feat: add Dockerfile.artifact_only for all 12 MCP-unique tasks

sjarmak · claude · sjarmak · commit a31d90cd0653 · 2026-02-21T01:43:41.000Z
All ccb_mcp_* tasks are write-only (verifier scores answer.json via
oracle_checks.py). Each Dockerfile.artifact_only clones the same repos
as the original Dockerfile and adds the /tmp/.artifact_only_mode
sentinel. No /repo_full backup needed since verification has no
source-code dependency.

Covers 6 suites: crossorg (2), crossrepo_tracing (3), incident (1),
onboarding (3), platform (1), security (2).

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/benchmarks/ccb_mcp_crossorg/ccx-crossorg-061/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_crossorg/ccx-crossorg-061/environment/Dockerfile.artifact_only
@@ -0,0 +1,39 @@
+# ccx-crossorg-061 — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    golang-go \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch v1.32.0 https://github.com/kubernetes/kubernetes /workspace/kubernetes
+RUN git clone --depth 1 --branch v11.4.0 https://github.com/grafana/grafana /workspace/grafana
+RUN git clone --depth 1 --branch v3.5.17 https://github.com/etcd-io/etcd /workspace/etcd
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_crossorg/ccx-crossorg-066/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_crossorg/ccx-crossorg-066/environment/Dockerfile.artifact_only
@@ -0,0 +1,39 @@
+# ccx-crossorg-066 — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    golang-go \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch v1.32.0 https://github.com/kubernetes/kubernetes /workspace/kubernetes
+RUN git clone --depth 1 --branch v11.4.0 https://github.com/grafana/grafana /workspace/grafana
+RUN git clone --depth 1 --branch v3.5.17 https://github.com/etcd-io/etcd /workspace/etcd
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_crossrepo_tracing/ccx-config-trace-010/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_crossrepo_tracing/ccx-config-trace-010/environment/Dockerfile.artifact_only
@@ -0,0 +1,39 @@
+# ccx-config-trace-010 — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    golang-go \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch v1.32.0 https://github.com/kubernetes/kubernetes /workspace/kubernetes
+RUN git clone https://github.com/kubernetes/client-go /workspace/client-go --no-checkout && \
+    cd /workspace/client-go && git fetch --depth 1 origin 8020fc4fcf89965904a5f43689f169d6e01d1e80 && git checkout FETCH_HEAD
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_crossrepo_tracing/ccx-dep-trace-001/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_crossrepo_tracing/ccx-dep-trace-001/environment/Dockerfile.artifact_only
@@ -0,0 +1,39 @@
+# ccx-dep-trace-001 — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    golang-go \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch v1.32.0 https://github.com/kubernetes/kubernetes /workspace/kubernetes
+RUN git clone https://github.com/kubernetes/client-go /workspace/client-go --no-checkout && \
+    cd /workspace/client-go && git fetch --depth 1 origin 8020fc4fcf89965904a5f43689f169d6e01d1e80 && git checkout FETCH_HEAD
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_crossrepo_tracing/ccx-dep-trace-004/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_crossrepo_tracing/ccx-dep-trace-004/environment/Dockerfile.artifact_only
@@ -0,0 +1,39 @@
+# ccx-dep-trace-004 — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    golang-go \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch v11.4.0 https://github.com/grafana/grafana /workspace/grafana
+RUN git clone https://github.com/grafana/loki /workspace/loki --no-checkout && \
+    cd /workspace/loki && git fetch --depth 1 origin a3af38d4da899032d3ee46a30932d072d37e1b9c && git checkout FETCH_HEAD
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_incident/ccx-incident-031/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_incident/ccx-incident-031/environment/Dockerfile.artifact_only
@@ -0,0 +1,37 @@
+# ccx-incident-031 — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch v1.32.0 https://github.com/kubernetes/kubernetes /workspace/kubernetes
+RUN git clone --depth 1 --branch v3.5.17 https://github.com/etcd-io/etcd /workspace/etcd
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_onboarding/ccx-explore-042-ds/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_onboarding/ccx-explore-042-ds/environment/Dockerfile.artifact_only
@@ -0,0 +1,40 @@
+# ccx-explore-042-ds — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch 1.6.1 https://github.com/scikit-learn/scikit-learn /workspace/scikit-learn
+RUN git clone --depth 1 --branch v2.2.2 https://github.com/numpy/numpy /workspace/numpy
+RUN git clone --depth 1 --branch v2.2.3 https://github.com/pandas-dev/pandas /workspace/pandas
+RUN git clone --depth 1 --branch v1.15.1 https://github.com/scipy/scipy /workspace/scipy
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_onboarding/ccx-onboard-041/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_onboarding/ccx-onboard-041/environment/Dockerfile.artifact_only
@@ -0,0 +1,38 @@
+# ccx-onboard-041 — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch 1.6.1 https://github.com/scikit-learn/scikit-learn /workspace/scikit-learn
+RUN git clone --depth 1 --branch v2.2.3 https://github.com/pandas-dev/pandas /workspace/pandas
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_onboarding/ccx-onboard-050-ds/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_onboarding/ccx-onboard-050-ds/environment/Dockerfile.artifact_only
@@ -0,0 +1,40 @@
+# ccx-onboard-050-ds — artifact_only variant
+# Repos cloned for baseline agent to read locally.
+# MCP agent deletes source files at runtime via agent startup script.
+# Verifier (oracle_checks.py) scores answer.json only — no repo restore needed.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    golang-go \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch v1.32.0 https://github.com/kubernetes/kubernetes /workspace/kubernetes
+RUN git clone --depth 1 --branch v3.5.17 https://github.com/etcd-io/etcd /workspace/etcd
+RUN git clone https://github.com/kubernetes/client-go /workspace/client-go --no-checkout && \
+    cd /workspace/client-go && git fetch --depth 1 origin 8020fc4fcf89965904a5f43689f169d6e01d1e80 && git checkout FETCH_HEAD
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# --- artifact_only mode ---
+# Sentinel flag for artifact-based verification.
+# Source stays readable for baseline agent; MCP agent deletes at runtime.
+RUN touch /tmp/.artifact_only_mode
+
+ENTRYPOINT []
diff --git a/benchmarks/ccb_mcp_platform/ccx-explore-091-ds/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_platform/ccx-explore-091-ds/environment/Dockerfile.artifact_only
diff --git a/benchmarks/ccb_mcp_security/ccx-vuln-remed-011/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_security/ccx-vuln-remed-011/environment/Dockerfile.artifact_only
diff --git a/benchmarks/ccb_mcp_security/ccx-vuln-remed-014/environment/Dockerfile.artifact_only b/benchmarks/ccb_mcp_security/ccx-vuln-remed-014/environment/Dockerfile.artifact_only
