feat: eliminate clone+backup+truncate from sg_only Dockerfiles (v2 clone-at-verify)

Replace the /repo_full/ backup pattern with clone-at-verify: build-requiring
Dockerfile.sg_only files now embed a JSON clone manifest instead of cloning,
backing up to /repo_full/, and truncating. The verifier wrapper reads the
manifest and clones mirrors with --depth 1 at verification time.

Key changes:
- scripts/sgonly_verifier_wrapper.sh: clone from manifest, legacy /repo_full/ fallback
- scripts/generate_sgonly_dockerfiles.py: CCB_REPO_BASE_MAP, extract_clone_layout(),
  generate_build_requiring() v2 with SWE-bench/code-review/multi-repo variants
- 190 Dockerfile.sg_only regenerated (128 build-requiring, 62 write-only)
- 128 verifier wrappers updated with v2 clone-at-verify logic

This eliminates ~100MB-2GB /repo_full/ backup per image and ~60% build time.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_build/bustub-hyperloglog-impl-001/environment/Dockerfile.sg_only

@@ -1,29 +1,29 @@
 # bustub-hyperloglog-impl-001 — sg_only_env variant
-# Source files truncated so agent must use Sourcegraph MCP for code access.
-# Verifier wrapper restores full repo before running tests.
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
 
-# TAC Task Wrapper: sde-implement-hyperloglog
-FROM ghcr.io/theagentcompany/sde-implement-hyperloglog-image:1.0.0
+FROM ubuntu:22.04
 
 ENV SOURCEGRAPH_REPO_NAME=sg-benchmarks/bustub--d5f79431
 
-# Create logs directory for Harbor compatibility
-RUN mkdir -p /logs /workspace
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    python3 \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
 
-# Set working directory
 WORKDIR /workspace
 
-# Environment variables
-ENV TAC_SERVER_HOSTNAME=localhost
-ENV DECRYPTION_KEY="theagentcompany is all you need"
+# Empty git repo so agent can commit work
+RUN git init && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent"
+
+RUN mkdir -p /logs/agent /logs/verifier
 
+# Mark sg_only mode so verifiers can skip local-path checks
+RUN touch /tmp/.sg_only_mode
 
-# --- sg_only_env: back up full repo, then truncate source ---
-RUN cp -a /workspace /repo_full
-RUN find /workspace -type f \( -name "*.py" -o -name "*.pyx" -o -name "*.pyi" -o -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" -o -name "*.mjs" -o -name "*.cjs" -o -name "*.mts" -o -name "*.cts" -o -name "*.go" -o -name "*.java" -o -name "*.kt" -o -name "*.scala" -o -name "*.groovy" -o -name "*.clj" -o -name "*.c" -o -name "*.cc" -o -name "*.cpp" -o -name "*.cxx" -o -name "*.h" -o -name "*.hh" -o -name "*.hpp" -o -name "*.hxx" -o -name "*.rs" -o -name "*.rb" -o -name "*.cs" -o -name "*.fs" -o -name "*.swift" -o -name "*.m" -o -name "*.mm" -o -name "*.vue" -o -name "*.svelte" -o -name "*.sh" -o -name "*.bash" -o -name "*.zsh" -o -name "*.lua" -o -name "*.proto" -o -name "*.thrift" -o -name "*.avsc" -o -name "*.fbs" -o -name "*.yaml" -o -name "*.yml" -o -name "*.toml" -o -name "*.json" -o -name "*.xml" -o -name "*.ini" -o -name "*.cfg" -o -name "*.md" -o -name "*.rst" -o -name "*.txt" -o -name "*.adoc" -o -name "*.cmake" -o -name "*.bzl" -o -name "*.bazel" -o -name "*.sql" -o -name "*.erl" -o -name "*.ex" -o -name "*.exs" -o -name "*.php" -o -name "*.pl" -o -name "*.pm" -o -name "*.r" -o -name "*.R" \) ! -path "*/.git/*" ! -path "*/node_modules/*" ! -path "*/__pycache__/*" ! -path "*/vendor/*" -exec truncate -s 0 {} \;
-# Recommit truncated state so git history cannot recover full files.
-# Without this, `git show HEAD:<file>` or `git checkout HEAD -- <file>`
-# would bypass truncation by reading from the pre-truncation commit.
-RUN cd /workspace && git config user.email "agent@example.com" && git config user.name "Agent" && git add -A && git commit -m "sg_only truncation" --allow-empty --quiet
-RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
-CMD ["bash"]
+ENTRYPOINT []

