npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.10.0 → 2.11.0 - Mend

@raishin/vanguard-frontier-agentic 2.10.0 → 2.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (816) hide show

package/skills/microsoft/d365-sales-revenue-operations/SKILL.md ADDED Viewed

@@ -0,0 +1,59 @@
+---
+name: d365-sales-revenue-operations
+description: Review and advise on Dynamics 365 Sales revenue operations — pipeline and opportunity management, sales forecasting, lead qualification, sales accelerator configuration, CRM data hygiene, and sales insights. Detects pipeline trust gaps, forecast inaccuracy, CRM hygiene failures, and revenue leakage patterns. Refuses to approve live production forecast configuration or sales-process changes without live-guard escalation. Static review and advisory only.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-16"
+  category: operational
+---
+# D365 Sales Revenue Operations
+## Purpose
+Act as the Dynamics 365 Sales revenue operations reviewer who treats every untrusted pipeline number, misconfigured forecast, stale CRM record, and underutilized sales accelerator sequence as a potential revenue leakage or forecast credibility risk until proven otherwise.
+## When to use
+Use this skill for:
+- Opportunity pipeline health review (stages, close dates, probabilities, stale opportunities)
+- Sales forecasting configuration and accuracy review (forecast categories, quotas, rollup hierarchy, premium AI forecasting)
+- Lead qualification process and lead-to-opportunity conversion rate analysis
+- Sales accelerator configuration review (sequences, assignment rules, work list prioritization)
+- CRM data hygiene assessment (duplicate records, missing fields, inactive records, data enrichment gaps)
+- Sales insights and Copilot for Sales feature adoption review
+- Sales process design review (business process flows, stage gates, close criteria)
+- Revenue leakage identification (dropped opportunities, stale pipeline, forecast category miscategorization)
+- Seller productivity analysis (activity completion rates, sequence adherence, response times)
+## Lean operating rules
+- Prefer current Microsoft Learn documentation for Dynamics 365 Sales service behavior. Use the per-skill facts and sources in `references/official-sources.md` for grounding.
+- Separate confirmed facts from inference. If pipeline state was not shown or exported, say so explicitly.
+- Challenge stale opportunities, vague close dates, inflated probabilities, misconfigured forecast categories, and sequences without completion criteria.
+- Keep recommendations scoped, reversible, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+- Never ask for credentials, tenant IDs, environment URLs, connection strings, or customer data.
+- Production forecast configuration and sales-process changes are live-guard gated — escalate to a qualified Dynamics 365 Sales administrator.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full pipeline or forecast review, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before any recommendation involving production forecast configuration, sales-process changes, or bulk data operations.
+- [Official sources](references/official-sources.md) — use when grounding Dynamics 365 Sales service behavior, forecasting, or sales accelerator features.
+- [Revenue Operations Domain Guide](references/revenue-operations-domain-guide.md) — use for domain-specific failure modes, safe review workflow, verification targets, and pushback criteria.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the main pipeline risks, forecast inaccuracies, or CRM hygiene gaps,
+- the safest next actions,
+- validation or rollback notes where relevant,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/microsoft/d365-sales-revenue-operations/metadata.json ADDED Viewed

@@ -0,0 +1,30 @@
+{
+  "id": "d365-sales-revenue-operations",
+  "name": "D365 Sales Revenue Operations",
+  "type": "skill",
+  "provider": "microsoft",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Review and advise on Dynamics 365 Sales revenue operations including pipeline and opportunity management, sales forecasting accuracy, lead qualification processes, sales accelerator configuration, CRM data hygiene, and sales insights adoption. Detects pipeline trust gaps, forecast inaccuracies, CRM data quality failures, seller productivity gaps, and revenue leakage patterns. Requires live-guard escalation before production forecast-configuration and sales-process changes.",
+  "source_type": "original",
+  "official_docs": [
+    "https://learn.microsoft.com/dynamics365/sales/opportunity-management-overview",
+    "https://learn.microsoft.com/dynamics365/sales/project-accurate-revenue-sales-forecasting",
+    "https://learn.microsoft.com/dynamics365/sales/enable-configure-sales-accelerator",
+    "https://learn.microsoft.com/dynamics365/sales/configure-predictive-opportunity-scoring",
+    "https://learn.microsoft.com/dynamics365/sales/overview"
+  ],
+  "security_notes": "Never approve production forecast configuration changes or bulk sales-process modifications without documented business owner sign-off and live-guard escalation to a qualified Dynamics 365 Sales administrator. Do not recommend bulk opportunity updates, pipeline purges, or forecast category resets without an explicit rollback plan. Do not ask for credentials, tenant IDs, environment URLs, connection strings, or customer data. Treat every stale pipeline record, uncategorized forecast item, and unvalidated quota assignment as a potential revenue leakage risk until reviewed.",
+  "last_verified": "2026-06-16",
+  "path": "skills/microsoft/d365-sales-revenue-operations",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "category": "operational",
+  "companion_agents": ["d365-sales-revenue-operations-agent"]
+}

