feat: curate oracle definitions for all 20 new MCP-unique tasks

Phase 3 of MCP-unique expansion. For each of the 20 new tasks:
- Created oracle_answer.json with verified files, symbols, chains, and text
- Updated task_spec.json with populated oracle fields and evaluation checks
- All oracles verified via Sourcegraph MCP queries against pinned repo versions

Coverage: 5 Kafka tasks (dep-trace, vuln-remed, migration, incident, onboard),
7 Envoy tasks (TLS, v2 API, conn pool, access logging, xDS, cross-org, HTTP filter),
2 Rust tasks (type inference), 3 Kubernetes tasks (watch events, CRD client),
3 cross-repo chain tasks (domain lineage, agentic correctness).

Also fixes sg-benchmarks -> sg-evals in 4 repo set fixture files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_mcp_compliance/ccx-compliance-052/tests/oracle_answer.json

@@ -0,0 +1,45 @@
+{
+  "files": [
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/common/access_log/access_log_impl.h"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/common/access_log/access_log_impl.cc"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/file/config.cc"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/grpc/http_grpc_access_log_impl.h"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/grpc/tcp_grpc_access_log_impl.h"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/open_telemetry/access_log_impl.h"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/fluentd/fluentd_access_log_impl.h"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/stream/config.cc"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/common/access_log_base.h"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/common/file_access_log_impl.h"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/filters/cel/cel.h"},
+    {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/file/v3/file.proto"},
+    {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/grpc/v3/als.proto"},
+    {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/open_telemetry/v3/logs_service.proto"},
+    {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/fluentd/v3/fluentd.proto"},
+    {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/stream/v3/stream.proto"}
+  ],
+  "symbols": [
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/common/access_log/access_log_impl.h", "symbol": "AccessLogFactory", "kind": "class"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/common/access_log_base.h", "symbol": "ImplBase", "kind": "class"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/common/file_access_log_impl.h", "symbol": "FileAccessLog", "kind": "class"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/file/config.cc", "symbol": "FileAccessLogFactory", "kind": "class"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/grpc/http_grpc_access_log_impl.h", "symbol": "HttpGrpcAccessLog", "kind": "class"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/grpc/tcp_grpc_access_log_impl.h", "symbol": "TcpGrpcAccessLog", "kind": "class"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/open_telemetry/access_log_impl.h", "symbol": "AccessLog", "kind": "class"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/fluentd/fluentd_access_log_impl.h", "symbol": "FluentdAccessLog", "kind": "class"},
+    {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/filters/cel/cel.h", "symbol": "CELAccessLogExtensionFilter", "kind": "class"},
+    {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/file/v3/file.proto", "symbol": "FileAccessLog", "kind": "class"},
+    {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/grpc/v3/als.proto", "symbol": "HttpGrpcAccessLogConfig", "kind": "class"}
+  ],
+  "text": "Found access logging infrastructure across sg-evals/envoy--v1.31.2 and sg-evals/data-plane-api--84e84367. Core infrastructure: access_log_impl.h/cc defines filter implementations (StatusCodeFilter, DurationFilter, ResponseFlagFilter, GrpcStatusFilter, etc.) and AccessLogFactory. Extension base class ImplBase (access_log_base.h) handles filter evaluation before delegating to emitLog(). Logger implementations: (1) File (file/config.cc, FileAccessLogFactory) — supports text AND JSON (json_format, typed_json_format, log_format with json). (2) Stdout/Stderr (stream/config.cc, StdoutAccessLogFactory/StderrAccessLogFactory) — supports JSON via SubstitutionFormatString log_format. (3) HTTP gRPC (grpc/http_grpc_access_log_impl.h, HttpGrpcAccessLog) — sends protobuf HTTPAccessLogEntry over ALS stream, not text/JSON. (4) TCP gRPC (grpc/tcp_grpc_access_log_impl.h, TcpGrpcAccessLog) — sends TCPAccessLogEntry, not text/JSON. (5) OpenTelemetry (open_telemetry/access_log_impl.h) — structured via OTel AnyValue/KeyValueList protos, not JSON. (6) Fluentd (fluentd/fluentd_access_log_impl.h, FluentdAccessLog) — supports JSON (record field is google.protobuf.Struct, converted to msgpack). (7) CEL filter (filters/cel/cel.h, CELAccessLogExtensionFilter) — access log filter, not a sink. Proto definitions in data-plane-api: file.proto (FileAccessLog), als.proto (HttpGrpcAccessLogConfig, TcpGrpcAccessLogConfig), logs_service.proto (OpenTelemetryAccessLogConfig), fluentd.proto (FluentdAccessLogConfig), stream.proto (StdoutAccessLog, StderrAccessLog).",
+  "_metadata": {
+    "oracle_type": "file_set_match",
+    "discovery_method": "sourcegraph_keyword_search",
+    "queries": [
+      "repo:^github.com/sg-evals/envoy--v1.31.2$ file:source/extensions/access_loggers/ AccessLog",
+      "repo:^github.com/sg-evals/envoy--v1.31.2$ file:source/common/access_log/ AccessLog",
+      "repo:^github.com/sg-evals/data-plane-api--84e84367$ file:envoy/extensions/access_loggers/"
+    ],
+    "verified_at": "2026-02-23",
+    "pinned_version": "v1.31.2 (envoy), 84e84367 (data-plane-api)"
+  }
+}

