npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.9.0 → 2.10.0 - Mend

@raishin/vanguard-frontier-agentic 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

package/skills/netsuite/netsuite-suitefoundation-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,63 @@
+# Least-privilege NetSuite posture for NetSuite SuiteFoundation Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite SuiteFoundation Reviewer (custom)
+- **Copy from standard role:** Accountant (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** Core Administration, Basic Customization, Saved Searches, Custom Fields and Lists
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **Lists** (View) — Read saved searches, custom lists, and segment definitions
+- **Transactions** (View) — Inspect transaction form layouts and default settings
+- **Reports** (View) — Review saved search scheduling and dashboard portlets
+- **Setup** (View) — Inspect subsidiary hierarchy, base currency, and custom field definitions
+- **Custom Record Types** (View) — Review custom record form and sublist configuration
+## Forbidden
+- Administrator role
+- Full permissions to any module
+- Edit or Create level on any live record type
+- Access Token Management permission
+- OAuth 2.0 Authorized Applications Management permission
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
+- Request involves mutating, deploying, or activating any NetSuite configuration in a live or production account
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used for integration or review purposes — refuse and cite least-privilege principle (evidence-matrix row 7a, 7b)
+- Request to assert status of the AI Specialist or AI Professional certifications as available — those are coming soon; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-suitefoundation-skill` — NetSuite SuiteFoundation Skill

package/skills/netsuite/netsuite-suitefoundation-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Official Sources
+Oracle NetSuite certification and platform help URLs verified in evidence-matrix
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://education.oracle.com/oracle-netsuite-suitefoundation-specialist/pexam_N16300GC10
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html

package/skills/netsuite/netsuite-suitefoundation-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+SuiteFoundation topics affected by NetSuite release cadence (form defaults, saved search engine updates)
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-suitefoundation-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Safety Checklist
+Pre-submission sanitization checklist for configuration exports
+- No live NetSuite connection — all inputs are sanitized configuration excerpts
+- No credentials, tokens, or consumer keys in submitted inputs
+- Role recommendations never include the Administrator role
+- 2FA designation verified for any role with sensitive financial or access-management permissions
+- Public saved searches checked for PII field exposure before approving
+## Refusal triggers
+- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
+- Request involves mutating, deploying, or activating any NetSuite configuration in a live or production account
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role should be used for integration or review purposes — refuse and cite least-privilege principle (evidence-matrix row 7a, 7b)
+- Request to assert status of the AI Specialist or AI Professional certifications as available — those are coming soon; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)

package/skills/netsuite/netsuite-suitefoundation-skill/references/suitefoundation-domain-map.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Suitefoundation Domain Map
+Mapping of SuiteFoundation exam domains to configuration review areas
+Scope: Validates SuiteFoundation-level configurations and design decisions covering the foundational platform layer that all Consultant & Administrator track certifications require as a prerequisite. Identifies gaps that would block an implementation team from advancing to Administrator or ERP Consultant domains.
+- Record type configuration review — standard and custom record form layouts, sublists, and field-level settings
+- Transaction form design — header fields, line-item columns, printing templates, preferred form defaults
+- Saved search construction — criteria, results columns, summary types, scheduling, public/private sharing posture
+- Dashboard portlet and KPI configuration — layout, drill-down links, refresh settings, access controls
+- List and segment management — custom lists, custom segments, record-level segment assignment rules
+- Basic custom field review — field type, source list, validation, show/hide scripting, search/report enablement
+- Native role and permission baseline review — standard role derivation, access level settings, two-factor authentication designation
+- Multi-subsidiary structure review — parent/child hierarchy, inter-company preferences, base currency assignment

