npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.9.0 → 2.10.0 - Mend

@raishin/vanguard-frontier-agentic 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

package/skills/netsuite/netsuite-audit-controls-sox-skill/metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "id": "netsuite-audit-controls-sox-skill",
+  "name": "NetSuite Audit Controls SOX Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Flashlight skill for reviewing NetSuite financial governance and SOX internal control configurations. T0 static review — no live account connection required. TRIGGER when: user asks to review segregation of duties, SoD conflicts, posting period controls, period-close procedures, revenue recognition ",
+  "source_type": "original",
+  "category": "compliance",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://education.oracle.com/oracle-netsuite-accounting-professional/pexam_N16301GC10",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html"
+  ],
+  "security_notes": "Static review only — works exclusively from sanitized configuration excerpts; never requests or accepts credentials, tokens, session IDs, consumer keys, or any authentication material. Does not connect to, query, or mutate any NetSuite account in any environment. Role recommendations explicitly exclude the Administrator role. 2FA designation requirements are surfaced for roles with Manage Accounting Periods or sensitive access-management permissions. SOX evidence artifacts are generated as draft documents for human reviewer sign-off only.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-audit-controls-sox-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-audit-controls-sox-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,66 @@
+# Least-privilege NetSuite posture for NetSuite Audit Controls SOX Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Audit Controls SOX Reviewer (custom)
+- **Copy from standard role:** Accountant (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Financial Management, Accounting, Revenue Recognition, Approval Workflows, Audit Logging
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Manage Accounting Periods** (View) — Inspect posting period lock/unlock status and close calendar without modifying period state
+- **Journal Entries** (View) — Review journal entry records and approval chain history for SOX walkthrough
+- **Vendor Bills** (View) — Inspect AP approval workflow coverage and SoD separation between invoice entry and payment
+- **Revenue Recognition** (View) — Review recognition schedules, deferral accounts, and ASC 606 arrangement allocation
+- **Audit Trail (System Notes)** (View) — Verify field-history tracking completeness across financial transaction types
+- **Workflow** (View) — Inspect approval workflow definitions and step configurations for SOX control evidence
+## Forbidden
+- Administrator role
+- Manage Accounting Periods at Edit or Full level
+- Full access to Journal Entries
+- Access Token Management permission
+- OAuth 2.0 Authorized Applications Management permission
+- View Unencrypted Credit Cards
+- View Unencrypted ACH Account Numbers
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
+- Request involves mutating, deploying, activating, or unlocking any NetSuite configuration in a live or production account — route to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used for integration, review, or period-close operations — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of the AI Specialist or AI Professional certifications as available — those are coming soon; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-audit-controls-sox-skill` — NetSuite Audit Controls SOX Skill

package/skills/netsuite/netsuite-audit-controls-sox-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official Sources
+Oracle NetSuite certification and financial governance help URLs verified in evidence-matrix
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://education.oracle.com/oracle-netsuite-accounting-professional/pexam_N16301GC10
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html

package/skills/netsuite/netsuite-audit-controls-sox-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+NetSuite release cadence notes for posting period engine and approval workflow changes
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-audit-controls-sox-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Pre-submission sanitization checklist for role exports and financial configuration excerpts
+- No live NetSuite connection — all inputs are sanitized configuration excerpts
+- No credentials, tokens, consumer keys, or client secrets in submitted inputs
+- Role recommendations never include the Administrator role
+- 2FA designation verified for roles with Manage Accounting Periods or Access Token Management permissions
+- All SoD findings cite specific permission overlaps from submitted role exports, not from inference alone
+- Approval workflow bypass conditions (e.g., auto-approve for low amounts) are flagged and rated
+## Refusal triggers
+- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
+- Request involves mutating, deploying, activating, or unlocking any NetSuite configuration in a live or production account — route to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used for integration, review, or period-close operations — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of the AI Specialist or AI Professional certifications as available — those are coming soon; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)

package/skills/netsuite/netsuite-audit-controls-sox-skill/references/sox-control-map.md ADDED Viewed