benchmarks/ccb_mcp_compliance/ccx-compliance-052/tests/task_spec.json

@@ -13,23 +13,62 @@
   "artifacts": {
     "repo_set_id": "envoy-service-mesh",
     "oracle": {
-      "required_files": [],
-      "required_symbols": [],
+      "required_files": [
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/common/access_log/access_log_impl.h"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/common/access_log/access_log_impl.cc"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/file/config.cc"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/grpc/http_grpc_access_log_impl.h"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/grpc/tcp_grpc_access_log_impl.h"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/open_telemetry/access_log_impl.h"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/fluentd/fluentd_access_log_impl.h"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/stream/config.cc"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/common/access_log_base.h"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/common/file_access_log_impl.h"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/filters/cel/cel.h"},
+        {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/file/v3/file.proto"},
+        {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/grpc/v3/als.proto"},
+        {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/open_telemetry/v3/logs_service.proto"},
+        {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/fluentd/v3/fluentd.proto"},
+        {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/stream/v3/stream.proto"}
+      ],
+      "required_symbols": [
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/common/access_log/access_log_impl.h", "symbol": "AccessLogFactory", "kind": "class"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/common/access_log_base.h", "symbol": "ImplBase", "kind": "class"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/common/file_access_log_impl.h", "symbol": "FileAccessLog", "kind": "class"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/file/config.cc", "symbol": "FileAccessLogFactory", "kind": "class"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/grpc/http_grpc_access_log_impl.h", "symbol": "HttpGrpcAccessLog", "kind": "class"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/grpc/tcp_grpc_access_log_impl.h", "symbol": "TcpGrpcAccessLog", "kind": "class"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/open_telemetry/access_log_impl.h", "symbol": "AccessLog", "kind": "class"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/fluentd/fluentd_access_log_impl.h", "symbol": "FluentdAccessLog", "kind": "class"},
+        {"repo": "sg-evals/envoy--v1.31.2", "path": "source/extensions/access_loggers/filters/cel/cel.h", "symbol": "CELAccessLogExtensionFilter", "kind": "class"},
+        {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/file/v3/file.proto", "symbol": "FileAccessLog", "kind": "class"},
+        {"repo": "sg-evals/data-plane-api--84e84367", "path": "envoy/extensions/access_loggers/grpc/v3/als.proto", "symbol": "HttpGrpcAccessLogConfig", "kind": "class"}
+      ],
       "required_references": [],
       "dependency_chains": []
     }
   },
   "evaluation": {
     "modes": ["deterministic"],
     "checks": [
-  {
-    "type": "file_set_match",
-    "params": {
-      "search_pattern": "",
-      "file_filter": ""
-    }
-  }
-],
+      {
+        "type": "file_set_match",
+        "params": {
+          "search_pattern": "AccessLog",
+          "file_filter": "access_loggers/"
+        }
+      },
+      {
+        "type": "symbol_resolution",
+        "params": {}
+      },
+      {
+        "type": "keyword_presence",
+        "params": {
+          "required_keywords": ["FileAccessLog", "HttpGrpcAccessLog", "TcpGrpcAccessLog", "FluentdAccessLog", "OpenTelemetry", "json_format", "CELAccessLogExtensionFilter"]
+        }
+      }
+    ],
     "eval_script": "/tests/eval.sh",
     "pass_exit_code": 0
   },

