fix: eliminate 30-min chown timeout on large-repo Docker overlay2

The runtime setup in claude_baseline_agent.py did unconditional
`chown -R claude:claude /workspace /app /testbed` which walked 350K+
files on overlay2, taking 30+ minutes and causing agent timeouts.

Replace with stat-based ownership probe (2ms when dirs already owned
by claude) with bounded maxdepth-1 fallback for mismatched dirs.

Also demonstrate clone-as-claude Dockerfile pattern on ccx-domain-071:
create claude user first, USER claude, then git clone — eliminates the
chown -R layer that duplicated all repo data in overlay2 (2.6GB→1.31GB).

Update _CHOWN_OPTIMIZATION comment in generate_sgonly_dockerfiles.py
to document that sg_only/artifact Dockerfiles (empty workspace) are
fine, but baseline Dockerfiles should use clone-as-claude instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

agents/claude_baseline_agent.py

@@ -1074,13 +1074,28 @@ def create_run_agent_commands(self, instruction: str) -> list[ExecInput]:
 
                 # The outer command:
                 # 1. Creates claude user
-                # 2. Writes system prompt and wrapper script from base64
-                # 3. Runs wrapper script as claude user (or root in hybrid SG modes)
-                # 4. Fixes permissions after run
+                # 2. Probes writability; only chowns if needed (avoids 30+ min
+                #    no-op stat() walk on large repos in Docker overlay2)
+                # 3. Writes system prompt and wrapper script from base64
+                # 4. Runs wrapper script as claude user (or root in hybrid SG modes)
+                # 5. Fixes permissions after run
                 setup_cmds = (
                     "id -u claude &>/dev/null || adduser -D -s /bin/bash claude 2>/dev/null || adduser --disabled-password --gecos '' claude 2>/dev/null || true && "
                     "chown -R claude:claude /logs 2>/dev/null || true && "
-                    "chown -R claude:claude /workspace /app /testbed 2>/dev/null || true"
+                    # Probe ownership via stat (not touch — touch succeeds as root).
+                    # If every existing workdir is already owned by claude, skip the
+                    # expensive recursive chown that can take 30+ min on overlay2.
+                    "{ _ok=1; for d in /workspace /app /testbed; do "
+                    "[ -d \"$d\" ] || continue; "
+                    "[ \"$(stat -c %U \"$d\" 2>/dev/null)\" = claude ] || _ok=0; "
+                    "done; [ \"$_ok\" = 1 ]; } && "
+                    "echo 'chown-skip: dirs already owned by claude' || "
+                    "{ echo 'chown-fix: running bounded ownership repair'; "
+                    "for d in /workspace /app /testbed; do "
+                    "[ -d \"$d\" ] || continue; "
+                    "chown claude:claude \"$d\" 2>/dev/null; "
+                    "find \"$d\" -maxdepth 1 -not -user claude -exec chown claude:claude {} + 2>/dev/null; "
+                    "done; true; }"
                 )
 
                 file_cmds = ""

benchmarks/ccb_mcp_domain/ccx-domain-071/environment/Dockerfile

@@ -11,9 +11,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     default-jdk \
     && rm -rf /var/lib/apt/lists/*
 
+# Create claude user BEFORE cloning so files are owned correctly from the
+# start.  This avoids a post-clone chown -R layer that doubles image size
+# and takes 15-30 min on overlay2 (copy-on-write duplicates every inode).
+RUN adduser --disabled-password --gecos '' claude 2>/dev/null || true
+RUN mkdir -p /workspace /logs/agent /logs/verifier && \
+    chown -R claude:claude /workspace /logs
+
+# Clone as claude — files land claude-owned, no separate chown layer needed.
+USER claude
 WORKDIR /workspace
-
-# Clone local checkout repos (baseline config: agent has local access to these)
 RUN git clone --depth 1 https://github.com/sg-evals/kafka--0753c489 /workspace/kafka--0753c489
 RUN git clone --depth 1 https://github.com/sg-evals/flink--0cc95fcc /workspace/flink--0cc95fcc
 RUN git clone --depth 1 https://github.com/sg-evals/camel--1006f047 /workspace/camel--1006f047
@@ -23,12 +30,7 @@ RUN git config --global user.email "agent@example.com" && \
     git config --global user.name "Agent" && \
     git config --global safe.directory '*'
 
-# Create log directories
-RUN mkdir -p /logs/agent /logs/verifier
-
-# Pre-create claude user and set ownership at build time so Harbor's
-# runtime chown is a no-op (avoids 15-30 min delay on large repos).
-RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
-    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+# Switch back to root for Harbor's runtime setup
+USER root
 
 ENTRYPOINT []

scripts/generate_sgonly_dockerfiles.py

@@ -127,12 +127,15 @@
 
 
 # Block injected before ENTRYPOINT to pre-create the claude user and set
-# ownership at build time.  Harbor's runtime ``chown -R claude:claude /workspace``
-# then becomes a near-instant no-op (files already owned by claude), saving
-# 15-30 min on large-repo images (e.g. Firefox 5.4 GB workspace).
+# ownership at build time.  The agent's runtime setup (claude_baseline_agent.py)
+# probes ownership via stat and skips chown if dirs are already claude-owned.
+#
+# NOTE: For sg_only/artifact Dockerfiles this is fine (workspace is empty).
+# For BASELINE Dockerfiles with git clones, prefer the clone-as-claude pattern
+# instead: create claude user first, USER claude, then git clone.  This avoids
+# a chown -R layer that doubles image size on Docker overlay2.
 _CHOWN_OPTIMIZATION = """\
-# Pre-create claude user and set ownership at build time so Harbor's
-# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+# Pre-create claude user and set ownership at build time.
 RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \\
     for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
 """