npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.9.0 → 2.10.0 - Mend

@raishin/vanguard-frontier-agentic 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

package/skills/netsuite/netsuite-oneworld-multisubsidiary-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+name: netsuite-oneworld-multisubsidiary-skill
+description: "Flashlight skill for reviewing NetSuite OneWorld multi-entity configurations: subsidiary hierarchies, intercompany account boundaries, cross-subsidiary visibility restrictions, multi-currency settings, and tax-jurisdiction nexus alignment. T0 static review — no live account connection required. TRIGGER when: user asks to review subsidiary structure, audit intercompany accounts, check cross-subsidiary role scoping, validate tax nexus coverage, assess consolidation configuration, or diagnose OneWorld hierarchy issues. Trigger phrases: subsidiary hierarchy, intercompany elimination, cross-subsidiary access, multi-currency consolidation, tax nexus, due-to due-from, legal entity registration, OneWorld configuration. DO NOT TRIGGER when: the user needs authentication or OAuth/TBA token review (use netsuite-sso-oauth-tba-skill), role/permission assignment analysis beyond subsidiary scoping (use netsuite-identity-access-role-permission-skill), SOX audit evidence generation (use netsuite-audit-controls-sox-skill), or SDF deployment of subsidiary changes (use netsuite-sdf-devops-release-skill)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: compliance
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite OneWorld Multi-Subsidiary Skill
+## Purpose
+Audits OneWorld multi-subsidiary configurations for boundary integrity, intercompany elimination correctness, currency/tax-jurisdiction alignment, and cross-subsidiary role scoping. Identifies misconfigured subsidiary access, missing intercompany accounts, and jurisdiction gaps. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- Reviewing a multi-subsidiary NetSuite setup for structural completeness and intercompany correctness
+- Auditing cross-subsidiary role scoping to verify users cannot see data outside their legal entity
+- Validating tax nexus and jurisdiction alignment for a new country or subsidiary
+- Diagnosing consolidation discrepancies caused by missing intercompany elimination accounts
+- Assessing multi-currency configuration and exchange-rate type assignments across subsidiaries
+## Recommended Workflow
+1. Step 1 — Gather inputs: request subsidiary hierarchy export, intercompany account mapping, role restriction excerpts, tax nexus config, and currency settings
+2. Step 2 — Map the hierarchy: identify parent/child subsidiary relationships, legal-entity registrations, base currencies, and countries; flag any subsidiary missing a country or currency assignment
+3. Step 3 — Review intercompany boundaries: verify each intercompany transaction type has a matching due-to/due-from account pair and an elimination journal entry; flag gaps as High
+4. Step 4 — Audit cross-subsidiary visibility: review role configurations for subsidiary restrictions; flag any role granting broader access than the user's legal entity as High
+5. Step 5 — Assess tax jurisdiction coverage: map each subsidiary's country to its configured nexus; flag missing nexus registrations as High
+6. Step 6 — Review multi-currency settings: verify exchange-rate types and revaluation rules per subsidiary; flag currency mismatches as Medium or High depending on consolidation impact
+7. Step 7 — Emit structured findings report: verdict, Critical/High/Medium/Low findings table, safe next actions, and escalation triggers
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No live NetSuite credentials, tokens, or session cookies accepted — reject and ask for sanitized exports
+- Tax registration numbers (VAT/GST IDs) must be redacted before submission
+- No live mutations recommended — all changes must go through netsuite-live-org-mutation-guard-agent
+- All findings labeled [FACT], [ASSUMPTION], or [INFERENCE] with source config reference
+- Cross-subsidiary data exposure findings escalated as Critical minimum
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request provides live NetSuite credentials, session tokens, TBA tokens, OAuth client secrets, or admin passwords — refuse immediately, do not log or echo
+- Request asks the agent to use the Administrator role or any role with full account permissions
+- Request asks the agent to directly create, edit, or delete subsidiaries, legal entities, or intercompany accounts in a live account
+- Request provides unredacted tax registration numbers, VAT/GST IDs, or legal-entity bank account data — flag and ask for redacted version
+- Request claims a coming-soon NetSuite certification (AI Specialist, AI Professional, BI & Reporting Professional) is currently available
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only. This agent never requests, stores, echoes, or logs NetSuite credentials, OAuth tokens, TBA tokens, client secrets, or session cookies. Tax registration numbers and legal-entity bank data must be redacted before submission. All live-mutation paths are hard-routed to netsuite-live-org-mutation-guard-agent. No org connection is established at any point.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle NetSuite OneWorld and multi-currency documentation URLs
+- [safety-checklist.md](references/safety-checklist.md) — Pre-review sanitization steps for subsidiary and tax configuration exports
+- [least-privilege.md](references/least-privilege.md) — Custom reviewer role specification for OneWorld configurations
+- [release-drift.md](references/release-drift.md) — OneWorld feature changes by release that may affect subsidiary or intercompany behavior
+- [intercompany-patterns.md](references/intercompany-patterns.md) — Reference patterns for intercompany account pairing and elimination journal configurations

