npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.9.0 → 2.10.0 - Mend

@raishin/vanguard-frontier-agentic 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

package/skills/netsuite/netsuite-saved-searches-workbook-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,65 @@
+# Least-privilege NetSuite posture for NetSuite Saved Searches Workbook Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Search Workbook Reviewer (custom)
+- **Copy from standard role:** Reports Only (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Reports, Analytics, SuiteAnalytics Workbook
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Saved Searches** (View) — Read saved search definitions and criteria without modification
+- **SuiteAnalytics Workbook** (View) — Inspect workbook dataset, pivot, and chart configurations
+- **Reports** (View) — Cross-reference saved searches used as report data sources
+- **Employees** (View) — Validate employee record searches for PII exposure risk
+- **Contacts** (View) — Validate contact searches for PII exposure risk
+- **Transactions** (View) — Inspect transaction search joins and results for data leakage
+## Forbidden
+- Administrator role
+- Edit or Create on Saved Searches for review-only sessions
+- Full permissions to any module
+- Access Token Management permission
+- Publish Search with write intent
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Any credentials, session tokens, API keys, or OAuth secrets included in the request
+- Request to execute, run, preview, or schedule a search against a live NetSuite account
+- Request to share or publish a search or workbook
+- Request to assume Administrator role or equivalent full-permission role
+- Request involving raw unmasked PII fields without prior sanitization acknowledgment
+- Coming-soon certification claimed as currently available for this domain
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-saved-searches-workbook-skill` — NetSuite Saved Searches Workbook Skill

package/skills/netsuite/netsuite-saved-searches-workbook-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Official Sources
+Oracle/NetSuite saved search and SuiteAnalytics documentation URLs
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_1011040638.html

package/skills/netsuite/netsuite-saved-searches-workbook-skill/references/pii-field-catalog.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Pii Field Catalog
+Catalog of NetSuite record fields that constitute PII for export risk assessment
+Scope: Saved search and SuiteAnalytics Workbook mechanics: criteria syntax, results columns, join paths, formula fields, scheduling, and data-export risk including PII exposure and cross-subsidiary leakage. Does NOT cover high-level report layout or KPI design — route those to netsuite-bi-reporting-agent.
+- Saved search criteria: filter conditions, join types, formula criteria, and condition ordering
+- Results columns: field selection, formula columns, summary types, sort and group configuration
+- SuiteAnalytics Workbook: table, pivot, and chart definitions; dataset joins and formula fields
+- PII-in-export detection: identifying personal data fields (email, phone, address, SSN, credit card) in search results or workbook exports
+- Cross-subsidiary leakage: verifying subsidiary and owned-by-subsidiary filters are present and correctly set
+- Saved search access controls: who can view, edit, or subscribe to a search; public vs. private scope
+- Scheduled search delivery: recipient roles, email delivery risk, and data sensitivity of scheduled output
+- Search performance: excessive join depth, missing indexes, unbounded date ranges

package/skills/netsuite/netsuite-saved-searches-workbook-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+NetSuite release notes affecting saved search engine and SuiteAnalytics Workbook
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-saved-searches-workbook-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+PII-in-export and cross-subsidiary leakage refusal gates
+- No live NetSuite connection, credentials, or session tokens used at any point
+- PII-in-export flagged as High by default when personal data fields appear in results columns
+- Cross-subsidiary leakage flagged as High when subsidiary filter is absent in OneWorld context
+- All field internal IDs from user-supplied configuration only; lookups marked [INFERENCE] if not confirmed
+- Scheduling and delivery risks escalated to netsuite-data-governance-privacy-agent when external recipients involved
+## Refusal triggers
+- Any credentials, session tokens, API keys, or OAuth secrets included in the request
+- Request to execute, run, preview, or schedule a search against a live NetSuite account
+- Request to share or publish a search or workbook
+- Request to assume Administrator role or equivalent full-permission role
+- Request involving raw unmasked PII fields without prior sanitization acknowledgment
+- Coming-soon certification claimed as currently available for this domain

