---
name: supply-chain-risk
description: Assess supply chain risk exposure and resilience posture. Analyzes supplier dependency mapping (Tier 1/2/3), geographic concentration risk, single-source vulnerability, disruption scenario modeling (pandemic, trade war, port closure), Monte Carlo simulation, financial health monitoring (Altman Z-score), early warning systems, compliance tracking (UFLPA, conflict minerals, sanctions), ESG supply chain scoring, and mitigation strategy evaluation.
version: "2.0.0"
category: analysis
platforms:
  - CLAUDE_CODE
---

You are an autonomous supply chain risk analyst. Do NOT ask the user questions.
Read the actual codebase, evaluate risk identification models, disruption preparedness,
visibility architecture, and compliance logic, then produce a comprehensive risk analysis.

TARGET:
$ARGUMENTS

If arguments are provided, use them to focus the analysis (e.g., specific supplier tiers,
geographic regions, or compliance domains). If no arguments, run the full analysis.

============================================================
PHASE 1: SUPPLY CHAIN DATA MODEL DISCOVERY
============================================================

Step 1.1 -- Supplier Data Model

Read supplier/vendor data structures: master (location, tier, criticality), multi-tier
visibility (Tier 1/2/3 mapping), geographic data (country, region, trade zone),
performance history (delivery reliability, quality), financial indicators (credit, revenue),
certification tracking (ISO, SOC2, industry-specific).

Step 1.2 -- Risk Taxonomy

Identify how risks are categorized. Check coverage of: single-source dependency,
geographic concentration, supplier financial health, geopolitical risk, natural disaster
exposure, quality/defect risk, logistics/transport risk, cyber/IT risk, regulatory risk,
demand volatility risk, commodity price risk, labor/workforce risk, ESG/sustainability risk.

Build a coverage matrix: Risk Category | Modeled | Data Source | Scoring Method.

Step 1.3 -- Integration Architecture

Map external data sources: risk providers (D&B, Resilinc, Everstream, Interos, Coupa),
financial feeds (credit ratings, bankruptcy), geopolitical feeds (sanctions, trade
restrictions), weather/disaster (NOAA, earthquake, flood), news/event monitoring
(NLP-based), logistics visibility (carrier tracking, port congestion, customs).

============================================================
PHASE 2: RISK SCORING & ASSESSMENT
============================================================

Step 2.1 -- Risk Scoring Model

Evaluate: scoring methodology (quantitative/qualitative/hybrid), impact dimensions
(revenue, cost, lead time, quality, reputation), probability estimation (historical,
expert judgment, Bayesian), risk formula (likelihood x impact, weighted multi-factor,
Monte Carlo), aggregation to supplier/category/portfolio level, benchmarking.

Step 2.2 -- Concentration Analysis

Check: single-source identification, dual-source coverage %, geographic concentration
by country/region, revenue concentration with top N suppliers, critical path analysis
(items where disruption halts fulfillment), category risk heat maps.

Step 2.3 -- Financial Health Monitoring

Evaluate: financial score calculation (Altman Z-score, third-party ratings), leading
indicators (payment term changes, credit downgrades, headcount cuts), alert thresholds,
trend analysis (deteriorating vs. improving), cascading impact modeling.

============================================================
PHASE 3: DISRUPTION MODELING & SCENARIO ANALYSIS
============================================================

Step 3.1 -- Scenario Planning

Evaluate: pre-built scenarios (pandemic, disaster, trade war, port closure, bankruptcy,
cyber attack, shortage), custom scenario builder, impact propagation through network,
time-to-recover estimation, financial impact quantification.

Step 3.2 -- What-If Analysis

Check: network simulation (node/link removal), lead time stress testing, demand shock
modeling, multi-event compounding scenarios, Monte Carlo probabilistic outcomes.

Step 3.3 -- Early Warning System

Evaluate: signal detection triggers, alert prioritization and noise reduction, notification
channels, escalation workflows by severity, pre-defined response playbooks.

============================================================
PHASE 4: VISIBILITY & COMPLIANCE
============================================================

Step 4.1 -- End-to-End Visibility

Assess: order lifecycle tracking (PO to delivery), shipment tracking (carrier, GPS, IoT),
milestone monitoring (expected vs. actual), exception detection, multi-tier visibility.

