feat(skills,cli): dolibarr-sandbox-checkpoint — manage the sandbox iso-prod checkpoint

A skill + CLI group to drive the ADR-0003 sandbox lifecycle, instead of the manual kubectl/deno/.env dance: arcodange sandbox checkpoint status # liveness + is the write agent armed? arcodange sandbox checkpoint refresh --yes # re-seed iso-prod (DESTRUCTIVE, gated) arcodange sandbox checkpoint provision # re-create ai_agent_sandbox (Playwright) + relink arcodange sandbox checkpoint relink-env # rewrite write skill .env from the key + verify - refresh wraps ops/sandbox/sandbox-lifecycle.sh; requires --yes (it wipes the agent too, since iso-prod overwrites llx_user). --db-only skips the documents sync. - provision runs test/provisionSandbox.ts (you do the admin login — PROD creds, iso-prod) then auto-relinks; relink-env writes .env mode 600 and verifies via GET /users/info. - scripts resolve the repo root from ARCO_ROOT (set by bin/arcodange) or their own path, so they work via the CLI or standalone. Tested: status reports armed/not-armed correctly; refresh refuses without --yes (exit 3); relink-env errors with no key (exit 1); help/usage wired. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-30 07:19:59 +02:00
parent d31e995acd
commit 275a59b478
6 changed files with 224 additions and 1 deletions
--- a/.claude/skills/dolibarr-sandbox-checkpoint/scripts/checkpoint-refresh.sh
+++ b/.claude/skills/dolibarr-sandbox-checkpoint/scripts/checkpoint-refresh.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Re-seed erp-sandbox to a clean iso-prod checkpoint (ADR-0003). Wraps
+# ops/sandbox/sandbox-lifecycle.sh.
+#
+# DESTRUCTIVE: wipes ALL sandbox data — including the ai_agent_sandbox write user
+# and its API key (iso-prod overwrites llx_user with prod's). After it completes
+# you MUST re-provision:  arcodange sandbox checkpoint provision
+#
+#   checkpoint-refresh.sh --yes            # db re-seed + documents (logo) sync
+#   checkpoint-refresh.sh --yes --db-only  # db re-seed only (skip documents)
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT="${ARCO_ROOT:-$(cd "${SCRIPT_DIR}/../../../.." && pwd)}"
+LIFECYCLE="${ROOT}/ops/sandbox/sandbox-lifecycle.sh"
+[[ -f "${LIFECYCLE}" ]] || { echo "checkpoint-refresh: missing ${LIFECYCLE}" >&2; exit 1; }
+
+MODE="refresh"; YES=0
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --yes) YES=1; shift ;;
+    --db-only) MODE="refresh-from-prod"; shift ;;
+    *) echo "checkpoint-refresh: unknown arg '$1'" >&2; exit 2 ;;
+  esac
+done
+
+if [[ "${YES}" != "1" ]]; then
+  cat >&2 <<EOF
+checkpoint-refresh: this WIPES all erp-sandbox data and re-seeds iso-prod from prod.
+  - the ai_agent_sandbox write user + its key are wiped → you re-provision after
+  - prod is read ONLY (structural guarantee, ADR-0003); only the sandbox is written
+Re-run with --yes to proceed. Then: arcodange sandbox checkpoint provision
+EOF
+  exit 3
+fi
+
+echo ">>> re-seeding erp-sandbox (${MODE}) — ~2-3 min (scale-down, pg_dump prod, restore, scale-up)"
+bash "${LIFECYCLE}" "${MODE}"
+echo
+echo ">>> iso-prod checkpoint restored. The write agent was wiped — bring it back with:"
+echo "      arcodange sandbox checkpoint provision"