package/skills/netsuite/netsuite-oneworld-multisubsidiary-skill/metadata.json ADDED Viewed

@@ -0,0 +1,33 @@
+{
+  "id": "netsuite-oneworld-multisubsidiary-skill",
+  "name": "NetSuite OneWorld Multi-Subsidiary Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Flashlight skill for reviewing NetSuite OneWorld multi-entity configurations: subsidiary hierarchies, intercompany account boundaries, cross-subsidiary visibility restrictions, multi-currency settings, and tax-jurisdiction nexus alignment. T0 static review — no live account connection required. TRIG",
+  "source_type": "original",
+  "category": "compliance",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html"
+  ],
+  "security_notes": "Static review only. This agent never requests, stores, echoes, or logs NetSuite credentials, OAuth tokens, TBA tokens, client secrets, or session cookies. Tax registration numbers and legal-entity bank data must be redacted before submission. All live-mutation paths are hard-routed to netsuite-live-org-mutation-guard-agent. No org connection is established at any point.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-oneworld-multisubsidiary-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-oneworld-multisubsidiary-skill/references/intercompany-patterns.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Intercompany Patterns
+Reference patterns for intercompany account pairing and elimination journal configurations
+Scope: Audits OneWorld multi-subsidiary configurations for boundary integrity, intercompany elimination correctness, currency/tax-jurisdiction alignment, and cross-subsidiary role scoping. Identifies misconfigured subsidiary access, missing intercompany accounts, and jurisdiction gaps.
+- OneWorld subsidiary hierarchy review: parent/child relationships, legal-entity registrations, base-currency assignments, and country/tax-jurisdiction alignment
+- Intercompany boundary review: intercompany account pairings, elimination journal configuration, intercompany transaction type coverage, and due-to/due-from balance symmetry
+- Cross-subsidiary visibility restrictions: role-level subsidiary restrictions, subsidiary-specific record access, and saved-search/report scope scoping
+- Multi-currency configuration: exchange-rate types, revaluation rules, and currency consolidation settings per subsidiary
+- Tax-jurisdiction mapping: nexus configuration, tax registration alignment to subsidiary country, and multi-jurisdiction VAT/GST exposure
+- Legal-entity boundary review: ensuring each legal entity has a corresponding subsidiary with correct country, currency, and tax profile

package/skills/netsuite/netsuite-oneworld-multisubsidiary-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,64 @@
+# Least-privilege NetSuite posture for NetSuite OneWorld Multi-Subsidiary Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite OneWorld Reviewer (custom)
+- **Copy from standard role:** Accountant (standard role — copy and restrict) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** General Ledger, Multi-Currency, Tax, OneWorld
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Subsidiaries** (View) — Required to inspect subsidiary hierarchy and configuration
+- **Intercompany Journal Entries** (View) — Required to review intercompany elimination account coverage
+- **Currency** (View) — Required to review base-currency assignments and exchange-rate types
+- **Tax Schedules** (View) — Required to review nexus and tax-jurisdiction configurations
+- **General Ledger** (View) — Required to review intercompany due-to/due-from account pairings
+- **Roles** (View) — Required to review cross-subsidiary role restrictions
+## Forbidden
+- Administrator role
+- Full access to any transaction entry type
+- Access Token Management permission
+- OAuth 2.0 Authorized Applications Management permission
+- Edit or Create level on Subsidiaries or Intercompany records
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request provides live NetSuite credentials, session tokens, TBA tokens, OAuth client secrets, or admin passwords — refuse immediately, do not log or echo
+- Request asks the agent to use the Administrator role or any role with full account permissions
+- Request asks the agent to directly create, edit, or delete subsidiaries, legal entities, or intercompany accounts in a live account
+- Request provides unredacted tax registration numbers, VAT/GST IDs, or legal-entity bank account data — flag and ask for redacted version
+- Request claims a coming-soon NetSuite certification (AI Specialist, AI Professional, BI & Reporting Professional) is currently available
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-oneworld-multisubsidiary-skill` — NetSuite OneWorld Multi-Subsidiary Skill

