refactor: simplify mapping schema and add guidance generation to /onboard #108

Merged: jwm4 merged 11 commits into ambient-code:main from angaduom:simplify-mapping-and-onboard on Apr 17, 2026

Conversation

@vmrh21 vmrh21 commented Apr 15, 2026

Summary

Simplified component-repository-mappings.json

The old schema had deeply nested objects with lots of prose-only fields that the workflow never actually read. The new schema is flat and focused on what the workflow needs:

Before:

{
  "ComponentName": {
    "container_to_repo_mapping": { "container": "repo" },
    "repositories": {
      "org/repo": {
        "github_url": "...", "default_branch": "main",
        "active_release_branches": [...], "branch_strategy": "...",
        "repo_type": "upstream", "subcomponent": "...",
        "cve_fix_workflow": { "primary_target": "...", "backport_targets": "..." },
        "build_location": "..."
      }
    }
  }
}

After:

{
  "ComponentName": {
    "repos": [
      {
        "url": "https://github.com/org/repo",
        "type": "upstream|midstream|downstream",
        "default_branch": "main",
        "active_branches": ["rhoai-3.4"],
        "containers": ["rhoai/odh-container-rhel9"],
        "subcomponent": "optional"
      }
    ]
  }
}

Removed fields: branch_strategy, cve_fix_workflow, protected_branches, repository_type, monorepo_packages — none of these were read by the workflow commands.

Containers now live on the repo that builds them instead of a separate top-level mapping.

File size: ~30KB → ~20KB.

/onboard now generates .cve-fix/examples.md

Added Step 5 to the onboard command: after collecting repo info, it analyzes recent CVE-related merged PRs in each repo and generates a .cve-fix/examples.md file covering:

  • Title and branch naming conventions
  • Files that change together
  • Co-upgrade patterns
  • PR description requirements
  • Don'ts (from rejected/closed PRs)

The guidance file is included in the same onboarding PR alongside the mapping update. Repos with <3 CVE PRs get a placeholder noting they should run /guidance.update after more CVE fixes accumulate.

Test plan

  • Run /cve.find llm-d — verify it reads new schema correctly
  • Run /cve.fix — verify it reads repos[].containers and repos[].active_branches
  • Run /onboard — verify it writes new schema format and generates examples.md

🤖 Generated with Claude Code

coderabbitai Bot commented Apr 15, 2026

Warning

Rate limit exceeded

@vmrh21 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 49 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 3 minutes and 49 seconds.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: fd9584fc-7046-4efe-8c54-7e46fbb031be

📥 Commits

Reviewing files that changed from the base of the PR and between d3170e2 and 894193c.

📒 Files selected for processing (3)
  • workflows/cve-fixer/.claude/commands/cve.find.md
  • workflows/cve-fixer/.claude/commands/cve.fix.md
  • workflows/cve-fixer/.claude/commands/onboard.md

Walkthrough

Onboarding and PR automation docs were revised to request repo-specific container image names, generate per-repo .cve-fix/examples.md guidance, simplify Jira/MCP validation, and migrate repository mapping data from a component-keyed schema to a top-level repos array with normalized repo metadata.

Changes

Cohort / File(s) Summary
Onboarding command
workflows/cve-fixer/.claude/commands/onboard.md
Rewrote interactive onboarding: ask for repo-specific container image names, generate/commit per-repo .cve-fix/examples.md, consolidate outputs into one PR, simplify Jira validation to use MCP when available, and shorten interactive usage text.
Repository mappings
workflows/cve-fixer/component-repository-mappings.json
Replaced component-keyed schema and nested container_to_repo_mapping/repositories with a flattened repos array per component. Repo entries now use url, type, default_branch, active_branches, optional containers/subcomponent, and removed legacy fields. Updated metadata.last_updated.
CVE PR generation
workflows/cve-fixer/.claude/commands/cve.fix.md
Adjusted PR creation guidance and command behavior: require Jira IDs (plain or markdown-linked), set --base, generated --title/--body, add <!-- cve-fixer-workflow --> marker to PR body, and attempt PR creation first with --label "cve-fixer-automated" then retry without the label if it fails.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant OnboardScript as Onboard Script
  participant MCP
  participant GitHub as GitHub/Git
  participant RepoStore as Component Mappings

  User->>OnboardScript: provide repo URLs and repo-specific container image names
  OnboardScript->>MCP: validate Jira credentials / query MCP (if available)
  MCP-->>OnboardScript: validation result (found / 0 results / unavailable)
  OnboardScript->>RepoStore: generate updated `repos` array and `.cve-fix/examples.md` files
  OnboardScript->>GitHub: create single PR with mapping + examples
  GitHub-->>OnboardScript: try create PR with label -> if fails, retry without label
  GitHub-->>User: PR created (includes generated files and PR body marker)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main changes: schema simplification and guidance generation feature addition in the onboard command.
Description check ✅ Passed The description is well-structured, directly related to the changeset, and provides clear before/after examples of the schema changes and explains the new guidance generation feature.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workflows/cve-fixer/.claude/commands/onboard.md`:
- Line 244: Replace the hardcoded co-author line "Co-Authored-By: Claude Sonnet
4.6 (1M context) <noreply@anthropic.com>" with a version-agnostic value or
template variable (e.g., CO_AUTHOR or a templated string) so the attribution
doesn't become stale; update the onboarding artifact that emits the string in
workflows/cve-fixer/.claude/commands/onboard.md to use the generic attribution
(for example "Co-Authored-By: Claude Sonnet <noreply@anthropic.com>") or pull
the version from a parameter so future version changes don't require code edits.
- Around line 231-237: The current transformation that builds EXAMPLES_DIR from
REPO_FULL uses tr '/' '-' which can collide (e.g., org/repo-name vs
org-repo/name); change the separator logic that sets EXAMPLES_DIR (the line that
computes EXAMPLES_DIR from REPO_FULL and the use of tr '/' '-') to replace '/'
with a double-underscore (e.g., use a substitution that maps '/' -> '__' so
EXAMPLES_DIR becomes "workflows/cve-fixer/.cve-fix/$(echo \"$REPO_FULL\" |
<replace '/' with '__'>)" ), preserving the rest of the loop (mkdir -p, echo to
examples.md, git add) unchanged.

In `@workflows/cve-fixer/component-repository-mappings.json`:
- Line 7: Several repository entries in component-repository-mappings.json have
"type": "unknown", which breaks routing for the CVE fix workflow; locate each
object with "type": "unknown" and replace it with the correct canonical role
("upstream", "midstream", or "downstream") for that repository, using the repo's
role in your org (or upstream project) as the source of truth; update all
occurrences (e.g., the entry currently showing "type": "unknown") and run the
repository mapping validation step (or add a simple schema check) to ensure no
"unknown" values remain so the workflow can route fixes correctly.
- Around line 1-24: The new schema flattened repositories into
components.*.repos[], so update code and docs that reference the old
container_to_repo_mapping and repositories objects: in
workflows/cve-fixer/.claude/commands/cve.find.md replace the jq query
`$c.container_to_repo_mapping | to_entries[]` and any
`$c.repositories[.value].subcomponent` lookups with queries that iterate over
`$c.components[] .repos[]` and, for each repo, iterate its `.containers[]` to
build container→repo mappings (use `.default_branch`, `.type` or `.repo_type`
field mapping and any `.branch_strategy` now on the repo object); in
workflows/cve-fixer/.claude/commands/cve.fix.md update Step 3.1 and the example
usages that still reference `container_to_repo_mapping`/`repositories` to the
same components[].repos[] traversal; and in workflows/cve-fixer/README.md
replace schema examples and docs (instances of `container_to_repo_mapping`,
`repositories`, `branch_strategy`, `repo_type`) with the new repos array
structure and field names so the commands’ jq queries match the new schema.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: bf4991ab-1bce-4d09-a053-1a6ff42a3897

📥 Commits

Reviewing files that changed from the base of the PR and between d2ab1c9 and 81f15ce.

📒 Files selected for processing (2)
  • workflows/cve-fixer/.claude/commands/onboard.md
  • workflows/cve-fixer/component-repository-mappings.json

Comment on lines +231 to +237
for i in "${!REPO_URLS[@]}"; do
  REPO_FULL=$(echo "${REPO_URLS[$i]}" | sed 's|https://github.com/||')
  EXAMPLES_DIR="workflows/cve-fixer/.cve-fix/$(echo "$REPO_FULL" | tr '/' '-')"
  mkdir -p "$EXAMPLES_DIR"
  echo "${GENERATED_EXAMPLES[$i]}" > "${EXAMPLES_DIR}/examples.md"
  git add "${EXAMPLES_DIR}/examples.md"
done
🧹 Nitpick | 🔵 Trivial

Consider alternative separator to avoid potential directory collisions.

Using tr '/' '-' means org/repo-name becomes org-repo-name, but a theoretical repo org-repo/name would produce the same directory. While GitHub naming rules make this unlikely, using __ as separator (e.g., org__repo-name) would be unambiguous.

💡 Optional: Use double-underscore separator
-     EXAMPLES_DIR="workflows/cve-fixer/.cve-fix/$(echo "$REPO_FULL" | tr '/' '-')"
+     EXAMPLES_DIR="workflows/cve-fixer/.cve-fix/$(echo "$REPO_FULL" | sed 's|/|__|')"
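Review bot: the `sed 's|/|__|'` on the `+` line replaces only the first slash, so a REPO_FULL that still carries a trailing slash or an extra path segment (a URL pasted as `https://github.com/org/repo/` or `.../org/repo/tree/main`) would produce a nested directory under .cve-fix instead of one sanitized name; use `sed 's|/|__|g'` or bash's `${REPO_FULL//\//__}`, and strip a trailing `/` or `.git` when REPO_FULL is derived two lines above. The double underscore itself is a sound choice for GitHub names, since owner names may contain only alphanumerics and hyphens, so `org__repo` can never be read back as a different owner/repo split.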

vmrh21 and others added 6 commits April 16, 2026 13:54
component-repository-mappings.json:
- Flatten schema: components now have a 'repos' array instead of
  nested 'repositories' object + 'container_to_repo_mapping' object
- Containers move onto the repo that builds them (more logical)
- Remove prose-only fields: branch_strategy, cve_fix_workflow,
  protected_branches, repository_type, monorepo_packages
- Keep essential fields: url, type, default_branch, active_branches,
  containers, subcomponent (optional), build_location (optional)
- File size reduced from ~30KB to ~20KB

onboard.md:
- Updated to use new simplified schema when adding components
- Added Step 5: generate .cve-fix/examples.md for each repo by
  analyzing CVE PR history (titles, branches, files, co-upgrades,
  don'ts) — same approach as /guidance.generate --cve-only
- Examples file included in the onboarding PR alongside mapping update

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…/onboard

Instead of asking users to provide container image names manually,
query Jira for pscomponent: labels on existing CVE issues and extract
the container names automatically.

Each Jira CVE ticket has labels like:
  pscomponent:rhoai/odh-container-rhel9

These are collected, deduplicated, and assigned to the downstream repo
in the mapping entry. No manual input needed for containers.

If Jira is unavailable or no pscomponent: labels exist, the containers
field is omitted and can be added later.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Standalone dashboard (similar style to shepard) that tracks:
- Fix PRs opened / merged
- Unique CVEs the workflow attempted to fix
- Per-component breakdown
- Components onboarded

Scripts:
- scripts/collect-data.js: scans onboarded repos from mapping file,
  finds fix/cve-* PRs, aggregates metrics, pushes data.json to repo

Dashboard (public/index.html):
- Overview: stat cards + timeline chart + component/status charts
- Fix PRs: full table with status, CVE, component, repo, dates
- CVEs: list of unique CVEs with PR counts and component breakdown
- Components: per-component stat cards

PatternFly + Chart.js, same visual style as shepard dashboard.
No dependency on or mixing with any other dashboard.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…acking

component-repository-mappings.json:
- Apply simplified schema (repos[] instead of nested repositories/container_to_repo_mapping)
- Remove unused components (AI Core Dashboard, Model Serving, Notebooks Images,
  AI Pipelines, Notebooks Server, Training Kubeflow)
- Fix repo types: opendatahub-io=midstream, red-hat-data-services=downstream, others=upstream
- Add Observability component (14 stolostron repos with ACM containers)
  from PR ambient-code#103 converted to new simplified schema

cve.fix.md:
- Add --label cve-fixer-automated to every gh pr create call with
  graceful fallback if label doesn't exist in the target repo
- Allow both plain and linked Jira issue IDs in PR body (both are fine)
- Add note that Jira IDs are required for dashboard tracking

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@vmrh21 vmrh21 force-pushed the simplify-mapping-and-onboard branch from 10ee961 to 7a62e16 on April 16, 2026 17:54
vmrh21 and others added 2 commits April 16, 2026 13:59
…without label

If --label cve-fixer-automated fails (label doesn't exist in repo),
<!-- cve-fixer-workflow --> in the PR body acts as a reliable fallback.
The dashboard collector checks branch name, title, label, OR body marker.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Three modes:
- Mode A (fully onboarded): ask user if they want to add repos or just
  regenerate examples.md — skips mapping update if examples only
- Mode B (partially onboarded): collect new repos, merge with existing
  component entry, regenerate examples for all repos
- Mode C (new): full onboard flow as before

Detects mode by checking component-repository-mappings.json before
asking any questions.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (1)
workflows/cve-fixer/.claude/commands/cve.fix.md (1)

98-167: ⚠️ Potential issue | 🔴 Critical

Old-schema references in the same file will break under the new mapping.

This PR flattens the mapping to repos[] with fields url, type, active_branches, containers, subcomponent, but Steps 2–3 in this file still reference the removed keys:

  • Line 98: default_branch, github_url, active_release_branches
  • Line 99: Branch strategy and CVE fix workflow
  • Line 135: lookup in container_to_repo_mapping
  • Lines 140–141: repositories section / .repositories[.value].subcomponent semantics
  • Lines 156–167: reads active_release_branches into ACTIVE_RELEASE_BRANCHES
  • Lines 1487–1521 (Notes / example JSON): describes the old schema shape (container_to_repo_mapping, repositories{...}, cve_fix_workflow, repo_type).

Net effect at runtime: container_to_repo_mapping lookups always miss (falls back to "all component repos"), and active_release_branches resolves empty, so TARGET_BRANCHES collapses to just default_branch — backports across active_branches silently stop happening. This is a functional regression, not just stale docs.

Please update these sections to the new schema ($c.repos[], .type, .url, .containers[], .active_branches, .subcomponent) and refresh the example JSON in the Notes section to match component-repository-mappings.json.

#!/bin/bash
# Confirm old schema identifiers remain in cve.fix.md and related commands/docs.
rg -nP '\b(container_to_repo_mapping|active_release_branches|github_url|cve_fix_workflow|repo_type)\b' \
  workflows/cve-fixer
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/.claude/commands/cve.fix.md` around lines 98 - 167, The
document still references the old mapping schema (container_to_repo_mapping,
github_url, default_branch, active_release_branches, repositories,
cve_fix_workflow, repo_type) causing runtime mismatches; update Steps 2–3 and
all lookups to use the new flattened schema $c.repos[] and its fields (.url,
.type, .containers[], .subcomponent, .active_branches) — change the container
lookup to search each repo's .containers[], derive target branches from
.active_branches + the primary branch (e.g., .active_branches + default branch
stored on the repo entry), replace references to repositories[...].subcomponent
with repo .subcomponent logic, and refresh the example JSON/Notes to reflect the
new repos[] shape so TARGET_BRANCHES calculation and container mappings work
with the new keys.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workflows/cve-fixer/.claude/commands/cve.fix.md`:
- Around line 1246-1256: The comment is wrong and stderr is being swallowed;
change the flow to test for the label before attempting the first gh pr create
and stop redirecting stderr: use something like gh label view
"cve-fixer-automated" (or equivalent) to detect if the label exists and then
call gh pr create --base <target-branch> --title "Security: Fix CVE-YYYY-XXXXX
(<package-name>)" --body "$PR_BODY" --label "cve-fixer-automated" when present,
otherwise call gh pr create without --label; remove the 2>/dev/null so real
errors from gh (auth/network/validation) are not masked, and update the inline
note to state that --label causes gh to fail if the label is missing rather than
silently succeeding.

In `@workflows/cve-fixer/.claude/commands/onboard.md`:
- Line 324: The current line writes generated markdown with echo which can
mangle backslashes and leading hyphens; change the writing to a safe method such
as using printf '%s\n' to write "${GENERATED_EXAMPLES[$i]}" into
"${EXAMPLES_DIR}/examples.md" (or use a here-doc) so code fences, regex
backslashes and HTML comments are preserved; update the write operation that
references GENERATED_EXAMPLES and EXAMPLES_DIR in this onboarding script
accordingly.
- Around line 319-326: The onboarding script writes per-repo examples into
WORKFLOWS_DIR via EXAMPLES_DIR="workflows/cve-fixer/.cve-fix/$(echo "$REPO_FULL"
| tr '/' '-')" (variables: REPO_URLS, REPO_FULL, EXAMPLES_DIR,
GENERATED_EXAMPLES) but the fixer expects ${REPO_DIR}/.cve-fix inside each
cloned target repo (cve.fix.md Step 4.5), so pick one fix and apply it
consistently: either (A) change the fixer (Step 4.5) to also check
workflows/cve-fixer/.cve-fix/<sanitized-repo>/ after cloning (add lookup for
that path alongside ${REPO_DIR}/.cve-fix), or (B) change the onboard loop to
create and push examples.md directly into each target repo root at
.cve-fix/examples.md (open PRs against the target repos instead of committing to
the workflows repo) so the files appear at ${REPO_DIR}/.cve-fix when cloned;
implement the chosen option across both scripts and ensure references to
EXAMPLES_DIR/REPO_FULL and lookup for ${REPO_DIR}/.cve-fix are updated to match.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6f245f9e-6d42-4fac-83cb-97cafbb0dded

📥 Commits

Reviewing files that changed from the base of the PR and between 81f15ce and d3170e2.

📒 Files selected for processing (3)
  • workflows/cve-fixer/.claude/commands/cve.fix.md
  • workflows/cve-fixer/.claude/commands/onboard.md
  • workflows/cve-fixer/component-repository-mappings.json
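The test plan in the PR description (verify that /cve.fix reads repos[].containers and repos[].active_branches) and the review comment above about container lookups always missing and TARGET_BRANCHES collapsing to default_branch under the old keys both come down to two operations on the new mapping: a schema check and a container-to-repo lookup. The Python below is an added example written for this page, not code from the PR or the ambient-code/workflows project. It validates a mapping document in the flattened schema (required keys, canonical type so that "unknown" is rejected, no container claimed by two repos) and resolves a container to its repo and the branch list a fix should target. The top-level `components` / `metadata` wrapper is taken from the review comments and commit messages; the component, repo, branch and container names in the sample are constructed placeholders.

```python
import json

ALLOWED_TYPES = {"upstream", "midstream", "downstream"}
REQUIRED_KEYS = ("url", "type", "default_branch", "active_branches")

# Constructed sample in the flattened schema; names are placeholders, not the
# project's real components, repos or containers. The third repo is
# deliberately broken (type "unknown", duplicate container) so the validator
# has something to report.
SAMPLE_MAPPING = json.dumps({
    "metadata": {"last_updated": "2026-04-16"},
    "components": {
        "ExampleComponent": {
            "repos": [
                {"url": "https://github.com/example-org/example-repo",
                 "type": "upstream", "default_branch": "main",
                 "active_branches": []},
                {"url": "https://github.com/example-org/example-repo-downstream",
                 "type": "downstream", "default_branch": "main",
                 "active_branches": ["rhoai-3.4", "rhoai-3.3"],
                 "containers": ["rhoai/example-container-rhel9"],
                 "subcomponent": "example-sub"},
                {"url": "https://github.com/example-org/broken-repo",
                 "type": "unknown", "default_branch": "main",
                 "active_branches": ["rhoai-3.4"],
                 "containers": ["rhoai/example-container-rhel9"]},
            ]
        }
    },
})


def load_mapping(text):
    """Parse the mapping file contents (a JSON string) into a dict."""
    return json.loads(text)


def validate_mapping(doc):
    """Return a list of problems; an empty list means every repo is routable.

    Checks: each component has a non-empty repos array, each repo carries the
    required keys, type is a canonical role (so "unknown" is rejected),
    active_branches is a list, and no container is listed by two repos
    (which would make the container -> repo lookup ambiguous).
    """
    problems = []
    container_owner = {}
    for comp, body in doc.get("components", {}).items():
        repos = body.get("repos")
        if not isinstance(repos, list) or not repos:
            problems.append(f"{comp}: 'repos' must be a non-empty array")
            continue
        for repo in repos:
            url = repo.get("url", "<missing url>")
            for key in REQUIRED_KEYS:
                if key not in repo:
                    problems.append(f"{comp} {url}: missing '{key}'")
            if repo.get("type") not in ALLOWED_TYPES:
                problems.append(f"{comp} {url}: type {repo.get('type')!r} "
                                f"is not one of {sorted(ALLOWED_TYPES)}")
            if not isinstance(repo.get("active_branches", []), list):
                problems.append(f"{comp} {url}: 'active_branches' must be a list")
            for container in repo.get("containers", []):
                if container in container_owner:
                    problems.append(f"container {container!r} is claimed by both "
                                    f"{container_owner[container]} and {url}")
                else:
                    container_owner[container] = url
    return problems


def resolve_container(doc, container):
    """Return (component_name, repo_entry) for the repo that builds `container`.

    This replaces the old container_to_repo_mapping lookup. The first repo
    listing the container wins, which is why validate_mapping flags
    duplicates. Returns None when no repo lists the container.
    """
    for comp, body in doc.get("components", {}).items():
        for repo in body.get("repos", []):
            if container in repo.get("containers", []):
                return comp, repo
    return None


def target_branches(repo):
    """Branches a CVE fix should land on: default_branch, then active_branches.

    Reading active_branches (not the removed active_release_branches) is what
    keeps backports from silently collapsing to the default branch alone.
    """
    ordered = []
    for branch in [repo["default_branch"], *repo.get("active_branches", [])]:
        if branch not in ordered:
            ordered.append(branch)
    return ordered


if __name__ == "__main__":
    mapping = load_mapping(SAMPLE_MAPPING)
    for problem in validate_mapping(mapping):
        print("PROBLEM:", problem)
    hit = resolve_container(mapping, "rhoai/example-container-rhel9")
    if hit:
        comp, repo = hit
        print(f"{comp}: {repo['url']} -> {target_branches(repo)}")
```

Pointed at the real file with `load_mapping(open(path).read())`, a non-empty result from `validate_mapping` is the "simple schema check" the review asked for, and it is cheap enough to run as a pre-commit hook or CI step on the mappings file so an "unknown" type or a doubly-claimed container cannot reach the workflow.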

Comment on lines +1246 to 1256
        --base <target-branch> \
        --title "Security: Fix CVE-YYYY-XXXXX (<package-name>)" \
        --body "$PR_BODY" \
        --label "cve-fixer-automated" 2>/dev/null || \
        gh pr create \
        --base <target-branch> \
        --title "Security: Fix CVE-YYYY-XXXXX (<package-name>)" \
        --body "$PR_BODY")
      # Note: --label silently fails if the label doesn't exist in the repo.
      # The fallback without --label ensures PR is always created.

⚠️ Potential issue | 🟡 Minor

Comment contradicts the code path.

The inline note says "--label silently fails if the label doesn't exist," but the whole reason a fallback gh pr create without --label exists is that gh pr create --label <missing> returns non-zero and aborts PR creation. If it truly silently failed, the fallback wouldn't be needed. Also, 2>/dev/null on the first call swallows every stderr (auth errors, network, validation), so the fallback can retry for unrelated reasons and mask real failures.

Suggested wording + stderr handling
-       PR_URL=$(gh pr create \
-         --base <target-branch> \
-         --title "Security: Fix CVE-YYYY-XXXXX (<package-name>)" \
-         --body "$PR_BODY" \
-         --label "cve-fixer-automated" 2>/dev/null || \
-         gh pr create \
-         --base <target-branch> \
-         --title "Security: Fix CVE-YYYY-XXXXX (<package-name>)" \
-         --body "$PR_BODY")
-       # Note: --label silently fails if the label doesn't exist in the repo.
-       # The fallback without --label ensures PR is always created.
+       # `gh pr create --label <name>` fails (non-zero, no PR created) when the
+       # label does not exist in the repo. Retry once without --label so the PR
+       # is still created. Keep stderr visible so unrelated failures surface.
+       PR_URL=$(gh pr create \
+         --base <target-branch> \
+         --title "Security: Fix CVE-YYYY-XXXXX (<package-name>)" \
+         --body "$PR_BODY" \
+         --label "cve-fixer-automated") \
+       || PR_URL=$(gh pr create \
+         --base <target-branch> \
+         --title "Security: Fix CVE-YYYY-XXXXX (<package-name>)" \
+         --body "$PR_BODY")
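Review bot: the retry introduced by `|| PR_URL=$(gh pr create ...` still fires on every non-zero exit of the first call, not only on a missing label, so an auth, network or validation error gets a second attempt that obscures the real cause; the change makes stderr visible, which helps a human, but the control flow is the same as before. Check for the label up front (for example `gh label list` filtered for `cve-fixer-automated`) and append `--label` only when it exists, so that a single `gh pr create` runs and its failure means what it says. The hunk also leaves PR_URL empty when both calls fail; add a `[ -n "$PR_URL" ] || exit 1` (or equivalent) after the assignment so the workflow does not continue as if a PR had been opened.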

vmrh21 and others added 3 commits April 16, 2026 19:23
The mapping update PR goes to ambient-code/workflows (correct).
The .cve-fix/examples.md files go as separate PRs to each component
repo (e.g. stolostron/multicluster-observability-operator), not to
the workflows repo.

Two separate PRs created per /onboard run:
1. ambient-code/workflows ← mapping update only
2. Each component repo ← .cve-fix/examples.md only

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
cve.find.md:
- Update subcomponent jq query for new simplified schema:
  .repos[].containers instead of container_to_repo_mapping/repositories

cve.fix.md:
- Fix misleading comment: --label exits non-zero (not silent), fallback
  exists for that reason; 2>/dev/null only suppresses the label error

onboard.md:
- Use __ as directory separator (not -) to avoid org/repo-name vs
  org-repo/name collision ambiguity
- Use printf '%s\n' instead of echo for writing generated markdown
  (echo interprets backslashes, corrupts code fences and regexes)
- Make co-author attribution version-agnostic: Claude instead of
  Claude Sonnet 4.6 (1M context)

component-repository-mappings.json:
- All repos already have correct types (no unknown values exist)

Co-Authored-By: Claude <noreply@anthropic.com>
- Step 3.1: look up container in repos[].containers[] (not container_to_repo_mapping)
- Step 3.2: iterate .components[X].repos[] (not repositories object)
- Example JSON updated from old nested structure to new flat repos[] array

Co-Authored-By: Claude <noreply@anthropic.com>
@jwm4 jwm4 left a comment

These changes seem fine.

@jwm4 jwm4 merged commit 2168268 into ambient-code:main Apr 17, 2026
2 checks passed