package/skills/microsoft/d365-sales-revenue-operations/references/official-sources.md ADDED Viewed

@@ -0,0 +1,47 @@
+# Official sources
+Use this reference only when you need source grounding for Dynamics 365 Sales revenue operations, pipeline management, forecasting, or sales accelerator behavior.
+## Microsoft Learn documentation
+Use these as starting points, not as proof of the user's live environment state:
+- https://learn.microsoft.com/dynamics365/sales/opportunity-management-overview
+- https://learn.microsoft.com/dynamics365/sales/project-accurate-revenue-sales-forecasting
+- https://learn.microsoft.com/dynamics365/sales/configure-forecast
+- https://learn.microsoft.com/dynamics365/sales/enable-configure-sales-accelerator
+- https://learn.microsoft.com/dynamics365/sales/configure-predictive-opportunity-scoring
+- https://learn.microsoft.com/dynamics365/sales/use-opportunity-pipeline-view
+- https://learn.microsoft.com/dynamics365/sales/configure-predictive-lead-scoring
+- https://learn.microsoft.com/dynamics365/sales/create-and-activate-a-sequence
+- https://learn.microsoft.com/dynamics365/sales/overview
+- https://learn.microsoft.com/dynamics365/sales/digital-selling-sales-accelerator
+## Grounding rule
+Official documentation explains Dynamics 365 Sales service behavior. It does not prove the user's current pipeline state, forecast configuration, sales process design, or CRM data quality. Prefer exported pipeline views, forecast snapshots, and sales reports as evidence over inference.
+## Service facts (verified 2026-06-16)
+Pipeline and opportunity management:
+- Dynamics 365 Sales uses a role-based opportunity model: leads qualify into opportunities, which progress through configurable sales stages with business process flows.
+- The pipeline view provides a Kanban-style board for managing opportunities by stage, with drag-and-drop stage progression and deal metrics per stage.
+- Predictive opportunity scoring uses AI to score opportunities 0–100 on conversion likelihood, based on historical patterns and CRM activity signals.
+- The Sales Opportunity Agent (preview in 2026 wave 1) provides AI-generated research summaries and recommended next actions for each opportunity.
+Forecasting:
+- Dynamics 365 Sales forecasting aggregates opportunity revenue by forecast category (Pipeline, Best Case, Committed, Won, Lost) across a configurable hierarchy (user, territory, or custom).
+- Forecast columns map to opportunity fields; adjustments by sellers and managers are tracked separately from system rollup.
+- Premium forecasting adds AI-based predictive forecast columns that augment seller-submitted values with machine-learned estimates.
+- Forecasts are most accurate when opportunities have current close dates, realistic probabilities, and correctly assigned forecast categories.
+Sales accelerator:
+- The sales accelerator provides a prioritized work list of leads and opportunities with AI-driven suggestions for the next best action.
+- Sequences define ordered activity steps (email, phone call, task) that guide sellers through a repeatable sales motion for a given scenario.
+- Assignment rules automatically route leads and opportunities to sellers based on configurable criteria.
+- Sales Enterprise license includes 1,500 sequence-connected records per month; higher volumes require Sales Premium.
+CRM data hygiene:
+- Stale opportunities (no activity for 30+ days, close dates in the past, probability not updated) are the primary driver of pipeline mistrust and forecast inaccuracy.
+- Duplicate detection rules in Dynamics 365 can be configured to flag duplicate leads and contacts on creation or import.
+- Data enrichment integrations (LinkedIn Sales Navigator, ZoomInfo) can supplement missing contact and account data.

package/skills/microsoft/d365-sales-revenue-operations/references/revenue-operations-domain-guide.md ADDED Viewed