package/skills/netsuite/netsuite-suitescript-secure-code-review-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,86 @@
+---
+name: netsuite-suitescript-secure-code-review-skill
+description: "Flashlight skill for static security review of SuiteScript 2.x code against OWASP Top 10 (2021) pitfall patterns (OSCP-001 through OSCP-048), extended with Vanguard severity taxonomy mapping and CI pipeline gate recommendations. Adapted from Oracle netsuite-owasp-secure-coding (UPL-1.0). T0 static review — no live account connection required. TRIGGER when: user submits SuiteScript 2.x code for security review, asks about SuiteQL injection prevention, output encoding in Suitelets or RESTlets, CSRF in SuiteScript, file upload security, RESTlet hardening, DOM XSS in client scripts, postMessage origin validation, or AI prompt-injection in SuiteScript. Trigger phrases: SuiteScript security review, OWASP SuiteScript, SuiteQL injection, XSS in Suitelet, RESTlet hardening, CSRF token SuiteScript, file upload SuiteScript, OSCP vulnerability, secure coding SuiteScript. DO NOT TRIGGER when: request is for SuiteScript 1.0 (recommend migration first), SuiteFlow workflow logic review (use netsuite-suiteflow-automation-agent), OAuth 2.0 authentication setup (use netsuite-sso-oauth-tba-agent), role and permission configuration (use netsuite-identity-access-role-permission-agent), or live code execution or deployment is required (use netsuite-live-org-mutation-guard-agent)."
+license: UPL-1.0
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: security
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite SuiteScript Secure Code Review Skill
+## Purpose
+Reviews SuiteScript 2.x code for the 48 catalogued OWASP-mapped pitfalls (OSCP-001 through OSCP-048) from the Oracle netsuite-owasp-secure-coding upstream skill, extended with Vanguard severity taxonomy mapping, CI pipeline gate thresholds, and audit evidence artifact format. Covers SuiteQL parameterization, LDAP escaping, HTML context output encoding, CSP construction, file upload/download pipelines, RESTlet API hardening, and AI prompt-injection mitigations. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- Developer submits SuiteScript 2.x code for pre-deployment security review
+- CI pipeline gate triggers security scan on a pull request containing SuiteScript changes
+- Security team needs OWASP-mapped findings report for a SuiteScript codebase audit
+- Compliance team needs audit evidence artifacts for a SuiteScript change-management workflow
+## Recommended Workflow
+1. Step 1 — Collect sanitized inputs: request SuiteScript 2.x source files (no credentials), script type declaration, external input surface list, and custom module paths
+2. Step 2 — Injection surface mapping: identify all points where external input enters SuiteQL queries, LDAP calls, or dynamic string construction; map to OSCP injection pitfall IDs
+3. Step 3 — Output encoding review: check all Suitelet and RESTlet response construction for correct HTML context encoding across body, attribute, JavaScript, CSS, and URL contexts
+4. Step 4 — CSP and CSRF review: verify Content-Security-Policy header presence in RESTlet/Suitelet responses; verify CSRF token presence in state-changing operations
+5. Step 5 — File and API hardening: review file upload MIME validation, path traversal controls, RESTlet authentication enforcement, and error response sanitization
+6. Step 6 — Client-side and AI safety: check for DOM XSS patterns (innerHTML, document.write), postMessage origin validation gaps, and AI prompt-injection mitigations
+7. Step 7 — Emit findings report: each finding maps to an OSCP pitfall ID (or [VANGUARD-EXTENDED]), rated Critical / High / Medium / Low with CI gate recommendation (block / warn / allow) and remediation guidance
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No live NetSuite connection — all inputs are sanitized source code files
+- No hardcoded credentials, API keys, consumer keys, or OAuth secrets in submitted code — refuse and instruct sanitization if found
+- Administrator role is never recommended as a script run-as or deployment role
+- Every finding maps to an OSCP pitfall ID or is explicitly labeled [VANGUARD-EXTENDED]
+- CI gate recommendation (block / warn / allow) accompanies every finding
+- AI prompt-injection risks are flagged separately and escalated to netsuite-ai-foundations-agent
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Submitted code contains hardcoded credentials, API keys, consumer keys, OAuth client secrets, or passwords — stop and instruct sanitization before resubmitting
+- Request involves executing, deploying, or activating any SuiteScript in a live or production account — route to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role is an appropriate run-as or deployment role for SuiteScript — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of AI Specialist or AI Professional certifications as available — those are COMING SOON; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — works exclusively from sanitized SuiteScript source code; never requests or accepts credentials, tokens, consumer keys, client secrets, or any authentication material embedded in code. Does not execute, deploy, or connect to any NetSuite account. Refuses code submissions containing hardcoded secrets. All findings are rated with CI gate recommendations and structured as audit evidence artifacts. Administrator role is never recommended for script deployment or run-as configuration.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Oracle netsuite-owasp-secure-coding upstream skill URL and NetSuite developer documentation URLs verified in evidence-matrix
+- [safety-checklist.md](references/safety-checklist.md) — Pre-submission sanitization checklist for SuiteScript code files
+- [least-privilege.md](references/least-privilege.md) — Custom role construction guidance for SuiteScript security reviewer posture derived from Developer standard role
+- [release-drift.md](references/release-drift.md) — NetSuite release cadence notes for SuiteScript API changes and OWASP catalog updates
+- [oscp-vanguard-severity-map.md](references/oscp-vanguard-severity-map.md) — Mapping of OSCP-001 through OSCP-048 pitfall IDs to Vanguard severity taxonomy and CI gate recommendations

