perf: pre-create claude user + chown at Docker build time

Adds `adduser claude` and `chown -R claude:claude` to all Dockerfiles
at build time so Harbor's runtime chown is a near-instant no-op.
Saves 15-30 min per large-repo task (Firefox 5.4GB, Chromium, LLVM, etc).

Covers /workspace, /app, /testbed, /logs with existence checks.
Updated generator script, both J2 templates, and regenerated all 516
Dockerfiles (255 sg_only, 85 artifact_only, 85 artifact_baseline, 81 base).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_build/bustub-hyperloglog-impl-001/environment/Dockerfile.sg_only

@@ -1,36 +1,32 @@
 # bustub-hyperloglog-impl-001 — sg_only_env variant
-# Uses TAC base image (provides /utils/eval.py, python_default) with workspace truncated.
-# Agent uses Sourcegraph MCP exclusively for code access.
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
 
-FROM ghcr.io/theagentcompany/sde-implement-hyperloglog-image:1.0.0
+FROM ubuntu:22.04
 
-ENV SOURCEGRAPH_REPO_NAME=sg-evals/bustub--d5f79431
+ENV DEBIAN_FRONTEND=noninteractive
 
-# TAC environment variables (needed by verifier)
-ENV TAC_SERVER_HOSTNAME=localhost
-ENV DECRYPTION_KEY="theagentcompany is all you need"
-
-# Create logs directory for Harbor compatibility
-RUN mkdir -p /logs/agent /logs/verifier /workspace
-
-# Truncate workspace — agent must use MCP to discover code
-RUN find /workspace -type f -name '*.py' -o -name '*.cpp' -o -name '*.h' -o -name '*.c' \
-        -o -name '*.java' -o -name '*.js' -o -name '*.ts' -o -name '*.go' -o -name '*.rs' \
-        -o -name '*.rb' -o -name '*.sh' -o -name '*.md' -o -name '*.txt' -o -name '*.json' \
-        -o -name '*.yaml' -o -name '*.yml' -o -name '*.toml' -o -name '*.cfg' -o -name '*.ini' \
-    | while read f; do : > "$f"; done 2>/dev/null || true
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    python3 \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /workspace
 
 # Empty git repo so agent can commit work
-RUN git init 2>/dev/null || (git config --global init.defaultBranch main && git init) && \
+RUN git init && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 
+RUN mkdir -p /logs/agent /logs/verifier
+
 # Mark sg_only mode so verifiers can skip local-path checks
 RUN touch /tmp/.sg_only_mode
 
-# Clone manifest for sgonly_verifier_wrapper.sh to restore repo at verify time
-RUN echo '{"repos":[{"mirror":"sg-evals/bustub--d5f79431","dest":"/workspace"}]}' > /tmp/.sg_only_clone_manifest.json
+# Pre-create claude user and set ownership at build time so Harbor's
+# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
 
 ENTRYPOINT []

benchmarks/ccb_build/bustub-hyperloglog-impl-001/tests/sgonly_verifier_wrapper.sh

@@ -1,21 +1,28 @@
 #!/bin/bash
-# SG-only verifier wrapper: restore truncated source files from backup
+# SG-only verifier wrapper: restore full repo + overlay agent changes
 #
 # Source this at the TOP of test.sh for build-requiring tasks that use
-# sg_only_env mode. It detects /tmp/.sg_only_mode and restores truncated
-# (0-byte) source files from /repo_full/ while preserving agent changes.
+# sg_only_env mode. It detects /tmp/.sg_only_mode and:
 #
-# Key insight: the sg_only Dockerfile truncates source files to 0 bytes.
-# Agent-written files are non-zero. So restoring only 0-byte files from
-# /repo_full/ recovers the full codebase without touching agent work.
-# This avoids the expensive delete+copy cycle on large repos (e.g. 9GB
-# ProtonMail monorepo with 135K node_modules entries).
+# PRIMARY PATH (clone manifest):
+#   1. Reads clone manifest from /tmp/.sg_only_clone_manifest.json
+#   2. Backs up agent-written files (non-empty, non-git, non-test)
+#   3. Clones each mirror repo with --depth 1
+#   4. Re-runs inject_defects.sh if specified in manifest
+#   5. Overlays agent changes on top
+#
+# LEGACY FALLBACK (pre-v2 images):
+#   If manifest is missing but /repo_full/ exists, restores from /repo_full/
+#   as before. This ensures unregenerated images still work during rollout.
 #
 # For non-sg_only runs, this script is a no-op.
 #
 # Usage in test.sh:
 #   #!/bin/bash
-#   [ -f /tmp/.sg_only_mode ] && [ -f /tests/sgonly_verifier_wrapper.sh ] && source /tests/sgonly_verifier_wrapper.sh
+#   # Source the sg_only wrapper (no-op if not in sg_only mode)
+#   if [ -f /tests/sgonly_verifier_wrapper.sh ]; then
+#       source /tests/sgonly_verifier_wrapper.sh
+#   fi
 #   # ... rest of test.sh as normal ...
 