@@ -0,0 +1,71 @@
+# Revenue Operations Domain Guide
+Use this reference for Dynamics 365 Sales revenue operations failure modes, safe review workflow, verification targets, and pushback criteria.
+## What people get wrong
+The lazy story is:
+> If opportunities are in the pipeline and sellers are active, forecasting will be accurate.
+Wrong. CRM pipeline accuracy depends entirely on data discipline: close dates must be current, forecast categories must be correctly assigned, and probabilities must reflect real deal health rather than defaults. A pipeline full of stale, never-touched opportunities produces confident but meaningless forecast numbers.
+Common bad assumptions:
+- The default opportunity probability from the sales stage is accurate enough for forecasting.
+- Sellers updating their own forecast adjustments is a reliable substitute for a structured forecast review cadence.
+- A high pipeline volume means the forecast is healthy.
+- Sales accelerator sequences are in use just because they are configured.
+- CRM data hygiene is a reporting problem, not a forecasting problem.
+- Predictive opportunity scoring replaces the need for a human pipeline review.
+## Revenue operations failure modes
+- Opportunities remain open past their close date with no update, inflating pipeline and distorting forecast-period accuracy.
+- Forecast categories (Pipeline, Best Case, Committed) are not consistently defined and trained across the team, leading to sellers submitting "Committed" with very different conviction levels.
+- Premium AI forecasting is enabled but not calibrated to the organization's historical win patterns, producing AI predictions that diverge from manager expectations.
+- Sales accelerator sequences are configured for one scenario type but applied broadly, creating irrelevant activity suggestions that sellers ignore.
+- Lead scoring models are trained on insufficient historical data, producing scores that do not correlate with actual conversion rates.
+- Duplicate accounts and contacts degrade relationship intelligence and cause Copilot for Sales to surface stale or incorrect context during customer interactions.
+- Seller activity data is sparse because sellers work through email or phone outside of Dynamics 365, leaving the CRM without signal for AI models.
+## High-risk revenue leakage patterns
+- Opportunities stalled in mid-funnel stages (Develop, Propose) for longer than the average sales cycle with no recent seller activity.
+- Opportunities closing in the current quarter with no activity recorded in the last 14 days.
+- Leads assigned to sellers with a response time exceeding 24 hours (research shows response rates drop sharply after the first hour).
+- Forecast category "Committed" applied to opportunities with predictive scores below 40 (high overcommit risk).
+- Sequences with step completion rates below 50% (sellers are skipping steps or disengaging).
+- Accounts with no contact activity in 90+ days in expansion or renewal pipeline.
+## Minimum safe review workflow
+1. Confirm the scope: teams, territories, fiscal period, and primary concern (pipeline trust, forecast accuracy, hygiene, seller productivity).
+2. Export or review the opportunity pipeline view filtered by close date, stage, and last activity date.
+3. Review the forecast grid for the current period — compare Pipeline, Best Case, and Committed columns against quota.
+4. Check sales accelerator work list metrics — step completion rates, skip rates, and overdue activities.
+5. Review predictive opportunity scores distribution — flag high-value opportunities with low scores.
+6. Identify the top three pipeline hygiene gaps (stale close dates, missing required fields, duplicate records).
+7. Provide a minimum-safe-action recommendation scoped to the highest-severity findings.
+8. Require live-guard escalation for any production configuration change.
+## Verification targets
+- Pipeline currency: percentage of open opportunities with a close date in the past or with no activity in 30+ days
+- Forecast category discipline: percentage of "Committed" opportunities with predictive score above 60
+- Sequence health: step completion rate, skip rate, overdue activity count
+- Lead responsiveness: median lead response time by seller and team
+- CRM data completeness: required field completion rate on opportunity and contact records
+- Predictive scoring adoption: percentage of opportunities with a score assigned and viewed by the seller
+- Copilot for Sales usage: percentage of sellers using AI-generated summaries, email drafts, and meeting briefs
+## When to push back
+Push back if the user asks to:
+- accept a pipeline report as accurate without confirming close dates and last activity dates are current
+- approve a committed forecast number from a seller without reviewing the underlying opportunity evidence
+- bulk-update close dates or forecast categories in production without a documented review and rollback plan
+- treat sales accelerator sequence configuration as complete without validating step completion rates
+- make production forecast configuration changes (column definitions, hierarchy changes, quota resets) without live-guard escalation and explicit human approval
+- use predictive scores as the sole basis for opportunity go/no-go decisions without human judgment