package/skills/netsuite/netsuite-oneworld-multisubsidiary-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,9 @@
+# Official Sources
+Oracle NetSuite OneWorld and multi-currency documentation URLs
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html

package/skills/netsuite/netsuite-oneworld-multisubsidiary-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+OneWorld feature changes by release that may affect subsidiary or intercompany behavior
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-oneworld-multisubsidiary-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Safety Checklist
+Pre-review sanitization steps for subsidiary and tax configuration exports
+- No live NetSuite credentials, tokens, or session cookies accepted — reject and ask for sanitized exports
+- Tax registration numbers (VAT/GST IDs) must be redacted before submission
+- No live mutations recommended — all changes must go through netsuite-live-org-mutation-guard-agent
+- All findings labeled [FACT], [ASSUMPTION], or [INFERENCE] with source config reference
+- Cross-subsidiary data exposure findings escalated as Critical minimum
+## Refusal triggers
+- Request provides live NetSuite credentials, session tokens, TBA tokens, OAuth client secrets, or admin passwords — refuse immediately, do not log or echo
+- Request asks the agent to use the Administrator role or any role with full account permissions
+- Request asks the agent to directly create, edit, or delete subsidiaries, legal entities, or intercompany accounts in a live account
+- Request provides unredacted tax registration numbers, VAT/GST IDs, or legal-entity bank account data — flag and ask for redacted version
+- Request claims a coming-soon NetSuite certification (AI Specialist, AI Professional, BI & Reporting Professional) is currently available

