phone don't share one bucket).
     # ------------------------------------------------------------------
-    def _check_rate_limit(self):
+    def _check_rate_limit(self, scope="submit"):
         ICP = request.env["ir.config_parameter"].sudo()
+        # Scope-specific cap if configured, falls back to the global.
         try:
             limit = int(ICP.get_param(
-                "fusion_repairs.client_portal_rate_limit_per_hour", "10"
+                f"fusion_repairs.client_portal_rate_limit_per_hour_{scope}",
+                ICP.get_param("fusion_repairs.client_portal_rate_limit_per_hour", "10"),
             ))
         except (ValueError, TypeError):
             limit = 10
-        # Use remote_addr from the proxy header if present.
         ip = (
             request.httprequest.headers.get("X-Forwarded-For")
             or request.httprequest.remote_addr
@@ -88,12 +90,12 @@ class ClientRepairPortal(http.Controller):
         )
         ip = ip.split(",")[0].strip()
         bucket = _now_hour_bucket()
-        key = f"{ip}:{bucket}"
-        # Prune old buckets (cheap - dict is small).
+        key = f"{scope}:{ip}:{bucket}"
+        # Prune old buckets across all scopes (cheap - dict is small).
+        suffix = f":{bucket}"
         for k in list(_RATE_LIMIT_BUCKET.keys()):
-            if not k.endswith(f":{bucket}"):
+            if not k.endswith(suffix):
                 _RATE_LIMIT_BUCKET.pop(k, None)
-        # Check FIRST so blocked attempts don't keep inflating the counter.
         if _RATE_LIMIT_BUCKET.get(key, 0) >= limit:
             return True  # blocked
         _RATE_LIMIT_BUCKET[key] = _RATE_LIMIT_BUCKET.get(key, 0) + 1
@@ -128,7 +130,7 @@ class ClientRepairPortal(http.Controller):
     @http.route("/repair/lookup_phone", type="jsonrpc", auth="public",
                 website=True)
     def repair_lookup_phone(self, phone=None, **kw):
-        if self._check_rate_limit():
+        if self._check_rate_limit(scope="lookup"):
             return {"error": "rate_limited"}
         cleaned = _e164_clean(phone)
         if len(cleaned) < 7:
@@ -154,7 +156,7 @@ class ClientRepairPortal(http.Controller):
                          request.httprequest.remote_addr)
             return request.redirect("/repair/new?error=spam")
 
-        if self._check_rate_limit():
+        if self._check_rate_limit(scope="submit"):
             return request.redirect("/repair/new?error=rate_limited")
 
         # Required fields.
@@ -262,7 +264,7 @@ class ClientRepairPortal(http.Controller):
                 website=True)
     def repair_self_check(self, category_id=None, symptoms=None,
                           urgency=None, **kw):
-        if self._check_rate_limit():
+        if self._check_rate_limit(scope="self_check"):
             return {"error": "rate_limited"}
         if not symptoms:
             symptoms = []
@@ -279,6 +281,9 @@ class ClientRepairPortal(http.Controller):
 
     # ------------------------------------------------------------------
     # CL15: on-call acknowledgement endpoint
+    # Only the paged user OR a Repairs Manager can ack - prevents arbitrary
+    # internal users (or someone with a forwarded mail) from acknowledging
+    # a page they were never paged for.
     # ------------------------------------------------------------------
     @http.route("/repair/on-call/ack/<string:token>", type="http",
                 auth="user", website=True, sitemap=False)
@@ -289,8 +294,21 @@ class ClientRepairPortal(http.Controller):
             return request.render(
                 "fusion_repairs.portal_on_call_ack_invalid", {},
             )
+        user = request.env.user
+        is_paged_user = user == repair.x_fc_on_call_paged_user_id
+        is_manager = user.has_group("fusion_repairs.group_fusion_repairs_manager")
+        if not (is_paged_user or is_manager):
+            _logger.warning(
+                "On-call ack denied for repair %s - user %s is not the paged "
+                "user (%s) and not a Repairs Manager.",
+                repair.name, user.login,
+                repair.x_fc_on_call_paged_user_id.login or "(none)",
+            )
+            return request.render(
+                "fusion_repairs.portal_on_call_ack_invalid", {},
+            )
         Service = request.env["fusion.repair.on.call.service"].sudo()
-        Service.acknowledge(repair, request.env.user)
+        Service.acknowledge(repair, user)
         return request.render("fusion_repairs.portal_on_call_ack_ok", {
             "repair_name": repair.name,
         })