feat: create separate PRs per branch for downstream repos in cve.fix

workflows/cve-fixer/.claude/commands/cve.find.md

@@ -33,7 +33,8 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
 1. **Parse Arguments and Flags**
    - Parse the command arguments for the component name, optional subcomponent, and optional flags
    - **Supported flags:**
-     - `--ignore-resolved` — Exclude issues with Jira status "Resolved" from results
+     - `--ignore-resolved` — Exclude issues with status "Resolved" from results
+     - `--ignore-vex` — Exclude issues already closed as "Not a Bug" with a VEX justification
    - The component name is the first argument that is not a flag
    - The subcomponent is the second positional argument that is not a flag (optional)
    - If component is not provided, ask the user to type the component name
@@ -51,62 +52,52 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
    /cve.find "AI Evaluations" trustyai-ragas
    ```
 
-2. **Check JIRA API Token (REQUIRED - User Setup)**
-   - **This is the ONLY thing the user must configure manually before proceeding**
+2. **Verify Jira Access**
 
-   - Check if JIRA_API_TOKEN and JIRA_EMAIL are set:
-     ```bash
-     if [ -z "$JIRA_API_TOKEN" ]; then
-       echo "ERROR: JIRA_API_TOKEN is not set"
-     else
-       echo "JIRA_API_TOKEN is set"
-     fi
-     if [ -z "$JIRA_EMAIL" ]; then
-       echo "ERROR: JIRA_EMAIL is not set"
-     else
-       echo "JIRA_EMAIL is set"
-     fi
-     ```
-
-   - **If JIRA_API_TOKEN or JIRA_EMAIL is NOT set or empty**:
-     - **STOP here and inform the user they need to set up both variables first**
-     - Provide instructions:
-
-       **Step 1: Generate a Jira API Token**
-       - Go to https://id.atlassian.com/manage-profile/security/api-tokens
-       - Click "Create API token"
-       - Give it a name and copy the token
-
-       **Step 2: Export both environment variables**
-         ```bash
-         export JIRA_API_TOKEN="your-token-here"
-         export JIRA_EMAIL="your-email@redhat.com"
-         ```
-         To make it persistent, add to `~/.bashrc` or `~/.zshrc`:
-         ```bash
-         echo 'export JIRA_API_TOKEN="your-token-here"' >> ~/.bashrc
-         echo 'export JIRA_EMAIL="your-email@redhat.com"' >> ~/.bashrc
-         source ~/.bashrc
-         ```
-
-   - **After user sets the variables, verify they're exported correctly** using the check script above
-     - Should output: "JIRA_API_TOKEN is set" and "JIRA_EMAIL is set"
-
-   - **Only proceed to the next steps if both JIRA_API_TOKEN and JIRA_EMAIL are set**
+   Secrets may be injected by the Ambient session, a secrets manager, or an MCP server — do NOT rely solely on bash env var checks. Instead, attempt a lightweight test API call and let the response determine whether credentials are available.
+
+   ```bash
+   JIRA_BASE_URL="https://redhat.atlassian.net"
+   AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64)
+
+   # Retry once on network failure (curl exit code 000 = timeout/no response)
+   for ATTEMPT in 1 2; do
+     TEST_RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X GET \
+       --connect-timeout 10 --max-time 15 \
+       -H "Authorization: Basic ${AUTH}" \
+       -H "Content-Type: application/json" \
+       "${JIRA_BASE_URL}/rest/api/3/myself")
+     [ "$TEST_RESPONSE" != "000" ] && break
+     echo "⚠️ Network timeout on attempt ${ATTEMPT}, retrying..."
+     sleep 3
+   done
+   ```
+
+   - **HTTP 200** → credentials valid, proceed
+   - **HTTP 401** → credentials missing or invalid. Note: `/rest/api/3/myself` returns 401 for all authentication failures — there is no separate 403 for this endpoint. Only now inform the user:
+     - Check if `JIRA_API_TOKEN` and `JIRA_EMAIL` are configured as Ambient session secrets
+     - If not, generate a token at https://id.atlassian.com/manage-profile/security/api-tokens and export:
+
+       ```bash
+       export JIRA_API_TOKEN="your-token-here"
+       export JIRA_EMAIL="your-email@redhat.com"
+       ```
+   - **HTTP 000 after retry** → persistent network issue — inform user and stop
+
+   **Do NOT pre-check env vars with `[ -z "$JIRA_API_TOKEN" ]` and stop.** The variables may be available to the API call even if not visible to the shell check (e.g. Ambient secrets injection).
 
 3. **Query Jira for CVE Issues**
 
-   a. Set up variables:
+   a. Set up variables (AUTH already set from Step 2):
+
    ```bash
    COMPONENT_NAME="[from step 1]"
    JIRA_BASE_URL="https://redhat.atlassian.net"
-   JIRA_EMAIL="${JIRA_EMAIL}"
-   JIRA_API_TOKEN="${JIRA_API_TOKEN}"
-   # Jira Cloud uses Basic Auth: base64(email:api-token)
-   AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64)
+   # AUTH already constructed in Step 2 — reuse it
    ```
 
    b. Construct JQL query and execute API call:
+
    ```bash
    # Normalize component name with case-insensitive lookup against mapping file
    # Try relative to cwd (workflow root), then repo-relative fallback
@@ -156,6 +147,12 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
      JQL="${JQL} AND status not in (\"Resolved\")"
    fi
 
+   # Append VEX filter if --ignore-vex flag was provided
+   # Excludes issues closed as "Not a Bug" (VEX justified) or "Obsolete" or "Won't Fix"
+   if [ "$IGNORE_VEX" = "true" ]; then
+     JQL="${JQL} AND NOT (status = \"Closed\" AND resolution in (\"Not a Bug\", \"Obsolete\", \"Won't Fix\"))"
+   fi
+
    # URL-encode the JQL query for the GET request
    ENCODED_JQL=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''${JQL}'''))")