feat(skills,cli): promote-to-prod replay (ADR-0003 capstone) + supplier payment fix #23

Merged
arcodange merged 1 commits from claude/dolibarr-promote into main 2026-06-29 23:49:23 +02:00

The human-gated path that carries a reviewed sandbox change to prod — the ADR-0003 capstone.

How it works

A manifest is a JSON array of write ops with symbolic refs (@tp1) instead of ids, so the same file replays on sandbox or prod (an invoice references @tp1, the thirdparty created earlier in the run).

| piece | role |
|---|---|
| `promote-plan.sh <manifest>` | human-readable review of the change-set |
| `promote-apply.sh <manifest> --target sandbox\|prod` | replay it, resolving each `@ref` to the id created during the run |
| `dol-prod-write.sh` | the only prod-write path — key from env only (`DOLIBARR_PROD_WRITE_KEY`, never stored), every write refused unless `ARCO_PROMOTE_CONFIRM=I-UNDERSTAND-THIS-WRITES-PROD` |
| `bin/arcodange promote {plan\|apply}` | CLI wiring |

The create scripts gained a DOL_WRITE override so promote-apply reuses them per target.

Proven live

```
plan:                      renders the 3-op change-set for review
apply --target sandbox:    @tp1→18, invoice(socid=@tp1)→24, payment(invoice=@inv1)→10   ✓ refs resolved
apply --target prod (no confirm):  dol-prod-write REFUSED POST /thirdparties before sending   ✓ gate holds
```

Also fixed supplier payments (they need payment_mode_id + closepaidinvoices, not paymentid) — now works end-to-end via the script.

The full safe write path is now closed

rehearse in sandbox (V9) → promote plan (review) → promote apply --target sandbox (dry) → you run --target prod with your prod key + the confirm flag. The agent never holds a prod-write credential.

Limitation (documented): a manifest references entities it creates (@ref); pre-existing prod entities need business-key resolution — a follow-up. Self-contained change-sets replay cleanly today.

🤖 Generated with Claude Code

arcodange added 1 commit 2026-06-29 23:49:13 +02:00
The human-gated path that carries a reviewed sandbox change to prod.

- promote-plan.sh: render a manifest (JSON array of write ops with symbolic @refs
  instead of ids — portable sandbox->prod) as a human-readable change-set.
- promote-apply.sh <manifest> --target sandbox|prod: replay it, resolving each
  @ref to the id actually created during the run (dependent ops wire up). sandbox
  rehearses via dol-write.sh; prod via dol-prod-write.sh.
- dol-prod-write.sh: the ONLY prod-write path. Prod key read from the ENVIRONMENT
  only (DOLIBARR_PROD_WRITE_KEY, never a stored .env); every write refused unless
  ARCO_PROMOTE_CONFIRM=I-UNDERSTAND-THIS-WRITES-PROD.
- create scripts take a DOL_WRITE override so promote-apply reuses them per target.
- bin/arcodange: `promote {plan|apply}` group + example manifest.
- payment-record.sh: fixed supplier payments (payment_mode_id + closepaidinvoices).

Proven live: plan renders; apply --target sandbox replays a 3-op chain with refs
resolved (@tp1->id, invoice socid=@tp1, payment invoice=@inv1); --target prod
without the confirm flag is REFUSED before sending. Supplier payment now works
end-to-end via the script.

Limitation (documented): manifests reference entities they create (@ref);
pre-existing prod entities need business-key resolution (follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
arcodange merged commit 7949ab34f8 into main 2026-06-29 23:49:23 +02:00
arcodange deleted branch claude/dolibarr-promote 2026-06-29 23:49:23 +02:00
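
A sketch of the two mechanisms this PR describes, symbolic `@ref` resolution during replay and the prod-write gate, added here as an example and not the repository's code. The JSON body shape, function names, return codes and the `SENT` counter standing in for the HTTP request are assumptions; only the two environment variable names and the confirm phrase come from the page.

```shell
#!/bin/sh
# Added illustration, not the repository's scripts. Function names, the REFS
# format and the SENT counter (stand-in for the HTTP call) are assumptions.
CONFIRM_PHRASE='I-UNDERSTAND-THIS-WRITES-PROD'
REFS=''   # refs resolved so far, one "name=id" per line
SENT=0    # requests that passed every check

# remember_ref NAME ID: record the id a create op returned on this target.
remember_ref() { REFS="${REFS}$1=$2
"; }

# resolve_refs BODY: replace each quoted "@name" with its recorded id.
# Fails if any "@ref" is left, so a dangling ref never reaches the API.
resolve_refs() {
  body=$1; oldifs=$IFS; IFS='
'
  for pair in $REFS; do
    body=$(printf '%s' "$body" | sed "s/\"@${pair%%=*}\"/${pair#*=}/g")
  done
  IFS=$oldifs
  case $body in
    *'"@'*) echo "UNRESOLVED ref in: $body" >&2; return 2 ;;
  esac
  printf '%s' "$body"
}

# gate TARGET METHOD PATH: sandbox passes; prod needs the key and exact phrase.
gate() {
  [ "$1" = prod ] || return 0
  if [ -z "${DOLIBARR_PROD_WRITE_KEY:-}" ]; then
    echo "REFUSED $2 $3: DOLIBARR_PROD_WRITE_KEY not in environment" >&2; return 3
  fi
  if [ "${ARCO_PROMOTE_CONFIRM:-}" != "$CONFIRM_PHRASE" ]; then
    echo "REFUSED $2 $3: ARCO_PROMOTE_CONFIRM not set to the confirm phrase" >&2; return 4
  fi
}

# write_op TARGET METHOD PATH BODY: resolve refs, pass the gate, only then send.
write_op() {
  resolved=$(resolve_refs "$4") || return $?
  gate "$1" "$2" "$3" || return $?
  SENT=$((SENT + 1)); LAST_BODY=$resolved
}

# Constructed run: the thirdparty create returned id 18 on sandbox.
remember_ref tp1 18
write_op sandbox POST /invoices '{"socid":"@tp1"}' && echo "sandbox: $LAST_BODY"
write_op prod POST /thirdparties '{"name":"Acme"}' || echo "prod write stopped, rc=$?"
```

Refs recorded on one target are only valid for that target's run, which is why the resolver starts from an empty table and fails closed on anything it cannot resolve.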

Reference: arcodange-org/erp#23