fix: remove component-specific example and simplify branch targeting

- Remove llm-d specific example from Step 3.3 — workflow should be
  component-agnostic and read all repos/branches from the mapping file
- Simplify branch logic: create PRs against default_branch + ALL
  active_release_branches for every repo, regardless of repo_type
  (mapping file is the source of truth, not repo_type heuristics)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: vmrh21

workflows/cve-fixer/.claude/commands/cve.fix.md

@@ -142,42 +142,23 @@ Summary:
 
    **3.3: For each target repo, determine target branches:**
 
-   The branches to fix depend on `repo_type`:
-
-   - **`upstream` or `midstream`**: target `default_branch` only (e.g., `main`)
-     - Fixes flow forward from there — no backports needed at this level
-   - **`downstream`**: target `default_branch` AND every branch in `active_release_branches`
-     - Each branch gets its own separate PR — never combine multiple branches in one PR
-     - If `active_release_branches` is empty, target `default_branch` only
+   Read `default_branch` and `active_release_branches` directly from the mapping file entry.
+   Create a PR against `default_branch` plus every branch in `active_release_branches`.
+   This applies to all repo types — the mapping file is the source of truth for which branches need fixing.
 
    ```bash
-   # Determine target branches per repo — deduplicate to avoid processing DEFAULT_BRANCH twice
-   if [ "$REPO_TYPE" = "downstream" ]; then
-     ALL_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
-     TARGET_BRANCHES=($(printf '%s\n' "${ALL_BRANCHES[@]}" | awk '!seen[$0]++'))
-   else
-     TARGET_BRANCHES=("$DEFAULT_BRANCH")
-   fi
+   # Target branches = default_branch + active_release_branches, deduplicated
+   ALL_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
+   TARGET_BRANCHES=($(printf '%s\n' "${ALL_BRANCHES[@]}" | awk '!seen[$0]++'))
    ```
 
-   **Example for llm-d inference-scheduler:**
-   ```
-   upstream  llm-d/llm-d-inference-scheduler          → PR against: main
-   midstream opendatahub-io/llm-d-inference-scheduler  → PR against: main
-   downstream red-hat-data-services/llm-d-inference-scheduler → PRs against:
-     - main
-     - rhoai-3.3
-     - rhoai-3.4
-     - rhoai-3.4-ea.1
-     - rhoai-3.4-ea.2
-   ```
+   Each branch gets its own separate PR — never combine multiple branches in one PR.
+   If `active_release_branches` is empty in the mapping, only `default_branch` is targeted.
 
    **Multi-repo + multi-branch strategy**:
-   - Fix upstream repos first, then midstream, then downstream
-   - For downstream: Steps 4 through 11 repeat for EACH branch independently
+   - Steps 4 through 11 repeat for EACH repo and EACH branch independently
    - Each branch produces its own fix branch including the target branch name to avoid collisions:
      `fix/cve-YYYY-XXXXX-<package>-<target-branch>-attempt-1`
-     e.g. `fix/cve-2025-66418-urllib3-rhoai-3.4-attempt-1`
    - Never combine fixes for multiple branches into a single PR
 
 4. **Clone or Use Existing Repository**