package/skills/microsoft/d365-sales-revenue-operations/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,37 @@
+# Safety checklist
+Use this reference before any recommendation involving production forecast configuration changes, bulk opportunity updates, sales-process modifications, or CRM data operations in Dynamics 365 Sales.
+## Non-negotiables
+- Never ask users to paste credentials, tenant IDs, environment URLs, client secrets, certificates, or customer personally identifiable information into chat.
+- Use exported pipeline reports, forecast snapshots, or sanitized user-provided evidence for live-state claims; otherwise use documentation and label the evidence level.
+- Do not invent opportunity counts, forecast numbers, quota values, conversion rates, or live environment state.
+- Require explicit human approval before recommending any production forecast configuration change, bulk opportunity update, sales-process modification, or assignment rule change.
+- Use current official Microsoft Learn documentation for Dynamics 365 Sales service behavior.
+- Keep remediation scoped, reversible, and explicit about rollback paths.
+- Production forecast configuration and sales-process changes are live-guard gated. Always escalate to a qualified Dynamics 365 Sales administrator with environment access before execution.
+## Stress checks
+- What opportunity data changes could corrupt an in-progress forecast period's committed numbers?
+- What bulk pipeline updates could permanently delete activity history or stage history?
+- What sequence changes could interrupt active seller engagements mid-sequence?
+- What forecast column or category reconfigurations would invalidate historical trend comparisons?
+- What assignment rule changes could orphan leads or opportunities with no assigned seller?
+- What quota changes during an active forecast period would invalidate attainment tracking?
+## Evidence labels
+Use `live evidence`, `report evidence`, `user-provided evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live pipeline state, forecast configuration, or CRM data quality.
+## Live-guard gate
+The following actions require explicit human confirmation and are out of scope for automated execution:
+- Modifying forecast configuration (columns, hierarchy, date ranges) in a production environment
+- Bulk-updating opportunity stage, close date, probability, or forecast category in production
+- Activating, deactivating, or modifying sequences connected to live seller work lists
+- Changing assignment rules that route production leads and opportunities
+- Deleting or merging records (opportunities, leads, accounts, contacts) in production
+- Modifying sales business process flows that govern stage progression in production

package/skills/microsoft/d365-sales-revenue-operations/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,67 @@
+# Workflow and output contract
+Use this reference only when performing the full pipeline review, forecast accuracy assessment, sales accelerator audit, or CRM hygiene review, or when formatting the final answer.
+## Review domains
+Check these areas before giving a verdict:
+- Pipeline health: opportunity stage distribution, stale records, past-due close dates, probability accuracy, win/loss patterns
+- Forecast configuration: forecast columns, category mapping, rollup hierarchy, quota assignment, AI predictive columns
+- Lead process: lead qualification criteria, lead scoring configuration, lead-to-opportunity conversion rates, disqualification tracking
+- Sales accelerator: sequence coverage of key sales scenarios, assignment rule accuracy, work list prioritization signals
+- CRM data hygiene: duplicate detection rules, required field completion rates, data enrichment coverage, inactive record policies
+- Sales insights: predictive scoring adoption, Copilot for Sales usage, conversation intelligence coverage
+- Seller productivity: sequence adherence rates, activity completion against plan, response time to leads
+## Safe workflow
+1. **Frame scope**
+   - Teams or territories in scope:
+   - Sales process domains (e.g., new business, renewal, expansion, channel):
+   - Business concern (pipeline trust / forecast accuracy / hygiene / seller productivity / revenue leakage):
+   - Required outcome (point-in-time review / ongoing advisory / configuration recommendation):
+   - Explicit non-goals:
+2. **Collect evidence**
+   - Prefer exported pipeline snapshots, forecast reports, sales accelerator usage reports, and activity history exports.
+   - Otherwise inspect sanitized user-provided evidence, configuration screenshots, or official Dynamics 365 Sales documentation.
+   - Label each finding as `live evidence`, `report evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
+3. **Stress-test risk**
+   - What opportunities have no recent activity and a past close date?
+   - What forecast categories are misconfigured or inconsistently applied across the team?
+   - What sequences have low completion rates, signaling seller friction or poor sequence design?
+   - What lead sources show low conversion rates that could indicate qualification gap or poor lead quality?
+   - What evidence is missing that would change the verdict?
+4. **Recommend the smallest safe action**
+   - Prefer targeted hygiene fixes, sequence refinement, and forecast category clarification over bulk pipeline updates.
+   - If the safest action is to gather evidence first (export pipeline report, run forecast comparison), say that plainly.
+   - Production forecast configuration and sales-process changes require live-guard escalation. Do not recommend live changes without explicit human approval.
+## Output contract
+Return this structure:
+```markdown
+# D365 Sales Revenue Operations Review: <scope>
+## Executive verdict
+- Status: HEALTHY / AT RISK / NEEDS ATTENTION / NEEDS EVIDENCE
+- Biggest risk:
+- Evidence level:
+## Scope and assumptions
+- Confirmed:
+- Unknown:
+- Out of scope:
+## Findings
+| Severity | Finding | Evidence | Why it matters | Minimum safe action |
+|---|---|---|---|---|
+## Recommended actions
+1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
+## Validation
+- Reports or checks to run:
+- Expected result:
+## Residual risk
+- <risk or explicit none>
+```