benchmarks/ccb_mcp_compliance/ccx-compliance-053/tests/oracle_answer.json

@@ -0,0 +1,32 @@
+{
+  "files": [
+    {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizer.java"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "clients/src/main/java/org/apache/kafka/server/authorizer/Action.java"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "clients/src/main/java/org/apache/kafka/server/authorizer/Authorizer.java"}
+  ],
+  "symbols": [
+    {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "symbol": "StandardAuthorizerData"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "symbol": "logAuditMessage"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "symbol": "buildAuditMessage"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "symbol": "auditLog"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizer.java", "symbol": "StandardAuthorizer"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "clients/src/main/java/org/apache/kafka/server/authorizer/Action.java", "symbol": "logIfAllowed"},
+    {"repo": "sg-evals/kafka--0753c489", "path": "clients/src/main/java/org/apache/kafka/server/authorizer/Action.java", "symbol": "logIfDenied"}
+  ],
+  "text": "Kafka's ACL-based authorization audit logging is concentrated in the StandardAuthorizer subsystem within the metadata module. The architecture has four key files:\n\n1. **StandardAuthorizerData** (metadata/src/main/java/.../StandardAuthorizerData.java): The primary audit log producer. Contains a dedicated `auditLog` Logger field initialized via `auditLogger()` which returns `LoggerFactory.getLogger(\"kafka.authorizer.logger\")`. The `authorize()` method calls `logAuditMessage()` after every authorization decision. `logAuditMessage()` switches on ALLOWED/DENIED: for ALLOWED, it logs at debug level (if `logIfAllowed` is set) or trace level; for DENIED, it logs at info level (if `logIfDenied` is set) or trace level. The `buildAuditMessage()` method constructs the audit string: \"Principal = {principal} is Allowed/Denied operation = {op} from host = {host} on resource = {resource} for request = {apiKey} with resourceRefCount = {count} based on rule {rule}\".\n\n2. **StandardAuthorizer** (metadata/src/main/java/.../StandardAuthorizer.java): The built-in Authorizer implementation that stores ACLs in the metadata log. Its `authorize()` method delegates to `StandardAuthorizerData.authorize()` which triggers the audit logging, and also records authorization metrics via an inner `AuthorizerMetrics` class tracking allowed/denied rates.\n\n3. **Action** (clients/src/main/java/.../Action.java): Defines the `logIfAllowed` and `logIfDenied` boolean fields that control whether a given authorization action should be included in audit logs. These flags distinguish between actual access grants/denials and metadata-only operations (e.g., describing authorized operations).\n\n4. **Authorizer** (clients/src/main/java/.../Authorizer.java): The pluggable authorizer interface. Its Javadoc notes that custom implementations should override `authorizeByResourceType()` to integrate with audit logging (the default implementation cannot).",
+  "_metadata": {
+    "oracle_type": "file_set_match",
+    "discovery_method": "sourcegraph_keyword_search",
+    "queries": [
+      "repo:^github.com/sg-evals/kafka--0753c489$ audit file:.*.java$",
+      "repo:^github.com/sg-evals/kafka--0753c489$ AuditLog",
+      "repo:^github.com/sg-evals/kafka--0753c489$ authorization log file:.*.java$",
+      "repo:^github.com/sg-evals/kafka--0753c489$ file:authorizer log",
+      "repo:^github.com/sg-evals/kafka--0753c489$ \"kafka.authorizer.logger\"",
+      "repo:^github.com/sg-evals/kafka--0753c489$ \"logAudit\" OR \"auditLog\" file:.*.java$"
+    ],
+    "verified_at": "2026-02-23",
+    "pinned_version": "0753c489"
+  }
+}

benchmarks/ccb_mcp_compliance/ccx-compliance-053/tests/task_spec.json

@@ -13,23 +13,50 @@
   "artifacts": {
     "repo_set_id": "apache-kafka-ecosystem",
     "oracle": {
-      "required_files": [],
-      "required_symbols": [],
+      "required_files": [
+        {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizer.java"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "clients/src/main/java/org/apache/kafka/server/authorizer/Action.java"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "clients/src/main/java/org/apache/kafka/server/authorizer/Authorizer.java"}
+      ],
+      "required_symbols": [
+        {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "symbol": "StandardAuthorizerData"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "symbol": "logAuditMessage"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "symbol": "buildAuditMessage"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "symbol": "auditLog"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizer.java", "symbol": "StandardAuthorizer"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "clients/src/main/java/org/apache/kafka/server/authorizer/Action.java", "symbol": "logIfAllowed"},
+        {"repo": "sg-evals/kafka--0753c489", "path": "clients/src/main/java/org/apache/kafka/server/authorizer/Action.java", "symbol": "logIfDenied"}
+      ],
       "required_references": [],
       "dependency_chains": []
     }
   },
   "evaluation": {
     "modes": ["deterministic"],
     "checks": [
-  {
-    "type": "file_set_match",
-    "params": {
-      "search_pattern": "",
-      "file_filter": ""
-    }
-  }
-],
+      {
+        "type": "file_set_match",
+        "params": {}
+      },
+      {
+        "type": "symbol_resolution",
+        "params": {}
+      },
+      {
+        "type": "keyword_presence",
+        "params": {
+          "required_keywords": ["StandardAuthorizerData", "logAuditMessage", "auditLog", "kafka.authorizer.logger", "logIfAllowed", "logIfDenied"]
+        }
+      },
+      {
+        "type": "provenance",
+        "params": {
+          "must_cite_repos": ["sg-evals/kafka--0753c489"],
+          "must_cite_paths": ["metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java", "clients/src/main/java/org/apache/kafka/server/authorizer/Action.java"]
+        }
+      }
+    ],
     "eval_script": "/tests/eval.sh",
     "pass_exit_code": 0
   },