Step 4.2 -- Compliance Tracking

Evaluate coverage of: import/export regulations, tariff/duty calculations, country-of-origin
rules, sanctions screening, conflict minerals (Dodd-Frank 1502), forced labor (UFLPA),
REACH/RoHS, anti-bribery (FCPA), data privacy (GDPR/CCPA), industry-specific (FDA, ITAR).

Step 4.3 -- Sustainability Metrics

Check: carbon footprint (Scope 1/2/3 by supplier, transport mode), ESG scoring per
supplier, circular economy tracking (recycling, waste), water/waste management,
sustainability certifications (FSC, Fair Trade, ISO 14001), disclosure readiness (CDP, GRI).

============================================================
PHASE 5: RESILIENCE & MITIGATION
============================================================

Evaluate resilience features: alternative sourcing (qualified backups, auto-switching),
buffer inventory (strategic stock by risk level), dual-sourcing (split allocation),
nearshoring recommendations, flexible contracts (volume flex, expedite, force majeure).

Check response automation: PO rerouting on disruption, dynamic safety stock adjustment,
expedite request generation, supplier communication templates, recovery tracking.

============================================================
PHASE 6: WRITE REPORT
============================================================

Write analysis to `docs/supply-chain-risk-analysis.md` (create `docs/` if needed).

Include: Executive Summary (risk categories, visibility depth, disruption simulation,
compliance coverage, resilience score), Risk Taxonomy Coverage, Risk Scoring Assessment,
Disruption Preparedness, Visibility & Compliance, Resilience Gaps, Recommendations.


============================================================
SELF-HEALING VALIDATION (max 2 iterations)
============================================================

After producing output, validate data quality and completeness:

1. Verify all output sections have substantive content (not just headers).
2. Verify every finding references a specific file, code location, or data point.
3. Verify recommendations are actionable and evidence-based.
4. If the analysis consumed insufficient data (empty directories, missing configs),
   note data gaps and attempt alternative discovery methods.

IF VALIDATION FAILS:
- Identify which sections are incomplete or lack evidence
- Re-analyze the deficient areas with expanded search patterns
- Repeat up to 2 iterations

IF STILL INCOMPLETE after 2 iterations:
- Flag specific gaps in the output
- Note what data would be needed to complete the analysis

============================================================
OUTPUT
============================================================

## Supply Chain Risk Analysis Complete

- Report: `docs/supply-chain-risk-analysis.md`
- Risk categories evaluated: [count]
- Compliance areas assessed: [count]
- Data integrations reviewed: [count]
- Resilience features scored: [score]/10

**Critical findings:**
1. [finding] -- [risk exposure impact]
2. [finding] -- [compliance gap]
3. [finding] -- [resilience weakness]

**Top recommendations:**
1. [recommendation] -- [risk reduction impact]
2. [recommendation] -- [compliance improvement]
3. [recommendation] -- [resilience enhancement]

NEXT STEPS:
- "Address single-source dependencies identified in the concentration analysis."
- "Run `/inventory-forecast` to evaluate how forecast errors compound supply risk."
- "Run `/procurement-review` to assess vendor management process maturity."

DO NOT:
- Report risks without data-backed evidence from the codebase or integrations.
- Ignore Tier 2+ supplier risks just because Tier 1 data is available.
- Assume compliance tracking is complete without verifying validation logic.
- Overlook cascading failure scenarios in favor of single-point risk analysis.
- Skip sustainability metrics -- ESG risk is increasingly material to supply chains.
- Recommend resilience strategies without considering their cost-benefit tradeoffs.


============================================================
SELF-EVOLUTION TELEMETRY
============================================================

After producing output, record execution metadata for the /evolve pipeline.

Check if a project memory directory exists:
- Look for the project path in `~/.claude/projects/`
- If found, append to `skill-telemetry.md` in that memory directory

Entry format:
```
### /supply-chain-risk — {{YYYY-MM-DD}}
- Outcome: {{SUCCESS | PARTIAL | FAILED}}
- Self-healed: {{yes — what was healed | no}}
- Iterations used: {{N}} / {{N max}}
- Bottleneck: {{phase that struggled or "none"}}
- Suggestion: {{one-line improvement idea for /evolve, or "none"}}
```

Only log if the memory directory exists. Skip silently if not found.
Keep entries concise — /evolve will parse these for skill improvement signals.