benchmarks/ccb_build/camel-fix-protocol-feat-001/environment/Dockerfile.sg_only

@@ -1,22 +1,42 @@
-# camel-fix-protocol-feat-001 — sg_only_env variant
-# Source files truncated so agent must use Sourcegraph MCP for code access.
-# Verifier wrapper restores full repo before running tests.
+# camel-fix-protocol-feat-001 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror at verification time via clone manifest.
 
-FROM ccb-repo-camel-1006f047
+FROM eclipse-temurin:17-jdk
 
 ENV SOURCEGRAPH_REPO_NAME=sg-benchmarks/camel--1006f047
 
-# --- sg_only_env: back up full repo, then truncate source ---
-RUN cp -a /workspace /repo_full
-RUN find /workspace -type f \( \
-    -name "*.java" -o -name "*.xml" -o -name "*.yaml" -o -name "*.yml" \
-    -o -name "*.json" -o -name "*.properties" -o -name "*.sh" -o -name "*.md" \
-    -o -name "*.txt" -o -name "*.toml" -o -name "*.gradle" -o -name "*.kt" \
-    -o -name "*.scala" -o -name "*.groovy" -o -name "*.py" \
-    \) ! -path "*/.git/*" -exec truncate -s 0 {} \;
-# Recommit truncated state so git history cannot recover full files.
-RUN cd /workspace && git add -A && git commit -m "sg_only truncation" --allow-empty --quiet
-RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    curl \
+    python3 \
+    python3-pip \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /workspace
+
+# Empty git repo so agent can commit work
+RUN git init && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent"
+
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{
+  "workdir": "/workspace",
+  "repos": [
+    {
+      "mirror": "sg-benchmarks/camel--1006f047",
+      "target_dir": "."
+    }
+  ]
+}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
+RUN touch /tmp/.sg_only_mode
+
 ENTRYPOINT []

benchmarks/ccb_build/camel-fix-protocol-feat-001/tests/sgonly_verifier_wrapper.sh

@@ -1,21 +1,28 @@
 #!/bin/bash
-# SG-only verifier wrapper: restore truncated source files from backup
+# SG-only verifier wrapper: restore full repo + overlay agent changes
 #
 # Source this at the TOP of test.sh for build-requiring tasks that use
-# sg_only_env mode. It detects /tmp/.sg_only_mode and restores truncated
-# (0-byte) source files from /repo_full/ while preserving agent changes.
+# sg_only_env mode. It detects /tmp/.sg_only_mode and:
 #
-# Key insight: the sg_only Dockerfile truncates source files to 0 bytes.
-# Agent-written files are non-zero. So restoring only 0-byte files from
-# /repo_full/ recovers the full codebase without touching agent work.
-# This avoids the expensive delete+copy cycle on large repos (e.g. 9GB
-# ProtonMail monorepo with 135K node_modules entries).
+# PRIMARY PATH (clone manifest):
+#   1. Reads clone manifest from /tmp/.sg_only_clone_manifest.json
+#   2. Backs up agent-written files (non-empty, non-git, non-test)
+#   3. Clones each mirror repo with --depth 1
+#   4. Re-runs inject_defects.sh if specified in manifest
+#   5. Overlays agent changes on top
+#
+# LEGACY FALLBACK (pre-v2 images):
+#   If manifest is missing but /repo_full/ exists, restores from /repo_full/
+#   as before. This ensures unregenerated images still work during rollout.
 #
 # For non-sg_only runs, this script is a no-op.
 #
 # Usage in test.sh:
 #   #!/bin/bash
-#   [ -f /tmp/.sg_only_mode ] && [ -f /tests/sgonly_verifier_wrapper.sh ] && source /tests/sgonly_verifier_wrapper.sh
+#   # Source the sg_only wrapper (no-op if not in sg_only mode)
+#   if [ -f /tests/sgonly_verifier_wrapper.sh ]; then
+#       source /tests/sgonly_verifier_wrapper.sh
+#   fi
 #   # ... rest of test.sh as normal ...
 
