npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.9.0 → 2.10.0 - Mend

@raishin/vanguard-frontier-agentic 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

package/skills/netsuite/netsuite-evidence-release-drift-skill/metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "id": "netsuite-evidence-release-drift-skill",
+  "name": "NetSuite Evidence Release Drift Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Assigns Vanguard evidence hierarchy labels (LIVE_EVIDENCE through BLOCKED) to NetSuite claims and performs biannual release-drift audits against Oracle NetSuite milestone releases. Tracks SOAP removal (2026.1 REST+OAuth2 default; 2027.1 new SOAP blocked; 2028.2 all SOAP disabled) and TBA deprecation",
+  "source_type": "original",
+  "category": "compliance",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157780312610.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html",
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://education.oracle.com/oracle-netsuite-ai-foundations-associate/pexam_N16765GC10",
+    "https://education.oracle.com/oracle-netsuite-bi-and-reporting-specialist/pexam_N16740GC10"
+  ],
+  "security_notes": "Static review only. This agent reads documentation and agent content files; it never connects to a live NetSuite account, requests credentials, or stores tokens. All evidence labelling operates on sanitized text. No live identity is provisioned. Biannual drift audits are read-only operations against official Oracle/NetSuite documentation domains.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-evidence-release-drift-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-evidence-release-drift-skill/references/evidence-hierarchy.md ADDED Viewed

@@ -0,0 +1,13 @@
+# Evidence Hierarchy
+Full definition and decision rules for each evidence tier from LIVE_EVIDENCE to BLOCKED
+Scope: Apply the Vanguard evidence hierarchy to every NetSuite claim and track drift between documented agent knowledge and Oracle NetSuite release milestones on a biannual cadence. Primary release-sensitive milestones: SOAP 2026.1 (new integrations must use REST+OAuth2), 2027.1 (new SOAP integrations blocked; new TBA-for-SOAP blocked), 2028.2 (all SOAP endpoints disabled).
+- Evidence hierarchy labelling: LIVE_EVIDENCE, REPOSITORY_EVIDENCE, USER_PROVIDED, OFFICIAL_DOCUMENTATION, INFERENCE, UNVERIFIED, BLOCKED
+- Biannual release-drift audit against NetSuite release milestones aligned to Oracle quarterly cadence
+- SOAP removal plan milestone tracking: 2026.1 (new integrations must use REST+OAuth2), 2027.1 (new SOAP and new TBA-for-SOAP blocked), 2025.2 (last planned SOAP endpoint), 2028.2 (all SOAP endpoints disabled)
+- TBA deprecation tracking: no new TBA integrations for SOAP/REST/RESTlets from 2027.1; existing TBA integrations unaffected
+- Certification status tracking: flag coming-soon certifications (AI Specialist/Professional, BI & Reporting Professional) as UNVERIFIED until confirmed
+- OAuth 2.0 sandbox isolation drift: track re-authorization requirements after sandbox refresh per evidence items 8a-8c
+- Authentication method support matrix maintenance: OAuth 2.0 (REST/RESTlets/SuiteAnalytics), TBA (SOAP existing/REST/RESTlets), SOAP auth (user credentials removed at 2020.2 endpoint)

package/skills/netsuite/netsuite-evidence-release-drift-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,58 @@
+# Least-privilege NetSuite posture for NetSuite Evidence Release Drift Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Evidence Reviewer (custom)
+- **Copy from standard role:** No live identity required; custom role based on a copy of the standard Employee Center role if read-only access to Help Center is ever needed (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** NetSuite Help Center (View only)
+- **Two-Factor Authentication required:** Per account policy
+### Minimal permissions
+- **Help (Setup)** (View) — View-only access to NetSuite Help Center for documentation verification; no data access required
+## Forbidden
+- Administrator role
+- Any data-access permission (Transactions, Records, Reports)
+- Access Token Management
+- OAuth 2.0 Authorized Applications Management
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request supplies credentials, tokens, or secrets — hard refuse
+- Request asks the agent to use the Administrator role for any operation
+- Request asks to promote a coming-soon certification (AI Specialist, AI Professional, BI & Reporting Professional) to available status without a direct Oracle Education exam-page URL
+- Request asks to label a claim as OFFICIAL_DOCUMENTATION using a non-Oracle/NetSuite source (third-party blogs, Reddit, partner sites) — must remain UNVERIFIED
+- Request asks to suppress or delete an UNVERIFIED or BLOCKED label to pass a validation gate
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-evidence-release-drift-skill` — NetSuite Evidence Release Drift Skill