package/skills/netsuite/netsuite-sandbox-nonproduction-governance-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+name: netsuite-sandbox-nonproduction-governance-skill
+description: "Static-review flashlight for NetSuite sandbox, Release Preview, and non-production environment governance. Enforces the confirmed isolation facts: OAuth 2.0 authorized apps and client credentials flow setup in production are NOT copied to sandbox or Release Preview (and are cleared on each sandbox refresh); TBA tokens created in production are NOT copied to sandbox or Release Preview. Enforces that sandbox success does not equal production readiness without explicit re-authorization. TRIGGER when: user asks about sandbox governance, OAuth app re-authorization after sandbox refresh, TBA token management across environments, Release Preview usage policies, environment isolation between production and sandbox, sandbox-to-production promotion readiness, or sandbox refresh impact on integration testing. Trigger phrases: sandbox refresh, OAuth re-authorize sandbox, Release Preview isolation, sandbox governance, non-production environment, sandbox success production readiness, TBA token sandbox. DO NOT TRIGGER when: the question is about OAuth 2.0 or TBA auth flow mechanics (use netsuite-sso-oauth-tba-agent), integration API endpoint design (use netsuite-web-services-integration-agent), SDF release pipeline automation (use netsuite-sdf-devops-release-agent), or role and permission SoD design (use netsuite-identity-access-role-permission-agent)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: operational
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite Sandbox and Non-Production Governance Skill
+## Purpose
+Sandbox and non-production environment separation, OAuth 2.0 app re-authorization requirements per environment, TBA token isolation, sandbox refresh cycles, and Release Preview usage governance. Enforces the principle that authorized applications and tokens are not copied between environments and must be explicitly re-authorized after each sandbox refresh. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User needs to review or design OAuth 2.0 re-authorization procedures for sandbox and Release Preview environments
+- User is planning a sandbox refresh and needs to assess impact on active OAuth apps and TBA tokens
+- User needs to assess whether their sandbox test results are sufficient evidence of production readiness
+- User needs to establish environment separation policies between production, sandbox, and Release Preview
+- User needs to design a sandbox-to-production promotion checklist that includes OAuth and TBA re-authorization steps
+## Recommended Workflow
+1. Step 1 — Gather inputs: environment inventory, OAuth 2.0 re-authorization processes, sandbox refresh schedule, TBA token management procedures, integration test suite scope
+2. Step 2 — Verify environment separation: confirm distinct OAuth 2.0 authorized apps, client credentials flow setups, and TBA tokens per environment; flag any assumption that production config copies to sandbox
+3. Step 3 — Assess post-refresh re-authorization coverage: identify which OAuth apps and TBA tokens require explicit re-authorization or re-creation after each sandbox refresh
+4. Step 4 — Evaluate sandbox-to-production promotion readiness checklist: verify OAuth re-authorization step is present before smoke-test; flag its absence as High governance gap
+5. Step 5 — Review Release Preview governance: confirm it is not used for production-equivalent load testing or treated as production fallback without explicit re-authorization
+6. Step 6 — Rate all governance gaps Critical/High/Medium/Low/Unknown; produce structured finding table with evidence labels [FACT], [ASSUMPTION], [INFERENCE]
+7. Step 7 — Emit T0 static review output: governance gap report with re-authorization checklist, sandbox refresh impact assessment, and escalation routing
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No credentials, tokens, or secrets present in inputs — refuse and instruct user to redact if found
+- Core isolation fact enforced: OAuth 2.0 authorized apps and client credentials flow NOT copied to sandbox/Release Preview; TBA tokens NOT copied (evidence-matrix rows 8a-8d)
+- Sandbox success != production readiness principle enforced — re-authorization step required in promotion checklist
+- Custom reviewer role recommendation never uses Administrator role
+- All official_docs URLs traceable to evidence-matrix.md
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to access a live NetSuite account, execute environment changes, or mutate any account
+- User asserts that OAuth 2.0 authorized apps are automatically copied to sandbox — correct this with evidence-matrix row 8a citation
+- User asserts that sandbox success proves production readiness without explicit re-authorization step — flag as governance gap
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — never accesses live NetSuite accounts, never executes environment changes, never requests or stores credentials, tokens, client secrets, or org IDs. Works exclusively from sanitized environment documentation. Enforces confirmed isolation facts: OAuth 2.0 authorized apps and client credentials flow setup are NOT copied to sandbox or Release Preview (cleared on refresh); TBA tokens are NOT copied. Enforces that sandbox success does not equal production readiness. Never recommends Administrator role for sandbox governance roles. Custom reviewer role requires 2FA when permissions include OAuth 2.0 Authorized Applications Management or Access Token Management.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Confirmed Oracle/NetSuite official documentation URLs for OAuth 2.0 environment isolation and sandbox governance
+- [safety-checklist.md](references/safety-checklist.md) — Pre-review checklist: redaction verification, environment isolation facts, re-authorization coverage checks
+- [least-privilege.md](references/least-privilege.md) — Custom role design for sandbox governance reviewers — permissions, 2FA triggers, forbidden roles
+- [release-drift.md](references/release-drift.md) — Environment-specific OAuth 2.0 and TBA isolation facts — evidence-matrix rows 8a-8d
+- [sandbox-promotion-checklist.md](references/sandbox-promotion-checklist.md) — Sandbox-to-production promotion checklist including OAuth re-authorization and smoke-test steps

package/skills/netsuite/netsuite-sandbox-nonproduction-governance-skill/metadata.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "id": "netsuite-sandbox-nonproduction-governance-skill",
+  "name": "NetSuite Sandbox and Non-Production Governance Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Static-review flashlight for NetSuite sandbox, Release Preview, and non-production environment governance. Enforces the confirmed isolation facts: OAuth 2.0 authorized apps and client credentials flow setup in production are NOT copied to sandbox or Release Preview (and are cleared on each sandbox r",
+  "source_type": "original",
+  "category": "operational",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157771979135.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_162686838198.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4254801119.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html"
+  ],
+  "security_notes": "Static review only — never accesses live NetSuite accounts, never executes environment changes, never requests or stores credentials, tokens, client secrets, or org IDs. Works exclusively from sanitized environment documentation. Enforces confirmed isolation facts: OAuth 2.0 authorized apps and client credentials flow setup are NOT copied to sandbox or Release Preview (cleared on refresh); TBA tokens are NOT copied. Enforces that sandbox success does not equal production readiness. Never recommends Administrator role for sandbox governance roles. Custom reviewer role requires 2FA when permissions include OAuth 2.0 Authorized Applications Management or Access Token Management.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-sandbox-nonproduction-governance-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-sandbox-nonproduction-governance-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,60 @@
+# Least-privilege NetSuite posture for NetSuite Sandbox and Non-Production Governance Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Sandbox Governance Reviewer (custom)
+- **Copy from standard role:** Administrator Professional (copy; restrict to non-production environment management scope only) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** OAuth 2.0, Token-Based Authentication, Setup and Administration
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **OAuth 2.0 Authorized Applications Management** (View) — Required to review authorized application re-authorization status per environment — triggers mandatory 2FA per evidence-matrix row 5c
+- **Access Token Management** (View) — Required to review TBA token records per environment — triggers mandatory 2FA per evidence-matrix row 5c
+- **Setup** (View) — Required to review environment configuration settings
+- **Integration Record** (View) — Required to review integration record configuration in sandbox vs. production
+## Forbidden
+- Administrator role
+- Full permission roles
+- Any role with Edit/Full on OAuth 2.0 Authorized Applications Management or Access Token Management
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to access a live NetSuite account, execute environment changes, or mutate any account
+- User asserts that OAuth 2.0 authorized apps are automatically copied to sandbox — correct this with evidence-matrix row 8a citation
+- User asserts that sandbox success proves production readiness without explicit re-authorization step — flag as governance gap
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-sandbox-nonproduction-governance-skill` — NetSuite Sandbox and Non-Production Governance Skill

