docs: add /onboard to README and startup prompt

vmrh21 · claude · vmrh21 · commit 7a8838491e22 · 2026-04-10T15:21:29.000-04:00
- README: add /onboard command section in Available Commands
- README: update Onboarding Steps to use /onboard instead of
  contacting maintainers manually
- ambient.json startupPrompt: mention /onboard as the first step
  for new teams before /cve.find and /cve.fix

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/workflows/cve-fixer/.ambient/ambient.json b/workflows/cve-fixer/.ambient/ambient.json
@@ -2,7 +2,7 @@
   "name": "CVE Fixer",
   "description": "Automate remediation of CVE issues reported by ProdSec team in Jira by creating pull requests with dependency updates and patches",
   "systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nNote: Commands will guide you through required setup steps on first use. If the user's component is not in component-repository-mappings.json, direct them to the \"Team Onboarding\" section in README.md.",
-  "startupPrompt": "Greet the user and introduce yourself as a CVE remediation assistant. Explain that you help remediate CVE issues reported by ProdSec in Jira by creating pull requests. Mention the two commands: /cve.find to discover CVEs and /cve.fix to implement fixes. If this is their first time, point them to README.md Team Onboarding for setup. Suggest starting with /cve.find and ask what they'd like to work on.",
+  "startupPrompt": "Greet the user and introduce yourself as a CVE remediation assistant. Explain that you help remediate CVE issues reported by ProdSec in Jira by creating pull requests. Mention the three commands: /onboard to add a new component, /cve.find to discover CVEs, and /cve.fix to implement fixes. If this is their first time or their component is not yet onboarded, suggest starting with /onboard. Otherwise suggest /cve.find and ask what they'd like to work on.",
   "results": {
     "Jira CVE Issues": "artifacts/cve-fixer/find/**/*.md",
     "Fix Implementations": "artifacts/cve-fixer/fixes/**/*"
diff --git a/workflows/cve-fixer/README.md b/workflows/cve-fixer/README.md
@@ -99,14 +99,15 @@ Each team member using the workflow needs:
 
 ### Onboarding Steps
 
-1. **Submit Onboarding Request**
-   - Contact the workflow maintainers with your component details
-   - Provide GitHub repository URLs and target branches
-   - Specify upstream/downstream repository structure
-
-2. **Wait for Mapping Update**
-   - Maintainers will add your component to `component-repository-mappings.json`
-   - PR will be created and merged
+1. **Run `/onboard`**
+   - Run the `/onboard` command — it guides you through the process interactively
+   - Provide your Jira component name, GitHub repo URLs, and repo types
+   - The command validates your component name against Jira, auto-discovers branch info,
+     and opens a PR to add your component to `component-repository-mappings.json`
+   - No need to contact maintainers manually — the PR is opened automatically using your credentials
+
+2. **Wait for PR to Merge**
+   - A maintainer will review and merge your PR
    - You'll be notified when ready
 
 3. **Coordinate with ProdSec**
@@ -195,6 +196,27 @@ Discover and catalog CVEs that have been reported by ProdSec team in Jira for a
 - Extracts issue metadata (summary, status, priority, created date)
 - Groups results by status and priority
 
+### `/onboard` - Onboard a New Component
+
+Add your team's component and repositories to the CVE fixer workflow. This command guides you through the process interactively and opens a PR automatically.
+
+**Usage:**
+```bash
+/onboard    # fully interactive — guides you through each step
+```
+
+**What it does:**
+1. Collects your Jira component name, GitHub repos, and optional container image names
+2. Validates the Jira component name against the Jira API
+3. Auto-discovers branch info (default branch, active release branches) from GitHub
+4. Shows you the generated mapping entry for confirmation
+5. Forks `ambient-code/workflows` if you don't have write access, syncs the fork
+6. Opens a PR with your component added to `component-repository-mappings.json`
+
+**Run this before using `/cve.find` or `/cve.fix` for a new component.**
+
+---
+
 ### `/cve.fix` - Implement CVE Fixes
 
 Implement remediations for CVEs discovered in Jira by creating pull requests with fixes.