package/skills/netsuite/netsuite-suitescript-secure-code-review-skill/metadata.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "id": "netsuite-suitescript-secure-code-review-skill",
+  "name": "NetSuite SuiteScript Secure Code Review Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Flashlight skill for static security review of SuiteScript 2.x code against OWASP Top 10 (2021) pitfall patterns (OSCP-001 through OSCP-048), extended with Vanguard severity taxonomy mapping and CI pipeline gate recommendations. Adapted from Oracle netsuite-owasp-secure-coding (UPL-1.0). T0 static r",
+  "source_type": "adapted",
+  "category": "security",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://education.oracle.com/oracle-netsuite-application-developer-professional/pexam_N16304GC10",
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html"
+  ],
+  "security_notes": "Static review only — works exclusively from sanitized SuiteScript source code; never requests or accepts credentials, tokens, consumer keys, client secrets, or any authentication material embedded in code. Does not execute, deploy, or connect to any NetSuite account. Refuses code submissions containing hardcoded secrets. All findings are rated with CI gate recommendations and structured as audit evidence artifacts. Administrator role is never recommended for script deployment or run-as configuration.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-suitescript-secure-code-review-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "source_attribution": "Adapted from oracle/netsuite-suitecloud-sdk packages/agent-skills/netsuite-owasp-secure-coding (Universal Permissive License UPL-1.0; Copyright (c) 2019, 2023 Oracle and/or its affiliates). Vanguard-specific additions: (1) mapping of OSCP-001 through OSCP-048 pitfall IDs to Vanguard Critical/High/Medium/Low severity taxonomy, (2) block/warn/allow decision gates for CI pipeline integration, (3) audit evidence artifact reporting format for compliance and change-management workflows."
+}

package/skills/netsuite/netsuite-suitescript-secure-code-review-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,65 @@
+# Least-privilege NetSuite posture for NetSuite SuiteScript Secure Code Review Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite SuiteScript Security Reviewer (custom)
+- **Copy from standard role:** Developer (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** SuiteScript, SuiteCloud Development Framework, Custom Records
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **SuiteScript** (View) — Read script records and deployments for static analysis without execution rights
+- **Script Deployments** (View) — Inspect script deployment configurations and run-as role assignments
+- **Custom Record Types** (View) — Review custom record field definitions accessed by scripts under review
+- **Lists** (View) — Inspect custom module paths and script library references
+- **Setup** (View) — Review feature flags (Server SuiteScript, OAuth 2.0) that affect script execution context
+## Forbidden
+- Administrator role
+- Full permissions to SuiteScript or any module
+- Access Token Management permission
+- OAuth 2.0 Authorized Applications Management permission
+- Edit or Create level on any script deployment record
+- View Unencrypted Credit Cards
+- View Unencrypted ACH Account Numbers
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Submitted code contains hardcoded credentials, API keys, consumer keys, OAuth client secrets, or passwords — stop and instruct sanitization before resubmitting
+- Request involves executing, deploying, or activating any SuiteScript in a live or production account — route to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role is an appropriate run-as or deployment role for SuiteScript — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of AI Specialist or AI Professional certifications as available — those are COMING SOON; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-suitescript-secure-code-review-skill` — NetSuite SuiteScript Secure Code Review Skill

