npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.9.0 → 2.10.0 - Mend

@raishin/vanguard-frontier-agentic 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

package/skills/netsuite/netsuite-identity-access-role-permission-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Pre-submission checklist for sanitizing role exports before analysis
+- No credentials, tokens, or client secrets in the submitted configuration excerpt
+- Role analysis is read-only — no account changes are recommended without human review
+- Every permission recommendation cites an evidence row or the Oracle SDF permission catalog
+- Administrator role is never recommended for any purpose
+- SoD findings are rated and routed to a named human decision owner before remediation
+## Refusal triggers
+- Request includes or asks for user passwords, access tokens, TBA token values, OAuth client secrets, or session cookies
+- Request asks the agent to act as or assume Administrator role
+- Request asks to perform a live role assignment, permission edit, or user account modification — escalate to netsuite-live-org-mutation-guard-agent
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for role alignment context
+- Request asks to generate TBA tokens, OAuth authorization codes, or integration credentials
+- Scope creep: authentication mechanism design questions belong to netsuite-sso-oauth-tba-agent

package/skills/netsuite/netsuite-identity-access-role-permission-skill/references/sod-conflict-matrix.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Sod Conflict Matrix
+Reference conflict pairs for common NetSuite financial and administrative function combinations
+Scope: Role structure, permission levels, and SoD conflict detection in NetSuite. Covers standard role baselines, custom role derivation, permission catalog lookup against the 684-code SDF catalog, and multi-role SoD conflict matrices.
+- Standard role review: baseline permissions, intended profile, and principle of least privilege alignment (evidence rows 7a, 7b, 7c)
+- Custom role derivation: confirm roles are copies of standard roles, not Administrator or blank; validate permkey/permlevel XML in SDF customrole objects
+- Permission catalog lookup: resolve permission codes (ADMI_, LIST_, REGT_, REPO_, TRAN_ prefixes) against the upstream netsuite-sdf-roles-and-permissions catalog of 684 verified codes
+- Segregation-of-Duties analysis: flag roles that combine conflicting functions (e.g., AP entry + AP approval, GL journal + period close)
+- Integration role review: validate script run-as configurations and integration-record role assignments for least-privilege alignment
+- 2FA requirement mapping: identify which permissions and roles trigger mandatory 2FA per evidence rows 5a–5d; flag roles missing the designation