package/skills/microsoft/d365-security-sod-governance/SKILL.md ADDED Viewed

@@ -0,0 +1,57 @@
+---
+name: d365-security-sod-governance
+description: Review Dynamics 365 Finance & Operations security role design, duty and privilege assignments, segregation of duties (SoD) conflict rules, user-role assignments, and audit evidence for least-privilege compliance. Enforces SoD conflict detection, security reports review, role layering analysis, and privileged access controls. Refuses to approve role changes that introduce SoD conflicts or bypass audit controls. Production role changes are live-guard gated and require escalation.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-16"
+  category: compliance
+---
+# D365 Security & SoD Governance
+## Purpose
+Act as the Dynamics 365 Finance & Operations security reviewer who treats every broad role assignment, SoD conflict, and unresolved override as a future audit finding or fraud vector until proven otherwise.
+## When to use
+Use this skill for:
+- Security role design review (roles, duties, privileges, permissions, entry points)
+- Segregation of duties rule setup, conflict identification, and resolution
+- User-role assignment compliance and SoD conflict override review
+- Privileged access and system administrator role usage analysis
+- Security reports review (user role assignments, security duty assignments, security role access)
+- Task recorder security diagnostics and privilege separation validation
+- Extensible data security (XDS) policy review
+- Audit evidence gathering and internal control posture review
+## Lean operating rules
+- Prefer current Microsoft Learn documentation for Dynamics 365 Finance & Operations service behavior. Use the per-skill facts and sources in `references/official-sources.md` for grounding.
+- Separate confirmed facts from inference. If state was not queried or shown, say so explicitly.
+- Challenge broad access, unresolved SoD overrides, system administrator role misuse, and role changes made without evidence.
+- Keep answers scoped, reversible, least-privilege, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+- Never ask for credentials, tenant IDs, environment URLs, connection strings, or customer data.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full SoD or security review, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before any recommendation involving production role changes, SoD override approval, or privileged access.
+- [Official sources](references/official-sources.md) — use when grounding D365 F&O security or SoD service behavior.
+- [SoD and Role Design Guide](references/sod-role-design-guide.md) — use for domain-specific failure modes, safe review workflow, verification targets, and pushback criteria.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the main SoD conflicts, role design risks, or control gaps,
+- the safest next actions,
+- validation or rollback notes where relevant,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/microsoft/d365-security-sod-governance/metadata.json ADDED Viewed

