feat: add subcomponent field for repo chain scoping

Add subcomponent field to repos in Model as a Service, llm-d, and
AI Evaluations so cve.fix can identify which upstream/midstream/downstream
repos belong to the same container chain.

- cve.fix Step 3 now uses subcomponent to scope PRs to the affected
  container's chain only; falls back to all component repos (with
  scan-based filtering) when subcomponent is not defined
- Add missing AI Evaluations container mappings (eval-hub, garak)
  and ragas repo chain (upstream/midstream/downstream)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: vmrh21

workflows/cve-fixer/.claude/commands/cve.fix.md

@@ -122,19 +122,19 @@ Summary:
 
    If a `CONTAINER` was extracted in Step 1:
    - Look up `CONTAINER` in `container_to_repo_mapping` for the component
-   - This gives the **primary repo** (e.g., `opendatahub-io/llm-d-routing-sidecar`)
-   - From the `repositories` section, collect all repos that share the same logical chain as the primary repo:
-     - The primary repo itself
-     - Any repo with the same name but different org (upstream/midstream/downstream)
-   - **This ensures only the repos relevant to that specific container get PRs** — not every repo under the component
+   - This gives the **primary repo** (e.g., `opendatahub-io/workload-variant-autoscaler`)
+   - Check if the primary repo has a `subcomponent` field in the `repositories` section
+     - **If `subcomponent` is defined**: collect all repos in the component with the same `subcomponent` value — this is the chain (upstream + midstream + downstream)
+     - **If `subcomponent` is not defined**: process ALL repositories in the component (safe fallback — the CVE scan in Step 5 will filter out repos where the CVE doesn't exist)
+   - **This ensures only the repos relevant to that specific container get PRs** — not repos belonging to other subcomponents
 
-   Example: `rhoai/odh-llm-d-routing-sidecar-rhel9` maps to `red-hat-data-services/llm-d-routing-sidecar`.
-   Only process repos in the routing-sidecar chain — not inference-scheduler or batch-gateway repos.
+   Example: `rhoai/odh-workload-variant-autoscaler-controller-rhel9` → primary repo `opendatahub-io/workload-variant-autoscaler` → `subcomponent: autoscaler` → only process `llm-d/llm-d-workload-variant-autoscaler`, `opendatahub-io/workload-variant-autoscaler`, `red-hat-data-services/workload-variant-autoscaler`.
 
    **3.2: Fallback — use all repos**
 
    If no `CONTAINER` was extracted (summary doesn't match expected pattern):
-   - Fall back to processing ALL repositories listed under the component
+   - Process ALL repositories listed under the component
+   - The CVE scan in Step 5 acts as the safety net — it will skip repos where the CVE doesn't exist
    - Log a warning: "⚠️ Could not extract container from summary — processing all component repos"
 
