fix: harden spp_alerts module for public release

Address 78 findings from staff engineer and UX expert reviews:

Security:
- Remove user browse record from safe_eval domain context (SE-1)
- Add _check_company_auto and check_company on rule_id (SE-20)
- Add domain filter validation constraint on save (SE-21)

Bug fixes:
- Fix priority ordering: add priority_sequence stored computed field
  so alerts sort critical > high > medium > low (SE-22)
- Add state guard on action_acknowledge (only active alerts) (SE-5)
- Add state guard on action_resolve (already-resolved raises) (SE-5)
- Remove resolution_notes required attribute that blocked form saves

Models:
- Add mail.thread on alert rules with tracking on key fields (SE-24)
- Add res_name computed field for source record display name (UX-5)
- Add action_view_source, action_view_related_alerts methods
- Add model_name related field for domain widget (SE-R2-8)
- Add alert_count computed field with action_view_alerts (UX-14)
- Extract _domain_eval_context helper to remove duplication
- Fix _prepare_alert_vals to conditionally include threshold_value
- Use named placeholders in translation strings

Views:
- Add kanban view with state grouping, progressbar, dropdown actions
- Add stat buttons: View Source, Related Alerts on alert form
- Add stat button: alert count on rule form
- Add resolution guidance banner on Resolution tab
- Add domain widget for rule filter configuration
- Add chatter on rule form
- Add named groups throughout for downstream extensibility
- Fix group-by to use <group name="groupby"> (Odoo 19)
- Fix Resolve button visibility for resolve-from-active flow
- Add hotkeys, sample data, decorations, optional columns
- Use fully qualified group references in all views

Tests:
- Replace skipTest guards with env.ref for vocab codes
- Add 29 new tests (104 total, ~99% model coverage)
- Fix 2 tests broken by new domain validation constraint

Description:
- Rewrite DESCRIPTION.md to match actual implementation
- Rename ACL entry IDs to follow access_{model}_{group} convention
- Remove empty assets from manifest

Author: gonzalesedwin1123

spp_alerts/README.rst

@@ -23,22 +23,26 @@ OpenSPP Alerts
 |badge1| |badge2| |badge3|
 
 Generic alert engine for threshold monitoring, expiry tracking, and
-deadline management. Provides base models and state machine for alert
-lifecycle tracking. Consumer modules (like ``spp_drims``) extend these
-models and implement evaluation logic to generate alerts based on
-domain-specific conditions.
+deadline management. Evaluates configurable rules on a daily schedule or
+on-demand and generates alerts when conditions are met. Consumer modules
+(like ``spp_drims``) extend these models to add domain-specific fields.
 
 Key Capabilities
 ~~~~~~~~~~~~~~~~
 
-- Track alert lifecycle through state machine: active → acknowledged →
-  resolved
-- Record resolution details including user, timestamp, and notes
-- Classify alerts by type using ``spp.vocabulary`` codes (threshold,
-  expiry, deadline, manual, system)
-- Prioritize alerts as low, medium, high, or critical
-- Send mail notifications via ``mail.thread`` integration
-- Auto-generate alert references in ALR-YYYY-NNNNN format
+- Define alert rules with threshold or date conditions against any model
+- Evaluate rules via daily cron or "Run Now" button
+- Compare numeric fields using 5 operators: <, <=, >, >=, =
+- Check date/datetime fields against a days-before window
+- Prevent duplicates: skip records with existing active/acknowledged
+  alerts
+- Filter monitored records using a visual domain builder
+- Track alert lifecycle: active → acknowledged → resolved
+- Record resolution details: user, timestamp, and notes
+- Navigate from alert to source record via stat button
+- Classify alerts by type using ``spp.vocabulary`` codes
+- Prioritize as low, medium, high, or critical
+- Auto-generate references in ``ALR-YYYY-NNNNN`` format
 
 Key Models
 ~~~~~~~~~~
@@ -47,10 +51,10 @@ Key Models
 | Model              | Description                                     |
 +====================+=================================================+
 | ``spp.alert``      | Alert instance with state tracking and          |
-|                    | resolution workflow                             |
+|                    | resolution audit                                |
 +--------------------+-------------------------------------------------+
-| ``spp.alert.rule`` | Rule configuration for monitoring criteria and  |
-|                    | thresholds                                      |
+| ``spp.alert.rule`` | Rule configuration with evaluation engine and   |
+|                    | scheduling                                      |
 +--------------------+-------------------------------------------------+
 
