feat: scaffold 8 new MCP-unique benchmark tasks (12 → 20 total)

Add tasks for 4 categories: Migration (C), Incident (D), Compliance (F),
Platform (J). Each task has oracle-curated answer files verified via
Sourcegraph queries (gold=1.0, empty=0.0 for all 8).

New tasks:
- CCX-migration-025: numpy.distutils deprecation across python-ml-stack
- CCX-migration-027: Express req.host deprecation in nodejs-web-stack
- CCX-incident-034: Loki client retry/timeout config in grafana-observability
- CCX-incident-037: etcd DialTimeout across kubernetes-ecosystem
- CCX-compliance-051: TLS enforcement across prometheus-monitoring
- CCX-compliance-057-ds: audit logging evidence bundle (Deep Search variant)
- CCX-platform-094: CODEOWNERS infrastructure in grafana-observability
- CCX-platform-100: deprecated API fields in kubernetes pkg/apis/

New suites: ccb_mcp_migration, ccb_mcp_compliance
New repo set: prometheus-monitoring (prometheus, alertmanager, client_golang)
Note: SG mirrors for version pinning still needed (tracked in beads).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_mcp_compliance/ccx-compliance-051/environment/Dockerfile

@@ -0,0 +1,27 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    golang-go \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone fixture repo (baseline has full local access)
+RUN git clone --depth 1 --branch v3.2.1 https://github.com/prometheus/prometheus /workspace/prometheus
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+ENTRYPOINT []

benchmarks/ccb_mcp_compliance/ccx-compliance-051/environment/Dockerfile.sg_only

@@ -0,0 +1,30 @@
+# CCX-compliance-051 — sg_only variant
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# The verifier restores the full repo from /repo_full/ before scoring.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    python3 \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Empty workspace — agent discovers code via MCP tools only
+RUN git init && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Mark sg_only mode — verifiers and eval scripts check this flag
+RUN touch /tmp/.sg_only_mode
+
+ENTRYPOINT []

benchmarks/ccb_mcp_compliance/ccx-compliance-051/instruction.md

@@ -0,0 +1,50 @@
+# Security Compliance Audit: TLS Configuration Across Prometheus Stack
+
+## Your Task
+
+For a security audit, prove that TLS is enforced on all external interfaces of the Prometheus monitoring stack. Find all Go source files in `prometheus/prometheus` that define, load, validate, or apply TLS configuration for: scrape targets, remote write/read endpoints, the web server, tracing exporters, and service discovery plugins.
+
+**NOTE**: The canonical TLS config struct is defined in the `prometheus-common` library (available on Sourcegraph as `sourcegraph-testing/prometheus-common`). Include this definition file in your answer.
+
+## Specific Files to Find
+
+1. **TLS struct definition and factory function** (in prometheus-common)
+2. **Config embedding** — where TLS is wired into scrape/remote/tracing configs
+3. **Server-side TLS** — web server TLS setup
+4. **Client-side TLS** — outbound connections: remote write, tracing, scrape, service discovery
+5. **TLS validation** — promtool config validation
+
+## Context
+
+You are performing a compliance audit of the Prometheus monitoring stack. The goal is to verify that TLS is enforced on all external-facing interfaces. This requires tracing TLS configuration from its definition in the shared `prometheus-common` library through its embedding in Prometheus's own config, its application on the web server (server-side), its use in outbound connections (client-side), and its validation by the `promtool` CLI.
+
+## Available Resources
+
+The local `/workspace/` directory contains:
+- `prometheus/prometheus` at v3.2.1 → `/workspace/prometheus`
+
+## Output Format
+
+Create a file at `/workspace/answer.json` with your findings in the following structure:
+
+```json
+{
+  "files": [
+    {"repo": "prometheus/prometheus", "path": "relative/path/to/file.go"},
+    {"repo": "sourcegraph-testing/prometheus-common", "path": "relative/path/to/file.go"}
+  ],
+  "text": "Narrative explanation of the TLS architecture across the Prometheus stack."
+}
+```
+
+**Important**: Use `"prometheus/prometheus"` or `"sourcegraph-testing/prometheus-common"` for repo names. Strip `github.com/` prefix.
+**Note**: Sourcegraph MCP tools return repo names with a `github.com/` prefix (e.g., `github.com/prometheus/prometheus`). Strip this prefix in your answer.
+
+Include only the `files` field. Your answer is evaluated against a closed-world oracle — completeness matters.
+
+## Evaluation
+
+Your answer will be scored on:
+- **File recall and precision**: Did you find all relevant TLS configuration files across both repos?
+- **Keyword presence**: Does your answer reference key TLS identifiers (TLSConfig, NewTLSConfig, ServeMultiple)?
+- **Provenance**: Does your answer cite the correct repos and key file paths?

