fix: re-run security oracle with working SG search (F1 0.0 → 0.667)

sjarmak · claude · sjarmak · commit dfe1bde72cf0 · 2026-03-02T00:50:50.000Z
User-Agent fix enables SG API calls. Agent now discovers express repo
via Sourcegraph, achieving recall=1.0 on ccx-vuln-remed-011.
Overall pilot: mean F1=0.727, kappa=0.380.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/benchmarks/ccb_mcp_security/ccx-vuln-remed-011/tests/oracle_answer_agent.json b/benchmarks/ccb_mcp_security/ccx-vuln-remed-011/tests/oracle_answer_agent.json
@@ -1,15 +1,24 @@
 {
-  "files": [],
-  "text": "No package.json files in the sg-evals/node--v22.13.0 repository declare 'cookie' as a direct runtime dependency under 'dependencies'. All 397 package.json files were searched using grep for the pattern '\"cookie\":'. The only occurrence of the word 'cookie' in any package.json is within script name strings (e.g., 'test:cookies') in deps/undici/src/package.json, which is not a dependency declaration. The result is an empty file set.",
+  "files": [
+    {
+      "repo": "sg-evals/expressjs-express",
+      "path": "package.json"
+    },
+    {
+      "repo": "sg-evals/express--4.21.1",
+      "path": "package.json"
+    }
+  ],
+  "text": "Searched across all available local and Sourcegraph-indexed repositories for package.json files declaring 'cookie' as a direct runtime dependency (under 'dependencies', not 'devDependencies'). The sg-evals/expressjs-express and sg-evals/express--4.21.1 repos both have 'cookie': '0.7.1' at line 35 of their package.json, which falls within the 'dependencies' block (starting line 29) and before the 'devDependencies' block (starting line 62). The sg-evals/node--v22.13.0 repo has no package.json files listing 'cookie' under dependencies \u2014 the only cookie mention is in the scripts section of deps/undici/src/package.json. Other repos found (vscode, cal.com) are not Node.js web stack repos relevant to this task.",
   "_metadata": {
     "generator": "context_retrieval_agent",
     "model": "claude-sonnet-4-6",
     "backend": "hybrid",
-    "input_tokens": 126299,
-    "output_tokens": 2713,
-    "tool_calls": 21,
-    "elapsed_sec": 45.8,
-    "cost_usd": 0.4196,
-    "timestamp": "2026-03-01T23:36:25.638481+00:00"
+    "input_tokens": 251178,
+    "output_tokens": 3989,
+    "tool_calls": 41,
+    "elapsed_sec": 79.8,
+    "cost_usd": 0.8134,
+    "timestamp": "2026-03-02T00:50:26.465823+00:00"
   }
 }