 if [ ! -f /tmp/.sg_only_mode ]; then
@@ -25,6 +32,130 @@ fi
 
 echo "[sg_only_verifier] Detected sg_only mode, restoring full repo..."
 
+# ---------------------------------------------------------------------------
+# Helper: back up agent-written files from a directory
+# ---------------------------------------------------------------------------
+backup_agent_files() {
+    local srcdir="$1"
+    if [ ! -d "$srcdir" ]; then
+        return
+    fi
+    cd "$srcdir"
+    mkdir -p /tmp/agent_work
+    find . -type f -size +0 \
+        ! -path './.git/*' \
+        ! -path './tests/*' \
+        ! -path './.claude/*' \
+        -print0 | while IFS= read -r -d '' f; do
+        mkdir -p "/tmp/agent_work/$(dirname "$f")"
+        cp "$f" "/tmp/agent_work/$f"
+    done
+    echo "[sg_only_verifier] Backed up agent-written files from $srcdir"
+}
+
+# ---------------------------------------------------------------------------
+# Helper: overlay agent-written files back onto a directory
+# ---------------------------------------------------------------------------
+overlay_agent_files() {
+    local targetdir="$1"
+    if [ ! -d /tmp/agent_work ]; then
+        return
+    fi
+    cd /tmp/agent_work
+    find . -type f -print0 | while IFS= read -r -d '' f; do
+        local target="${targetdir}/${f#./}"
+        mkdir -p "$(dirname "$target")"
+        cp "$f" "$target"
+    done
+    echo "[sg_only_verifier] Overlaid agent changes onto $targetdir"
+}
+
+# ---------------------------------------------------------------------------
+# PRIMARY PATH: clone manifest
+# ---------------------------------------------------------------------------
+MANIFEST="/tmp/.sg_only_clone_manifest.json"
+
+if [ -f "$MANIFEST" ]; then
+    echo "[sg_only_verifier] Found clone manifest, using clone-at-verify strategy"
+
+    # Parse manifest with python3 (always available in our images)
+    WORKDIR=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(m.get('workdir', '/workspace'))")
+    echo "[sg_only_verifier] Working directory: $WORKDIR"
+
+    # 1. Back up agent-written files
+    backup_agent_files "$WORKDIR"
+
+    # 2. Clone each mirror repo
+    REPO_COUNT=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(len(m.get('repos', [])))")
+    for i in $(seq 0 $((REPO_COUNT - 1))); do
+        MIRROR=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(m['repos'][$i]['mirror'])")
+        TARGET_DIR=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(m['repos'][$i].get('target_dir', '.'))")
+        CLONE_URL="https://github.com/${MIRROR}.git"
+
+        if [ "$TARGET_DIR" = "." ]; then
+            CLONE_TARGET="$WORKDIR"
+        else
+            CLONE_TARGET="${WORKDIR}/${TARGET_DIR}"
+        fi
+
+        echo "[sg_only_verifier] Cloning $MIRROR -> $CLONE_TARGET"