package/skills/netsuite/netsuite-sdf-devops-release-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,87 @@
+---
+name: netsuite-sdf-devops-release-skill
+description: "Static review flashlight for SuiteCloud Development Framework project structure, deployment controls, and environment promotion governance. Validates manifest.xml completeness, deploy.xml ordering, customrole permission XML against the 684-code SDF catalog, required documentation artifacts, and SuiteScript version gates. TRIGGER when: user asks to review an SDF project, validate a manifest.xml or deploy.xml, check deployment configuration, review environment promotion from sandbox to production, verify SuiteCloud release process, check for SuiteScript 1.0 code before deployment, confirm documentation artifacts are present, or audit SDF customrole permissions in a deployment object. Trigger phrases: sdf project structure, validate manifest xml, deploy xml review, sandbox to production netsuite, suitecloud deployment, sdf customdeploy, netsuite release pipeline, sdf environment promotion, suitescript version gate, architecture md missing. DO NOT TRIGGER when: the question is specifically about role SoD or permission design outside of a deployment context (use netsuite-identity-access-role-permission-skill); when the request is about OAuth 2.0 or TBA authentication mechanics (use netsuite-sso-oauth-tba-skill); when SuiteScript OWASP code security is the primary subject (use netsuite-suitescript-secure-code-review-skill); or when the user needs to execute a deployment in a live account (escalate to netsuite-live-org-mutation-guard-agent)."
+license: UPL-1.0
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: devsecops
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite SDF DevOps Release Skill
+## Purpose
+SDF project structure correctness, deployment configuration review, and environment promotion governance. Validates manifest.xml completeness, deploy.xml ordering, customrole permission XML against the SDF permission catalog, and pre/post-deployment documentation requirements (README, ARCHITECTURE, CHANGELOG). Flags SuiteScript 1.0 unconverted code as a deployment blocker. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- SDF project manifest.xml or deploy.xml needs review before a promotion is attempted
+- Environment promotion path from sandbox to production requires governance documentation
+- Customrole permission XML in a deployment object needs least-privilege validation
+- Documentation artifacts (README.md, ARCHITECTURE.md, CHANGELOG.md) need a completeness gate check
+- SuiteScript version risk (1.0 files present) needs to be assessed before a release
+## Recommended Workflow
+1. Step 1 — Collect sanitized SDF project excerpts (manifest.xml, deploy.xml, selected object XML); confirm no credentials or token values are present
+2. Step 2 — Validate manifest.xml: check project ID, publisher ID, object list completeness, and missing dependency declarations
+3. Step 3 — Validate deploy.xml: check object ordering for dependency correctness; flag circular dependencies or missing prerequisite objects
+4. Step 4 — Cross-reference customrole permkey/permlevel entries against the netsuite-sdf-roles-and-permissions 684-code catalog; flag Administrator-level grants as Critical
+5. Step 5 — Check documentation artifact inventory: README.md, ARCHITECTURE.md, CHANGELOG.md present and not stale; flag absence as a release block
+6. Step 6 — Scan for SuiteScript 1.0 files in the project; flag as High-severity deployment risk; reference upgrade path
+7. Step 7 — Verify environment promotion evidence (sandbox test results documented); flag direct-to-production as High; emit structured release-readiness report
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No credentials, tokens, or client secrets in the submitted SDF project excerpts
+- All permission-level findings cite the netsuite-sdf-roles-and-permissions catalog or evidence rows 7a–7b
+- Documentation gate checks are applied before any release-ready verdict is issued
+- Live deployment execution is never recommended — routed to netsuite-live-org-mutation-guard-agent
+- Secrets and PII redaction gate is applied to all documentation artifact reviews
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request includes or asks for account credentials, tokens, client secrets, or deployment passwords
+- Request asks the agent to execute, trigger, or approve a live deployment — escalate to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to act as or use Administrator role
+- Request asks to bypass documentation gate (deploy without README/ARCHITECTURE/CHANGELOG) — document the risk, do not approve bypass
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for deployment context
+- Scope creep: SuiteScript OWASP security review routes to netsuite-suitescript-secure-code-review-agent
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — works from sanitized SDF project excerpts and never requests credentials, tokens, deployment passwords, or user PII. Does not execute or approve deployments. Every permission-level finding cites the Oracle SDF permission catalog or official evidence. Secrets and PII redaction gate is applied to all documentation artifact reviews before release-readiness verdict.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle SuiteCloud Development Framework documentation URLs
+- [safety-checklist.md](references/safety-checklist.md) — Pre-submission checklist for sanitizing SDF project excerpts before analysis
+- [least-privilege.md](references/least-privilege.md) — SDF release reviewer role design: minimal permissions for deployment review
+- [release-drift.md](references/release-drift.md) — SuiteScript version risk tracker and SOAP deprecation timeline for deployment context
+- [sdf-documentation-gates.md](references/sdf-documentation-gates.md) — Required documentation artifact standards: README, ARCHITECTURE, CHANGELOG completeness criteria

package/skills/netsuite/netsuite-sdf-devops-release-skill/metadata.json ADDED Viewed