package/skills/netsuite/netsuite-evidence-release-drift-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official Sources
+Full source index of Oracle/NetSuite official documentation URLs for all 47 evidence items in the evidence matrix
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157780312610.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://education.oracle.com/oracle-netsuite-ai-foundations-associate/pexam_N16765GC10
+- https://education.oracle.com/oracle-netsuite-bi-and-reporting-specialist/pexam_N16740GC10

package/skills/netsuite/netsuite-evidence-release-drift-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+SOAP removal timeline (2026.1, 2027.1, 2025.2 endpoint, 2028.2), TBA deprecation milestones, certification track status, and biannual audit schedule
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-evidence-release-drift-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Per-claim evidence labelling decision tree and promotion/demotion criteria
+- No credentials, tokens, or secrets are referenced in any claim being labelled
+- No third-party non-Oracle/NetSuite source is used to assign OFFICIAL_DOCUMENTATION label
+- Coming-soon certifications are never promoted to available without a direct Oracle Education exam-page URL
+- SOAP removal timeline milestones (2026.1, 2027.1, 2028.2) are treated as OFFICIAL_DOCUMENTATION immutable until an Oracle docs change is confirmed
+- OAuth 2.0 NOT supported for SOAP (evidence item 3d) is never relabelled or softened
+- Every UNVERIFIED label includes a stated promotion path (what evidence is needed)
+## Refusal triggers
+- Request supplies credentials, tokens, or secrets — hard refuse
+- Request asks the agent to use the Administrator role for any operation
+- Request asks to promote a coming-soon certification (AI Specialist, AI Professional, BI & Reporting Professional) to available status without a direct Oracle Education exam-page URL
+- Request asks to label a claim as OFFICIAL_DOCUMENTATION using a non-Oracle/NetSuite source (third-party blogs, Reddit, partner sites) — must remain UNVERIFIED
+- Request asks to suppress or delete an UNVERIFIED or BLOCKED label to pass a validation gate