+
+        # Remove existing directory contents (truncated files) but preserve .git
+        # for target_dir="." we need to be careful with the working directory
+        if [ "$TARGET_DIR" = "." ]; then
+            # For root workspace: remove everything except .git, then clone into temp and move
+            TMPCLONE=$(mktemp -d)
+            if git clone --depth 1 "$CLONE_URL" "$TMPCLONE" 2>/dev/null; then
+                # Remove old files (except .git and tests)
+                find "$CLONE_TARGET" -mindepth 1 -maxdepth 1 \
+                    ! -name '.git' ! -name 'tests' ! -name '.claude' \
+                    -exec rm -rf {} + 2>/dev/null || true
+                # Copy cloned files (except .git)
+                cd "$TMPCLONE"
+                find . -mindepth 1 -maxdepth 1 ! -name '.git' -exec cp -a {} "$CLONE_TARGET/" \;
+                cd /
+                rm -rf "$TMPCLONE"
+                echo "[sg_only_verifier] Restored $MIRROR to $CLONE_TARGET"
+            else
+                echo "[sg_only_verifier] WARNING: Failed to clone $CLONE_URL"
+                rm -rf "$TMPCLONE"
+            fi
+        else
+            # For subdirectory: remove and re-clone
+            rm -rf "$CLONE_TARGET"
+            if git clone --depth 1 "$CLONE_URL" "$CLONE_TARGET" 2>/dev/null; then
+                echo "[sg_only_verifier] Restored $MIRROR to $CLONE_TARGET"
+            else
+                echo "[sg_only_verifier] WARNING: Failed to clone $CLONE_URL"
+            fi
+        fi
+    done
+
+    # 3. Re-run inject_defects if specified
+    INJECT_SCRIPT=$(python3 -c "import json; m=json.load(open('$MANIFEST')); print(m.get('inject_defects', ''))")
+    if [ -n "$INJECT_SCRIPT" ] && [ -f "$INJECT_SCRIPT" ]; then
+        echo "[sg_only_verifier] Running defect injection: $INJECT_SCRIPT"
+        cd "$WORKDIR"
+        chmod +x "$INJECT_SCRIPT"
+        bash "$INJECT_SCRIPT"
+        echo "[sg_only_verifier] Defect injection complete"
+    fi
+
+    # 4. Overlay agent changes
+    overlay_agent_files "$WORKDIR"
+
+    # Return to working directory
+    cd "$WORKDIR"
+    echo "[sg_only_verifier] Clone-at-verify restore complete, proceeding with tests"
+
+    return 0 2>/dev/null || exit 0
+fi
+
+# ---------------------------------------------------------------------------
+# LEGACY FALLBACK: /repo_full/ restore (for pre-v2 images)
+# ---------------------------------------------------------------------------
+echo "[sg_only_verifier] No clone manifest found, trying legacy /repo_full/ restore..."
+
 # Read the working directory
 WORKDIR="$(cat /tmp/.sg_only_workdir 2>/dev/null || echo '/app')"
 echo "[sg_only_verifier] Working directory: $WORKDIR"
@@ -34,18 +165,16 @@ if [ ! -d /repo_full ]; then
     return 0 2>/dev/null || exit 0
 fi
 