@@ -0,0 +1,35 @@
+{
+  "id": "netsuite-sdf-devops-release-skill",
+  "name": "NetSuite SDF DevOps Release Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Static review flashlight for SuiteCloud Development Framework project structure, deployment controls, and environment promotion governance. Validates manifest.xml completeness, deploy.xml ordering, customrole permission XML against the 684-code SDF catalog, required documentation artifacts, and Suit",
+  "source_type": "adapted",
+  "category": "devsecops",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_4123813814.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html"
+  ],
+  "security_notes": "Static review only — works from sanitized SDF project excerpts and never requests credentials, tokens, deployment passwords, or user PII. Does not execute or approve deployments. Every permission-level finding cites the Oracle SDF permission catalog or official evidence. Secrets and PII redaction gate is applied to all documentation artifact reviews before release-readiness verdict.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-sdf-devops-release-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "source_attribution": "Portions derived from oracle/netsuite-suitecloud-sdk packages/agent-skills/netsuite-sdf-project-documentation (UPL-1.0; Copyright (c) 2019, 2023 Oracle and/or its affiliates; https://oss.oracle.com/licenses/upl). Vanguard additions: CI gate threshold definitions for documentation staleness, catalog metadata schema alignment for auto-populating agent manifest fields, CHANGELOG.md convention alignment with Vanguard docs/_data/catalog.yml Liquid variable standards, release-block decision rules, and integration with the netsuite-sdf-roles-and-permissions permission catalog for deployment object validation."
+}

package/skills/netsuite/netsuite-sdf-devops-release-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,64 @@
+# Least-privilege NetSuite posture for NetSuite SDF DevOps Release Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite SDF Release Reviewer (custom)
+- **Copy from standard role:** Developer (standard NetSuite role — SuiteCloud access, no financial transaction entry) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** SuiteCloud, Setup
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **SuiteCloud Development Framework** (View) — Required to read SDF project configurations, manifests, and deploy objects
+- **Script Deployments** (View) — Required to inspect script deployment records and target environments
+- **Roles and Groups** (View) — Required to verify customrole permission XML in deployment objects
+- **SuiteScript** (View) — Required to examine script file versions and entry point configurations
+- **Custom Records** (View) — Required to inspect custom object definitions included in SDF deployments
+## Forbidden
+- Administrator role
+- Edit or Full on Script Deployments
+- Edit or Full on SuiteCloud Development Framework
+- Any financial transaction permission
+- Deploy to Production permission
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request includes or asks for account credentials, tokens, client secrets, or deployment passwords
+- Request asks the agent to execute, trigger, or approve a live deployment — escalate to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to act as or use Administrator role
+- Request asks to bypass documentation gate (deploy without README/ARCHITECTURE/CHANGELOG) — document the risk, do not approve bypass
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for deployment context
+- Scope creep: SuiteScript OWASP security review routes to netsuite-suitescript-secure-code-review-agent
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-sdf-devops-release-skill` — NetSuite SDF DevOps Release Skill

package/skills/netsuite/netsuite-sdf-devops-release-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Official Sources
+Oracle SuiteCloud Development Framework documentation URLs
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_4123813814.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html

package/skills/netsuite/netsuite-sdf-devops-release-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+SuiteScript version risk tracker and SOAP deprecation timeline for deployment context
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-sdf-devops-release-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Pre-submission checklist for sanitizing SDF project excerpts before analysis
+- No credentials, tokens, or client secrets in the submitted SDF project excerpts
+- All permission-level findings cite the netsuite-sdf-roles-and-permissions catalog or evidence rows 7a–7b
+- Documentation gate checks are applied before any release-ready verdict is issued
+- Live deployment execution is never recommended — routed to netsuite-live-org-mutation-guard-agent
+- Secrets and PII redaction gate is applied to all documentation artifact reviews
+## Refusal triggers
+- Request includes or asks for account credentials, tokens, client secrets, or deployment passwords
+- Request asks the agent to execute, trigger, or approve a live deployment — escalate to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to act as or use Administrator role
+- Request asks to bypass documentation gate (deploy without README/ARCHITECTURE/CHANGELOG) — document the risk, do not approve bypass
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for deployment context
+- Scope creep: SuiteScript OWASP security review routes to netsuite-suitescript-secure-code-review-agent

package/skills/netsuite/netsuite-sdf-devops-release-skill/references/sdf-documentation-gates.md ADDED Viewed