package/skills/netsuite/netsuite-financial-foundations-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+name: netsuite-financial-foundations-skill
+description: "Flashlight skill for reviewing NetSuite Accounts Payable, Accounts Receivable, and core accounting configurations aligned to the Financial User (N16599GC10) and Accounting Professional (N16301GC10) certifications. T0 static review — no live account connection required. TRIGGER when: user asks to review AP setup, AR configuration, vendor record defaults, customer invoicing templates, payment terms, chart of accounts structure, accounting preferences, bank account record setup, or period-end reconciliation procedures in NetSuite. Trigger phrases: review AP configuration, check AR setup, audit chart of accounts, validate payment terms, inspect bank account record, period-end reconciliation, accounting preferences review, vendor record defaults. DO NOT TRIGGER when: request involves SOX controls, SoD conflicts, or posting period lock enforcement (escalate to netsuite-audit-controls-sox-agent); multi-subsidiary consolidation (use netsuite-oneworld-multisubsidiary-agent); SuiteFlow workflow mechanics (use netsuite-suiteflow-automation-agent); SuiteScript code review (use netsuite-suitescript-secure-code-review-agent); or live account mutation is required (use netsuite-live-org-mutation-guard-agent)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: finance
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite Financial Foundations Skill
+## Purpose
+Validates AP and AR configuration, accounting setup, and period-end reconciliation procedures against Financial User (N16599GC10) and Accounting Professional (N16301GC10) certification standards. Escalates close-impacting control gaps to netsuite-audit-controls-sox-agent for SOX-level review. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User submits AP or AR configuration exports for review against Financial User or Accounting Professional standards
+- Finance team needs chart of accounts structure validated for account type correctness and sub-account hierarchy
+- Implementation team needs accounting preferences and bank account records reviewed before go-live
+- CoE architect needs period-end reconciliation procedures checked for completeness and procedural gaps
+## Recommended Workflow
+1. Step 1 — Collect sanitized inputs: request AP setup, AR setup, chart of accounts export, accounting preferences screenshot, and bank account record details (masked account numbers)
+2. Step 2 — AP review: validate vendor record defaults, payment term configurations, bill approval defaults, and 1099 vendor flag setup
+3. Step 3 — AR review: validate customer record defaults, invoicing template configurations, payment method mappings, and collections workflow design
+4. Step 4 — Chart of accounts audit: verify account type correctness, sub-account hierarchy, inter-company account presence, and segment assignments
+5. Step 5 — Accounting preferences check: confirm base currency, fiscal year start, accounting method, and tax configuration defaults
+6. Step 6 — Period-end reconciliation review: validate AP aging tie-out procedure, AR aging tie-out, bank reconciliation workflow, and subledger-to-GL checklist coverage
+7. Step 7 — Emit findings report: rated Critical / High / Medium / Low with [FACT] / [INFERENCE] / [ASSUMPTION] labels; escalate SOX-impacting findings to netsuite-audit-controls-sox-agent
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No live NetSuite connection — all inputs are sanitized configuration excerpts
+- No credentials, tokens, vendor bank account numbers, credit card numbers, or payment tokens in submitted inputs
+- Role recommendations never include the Administrator role
+- 2FA designation verified for roles with View Unencrypted ACH or Credit Card permissions
+- SOX-impacting findings (SoD conflicts, posting period violations) are escalated to netsuite-audit-controls-sox-agent, not resolved unilaterally
+- Bank account numbers are masked before submission; agent refuses unmasked account data
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Input contains credentials, tokens, vendor bank account numbers, payment tokens, credit card numbers, or any authentication or financial account material — stop and instruct sanitization
+- Request involves mutating, deploying, or activating any NetSuite configuration in a live or production account — route to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used for AP/AR review or accounting configuration — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of the AI Specialist or AI Professional certifications as available — those are coming soon; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — works exclusively from sanitized configuration excerpts; never requests or accepts credentials, tokens, vendor bank account numbers, credit card numbers, payment tokens, or any authentication or financial account material. Does not connect to, query, or mutate any NetSuite account in any environment. Role recommendations explicitly exclude the Administrator role. SOX-impacting findings are escalated to netsuite-audit-controls-sox-agent and never resolved unilaterally.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle NetSuite Financial User and Accounting Professional certification URLs verified in evidence-matrix
+- [safety-checklist.md](references/safety-checklist.md) — Pre-submission sanitization checklist for AP/AR configuration and bank account exports
+- [least-privilege.md](references/least-privilege.md) — Custom role construction guidance for financial reviewer posture derived from Accountant standard role
+- [release-drift.md](references/release-drift.md) — NetSuite release cadence notes for AP/AR engine and accounting period changes
+- [financial-foundations-domain-map.md](references/financial-foundations-domain-map.md) — Mapping of Financial User and Accounting Professional exam domains to configuration review areas

