feat(skills,cli): promote-to-prod replay (ADR-0003 capstone) + supplier payment fix

The human-gated path that carries a reviewed sandbox change to prod.

- promote-plan.sh: render a manifest (JSON array of write ops with symbolic @refs
  instead of ids — portable sandbox->prod) as a human-readable change-set.
- promote-apply.sh <manifest> --target sandbox|prod: replay it, resolving each
  @ref to the id actually created during the run (dependent ops wire up). sandbox
  rehearses via dol-write.sh; prod via dol-prod-write.sh.
- dol-prod-write.sh: the ONLY prod-write path. Prod key read from the ENVIRONMENT
  only (DOLIBARR_PROD_WRITE_KEY, never a stored .env); every write refused unless
  ARCO_PROMOTE_CONFIRM=I-UNDERSTAND-THIS-WRITES-PROD.
- create scripts take a DOL_WRITE override so promote-apply reuses them per target.
- bin/arcodange: `promote {plan|apply}` group + example manifest.
- payment-record.sh: fixed supplier payments (payment_mode_id + closepaidinvoices).

Proven live: plan renders; apply --target sandbox replays a 3-op chain with refs
resolved (@tp1->id, invoice socid=@tp1, payment invoice=@inv1); --target prod
without the confirm flag is REFUSED before sending. Supplier payment now works
end-to-end via the script.

Limitation (documented): manifests reference entities they create (@ref);
pre-existing prod entities need business-key resolution (follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

bin/arcodange

@@ -89,6 +89,10 @@ COMMANDS
     creditnote                                     Create an avoir (credit note) of a source invoice
     write                <METHOD> <path> [body]    Raw host-guarded write
 
+  promote                            Replay a reviewed change-set sandbox -> prod (ADR-0003)
+    plan                 <manifest.json>           Human-readable review of the change-set
+    apply                <manifest.json> [--target sandbox|prod]   Replay it (prod is key+confirm gated)
+
   whoami                                          GET /users/info — confirm auth
   ping                                            GET /status     — liveness + Dolibarr version
   curl                   <path>                   Raw read-only curl through dol-curl.sh
@@ -306,6 +310,31 @@ EOF
     esac
     ;;
 
+  promote)
+    sub="${1:-help}"; shift || true
+    case "${sub}" in
+      plan)  exec "${SKILLS}/dolibarr-sandbox-write/scripts/promote-plan.sh"  "$@" ;;
+      apply) exec "${SKILLS}/dolibarr-sandbox-write/scripts/promote-apply.sh" "$@" ;;
+      help|-h|--help)
+        cat <<'EOF'
+arcodange promote — replay a reviewed sandbox change-set onto a target.
+
+A manifest is a JSON array of write ops with symbolic refs (@name) instead of
+ids, so the same file replays on sandbox or prod (an invoice refs @tp1, its
+just-created thirdparty). See dolibarr-sandbox-write/examples/promote-manifest.json.
+
+  plan   <manifest.json>                    Human-readable review of the change-set
+  apply  <manifest.json> [--target sandbox|prod]
+                                            Replay it (sandbox = rehearse; prod = real)
+
+PROD apply is gated: requires DOLIBARR_PROD_WRITE_KEY + ARCO_PROMOTE_CONFIRM=
+I-UNDERSTAND-THIS-WRITES-PROD in the environment (the prod key is never stored).
+EOF
+        ;;
+      *) echo "arcodange promote: unknown subcommand '${sub}' (try 'arcodange promote help')" >&2; exit 2 ;;
+    esac
+    ;;
+
   whoami)
     exec "${DOLC}" /users/info
     ;;