    **3.3: For each target repo, gather:**

workflows/cve-fixer/component-repository-mappings.json

@@ -60,7 +60,8 @@
           },
           "build_location": "maas-api/",
           "notes": "Upstream repository. Contains maas-api Go application. Builds using Dockerfile.konflux for Red Hat builds.",
-          "repo_type": "upstream"
+          "repo_type": "upstream",
+          "subcomponent": "maas-api"
         },
         "red-hat-data-services/models-as-a-service": {
           "github_url": "https://github.com/red-hat-data-services/models-as-a-service",
@@ -78,7 +79,8 @@
           },
           "build_location": "maas-api/",
           "notes": "Downstream Red Hat release repository for maas-api. Fixes from upstream should be backported to rhoai-3.0 branch.",
-          "repo_type": "downstream"
+          "repo_type": "downstream",
+          "subcomponent": "maas-api"
         }
       }
     },
@@ -394,7 +396,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release-0.5, release-0.6"
-          }
+          },
+          "subcomponent": "inference-scheduler"
         },
         "opendatahub-io/llm-d-inference-scheduler": {
           "github_url": "https://github.com/opendatahub-io/llm-d-inference-scheduler",
@@ -410,7 +413,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release-0.2, release-0.3.1, release-v0.4, stable-2.x"
-          }
+          },
+          "subcomponent": "inference-scheduler"
         },
         "red-hat-data-services/llm-d-inference-scheduler": {
           "github_url": "https://github.com/red-hat-data-services/llm-d-inference-scheduler",
@@ -426,7 +430,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
-          }
+          },
+          "subcomponent": "inference-scheduler"
         },
         "red-hat-data-services/llm-d-routing-sidecar": {
           "github_url": "https://github.com/red-hat-data-services/llm-d-routing-sidecar",
@@ -442,7 +447,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "rhoai-2.25, rhoai-3.0, rhoai-3.2"
-          }
+          },
+          "subcomponent": "routing-sidecar"
         },
         "llm-d-incubation/batch-gateway": {
           "github_url": "https://github.com/llm-d-incubation/batch-gateway",
@@ -453,7 +459,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "None"
-          }
+          },
+          "subcomponent": "batch-gateway"
         },
         "opendatahub-io/batch-gateway": {
           "github_url": "https://github.com/opendatahub-io/batch-gateway",
@@ -466,7 +473,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release-v0.5"
-          }
+          },
+          "subcomponent": "batch-gateway"
         },
         "red-hat-data-services/batch-gateway": {
           "github_url": "https://github.com/red-hat-data-services/batch-gateway",
@@ -481,7 +489,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
-          }
+          },
+          "subcomponent": "batch-gateway"
         },
         "llm-d/llm-d-workload-variant-autoscaler": {
           "github_url": "https://github.com/llm-d/llm-d-workload-variant-autoscaler",
@@ -494,7 +503,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release-0.4.2"
-          }
+          },
+          "subcomponent": "autoscaler"
         },
         "opendatahub-io/workload-variant-autoscaler": {
           "github_url": "https://github.com/opendatahub-io/workload-variant-autoscaler",
@@ -507,7 +517,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release-v0.5"
-          }
+          },
+          "subcomponent": "autoscaler"
         },
         "red-hat-data-services/workload-variant-autoscaler": {
           "github_url": "https://github.com/red-hat-data-services/workload-variant-autoscaler",
@@ -522,14 +533,18 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
-          }
+          },
+          "subcomponent": "autoscaler"
         }
       }
     },
     "AI Evaluations": {
       "container_to_repo_mapping": {
         "rhoai/odh-ta-lmes-driver-rhel9": "opendatahub-io/trustyai-service-operator",
-        "rhoai/odh-ta-lmes-job-rhel9": "opendatahub-io/lm-evaluation-harness"
+        "rhoai/odh-ta-lmes-job-rhel9": "opendatahub-io/lm-evaluation-harness",
+        "rhoai/odh-trustyai-ragas-lls-provider-dsp-rhel9": "opendatahub-io/llama-stack-provider-ragas",
+        "rhoai/odh-eval-hub-rhel9": "opendatahub-io/eval-hub",
+        "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9": "opendatahub-io/llama-stack-provider-trustyai-garak"
       },
       "repositories": {
         "eval-hub/eval-hub": {
@@ -541,7 +556,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "None"
-          }
+          },
+          "subcomponent": "eval-hub"
         },
         "eval-hub/eval-hub-sdk": {
           "github_url": "https://github.com/eval-hub/eval-hub-sdk",
@@ -553,7 +569,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "None"
-          }
+          },
+          "subcomponent": "eval-hub-sdk"
         },
         "eval-hub/eval-hub-contrib": {
           "github_url": "https://github.com/eval-hub/eval-hub-contrib",
@@ -565,7 +582,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "None"
-          }
+          },
+          "subcomponent": "eval-hub-contrib"