package/skills/netsuite/netsuite-financial-foundations-skill/metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "id": "netsuite-financial-foundations-skill",
+  "name": "NetSuite Financial Foundations Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Flashlight skill for reviewing NetSuite Accounts Payable, Accounts Receivable, and core accounting configurations aligned to the Financial User (N16599GC10) and Accounting Professional (N16301GC10) certifications. T0 static review — no live account connection required. TRIGGER when: user asks to rev",
+  "source_type": "original",
+  "category": "finance",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://education.oracle.com/oracle-netsuite-financial-user/pexam_N16599GC10",
+    "https://education.oracle.com/oracle-netsuite-accounting-professional/pexam_N16301GC10",
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html"
+  ],
+  "security_notes": "Static review only — works exclusively from sanitized configuration excerpts; never requests or accepts credentials, tokens, vendor bank account numbers, credit card numbers, payment tokens, or any authentication or financial account material. Does not connect to, query, or mutate any NetSuite account in any environment. Role recommendations explicitly exclude the Administrator role. SOX-impacting findings are escalated to netsuite-audit-controls-sox-agent and never resolved unilaterally.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-financial-foundations-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-financial-foundations-skill/references/financial-foundations-domain-map.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Financial Foundations Domain Map
+Mapping of Financial User and Accounting Professional exam domains to configuration review areas
+Scope: Validates AP and AR configuration, accounting setup, and period-end reconciliation procedures against Financial User (N16599GC10) and Accounting Professional (N16301GC10) certification standards. Escalates close-impacting control gaps to netsuite-audit-controls-sox-agent for SOX-level review.
+- Accounts Payable configuration — vendor record setup, payment terms, bill approval defaults, 1099 vendor flags, payment method mapping
+- Accounts Receivable configuration — customer record setup, invoicing templates, payment terms, dunning and collections workflow design, cash application rules
+- Chart of accounts structure — account type correctness, sub-account hierarchy, inter-company and elimination account mapping, account segment assignment
+- Accounting preferences — base currency, fiscal year start, accounting method (accrual vs. cash), tax configuration defaults
+- Bank account record setup — account type, currency, GL account mapping, bank reconciliation statement format
+- Period-end reconciliation procedures — AP aging tie-out, AR aging tie-out, bank reconciliation workflow, subledger-to-GL reconciliation checklist

package/skills/netsuite/netsuite-financial-foundations-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,65 @@
+# Least-privilege NetSuite posture for NetSuite Financial Foundations Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Financial Foundations Reviewer (custom)
+- **Copy from standard role:** Accountant (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Accounts Payable, Accounts Receivable, Financial Management, Banking
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Vendors** (View) — Inspect AP vendor record defaults and payment term configuration
+- **Customers** (View) — Inspect AR customer record defaults, invoicing templates, and payment method mapping
+- **Accounting Lists** (View) — Review chart of accounts structure, account types, and sub-account hierarchy
+- **Accounting Preferences** (View) — Inspect base currency, fiscal year, accounting method, and tax defaults
+- **Bank Accounts** (View) — Review bank account record type, currency, and GL mapping (masked account numbers only)
+- **Reconcile Account Statement** (View) — Inspect bank reconciliation configuration and statement format settings
+## Forbidden
+- Administrator role
+- View Unencrypted Credit Cards
+- View Unencrypted ACH Account Numbers
+- Access Token Management permission
+- OAuth 2.0 Authorized Applications Management permission
+- Edit or Full level on any live financial record type
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Input contains credentials, tokens, vendor bank account numbers, payment tokens, credit card numbers, or any authentication or financial account material — stop and instruct sanitization
+- Request involves mutating, deploying, or activating any NetSuite configuration in a live or production account — route to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used for AP/AR review or accounting configuration — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of the AI Specialist or AI Professional certifications as available — those are coming soon; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-financial-foundations-skill` — NetSuite Financial Foundations Skill

package/skills/netsuite/netsuite-financial-foundations-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official Sources
+Oracle NetSuite Financial User and Accounting Professional certification URLs verified in evidence-matrix
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://education.oracle.com/oracle-netsuite-financial-user/pexam_N16599GC10
+- https://education.oracle.com/oracle-netsuite-accounting-professional/pexam_N16301GC10
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html

