npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.9.0 → 2.10.0 - Mend

@raishin/vanguard-frontier-agentic 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

package/skills/netsuite/netsuite-suitecloud-developer-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,86 @@
+---
+name: netsuite-suitecloud-developer-skill
+description: "Static-review flashlight for NetSuite SuiteCloud Development Framework projects and SuiteScript 2.x code. Adapts the Oracle netsuite-suitescript-upgrade upstream skill (UPL-1.0, Copyright (c) 2019, 2023 Oracle and/or its affiliates) with Vanguard-specific CI gate thresholds and CHANGELOG conventions. Reviews SDF object XML, deployment manifests, SuiteScript entry points, custom record definitions, and SuiteApp packaging. TRIGGER when: user asks to review SDF project structure, audit SuiteScript 2.x code, assess SuiteScript 1.0 or 2.0 upgrade readiness, review a Suitelet or RESTlet design, inspect custom record definitions, review SuiteApp manifest configuration, or score SuiteScript migration complexity. Trigger phrases: SDF review, SuiteScript upgrade, SuiteScript 2.1, custom record design, Suitelet review, SuiteApp packaging, SDF manifest. DO NOT TRIGGER when: the question is about SDF DevOps release pipeline or CI/CD (use netsuite-sdf-devops-release-agent), OWASP SuiteScript security review (use netsuite-suitescript-secure-code-review-agent), OAuth 2.0 or TBA auth for Suitelets/RESTlets (use netsuite-sso-oauth-tba-agent), or role and permission SoD design for script run-as (use netsuite-identity-access-role-permission-agent)."
+license: UPL-1.0
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: platform
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite SuiteCloud Developer Skill
+## Purpose
+SDF project structure, SuiteScript 2.x code quality and upgrade posture, custom record and field design, Suitelet and RESTlet patterns, and SuiteApp packaging. Adapts Oracle's netsuite-suitescript-upgrade skill (UPL-1.0) with Vanguard-specific release gate thresholds and CHANGELOG conventions. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User needs to review or audit a SuiteCloud Development Framework project structure
+- User needs SuiteScript 1.0 or 2.0 upgrade readiness assessment and complexity scoring
+- User is designing or reviewing a Suitelet, RESTlet, or custom record definition
+- User needs to validate SuiteApp manifest and packaging configuration
+- User needs CI gate recommendations for SuiteScript upgrade enforcement
+## Recommended Workflow
+1. Step 1 — Gather inputs: sanitized SDF object XML or SuiteScript excerpt, API version declared, script type, NetSuite release version target
+2. Step 2 — Identify SuiteScript API version in use; flag 1.0 as Critical upgrade-required, 2.0 as High upgrade-recommended, 2.1 as current baseline
+3. Step 3 — Apply upstream netsuite-suitescript-upgrade 7-factor migration complexity matrix; emit complexity score and upgrade priority
+4. Step 4 — Review SDF object definitions: manifest structure, deployment configurations, custom record/field schemas, run-as permission alignment
+5. Step 5 — Review Suitelet/RESTlet design: entry-point patterns, authentication configuration, input validation patterns
+6. Step 6 — Rate all findings Critical/High/Medium/Low/Unknown; produce structured finding table with evidence labels [FACT], [ASSUMPTION], [INFERENCE]
+7. Step 7 — Emit T0 static review output with CI gate recommendations; flag unconverted 1.0 code as deployment blocker; route escalations per boundary rules
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No credentials, tokens, hardcoded org IDs, or secrets present in inputs — refuse and instruct user to redact if found
+- SuiteScript 1.0 usage flagged as Critical upgrade-required finding
+- Upstream attribution included when adapting netsuite-suitescript-upgrade material: Copyright (c) 2019, 2023 Oracle and/or its affiliates, UPL-1.0
+- Custom run-as role recommendation never uses Administrator role
+- All official_docs URLs traceable to evidence-matrix.md
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request includes credentials, tokens, secrets, hardcoded org IDs, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions for script execution
+- Request asks agent to push SDF project, execute deployment commands, or mutate a NetSuite account
+- User claims SuiteCloud Developer Professional is a confirmed available exam without citing the official exam page — mark status UNVERIFIED per evidence-matrix row 1f
+- Request requires live execution of SuiteScript or SDF CLI commands
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — never executes SDF CLI commands, never pushes to a NetSuite account, never requests or stores credentials, tokens, or org IDs. Works exclusively from sanitized SDF object XML and SuiteScript excerpts. SuiteScript 1.0 usage flagged as Critical. Adapted from oracle/netsuite-suitecloud-sdk netsuite-suitescript-upgrade skill (UPL-1.0, Copyright (c) 2019, 2023 Oracle and/or its affiliates). Never recommends Administrator role for script run-as configuration. All run-as roles must follow least-privilege and 2FA requirements.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Confirmed Oracle/NetSuite official documentation URLs for SDF, SuiteScript, and SuiteApps
+- [safety-checklist.md](references/safety-checklist.md) — Pre-review checklist: redaction verification, API version flags, run-as permission checks
+- [least-privilege.md](references/least-privilege.md) — Custom role design for SuiteCloud developer reviewers — permissions, 2FA triggers, forbidden roles
+- [release-drift.md](references/release-drift.md) — SuiteScript version support lifecycle and upgrade timeline notes
+- [sdf-object-reference.md](references/sdf-object-reference.md) — SDF object type reference and required XML field documentation