 Configuration
@@ -59,40 +63,44 @@ Configuration
 After installing:
 
 1. Navigate to **Settings > Technical > Alerts > Alert Rules**
-2. Create rules specifying alert type, priority, threshold values, and
-   days before deadline
-3. Consumer modules implement checking logic (e.g., cron jobs or event
-   handlers) to evaluate rules and create alerts
+2. Create rules: select model, rule type (threshold/date), and
+   conditions
+3. The daily cron "Alerts: Evaluate Alert Rules" is active by default
 
 UI Location
 ~~~~~~~~~~~
 
 - **Menu**: Settings > Technical > Alerts > Alerts
 - **Configuration**: Settings > Technical > Alerts > Alert Rules
-- **Form Tabs**: Details, Resolution (alerts); Thresholds (rules)
+- **Views**: List, kanban (grouped by state), and form
+- **Alert form tabs**: Details, Resolution
+- **Rule form**: Description above tabs; Evaluation tab with settings +
+  domain builder
 
 Security
 ~~~~~~~~
 
-=================================== ====================================
-Group                               Access
-=================================== ====================================
-``spp_alerts.group_alerts_viewer``  Read alerts
-``spp_alerts.group_alerts_officer`` Read/Write/Create (no delete) alerts
-``spp_alerts.group_alerts_manager`` Full CRUD on alerts and rules
-=================================== ====================================
++-------------------------------------+----------------------------+-----------+
+| Group                               | Alerts                     | Rules     |
++=====================================+============================+===========+
+| ``spp_alerts.group_alerts_viewer``  | Read                       | Read      |
++-------------------------------------+----------------------------+-----------+
+| ``spp_alerts.group_alerts_officer`` | Read/Write/Create (no      | Read      |
+|                                     | delete)                    |           |
++-------------------------------------+----------------------------+-----------+
+| ``spp_alerts.group_alerts_manager`` | Full CRUD                  | Full CRUD |
++-------------------------------------+----------------------------+-----------+
 
 Extension Points
 ~~~~~~~~~~~~~~~~
 
-- Inherit ``spp.alert`` to add domain-specific fields (e.g., stock
-  levels, document references)
-- Inherit ``spp.alert.rule`` to add custom threshold or evaluation
-  criteria
-- Override ``action_acknowledge()`` or ``action_resolve()`` to add
-  custom workflow steps
-- Consumer modules implement alert checking via cron jobs or event
-  handlers that evaluate rules and call ``create()`` on ``spp.alert``
+- Inherit ``spp.alert`` to add domain-specific fields
+- Inherit ``spp.alert.rule`` to add custom evaluation criteria
+- Override ``_evaluate_threshold()`` or ``_evaluate_date()`` for custom
+  logic
+- Override ``action_acknowledge()`` or ``action_resolve()`` for custom
+  workflows
+- Rules can be configured via UI without code
 
 Dependencies
 ~~~~~~~~~~~~

spp_alerts/__manifest__.py

@@ -32,7 +32,6 @@
         "views/alert_rule_views.xml",
         "views/menus.xml",
     ],
-    "assets": {},
     "application": False,
     "installable": True,
     "auto_install": False,

spp_alerts/models/alert.py

@@ -6,6 +6,13 @@
 
 _logger = logging.getLogger(__name__)
 
+PRIORITY_SEQUENCE = {
+    "low": 1,
+    "medium": 2,
+    "high": 3,
+    "critical": 4,
+}
+
 
 class Alert(models.Model):
     """Generic alert model for monitoring thresholds, expiries, and deadlines.
@@ -25,8 +32,9 @@ class Alert(models.Model):
     _name = "spp.alert"
     _description = "Alert"
     _inherit = ["mail.thread"]
-    _order = "priority desc, create_date desc"
+    _order = "priority_sequence desc, create_date desc"
     _rec_name = "reference"
+    _check_company_auto = True
 
     reference = fields.Char(
         string="Reference",
@@ -47,6 +55,8 @@ class Alert(models.Model):
         help="Type of alert from alert types vocabulary",
     )
 
+    # Named `alert_type` (not `alert_type_code`) for concise domain filtering.
+    # Use `alert_type_id` for the vocabulary record, `alert_type` for the code string.
     alert_type = fields.Char(
         related="alert_type_id.code",
         store=True,
@@ -69,6 +79,16 @@ class Alert(models.Model):
         help="Priority level of the alert",
     )
 
+    priority_sequence = fields.Integer(
+        string="Priority Sequence",
+        compute="_compute_priority_sequence",
+        store=True,
+        help="Numeric ordering of priority for consistent sorting (low=1, medium=2, high=3, critical=4)",
+    )
+
+    # Alert states differ from the standard approval workflow states (draft/pending/approved)
+    # because the alert lifecycle is fundamentally different: alerts are raised, acknowledged,
+    # and resolved — there is no approval decision involved.
     state = fields.Selection(
         [
             ("active", "Active"),
@@ -102,6 +122,7 @@ class Alert(models.Model):
         index=True,
         readonly=True,
         ondelete="set null",
+        check_company=True,
         help="Alert rule that generated this alert (empty for manually created alerts)",
     )
 
@@ -120,6 +141,12 @@ class Alert(models.Model):
         help="Record that triggered this alert",
     )
 
+    res_name = fields.Char(
+        string="Source Record Name",
+        compute="_compute_res_name",
+        help="Display name of the record that triggered this alert",
+    )
+
     # Metrics for threshold and deadline tracking
     current_value = fields.Float(
         string="Current Value",
@@ -164,6 +191,28 @@ class Alert(models.Model):
         help="Company this alert belongs to",
     )
 
+    @api.depends("priority")
+    def _compute_priority_sequence(self):
+        """Compute numeric priority sequence for consistent ordering."""
+        for record in self:
+            record.priority_sequence = PRIORITY_SEQUENCE.get(record.priority, 0)
+
+    def _compute_res_name(self):
+        """Compute the display name of the source record.
+
+        Handles missing models or deleted records gracefully by returning an
+        empty string rather than raising an error.
+        """
+        for record in self:
+            if not record.res_model or not record.res_id:
+                record.res_name = ""
+                continue
+            try:
+                source = self.env[record.res_model].browse(record.res_id)
+                record.res_name = source.display_name if source.exists() else ""
+            except (KeyError, AttributeError):
+                record.res_name = ""
+
     @api.model_create_multi
     def create(self, vals_list):
         """Override create to auto-generate reference from sequence."""
@@ -180,7 +229,13 @@ def action_acknowledge(self):
 
         This is typically the first step in addressing an alert - acknowledging
         that it has been seen and is being investigated.
+
+        Raises:
+            UserError: If the alert is not in the active state.
         """
+        for record in self:
+            if record.state != "active":
+                raise UserError(_("Only active alerts can be acknowledged."))
         self.write({"state": "acknowledged"})
         return True
 
@@ -194,9 +249,13 @@ def action_resolve(self, notes=None):
             bool: True on success
 
         Raises:
-            UserError: If resolution notes are not provided.
+            UserError: If the alert is already resolved or resolution notes are missing.
         """
+        # Fail-fast: if any record in the batch lacks resolution notes, none are resolved.
+        # This prevents partial resolution of related alert batches.
         for record in self:
+            if record.state == "resolved":
+                raise UserError(_("Alert '%s' is already resolved.", record.reference))
             resolution = notes or record.resolution_notes
             if not resolution:
                 raise UserError(_("Please provide resolution notes before resolving the alert."))
@@ -210,3 +269,38 @@ def action_resolve(self, notes=None):
             vals["resolution_notes"] = notes
         self.write(vals)
         return True
+
+    def action_view_related_alerts(self):
+        """Return an action to view other alerts from the same rule.
+
+        Returns:
+            dict: An ir.actions.act_window action dict, or False if no rule is set.
+        """
+        self.ensure_one()
+        if not self.rule_id:
+            return False
+        return {
+            "type": "ir.actions.act_window",
+            "name": _("Related Alerts"),
+            "res_model": "spp.alert",
+            "view_mode": "list,form",
+            "domain": [("rule_id", "=", self.rule_id.id), ("id", "!=", self.id)],
+            "context": {"search_default_filter_active": 1},
+        }
+
+    def action_view_source(self):
+        """Return an action to open the source record in a form view.
+
+        Returns:
+            dict: An ir.actions.act_window action dict, or False if no source is set.
+        """
+        self.ensure_one()
+        if not self.res_model or not self.res_id:
+            return False
+        return {
+            "type": "ir.actions.act_window",
+            "res_model": self.res_model,
+            "res_id": self.res_id,
+            "view_mode": "form",
+            "target": "current",
+        }