feat(test): split env config — .env (prod) vs .env.sandbox (sandbox)

provisionSandbox.ts now loads its own .env.sandbox (via @std/dotenv loadSync)
instead of the shared .env, so prod (main.ts → .env) and sandbox
(provisionSandbox.ts → .env.sandbox) configs don't collide. .gitignore widened
to .env* (keeping .env.example tracked). .env.example rewritten to document the
two-file convention + the per-env kubectl secret sources, including the caveat
that a prod-seeded sandbox uses PROD's admin password.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

test/.env.example

@@ -1,19 +1,27 @@
-# --- Production / default target (main.ts) ---
+# Copy this template to one of:
+#   .env           — production target, loaded by main.ts
+#   .env.sandbox   — sandbox target,    loaded by provisionSandbox.ts
+# Both are gitignored. Never commit real secret values.
+
+# --- Target ---
+# prod:    https://erp.arcodange.lab          (.env)
+# sandbox: https://erp-sandbox.arcodange.lab  (.env.sandbox)
 DOLIBARR_ADDRESS=https://erp.arcodange.lab
-DOLI_DB_PASSWORD=
+
 DOLI_ADMIN_LOGIN=admin
 DOLI_ADMIN_PASSWORD=""
+DOLI_DB_PASSWORD=""
 ROOT_FOLDER=$HOME/erp
 
-# --- Sandbox provisioning (provisionSandbox.ts) ---
+# Populate the passwords from the cluster secrets, e.g. (prod shown):
-# Point at the sandbox and reuse the DOLI_ADMIN_* vars above for the admin login.
+#   DOLI_ADMIN_PASSWORD  <- kubectl get secret secretkv -n erp -o jsonpath='{.data.DOLI_ADMIN_PASSWORD}' | base64 -d
-# Populate from the erp-sandbox namespace secrets (see "Provision the sandbox" in
+#   DOLI_DB_PASSWORD     <- kubectl get secret vso-db-credentials -n erp -o jsonpath='{.data.password}' | base64 -d
-# README.md):
-#   DOLI_ADMIN_PASSWORD  <- secret `secretkv`        (-n erp-sandbox)
-#   DOLI_DB_PASSWORD     <- secret `vso-db-credentials` (-n erp-sandbox)
-# Override DOLIBARR_ADDRESS to the sandbox when running provisionSandbox.ts:
-#   DOLIBARR_ADDRESS=https://erp-sandbox.arcodange.lab
 #
-# Optional: fix the new user's password (otherwise one is generated and only the
+# NOTE for a sandbox SEEDED from prod (ops/sandbox/sandbox-lifecycle.sh): the seed
-# API key is emitted). Never commit a real value here.
+# clones prod's admin password into the sandbox, so .env.sandbox's
+# DOLI_ADMIN_PASSWORD must be PROD's admin password (-n erp), not the sandbox
+# secretkv. The DB password is the sandbox's own (-n erp-sandbox).
+
+# Optional: fix the provisioned user's password (else one is generated and only
+# the API key is emitted to .ai_agent_sandbox.key).
 # AI_AGENT_SANDBOX_PASSWORD=""

test/.gitignore

@@ -1,5 +1,6 @@
-# Secrets — never commit. The root .gitignore already covers .env and *.key;
+# Secrets — never commit. Covers .env (prod, main.ts) and .env.sandbox
-# this is defense-in-depth for the provisioning POC.
+# (sandbox, provisionSandbox.ts), plus any generated *.key.
-.env
+.env*
+!.env.example
 .ai_agent_sandbox.key
 *.key

test/provisionSandbox.ts

@@ -1,4 +1,6 @@
-import "load_dotenv";
+import { loadSync } from "jsr:@std/dotenv";
+// Sandbox provisioning loads its OWN .env.sandbox; prod config stays in .env (main.ts).
+loadSync({ envPath: ".env.sandbox", export: true });
 import { chromium } from "playwright";
 import path from "node:path";
 import login from "./scripts/login.ts";