package/skills/netsuite/netsuite-sandbox-nonproduction-governance-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,13 @@
+# Official Sources
+Confirmed Oracle/NetSuite official documentation URLs for OAuth 2.0 environment isolation and sandbox governance
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157771979135.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_162686838198.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4254801119.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html

package/skills/netsuite/netsuite-sandbox-nonproduction-governance-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+Environment-specific OAuth 2.0 and TBA isolation facts — evidence-matrix rows 8a-8d
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-sandbox-nonproduction-governance-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Safety Checklist
+Pre-review checklist: redaction verification, environment isolation facts, re-authorization coverage checks
+- No credentials, tokens, or secrets present in inputs — refuse and instruct user to redact if found
+- Core isolation fact enforced: OAuth 2.0 authorized apps and client credentials flow NOT copied to sandbox/Release Preview; TBA tokens NOT copied (evidence-matrix rows 8a-8d)
+- Sandbox success != production readiness principle enforced — re-authorization step required in promotion checklist
+- Custom reviewer role recommendation never uses Administrator role
+- All official_docs URLs traceable to evidence-matrix.md
+## Refusal triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to access a live NetSuite account, execute environment changes, or mutate any account
+- User asserts that OAuth 2.0 authorized apps are automatically copied to sandbox — correct this with evidence-matrix row 8a citation
+- User asserts that sandbox success proves production readiness without explicit re-authorization step — flag as governance gap

package/skills/netsuite/netsuite-sandbox-nonproduction-governance-skill/references/sandbox-promotion-checklist.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Sandbox Promotion Checklist
+Sandbox-to-production promotion checklist including OAuth re-authorization and smoke-test steps
+Scope: Sandbox and non-production environment separation, OAuth 2.0 app re-authorization requirements per environment, TBA token isolation, sandbox refresh cycles, and Release Preview usage governance. Enforces the principle that authorized applications and tokens are not copied between environments and must be explicitly re-authorized after each sandbox refresh.
+- Sandbox environment separation and governance policy review
+- Release Preview account usage governance and change-risk assessment
+- OAuth 2.0 authorized application re-authorization procedures per environment and post-refresh
+- OAuth 2.0 client credentials flow re-authorization governance across environments
+- TBA token lifecycle and isolation governance across production, sandbox, and Release Preview
+- Sandbox refresh cycle planning and impact on active integration test coverage
+- Sandbox-to-production promotion readiness checklist design
+- Environment-specific role and permission configuration review

