# Vendor Onboarding & Approval — UAPF Level 4 Process Package

> **HeliosGroup** · Procurement Operations · Process-as-Code

## Overview

This repository contains a fully executable, AI-governed **Level-4 UAPF process package** for the end-to-end Vendor Onboarding & Approval workflow at HeliosGroup. The process covers everything from initial vendor submission through sanctions screening, financial risk scoring, legal review, and IT provisioning — with AI agents orchestrating compliance checks at every gate.

## Process Summary

| Stage | Owner | AI Role |
|---|---|---|
| Vendor Submission | Procurement Officer | Form validation & completeness check |
| Sanctions & Compliance Screening | AI Compliance Agent | Real-time OFAC/EU sanctions lookup |
| Financial Risk Scoring | Finance & Tax | DMN-driven risk tier assignment |
| Legal Review | Legal & Contracts | AI-assisted contract clause review |
| IT Provisioning | IT Systems | Automated account & access setup |
| Approval & Activation | Procurement Officer | Final sign-off with audit trail |

## Repository Structure

```
vendor-onboarding-l4/
├── uapf.yaml                          # UAPF L4 package manifest
├── enterprise/
│   └── enterprise.yaml                # Enterprise index reference
├── bpmn/
│   └── vendor-onboarding.bpmn.xml     # Main process (5 swim lanes)
├── dmn/
│   └── vendor-risk-scoring.dmn.xml    # Risk tier decision table
├── cmmn/
│   └── sanctions-exception.cmmn.xml   # Sanctions escalation case
├── resources/
│   └── mappings.yaml                  # System & agent bindings
├── metadata/
│   ├── lifecycle.yaml
│   └── ownership.yaml
├── processgit.mcp.yaml                # MCP server configuration
└── agent.chat.yaml                    # AI chat assistant configuration
```

## Key Features

- **AI-first design** — Sanctions screening, risk scoring, and contract review are all AI-executed tasks
- **Sanctions exception handling** — Dedicated CMMN case manages the full escalation path when a vendor matches a watchlist
- **DMN risk scoring** — Vendor risk tier is computed from country risk, financial health, and ownership structure
- **MCP-accessible** — All process data is queryable by AI agents via the built-in MCP server
- **Full audit trail** — Every decision is version-controlled and replayable

## Quick Start (Chat Assistant)

This repository includes an AI chat assistant. Click the **Chat** icon in the file tree to ask questions like:

- *"What should I do if the onboarding organization is under sanctions?"*
- *"Describe the full vendor onboarding process"*
- *"What documents are required for a Tier 1 high-risk vendor?"*
- *"Who approves vendors from high-risk jurisdictions?"*

## Standards & Compliance

- UAPF v1.0 compliant (Level 4 — executable process)
- BPMN 2.0 · DMN 1.3 · CMMN 1.1
- OFAC / EU Consolidated Sanctions List screening
- GDPR-aware data handling (vendor PII minimized)
- EU AI Act Art. 9 risk management documentation

---

*Powered by [ProcessGit](https://processgit.org) — Git for Processes*