package/skills/netsuite/netsuite-financial-foundations-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+NetSuite release cadence notes for AP/AR engine and accounting period changes
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-financial-foundations-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Pre-submission sanitization checklist for AP/AR configuration and bank account exports
+- No live NetSuite connection — all inputs are sanitized configuration excerpts
+- No credentials, tokens, vendor bank account numbers, credit card numbers, or payment tokens in submitted inputs
+- Role recommendations never include the Administrator role
+- 2FA designation verified for roles with View Unencrypted ACH or Credit Card permissions
+- SOX-impacting findings (SoD conflicts, posting period violations) are escalated to netsuite-audit-controls-sox-agent, not resolved unilaterally
+- Bank account numbers are masked before submission; agent refuses unmasked account data
+## Refusal triggers
+- Input contains credentials, tokens, vendor bank account numbers, payment tokens, credit card numbers, or any authentication or financial account material — stop and instruct sanitization
+- Request involves mutating, deploying, or activating any NetSuite configuration in a live or production account — route to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used for AP/AR review or accounting configuration — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of the AI Specialist or AI Professional certifications as available — those are coming soon; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)

package/skills/netsuite/netsuite-identity-access-role-permission-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,86 @@
+---
+name: netsuite-identity-access-role-permission-skill
+description: "Static review flashlight for NetSuite role configurations, permission assignments, and Segregation-of-Duties design. Validates custom roles against standard baselines, resolves permission codes from the 684-code SDF catalog, and flags SoD conflicts and over-permissioned roles. TRIGGER when: user asks to review a NetSuite role, check permissions on a role, audit segregation of duties, validate a custom role, analyze SDF customrole XML, check who has Administrator access, review run-as configuration for a script or integration, map permissions to least privilege, or assess 2FA role designations. Trigger phrases: review netsuite role, check role permissions, segregation of duties netsuite, custom role from standard, sdf customrole xml, least privilege role, who has administrator, run-as role, 2fa role designation. DO NOT TRIGGER when: the question is about OAuth 2.0, TBA, SSO, or SAML configuration (use netsuite-sso-oauth-tba-skill); when SDF project structure or deployment pipeline is the subject (use netsuite-sdf-devops-release-skill); when the request is to write SuiteScript or review code security (use netsuite-suitescript-secure-code-review-skill); or when the user needs a live role assignment executed in a NetSuite account (escalate to netsuite-live-org-mutation-guard-agent)."
+license: UPL-1.0
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: security
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite Identity Access Role Permission Skill
+## Purpose
+Role structure, permission levels, and SoD conflict detection in NetSuite. Covers standard role baselines, custom role derivation, permission catalog lookup against the 684-code SDF catalog, and multi-role SoD conflict matrices. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User needs a role configuration reviewed for over-permission or SoD conflicts
+- SDF customrole XML export needs permission-level validation against the 684-code catalog
+- Custom role derivation from a standard role must be verified
+- Integration record or script run-as role needs least-privilege assessment
+- 2FA designation coverage for privileged roles needs an audit
+## Recommended Workflow
+1. Step 1 — Collect sanitized role export or SDF customrole XML; confirm no credentials or token values are present
+2. Step 2 — Identify the standard role baseline the custom role was copied from; flag if copied from Administrator or created blank
+3. Step 3 — Resolve each permkey against the netsuite-sdf-roles-and-permissions catalog (684 codes); label unknowns [UNVERIFIED]
+4. Step 4 — Apply SoD conflict matrix: flag any role combining initiating and approving functions on the same transaction type
+5. Step 5 — Map permissions triggering mandatory 2FA (evidence 5c); flag any such role missing 2FA designation
+6. Step 6 — Rate every finding Critical / High / Medium / Low / Unknown; emit structured report with remediation guidance and escalation triggers
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No credentials, tokens, or client secrets in the submitted configuration excerpt
+- Role analysis is read-only — no account changes are recommended without human review
+- Every permission recommendation cites an evidence row or the Oracle SDF permission catalog
+- Administrator role is never recommended for any purpose
+- SoD findings are rated and routed to a named human decision owner before remediation
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request includes or asks for user passwords, access tokens, TBA token values, OAuth client secrets, or session cookies
+- Request asks the agent to act as or assume Administrator role
+- Request asks to perform a live role assignment, permission edit, or user account modification — escalate to netsuite-live-org-mutation-guard-agent
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for role alignment context
+- Request asks to generate TBA tokens, OAuth authorization codes, or integration credentials
+- Scope creep: authentication mechanism design questions belong to netsuite-sso-oauth-tba-agent
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — works from sanitized configuration excerpts and never requests credentials, tokens, client secrets, or user PII. Never assumes or recommends Administrator role. Every permission recommendation cites official evidence. Does not perform live role assignments or account mutations.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle/NetSuite official documentation URLs for roles, permissions, and 2FA requirements
+- [safety-checklist.md](references/safety-checklist.md) — Pre-submission checklist for sanitizing role exports before analysis
+- [least-privilege.md](references/least-privilege.md) — Custom role design guide: standard role baselines, permkey conventions, SoD matrix
+- [release-drift.md](references/release-drift.md) — Tracks SOAP/TBA deprecation milestones relevant to integration-record role design
+- [sod-conflict-matrix.md](references/sod-conflict-matrix.md) — Reference conflict pairs for common NetSuite financial and administrative function combinations