package/skills/netsuite/netsuite-suitescript-secure-code-review-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official Sources
+Oracle netsuite-owasp-secure-coding upstream skill URL and NetSuite developer documentation URLs verified in evidence-matrix
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://education.oracle.com/oracle-netsuite-application-developer-professional/pexam_N16304GC10
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N285436.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N295396.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1532968056.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_1515446005.html

package/skills/netsuite/netsuite-suitescript-secure-code-review-skill/references/oscp-vanguard-severity-map.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Oscp Vanguard Severity Map
+Mapping of OSCP-001 through OSCP-048 pitfall IDs to Vanguard severity taxonomy and CI gate recommendations
+Scope: Reviews SuiteScript 2.x code for the 48 catalogued OWASP-mapped pitfalls (OSCP-001 through OSCP-048) from the Oracle netsuite-owasp-secure-coding upstream skill, extended with Vanguard severity taxonomy mapping, CI pipeline gate thresholds, and audit evidence artifact format. Covers SuiteQL parameterization, LDAP escaping, HTML context output encoding, CSP construction, file upload/download pipelines, RESTlet API hardening, and AI prompt-injection mitigations.
+- SuiteQL injection review — parameterized query usage, dynamic string concatenation in N/query or N/search calls, ROWNUM limit enforcement, NVL wrapping for null safety
+- Output encoding for five HTML contexts — HTML body, HTML attribute, JavaScript, CSS, and URL encoding correctness in SuiteScript Suitelet and RESTlet responses
+- CSP construction review — Content-Security-Policy header presence and policy strength in RESTlet and Suitelet responses
+- File upload and download pipeline security — MIME type validation, path traversal prevention, size limits, server-side validation in file cabinet operations
+- RESTlet API hardening — authentication enforcement, input validation, error response sanitization, rate-limiting awareness
+- CSRF prevention — token presence and validation in state-changing SuiteScript operations
+- DOM XSS and postMessage origin validation — client-side SuiteScript patterns using document.write, innerHTML, or postMessage without origin checks
+- AI prompt-injection mitigations — SuiteScript code that passes user-controlled input to AI APIs without sanitization or boundary enforcement

package/skills/netsuite/netsuite-suitescript-secure-code-review-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+NetSuite release cadence notes for SuiteScript API changes and OWASP catalog updates
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-suitescript-secure-code-review-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Safety Checklist
+Pre-submission sanitization checklist for SuiteScript code files
+- No live NetSuite connection — all inputs are sanitized source code files
+- No hardcoded credentials, API keys, consumer keys, or OAuth secrets in submitted code — refuse and instruct sanitization if found
+- Administrator role is never recommended as a script run-as or deployment role
+- Every finding maps to an OSCP pitfall ID or is explicitly labeled [VANGUARD-EXTENDED]
+- CI gate recommendation (block / warn / allow) accompanies every finding
+- AI prompt-injection risks are flagged separately and escalated to netsuite-ai-foundations-agent
+## Refusal triggers
+- Submitted code contains hardcoded credentials, API keys, consumer keys, OAuth client secrets, or passwords — stop and instruct sanitization before resubmitting
+- Request involves executing, deploying, or activating any SuiteScript in a live or production account — route to netsuite-live-org-mutation-guard-agent
+- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
+- Claim that the Administrator role is an appropriate run-as or deployment role for SuiteScript — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
+- Request to assert status of AI Specialist or AI Professional certifications as available — those are COMING SOON; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)