@@ -0,0 +1,13 @@
+# Sdf Documentation Gates
+Required documentation artifact standards: README, ARCHITECTURE, CHANGELOG completeness criteria
+Scope: SDF project structure correctness, deployment configuration review, and environment promotion governance. Validates manifest.xml completeness, deploy.xml ordering, customrole permission XML against the SDF permission catalog, and pre/post-deployment documentation requirements (README, ARCHITECTURE, CHANGELOG). Flags SuiteScript 1.0 unconverted code as a deployment blocker.
+- SDF project structure: validate standard directory layout (FileCabinet/, Objects/, SuiteScripts/, Templates/), manifest.xml completeness, and object XML well-formedness
+- Deployment configuration review: validate deploy.xml ordering, dependency declarations, and customdeploy tag correctness for the target environment
+- Permission XML validation in deployment objects: cross-reference customrole permkey/permlevel against the 684-code SDF permission catalog (upstream dependency netsuite-sdf-roles-and-permissions)
+- Environment promotion governance: confirm sandbox → staging → production promotion path is documented; flag direct-to-production deployments without sandbox evidence
+- Documentation gate: verify required artifacts (README.md, ARCHITECTURE.md, CHANGELOG.md) exist and are not stale; confirm secrets and PII are redacted from generated docs
+- SuiteScript version gate: flag SuiteScript 1.0 code in the project as a deployment blocker (migration urgency per upgrade path conventions)
+- Audit evidence artifacts: confirm deployment records include change ticket reference, approver, rollback plan, and target environment documentation