package/skills/netsuite/netsuite-identity-access-role-permission-skill/metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "id": "netsuite-identity-access-role-permission-skill",
+  "name": "NetSuite Identity Access Role Permission Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Static review flashlight for NetSuite role configurations, permission assignments, and Segregation-of-Duties design. Validates custom roles against standard baselines, resolves permission codes from the 684-code SDF catalog, and flags SoD conflicts and over-permissioned roles. TRIGGER when: user ask",
+  "source_type": "adapted",
+  "category": "security",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N328126.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html"
+  ],
+  "security_notes": "Static review only — works from sanitized configuration excerpts and never requests credentials, tokens, client secrets, or user PII. Never assumes or recommends Administrator role. Every permission recommendation cites official evidence. Does not perform live role assignments or account mutations.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-identity-access-role-permission-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "source_attribution": "Portions derived from oracle/netsuite-suitecloud-sdk packages/agent-skills/netsuite-sdf-roles-and-permissions (UPL-1.0; Copyright (c) 2019, 2023 Oracle and/or its affiliates; https://oss.oracle.com/licenses/upl). Vanguard additions: cross-agent RBAC context for the Vanguard harness routing layer, SSO/SAML role-mapping guidance, zero-trust attestation logging requirements, SoD conflict matrix, and severity rating taxonomy."
+}

package/skills/netsuite/netsuite-identity-access-role-permission-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,63 @@
+# Least-privilege NetSuite posture for NetSuite Identity Access Role Permission Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Identity Access Reviewer (custom)
+- **Copy from standard role:** Auditor (standard NetSuite role — read-only, no transaction entry) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Setup, SuiteCloud
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Roles and Groups** (View) — Required to read role definitions and permission lists for analysis
+- **Custom Roles** (View) — Required to inspect custom role configurations and permkey/permlevel assignments
+- **User Management** (View) — Required to review role-to-user assignments (no edit access needed)
+- **SuiteCloud Development Framework** (View) — Required to read SDF customrole XML exports
+- **Audit Trail** (View) — Required to verify role-change history for evidence artifacts
+## Forbidden
+- Administrator role
+- Edit or Full on User Management
+- Edit or Full on Roles and Groups
+- Any permission not listed above
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request includes or asks for user passwords, access tokens, TBA token values, OAuth client secrets, or session cookies
+- Request asks the agent to act as or assume Administrator role
+- Request asks to perform a live role assignment, permission edit, or user account modification — escalate to netsuite-live-org-mutation-guard-agent
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for role alignment context
+- Request asks to generate TBA tokens, OAuth authorization codes, or integration credentials
+- Scope creep: authentication mechanism design questions belong to netsuite-sso-oauth-tba-agent
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-identity-access-role-permission-skill` — NetSuite Identity Access Role Permission Skill

package/skills/netsuite/netsuite-identity-access-role-permission-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Official Sources
+Oracle/NetSuite official documentation URLs for roles, permissions, and 2FA requirements
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N328126.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html

package/skills/netsuite/netsuite-identity-access-role-permission-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+Tracks SOAP/TBA deprecation milestones relevant to integration-record role design
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.