 if [ ! -f /tmp/.sg_only_mode ]; then
@@ -25,6 +32,130 @@ fi
 
 echo "[sg_only_verifier] Detected sg_only mode, restoring full repo..."
 
+# ---------------------------------------------------------------------------
+# Helper: back up agent-written files from a directory
+# ---------------------------------------------------------------------------
+backup_agent_files() {
+    local srcdir="$1"
+    if [ ! -d "$srcdir" ]; then
+        return
+    fi
+    cd "$srcdir"
+    mkdir -p /tmp/agent_work
+    find . -type f -size +0 \
+        ! -path './.git/*' \
+        ! -path './tests/*' \
+        ! -path './.claude/*' \
+        -print0 | while IFS= read -r -d '' f; do
+        mkdir -p "/tmp/agent_work/$(dirname "$f")"
+        cp "$f" "/tmp/agent_work/$f"
+    done
+    echo "[sg_only_verifier] Backed up agent-written files from $srcdir"
+}
+
+# ---------------------------------------------------------------------------
+# Helper: overlay agent-written files back onto a directory
+# ---------------------------------------------------------------------------
+overlay_agent_files() {
+    local targetdir="$1"
+    if [ ! -d /tmp/agent_work ]; then
+        return
+    fi
+    cd /tmp/agent_work
+    find . -type f -print0 | while IFS= read -r -d '' f; do
+        local target="${targetdir}/${f#./}"
+        mkdir -p "$(dirname "$target")"
+        cp "$f" "$target"
+    done
+    echo "[sg_only_verifier] Overlaid agent changes onto $targetdir"
+}
+
+# ---------------------------------------------------------------------------
+# PRIMARY PATH: clone manifest
+# ---------------------------------------------------------------------------
+MANIFEST="/tmp/.sg_only_clone_manifest.json"
+
+if [ -f "$MANIFEST" ]; then
+    echo "[sg_only_verifier] Found clone manifest, using clone-at-verify strategy"
+
+    # Parse manifest with python3 (always available in our images)
+    WORKDIR=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(m.get('workdir', '/workspace'))")
+    echo "[sg_only_verifier] Working directory: $WORKDIR"
+
+    # 1. Back up agent-written files
+    backup_agent_files "$WORKDIR"
+
+    # 2. Clone each mirror repo
+    REPO_COUNT=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(len(m.get('repos', [])))")
+    for i in $(seq 0 $((REPO_COUNT - 1))); do
+        MIRROR=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(m['repos'][$i]['mirror'])")
+        TARGET_DIR=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(m['repos'][$i].get('target_dir', '.'))")
+        CLONE_URL="https://github.com/${MIRROR}.git"
+
+        if [ "$TARGET_DIR" = "." ]; then
+            CLONE_TARGET="$WORKDIR"
+        else
+            CLONE_TARGET="${WORKDIR}/${TARGET_DIR}"
+        fi
+
+        echo "[sg_only_verifier] Cloning $MIRROR -> $CLONE_TARGET"
