fix: curl-security-review-001 MCP verifier — wrong mirror URL in clone manifest

The Dockerfile.sg_only clone manifest had "sg-evals/curl/curl" (invalid 3-segment
GitHub path) instead of "sg-evals/curl--09e25b9d" (the actual mirror). This caused
the clone-at-verify step to fail, inject_defects.sh to crash on the empty workspace,
and set -e to propagate the failure — killing test.sh before writing reward.txt.

Every MCP run hit RewardFileNotFoundError. Validated fix: MCP rerun scores 0.51.

Also added defensive error handling around inject_defects.sh in the verifier wrapper
so future clone failures degrade gracefully instead of crashing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_test/curl-security-review-001/environment/Dockerfile.sg_only

@@ -36,7 +36,7 @@ RUN chmod +x /tmp/inject_defects.sh
 RUN mkdir -p /workspace/tests /logs/verifier /logs/agent
 
 # Clone manifest for verifier (clone-at-verify strategy)
-RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/curl/curl","target_dir":"."}],"inject_defects":"/tmp/inject_defects.sh"}' > /tmp/.sg_only_clone_manifest.json
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/curl--09e25b9d","target_dir":"."}],"inject_defects":"/tmp/inject_defects.sh"}' > /tmp/.sg_only_clone_manifest.json
 
 # Mark sg_only mode
 RUN touch /tmp/.sg_only_mode

benchmarks/ccb_test/curl-security-review-001/tests/sgonly_verifier_wrapper.sh

@@ -151,8 +151,11 @@ if [ -f "$MANIFEST" ]; then
         echo "[sg_only_verifier] Running defect injection: $INJECT_SCRIPT"
         cd "$WORKDIR"
         chmod +x "$INJECT_SCRIPT"
-        bash "$INJECT_SCRIPT"
-        echo "[sg_only_verifier] Defect injection complete"
+        if bash "$INJECT_SCRIPT"; then
+            echo "[sg_only_verifier] Defect injection complete"
+        else
+            echo "[sg_only_verifier] WARNING: Defect injection failed (exit $?) — scoring will proceed with degraded accuracy"
+        fi
     fi
 
     # 4. Overlay agent changes