package/skills/netsuite/netsuite-suitecloud-developer-skill/metadata.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "id": "netsuite-suitecloud-developer-skill",
+  "name": "NetSuite SuiteCloud Developer Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Static-review flashlight for NetSuite SuiteCloud Development Framework projects and SuiteScript 2.x code. Adapts the Oracle netsuite-suitescript-upgrade upstream skill (UPL-1.0, Copyright (c) 2019, 2023 Oracle and/or its affiliates) with Vanguard-specific CI gate thresholds and CHANGELOG conventions",
+  "source_type": "adapted",
+  "category": "platform",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_4123813814.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html",
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://education.oracle.com/oracle-netsuite-application-developer-professional/pexam_N16304GC10"
+  ],
+  "security_notes": "Static review only — never executes SDF CLI commands, never pushes to a NetSuite account, never requests or stores credentials, tokens, or org IDs. Works exclusively from sanitized SDF object XML and SuiteScript excerpts. SuiteScript 1.0 usage flagged as Critical. Adapted from oracle/netsuite-suitecloud-sdk netsuite-suitescript-upgrade skill (UPL-1.0, Copyright (c) 2019, 2023 Oracle and/or its affiliates). Never recommends Administrator role for script run-as configuration. All run-as roles must follow least-privilege and 2FA requirements.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-suitecloud-developer-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "source_attribution": "Adapted from oracle/netsuite-suitecloud-sdk packages/agent-skills/netsuite-suitescript-upgrade (UPL-1.0, Copyright (c) 2019, 2023 Oracle and/or its affiliates; https://oss.oracle.com/licenses/upl). Vanguard additions: (1) CI gate thresholds mapping SuiteScript complexity scores to deployment-block vs. human-review-escalation decisions; (2) CHANGELOG.md output format aligned to Vanguard netsuite-sdf-project-documentation conventions; (3) boundary routing to netsuite-sdf-devops-release-agent and netsuite-suitescript-secure-code-review-agent not present upstream."
+}

package/skills/netsuite/netsuite-suitecloud-developer-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,61 @@
+# Least-privilege NetSuite posture for NetSuite SuiteCloud Developer Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite SuiteCloud Developer Reviewer (custom)
+- **Copy from standard role:** Developer (or closest available standard role with SuiteScript and SDF access) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Server SuiteScript, Client SuiteScript, SuiteCloud Development Framework, Custom Records
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **SuiteScript** (View) — Required to review SuiteScript file configurations and deployment records
+- **SuiteCloud Development Framework** (View) — Required to inspect SDF project configurations and object definitions
+- **Custom Record Types** (View) — Required to review custom record and field definitions
+- **Script Deployments** (View) — Required to review script deployment configuration and run-as settings
+- **SuiteApps** (View) — Required to inspect SuiteApp manifest and packaging configuration
+## Forbidden
+- Administrator role
+- Full permission roles
+- Any role with Create/Edit/Full on Script Deployments or SuiteApps
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request includes credentials, tokens, secrets, hardcoded org IDs, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions for script execution
+- Request asks agent to push SDF project, execute deployment commands, or mutate a NetSuite account
+- User claims SuiteCloud Developer Professional is a confirmed available exam without citing the official exam page — mark status UNVERIFIED per evidence-matrix row 1f
+- Request requires live execution of SuiteScript or SDF CLI commands
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-suitecloud-developer-skill` — NetSuite SuiteCloud Developer Skill