package/skills/netsuite/netsuite-integration-migration-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+name: netsuite-integration-migration-skill
+description: "Static-review flashlight for NetSuite SOAP-to-REST integration architecture and migration program planning. Assesses integration inventories against the confirmed SOAP sunset timeline: 2026.1 REST+OAuth2 default for new integrations, 2027.1 new SOAP integrations blocked, 2025.2 last planned SOAP endpoint, 2028.2 all SOAP endpoints disabled. TRIGGER when: user asks to plan a SOAP-to-REST migration, assess migration risk across an integration inventory, design a phased migration program, review integration architecture for SOAP sunset exposure, create a migration timeline aligned to NetSuite releases, or design rollback strategies for integration cutover. Trigger phrases: SOAP migration plan, SOAP sunset, migrate to REST NetSuite, integration inventory, 2028.2 deadline, SOAP removal, migration program. DO NOT TRIGGER when: the question is about a single REST API endpoint design or integration record configuration (use netsuite-web-services-integration-agent), OAuth 2.0 or TBA auth mechanics (use netsuite-sso-oauth-tba-agent), SuiteScript or SDF code authorship (use netsuite-suitecloud-developer-agent), or role and permission SoD design (use netsuite-identity-access-role-permission-agent)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: architecture
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite Integration Migration Skill
+## Purpose
+End-to-end integration architecture review and SOAP-to-REST migration program planning. Owns the migration timeline, inventory prioritization, phased cutover design, and rollback planning. Cross-escalates individual API design questions to netsuite-web-services-integration-agent and auth/identity questions to netsuite-sso-oauth-tba-agent. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User needs to assess migration risk across a NetSuite integration inventory against the SOAP sunset timeline
+- User is designing a phased SOAP-to-REST migration program and needs sequencing and rollback guidance
+- User needs a migration timeline aligned to the 2026.1 / 2027.1 / 2028.2 NetSuite release milestones
+- User needs to evaluate organizational readiness and testing strategy for integration migration
+- User needs to design post-migration validation checklists
+## Recommended Workflow
+1. Step 1 — Gather inputs: integration inventory (protocol, auth method, criticality, dependencies), NetSuite release version, sandbox availability, team capacity
+2. Step 2 — Score each integration against sunset milestones: imminent risk (SOAP new builds after 2026.1), blocker risk (any new SOAP after 2027.1), hard stop (all SOAP disabled at 2028.2)
+3. Step 3 — Rate migration complexity per integration: auth change required (SOAP TBA → REST OAuth 2.0), downstream dependencies, data volume, error handling patterns
+4. Step 4 — Design phased migration program: Phase 1 (new integrations — REST only), Phase 2 (critical SOAP migrations before 2027.1), Phase 3 (remaining SOAP before 2028.2)
+5. Step 5 — Design rollback strategy per phase: traffic switching, parallel run window, go/no-go criteria
+6. Step 6 — Rate all findings Critical/High/Medium/Low/Unknown; produce structured risk table with evidence labels [FACT], [ASSUMPTION], [INFERENCE]
+7. Step 7 — Emit T0 static review output: migration program artifact with prioritized inventory, phased timeline, rollback design, and escalation routing
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No credentials, tokens, or secrets present in inputs — refuse and instruct user to redact if found
+- All four SOAP sunset milestones cited with evidence-matrix source: 2026.1, 2027.1, 2025.2 last endpoint, 2028.2 final disable
+- OAuth 2.0 confirmed as required auth for all new REST integrations post-2026.1
+- Custom reviewer role recommendation never uses Administrator role
+- All official_docs URLs traceable to evidence-matrix.md
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to execute a migration, fire live API calls, or mutate a NetSuite account
+- User requests a migration plan without providing integration inventory — flag as Unknown risk, request inventory before proceeding
+- User claims the SOAP sunset timeline is different from the confirmed evidence-matrix dates — correct with evidence citations
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — never calls NetSuite APIs, never executes migrations, never requests or stores credentials, tokens, client secrets, or org IDs. Works exclusively from sanitized integration inventory data. All four SOAP sunset milestones cited from confirmed evidence: 2026.1 REST+OAuth2 default, 2027.1 new SOAP blocked, 2025.2 last planned SOAP endpoint, 2028.2 all endpoints disabled. Never recommends the Administrator role for integration service accounts. Custom reviewer role requires 2FA when permissions include Access Token Management.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Confirmed Oracle/NetSuite official documentation URLs for SOAP removal plans and OAuth 2.0
+- [safety-checklist.md](references/safety-checklist.md) — Pre-review checklist: redaction verification, timeline accuracy, auth posture checks
+- [least-privilege.md](references/least-privilege.md) — Custom role design for integration migration reviewers — permissions, 2FA triggers, forbidden roles
+- [release-drift.md](references/release-drift.md) — Full SOAP sunset timeline: 2026.1 / 2027.1 / 2025.2 last endpoint / 2028.2 disable — evidence-matrix rows 2a-2d
+- [migration-complexity-matrix.md](references/migration-complexity-matrix.md) — 7-factor migration complexity scoring matrix for individual integration assessments

package/skills/netsuite/netsuite-integration-migration-skill/metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "id": "netsuite-integration-migration-skill",
+  "name": "NetSuite Integration Migration Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Static-review flashlight for NetSuite SOAP-to-REST integration architecture and migration program planning. Assesses integration inventories against the confirmed SOAP sunset timeline: 2026.1 REST+OAuth2 default for new integrations, 2027.1 new SOAP integrations blocked, 2025.2 last planned SOAP end",
+  "source_type": "original",
+  "category": "architecture",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157780312610.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4381113277.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N3445710.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html"
+  ],
+  "security_notes": "Static review only — never calls NetSuite APIs, never executes migrations, never requests or stores credentials, tokens, client secrets, or org IDs. Works exclusively from sanitized integration inventory data. All four SOAP sunset milestones cited from confirmed evidence: 2026.1 REST+OAuth2 default, 2027.1 new SOAP blocked, 2025.2 last planned SOAP endpoint, 2028.2 all endpoints disabled. Never recommends the Administrator role for integration service accounts. Custom reviewer role requires 2FA when permissions include Access Token Management.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-integration-migration-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-integration-migration-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,61 @@
+# Least-privilege NetSuite posture for NetSuite Integration Migration Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Integration Migration Reviewer (custom)
+- **Copy from standard role:** Integration Manager (or closest available standard role with integration record access) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** REST Web Services, SOAP Web Services, OAuth 2.0, Token-Based Authentication
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **REST Web Services** (View) — Required to review REST integration records and configurations
+- **SOAP Web Services** (View) — Required to review SOAP integration inventory for migration risk scoring
+- **Integration Record** (View) — Required to inspect integration record settings and auth grant configuration
+- **Log in using OAuth 2.0 Access Tokens** (View) — Required to review OAuth 2.0 token grant configuration in migration targets
+- **Access Token Management** (View) — Required to review TBA token records — triggers mandatory 2FA per evidence-matrix row 5c
+## Forbidden
+- Administrator role
+- Full permission roles
+- Any role with Create/Edit/Full on Integration Record or Token Management
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to execute a migration, fire live API calls, or mutate a NetSuite account
+- User requests a migration plan without providing integration inventory — flag as Unknown risk, request inventory before proceeding
+- User claims the SOAP sunset timeline is different from the confirmed evidence-matrix dates — correct with evidence citations
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-integration-migration-skill` — NetSuite Integration Migration Skill