benchmarks/ccb_mcp_compliance/ccx-compliance-051/task.toml

@@ -0,0 +1,28 @@
+version = "1.0"
+
+[metadata]
+name = "CCX-compliance-051"
+description = "Security Compliance Audit: TLS Configuration Across Prometheus Stack"
+license = "Apache-2.0"
+
+[task]
+id = "CCX-compliance-051"
+repo = "prometheus/prometheus"
+category = "compliance-tls-enforcement"
+language = "go"
+difficulty = "hard"
+time_limit_sec = 900
+mcp_suite = "ccb_mcp_compliance"
+use_case_id = 51
+repo_set_id = "prometheus-monitoring"
+mcp_unique = true
+
+[verification]
+type = "test"
+command = "bash /tests/eval.sh"
+
+reward_type = "score"
+description = "Security Compliance Audit: TLS Configuration Across Prometheus Stack"
+
+[environment]
+build_timeout_sec = 600.0

benchmarks/ccb_mcp_compliance/ccx-compliance-051/tests/eval.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# eval.sh — MCP-unique benchmark evaluator for CCX-compliance-051
+# Exit-code-first (SWE-Factory pattern):
+#   exit 0 — agent produced useful output (composite score > 0)
+#   exit 1 — total failure (composite score == 0 or missing answer)
+#
+# Writes /logs/verifier/reward.txt with the composite score [0.0, 1.0]
+
+set -euo pipefail
+
+TASK_ID="CCX-compliance-051"
+ANSWER_PATH="/workspace/answer.json"
+TASK_SPEC_PATH="/tests/task_spec.json"
+ORACLE_CHECKS="/tests/oracle_checks.py"
+REWARD_PATH="/logs/verifier/reward.txt"
+
+mkdir -p /logs/verifier
+
+echo "=== $TASK_ID evaluator ==="
+echo "Task spec: $TASK_SPEC_PATH"
+echo "Answer:    $ANSWER_PATH"
+echo ""
+
+# sg_only mode guard: restore full repo if verifier wrapper exists
+if [ -f /tmp/.sg_only_mode ] && [ -f /tests/sgonly_verifier_wrapper.sh ]; then
+    echo "sg_only mode: sourcing verifier wrapper..."
+    source /tests/sgonly_verifier_wrapper.sh
+fi
+
+# Verify answer file exists
+if [ ! -f "$ANSWER_PATH" ]; then
+    echo "ERROR: answer.json not found at $ANSWER_PATH"
+    echo "0.0" > "$REWARD_PATH"
+    exit 1
+fi
+
+# Validate answer is valid JSON
+if ! python3 -c "import json; json.load(open('$ANSWER_PATH'))" 2>/dev/null; then
+    echo "ERROR: answer.json is not valid JSON"
+    echo "0.0" > "$REWARD_PATH"
+    exit 1
+fi
+
+echo "answer.json found and valid JSON"
+
+# Run oracle checks
+if [ ! -f "$ORACLE_CHECKS" ]; then
+    echo "ERROR: oracle_checks.py not found at $ORACLE_CHECKS"
+    echo "0.0" > "$REWARD_PATH"
+    exit 1
+fi
+
+echo "Running oracle checks..."
+SCORE=$(python3 "$ORACLE_CHECKS" --answer "$ANSWER_PATH" --spec "$TASK_SPEC_PATH" --verbose 2>&1 | tee /dev/stderr | tail -1) || true
+
+# Validate score is a number
+if ! echo "$SCORE" | python3 -c "import sys; float(sys.stdin.read().strip())" 2>/dev/null; then
+    echo "ERROR: oracle_checks.py did not return a valid score: $SCORE"
+    echo "0.0" > "$REWARD_PATH"
+    exit 1
+fi
+
+echo ""
+echo "Composite score: $SCORE"
+echo "$SCORE" > "$REWARD_PATH"
+
+# Exit based on score (SWE-Factory exit-code-first pattern)
+python3 -c "import sys; sys.exit(0 if float('$SCORE') > 0 else 1)"

