feat(plating-sec): SO confirm gate + fix _administrator typo + Python sweep

Phase G of permissions overhaul.

G2: sale.order.action_confirm now requires group_fp_sales_manager
(spec Section 2.B). Sales Reps can save drafts but cannot move SOs
to 'sale' state. UserError raised with clear message if attempted.

G3: Fixed audit-finding-11 typo bug in 2 files. The original code
checked has_group('fusion_plating.group_fusion_plating_administrator'),
an xmlid that has NEVER existed - so the gate always returned False
and only the Manager-side check actually fired. Fixed both:
  - fusion_plating_invoicing/models/res_partner.py:34
  - fusion_plating_configurator/wizard/fp_direct_order_wizard.py:467
Both now check has_group('fusion_plating.group_fp_manager') which
transitively includes Owner via implied_ids.

G4: Swept all Python has_group() calls to reference new group xmlids.
Backward-compat keeps old refs working today (Phase A's implied_ids),
but the sweep ensures correctness after the 30-day rollback window
deletes old groups. Replacements:
  group_fusion_plating_operator    -> group_fp_technician
  group_fusion_plating_supervisor  -> group_fp_shop_manager_v2
  group_fusion_plating_manager     -> group_fp_manager
  group_fusion_plating_admin       -> group_fp_owner
  group_fusion_plating_cgp_officer -> group_fp_quality_manager
  group_fusion_plating_cgp_designated_official -> group_fp_owner
  group_fp_estimator               -> group_fp_sales_rep
  group_fp_accounting              -> group_fp_manager
  group_fp_receiving               -> group_fp_shop_manager_v2
  group_fp_shop_manager (legacy)   -> group_fp_manager

G1: test_sales_manager_gate.py covers the new confirm gate (SR
blocked, SMg allowed, Manager allowed via diamond implication).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_plating/fusion_plating_quality/__manifest__.py

@@ -5,7 +5,7 @@
 
 {
     'name': 'Fusion Plating — Quality (QMS)',
-    'version': '19.0.6.6.5',
+    'version': '19.0.6.6.6',
     'category': 'Manufacturing/Plating',
     'summary': 'Native QMS for plating shops: NCR, CAPA, calibration, AVL, FAIR, '
                'internal audits, customer specs, document control. CE + EE compatible.',

fusion_plating/fusion_plating_quality/models/fp_contract_review.py

@@ -371,7 +371,7 @@ class FpContractReview(models.Model):
     def action_reopen(self):
         """Clear all sign-off data and revert to draft. Manager only."""
         self.ensure_one()
-        if not self.env.user.has_group('fusion_plating.group_fusion_plating_manager'):
+        if not self.env.user.has_group('fusion_plating.group_fp_manager'):
             raise UserError(_(
                 'Only a Plating Manager can re-open a signed Contract Review.'
             ))
@@ -541,7 +541,7 @@ class FpContractReview(models.Model):
         waiting on a designated signer who is away.
         """
         self.ensure_one()
-        if self.env.user.has_group('fusion_plating.group_fusion_plating_manager'):
+        if self.env.user.has_group('fusion_plating.group_fp_manager'):
             return
         allowed = self.company_id._fp_get_qa_signers(section)
         if self.env.user not in allowed: