feat: Portal, Email Inbound, Discuss + module improvements

- Portal: /my/* routes, signup, password reset, portal user support
- Email Inbound: IMAP polling (go-imap/v2), thread matching
- Discuss: mail.channel, long-polling bus, DM, unread count
- Cron: ir.cron runner (goroutine scheduler)
- Bank Import, CSV/Excel Import
- Automation (ir.actions.server)
- Fetchmail service
- HR Payroll model
- Various fixes across account, sale, stock, purchase, crm, hr, project

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

TODO.md

@@ -0,0 +1,62 @@
+# TODO
+
+> Stand: 2026-04-12
+> Offene Punkte → Details in `open.md`
+
+---
+
+## 🔵 Tech Debt
+
+- [ ] Tax-Logik in Sale und Account zusammenführen → gemeinsames `tax`-Package evaluieren
+- [ ] Domain Parser: Edge Cases bei komplexen Python-Expressions dokumentieren
+- [ ] Floating-Point Präzision bei Tax/Reconciliation nochmal evaluieren (aktuell `::float8`)
+- [ ] Report Wizard: Aged Report + General Ledger auch mit Date-Filter versehen
+- [ ] CRM: `message_subscribe` N+1 → Batch INSERT ON CONFLICT
+
+---
+
+## 📋 Offene Features → `open.md`
+
+Alle offenen Feature-Punkte sind in `open.md` dokumentiert:
+
+- **Odoo Community Core (fehlend):** Portal (XL), Discuss (L), Email Inbound (M)
+- **Frontend / UI Zukunft:** UI modernisieren, View-Format JSON-fähig
+
+---
+
+## IDEEN
+    WEITER ENWICKELUNG DER PLATTFORM
+    - ** Ki/ AI Unterstützung Datenbasierter informationen: ** Daten Analyse (Longterm)
+    - ** SSO / SAML / LADP / WEBDAV**: technologien der verbesserung der plattform
+---
+
+## ✅ Erledigt (Referenz)
+
+### Infrastruktur
+- [x] ORM-Kern (read_group, record rules, domain operators, _inherits, compute, onchange, constraints)
+- [x] JSON-RPC Dispatch (call_kw, call_button, action/run, model/get_definitions)
+- [x] View Inheritance (XPath), get_views, alle View-Typen (list/form/search/kanban/pivot/graph/calendar/activity/dashboard)
+- [x] Session-Persistenz (PostgreSQL), Multi-Company Switcher
+- [x] CSV + XLSX Export, Generic CSV Import, Bank-Statement Import
+- [x] HTML + PDF Reports, Binary Field Serving, SMTP Email
+- [x] Automated Actions Engine (ir.actions.server)
+- [x] Post-Setup Wizard, Database Manager
+- [x] Mail/Chatter (Follower-Notify, Attachments, Thread)
+
+### Security (alle Audits abgeschlossen)
+- [x] ACL Seeds für alle ~167 Models + fail-closed checkAccess
+- [x] CSRF Token (crypto/rand, persisted in DB)
+- [x] SQL Injection Fixes (sanitizeOrderBy, domain rebaseParams)
+- [x] Auth Bypass Fix, Rate Limiting, Session Throttling
+- [x] XSS Fixes (HTML-Escaping in Reports, Emails, Setup Wizard)
+- [x] State Guards (orm.StateGuard), Field-Level ACL
+- [x] Full Codebase Review: 55 Findings gefunden, 48+ gefixt
+
+### Business-Module (alle auf 95%)
+- [x] Account: Reconciliation, Tax, Assets, Budget, Analytics, EDI/UBL, Reports, Partial Payments, Deferred Rev/Exp, Move Templates, Refund Wizard
+- [x] Sale: SO→Invoice→Payment, Templates, Margin, Pricelists, Options, Discount Wizard, Quotation Email, Print/PDF
+- [x] Stock: Quant Reservation, FIFO, Routes, Lot/Serial, Batch, Barcode, Backorder, Forecast, Intrastat, Split Picking
+- [x] Purchase: PO→Bill, 3-Way Match, Agreements, Blanket Orders, Supplier Info, Vendor Lead Time, RFQ Email, Print/PDF
+- [x] CRM: Pipeline, Activities, Scoring, Merge, Dashboard KPIs, Stage Onchange, Team Members, Follower Subscribe
+- [x] HR: Leave Management, Contracts (Lifecycle+Renewal+Cron), Attendance, Expenses→Journal Entry, Payroll Basis, Org Chart, Skills
+- [x] Project: Milestones, Timesheets, Recurrence, Checklists, Sharing, Critical Path, Budget, Workload, Gantt Computes