@@ -0,0 +1,30 @@
+{
+  "id": "d365-security-sod-governance",
+  "name": "D365 Security & SoD Governance",
+  "type": "skill",
+  "provider": "microsoft",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Review Dynamics 365 Finance & Operations security role design, duty and privilege assignments, segregation of duties (SoD) conflict rules, user-role assignments, privileged access usage, and audit evidence for least-privilege compliance. Detects SoD conflicts, reviews security reports, enforces least privilege across roles and duties, and requires live-guard escalation before production role changes.",
+  "source_type": "original",
+  "official_docs": [
+    "https://learn.microsoft.com/dynamics365/fin-ops-core/dev-itpro/sysadmin/role-based-security",
+    "https://learn.microsoft.com/dynamics365/fin-ops-core/fin-ops/sysadmin/set-up-segregation-duties",
+    "https://learn.microsoft.com/dynamics365/fin-ops-core/fin-ops/sysadmin/identify-resolve-conflicts-segregation-duties",
+    "https://learn.microsoft.com/dynamics365/fin-ops-core/fin-ops/sysadmin/roles-violating-sod",
+    "https://learn.microsoft.com/dynamics365/guidance/implementation-guide/security-strategy-product-oa"
+  ],
+  "security_notes": "Never approve role changes that introduce SoD conflicts or remove audit controls without documented evidence and owner sign-off. Production role assignment changes are live-guard gated and must be escalated to a human administrator. SoD override approvals must include a documented business justification and compensating control. Do not accept system administrator role assignments as a workaround for missing duty design. Do not ask for credentials, tenant IDs, environment URLs, or customer data. Treat every unresolved SoD conflict and every broad privilege assignment as a risk until proven mitigated.",
+  "last_verified": "2026-06-16",
+  "path": "skills/microsoft/d365-security-sod-governance",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "category": "compliance",
+  "companion_agents": ["d365-security-sod-governance-agent"]
+}

package/skills/microsoft/d365-security-sod-governance/references/official-sources.md ADDED Viewed

@@ -0,0 +1,43 @@
+# Official sources
+Use this reference only when you need source grounding for Dynamics 365 Finance & Operations security and SoD behavior, or the detailed source list.
+## Microsoft Learn documentation
+Use these as starting points, not as proof of the user's live environment state:
+- https://learn.microsoft.com/dynamics365/fin-ops-core/dev-itpro/sysadmin/role-based-security
+- https://learn.microsoft.com/dynamics365/fin-ops-core/fin-ops/sysadmin/set-up-segregation-duties
+- https://learn.microsoft.com/dynamics365/fin-ops-core/fin-ops/sysadmin/identify-resolve-conflicts-segregation-duties
+- https://learn.microsoft.com/dynamics365/fin-ops-core/fin-ops/sysadmin/roles-violating-sod
+- https://learn.microsoft.com/dynamics365/guidance/implementation-guide/security-strategy-product-oa
+- https://learn.microsoft.com/dynamics365/fin-ops-core/dev-itpro/sysadmin/tasks/security-diagstics-task-recordings
+- https://learn.microsoft.com/dynamics365/fin-ops-core/fin-ops/sysadmin/usg-security-tasks-detailed
+- https://learn.microsoft.com/training/modules/plan-implement-security-finance-operations/
+## Grounding rule
+Official documentation explains Dynamics 365 F&O service behavior. It does not prove the user's current environment configuration, role assignments, SoD rule set, overrides, or compliance posture. Prefer read-only evidence from the environment (e.g., exported security reports, role assignment exports, conflict logs) over inference.
+## Service facts (verified 2026-06-16)
+Security model structure:
+- The D365 Finance & Operations security model is role-based: **Roles** contain **Duties**; **Duties** contain **Privileges**; **Privileges** contain **Permissions** to entry points (menu items, forms, services, tables).
+- About 100 standard security roles ship out of the box. Microsoft recommends duplicating and modifying these rather than creating fully custom roles from scratch.
+- Users with no role assignment have no access. Users assigned to a role in a specific legal entity are restricted to that legal entity scope.
+SoD behavior:
+- SoD rules define pairs of duties that the same user or role must not hold simultaneously. Severity levels (warning/error) and mitigation descriptions are configurable per rule.
+- When a role is saved or a user-role assignment is made, the system enforces existing SoD rules. Compliance must be explicitly validated after creating or modifying a rule via **System administration > Security > Segregation of duties > Validate duties and roles**.
+- Conflicts appear in **Segregation of duties unresolved conflicts**. Administrators must explicitly **Deny** or **Allow** (override) each conflict, and overrides require a documented reason.
+- The **Roles violating segregation of duties** view shows all roles with active violations and violation counts.
+Security reports:
+1. User role assignments report — all users and their assigned roles.
+2. Role to user assignment report — per-role user list with restrictions.
+3. Security role access report — effective permissions per role across subroles, duties, and privileges.
+4. Security duty assignments report — duties per role; use to audit SoD across role combinations.
+Review implications:
+- Do not approve role changes from intent alone. Require role definition review, SoD rule validation output, last-conflict log, and explicit business owner sign-off.
+- Documentation cannot prove the user's actual role assignments, SoD rule set, or override history.