package/skills/netsuite/netsuite-web-services-integration-skill/SKILL.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+name: netsuite-web-services-integration-skill
+description: "Static-review flashlight for NetSuite SuiteTalk REST/SOAP API design, integration record configuration, and OAuth 2.0 authentication posture. Reviews REST record endpoints, RESTlet definitions, integration record settings, and authentication method selection against Oracle's documented posture. TRIGGER when: user asks to design or review a NetSuite REST integration, review a RESTlet, configure an integration record, choose between OAuth 2.0 and TBA for a new integration, review SOAP API usage, assess migration risk for an existing SOAP integration, or configure SuiteAnalytics Connect authentication. Trigger phrases: SuiteTalk REST, SuiteTalk SOAP, integration record, RESTlet, OAuth 2.0 NetSuite, REST API design NetSuite, SOAP migration risk. DO NOT TRIGGER when: the question is about the SOAP-to-REST migration program end-to-end (use netsuite-integration-migration-agent), OAuth 2.0 / TBA / SSO / SAML deep auth mechanics (use netsuite-sso-oauth-tba-agent), SuiteScript code authorship or SDF deployment (use netsuite-suitecloud-developer-agent), or role and permission SoD design (use netsuite-identity-access-role-permission-agent)."
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-06-09"
+  category: platform
+  lifecycle: experimental
+  execution_tier: static-review
+  mcp_servers: []
+  oauth_scopes: []
+  run_as_permissions:
+    required: []
+    denied: []
+---
+# NetSuite Web Services Integration Skill
+## Purpose
+SuiteTalk REST/SOAP API design and integration record configuration review. Flags SOAP usage as migration risk, validates OAuth 2.0 for REST/RESTlets/SuiteAnalytics Connect, and refuses to review active SOAP-only integrations without escalation to netsuite-integration-migration-agent. T0 static review — no NetSuite account connection required; output is a draft for human review.
+## When This Skill Owns the Task
+- User needs to design or review a new NetSuite REST web services integration
+- User is reviewing an existing SOAP integration and needs migration risk assessment
+- User needs to configure OAuth 2.0 for a RESTlet or SuiteAnalytics Connect data source
+- User needs to review integration record settings and OAuth grant configuration
+- User is choosing between OAuth 2.0 and TBA for a new or existing integration
+## Recommended Workflow
+1. Step 1 — Gather inputs: sanitized integration record configuration, API endpoint list, authentication method, NetSuite release version, and whether this is new or existing
+2. Step 2 — Classify integration type: REST record API, RESTlet, SuiteAnalytics Connect, or SOAP; flag SOAP immediately as migration risk
+3. Step 3 — Review authentication posture: confirm OAuth 2.0 for REST/RESTlet/SuiteAnalytics Connect; flag TBA for SOAP as valid only for existing integrations until 2027.1; refuse user credentials for RESTlets (deprecated 2021) and SOAP 2020.2+
+4. Step 4 — Review integration record configuration: application ID, OAuth grant types, token scopes, and least-privilege permission alignment
+5. Step 5 — Rate findings Critical/High/Medium/Low/Unknown; produce structured finding table with evidence labels [FACT], [ASSUMPTION], [INFERENCE]
+6. Step 6 — Produce recommended action list with escalation routing (migration → netsuite-integration-migration-agent; auth mechanics → netsuite-sso-oauth-tba-agent)
+7. Step 7 — Emit T0 static review output: no live API calls, no org credentials, human review required before any configuration change
+## Evidence Hierarchy
+LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
+## Safety Checklist
+- No credentials, tokens, or secrets present in inputs — refuse and instruct user to redact if found
+- SOAP usage flagged as migration risk with confirmed timeline cited (2026.1 / 2027.1 / 2028.2)
+- OAuth 2.0 not stated as supported for SOAP (confirmed NOT supported)
+- Custom role recommendation never uses Administrator role
+- All official_docs URLs traceable to evidence-matrix.md
+## Rules — Hard-Stop Constraints
+- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
+- Never request or accept credentials, tokens, or secrets.
+- Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
+- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
+- Never claim a Coming-Soon certification is available.
+## Refusal Triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to fire live API calls or mutate a NetSuite account
+- User claims Web Services Developer Professional is a confirmed available exam without citing the official exam page — mark status UNVERIFIED per evidence-matrix row 1f
+- Request requires evaluating SOAP integration as a long-term strategy without flagging migration risk
+## T0 Contract
+No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
+## Security Notes
+Static review only — never calls NetSuite APIs, never requests or stores credentials, tokens, client secrets, or org IDs. Works exclusively from sanitized configuration excerpts. SOAP usage is flagged as a migration risk citing the confirmed sunset timeline. OAuth 2.0 is confirmed NOT supported for SOAP; only for REST, RESTlets, and SuiteAnalytics Connect. Never recommends the Administrator role. Custom reviewer role requires 2FA when permissions include Access Token Management or OAuth 2.0 Authorized Applications Management.
+## Reference File Index
+- [official-sources.md](references/official-sources.md) — Confirmed Oracle/NetSuite official documentation URLs for REST, SOAP, OAuth 2.0, and TBA
+- [safety-checklist.md](references/safety-checklist.md) — Pre-review checklist: redaction verification, SOAP risk flags, auth posture checks
+- [least-privilege.md](references/least-privilege.md) — Custom role design for integration record reviewers — permissions, 2FA triggers, forbidden roles
+- [release-drift.md](references/release-drift.md) — SOAP sunset timeline: 2026.1 REST+OAuth2 default, 2027.1 new SOAP blocked, 2028.2 all endpoints disabled
+- [auth-posture-matrix.md](references/auth-posture-matrix.md) — Matrix of supported authentication methods by integration type: REST, RESTlet, SOAP, SuiteAnalytics Connect