benchmarks/ccb_mcp_compliance/ccx-compliance-051/tests/oracle_answer.json

@@ -0,0 +1,24 @@
+{
+  "files": [
+    {"repo": "sourcegraph-testing/prometheus-common", "path": "config/http_config.go"},
+    {"repo": "prometheus/prometheus", "path": "config/config.go"},
+    {"repo": "prometheus/prometheus", "path": "cmd/prometheus/main.go"},
+    {"repo": "prometheus/prometheus", "path": "cmd/promtool/main.go"},
+    {"repo": "prometheus/prometheus", "path": "web/web.go"},
+    {"repo": "prometheus/prometheus", "path": "tracing/tracing.go"},
+    {"repo": "prometheus/prometheus", "path": "storage/remote/client.go"},
+    {"repo": "prometheus/prometheus", "path": "scrape/scrape.go"},
+    {"repo": "prometheus/prometheus", "path": "storage/remote/write.go"},
+    {"repo": "prometheus/prometheus", "path": "storage/remote/storage.go"},
+    {"repo": "prometheus/prometheus", "path": "discovery/triton/triton.go"},
+    {"repo": "prometheus/prometheus", "path": "discovery/openstack/openstack.go"}
+  ],
+  "text": "The Prometheus TLS architecture spans 12 files across 2 repos, organized in 5 layers:\n\n1. **Definition** (prometheus-common): config/http_config.go defines the canonical TLSConfig struct and NewTLSConfig() factory function that creates tls.Config from user settings.\n\n2. **Configuration** (prometheus/prometheus): config/config.go embeds TLSConfig into ScrapeConfig, RemoteWriteConfig, RemoteReadConfig, and TracingConfig, making TLS configurable for all external interfaces.\n\n3. **Validation** (prometheus/prometheus): cmd/promtool/main.go validates TLS settings as part of config validation, ensuring certificates and keys are valid before deployment.\n\n4. **Server-side TLS** (prometheus/prometheus): web/web.go applies TLS via ServeMultiple() for the Prometheus HTTP server, and cmd/prometheus/main.go wires the TLS config into the web handler.\n\n5. **Client-side TLS** (prometheus/prometheus): storage/remote/client.go, storage/remote/write.go, and storage/remote/storage.go apply TLS for remote write/read connections. scrape/scrape.go uses TLS for scrape target connections. tracing/tracing.go configures TLS for OTLP tracing exporters. discovery/triton/triton.go and discovery/openstack/openstack.go apply TLS for service discovery HTTP clients.",
+  "_metadata": {
+    "oracle_type": "file_set_match",
+    "discovery_method": "sourcegraph_keyword_search",
+    "query": "repo:^github.com/prometheus/prometheus$ TLSConfig",
+    "verified_at": "2026-02-21",
+    "pinned_version": "v3.2.1"
+  }
+}