erp/.claude/skills/dolibarr
Gabriel Radureau bbfa50c3eb add dolibarr api skills for read-only inspection
First two of an expected family of dolibarr-* skills:

- dolibarr/: platform reference — DOLAPIKEY auth, the voir_tous ACL
  trap, endpoint catalogue, the dol-curl.sh wrapper, .env credentials
  layout (gitignored, mode 600). Every future workflow skill depends
  on this one.
- dolibarr-invoice-audit/: first workflow — list KissMetrics invoices,
  audit one invoice end-to-end (JSON facts + PDF mandatory-mention
  checklist against the French legal corpus), audit the KissMetrics
  thirdparty record.

Live captures in examples/ include real audit findings to surface
to the Arcodange × KissMetrics cohort review: PDFs are missing
capital social, L.441-10 penalties, 40 € indemnity, L.123-22 / R.123-237;
KissMetrics thirdparty has no EIN (idprof1..6 all empty);
static/config/company.json holds placeholder values and a wrong
forme juridique (claims SAS, the real Dolibarr is SARL).

.gitignore hardened with *.credentials, secrets/, *.key, and an
explicit .claude/skills/**/.env pattern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 18:43:39 +02:00

dolibarr — one-time setup

Skill body: SKILL.md. This README is the human-facing setup checklist.

1. Create .env (mode 600, never committed)

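# Create the file empty with mode 600 first, so the secrets are never written to a file others can read
touch .claude/skills/dolibarr/.env
chmod 600 .claude/skills/dolibarr/.env
cat > .claude/skills/dolibarr/.env <<'EOF'
DOLIBARR_URL=https://erp.arcodange.lab
DOLIBARR_API_KEY=<get from Dolibarr UI: Users → ai_agent → API key>
DOLIBARR_USER=ai_agent
DOLIBARR_PASSWORD=<the ai_agent password, only needed for occasional UI login>
EOF
chmod 600 .claude/skills/dolibarr/.env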

Verify it's gitignored:

git check-ignore .claude/skills/dolibarr/.env   # should print the path

2. Grant ai_agent the four voir_tous permission flags

ai_agent is read-only by design, but Dolibarr's per-record ACL silently filters out invoices and thirdparties unless the voir_tous (see-all) flags are ticked. Without them, /invoices returns [] and /thirdparties returns 404, which looks like an empty database.

In the Dolibarr UI (https://erp.arcodange.lab/ → Setup → Users & Groups → ai_agent → Permissions), tick:

  • Tiers → Lire les tiers
  • Tiers → Voir tous les tiers (et pas seulement ceux liés à l'utilisateur courant)
  • Factures → Lire les factures
  • Factures → Voir toutes les factures (et pas seulement celles liées à l'utilisateur courant)

Save. Future modules used by dolibarr-* sibling skills (Paiements, Produits, …) need the same treatment.

3. Quick-start test

./.claude/skills/dolibarr/scripts/dol-curl.sh /users/info | jq -r .login
# → ai_agent
./.claude/skills/dolibarr/scripts/dol-curl.sh /status
# → {"success":{"code":200,"dolibarr_version":"22.0.4",...}}
./.claude/skills/dolibarr/scripts/dol-curl.sh /thirdparties/1 | jq '{ref, country_code, town}'
# → {"ref":"KissMetrics","country_code":"US","town":"St. Petersburg"}

If the third one returns HTTP 403 "Access not allowed for login ai_agent on this thirdparty", the voir_tous flags from step 2 are missing.

4. Rotating the API key

If the key leaks: Dolibarr UI → Users → ai_agent → API key → Generate new → copy the new value into .env. No other change needed; every dolibarr-* skill picks it up via dol-curl.sh.
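
A preflight check for the .env from step 1, worth re-running after a key rotation. This is an added example, not part of the dolibarr skill: the function names are hypothetical, and it assumes the plain KEY=value layout shown in step 1.

```shell
#!/bin/sh
# Added example, not part of the dolibarr skill. check_dolibarr_env, file_mode
# and fail are hypothetical helper names.

# Permission bits in octal: GNU stat first, BSD/macOS stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

# Prints one line per finding; returns 0 only when the file is clean.
check_dolibarr_env() {
  env_file=$1
  findings=0
  [ -f "$env_file" ] || { fail "$env_file not found"; return 1; }

  mode=$(file_mode "$env_file")
  [ "$mode" = 600 ] || fail "mode is $mode, expected 600"

  # DOLIBARR_PASSWORD is skipped: step 1 marks it as only occasionally needed.
  for key in DOLIBARR_URL DOLIBARR_API_KEY DOLIBARR_USER; do
    value=$(sed -n "s/^$key=//p" "$env_file" | tail -n 1)
    case $value in
      '')   fail "$key is missing or empty" ;;
      '<'*) fail "$key still holds the <...> placeholder from the template" ;;
    esac
  done
  case $(sed -n 's/^DOLIBARR_URL=//p' "$env_file" | tail -n 1) in
    ''|https://*) ;;
    *) fail "DOLIBARR_URL is not https, so the API key would cross the network unencrypted" ;;
  esac

  # Git checks apply only when the file sits inside a work tree.
  dir=$(dirname "$env_file"); base=$(basename "$env_file")
  if command -v git >/dev/null 2>&1 &&
     git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    # A tracked file is already in history: .gitignore no longer protects it.
    if git -C "$dir" ls-files --error-unmatch -- "$base" >/dev/null 2>&1; then
      fail "$env_file is tracked by git; untrack it and rotate the key (step 4)"
    elif ! git -C "$dir" check-ignore -q -- "$base"; then
      fail "$env_file is not matched by any .gitignore rule"
    fi
  fi
  [ "$findings" -eq 0 ]
}

if [ "$#" -gt 0 ]; then check_dolibarr_env "$1"; fi
```

Saved under a name of your choice, it takes the path as its only argument (for example .claude/skills/dolibarr/.env) and exits non-zero on any finding.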

Pointers