package/skills/netsuite/netsuite-web-services-integration-skill/metadata.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "id": "netsuite-web-services-integration-skill",
+  "name": "NetSuite Web Services Integration Skill",
+  "type": "skill",
+  "provider": "netsuite",
+  "harnesses": [
+    "claude-code",
+    "codex",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Static-review flashlight for NetSuite SuiteTalk REST/SOAP API design, integration record configuration, and OAuth 2.0 authentication posture. Reviews REST record endpoints, RESTlet definitions, integration record settings, and authentication method selection against Oracle's documented posture. TRIG",
+  "source_type": "original",
+  "category": "platform",
+  "execution_tier": "static-review",
+  "oauth_scopes": [],
+  "mcp_servers": [],
+  "run_as_permissions": {},
+  "sandbox_only": false,
+  "production_allowed": true,
+  "official_docs": [
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157780312610.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_158263562006.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_1011040638.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4381113277.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html",
+    "https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N3445710.html",
+    "https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml"
+  ],
+  "security_notes": "Static review only — never calls NetSuite APIs, never requests or stores credentials, tokens, client secrets, or org IDs. Works exclusively from sanitized configuration excerpts. SOAP usage is flagged as a migration risk citing the confirmed sunset timeline. OAuth 2.0 is confirmed NOT supported for SOAP; only for REST, RESTlets, and SuiteAnalytics Connect. Never recommends the Administrator role. Custom reviewer role requires 2FA when permissions include Access Token Management or OAuth 2.0 Authorized Applications Management.",
+  "last_verified": "2026-06-09",
+  "path": "skills/netsuite/netsuite-web-services-integration-skill",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/netsuite/netsuite-web-services-integration-skill/references/auth-posture-matrix.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Auth Posture Matrix
+Matrix of supported authentication methods by integration type: REST, RESTlet, SOAP, SuiteAnalytics Connect
+Scope: SuiteTalk REST/SOAP API design and integration record configuration review. Flags SOAP usage as migration risk, validates OAuth 2.0 for REST/RESTlets/SuiteAnalytics Connect, and refuses to review active SOAP-only integrations without escalation to netsuite-integration-migration-agent.
+- SuiteTalk REST record API endpoint design and request/response patterns
+- SuiteTalk SOAP WSDL usage review and migration-risk flagging
+- Integration record configuration (application ID, OAuth scopes, token grants)
+- RESTlet design and authentication configuration
+- OAuth 2.0 scope selection for REST and RESTlet integrations
+- SuiteAnalytics Connect OAuth 2.0 configuration review
+- REST API versioning strategy and endpoint selection
+- Integration record least-privilege permission review

package/skills/netsuite/netsuite-web-services-integration-skill/references/least-privilege.md ADDED Viewed

