NetSuite SuiteFlow Automation Skill
Purpose
Validates SuiteFlow workflow design exports for state machine correctness, condition logic completeness, approval routing coverage, trigger configuration alignment, and security posture, including least-privilege run-as role settings. Ensures workflows cannot be inadvertently activated in production: any activation request is routed to netsuite-live-org-mutation-guard-agent for human approval. T0 static review only; no NetSuite account connection is required, and the output is a draft for human review.
When This Skill Owns the Task
- Developer submits SuiteFlow workflow definition export for pre-deployment design review
- Implementation team needs approval routing workflow validated for completeness and bypass-condition audit
- CoE architect needs workflow state machine reviewed for reachability and orphaned-state risks
- Compliance team needs workflow run-as role posture reviewed against least-privilege requirements before go-live
Recommended Workflow
- Step 1 — Collect sanitized inputs: request workflow definition export, run-as role permission export, record type and trigger event, SuiteScript action references, and approval routing requirements
- Step 2 — State machine analysis: identify all states and transitions; check for unreachable states, missing terminal states, and orphaned states
- Step 3 — Condition logic review: validate AND/OR tree completeness, field-type alignment, and null/empty value handling in all transition conditions
- Step 4 — Action configuration review: verify field update action targets, email notification templates, SuiteScript action parameter alignment, and subrecord creation risks
- Step 5 — Approval routing audit: validate approver role assignments, delegate chains, escalation timers, rejection-path handling, and approval bypass conditions; escalate SOX-impacting bypasses
- Step 6 — Trigger and run-as review: confirm the trigger event (record type plus create/edit/view/scheduled context) matches the workflow intent; validate that the run-as role is not Administrator and carries only the permissions the workflow's actions actually need; check whether the role is designated as requiring 2FA
- Step 7 — Emit findings report: rated Critical / High / Medium / Low with [FACT] / [INFERENCE] / [ASSUMPTION] labels; include explicit note that any live activation must go through netsuite-live-org-mutation-guard-agent
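The checks in Steps 2, 3, 5 and 6 can be run mechanically before a reviewer reads the export. The script below is an added example and not part of this skill or of NetSuite's tooling; the dict shape it reads is an assumed, simplified model of a workflow export (states, transitions with an event and a condition leaf, a run-as role) rather than the real SuiteFlow or SDF schema, and the sample workflow and field-type table are constructed so the script runs offline. It walks the state graph from the initial state to find unreachable, orphaned and terminal states, flags transitions that enter an approval state without an explicit approve action as bypass candidates, checks condition leaves for unknown fields and numeric operators on non-numeric fields, and rates an Administrator run-as role as Critical.

```python
"""Offline static checks over a SuiteFlow-style workflow definition (added example)."""
from collections import deque

# Constructed sample. Assumed shape, not NetSuite's export format: each transition
# has a source, a target, the event that fires it ("on") and an optional condition
# leaf {"field", "op", "value"}. Deliberately contains the defects a review should catch.
WORKFLOW = {
    "name": "Purchase Order Approval",
    "record_type": "purchaseorder",
    "run_as_role": "Administrator",          # weak on purpose; must be flagged
    "initial_state": "Pending Approval",
    "states": ["Pending Approval", "Approved", "Rejected", "Escalated", "Legacy Review"],
    "approval_states": ["Approved"],
    "transitions": [
        {"from": "Pending Approval", "to": "Approved", "on": "button:approve", "condition": None},
        {"from": "Pending Approval", "to": "Rejected", "on": "button:reject", "condition": None},
        # auto-approval on entry: bypasses the human approver for small totals
        {"from": "Pending Approval", "to": "Approved", "on": "entry",
         "condition": {"field": "total", "op": "<", "value": 5000}},
        # escalation timer referencing a field that is not on the record
        {"from": "Pending Approval", "to": "Escalated", "on": "timer",
         "condition": {"field": "days_pending", "op": ">", "value": 3}},
        {"from": "Escalated", "to": "Pending Approval", "on": "button:reassign", "condition": None},
        # numeric comparison against a free-text field
        {"from": "Escalated", "to": "Rejected", "on": "entry",
         "condition": {"field": "memo", "op": ">", "value": 0}},
    ],
}
# Constructed field-type table for the record (assumed, not a NetSuite metadata export).
FIELD_TYPES = {"total": "currency", "memo": "text", "approver": "select"}
NUMERIC_TYPES = {"integer", "float", "currency"}
NUMERIC_OPS = {"<", "<=", ">", ">="}


def reachable_states(wf):
    """Breadth-first walk over transitions starting at the initial state."""
    seen = {wf["initial_state"]}
    queue = deque(seen)
    while queue:
        state = queue.popleft()
        for t in wf["transitions"]:
            if t["from"] == state and t["to"] not in seen:
                seen.add(t["to"])
                queue.append(t["to"])
    return seen


def unreachable_states(wf):
    return sorted(set(wf["states"]) - reachable_states(wf))


def orphaned_states(wf):
    """States no transition enters (the initial state is entered by activation)."""
    targets = {t["to"] for t in wf["transitions"]}
    return sorted(s for s in wf["states"] if s not in targets and s != wf["initial_state"])


def terminal_states(wf):
    """States with no outgoing transition; a workflow with none can never finish."""
    sources = {t["from"] for t in wf["transitions"]}
    return sorted(s for s in wf["states"] if s not in sources)


def approval_bypasses(wf):
    """Transitions into an approval state that are not driven by an approve action."""
    return [t for t in wf["transitions"]
            if t["to"] in wf["approval_states"] and t["on"] != "button:approve"]


def condition_issues(wf, field_types):
    """Unknown fields and numeric operators applied to non-numeric fields."""
    issues = []
    for t in wf["transitions"]:
        cond = t["condition"]
        if not cond:
            continue
        ftype = field_types.get(cond["field"])
        if ftype is None:
            issues.append((t["from"], t["to"], f"unknown field {cond['field']!r}"))
        elif cond["op"] in NUMERIC_OPS and ftype not in NUMERIC_TYPES:
            issues.append((t["from"], t["to"], f"{cond['op']} on {ftype} field {cond['field']!r}"))
    return issues


def review(wf, field_types):
    """Findings as (severity, evidence label, message) tuples for the draft report."""
    findings = []
    if wf["run_as_role"] == "Administrator":
        findings.append(("Critical", "[FACT]", "run-as role is Administrator; use a least-privilege custom role"))
    for t in approval_bypasses(wf):
        findings.append(("High", "[FACT]", f"approval bypass: {t['from']} -> {t['to']} on {t['on']}"))
    for src, dst, why in condition_issues(wf, field_types):
        findings.append(("Medium", "[FACT]", f"condition {src} -> {dst}: {why}"))
    for s in unreachable_states(wf):
        findings.append(("Low", "[FACT]", f"unreachable state {s!r}"))
    if not terminal_states(wf):
        findings.append(("High", "[FACT]", "no terminal state; workflow can never complete"))
    return findings


if __name__ == "__main__":
    for severity, label, msg in review(WORKFLOW, FIELD_TYPES):
        print(f"{severity:8} {label} {msg}")
    print("Draft only: activation goes through netsuite-live-org-mutation-guard-agent.")
```

The bypass check is intentionally coarse: it treats anything other than an explicit approve action as a bypass candidate and leaves the SOX impact rating to the reviewer, since a conditional auto-approval below a threshold may be an accepted control or a gap depending on the approval matrix the implementation team supplies.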
Evidence Hierarchy
LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED
Safety Checklist
- No live NetSuite connection — all inputs are sanitized workflow definition exports
- No credentials, tokens, consumer keys, or client secrets in submitted inputs
- Never activate, enable, or advise on activating workflows in any environment — always escalate to netsuite-live-org-mutation-guard-agent
- Workflow run-as role is never Administrator
- Approval bypass conditions are flagged and rated; SOX-impacting bypasses are escalated to netsuite-audit-controls-sox-agent
- SuiteScript actions within workflows are flagged for security review by netsuite-suitescript-secure-code-review-agent
Rules — Hard-Stop Constraints
- Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
- Never request or accept credentials, tokens, or secrets.
- Never depend on the Administrator role; recommend least-privilege custom roles and state whether the recommended role is designated as requiring 2FA.
- Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
- Never claim a Coming-Soon certification is available.
Refusal Triggers
- Request to activate, enable, deploy, test-in-production, or change the status of any workflow in any NetSuite environment — NEVER comply; immediately escalate to netsuite-live-org-mutation-guard-agent
- Input contains credentials, tokens, consumer keys, client secrets, or any authentication material — stop and instruct sanitization
- Request asks the agent to log in, connect, or authenticate to any NetSuite environment
- Claim that the Administrator role should be used as a workflow run-as role — refuse and cite least-privilege principle (evidence-matrix rows 7a, 7b)
- Request to assert status of AI Specialist or AI Professional certifications as available — those are COMING SOON; only AI Foundations Associate (N16765GC10) is available (evidence-matrix row 1b)
T0 Contract
No account connection, no OAuth, no secrets. Output is draft review text for a human owner.
Security Notes
Static review only — works exclusively from sanitized workflow definition exports; never requests or accepts credentials, tokens, consumer keys, client secrets, or any other authentication material. Does not connect to, activate, enable, or mutate any workflow or other configuration in any NetSuite environment. Any live workflow activation is escalated to netsuite-live-org-mutation-guard-agent with a named human decision owner. Run-as role recommendations explicitly exclude the Administrator role.
Reference File Index
- official-sources.md — Oracle NetSuite Application Developer Professional exam URL and SuiteFlow documentation URLs verified in evidence-matrix
- safety-checklist.md — Pre-submission sanitization checklist for workflow definition exports and run-as role permission exports
- least-privilege.md — Custom role construction guidance for SuiteFlow reviewer posture derived from Accountant standard role
- release-drift.md — NetSuite release cadence notes for SuiteFlow engine changes and workflow action updates
- suiteflow-state-machine-guide.md — State machine correctness patterns for SuiteFlow — reachability, terminal states, and transition condition coverage