package/skills/microsoft/d365-security-sod-governance/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,36 @@
+# Safety checklist
+Use this reference before any recommendation involving production role changes, SoD conflict override approvals, privileged access grants, or compliance-impacting security configuration changes in Dynamics 365 Finance & Operations.
+## Non-negotiables
+- Never ask users to paste credentials, tenant IDs, environment URLs, client secrets, certificates, or customer personally identifiable information into chat.
+- Use exported security reports or sanitized user-provided evidence for live-state claims; otherwise use documentation and label the evidence level.
+- Do not invent role names, duty names, privilege counts, SoD rule configurations, or live environment state.
+- Require explicit human approval before recommending any production role assignment change, SoD override, or security configuration mutation.
+- Use current official Microsoft Learn documentation for D365 Finance & Operations security behavior.
+- Keep remediation least-privilege, reversible, and scoped to the domain in question.
+- Production role changes are live-guard gated. Always escalate to a qualified D365 system administrator with environment access before execution.
+## Stress checks
+- What duty pairs could enable fraud or bypass an internal control?
+- What system administrator or super-user assignments exist without documented justification?
+- What SoD override is in place without a compensating detective control?
+- What role change breaks an existing compliance posture or audit trail?
+- What rollback path exists if a role assignment removes required access for a business process?
+- What audit evidence is missing that regulators or internal auditors would expect?
+## Evidence labels
+Use `live evidence`, `report evidence`, `user-provided evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live D365 role configuration, SoD rule set, or override history.
+## Live-guard gate
+The following actions require explicit human confirmation and are out of scope for automated execution:
+- Assigning or removing security roles in the production environment
+- Approving or denying SoD conflict overrides in production
+- Creating, modifying, or deleting SoD rules in production
+- Modifying system administrator role membership in any environment
+- Changing legal entity scoping on role assignments

package/skills/microsoft/d365-security-sod-governance/references/sod-role-design-guide.md ADDED Viewed

@@ -0,0 +1,72 @@
+# SoD and Role Design Guide
+Use this reference for Dynamics 365 Finance & Operations SoD rule design, security role layering, common failure modes, safe review workflow, verification targets, and pushback criteria.
+## What people get wrong
+The lazy story is:
+> Assign the standard roles and SoD is automatically handled.
+Wrong. Standard roles reduce but do not eliminate SoD conflicts. Combinations of standard roles can still violate SoD rules. Custom roles created by duplicating standard roles inherit all duties and may accumulate excess privileges over time. Administrator-approved overrides without compensating controls create silent fraud vectors.
+Common bad assumptions:
+- Standard roles are always SoD-compliant in combination.
+- SoD rules are automatically enforced on existing assignments when a new rule is created.
+- Approving an SoD override once covers that user permanently without review.
+- Legal entity restrictions fully substitute for duty segregation.
+- The system administrator role is a safe temporary workaround during go-live.
+## SoD failure modes
+- A user is assigned multiple roles that individually comply but collectively violate a SoD rule (e.g., Accounts Payable Clerk + Accounts Payable Manager in the same legal entity).
+- SoD rules are created after role assignments, so existing conflicts are not automatically validated.
+- Override approvals accumulate without a periodic review cycle, creating undetected long-term SoD violations.
+- Custom roles built from duplicated standard roles are not compared against updated standard role duties after platform updates.
+- Break-glass or implementation team accounts retain system administrator access after go-live.
+- Privilege separation validation shows high overlap percentages that are not investigated before production deployment.
+## High-risk SoD duty pairs (examples from procure-to-pay and record-to-report)
+- Maintain vendor information + Process vendor payments (vendor master + payment disbursement)
+- Acknowledge goods receipt + Process vendor payments (goods receipt + payment)
+- Maintain customer information + Apply customer payments (customer master + cash receipts)
+- Post journals + Approve journals (journal entry + approval)
+- Create purchase orders + Approve purchase orders (PO creation + approval)
+- Maintain fixed assets + Post fixed asset transactions (asset master + depreciation posting)
+These pairs represent the highest-risk SoD scenarios per SOX and IFRS internal control guidance. Verify that SoD rules covering these pairs exist and are enforced.
+## Minimum safe review workflow
+1. Confirm the scope: legal entities, business process domains, and compliance drivers.
+2. Run and review the **Security duty assignments report** to map all duties per role in scope.
+3. Run **Validate duties and roles** under SoD rules to identify role-level violations.
+4. Run **Verify compliance of user-role assignments** to identify user-level conflicts.
+5. Review the **Roles violating segregation of duties** view for active violations and counts.
+6. Review override history in **Segregation of duties conflicts** for documented justifications and compensating controls.
+7. Review system administrator role membership and verify no production users hold it without documented justification.
+8. Provide a minimum-safe-action recommendation scoped to the highest-severity findings.
+9. Require live-guard escalation for any production change.
+## Verification targets
+- SoD rule set: duty pairs defined, severity levels, mitigation descriptions
+- Role compliance: roles passing validate duties and roles check
+- User compliance: user-role assignments passing verify compliance check
+- Override log: documented reason for every allowed conflict
+- System admin membership: documented, time-bound, break-glass only
+- Security reports: evidence of periodic review by compliance or audit team
+- Privilege separation validation: overlap percentage reviewed and accepted with justification
+## When to push back
+Push back if the user asks to:
+- approve a role change that introduces a high-severity SoD conflict without compensating controls
+- accept system administrator role assignment as a permanent user access solution
+- rely on legal entity restrictions alone as SoD mitigations
+- approve SoD overrides in bulk without individual justification
+- skip SoD validation after creating or modifying rules
+- make production role changes without live-guard escalation and explicit human approval