package/skills/netsuite/netsuite-saved-searches-workbook-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,86 @@
+---
+name: netsuite-saved-searches-workbook-skill
+description: "Reviews NetSuite saved search criteria, results column configuration, SuiteAnalytics Workbook pivot and chart design, PII-in-export exposure, and cross-subsidiary data leakage risk. TRIGGER when: user asks to review or build a saved search, configure search criteria or results columns, design a SuiteAnalytics Workbook, troubleshoot search results, check for PII in exported data, or validate cross-subsidiary filtering; phrases include 'saved search criteria', 'search results columns', 'SuiteAnalytics workbook', 'pivot table in NetSuite', 'scheduled search', 'PII in search export', 'cross-subsidiary filter'. DO NOT TRIGGER when: the request is about high-level report layout or KPI meters (use netsuite-bi-reporting-skill), SuiteScript code driving the search (use netsuite-suitecloud-developer-skill), or when the user needs to execute a live query against a connected org."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: data
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite Saved Searches Workbook Skill
+## Purpose
+Saved search and SuiteAnalytics Workbook mechanics: criteria syntax, results columns, join paths, formula fields, scheduling, and data-export risk including PII exposure and cross-subsidiary leakage. Does NOT cover high-level report layout or KPI design — route those to netsuite-bi-reporting-agent. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User asks to review or create a NetSuite saved search or SuiteAnalytics Workbook
+- User needs to validate search criteria syntax, join paths, or formula fields
+- User asks to check for PII fields in search results or scheduled export recipients
+- User needs to verify cross-subsidiary filters are correctly scoped in a OneWorld account
+- User asks about search scheduling, delivery settings, or public vs. private access controls
+## Recommended Workflow
+1. Step 1 — Gather the saved search or workbook configuration: type, all criteria conditions, results columns, summary type, and access setting.
+2. Step 2 — Identify the record type and confirm subsidiary scope; flag if cross-subsidiary risk applies.
+3. Step 3 — Scan results columns for PII fields (email, phone, address, SSN, credit card, date of birth); flag any as a default High finding.
+4. Step 4 — Review criteria completeness: verify required filters (date range bounds, subsidiary, transaction status) are present and correctly joined.
+5. Step 5 — Assess scheduling and delivery: confirm recipient roles, data sensitivity of output, and whether external email delivery is appropriate.
+6. Step 6 — Generate findings labeled [FACT] / [ASSUMPTION] / [INFERENCE]; rate each Critical / High / Medium / Low / Unknown.
+7. Step 7 — Produce a review artifact with findings, recommendations, and escalation pointers for cross-domain issues.
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No live NetSuite connection, credentials, or session tokens used at any point
+- PII-in-export flagged as High by default when personal data fields appear in results columns
+- Cross-subsidiary leakage flagged as High when subsidiary filter is absent in OneWorld context
+- All field internal IDs from user-supplied configuration only; lookups marked [INFERENCE] if not confirmed
+- Scheduling and delivery risks escalated to netsuite-data-governance-privacy-agent when external recipients involved
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Any credentials, session tokens, API keys, or OAuth secrets included in the request
+- Request to execute, run, preview, or schedule a search against a live NetSuite account
+- Request to share or publish a search or workbook
+- Request to assume Administrator role or equivalent full-permission role
+- Request involving raw unmasked PII fields without prior sanitization acknowledgment
+- Coming-soon certification claimed as currently available for this domain
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — never executes, schedules, or shares any saved search or workbook in any NetSuite account. No credentials, session tokens, or API keys are requested or processed. PII-in-export findings are treated as High severity by default and escalated to the data governance agent when external delivery is involved.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle/NetSuite saved search and SuiteAnalytics documentation URLs
+- [safety-checklist.md](references/safety-checklist.md) — PII-in-export and cross-subsidiary leakage refusal gates
+- [least-privilege.md](references/least-privilege.md) — Custom role definition and permission rationale for search review
+- [release-drift.md](references/release-drift.md) — NetSuite release notes affecting saved search engine and SuiteAnalytics Workbook
+- [pii-field-catalog.md](references/pii-field-catalog.md) — Catalog of NetSuite record fields that constitute PII for export risk assessment

package/skills/netsuite/netsuite-saved-searches-workbook-skill/metadata.json ADDED Viewed

@@ -0,0 +1,34 @@
+{
+  "id": "netsuite-saved-searches-workbook-skill",
+  "name": "NetSuite Saved Searches Workbook Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Reviews NetSuite saved search criteria, results column configuration, SuiteAnalytics Workbook pivot and chart design, PII-in-export exposure, and cross-subsidiary data leakage risk. TRIGGER when: user asks to review or build a saved search, configure search criteria or results columns, design a Suit",
+  "source_type": "original",
+  "category": "data",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_1011040638.html"
+  ],
+  "security_notes": "Static review only — never executes, schedules, or shares any saved search or workbook in any NetSuite account. No credentials, session tokens, or API keys are requested or processed. PII-in-export findings are treated as High severity by default and escalated to the data governance agent when external delivery is involved.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-saved-searches-workbook-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}