feat: add MCP infrastructure for 3 new ccb_fix tasks

sjarmak · claude · sjarmak · commit c9214e1fca35 · 2026-02-26T15:57:42.000Z
Generates Dockerfile.sg_only for all 3 tasks, adds mirror mappings to
inject_sg_repo_env.py, fixes clone manifest mirror names, and registers
pending mirrors in instance_to_mirror.json. Mirrors at pre-fix commits
(envoy--1ae957c1, envoy--5160151e, terraform--abd6b9ef) still need to
be created on sg-evals before MCP runs can proceed.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/benchmarks/ccb_fix/envoy-dfp-host-leak-fix-001/environment/Dockerfile.sg_only b/benchmarks/ccb_fix/envoy-dfp-host-leak-fix-001/environment/Dockerfile.sg_only
@@ -0,0 +1,43 @@
+# envoy-dfp-host-leak-fix-001 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
+
+FROM ubuntu:22.04
+
+ENV SOURCEGRAPH_REPO_NAME=sg-evals/envoy--5160151e
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    python3 \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Node.js (needed by verifier)
+RUN if ! command -v node > /dev/null 2>&1; then \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get install -y --no-install-recommends nodejs; \
+    fi
+
+WORKDIR /workspace
+
+# Empty git repo so agent can commit work
+RUN git init && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent"
+
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/envoy--5160151e","target_dir":"."}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
+RUN touch /tmp/.sg_only_mode
+
+# Pre-create claude user and set ownership at build time.
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_fix/envoy-udp-proxy-cds-fix-001/environment/Dockerfile.sg_only b/benchmarks/ccb_fix/envoy-udp-proxy-cds-fix-001/environment/Dockerfile.sg_only
@@ -0,0 +1,43 @@
+# envoy-udp-proxy-cds-fix-001 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
+
+FROM ubuntu:22.04
+
+ENV SOURCEGRAPH_REPO_NAME=sg-evals/envoy--1ae957c1
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    python3 \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Node.js (needed by verifier)
+RUN if ! command -v node > /dev/null 2>&1; then \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get install -y --no-install-recommends nodejs; \
+    fi
+
+WORKDIR /workspace
+
+# Empty git repo so agent can commit work
+RUN git init && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent"
+
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/envoy--1ae957c1","target_dir":"."}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
+RUN touch /tmp/.sg_only_mode
+
+# Pre-create claude user and set ownership at build time.
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_fix/terraform-plan-null-unknown-fix-001/environment/Dockerfile.sg_only b/benchmarks/ccb_fix/terraform-plan-null-unknown-fix-001/environment/Dockerfile.sg_only
@@ -0,0 +1,43 @@
+# terraform-plan-null-unknown-fix-001 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
+
+FROM ubuntu:22.04
+
+ENV SOURCEGRAPH_REPO_NAME=sg-evals/terraform--abd6b9ef
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    python3 \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Node.js (needed by verifier)
+RUN if ! command -v node > /dev/null 2>&1; then \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get install -y --no-install-recommends nodejs; \
+    fi
+
+WORKDIR /workspace
+
+# Empty git repo so agent can commit work
+RUN git init && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent"
+
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/terraform--abd6b9ef","target_dir":"."}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
+RUN touch /tmp/.sg_only_mode
+
+# Pre-create claude user and set ownership at build time.
+RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
+    for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
+
+ENTRYPOINT []
diff --git a/configs/instance_to_mirror.json b/configs/instance_to_mirror.json
@@ -618,6 +618,22 @@
         "tag": "v1.31.0",
         "indexed": true,
         "used_by": ["envoy-migration-doc-gen-001"]
+      },
+      "pre_fix_udp_cds": {
+        "repo": "envoyproxy/envoy",
+        "mirror_name": "sg-evals/envoy--1ae957c1",
+        "commit": "1ae957c1f92b8e0b0322ab702c67612aa618d214",
+        "indexed": false,
+        "pending_creation": true,
+        "used_by": ["envoy-udp-proxy-cds-fix-001"]
+      },
+      "pre_fix_dfp_leak": {
+        "repo": "envoyproxy/envoy",
+        "mirror_name": "sg-evals/envoy--5160151e",
+        "commit": "5160151e14837c6f352b9d0b3a9f55119a9317e8",
+        "indexed": false,
+        "pending_creation": true,
+        "used_by": ["envoy-dfp-host-leak-fix-001"]
       }
     },
     "terraform": {
@@ -636,6 +652,14 @@
         "tag": "v1.10.0",
         "indexed": true,
         "used_by": ["terraform-arch-doc-gen-001"]
+      },
+      "pre_fix_plan_null_unknown": {
+        "repo": "hashicorp/terraform",
+        "mirror_name": "sg-evals/terraform--abd6b9ef",
+        "commit": "abd6b9ef1ba5e98ed273f59f667d3b9f2077a87b",
+        "indexed": false,
+        "pending_creation": true,
+        "used_by": ["terraform-plan-null-unknown-fix-001"]
       }
     }
   },
diff --git a/scripts/inject_sg_repo_env.py b/scripts/inject_sg_repo_env.py
@@ -86,6 +86,9 @@
     "curl-cve-triage-001": "sg-evals/curl--09e25b9d",
     "curl-security-review-001": "sg-evals/curl--09e25b9d",
     "curl-vuln-reachability-001": "sg-evals/curl--09e25b9d",
+    # --- envoy ---
+    "envoy-udp-proxy-cds-fix-001": "sg-evals/envoy--1ae957c1",
+    "envoy-dfp-host-leak-fix-001": "sg-evals/envoy--5160151e",
     # --- django ---
     "django-admins-migration-audit-001": "sg-evals/django--e295033",
     "django-audit-trail-implement-001": "sg-evals/django--674eda1c",
@@ -246,6 +249,7 @@
     "terraform-phantom-update-debug-001": "sg-evals/terraform--9658f9df",
     "terraform-plan-pipeline-qa-001": "sg-evals/terraform--24236f4f",
     "terraform-state-backend-handoff-001": "sg-evals/terraform--v1.9.0",
+    "terraform-plan-null-unknown-fix-001": "sg-evals/terraform--abd6b9ef",
     # --- test suites ---
     "test-coverage-gap-001": "sg-evals/envoy--1d0ba73a",
     "test-coverage-gap-002": "sg-evals/kafka--e678b4b",