@@ -0,0 +1,13 @@
+# Sox Control Map
+Mapping of SOX Section 302/404 control objectives to NetSuite configuration review areas
+Scope: Validates that NetSuite financial control configurations meet SOX audit requirements: SoD conflicts across AP/AR/GL roles, posting period lock-down rules, multi-step journal entry approval chains, ASC 606 / VSOE revenue recognition setup, and audit trail integrity for all financial transactions.
+- Segregation of duties review — role permission overlap analysis across AP, AR, GL, payroll, and cash management functions
+- Posting period controls — lock/unlock sequencing, who holds Manage Accounting Periods permission, close calendar review
+- Period-close checklist compliance — reconciliation sign-off sequence, pending transaction review, subledger-to-GL tie-out
+- Revenue recognition configuration — deferred revenue schedule design, recognition method, ASC 606 arrangement allocation, VSOE evidence
+- Approval workflow coverage — multi-step approval chains for journal entries, vendor bills, purchase orders, expense reports, and check runs
+- Audit trail integrity — system notes coverage per transaction type, login audit log retention, field-history tracking for sensitive fields
+- Financial control evidence artifacts — generating findings reports suitable for external audit or SOX walkthrough documentation

package/skills/netsuite/netsuite-bi-reporting-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,87 @@
+---
+name: netsuite-bi-reporting-skill
+description: "Reviews and designs NetSuite reports, dashboards, and KPI definitions against BI & Reporting Associate/Specialist standards. Validates data-source scoping, period and subsidiary filters, KPI formula correctness, and financial narrative accuracy. TRIGGER when: user asks to review or design a NetSuite report, dashboard, KPI meter, financial narrative, chart, pivot, or executive summary; phrases include 'build a dashboard', 'review my report', 'create a KPI', 'why does this report show X', 'configure a portlet', 'financial narrative for the board', 'budget vs actual report'. DO NOT TRIGGER when: the request is about saved search criteria or column configuration (use netsuite-saved-searches-workbook-skill), SuiteAnalytics Workbook pivot/table mechanics (use netsuite-saved-searches-workbook-skill), or live execution of queries against a connected NetSuite org."
+license: UPL-1.0
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: data
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite BI Reporting Skill
+## Purpose
+Report and dashboard architecture, KPI configuration, and data-source correctness in NetSuite. Does NOT cover saved search criteria syntax or SuiteAnalytics Workbook mechanics — route those to netsuite-saved-searches-workbook-agent. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User asks to review or create a NetSuite report, dashboard, or KPI definition
+- User needs to validate data-source scoping including subsidiary, period, or currency filters
+- User requests a financial narrative, variance commentary, or board-level summary
+- User asks why a report shows unexpected results and provides configuration details
+- User needs to review report access controls or dashboard sharing settings
+## Recommended Workflow
+1. Step 1 — Gather the report or dashboard configuration excerpt, including type, data source, filters, columns, and KPI formula if applicable.
+2. Step 2 — Identify the intended audience and use case; confirm subsidiary and period scope are explicitly set.
+3. Step 3 — Review data-source correctness: verify the report type matches analytical intent (e.g., Summary vs. Detail vs. Financial Statement).
+4. Step 4 — Validate KPI definitions: formula accuracy, comparison period alignment, and threshold calibration against user-supplied benchmarks.
+5. Step 5 — Assess access controls: confirm report visibility is scoped to intended roles with View-only grants for consumers.
+6. Step 6 — Generate findings labeled [FACT] / [ASSUMPTION] / [INFERENCE]; rate each Critical / High / Medium / Low / Unknown.
+7. Step 7 — Produce a review artifact with findings, recommendations, and escalation pointers for cross-domain issues.
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No live NetSuite connection, credentials, or session tokens used at any point
+- BI & Reporting Professional certification NOT claimed as available — status is UNVERIFIED
+- All KPI formulas and thresholds derived from user-supplied configuration only, never fabricated
+- PII-in-report concerns escalated to netsuite-saved-searches-workbook-agent
+- SOX-evidenced reporting findings escalated to netsuite-audit-controls-sox-agent
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Any credentials, session tokens, API keys, or OAuth secrets included in the request
+- Request to log in to, connect to, or execute queries against a live NetSuite account
+- Request to deploy, publish, schedule, or share a report or dashboard
+- Claim that BI & Reporting Professional certification is currently available — status is UNVERIFIED
+- Request to assume Administrator role or equivalent full-permission role
+- Request involving raw customer PII in report data without explicit sanitization
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — never connects to, queries, or mutates any NetSuite account. No credentials, session tokens, or API keys are requested or processed. All review output is a draft artifact requiring human validation before any dashboard or report is published or shared.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle/NetSuite BI & Reporting certification and documentation URLs
+- [safety-checklist.md](references/safety-checklist.md) — Pre-review safety gates and refusal conditions
+- [least-privilege.md](references/least-privilege.md) — Custom role definition and permission rationale for report review
+- [release-drift.md](references/release-drift.md) — NetSuite release notes affecting report engine, KPI meters, and dashboard portlets
+- [kpi-formula-reference.md](references/kpi-formula-reference.md) — Validated KPI formula patterns and common misconfiguration catalog