package/skills/netsuite/netsuite-integration-migration-skill/references/migration-complexity-matrix.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Migration Complexity Matrix
+7-factor migration complexity scoring matrix for individual integration assessments
+Scope: End-to-end integration architecture review and SOAP-to-REST migration program planning. Owns the migration timeline, inventory prioritization, phased cutover design, and rollback planning. Cross-escalates individual API design questions to netsuite-web-services-integration-agent and auth/identity questions to netsuite-sso-oauth-tba-agent.
+- Integration inventory assessment and SOAP risk scoring against sunset timeline
+- End-to-end SOAP-to-REST migration program planning: phasing, sequencing, cutover design
+- Migration complexity scoring per integration (auth change, data volume, error handling, downstream dependencies)
+- Rollback strategy design for each migration phase
+- Organizational readiness review: team skills, testing capacity, sandbox strategy
+- Migration timeline alignment to NetSuite release cadence (2026.1, 2027.1, 2028.2 gates)
+- Cross-system integration architecture review: middleware, iPaaS, and point-to-point patterns
+- Post-migration validation checklist design

package/skills/netsuite/netsuite-integration-migration-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official Sources
+Confirmed Oracle/NetSuite official documentation URLs for SOAP removal plans and OAuth 2.0
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157780312610.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4381113277.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N3445710.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html

package/skills/netsuite/netsuite-integration-migration-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+Full SOAP sunset timeline: 2026.1 / 2027.1 / 2025.2 last endpoint / 2028.2 disable — evidence-matrix rows 2a-2d
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-integration-migration-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Safety Checklist
+Pre-review checklist: redaction verification, timeline accuracy, auth posture checks
+- No credentials, tokens, or secrets present in inputs — refuse and instruct user to redact if found
+- All four SOAP sunset milestones cited with evidence-matrix source: 2026.1, 2027.1, 2025.2 last endpoint, 2028.2 final disable
+- OAuth 2.0 confirmed as required auth for all new REST integrations post-2026.1
+- Custom reviewer role recommendation never uses Administrator role
+- All official_docs URLs traceable to evidence-matrix.md
+## Refusal triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to execute a migration, fire live API calls, or mutate a NetSuite account
+- User requests a migration plan without providing integration inventory — flag as Unknown risk, request inventory before proceeding
+- User claims the SOAP sunset timeline is different from the confirmed evidence-matrix dates — correct with evidence citations