package/skills/netsuite/netsuite-suitecloud-developer-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official Sources
+Confirmed Oracle/NetSuite official documentation URLs for SDF, SuiteScript, and SuiteApps
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_4123813814.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://education.oracle.com/oracle-netsuite-application-developer-professional/pexam_N16304GC10

package/skills/netsuite/netsuite-suitecloud-developer-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+SuiteScript version support lifecycle and upgrade timeline notes
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-suitecloud-developer-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Safety Checklist
+Pre-review checklist: redaction verification, API version flags, run-as permission checks
+- No credentials, tokens, hardcoded org IDs, or secrets present in inputs — refuse and instruct user to redact if found
+- SuiteScript 1.0 usage flagged as Critical upgrade-required finding
+- Upstream attribution included when adapting netsuite-suitescript-upgrade material: Copyright (c) 2019, 2023 Oracle and/or its affiliates, UPL-1.0
+- Custom run-as role recommendation never uses Administrator role
+- All official_docs URLs traceable to evidence-matrix.md
+## Refusal triggers
+- Request includes credentials, tokens, secrets, hardcoded org IDs, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions for script execution
+- Request asks agent to push SDF project, execute deployment commands, or mutate a NetSuite account
+- User claims SuiteCloud Developer Professional is a confirmed available exam without citing the official exam page — mark status UNVERIFIED per evidence-matrix row 1f
+- Request requires live execution of SuiteScript or SDF CLI commands

package/skills/netsuite/netsuite-suitecloud-developer-skill/references/sdf-object-reference.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Sdf Object Reference
+SDF object type reference and required XML field documentation
+Scope: SDF project structure, SuiteScript 2.x code quality and upgrade posture, custom record and field design, Suitelet and RESTlet patterns, and SuiteApp packaging. Adapts Oracle's netsuite-suitescript-upgrade skill (UPL-1.0) with Vanguard-specific release gate thresholds and CHANGELOG conventions.
+- SuiteCloud Development Framework (SDF) project structure and object XML review
+- SuiteScript 2.x (2.0 and 2.1) code pattern and quality review
+- SuiteScript 1.0/2.0 → 2.1 upgrade analysis and migration complexity scoring
+- Custom record, custom field, and custom list definition review
+- Suitelet and RESTlet script design review (authentication and entry-point patterns)
+- SuiteApp packaging, manifest configuration, and dependency declarations
+- Script deployment configuration and run-as permission review
+- UIF SPA scaffolding design (in conjunction with netsuite-uif-spa-reference upstream dependency)