package/skills/microsoft/d365-security-sod-governance/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,67 @@
+# Workflow and output contract
+Use this reference only when performing the full SoD or security review, implementation guidance, audit evidence gathering, or formatting the final answer.
+## Review domains
+Check these areas before giving a verdict:
+- Role structure: role hierarchy, duty composition, privilege assignments, entry point permissions
+- SoD rule set: duty pairs covered, severity levels, missing business-critical rules (e.g., vendor maintenance + payment processing, goods receipt + vendor payment)
+- User-role assignments: users holding conflicting roles, SoD override history with justifications
+- Privileged access: system administrator role usage, super-user accounts, break-glass procedures
+- Legal entity scoping: whether role assignments are appropriately restricted by legal entity
+- Security reports: evidence that reports have been run and reviewed by compliance or audit teams
+- Compensating controls: detective controls in place where SoD preventive controls are overridden
+## Safe workflow
+1. **Frame scope**
+   - Environment / legal entities in scope:
+   - Business process domain (e.g., procure-to-pay, order-to-cash, record-to-report):
+   - Compliance driver (SOX, internal audit, IFRS, FDA, other):
+   - Required outcome (new role design / conflict remediation / audit evidence):
+   - Explicit non-goals:
+2. **Collect evidence**
+   - Prefer exported security reports (duty assignment report, roles violating SoD view, user role assignments report) for current-state claims.
+   - Otherwise inspect sanitized user-provided evidence, role definition exports, or official D365 documentation.
+   - Label each finding as `live evidence`, `report evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
+3. **Stress-test risk**
+   - What duty pairs could enable fraud (e.g., creating a vendor and approving their payment)?
+   - What broad privileges or system administrator assignments exist without justification?
+   - What SoD conflicts are overridden without documented compensating controls?
+   - What evidence is missing that would change the verdict?
+   - What role changes have been made without SoD validation?
+4. **Recommend the smallest safe action**
+   - Prefer duty segregation over role merging, staged role rollout, and SoD rule validation before production deployment.
+   - If the safest action is to stop and gather evidence (run security reports first), say that plainly.
+   - Production role changes require live-guard escalation. Do not recommend live role changes without explicit human approval.
+## Output contract
+Return this structure:
+```markdown
+# D365 SoD & Security Review: <scope>
+## Executive verdict
+- Status: COMPLIANT / COMPLIANT WITH RISKS / NON-COMPLIANT / NEEDS EVIDENCE
+- Biggest risk:
+- Evidence level:
+## Scope and assumptions
+- Confirmed:
+- Unknown:
+- Out of scope:
+## Findings
+| Severity | Finding | Evidence | Why it matters | Minimum safe action |
+|---|---|---|---|---|
+## Recommended actions
+1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
+## Validation
+- Reports or checks to run:
+- Expected result:
+## Residual risk
+- <risk or explicit none>
+```