fix: pin SDLC MCP mirrors + propagate SOURCEGRAPH_REPO_NAME from container

sjarmak · claude · sjarmak · commit f40c5d8f77fb · 2026-02-21T18:41:18.000Z
Created 4 new sg-benchmarks mirrors at Dockerfile-pinned versions for
5 at-risk SDLC tasks:
- curl--09e25b9d (8.4.0-DEV) for curl-cve-triage-001, curl-vuln-reachability-001
- vscode--1960 (1.96.0) for vscode-code-review-001
- envoy--v1330 (v1.33.0) for envoy-code-review-001
- kafka--0cd95bc2 (pre-fix SCRAM) for kafka-vuln-reachability-001

Added ENV SOURCEGRAPH_REPO_NAME to each task's Dockerfile.sg_only so
the V5 preamble directs the agent to the correct mirror.

Updated claude_baseline_agent.py to propagate SOURCEGRAPH_REPO_NAME
from the container env (via environment.exec) into _container_env_cache,
matching the existing pattern for LOCOBENCH_PROJECT_ID and
SWEBENCH_REPO_COMMIT. Previously only read from host os.environ.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/agents/claude_baseline_agent.py b/agents/claude_baseline_agent.py
@@ -359,15 +359,15 @@ def _get_repo_display(self) -> str:
            (checked in host env AND _container_env_cache populated by setup())
         4. Fallback: "the codebase"
         """
-        sg_repo_name = os.environ.get("SOURCEGRAPH_REPO_NAME", "")
+        cache = getattr(self, '_container_env_cache', {})
+
+        sg_repo_name = os.environ.get("SOURCEGRAPH_REPO_NAME", "") or cache.get("SOURCEGRAPH_REPO_NAME", "")
         if sg_repo_name:
             # Strip github.com/ prefix if present — templates add it back
             if sg_repo_name.startswith("github.com/"):
                 return sg_repo_name[len("github.com/"):]
             return sg_repo_name
 
-        cache = getattr(self, '_container_env_cache', {})
-
         locobench_prefix = os.environ.get("LOCOBENCH_PROJECT_ID", "") or cache.get("LOCOBENCH_PROJECT_ID", "")
         if locobench_prefix:
             return f"sg-benchmarks/locobench-{locobench_prefix}"
@@ -1037,8 +1037,8 @@ async def setup(self, environment: BaseEnvironment) -> None:
         mcp_type_setup = os.environ.get("BASELINE_MCP_TYPE", "none").lower()
         if mcp_type_setup != "none":
             self._container_env_cache = {}
-            for var_name in ("LOCOBENCH_PROJECT_ID", "SWEBENCH_REPO_COMMIT"):
-                if not os.environ.get("SOURCEGRAPH_REPO_NAME") and not os.environ.get(var_name):
+            for var_name in ("SOURCEGRAPH_REPO_NAME", "LOCOBENCH_PROJECT_ID", "SWEBENCH_REPO_COMMIT"):
+                if not os.environ.get(var_name):
                     try:
                         result = await environment.exec(f'echo ${{{var_name}:-}}')
                         # Filter out bash warning messages (e.g., "bash: cannot set terminal process group")
diff --git a/benchmarks/ccb_secure/curl-cve-triage-001/environment/Dockerfile.sg_only b/benchmarks/ccb_secure/curl-cve-triage-001/environment/Dockerfile.sg_only
@@ -4,6 +4,7 @@
 FROM debian:bookworm-slim
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPO_NAME=sg-benchmarks/curl--09e25b9d
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
diff --git a/benchmarks/ccb_secure/curl-vuln-reachability-001/environment/Dockerfile.sg_only b/benchmarks/ccb_secure/curl-vuln-reachability-001/environment/Dockerfile.sg_only
@@ -4,6 +4,7 @@
 FROM debian:bookworm-slim
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPO_NAME=sg-benchmarks/curl--09e25b9d
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
diff --git a/benchmarks/ccb_secure/kafka-vuln-reachability-001/environment/Dockerfile.sg_only b/benchmarks/ccb_secure/kafka-vuln-reachability-001/environment/Dockerfile.sg_only
@@ -4,6 +4,7 @@
 FROM eclipse-temurin:17-jdk
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPO_NAME=sg-benchmarks/kafka--0cd95bc2
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
diff --git a/benchmarks/ccb_test/envoy-code-review-001/environment/Dockerfile.sg_only b/benchmarks/ccb_test/envoy-code-review-001/environment/Dockerfile.sg_only
@@ -19,6 +19,8 @@ RUN if ! command -v node &> /dev/null; then \
     apt-get install -y --no-install-recommends nodejs; \
     fi
 
+ENV SOURCEGRAPH_REPO_NAME=sg-benchmarks/envoy--v1330
+
 # Clone envoyproxy/envoy at pinned v1.33.0 tag (sparse checkout for relevant files)
 RUN git clone --filter=blob:none --no-checkout https://github.com/envoyproxy/envoy.git /workspace && \
     cd /workspace && \
diff --git a/benchmarks/ccb_test/vscode-code-review-001/environment/Dockerfile.sg_only b/benchmarks/ccb_test/vscode-code-review-001/environment/Dockerfile.sg_only
@@ -19,6 +19,8 @@ RUN if ! command -v node &> /dev/null; then \
     apt-get install -y --no-install-recommends nodejs; \
     fi
 
+ENV SOURCEGRAPH_REPO_NAME=sg-benchmarks/vscode--1960
+
 # Clone microsoft/vscode at pinned 1.96.0 tag (sparse checkout for relevant files)
 RUN git clone --filter=blob:none --no-checkout https://github.com/microsoft/vscode.git /workspace && \
     cd /workspace && \