package/skills/netsuite/netsuite-suiteflow-automation-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+name: netsuite-suiteflow-automation-skill
+description: "Flashlight skill for static review of SuiteFlow workflow designs in NetSuite — state machine correctness, condition logic, approval routing, action configuration, trigger alignment, and run-as role least-privilege posture. T0 static review — no live account connection required. TRIGGER when: user submits a SuiteFlow workflow definition for review, asks about workflow state machine design, condition logic coverage, approval routing configuration, workflow action correctness, trigger event alignment, or run-as role permissions for a workflow. Trigger phrases: SuiteFlow review, workflow state machine, approval routing workflow, workflow condition logic, workflow action review, trigger configuration workflow, workflow run-as role, SuiteFlow design. DO NOT TRIGGER when: request involves activating, enabling, or changing workflow status in any environment (escalate to netsuite-live-org-mutation-guard-agent — NEVER activate workflows live); SuiteScript code security within workflow-called scripts (use netsuite-suitescript-secure-code-review-agent); SOX approval control design (use netsuite-audit-controls-sox-agent); SDF deployment pipeline for workflows (use netsuite-sdf-devops-release-agent); or OAuth/TBA authentication setup (use netsuite-sso-oauth-tba-agent)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: platform
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite SuiteFlow Automation Skill
+## Purpose
+Validates SuiteFlow workflow design exports for state machine correctness, condition logic completeness, approval routing coverage, trigger configuration alignment, and security posture including least-privilege run-as settings. Ensures workflows cannot be inadvertently activated in production without human approval through netsuite-live-org-mutation-guard-agent. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- Developer submits SuiteFlow workflow definition export for pre-deployment design review
+- Implementation team needs approval routing workflow validated for completeness and bypass-condition audit
+- CoE architect needs workflow state machine reviewed for reachability and orphaned-state risks
+- Compliance team needs workflow run-as role posture reviewed against least-privilege requirements before go-live
+## Recommended Workflow
+1. Step 1 — Collect sanitized inputs: request workflow definition export, run-as role permission export, record type and trigger event, SuiteScript action references, and approval routing requirements
+2. Step 2 — State machine analysis: identify all states and transitions; check for unreachable states, missing terminal states, and orphaned states
+3. Step 3 — Condition logic review: validate AND/OR tree completeness, field-type alignment, and null/empty value handling in all transition conditions
+4. Step 4 — Action configuration review: verify field update action targets, email notification templates, SuiteScript action parameter alignment, and subrecord creation risks
+5. Step 5 — Approval routing audit: validate approver role assignments, delegate chains, escalation timers, rejection-path handling, and approval bypass conditions; escalate SOX-impacting bypasses
+6. Step 6 — Trigger and run-as review: confirm trigger event matches workflow intent; validate run-as role is not Administrator and has minimum required permissions; check 2FA designation
+7. Step 7 — Emit findings report: rated Critical / High / Medium / Low with [FACT] / [INFERENCE] / [ASSUMPTION] labels; include explicit note that any live activation must go through netsuite-live-org-mutation-guard-agent
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No live NetSuite connection — all inputs are sanitized workflow definition exports
+- No credentials, tokens, consumer keys, or client secrets in submitted inputs
+- Never activate, enable, or advise on activating workflows in any environment — always escalate to netsuite-live-org-mutation-guard-agent
+- Workflow run-as role is never Administrator
+- Approval bypass conditions are flagged and rated; SOX-impacting bypasses are escalated to netsuite-audit-controls-sox-agent
+- SuiteScript actions within workflows are flagged for security review by netsuite-suitescript-secure-code-review-agent
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request to activate, enable, deploy, test-in-production, or change the status of any workflow in any NetSuite environment — NEVER comply; immediately escalate to netsuite-live-org-mutation-guard-agent
+- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used as a workflow run-as role — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of AI Specialist or AI Professional certifications as available — those are COMING SOON; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — works exclusively from sanitized workflow definition exports; never requests or accepts credentials, tokens, consumer keys, client secrets, or any authentication material. Does not connect to, activate, enable, or mutate any workflow or any other configuration in any NetSuite environment. NEVER activates workflows live under any circumstances — all live workflow activation must be escalated to netsuite-live-org-mutation-guard-agent with a named human decision owner. Workflow run-as role recommendations explicitly exclude the Administrator role.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle NetSuite Application Developer Professional exam URL and SuiteFlow documentation URLs verified in evidence-matrix
+- [safety-checklist.md](references/safety-checklist.md) — Pre-submission sanitization checklist for workflow definition exports and run-as role permission exports
+- [least-privilege.md](references/least-privilege.md) — Custom role construction guidance for SuiteFlow reviewer posture derived from Accountant standard role
+- [release-drift.md](references/release-drift.md) — NetSuite release cadence notes for SuiteFlow engine changes and workflow action updates
+- [suiteflow-state-machine-guide.md](references/suiteflow-state-machine-guide.md) — State machine correctness patterns for SuiteFlow — reachability, terminal states, and transition condition coverage

package/skills/netsuite/netsuite-suiteflow-automation-skill/metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "id": "netsuite-suiteflow-automation-skill",
+  "name": "NetSuite SuiteFlow Automation Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Flashlight skill for static review of SuiteFlow workflow designs in NetSuite — state machine correctness, condition logic, approval routing, action configuration, trigger alignment, and run-as role least-privilege posture. T0 static review — no live account connection required. TRIGGER when: user su",
+  "source_type": "original",
+  "category": "platform",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://education.oracle.com/oracle-netsuite-application-developer-professional/pexam_N16304GC10",
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html"
+  ],
+  "security_notes": "Static review only — works exclusively from sanitized workflow definition exports; never requests or accepts credentials, tokens, consumer keys, client secrets, or any authentication material. Does not connect to, activate, enable, or mutate any workflow or any other configuration in any NetSuite environment. NEVER activates workflows live under any circumstances — all live workflow activation must be escalated to netsuite-live-org-mutation-guard-agent with a named human decision owner. Workflow run-as role recommendations explicitly exclude the Administrator role.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-suiteflow-automation-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-suiteflow-automation-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,65 @@
+# Least-privilege NetSuite posture for NetSuite SuiteFlow Automation Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite SuiteFlow Reviewer (custom)
+- **Copy from standard role:** Accountant (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Workflow (SuiteFlow), Basic Customization, Core Administration
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Workflow** (View) — Read workflow definition records and state/transition configuration without edit rights
+- **Script Deployments** (View) — Inspect SuiteScript action deployment references embedded in workflow steps
+- **Lists** (View) — Review record type and field definitions accessed by workflow conditions and actions
+- **Setup** (View) — Inspect workflow-related feature flags and run-as role configuration
+- **Transactions** (View) — Review transaction record types on which workflows operate, for trigger alignment validation
+## Forbidden
+- Administrator role
+- Workflow at Edit or Full level
+- Ability to activate or enable workflows
+- Access Token Management permission
+- OAuth 2.0 Authorized Applications Management permission
+- View Unencrypted Credit Cards
+- View Unencrypted ACH Account Numbers
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request to activate, enable, deploy, test-in-production, or change the status of any workflow in any NetSuite environment — NEVER comply; immediately escalate to netsuite-live-org-mutation-guard-agent
+- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used as a workflow run-as role — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of AI Specialist or AI Professional certifications as available — those are COMING SOON; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-suiteflow-automation-skill` — NetSuite SuiteFlow Automation Skill