package/skills/netsuite/netsuite-sso-oauth-tba-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,86 @@
+---
+name: netsuite-sso-oauth-tba-skill
+description: "Static review of NetSuite OAuth 2.0, TBA, and SSO/SAML configurations. Validates OAuth scope (REST/RESTlets only, not SOAP), TBA fallback timeline, SAML correctness, deprecated NLAuth, and sandbox re-authorization. Trigger: OAuth 2.0, TBA, SSO/SAML, token auth, RESTlet auth, SuiteAnalytics Connect auth, sandbox re-auth, SOAP auth migration. Escalate: role design (use identity-access-role-permission), SDF deploy (use sdf-devops-release), SuiteScript security (use suitescript-secure-code-review), live token ops (use live-org-mutation-guard), AI Connector auth (use ai-connector-mcp)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: security
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite SSO OAuth TBA Skill
+## Purpose
+Authentication mechanism design and correctness in NetSuite integrations: OAuth 2.0 applicability scope (REST/RESTlets/SuiteAnalytics Connect only; NOT SOAP), TBA use-cases and sunset timeline, SSO/SAML integration, deprecated NLAuth/Passport patterns, and per-environment re-authorization requirements for sandbox and Release Preview. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- An integration record's authentication type needs validation against OAuth 2.0 and TBA support scope
+- A SOAP-based integration with TBA needs a migration-risk assessment against the 2026.1/2027.1/2028.2 deprecation timeline
+- OAuth 2.0 sandbox or Release Preview re-authorization gaps need to be identified and documented
+- SSO/SAML setup needs review for correct configuration and 2FA designation of required permissions
+- Deprecated NLAuth or Passport credential usage needs to be detected and remediation planned
+## Recommended Workflow
+1. Step 1 — Collect sanitized integration record configuration; confirm no token values, client secrets, or SAML assertions are present
+2. Step 2 — Identify the authentication type (OAuth 2.0, TBA, NLAuth/Passport, SSO/SAML) and the transport protocol (REST, RESTlet, SuiteAnalytics Connect, SOAP)
+3. Step 3 — Apply protocol-to-auth compatibility matrix: OAuth 2.0 supported for REST/RESTlets/SuiteAnalytics Connect (evidence 3a–3c); not supported for SOAP (evidence 3d); flag mismatches as Critical
+4. Step 4 — Apply SOAP deprecation timeline to any SOAP + TBA integrations: assess urgency by release version (evidence 2a–2d); flag missing migration plan
+5. Step 5 — Check for deprecated credential patterns (NLAuth on RESTlets, Passport on SOAP 2020.2+); flag as Critical if found on active integrations (evidence 4b, 4c)
+6. Step 6 — Verify sandbox and Release Preview re-authorization documentation; flag any assumption that OAuth 2.0 apps or TBA tokens carry over from production (evidence 8a–8d)
+7. Step 7 — Rate every finding Critical / High / Medium / Low / Unknown; emit structured report with migration guidance and escalation triggers
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No access tokens, refresh tokens, client secrets, TBA token values, or SAML assertions in the submitted configuration
+- All OAuth 2.0 applicability claims cite evidence rows 3a–3d
+- All SOAP deprecation timeline claims cite evidence rows 2a–2d verbatim
+- No live token generation or account authorization is recommended without explicit human approval and netsuite-live-org-mutation-guard-agent routing
+- Administrator role is never recommended for integration authentication
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request includes or asks for access tokens, refresh tokens, client secrets, TBA token values, SAML assertions, or session cookies
+- Request asks the agent to generate OAuth 2.0 authorization codes, client credentials, or TBA token pairs
+- Request asks the agent to perform a live sandbox refresh, authorize an OAuth application in a live account, or create TBA tokens
+- Request asks to act as or use Administrator role
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for authentication context
+- Scope creep: role and permission questions route to netsuite-identity-access-role-permission-agent
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — works from sanitized configuration excerpts and never requests or handles credentials, access tokens, refresh tokens, client secrets, TBA token pairs, SAML assertions, or session cookies. Does not perform live authorizations, token generations, or sandbox refreshes. Every authentication-mechanism claim cites official Oracle documentation evidence.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle/NetSuite official documentation URLs for OAuth 2.0, TBA, SSO, and deprecation timeline
+- [safety-checklist.md](references/safety-checklist.md) — Pre-submission checklist for sanitizing integration configuration before analysis
+- [least-privilege.md](references/least-privilege.md) — Auth reviewer role design: minimal permissions for configuration review without credential exposure
+- [release-drift.md](references/release-drift.md) — SOAP and TBA deprecation milestone tracker: 2026.1, 2027.1, 2028.2 key dates
+- [auth-compatibility-matrix.md](references/auth-compatibility-matrix.md) — Protocol-to-auth-method compatibility matrix (REST/RESTlet/SuiteAnalytics/SOAP vs OAuth 2.0/TBA/NLAuth)

package/skills/netsuite/netsuite-sso-oauth-tba-skill/metadata.json ADDED Viewed

@@ -0,0 +1,41 @@
+{
+  "id": "netsuite-sso-oauth-tba-skill",
+  "name": "NetSuite SSO OAuth TBA Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Static review flashlight for NetSuite authentication mechanism configurations. Validates OAuth 2.0 applicability scope (REST/RESTlets/SuiteAnalytics Connect only; explicitly NOT SOAP), TBA fallback posture and sunset timeline, SSO/SAML setup correctness, deprecated NLAuth/Passport patterns, and per-",
+  "source_type": "original",
+  "category": "security",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157780312610.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_158263562006.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_1011040638.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4381113277.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N2971402.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N3445710.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157771979135.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_162686838198.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html"
+  ],
+  "security_notes": "Static review only — works from sanitized configuration excerpts and never requests or handles credentials, access tokens, refresh tokens, client secrets, TBA token pairs, SAML assertions, or session cookies. Does not perform live authorizations, token generations, or sandbox refreshes. Every authentication-mechanism claim cites official Oracle documentation evidence.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-sso-oauth-tba-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-sso-oauth-tba-skill/references/auth-compatibility-matrix.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Auth Compatibility Matrix
+Protocol-to-auth-method compatibility matrix (REST/RESTlet/SuiteAnalytics/SOAP vs OAuth 2.0/TBA/NLAuth)
+Scope: Authentication mechanism design and correctness in NetSuite integrations: OAuth 2.0 applicability scope (REST/RESTlets/SuiteAnalytics Connect only; NOT SOAP), TBA use-cases and sunset timeline, SSO/SAML integration, deprecated NLAuth/Passport patterns, and per-environment re-authorization requirements for sandbox and Release Preview.
+- OAuth 2.0 review: Authorization Code flow and Client Credentials flow for REST web services (evidence 3a), RESTlets (evidence 3b), and SuiteAnalytics Connect (evidence 3c); flag OAuth 2.0 applied to SOAP (not supported, evidence 3d)
+- TBA review: verify TBA is used only for scenarios where OAuth 2.0 is not yet available; apply 2027.1 new-TBA-block timeline (evidence 4d); confirm SOAP endpoint is 2020.2 or later for TBA (evidence 4c)
+- Deprecated authentication patterns: NLAuth / Passport request-level credentials flagged as deprecated for RESTlets (evidence 4b) and SOAP endpoints 2020.2+ (evidence 4c)
+- SSO/SAML review: validate integration setup, role mapping, and that required 2FA permissions for SSO setup are designated (evidence 5c)
+- Sandbox and Release Preview re-authorization: confirm OAuth 2.0 authorized applications are not assumed to carry over from production (evidence 8a, 8b, 8c); confirm TBA tokens must be recreated in non-production environments (evidence 8d)
+- SOAP deprecation risk: apply the four-milestone timeline (2026.1 recommendation, 2027.1 new-SOAP block, 2025.2 last planned endpoint, 2028.2 full sunset) to flag at-risk SOAP + TBA integrations (evidence 2a–2d)

