feat(skills,cli): dolibarr-sandbox-checkpoint — manage the sandbox iso-prod checkpoint

A skill + CLI group to drive the ADR-0003 sandbox lifecycle, instead of the manual
kubectl/deno/.env dance:

  arcodange sandbox checkpoint status       # liveness + is the write agent armed?
  arcodange sandbox checkpoint refresh --yes # re-seed iso-prod (DESTRUCTIVE, gated)
  arcodange sandbox checkpoint provision     # re-create ai_agent_sandbox (Playwright) + relink
  arcodange sandbox checkpoint relink-env    # rewrite write skill .env from the key + verify

- refresh wraps ops/sandbox/sandbox-lifecycle.sh; requires --yes (it wipes the agent
  too, since iso-prod overwrites llx_user). --db-only skips the documents sync.
- provision runs test/provisionSandbox.ts (you do the admin login — PROD creds,
  iso-prod) then auto-relinks; relink-env writes .env mode 600 and verifies via
  GET /users/info.
- scripts resolve the repo root from ARCO_ROOT (set by bin/arcodange) or their own
  path, so they work via the CLI or standalone.

Tested: status reports armed/not-armed correctly; refresh refuses without --yes
(exit 3); relink-env errors with no key (exit 1); help/usage wired.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

bin/arcodange

@@ -89,6 +89,7 @@ COMMANDS
     creditnote                                     Create an avoir — customer or supplier (kind)
     accounts                                       List bank accounts (id/label) to pick account_id
     write                <METHOD> <path> [body]    Raw host-guarded write
+    checkpoint           status|refresh|provision|relink-env   Manage the iso-prod checkpoint
 
   promote                            Replay a reviewed change-set sandbox -> prod (ADR-0003)
     plan                 <manifest.json>           Human-readable review of the change-set
@@ -288,6 +289,30 @@ EOF
       creditnote) exec "${SKILLS}/dolibarr-sandbox-write/scripts/creditnote-create.sh" "$@" ;;
       accounts)   exec "${SKILLS}/dolibarr-sandbox-write/scripts/bank-accounts.sh"     "$@" ;;
       write)      exec "${SKILLS}/dolibarr-sandbox-write/scripts/dol-write.sh"          "$@" ;;
+      checkpoint)
+        export ARCO_ROOT="${SROOT}"
+        csub="${1:-status}"; shift || true
+        case "${csub}" in
+          status)     exec "${SKILLS}/dolibarr-sandbox-checkpoint/scripts/checkpoint-status.sh"     "$@" ;;
+          refresh)    exec "${SKILLS}/dolibarr-sandbox-checkpoint/scripts/checkpoint-refresh.sh"    "$@" ;;
+          provision)  exec "${SKILLS}/dolibarr-sandbox-checkpoint/scripts/checkpoint-provision.sh"  "$@" ;;
+          relink-env) exec "${SKILLS}/dolibarr-sandbox-checkpoint/scripts/checkpoint-relink-env.sh" "$@" ;;
+          help|-h|--help)
+            cat <<'EOF'
+arcodange sandbox checkpoint — manage the erp-sandbox iso-prod checkpoint (ADR-0003).
+
+  status                      Liveness + whether the write agent is armed (key authenticates)
+  refresh --yes [--db-only]   Re-seed iso-prod from prod (DESTRUCTIVE; wipes the agent too)
+  provision                   Re-create ai_agent_sandbox (Playwright; you log in) + relink .env
+  relink-env                  Rewrite the write skill .env from test/.ai_agent_sandbox.key + verify
+
+Typical reset:   arcodange sandbox checkpoint refresh --yes   then   ... provision
+(provision opens a browser for the admin login — use the PROD admin creds, iso-prod — and auto-relinks the .env)
+EOF
+            ;;
+          *) echo "arcodange sandbox checkpoint: unknown '${csub}' (try 'arcodange sandbox checkpoint help')" >&2; exit 2 ;;
+        esac
+        ;;
       help|-h|--help)
         cat <<'EOF'
 arcodange sandbox — WRITE operations against erp-sandbox (rehearsal ONLY).
@@ -303,9 +328,11 @@ Each subcommand reads a JSON object on stdin (or a file path arg).
   creditnote   avoir (credit note) referencing a source invoice
                echo '{"socid":42,"source_invoice":19,"validate":true,"lines":[...]}' | arcodange sandbox creditnote
   write        raw host-guarded write   arcodange sandbox write POST /thirdparties '{"name":".."}'
+  checkpoint   manage the iso-prod checkpoint (status|refresh|provision|relink-env)
+               arcodange sandbox checkpoint status
 
 Needs .claude/skills/dolibarr-sandbox-write/.env (DOLIBARR_SANDBOX_URL + _API_KEY).
-See dolibarr-sandbox-write/SKILL.md.
+See dolibarr-sandbox-write/SKILL.md and dolibarr-sandbox-checkpoint/SKILL.md.
 EOF
         ;;
       *) echo "arcodange sandbox: unknown subcommand '${sub}' (try 'arcodange sandbox help')" >&2; exit 2 ;;