         },
         "trustyai-explainability/llama-stack-provider-trustyai-garak": {
           "github_url": "https://github.com/trustyai-explainability/llama-stack-provider-trustyai-garak",
@@ -576,7 +594,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "None"
-          }
+          },
+          "subcomponent": "trustyai-garak"
         },
         "trustyai-explainability/trustyai-service-operator": {
           "github_url": "https://github.com/trustyai-explainability/trustyai-service-operator",
@@ -590,7 +609,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release/1.37.0, release/1.38.0"
-          }
+          },
+          "subcomponent": "lm-evaluation-harness"
         },
         "opendatahub-io/eval-hub": {
           "github_url": "https://github.com/opendatahub-io/eval-hub",
@@ -604,7 +624,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release/odh-3.4, stable"
-          }
+          },
+          "subcomponent": "eval-hub"
         },
         "opendatahub-io/lm-evaluation-harness": {
           "github_url": "https://github.com/opendatahub-io/lm-evaluation-harness",
@@ -620,7 +641,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release/odh-3.3, release/odh-3.4, release/odh-3.4-ea2, release/odh-3.5"
-          }
+          },
+          "subcomponent": "lm-evaluation-harness"
         },
         "opendatahub-io/llama-stack-provider-trustyai-garak": {
           "github_url": "https://github.com/opendatahub-io/llama-stack-provider-trustyai-garak",
@@ -634,7 +656,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release/odh-3.4, stable"
-          }
+          },
+          "subcomponent": "trustyai-garak"
         },
         "opendatahub-io/trustyai-service-operator": {
           "github_url": "https://github.com/opendatahub-io/trustyai-service-operator",
@@ -649,7 +672,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "release/odh-3.3, release/odh-3.4, release/odh-3.4-ea2"
-          }
+          },
+          "subcomponent": "lm-evaluation-harness"
         },
         "red-hat-data-services/eval-hub": {
           "github_url": "https://github.com/red-hat-data-services/eval-hub",
@@ -664,7 +688,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
-          }
+          },
+          "subcomponent": "eval-hub"
         },
         "red-hat-data-services/lm-evaluation-harness": {
           "github_url": "https://github.com/red-hat-data-services/lm-evaluation-harness",
@@ -680,7 +705,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
-          }
+          },
+          "subcomponent": "lm-evaluation-harness"
         },
         "red-hat-data-services/llama-stack-provider-trustyai-garak": {
           "github_url": "https://github.com/red-hat-data-services/llama-stack-provider-trustyai-garak",
@@ -696,7 +722,8 @@
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
-          }
+          },
+          "subcomponent": "trustyai-garak"
         },
         "red-hat-data-services/trustyai-service-operator": {
           "github_url": "https://github.com/red-hat-data-services/trustyai-service-operator",
@@ -709,6 +736,55 @@
           ],
           "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
           "repo_type": "downstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+          },
+          "subcomponent": "lm-evaluation-harness"
+        },
+        "trustyai-explainability/llama-stack-provider-ragas": {
+          "github_url": "https://github.com/trustyai-explainability/llama-stack-provider-ragas",
+          "default_branch": "main",
+          "active_release_branches": [
+            "release/0.4.x",
+            "release/0.5.x"
+          ],
+          "branch_strategy": "Fix in main. Release branches follow pattern release/X.Y.x.",
+          "repo_type": "upstream",
+          "subcomponent": "trustyai-ragas",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release/0.4.x, release/0.5.x"
+          }
+        },
+        "opendatahub-io/llama-stack-provider-ragas": {
+          "github_url": "https://github.com/opendatahub-io/llama-stack-provider-ragas",
+          "default_branch": "main",
+          "active_release_branches": [
+            "release/odh-3.3",
+            "release/odh-3.4-ea2",
+            "stable"
+          ],
+          "branch_strategy": "Fork of upstream trustyai-explainability/llama-stack-provider-ragas. Release branches follow pattern release/odh-X.Y.",
+          "repo_type": "midstream",
+          "subcomponent": "trustyai-ragas",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release/odh-3.3, release/odh-3.4-ea2, stable"
+          }
+        },
+        "red-hat-data-services/llama-stack-provider-ragas": {
+          "github_url": "https://github.com/red-hat-data-services/llama-stack-provider-ragas",
+          "default_branch": "main",
+          "active_release_branches": [
+            "rhoai-3.3",
+            "rhoai-3.4",
+            "rhoai-3.4-ea.1",
+            "rhoai-3.4-ea.2"
+          ],
+          "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
+          "repo_type": "downstream",
+          "subcomponent": "trustyai-ragas",
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"