feat(plating-sec): SO confirm gate + fix _administrator typo + Python sweep

Phase G of permissions overhaul.

G2: sale.order.action_confirm now requires group_fp_sales_manager
(spec Section 2.B). Sales Reps can save drafts but cannot move SOs
to 'sale' state. UserError raised with clear message if attempted.

G3: Fixed audit-finding-11 typo bug in 2 files. The original code
checked has_group('fusion_plating.group_fusion_plating_administrator'),
an xmlid that has NEVER existed - so the gate always returned False
and only the Manager-side check actually fired. Fixed both:
  - fusion_plating_invoicing/models/res_partner.py:34
  - fusion_plating_configurator/wizard/fp_direct_order_wizard.py:467
Both now check has_group('fusion_plating.group_fp_manager') which
transitively includes Owner via implied_ids.

G4: Swept all Python has_group() calls to reference new group xmlids.
Backward-compat keeps old refs working today (Phase A's implied_ids),
but the sweep ensures correctness after the 30-day rollback window
deletes old groups. Replacements:
  group_fusion_plating_operator    -> group_fp_technician
  group_fusion_plating_supervisor  -> group_fp_shop_manager_v2
  group_fusion_plating_manager     -> group_fp_manager
  group_fusion_plating_admin       -> group_fp_owner
  group_fusion_plating_cgp_officer -> group_fp_quality_manager
  group_fusion_plating_cgp_designated_official -> group_fp_owner
  group_fp_estimator               -> group_fp_sales_rep
  group_fp_accounting              -> group_fp_manager
  group_fp_receiving               -> group_fp_shop_manager_v2
  group_fp_shop_manager (legacy)   -> group_fp_manager

G1: test_sales_manager_gate.py covers the new confirm gate (SR
blocked, SMg allowed, Manager allowed via diamond implication).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_plating/fusion_plating_invoicing/__manifest__.py

@@ -5,7 +5,7 @@
 
 {
     'name': 'Fusion Plating — Invoicing',
-    'version': '19.0.3.6.2',
+    'version': '19.0.3.6.3',
     'category': 'Manufacturing/Plating',
     'summary': 'Invoice strategy engine with deposit, progress billing, net terms, COD/prepay, and account holds.',
     'description': """

fusion_plating/fusion_plating_invoicing/models/res_partner.py

@@ -29,10 +29,12 @@ class ResPartner(models.Model):
         See CLAUDE.md "Implied group cascade" rule.
         """
         user = self.env.user
-        return (
-            user.has_group('fusion_plating.group_fusion_plating_manager')
-            or user.has_group('fusion_plating.group_fusion_plating_administrator')
-        )
+        # Phase G: fixed audit-finding-11 — old code referenced
+        # 'fusion_plating.group_fusion_plating_administrator', an xmlid
+        # that never existed, so the gate always returned False. Replaced
+        # with group_fp_manager which transitively implies Owner via
+        # implied_ids in Phase A's diamond hierarchy.
+        return user.has_group('fusion_plating.group_fp_manager')
     x_fc_account_hold_reason = fields.Text(string='Hold Reason')
     x_fc_account_hold_date = fields.Datetime(
         string='Hold Date', help='When the hold was placed.',