package/skills/netsuite/netsuite-sso-oauth-tba-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,62 @@
+# Least-privilege NetSuite posture for NetSuite SSO OAuth TBA Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Auth Configuration Reviewer (custom)
+- **Copy from standard role:** Auditor (standard NetSuite role — read-only, no transaction entry) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Setup
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Integrated Applications** (View) — Required to read OAuth 2.0 integration record settings (no client secret visible at View level)
+- **User Access Tokens** (View) — Required to confirm TBA setup without accessing token values
+- **OAuth 2.0 Authorized Applications Management** (View) — Required to verify authorized application list per environment; triggers mandatory 2FA (evidence 5c)
+- **Single Sign-on** (View) — Required to review SSO/SAML configuration excerpts
+## Forbidden
+- Administrator role
+- Log in using Access Tokens (do not confuse with 'Log in using OAuth 2.0 Access Tokens')
+- Edit or Full on any Setup permission listed above
+- Any transaction or record entry permission
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request includes or asks for access tokens, refresh tokens, client secrets, TBA token values, SAML assertions, or session cookies
+- Request asks the agent to generate OAuth 2.0 authorization codes, client credentials, or TBA token pairs
+- Request asks the agent to perform a live sandbox refresh, authorize an OAuth application in a live account, or create TBA tokens
+- Request asks to act as or use Administrator role
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for authentication context
+- Scope creep: role and permission questions route to netsuite-identity-access-role-permission-agent
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-sso-oauth-tba-skill` — NetSuite SSO OAuth TBA Skill

package/skills/netsuite/netsuite-sso-oauth-tba-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Official Sources
+Oracle/NetSuite official documentation URLs for OAuth 2.0, TBA, SSO, and deprecation timeline
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157780312610.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_158263562006.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_1011040638.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4381113277.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N2971402.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N3445710.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157771979135.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_162686838198.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html

package/skills/netsuite/netsuite-sso-oauth-tba-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+SOAP and TBA deprecation milestone tracker: 2026.1, 2027.1, 2028.2 key dates
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-sso-oauth-tba-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Pre-submission checklist for sanitizing integration configuration before analysis
+- No access tokens, refresh tokens, client secrets, TBA token values, or SAML assertions in the submitted configuration
+- All OAuth 2.0 applicability claims cite evidence rows 3a–3d
+- All SOAP deprecation timeline claims cite evidence rows 2a–2d verbatim
+- No live token generation or account authorization is recommended without explicit human approval and netsuite-live-org-mutation-guard-agent routing
+- Administrator role is never recommended for integration authentication
+## Refusal triggers
+- Request includes or asks for access tokens, refresh tokens, client secrets, TBA token values, SAML assertions, or session cookies
+- Request asks the agent to generate OAuth 2.0 authorization codes, client credentials, or TBA token pairs
+- Request asks the agent to perform a live sandbox refresh, authorize an OAuth application in a live account, or create TBA tokens
+- Request asks to act as or use Administrator role
+- Coming-soon cert (AI Specialist, AI Professional) claimed as available for authentication context
+- Scope creep: role and permission questions route to netsuite-identity-access-role-permission-agent