add dolibarr api skills for read-only inspection

First two of an expected family of dolibarr-* skills: - dolibarr/: platform reference — DOLAPIKEY auth, the voir_tous ACL trap, endpoint catalogue, the dol-curl.sh wrapper, .env credentials layout (gitignored, mode 600). Every future workflow skill depends on this one. - dolibarr-invoice-audit/: first workflow — list KissMetrics invoices, audit one invoice end-to-end (JSON facts + PDF mandatory-mention checklist against the French legal corpus), audit the KissMetrics thirdparty record. Live captures in examples/ include real audit findings to surface to the Arcodange × KissMetrics cohort review: PDFs are missing capital social, L.441-10 penalties, 40 € indemnity, L.123-22 / R.123-237; KissMetrics thirdparty has no EIN (idprof1..6 all empty); static/config/company.json holds placeholder values and a wrong forme juridique (claims SAS, the real Dolibarr is SARL). .gitignore hardened with *.credentials, secrets/, *.key, and an explicit .claude/skills/**/.env pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 18:43:39 +02:00
parent e90ac2df80
commit bbfa50c3eb
18 changed files with 2811 additions and 1 deletions
--- a/.claude/skills/dolibarr/README.md
+++ b/.claude/skills/dolibarr/README.md
@@ -0,0 +1,56 @@
+# dolibarr — one-time setup
+
+Skill body: [SKILL.md](SKILL.md). This README is the human-facing setup checklist.
+
+## 1. Create `.env` (mode 600, never committed)
+
+```bash
+cat > .claude/skills/dolibarr/.env <<'EOF'
+DOLIBARR_URL=https://erp.arcodange.lab
+DOLIBARR_API_KEY=<get from Dolibarr UI: Users → ai_agent → API key>
+DOLIBARR_USER=ai_agent
+DOLIBARR_PASSWORD=<the ai_agent password, only needed for occasional UI login>
+EOF
+chmod 600 .claude/skills/dolibarr/.env
+```
+
+Verify it's gitignored:
+
+```bash
+git check-ignore .claude/skills/dolibarr/.env   # should print the path
+```
+
+## 2. Grant `ai_agent` the four `voir_tous` permission flags
+
+`ai_agent` is read-only by design. But Dolibarr's per-record ACL silently filters out invoices and thirdparties unless the `voir_tous` (see-all) flags are ticked. Without them, `/invoices` returns `[]` and `/thirdparties` returns 404 — looks like an empty database.
+
+In the Dolibarr UI (https://erp.arcodange.lab/ → **Setup → Users & Groups → `ai_agent` → Permissions**), tick:
+
+- [ ] **Tiers** → Lire les tiers
+- [ ] **Tiers** → Voir tous les tiers (et pas seulement ceux liés à l'utilisateur courant)
+- [ ] **Factures** → Lire les factures
+- [ ] **Factures** → Voir toutes les factures (et pas seulement celles liées à l'utilisateur courant)
+
+Save. Future modules used by `dolibarr-*` sibling skills (Paiements, Produits, …) need the same treatment.
+
+## 3. Quick-start test
+
+```bash
+./.claude/skills/dolibarr/scripts/dol-curl.sh /users/info | jq -r .login
+# → ai_agent
+./.claude/skills/dolibarr/scripts/dol-curl.sh /status
+# → {"success":{"code":200,"dolibarr_version":"22.0.4",...}}
+./.claude/skills/dolibarr/scripts/dol-curl.sh /thirdparties/1 | jq '{ref, country_code, town}'
+# → {"ref":"KissMetrics","country_code":"US","town":"St. Petersburg"}
+```
+
+If the third one returns HTTP 403 `Access not allowed for login ai_agent on this thirdparty`, the `voir_tous` flags from step 2 are missing.
+
+## 4. Rotating the API key
+
+If the key leaks: Dolibarr UI → Users → `ai_agent` → API key → **Generate new** → copy the new value into `.env`. No other change needed; every `dolibarr-*` skill picks it up via `dol-curl.sh`.
+
+## Pointers
+
+- Full skill body, endpoint catalogue, gotchas: [SKILL.md](SKILL.md).
+- First workflow skill that depends on this one: [../dolibarr-invoice-audit/SKILL.md](../dolibarr-invoice-audit/SKILL.md).