+
+        # Remove existing directory contents (truncated files) but preserve .git
+        # for target_dir="." we need to be careful with the working directory
+        if [ "$TARGET_DIR" = "." ]; then
+            # For root workspace: remove everything except .git, then clone into temp and move
+            TMPCLONE=$(mktemp -d)
+            if git clone --depth 1 "$CLONE_URL" "$TMPCLONE" 2>/dev/null; then
+                # Remove old files (except .git and tests)
+                find "$CLONE_TARGET" -mindepth 1 -maxdepth 1 \
+                    ! -name '.git' ! -name 'tests' ! -name '.claude' \
+                    -exec rm -rf {} + 2>/dev/null || true
+                # Copy cloned files (except .git)
+                cd "$TMPCLONE"
+                find . -mindepth 1 -maxdepth 1 ! -name '.git' -exec cp -a {} "$CLONE_TARGET/" \;
+                cd /
+                rm -rf "$TMPCLONE"
+                echo "[sg_only_verifier] Restored $MIRROR to $CLONE_TARGET"
+            else
+                echo "[sg_only_verifier] WARNING: Failed to clone $CLONE_URL"
+                rm -rf "$TMPCLONE"
+            fi
+        else
+            # For subdirectory: remove and re-clone
+            rm -rf "$CLONE_TARGET"
+            if git clone --depth 1 "$CLONE_URL" "$CLONE_TARGET" 2>/dev/null; then
+                echo "[sg_only_verifier] Restored $MIRROR to $CLONE_TARGET"
+            else
+                echo "[sg_only_verifier] WARNING: Failed to clone $CLONE_URL"
+            fi
+        fi
+    done
+
+    # 3. Re-run inject_defects if specified
+    INJECT_SCRIPT=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(m.get('inject_defects', ''))")
+    if [ -n "$INJECT_SCRIPT" ] && [ -f "$INJECT_SCRIPT" ]; then
+        echo "[sg_only_verifier] Running defect injection: $INJECT_SCRIPT"
+        cd "$WORKDIR"
+        chmod +x "$INJECT_SCRIPT"
+        bash "$INJECT_SCRIPT"
+        echo "[sg_only_verifier] Defect injection complete"
+    fi
+
+    # 4. Overlay agent changes
+    overlay_agent_files "$WORKDIR"
+
+    # Return to working directory
+    cd "$WORKDIR"
+    echo "[sg_only_verifier] Clone-at-verify restore complete, proceeding with tests"
+
+    return 0 2>/dev/null || exit 0
+fi
+
+# ---------------------------------------------------------------------------
+# LEGACY FALLBACK: /repo_full/ restore (for pre-v2 images)
+# ---------------------------------------------------------------------------
+echo "[sg_only_verifier] No clone manifest found, trying legacy /repo_full/ restore..."
+
 # Read the working directory
 WORKDIR="$(cat /tmp/.sg_only_workdir 2>/dev/null || echo '/app')"
 echo "[sg_only_verifier] Working directory: $WORKDIR"
@@ -34,18 +165,16 @@ if [ ! -d /repo_full ]; then
     return 0 2>/dev/null || exit 0
 fi
 