package/skills/netsuite/netsuite-live-operation-safety-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,92 @@
+---
+name: netsuite-live-operation-safety-skill
+description: "Evaluates live NetSuite mutation requests against a structured authorization checklist covering blast-radius, rollback, human decision ownership, and integration posture. T0 static evaluation — no org connection required. TRIGGER when: a request involves activating a workflow, deploying an SDF project, editing live records, publishing a saved search to new roles, changing permissions, rotating OAuth certificates, issuing or revoking TBA tokens, or any other operation that writes to or configures a live NetSuite account. Trigger phrases: deploy to production, activate workflow, change permissions in NetSuite, rotate cert, publish saved search, edit live record, SDF deploy, grant role. DO NOT TRIGGER when: the request is purely a static design review with no live-op intent (use the appropriate domain specialist); request is about reading or querying live data without mutation (use netsuite-saved-searches-workbook-agent or netsuite-bi-reporting-agent); request is about architecture design only (use netsuite-enterprise-architecture-agent)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: security
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite Live Operation Safety Skill
+## Purpose
+Act as the mandatory approval gate for all live-org mutation paths in the NetSuite domain. Evaluate the proposed change against the authorized live-op protocol, document the blast-radius, identify the named human decision owner, and either clear the change for execution by a qualified human or issue a structured refusal with remediation steps. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User presents a change request targeting a live NetSuite production, sandbox, or release-preview account
+- SDF deploy checklist review is needed before a human executes the deploy
+- Workflow activation or deactivation in any NetSuite environment requires authorization posture review
+- Permission or role assignment change requires blast-radius and SoD pre-check
+- OAuth 2.0 certificate rotation or TBA token lifecycle event requires protocol verification
+## Recommended Workflow
+1. Step 1 — Extract change metadata: target environment tier, change type, named human decision owner, ticket/protocol reference
+2. Step 2 — Blast-radius mapping: identify affected subsidiaries, integrations, roles, and record types
+3. Step 3 — Authorization posture check: verify authorized live-op protocol is present and complete; default to refusal if any required field is absent
+4. Step 4 — Least-privilege verification: confirm the change does not require or grant Administrator role; check 2FA trigger permissions per evidence item 5c
+5. Step 5 — Rollback plan validation: confirm a documented rollback path exists and a named rollback owner is identified
+6. Step 6 — Integration posture check: flag any SOAP-based change as migration-risk per evidence items 2a-2d; flag new TBA-for-SOAP post-2027.1 per evidence item 4d
+7. Step 7 — Emit structured clearance or refusal with all required fields and remediation steps for any refusal
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No credentials, tokens, or secrets were supplied in the request input
+- Administrator role is not required by the proposed change
+- Authorized live-op protocol reference is present and cites a named human decision owner
+- Rollback plan is documented and a rollback owner is named
+- For SDF deploys: sandbox validation evidence is present
+- For OAuth/TBA changes: confirms REST+OAuth2 path (not new SOAP TBA post-2027.1)
+- For permission changes: target role is a custom copy of a standard role, not Administrator
+- For AI Connector changes: confirms account is not a healthcare BAA-restricted account
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request supplies credentials, tokens, OAuth client secrets, TBA token values, or session cookies — hard refuse, do not echo or log
+- Request asks for or implies use of the Administrator role for any automated or scripted operation
+- No authorized live-op protocol or change-management ticket reference is present
+- No named human decision owner is identified
+- No rollback plan is provided for production-bound changes
+- Request proposes building a new SOAP integration after the 2026.1 release (REST+OAuth2 is required for new builds per evidence item 2a)
+- Request proposes new TBA for SOAP, REST, or RESTlets after 2027.1 (hard block per evidence item 4d)
+- Proposed change would grant permissions that mandate 2FA (Access Token Management, OAuth 2.0 Authorized Applications Management, Core Administration Permissions, View Unencrypted Credit Cards, View Unencrypted ACH Account Numbers) without confirming 2FA enrollment
+- Coming-soon certifications (AI Specialist, AI Professional, BI & Reporting Professional) cited as available in the change justification
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only. The live guard never executes mutations in NetSuite. It operates from sanitized text inputs and never requests, stores, echoes, or logs credentials, OAuth tokens, TBA token values, client secrets, or session cookies. Default posture is refusal absent a fully documented authorized live-op protocol. All clearances require a named human decision owner and a documented rollback path.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle/NetSuite official documentation URLs for authentication, role management, SOAP removal plans, and 2FA requirements
+- [safety-checklist.md](references/safety-checklist.md) — Expanded live-op authorization checklist with per-change-type decision trees
+- [least-privilege.md](references/least-privilege.md) — Custom role construction guidance and forbidden permission enumeration for live-guard posture
+- [release-drift.md](references/release-drift.md) — SOAP removal timeline (2026.1, 2027.1, 2028.2) and TBA deprecation milestones for integration posture checks
+- [blast-radius-guide.md](references/blast-radius-guide.md) — Blast-radius assessment framework for multi-subsidiary and multi-integration change scopes

package/skills/netsuite/netsuite-live-operation-safety-skill/metadata.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "id": "netsuite-live-operation-safety-skill",
+  "name": "NetSuite Live Operation Safety Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Evaluates live NetSuite mutation requests against a structured authorization checklist covering blast-radius, rollback, human decision ownership, and integration posture. T0 static evaluation — no org connection required. TRIGGER when: a request involves activating a workflow, deploying an SDF proje",
+  "source_type": "original",
+  "category": "security",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157771979135.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_162686838198.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html"
+  ],
+  "security_notes": "Static review only. The live guard never executes mutations in NetSuite. It operates from sanitized text inputs and never requests, stores, echoes, or logs credentials, OAuth tokens, TBA token values, client secrets, or session cookies. Default posture is refusal absent a fully documented authorized live-op protocol. All clearances require a named human decision owner and a documented rollback path.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-live-operation-safety-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-live-operation-safety-skill/references/blast-radius-guide.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Blast Radius Guide
+Blast-radius assessment framework for multi-subsidiary and multi-integration change scopes
+Scope: Act as the mandatory approval gate for all live-org mutation paths in the NetSuite domain. Evaluate the proposed change against the authorized live-op protocol, document the blast-radius, identify the named human decision owner, and either clear the change for execution by a qualified human or issue a structured refusal with remediation steps.
+- SuiteCloud Development Framework (SDF) project deploys to any NetSuite environment
+- SuiteFlow / workflow activation, deactivation, and state transitions in live accounts
+- Direct data mutations: record create/edit/delete via UI, SuiteScript, RESTlet, or REST web services
+- Saved-search and workbook publication that exposes data to additional roles or subsidiaries
+- Role, permission, and custom-role assignment changes in production or sandbox
+- OAuth 2.0 application authorization, client credentials setup, and certificate rotation
+- TBA token issuance and revocation for production integrations
+- Release-preview to production promotion decisions

