2nd/10_Wiki/Topics/AI_and_ML/Supply-Chain.md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
10_Wiki/Topics large-scale cleanup:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link name normalization: ~2,400 fixes (broken links repaired, redirects linked directly, concept mappings)
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-supply-chain
title: Supply Chain
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [SCM, Supply Chain Management, 공급망]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [supply-chain, logistics, security, sbom, ai-optimization]
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: python
  framework: ortools
---

Supply Chain

One line

Supply chain: "the end-to-end network, the flow from raw material to end customer". The two axes of the 2026 supply chain: AI-driven optimization (demand forecast, route, inventory) and security (SBOM, defense against supply chain attacks). Since the SolarWinds and xz-utils incidents, the software supply chain has been a first-class security concern.

Core

The 5 components

  • Plan: demand forecast, capacity planning, S&OP.
  • Source: supplier selection, contract, procurement.
  • Make: production, quality, scheduling.
  • Deliver: warehousing, transportation, last-mile.
  • Return: reverse logistics, recycling, RMA.

AI application areas

  • Demand forecasting: Transformer-based time series models (TimesFM, Chronos); LSTM is being retired.
  • Route optimization: OR-Tools VRP + RL hybrid.
  • Inventory: (s,S) policy + safety stock dynamic adjustment.
  • Anomaly detection: shipment delay prediction, fraud.
  • Supplier risk: graph neural network on supplier dependency graph.

Software supply chain security

  • SBOM (Software Bill of Materials): SPDX, CycloneDX format.
  • Sigstore: keyless signing, transparency log.
  • SLSA (Supply-chain Levels for Software Artifacts): level 1-4 framework.
  • Attack surface: dependency confusion, typosquatting, malicious maintainer.

Applications

  1. E-commerce: Amazon FBA — AI demand forecast → DC pre-positioning.
  2. Manufacturing: the AI evolution of Toyota JIT: predictive lead time.
  3. Software security: GitHub Dependabot + Sigstore + SLSA Level 3.

💻 Patterns

1. Demand forecast (Chronos)

```python
from chronos import BaseChronosPipeline
import torch
import pandas as pd

# Chronos-Bolt models emit quantiles directly, so load them through
# BaseChronosPipeline and call predict_quantiles instead of the
# sample-based ChronosPipeline.predict(num_samples=...).
pipe = BaseChronosPipeline.from_pretrained(
    "amazon/chronos-bolt-base", torch_dtype=torch.bfloat16
)

# historical daily sales; the last 365 days form the context window
ts = pd.read_csv("sales.csv")["units"].to_numpy(dtype="float32")
context = torch.tensor(ts[-365:])

# quantiles has shape [1, prediction_length, len(quantile_levels)]
quantiles, mean = pipe.predict_quantiles(
    context=context, prediction_length=30, quantile_levels=[0.5, 0.9]
)
median = quantiles[0, :, 0]  # 30-day median forecast
p90 = quantiles[0, :, 1]     # safety stock upper bound
```

2. VRP (Vehicle Routing Problem)

```python
from ortools.constraint_solver import pywrapcp, routing_enums_pb2


def solve_vrp(distance_matrix, num_vehicles, depot):
    """Return one route per vehicle (node ids, depot first and last), or None.

    distance_matrix must contain integers: OR-Tools transit callbacks return int.
    """
    manager = pywrapcp.RoutingIndexManager(
        len(distance_matrix), num_vehicles, depot
    )
    routing = pywrapcp.RoutingModel(manager)

    def dist_cb(i, j):
        # solver indices -> matrix node ids
        return distance_matrix[manager.IndexToNode(i)][manager.IndexToNode(j)]

    transit_idx = routing.RegisterTransitCallback(dist_cb)
    routing.SetArcCostEvaluatorOfAllVehicles(transit_idx)

    params = pywrapcp.DefaultRoutingSearchParameters()
    params.first_solution_strategy = routing_enums_pb2.FirstSolutionStrategy.PATH_CHEAPEST_ARC
    solution = routing.SolveWithParameters(params)
    if solution is None:  # infeasible or no solution found within limits
        return None

    routes = []
    for v in range(num_vehicles):
        idx, route = routing.Start(v), []
        while not routing.IsEnd(idx):
            route.append(manager.IndexToNode(idx))
            idx = solution.Value(routing.NextVar(idx))
        route.append(manager.IndexToNode(idx))  # back at the depot
        routes.append(route)
    return routes
```

3. (s,S) inventory policy

```python
import numpy as np


def reorder(stock, s, S, demand_forecast, lead_time_days):
    """Order quantity under an (s, S) policy with a dynamic reorder point.

    s = static reorder point (used as a floor), S = order-up-to level,
    demand_forecast = array of forecast daily demand (e.g. Chronos output).
    """
    demand_forecast = np.asarray(demand_forecast, dtype=float)
    expected_demand_during_lead = demand_forecast.mean() * lead_time_days
    # z = 1.65 gives a ~95% cycle service level; std scales with sqrt(lead time)
    safety = 1.65 * demand_forecast.std() * np.sqrt(lead_time_days)
    s_dynamic = max(s, expected_demand_during_lead + safety)
    if stock <= s_dynamic:
        return S - stock
    return 0
```

4. SBOM generation (CycloneDX)

```bash
# Python project (cyclonedx-bom >= 4: the subcommand picks the source,
# --of the output format)
pip install cyclonedx-bom
cyclonedx-py environment --of JSON -o sbom.json

# Node project
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Container image
syft scan docker:myimage:latest -o cyclonedx-json=sbom.json
```

5. Sigstore keyless signing

```bash
# Sign artifact (uses OIDC identity, no long-lived keys): the certificate is
# short-lived and the signature is recorded in the Rekor transparency log
cosign sign-blob --yes ./release.tar.gz \
  --output-signature release.sig \
  --output-certificate release.crt

# Verify: identity and issuer must match the OIDC identity that signed;
# cosign v2 requires both flags so only the expected signer's cert passes
cosign verify-blob ./release.tar.gz \
  --signature release.sig \
  --certificate release.crt \
  --certificate-identity user@example.com \
  --certificate-oidc-issuer https://github.com/login/oauth
```

6. SLSA provenance (GitHub Actions)

```yaml
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      digests: ${{ steps.hash.outputs.digests }}
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh  # produces release.tar.gz
      - id: hash  # base64-encoded sha256sum output, the subject format the generator expects
        run: echo "digests=$(sha256sum release.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
  provenance:
    needs: [build]
    permissions:
      actions: read    # read the workflow path
      id-token: write  # keyless signing of the provenance
      contents: write  # upload the provenance to the release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.digests }}
```

7. Supplier risk GNN

```python
import torch
from torch_geometric.nn import GraphSAGE

# nodes = suppliers, edges = dependency (tier-1 -> tier-2 direction)
model = GraphSAGE(in_channels=16, hidden_channels=64,
                  num_layers=3, out_channels=2)  # 2 classes: low / high risk

# constructed toy graph: 5 suppliers with 16 features each; node 0 is the tier-1 supplier
node_features = torch.randn(5, 16)
edge_index = torch.tensor([[0, 0, 1, 1],
                           [1, 2, 3, 4]])  # 0->1, 0->2, 1->3, 1->4

# message passing: tier-1 supplier risk propagates to tier-2 over num_layers hops
logits = model(node_features, edge_index)   # shape [5, 2]
risk_scores = logits.softmax(dim=-1)[:, 1]  # P(high risk) per supplier
# scores are only meaningful after training on labelled supplier incidents
```

Decision criteria

| Situation | Approach |
|---|---|
| Demand forecast (long horizon) | Chronos / TimesFM |
| Route opt (small, hard) | OR-Tools exact |
| Route opt (large, soft) | RL + heuristic |
| SBOM | CycloneDX (broader) or SPDX |
| Signing | Sigstore (keyless, modern) |

Default: Chronos forecast + OR-Tools VRP + CycloneDX SBOM + Sigstore.

🔗 Graph

🤖 LLM usage

When: explaining demand patterns, root-cause analysis of anomalies, vulnerability summaries of an SBOM. When not: real-time route decisions (latency), exact optimization (the cost of LLM hallucination).

Anti-patterns

  • Inventory without a forecast: a rough-cut estimate of lead time × demand leads to a cycle of stockouts.
  • Generating the SBOM after the build: reproducibility is lost. Generate it at build time.
  • Long-lived signing keys: a leak is catastrophic. Use Sigstore keyless signing.
  • Pinning dependencies without a lockfile: a supply-chain attack vector. Use a lockfile plus hash checking.
  • Monitoring only tier-1 suppliers: ignores cascade failures. Multi-tier visibility.
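As an added example (not code from the original wiki page), a Python check that ties the CycloneDX SBOM of pattern 4 to the lockfile-plus-hash anti-pattern above: it parses a hash-pinned requirements file and a CycloneDX JSON SBOM, both constructed sample data, and reports components that are unpinned, drifted in version, or whose recorded SHA-256 does not match the pin.

```python
import json
import re

# Constructed sample inputs (not a real project's artifacts): a hash-pinned requirements
# lockfile (pip's backslash continuations included) and a minimal CycloneDX JSON SBOM.
LOCKFILE = """\
requests==2.32.3 \\
    --hash=sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
urllib3==2.2.2 \\
    --hash=sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""
SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "urllib3", "version": "2.2.2",
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},  # differs from the pin
        {"type": "library", "name": "leftpad", "version": "0.1.0"},  # never pinned, no hash
    ],
})
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)(.*)$")

def norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()  # PEP 503-style: Foo_Bar == foo-bar

def parse_lockfile(text):
    """Return {name: (version, {sha256, ...})} from a hash-pinned requirements file."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines first
        if m := PIN_RE.match(line.strip()):
            name, version, rest = m.groups()
            pins[norm(name)] = (version, set(re.findall(r"--hash=sha256:([0-9a-f]{64})", rest)))
    return pins

def reconcile(sbom_text, lockfile_text):
    """Flag components that are unpinned, drifted in version, or lack a matching SHA-256."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name = norm(comp["name"])
        sha = {h["content"].lower() for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"}
        if name not in pins:
            findings.append((name, "not in lockfile"))  # unreviewed dependency reached the build
        elif comp.get("version") != pins[name][0]:
            findings.append((name, f"version drift {comp.get('version')} != {pins[name][0]}"))
        elif not sha:
            findings.append((name, "no SHA-256 in SBOM"))  # cannot prove what was installed
        elif not sha & pins[name][1]:
            findings.append((name, "hash mismatch"))  # artifact differs from what was reviewed
    return findings
```

Run it as a CI gate on the SBOM produced at build time: any finding means the built artifact contains something the reviewed lockfile did not authorize.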

🧪 Verification / duplicates

  • Verified (CSCMP definitions, NIST SSDF SP800-218, SLSA spec v1.0).
  • Trust level A.

🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — supply chain (logistics + software security) full canonical |