-# Restore truncated files: find 0-byte files and bulk-copy originals from
-# backup using tar pipe (orders of magnitude faster than individual cp on
-# repos with 100K+ truncated files like ProtonMail's node_modules).
-# Agent-written files are non-zero and will not be touched.
-cd "$WORKDIR"
-find . -type f -size 0 \
-    ! -path './.git/*' ! -path './tests/*' ! -path './.claude/*' \
-    ! -path './node_modules/*' ! -path './__pycache__/*' ! -path './vendor/*' \
-    -print0 | (cd /repo_full && tar --null -T - -cf - 2>/dev/null) \
-    | tar xf - -C "$WORKDIR/" 2>/dev/null
-echo "[sg_only_verifier] Restored truncated files from /repo_full/"
+# 1. Find files the agent wrote (non-empty, non-git, non-test files)
+backup_agent_files "$WORKDIR"
+
+# 2. Restore full repo from backup
+rsync -a --delete /repo_full/ "$WORKDIR/"
+echo "[sg_only_verifier] Restored full repo from /repo_full/"
+
+# 3. Overlay agent's changes
+overlay_agent_files "$WORKDIR"
 
 # Return to working directory
 cd "$WORKDIR"
-echo "[sg_only_verifier] Restore complete, proceeding with tests"
+echo "[sg_only_verifier] Legacy restore complete, proceeding with tests"

benchmarks/ccb_build/camel-fix-protocol-feat-001/environment/Dockerfile.sg_only

@@ -4,8 +4,6 @@
 
 FROM eclipse-temurin:17-jdk
 
-ENV SOURCEGRAPH_REPO_NAME=sg-evals/camel--1006f047
-
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -31,4 +29,9 @@ RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/camel--1006f047",
 # Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
+# Pre-create claude user and set ownership at build time so Harbor's
+# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
 ENTRYPOINT []

benchmarks/ccb_build/cgen-deps-install-001/environment/Dockerfile.sg_only

@@ -4,8 +4,6 @@
 
 FROM ubuntu:22.04
 
-ENV SOURCEGRAPH_REPO_NAME=sg-evals/cgen--dibench
-
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -30,4 +28,9 @@ RUN echo '{"workdir":"/app/repo","repos":[{"mirror":"sg-evals/cgen--dibench","ta
 # Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
+# Pre-create claude user and set ownership at build time so Harbor's
+# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
 ENTRYPOINT []

benchmarks/ccb_build/codecoverage-deps-install-001/environment/Dockerfile.sg_only

@@ -4,8 +4,6 @@
 
 FROM ubuntu:22.04
 
-ENV SOURCEGRAPH_REPO_NAME=sg-evals/CodeCoverageSummary--dibench
-
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -30,4 +28,9 @@ RUN echo '{"workdir":"/app/repo","repos":[{"mirror":"sg-evals/CodeCoverageSummar
 # Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
+# Pre-create claude user and set ownership at build time so Harbor's
+# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
 ENTRYPOINT []

benchmarks/ccb_build/dotenv-expand-deps-install-001/environment/Dockerfile.sg_only

@@ -4,8 +4,6 @@
 
 FROM ubuntu:22.04
 
-ENV SOURCEGRAPH_REPO_NAME=sg-evals/dotenv-expand--dibench
-
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -36,4 +34,9 @@ RUN echo '{"workdir":"/app/repo","repos":[{"mirror":"sg-evals/dotenv-expand--dib
 # Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
+# Pre-create claude user and set ownership at build time so Harbor's
+# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
 ENTRYPOINT []

benchmarks/ccb_build/dotnetkoans-deps-install-001/environment/Dockerfile.sg_only

@@ -4,8 +4,6 @@
 
 FROM ubuntu:22.04
 
-ENV SOURCEGRAPH_REPO_NAME=sg-evals/DotNetKoans--dibench
-
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -30,4 +28,9 @@ RUN echo '{"workdir":"/app/repo","repos":[{"mirror":"sg-evals/DotNetKoans--diben
 # Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
+# Pre-create claude user and set ownership at build time so Harbor's
+# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
 ENTRYPOINT []

benchmarks/ccb_build/envoy-grpc-server-impl-001/environment/Dockerfile.sg_only

@@ -4,9 +4,9 @@
 
 FROM ubuntu:22.04
 
-ENV SOURCEGRAPH_REPOS=sg-evals/go-control-plane--71637ad6,sg-evals/istio--2300e245,sg-evals/emissary--3bbdbe0f
-
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/emissary--3bbdbe0f,sg-evals/go-control-plane--71637ad6,sg-evals/istio--2300e245"
+
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     ca-certificates \
@@ -29,4 +29,9 @@ RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/go-control-plane-
 # Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
+# Pre-create claude user and set ownership at build time so Harbor's
+# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
 ENTRYPOINT []

benchmarks/ccb_build/eslint-markdown-deps-install-001/environment/Dockerfile.sg_only

@@ -4,8 +4,6 @@
 
 FROM ubuntu:22.04
 
-ENV SOURCEGRAPH_REPO_NAME=sg-evals/markdown--dibench
-
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -36,4 +34,9 @@ RUN echo '{"workdir":"/app/repo","repos":[{"mirror":"sg-evals/markdown--dibench"
 # Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
+# Pre-create claude user and set ownership at build time so Harbor's
+# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
 ENTRYPOINT []