package/skills/netsuite/netsuite-bi-reporting-skill/metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "id": "netsuite-bi-reporting-skill",
+  "name": "NetSuite BI Reporting Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Reviews and designs NetSuite reports, dashboards, and KPI definitions against BI & Reporting Associate/Specialist standards. Validates data-source scoping, period and subsidiary filters, KPI formula correctness, and financial narrative accuracy. TRIGGER when: user asks to review or design a NetSuite",
+  "source_type": "adapted",
+  "category": "data",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://education.oracle.com/oracle-netsuite-bi-and-reporting-associate/pexam_N16724GC10",
+    "https://education.oracle.com/oracle-netsuite-bi-and-reporting-specialist/pexam_N16740GC10",
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html"
+  ],
+  "security_notes": "Static review only — never connects to, queries, or mutates any NetSuite account. No credentials, session tokens, or API keys are requested or processed. All review output is a draft artifact requiring human validation before any dashboard or report is published or shared.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-bi-reporting-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "source_attribution": "Adapted from oracle/netsuite-suitecloud-sdk packages/agent-skills/netsuite-finance-analyst (UPL-1.0, Copyright (c) 2019, 2023 Oracle and/or its affiliates). Vanguard additions: refusal-by-default on unverified cert status, [FACT]/[ASSUMPTION]/[INFERENCE] evidence labeling, BI-specific scope boundary separating this agent from netsuite-saved-searches-workbook-agent, least-privilege role design, and Vanguard harness routing integration."
+}

package/skills/netsuite/netsuite-bi-reporting-skill/references/kpi-formula-reference.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Kpi Formula Reference
+Validated KPI formula patterns and common misconfiguration catalog
+Scope: Report and dashboard architecture, KPI configuration, and data-source correctness in NetSuite. Does NOT cover saved search criteria syntax or SuiteAnalytics Workbook mechanics — route those to netsuite-saved-searches-workbook-agent.
+- Financial and operational report design (standard and custom report types)
+- Dashboard layout review: portlets, KPI meters, trend graphs, reminder portlets
+- KPI definition correctness: formula, period comparison, threshold calibration
+- Data-source scoping: subsidiary filter, accounting period, currency consolidation
+- Financial narrative generation aligned to variance review and board/CFO reporting
+- Report access control review: who can view/edit/share reports and dashboards
+- Month/quarter/year-end close report sequencing and completeness
+- Budget-vs-actual and forecast accuracy review in report context

package/skills/netsuite/netsuite-bi-reporting-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,64 @@
+# Least-privilege NetSuite posture for NetSuite BI Reporting Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite BI Reporting Reviewer (custom)
+- **Copy from standard role:** Reports Only (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Reports, Analytics, Financial Statements, Dashboards
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Reports** (View) — Read saved report definitions without modification
+- **Saved Searches** (View) — Inspect saved searches used as report data sources
+- **Dashboards** (View) — Review dashboard layout and portlet configuration
+- **Publish Search** (View) — Verify shared report access settings
+- **General Ledger** (View) — Validate GL-backed KPI data sources
+- **Financial Statements** (View) — Review income statement and balance sheet report definitions
+## Forbidden
+- Administrator role
+- Full permissions to any module
+- Edit or Create on Reports for review-only sessions
+- Access Token Management permission
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Any credentials, session tokens, API keys, or OAuth secrets included in the request
+- Request to log in to, connect to, or execute queries against a live NetSuite account
+- Request to deploy, publish, schedule, or share a report or dashboard
+- Claim that BI & Reporting Professional certification is currently available — status is UNVERIFIED
+- Request to assume Administrator role or equivalent full-permission role
+- Request involving raw customer PII in report data without explicit sanitization
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-bi-reporting-skill` — NetSuite BI Reporting Skill

package/skills/netsuite/netsuite-bi-reporting-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Official Sources
+Oracle/NetSuite BI & Reporting certification and documentation URLs
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://education.oracle.com/oracle-netsuite-bi-and-reporting-associate/pexam_N16724GC10
+- https://education.oracle.com/oracle-netsuite-bi-and-reporting-specialist/pexam_N16740GC10
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html

package/skills/netsuite/netsuite-bi-reporting-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+NetSuite release notes affecting report engine, KPI meters, and dashboard portlets
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-bi-reporting-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Pre-review safety gates and refusal conditions
+- No live NetSuite connection, credentials, or session tokens used at any point
+- BI & Reporting Professional certification NOT claimed as available — status is UNVERIFIED
+- All KPI formulas and thresholds derived from user-supplied configuration only, never fabricated
+- PII-in-report concerns escalated to netsuite-saved-searches-workbook-agent
+- SOX-evidenced reporting findings escalated to netsuite-audit-controls-sox-agent
+## Refusal triggers
+- Any credentials, session tokens, API keys, or OAuth secrets included in the request
+- Request to log in to, connect to, or execute queries against a live NetSuite account
+- Request to deploy, publish, schedule, or share a report or dashboard
+- Claim that BI & Reporting Professional certification is currently available — status is UNVERIFIED
+- Request to assume Administrator role or equivalent full-permission role
+- Request involving raw customer PII in report data without explicit sanitization