@@ -0,0 +1,61 @@
+# Least-privilege NetSuite posture for NetSuite Web Services Integration Agent
+## Execution tier
+**T0 — Static Review**
+Rationale: `execution_tier: "static-review"` declared in `metadata.json`. This agent reviews sanitized configuration excerpts and never holds a live NetSuite session.
+## Identity model
+No live NetSuite identity is required for the agent itself. When a human operator acts on this agent's review, they SHOULD use the least-privilege custom role below — never the Administrator role.
+## Recommended custom role
+- **Custom role name:** NetSuite Web Services Integration Reviewer (custom)
+- **Copy from standard role:** Integration Manager (or closest available standard role with web services access) (NetSuite guidance: start from a copy of a standard role, then remove unneeded permissions).
+- **Modules in scope:** REST Web Services, SOAP Web Services, OAuth 2.0, Token-Based Authentication
+- **Two-Factor Authentication required:** Yes
+### Minimal permissions
+- **REST Web Services** (View) — Required to review REST integration record configurations
+- **SOAP Web Services** (View) — Required to review SOAP configuration for migration-risk assessment
+- **Integration Record** (View) — Required to inspect integration record settings and OAuth grant configuration
+- **Log in using OAuth 2.0 Access Tokens** (View) — Required to review OAuth 2.0 token grant configuration
+- **Access Token Management** (View) — Required to review TBA token records — triggers mandatory 2FA per evidence-matrix row 5c
+## Forbidden
+- Administrator role
+- Full permission roles
+- Any role with Create/Edit/Full on Integration Record or Token Management
+## Blast-radius bound
+Even if fully compromised, this agent cannot mutate a NetSuite account: it has no live session, no API tokens, and no SDF deploy rights. It can only produce review text.
+## Refusal triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to fire live API calls or mutate a NetSuite account
+- User claims Web Services Developer Professional is a confirmed available exam without citing the official exam page — mark status UNVERIFIED per evidence-matrix row 1f
+- Request requires evaluating SOAP integration as a long-term strategy without flagging migration risk
+## Escalation path
+Route all live-account changes to `netsuite-live-org-mutation-guard-agent` with a named human decision owner and a structured case capsule.
+## Role creation steps
+1. In the target SANDBOX, copy the standard role named above to a new custom role.
+2. Remove every permission not listed under Minimal permissions.
+3. Add only the listed permissions at the stated access level.
+4. Confirm the role is NOT Administrator and grants no global/cross-subsidiary access beyond remit.
+5. Enable 2FA enforcement if the role touches privileged permissions.
+6. Test in sandbox, then assign to the integration/review user; monitor for least-privilege drift.
+## Companion skill
+`netsuite-web-services-integration-skill` — NetSuite Web Services Integration Skill

package/skills/netsuite/netsuite-web-services-integration-skill/references/official-sources.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Official Sources
+Confirmed Oracle/NetSuite official documentation URLs for REST, SOAP, OAuth 2.0, and TBA
+Verified 2026-06-09 against official Oracle/NetSuite documentation:
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_2104046421.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_157780312610.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_158263562006.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/article_1011040638.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4381113277.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_4247329078.html
+- https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_N3445710.html
+- https://www.netsuite.com/portal/services/training/suite-training/netsuite-certification.shtml

package/skills/netsuite/netsuite-web-services-integration-skill/references/release-drift.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Release Drift
+SOAP sunset timeline: 2026.1 REST+OAuth2 default, 2027.1 new SOAP blocked, 2028.2 all endpoints disabled
+NetSuite releases biannually. Content verified 2026-06-09.
+Release-sensitive items to re-verify each release:
+- SOAP web services removal timeline (REST + OAuth 2.0 recommended for new integrations from 2026.1; new SOAP integrations blocked at 2027.1).
+- Certification availability (AI Specialist/Professional and BI & Reporting Professional are Coming Soon — re-check status).
+- AI Connector / MCP permission names and role restrictions.

package/skills/netsuite/netsuite-web-services-integration-skill/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Safety Checklist
+Pre-review checklist: redaction verification, SOAP risk flags, auth posture checks
+- No credentials, tokens, or secrets present in inputs — refuse and instruct user to redact if found
+- SOAP usage flagged as migration risk with confirmed timeline cited (2026.1 / 2027.1 / 2028.2)
+- OAuth 2.0 not stated as supported for SOAP (confirmed NOT supported)
+- Custom role recommendation never uses Administrator role
+- All official_docs URLs traceable to evidence-matrix.md
+## Refusal triggers
+- Request includes credentials, tokens, secrets, client secrets, or API keys — refuse and instruct user to redact
+- Request asks agent to use the Administrator role or roles with full permissions
+- Request asks agent to fire live API calls or mutate a NetSuite account
+- User claims Web Services Developer Professional is a confirmed available exam without citing the official exam page — mark status UNVERIFIED per evidence-matrix row 1f
+- Request requires evaluating SOAP integration as a long-term strategy without flagging migration risk