package/skills/netsuite/netsuite-suiteflow-automation-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official Sources
+Oracle NetSuite Application Developer Professional exam URL and SuiteFlow documentation URLs verified in evidence-matrix
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://education.oracle.com/oracle-netsuite-application-developer-professional/pexam_N16304GC10
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html

package/skills/netsuite/netsuite-suiteflow-automation-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+NetSuite release cadence notes for SuiteFlow engine changes and workflow action updates
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-suiteflow-automation-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Pre-submission sanitization checklist for workflow definition exports and run-as role permission exports
+- No live NetSuite connection — all inputs are sanitized workflow definition exports
+- No credentials, tokens, consumer keys, or client secrets in submitted inputs
+- Never activate, enable, or advise on activating workflows in any environment — always escalate to netsuite-live-org-mutation-guard-agent
+- Workflow run-as role is never Administrator
+- Approval bypass conditions are flagged and rated; SOX-impacting bypasses are escalated to netsuite-audit-controls-sox-agent
+- SuiteScript actions within workflows are flagged for security review by netsuite-suitescript-secure-code-review-agent
+## Refusal triggers
+- Request to activate, enable, deploy, test-in-production, or change the status of any workflow in any NetSuite environment — NEVER comply; immediately escalate to netsuite-live-org-mutation-guard-agent
+- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used as a workflow run-as role — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of AI Specialist or AI Professional certifications as available — those are COMING SOON; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)

package/skills/netsuite/netsuite-suiteflow-automation-skill/references/suiteflow-state-machine-guide.md ADDED Viewed

@@ -0,0 +1,13 @@
+# Suiteflow State Machine Guide
+State machine correctness patterns for SuiteFlow — reachability, terminal states, and transition condition coverage
+Scope: Validates SuiteFlow workflow design exports for state machine correctness, condition logic completeness, approval routing coverage, trigger configuration alignment, and security posture including least-privilege run-as settings. Ensures workflows cannot be inadvertently activated in production without human approval through netsuite-live-org-mutation-guard-agent.
+- State machine design review — state reachability analysis, terminal state coverage, orphaned state detection, transition condition completeness
+- Condition logic review — AND/OR tree correctness, field-type mismatch risks, null and empty value handling in workflow conditions
+- Action configuration review — field update action correctness, email notification template assignments, SuiteScript action parameter mapping, subrecord creation risks
+- Approval routing design — approver role assignments, delegate chain configuration, escalation timer coverage, rejection-path handling, approval bypass condition audit
+- Trigger configuration review — record type alignment, trigger event (before-submit, after-submit, scheduled, button click) appropriateness, schedule parameter validation
+- Run-as role least-privilege posture — workflow run-as role permission scope, 2FA designation requirements, prohibition on Administrator run-as
+- SuiteScript action integration review — parameter passing from workflow context to script, script entry-point alignment with workflow trigger type

