feat(plating-sec): SO confirm gate + fix _administrator typo + Python sweep

Phase G of permissions overhaul.

G2: sale.order.action_confirm now requires group_fp_sales_manager
(spec Section 2.B). Sales Reps can save drafts but cannot move SOs
to 'sale' state. UserError raised with clear message if attempted.

G3: Fixed audit-finding-11 typo bug in 2 files. The original code
checked has_group('fusion_plating.group_fusion_plating_administrator'),
an xmlid that has NEVER existed - so the gate always returned False
and only the Manager-side check actually fired. Fixed both:
  - fusion_plating_invoicing/models/res_partner.py:34
  - fusion_plating_configurator/wizard/fp_direct_order_wizard.py:467
Both now check has_group('fusion_plating.group_fp_manager') which
transitively includes Owner via implied_ids.

G4: Swept all Python has_group() calls to reference new group xmlids.
Backward-compat keeps old refs working today (Phase A's implied_ids),
but the sweep ensures correctness after the 30-day rollback window
deletes old groups. Replacements:
  group_fusion_plating_operator    -> group_fp_technician
  group_fusion_plating_supervisor  -> group_fp_shop_manager_v2
  group_fusion_plating_manager     -> group_fp_manager
  group_fusion_plating_admin       -> group_fp_owner
  group_fusion_plating_cgp_officer -> group_fp_quality_manager
  group_fusion_plating_cgp_designated_official -> group_fp_owner
  group_fp_estimator               -> group_fp_sales_rep
  group_fp_accounting              -> group_fp_manager
  group_fp_receiving               -> group_fp_shop_manager_v2
  group_fp_shop_manager (legacy)   -> group_fp_manager

G1: test_sales_manager_gate.py covers the new confirm gate (SR
blocked, SMg allowed, Manager allowed via diamond implication).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_plating/fusion_plating_configurator/__manifest__.py

@@ -5,7 +5,7 @@
 
 {
     'name': 'Fusion Plating — Configurator',
-    'version': '19.0.21.8.3',
+    'version': '19.0.21.8.4',
     'category': 'Manufacturing/Plating',
     'summary': 'Quotation configurator with part catalog, coating configs, and formula-based pricing engine.',
     'description': """

fusion_plating/fusion_plating_configurator/models/fp_serial.py

@@ -212,7 +212,7 @@ class FpSerial(models.Model):
         correction is needed (e.g. wrong serial marked shipped). Audit
         trail preserved via chatter; never silently rewrites history."""
         for rec in self:
-            if not self.env.user.has_group('fusion_plating.group_fusion_plating_manager'):
+            if not self.env.user.has_group('fusion_plating.group_fp_manager'):
                 from odoo.exceptions import UserError
                 raise UserError(_(
                     'Only the Plating Manager group can reopen a terminal '

fusion_plating/fusion_plating_configurator/models/sale_order.py

@@ -3,7 +3,8 @@
 # License OPL-1 (Odoo Proprietary License v1.0)
 # Part of the Fusion Plating product family.
 
-from odoo import api, fields, models
+from odoo import _, api, fields, models
+from odoo.exceptions import UserError
 
 
 class SaleOrder(models.Model):
@@ -835,6 +836,17 @@ class SaleOrder(models.Model):
     # Auto-assigned once at confirm so every confirmed line has one; still
     # editable afterwards (clearable, overridable to match a customer scheme).
     def action_confirm(self):
+        # Phase G of permissions overhaul: only Sales Manager+ can confirm
+        # Sale Orders. Sales Rep can save drafts but cannot move them to
+        # 'sale' state. The has_group() check resolves True for Sales Manager,
+        # Manager (implies Sales Manager via diamond), Quality Manager
+        # (implies Manager), and Owner (implies Quality Manager) — see
+        # spec Section 2.B.
+        if not self.env.user.has_group('fusion_plating.group_fp_sales_manager'):
+            raise UserError(_(
+                'Only Sales Manager or higher can confirm Sale Orders. '
+                'Please ask a Sales Manager to confirm this quote.'
+            ))
         res = super().action_confirm()
         Sequence = self.env['ir.sequence']
         for so in self:

fusion_plating/fusion_plating_configurator/wizard/fp_direct_order_wizard.py

@@ -458,14 +458,13 @@ class FpDirectOrderWizard(models.Model):
         # Resolved through commercial_partner so a hold on the company
         # blocks every child-contact entry too.
         commercial = self.partner_id.commercial_partner_id
-        # Bypass: Plating Manager OR Plating Administrator. Both checked
-        # because Odoo's implied_ids cascade (Administrator → Manager)
-        # doesn't always propagate to existing users on upgrade. See
-        # CLAUDE.md "Implied group cascade" rule.
-        can_override = (
-            self.env.user.has_group('fusion_plating.group_fusion_plating_manager')
-            or self.env.user.has_group('fusion_plating.group_fusion_plating_administrator')
-        )
+        # Bypass: Plating Manager (or anything above — Quality Manager,
+        # Owner — via the Phase A implied_ids diamond). Phase G fix:
+        # old code also checked 'group_fusion_plating_administrator',
+        # an xmlid that never existed and always returned False
+        # (audit-finding-11). The Manager check alone is now correct
+        # because Manager → Quality Manager → Owner via Phase A.
+        can_override = self.env.user.has_group('fusion_plating.group_fp_manager')
         if (getattr(commercial, 'x_fc_account_hold', False)
                 and not self.env.context.get('fp_skip_account_hold')
                 and not can_override):