-# Restore truncated files: find 0-byte files and bulk-copy originals from
-# backup using tar pipe (orders of magnitude faster than individual cp on
-# repos with 100K+ truncated files like ProtonMail's node_modules).
-# Agent-written files are non-zero and will not be touched.
-cd "$WORKDIR"
-find . -type f -size 0 \
-    ! -path './.git/*' ! -path './tests/*' ! -path './.claude/*' \
-    ! -path './node_modules/*' ! -path './__pycache__/*' ! -path './vendor/*' \
-    -print0 | (cd /repo_full && tar --null -T - -cf - 2>/dev/null) \
-    | tar xf - -C "$WORKDIR/" 2>/dev/null
-echo "[sg_only_verifier] Restored truncated files from /repo_full/"
+# 1. Find files the agent wrote (non-empty, non-git, non-test files)
+backup_agent_files "$WORKDIR"
+
+# 2. Restore full repo from backup
+rsync -a --delete /repo_full/ "$WORKDIR/"
+echo "[sg_only_verifier] Restored full repo from /repo_full/"
+
+# 3. Overlay agent's changes
+overlay_agent_files "$WORKDIR"
 
 # Return to working directory
 cd "$WORKDIR"
-echo "[sg_only_verifier] Restore complete, proceeding with tests"
+echo "[sg_only_verifier] Legacy restore complete, proceeding with tests"

benchmarks/ccb_build/cgen-deps-install-001/environment/Dockerfile.sg_only

@@ -1,32 +1,41 @@
-# cgen-deps-install-001 — sg_only_env variant
-# Source files truncated so agent must use Sourcegraph MCP for code access.
-# Verifier wrapper restores full repo before running tests.
+# cgen-deps-install-001 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
 
 FROM ubuntu:22.04
 
 ENV SOURCEGRAPH_REPO_NAME=sg-benchmarks/cgen--dibench
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update -qq && apt-get install -y -qq --no-install-recommends \
-    python3 python3-pip git curl ca-certificates \
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    python3 \
+    curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Python already installed above
-# Copy repo
-COPY repo /app/repo
-
 WORKDIR /app/repo
 
-# --- sg_only_env: back up full repo, then truncate source ---
-RUN cp -a /app/repo /repo_full
-RUN find /app/repo -type f \( -name "*.py" -o -name "*.pyx" -o -name "*.pyi" -o -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" -o -name "*.mjs" -o -name "*.cjs" -o -name "*.mts" -o -name "*.cts" -o -name "*.go" -o -name "*.java" -o -name "*.kt" -o -name "*.scala" -o -name "*.groovy" -o -name "*.clj" -o -name "*.c" -o -name "*.cc" -o -name "*.cpp" -o -name "*.cxx" -o -name "*.h" -o -name "*.hh" -o -name "*.hpp" -o -name "*.hxx" -o -name "*.rs" -o -name "*.rb" -o -name "*.cs" -o -name "*.fs" -o -name "*.swift" -o -name "*.m" -o -name "*.mm" -o -name "*.vue" -o -name "*.svelte" -o -name "*.sh" -o -name "*.bash" -o -name "*.zsh" -o -name "*.lua" -o -name "*.proto" -o -name "*.thrift" -o -name "*.avsc" -o -name "*.fbs" -o -name "*.yaml" -o -name "*.yml" -o -name "*.toml" -o -name "*.json" -o -name "*.xml" -o -name "*.ini" -o -name "*.cfg" -o -name "*.md" -o -name "*.rst" -o -name "*.txt" -o -name "*.adoc" -o -name "*.cmake" -o -name "*.bzl" -o -name "*.bazel" -o -name "*.sql" -o -name "*.erl" -o -name "*.ex" -o -name "*.exs" -o -name "*.php" -o -name "*.pl" -o -name "*.pm" -o -name "*.r" -o -name "*.R" \) ! -path "*/.git/*" ! -path "*/node_modules/*" ! -path "*/__pycache__/*" ! -path "*/vendor/*" -exec truncate -s 0 {} \;
-# Recommit truncated state so git history cannot recover full files.
-# Without this, `git show HEAD:<file>` or `git checkout HEAD -- <file>`
-# would bypass truncation by reading from the pre-truncation commit.
-RUN cd /app/repo && git config user.email "agent@example.com" && git config user.name "Agent" && git add -A && git commit -m "sg_only truncation" --allow-empty --quiet
-RUN touch /tmp/.sg_only_mode && echo '/app/repo' > /tmp/.sg_only_workdir
-
-WORKDIR /app/repo
+# Empty git repo so agent can commit work
+RUN git init && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent"
+
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{
+  "workdir": "/app/repo",
+  "repos": [
+    {
+      "mirror": "sg-benchmarks/cgen--dibench",
+      "target_dir": "."
+    }
+  ]
+}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
+RUN touch /tmp/.sg_only_mode
 
 ENTRYPOINT []