package/skills/netsuite/netsuite-suitefoundation-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,83 @@
+---
+name: netsuite-suitefoundation-skill
+description: "Flashlight skill for reviewing NetSuite platform foundation configurations aligned to the SuiteFoundation Specialist certification (N16300GC10). T0 static review — no live account connection required. TRIGGER when: user asks to review record form layouts, saved search criteria or results columns, dashboard portlet configuration, custom field definitions, custom list or segment setup, subsidiary hierarchy, or basic role and permission baselines in NetSuite. Trigger phrases: review my saved search, check my record form, audit our custom fields, validate subsidiary setup, review role permissions, inspect dashboard configuration, SuiteFoundation review. DO NOT TRIGGER when: request involves SuiteScript code analysis (use netsuite-application-developer-agent), OAuth or TBA authentication setup (use netsuite-sso-oauth-tba-agent), financial close controls or posting periods (use netsuite-financial-foundations-agent), SDF project deployment pipeline (use netsuite-sdf-devops-release-agent), or any live account mutation is required."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: platform
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite SuiteFoundation Skill
+## Purpose
+Validates SuiteFoundation-level configurations and design decisions covering the foundational platform layer that all Consultant & Administrator track certifications require as a prerequisite. Identifies gaps that would block an implementation team from advancing to Administrator or ERP Consultant domains. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User submits record form, saved search, or dashboard configuration for review
+- Implementation team needs a SuiteFoundation-aligned audit of basic platform setup
+- CoE architect needs to validate foundational role/permission baselines before going live
+- Fortune-50 enterprise needs evidence artifacts showing basic NetSuite configuration is compliant
+## Recommended Workflow
+1. Step 1 — Collect sanitized inputs: request record form XML or screenshots, saved search definition exports, role permission summaries, and subsidiary hierarchy diagram
+2. Step 2 — Validate record forms: check required fields, sublists, preferred form defaults, and field-level show/hide logic for completeness and naming consistency
+3. Step 3 — Audit saved searches: evaluate criteria correctness, results column selection, PII exposure risk in public searches, and scheduling configuration
+4. Step 4 — Review role baselines: confirm custom roles are derived from standard roles, 2FA designation is set where required, and no role holds Administrator-level permissions
+5. Step 5 — Assess subsidiary and custom field setup: validate intercompany preferences, base currency, segment assignments, and field type / validation correctness
+6. Step 6 — Emit findings report: rated Critical / High / Medium / Low with [FACT] / [INFERENCE] / [ASSUMPTION] labels and safe-next-actions for each finding
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No live NetSuite connection — all inputs are sanitized configuration excerpts
+- No credentials, tokens, or consumer keys in submitted inputs
+- Role recommendations never include the Administrator role
+- 2FA designation verified for any role with sensitive financial or access-management permissions
+- Public saved searches checked for PII field exposure before approving
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
+- Request involves mutating, deploying, or activating any NetSuite configuration in a live or production account
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used for integration or review purposes — refuse and cite least-privilege principle (evidence-matrix row 7a, 7b)
+- Request to assert status of the AI Specialist or AI Professional certifications as available — those are coming soon; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — works exclusively from sanitized configuration excerpts provided by the user; never requests or accepts credentials, tokens, session IDs, consumer keys, or any authentication material. Does not connect to, query, or mutate any NetSuite account in any environment. Role recommendations explicitly exclude the Administrator role; custom roles are always derived from standard roles with View-only permissions. 2FA designation requirements are surfaced for any role holding sensitive financial or access-management permissions.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle NetSuite certification and platform help URLs verified in evidence-matrix
+- [safety-checklist.md](references/safety-checklist.md) — Pre-submission sanitization checklist for configuration exports
+- [least-privilege.md](references/least-privilege.md) — Custom role construction guidance derived from standard roles
+- [release-drift.md](references/release-drift.md) — SuiteFoundation topics affected by NetSuite release cadence (form defaults, saved search engine updates)
+- [suitefoundation-domain-map.md](references/suitefoundation-domain-map.md) — Mapping of SuiteFoundation exam domains to configuration review areas

package/skills/netsuite/netsuite-suitefoundation-skill/metadata.json ADDED Viewed

@@ -0,0 +1,35 @@
+{
+  "id": "netsuite-suitefoundation-skill",
+  "name": "NetSuite SuiteFoundation Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Flashlight skill for reviewing NetSuite platform foundation configurations aligned to the SuiteFoundation Specialist certification (N16300GC10). T0 static review — no live account connection required. TRIGGER when: user asks to review record form layouts, saved search criteria or results columns, da",
+  "source_type": "original",
+  "category": "platform",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://education.oracle.com/oracle-netsuite-suitefoundation-specialist/pexam_N16300GC10",
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html"
+  ],
+  "security_notes": "Static review only — works exclusively from sanitized configuration excerpts provided by the user; never requests or accepts credentials, tokens, session IDs, consumer keys, or any authentication material. Does not connect to, query, or mutate any NetSuite account in any environment. Role recommendations explicitly exclude the Administrator role; custom roles are always derived from standard roles with View-only permissions. 2FA designation requirements are surfaced for any role holding sensitive financial or access-management permissions.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-suitefoundation-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}