package/skills/netsuite/netsuite-data-governance-privacy-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+name: netsuite-data-governance-privacy-skill
+description: "Flashlight skill for auditing PII exposure paths, data retention and purge policies, field-level access restrictions, privacy controls, and export configurations in NetSuite. T0 static review — no live account connection or actual personal data required. TRIGGER when: user asks to review PII field access, audit data retention settings, check field-level security on sensitive records, assess privacy controls, identify PII in saved searches, review export control permissions, or evaluate GDPR/CCPA readiness of a NetSuite configuration. Trigger phrases: PII exposure, field-level security, data retention policy, GDPR compliance, personal data access, export controls, consent tracking, sensitive field access. DO NOT TRIGGER when: the user needs role and permission architecture review beyond PII fields (use netsuite-identity-access-role-permission-skill), SOX audit trail review (use netsuite-audit-controls-sox-skill), integration data-flow security (use netsuite-integration-migration-skill), subsidiary data segregation (use netsuite-oneworld-multisubsidiary-skill), or SuiteScript code PII handling review (use netsuite-suitescript-secure-code-review-skill)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: compliance
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite Data Governance & Privacy Skill
+## Purpose
+Audits NetSuite configurations for PII field exposure, data retention and purge policy coverage, field-level access restrictions on sensitive records, export control enforcement for cross-border data flows, and privacy-relevant saved search and report scoping. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- Auditing which roles and saved searches expose PII fields on employee, customer, contact, or vendor records
+- Reviewing data retention and purge policy coverage for GDPR, CCPA, or other regulatory requirements
+- Assessing field-level access restrictions on sensitive fields such as SSN, bank account numbers, and credit card data
+- Identifying PII exposed in scheduled reports or saved searches distributed to external partners or vendor-center roles
+- Reviewing export control configurations to assess mass-export and CSV-export permission scoping on PII records
+## Recommended Workflow
+1. Step 1 — Gather inputs: request role configuration excerpts for PII-bearing records, saved search audience configs, data retention policy, and export control permission settings
+2. Step 2 — Map PII fields: identify all PII-bearing fields on employee, customer, contact, and vendor records based on provided configuration; flag any field with no field-level security as a finding
+3. Step 3 — Review field-level access: for each PII field, assess which roles have View access and whether that access is operationally justified; flag over-broad access as High
+4. Step 4 — Audit saved searches and reports: identify any search or report including PII fields distributed to roles or audiences beyond operational need; flag as High or Critical
+5. Step 5 — Assess data retention coverage: map configured retention periods to regulatory requirements; flag missing or zero retention configuration as Critical
+6. Step 6 — Review export controls: assess mass-update, CSV-export, and file-cabinet-access permissions on PII records; flag roles with export capability and no documented justification as High
+7. Step 7 — Emit structured findings report: verdict, Critical/High/Medium/Low findings table, safe next actions, and escalation triggers
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No actual personal data (real names, SSNs, emails, phone numbers, bank data) accepted — reject and ask for sanitized or synthetic examples
+- No live NetSuite credentials, tokens, or session cookies accepted
+- View Unencrypted Credit Cards and View Unencrypted ACH Account Numbers permissions are never recommended for any reviewer role
+- All findings labeled [FACT], [ASSUMPTION], or [INFERENCE] with source config reference
+- Any PII exposure to roles with no operational need rated High minimum; exposure to external parties rated Critical
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request provides actual personal data (real names, SSNs, email addresses, phone numbers, bank account numbers, or healthcare data) — refuse immediately, do not log or echo, ask for sanitized version
+- Request provides live NetSuite credentials, session tokens, TBA tokens, OAuth client secrets, or admin passwords — refuse immediately
+- Request asks the agent to use the Administrator role or any role with full account permissions
+- Request asks the agent to directly create, edit, or delete field-security configurations, retention policies, or consent records in a live account
+- Request claims a coming-soon NetSuite certification (AI Specialist, AI Professional, BI & Reporting Professional) is currently available
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only. This agent never accepts, stores, echoes, or processes actual personal data. All inputs containing real PII are refused. No live NetSuite credentials, OAuth tokens, TBA tokens, or session cookies are accepted. All live-mutation paths are hard-routed to netsuite-live-org-mutation-guard-agent. No org connection is established at any point.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle NetSuite roles, permissions, and field-security documentation URLs
+- [safety-checklist.md](references/safety-checklist.md) — Pre-review sanitization requirements for PII-bearing configuration exports
+- [least-privilege.md](references/least-privilege.md) — Custom reviewer role specification for data governance review
+- [release-drift.md](references/release-drift.md) — NetSuite privacy and data retention feature changes by release
+- [pii-field-catalog.md](references/pii-field-catalog.md) — Reference catalog of standard NetSuite PII-bearing fields across employee, customer, contact, and vendor record types

