fix: update cve.fix.md to use new simplified mapping schema

- Step 3.1: look up container in repos[].containers[] (not container_to_repo_mapping)
- Step 3.2: iterate .components[X].repos[] (not repositories object)
- Example JSON updated from old nested structure to new flat repos[] array

Co-Authored-By: Claude <noreply@anthropic.com>

Author: vmrh21

workflows/cve-fixer/.claude/commands/cve.fix.md

@@ -132,22 +132,21 @@ Summary:
    **3.1: Use container to scope repos (preferred)**
 
    If a `CONTAINER` was extracted in Step 1:
-   - Look up `CONTAINER` in `container_to_repo_mapping` for the component
-   - **If container not found in mapping**:
+   - Search all repos in `.components[COMPONENT].repos[]` for one whose `.containers[]` includes `CONTAINER`
+   - **If container not found**:
      - Log a warning: "⚠️ Container [CONTAINER] not in mapping — may be a new container not yet registered. Processing all component repos."
      - Fall back to processing all repos in the component (scan in Step 5 filters irrelevant ones)
-   - **If container found**: gives the **primary repo** (e.g., `opendatahub-io/workload-variant-autoscaler`)
-   - Check if the primary repo has a `subcomponent` field in the `repositories` section
+   - **If container found**: note which repo it belongs to, read its `subcomponent` field
      - **If `subcomponent` is defined**: collect all repos in the component with the same `subcomponent` value — this is the chain (upstream + midstream + downstream)
-     - **If `subcomponent` is not defined**: process ALL repositories in the component (safe fallback — the CVE scan in Step 5 will filter out repos where the CVE doesn't exist)
+     - **If `subcomponent` is not defined**: process ALL repos in the component (safe fallback — the CVE scan in Step 5 will filter out repos where the CVE doesn't exist)
    - **This ensures only the repos relevant to that specific container get PRs** — not repos belonging to other subcomponents
 
-   Example: `rhoai/odh-workload-variant-autoscaler-controller-rhel9` → primary repo `opendatahub-io/workload-variant-autoscaler` → `subcomponent: autoscaler` → only process `llm-d/llm-d-workload-variant-autoscaler`, `opendatahub-io/workload-variant-autoscaler`, `red-hat-data-services/workload-variant-autoscaler`.
+   Example: `rhoai/odh-workload-variant-autoscaler-controller-rhel9` found in repo with `subcomponent: autoscaler` → only process `llm-d/llm-d-workload-variant-autoscaler`, `opendatahub-io/workload-variant-autoscaler`, `red-hat-data-services/workload-variant-autoscaler`.
 
    **3.2: Fallback — use all repos**
 
    If no `CONTAINER` was extracted (summary doesn't match expected pattern):
-   - Process ALL repositories listed under the component
+   - Process all entries in `.components[COMPONENT].repos[]`
    - The CVE scan in Step 5 acts as the safety net — it will skip repos where the CVE doesn't exist
    - Log a warning: "⚠️ Could not extract container from summary — processing all component repos"
 
@@ -1485,37 +1484,31 @@ After completing this phase:
   - Filter the repository list to only those that contain the CVE
 - **Multi-Repository Support**: A single component can map to MULTIPLE repositories
   - Common pattern: an **upstream** repo (e.g., `opendatahub-io/models-as-a-service`) and one or more **downstream** repos (e.g., `red-hat-data-services/models-as-a-service`)
-  - Each repository has its own `default_branch`, `cve_fix_workflow`, and `repo_type`
-  - The `repo_type` field can be `"upstream"` or `"downstream"` to indicate the relationship
-  - When fixing CVEs, iterate through ALL repositories for the component and apply fixes to each one independently
-  - Downstream repos often track different branches (e.g., `rhoai-3.0`) than upstream (`main`)
-  - Each repository gets its own clone directory, feature branch, verification, test run, and PR
-- **Mapping File Structure**:
+  - Each repo entry has its own `default_branch`, `active_branches`, and `type`
+  - The `type` field is `"upstream"`, `"midstream"`, or `"downstream"`
+  - When fixing CVEs, iterate through ALL repos for the component and apply fixes to each one independently
+  - Downstream repos often track different branches (e.g., `rhoai-3.4`) than upstream (`main`)
+  - Each repo gets its own clone directory, feature branch, verification, test run, and PR
+- **Mapping File Structure** (simplified schema):
   ```json
   {
     "components": {
       "Component Name": {
-        "container_to_repo_mapping": { ... },
-        "repositories": {
-          "org/repo-upstream": {
+        "repos": [
+          {
+            "url": "https://github.com/org/upstream-repo",
+            "type": "upstream",
             "default_branch": "main",
-            "active_release_branches": [...],
-            "cve_fix_workflow": {
-              "primary_target": "main",
-              "backport_targets": "..."
-            },
-            "repo_type": "upstream"
+            "active_branches": ["release-0.6"],
+            "containers": ["rhoai/odh-container-rhel9"]
           },
-          "org/repo-downstream": {
-            "default_branch": "rhoai-3.0",
-            "active_release_branches": ["rhoai-3.0"],
-            "cve_fix_workflow": {
-              "primary_target": "rhoai-3.0",
-              "backport_targets": "rhoai-3.0"
-            },
-            "repo_type": "downstream"
+          {
+            "url": "https://github.com/org/downstream-repo",
+            "type": "downstream",
+            "default_branch": "main",
+            "active_branches": ["rhoai-3.4", "rhoai-3.4-ea.2"]
           }
-        }
+        ]
       }
     }
   }