package/skills/netsuite/netsuite-live-operation-safety-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,65 @@
+# Least-privilege NetSuite posture for NetSuite Live Org Mutation Guard Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Live Guard Reviewer (custom)
+- **Copy from standard role:** No live identity required for guard evaluation; if future read-only audit logging access is provisioned, base on a custom copy of the standard Auditor role (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** scoped to remit
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Log (Setup)** (View) — Required only if guard needs to inspect SuiteScript execution logs for change evidence; View only
+## Forbidden
+- Administrator role
+- Access Token Management
+- OAuth 2.0 Authorized Applications Management
+- Core Administration Permissions
+- View Unencrypted Credit Cards
+- View Unencrypted ACH Account Numbers
+- Any permission level of Full on any module
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request supplies credentials, tokens, OAuth client secrets, TBA token values, or session cookies — hard refuse, do not echo or log
+- Request asks for or implies use of the Administrator role for any automated or scripted operation
+- No authorized live-op protocol or change-management ticket reference is present
+- No named human decision owner is identified
+- No rollback plan is provided for production-bound changes
+- Request proposes building a new SOAP integration after the 2026.1 release (REST+OAuth2 is required for new builds per evidence item 2a)
+- Request proposes new TBA for SOAP, REST, or RESTlets after 2027.1 (hard block per evidence item 4d)
+- Proposed change would grant permissions that mandate 2FA (Access Token Management, OAuth 2.0 Authorized Applications Management, Core Administration Permissions, View Unencrypted Credit Cards, View Unencrypted ACH Account Numbers) without confirming 2FA enrollment
+- Coming-soon certifications (AI Specialist, AI Professional, BI & Reporting Professional) cited as available in the change justification
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-live-operation-safety-skill` — NetSuite Live Operation Safety Skill

package/skills/netsuite/netsuite-live-operation-safety-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Official Sources
+Oracle/NetSuite official documentation URLs for authentication, role management, SOAP removal plans, and 2FA requirements
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157771979135.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_162686838198.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html

package/skills/netsuite/netsuite-live-operation-safety-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+SOAP removal timeline (2026.1, 2027.1, 2028.2) and TBA deprecation milestones for integration posture checks
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-live-operation-safety-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,24 @@
+# Safety Checklist
+Expanded live-op authorization checklist with per-change-type decision trees
+- No credentials, tokens, or secrets were supplied in the request input
+- Administrator role is not required by the proposed change
+- Authorized live-op protocol reference is present and cites a named human decision owner
+- Rollback plan is documented and a rollback owner is named
+- For SDF deploys: sandbox validation evidence is present
+- For OAuth/TBA changes: confirms REST+OAuth2 path (not new SOAP TBA post-2027.1)
+- For permission changes: target role is a custom copy of a standard role, not Administrator
+- For AI Connector changes: confirms account is not a healthcare BAA-restricted account
+## Refusal triggers
+- Request supplies credentials, tokens, OAuth client secrets, TBA token values, or session cookies — hard refuse, do not echo or log
+- Request asks for or implies use of the Administrator role for any automated or scripted operation
+- No authorized live-op protocol or change-management ticket reference is present
+- No named human decision owner is identified
+- No rollback plan is provided for production-bound changes
+- Request proposes building a new SOAP integration after the 2026.1 release (REST+OAuth2 is required for new builds per evidence item 2a)
+- Request proposes new TBA for SOAP, REST, or RESTlets after 2027.1 (hard block per evidence item 4d)
+- Proposed change would grant permissions that mandate 2FA (Access Token Management, OAuth 2.0 Authorized Applications Management, Core Administration Permissions, View Unencrypted Credit Cards, View Unencrypted ACH Account Numbers) without confirming 2FA enrollment
+- Coming-soon certifications (AI Specialist, AI Professional, BI & Reporting Professional) cited as available in the change justification