package/skills/netsuite/netsuite-data-governance-privacy-skill/metadata.json ADDED Viewed

@@ -0,0 +1,34 @@
+{
+  "id": "netsuite-data-governance-privacy-skill",
+  "name": "NetSuite Data Governance & Privacy Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Flashlight skill for auditing PII exposure paths, data retention and purge policies, field-level access restrictions, privacy controls, and export configurations in NetSuite. T0 static review — no live account connection or actual personal data required. TRIGGER when: user asks to review PII field a",
+  "source_type": "original",
+  "category": "compliance",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html"
+  ],
+  "security_notes": "Static review only. This agent never accepts, stores, echoes, or processes actual personal data. All inputs containing real PII are refused. No live NetSuite credentials, OAuth tokens, TBA tokens, or session cookies are accepted. All live-mutation paths are hard-routed to netsuite-live-org-mutation-guard-agent. No org connection is established at any point.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-data-governance-privacy-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-data-governance-privacy-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,66 @@
+# Least-privilege NetSuite posture for NetSuite Data Governance & Privacy Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Data Governance Reviewer (custom)
+- **Copy from standard role:** Full Access (standard role — copy and heavily restrict to View-only on configuration objects) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** CRM, HR / Employees, Saved Searches
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Employee Record** (View) — Required to inspect PII field visibility on employee records
+- **Customer** (View) — Required to inspect PII field visibility on customer records
+- **Contact** (View) — Required to inspect PII field visibility on contact records
+- **Saved Searches** (View) — Required to review saved search audience and PII field exposure
+- **Custom Fields** (View) — Required to review custom PII field configurations and field-level security settings
+- **Roles** (View) — Required to review role field-access configurations for PII records
+## Forbidden
+- Administrator role
+- View Unencrypted Credit Cards permission
+- View Unencrypted ACH Account Numbers permission
+- Access Token Management permission
+- Edit or Create level on any PII-bearing record type
+- Mass Update permission
+- CSV Export on employee or customer records without documented justification
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request provides actual personal data (real names, SSNs, email addresses, phone numbers, bank account numbers, or healthcare data) — refuse immediately, do not log or echo, ask for sanitized version
+- Request provides live NetSuite credentials, session tokens, TBA tokens, OAuth client secrets, or admin passwords — refuse immediately
+- Request asks the agent to use the Administrator role or any role with full account permissions
+- Request asks the agent to directly create, edit, or delete field-security configurations, retention policies, or consent records in a live account
+- Request claims a coming-soon NetSuite certification (AI Specialist, AI Professional, BI & Reporting Professional) is currently available
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-data-governance-privacy-skill` — NetSuite Data Governance & Privacy Skill

package/skills/netsuite/netsuite-data-governance-privacy-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Official Sources
+Oracle NetSuite roles, permissions, and field-security documentation URLs
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html

package/skills/netsuite/netsuite-data-governance-privacy-skill/references/pii-field-catalog.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Pii Field Catalog
+Reference catalog of standard NetSuite PII-bearing fields across employee, customer, contact, and vendor record types
+Scope: Audits NetSuite configurations for PII field exposure, data retention and purge policy coverage, field-level access restrictions on sensitive records, export control enforcement for cross-border data flows, and privacy-relevant saved search and report scoping.
+- PII field identification and exposure path review: which records carry PII fields (employee, customer, vendor, contact) and which roles/searches expose them
+- Field-level access restrictions: review of field-level security configurations limiting view/edit on sensitive fields such as SSN, bank account, credit card, and date-of-birth
+- Data retention and purge policy review: assessment of NetSuite data retention settings, archival schedules, and compliance with configured retention periods
+- Privacy controls: review of consent tracking configurations, do-not-contact flags, and marketing opt-out field coverage
+- Saved search and scheduled report PII scoping: identification of searches or reports that expose PII to roles or audiences beyond operational need
+- Export control review: assessment of configurations governing data export to external systems, file cabinet access restrictions, and mass-export permission scoping