sourcegraph
diff --git a/‎.beads/backup/backup_state.json‎
Lines changed: 2 additions & 2 deletions b/‎.beads/backup/backup_state.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎agents/harnesses/openhands/agent.py‎
Lines changed: 21 additions & 0 deletions b/‎agents/harnesses/openhands/agent.py‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎benchmarks/csb_org_crossorg/ccx-crossorg-218/environment/Dockerfile.sg_only‎
Lines changed: 8 additions & 3 deletions b/‎benchmarks/csb_org_crossorg/ccx-crossorg-218/environment/Dockerfile.sg_only‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎benchmarks/csb_org_crossorg/ccx-crossorg-218/instruction_mcp.md‎
Lines changed: 118 additions & 0 deletions b/‎benchmarks/csb_org_crossorg/ccx-crossorg-218/instruction_mcp.md‎
Lines changed: 118 additions & 0 deletions
diff --git a/‎benchmarks/csb_org_crossorg/ccx-crossorg-219/environment/Dockerfile.sg_only‎
Lines changed: 8 additions & 3 deletions b/‎benchmarks/csb_org_crossorg/ccx-crossorg-219/environment/Dockerfile.sg_only‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎benchmarks/csb_org_crossorg/ccx-crossorg-219/instruction_mcp.md‎
Lines changed: 119 additions & 0 deletions b/‎benchmarks/csb_org_crossorg/ccx-crossorg-219/instruction_mcp.md‎
Lines changed: 119 additions & 0 deletions
diff --git a/‎benchmarks/csb_org_security/ccx-vuln-remed-169/environment/Dockerfile.sg_only‎
Lines changed: 8 additions & 3 deletions b/‎benchmarks/csb_org_security/ccx-vuln-remed-169/environment/Dockerfile.sg_only‎
Lines changed: 8 additions & 3 deletions
@@ -1,7 +1,7 @@
 {
-  "last_dolt_commit": "va5omkih1c4t5cg9s4v3h2kpqigekalh",
+  "last_dolt_commit": "dd0594s1h4afs6fr5t7ajnag90emfg0s",
   "last_event_id": 0,
-  "timestamp": "2026-03-11T18:24:16.353711768Z",
+  "timestamp": "2026-03-11T20:01:24.898819257Z",
   "counts": {
     "issues": 27,
     "events": 84,
 
@@ -152,6 +152,27 @@ def create_run_agent_commands(self, instruction: str):
             env=env,
         ))
 
+        # Block local search tools in MCP mode so the agent is forced to use
+        # Sourcegraph MCP tools (keyword_search, read_file, etc.) instead of
+        # grep/find on truncated local files.  Wrappers go in /opt/mcp_blockers/
+        # and PATH is prepended in the agent's env.  Verifiers run as separate
+        # processes with the original PATH and are unaffected.
+        if mcp_type in ("sourcegraph_full", "sourcegraph_base", "sourcegraph_isolated"):
+            blocked_cmds = "grep rg ag ack find fd tree"
+            blocker_script = (
+                "mkdir -p /opt/mcp_blockers && "
+                + " && ".join(
+                    f"printf '#!/bin/sh\\necho \"ERROR: {cmd} is disabled in MCP mode."
+                    f" Use Sourcegraph MCP tools (keyword_search, read_file, list_files)"
+                    f" instead.\" >&2\\nexit 1\\n' > /opt/mcp_blockers/{cmd}"
+                    f" && chmod +x /opt/mcp_blockers/{cmd}"
+                    for cmd in blocked_cmds.split()
+                )
+            )
+            exec_inputs.append(ExecInput(command=blocker_script, env=env))
+            # Prepend blocker dir to PATH so agent hits wrappers first
+            env["PATH"] = "/opt/mcp_blockers:" + env.get("PATH", "/usr/local/bin:/usr/bin:/bin")
+
         # Build a Python launcher script that reads the task from file,
         # runs openhands.core.main, pipes output to a log file, and cleans up
         # orphan daemons. Everything stays in Python — no shell quoting at all.
 
@@ -1,9 +1,11 @@
-# ccx-crossorg-218 — sg_only_env variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# ccx-crossorg-218 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/scikit-learn--cb7e82dd"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
@@ -21,7 +23,10 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
-# Mark sg_only mode so verifiers can skip local-path checks
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/scikit-learn--cb7e82dd","target_dir":"scikit-learn--cb7e82dd"}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
 # Pre-create claude user and set ownership at build time.
 
@@ -0,0 +1,118 @@
+# IMPORTANT: Source Code Access
+
+**Local source files are not present.** Your workspace does not contain source code. You **MUST** use Sourcegraph MCP tools to discover, read, and understand code before making any changes.
+
+**Target Repositories (version-pinned mirrors):**
+
+- `github.com/sg-evals/scikit-learn--cb7e82dd` — use `repo:^github.com/sg-evals/scikit-learn--cb7e82dd$` filter
+
+Scope ALL keyword_search/nls_search queries to these repos.
+Use the repo name as the `repo` parameter for read_file/go_to_definition/find_references.
+
+
+## Required Workflow
+
+1. **Search first** — Use MCP tools to find relevant files and understand existing patterns
+2. **Read remotely** — Use `sg_read_file` to read full file contents from Sourcegraph
+3. **Edit locally** — Use Edit, Write, and Bash to create or modify files in your working directory
+4. **Verify locally** — Run tests with Bash to check your changes
+
+## Tool Selection
+
+| Goal | Tool |
+|------|------|
+| Exact symbol/string | `sg_keyword_search` |
+| Concepts/semantic search | `sg_nls_search` |
+| Trace usage/callers | `sg_find_references` |
+| See implementation | `sg_go_to_definition` |
+| Read full file | `sg_read_file` |
+| Browse structure | `sg_list_files` |
+| Find repos | `sg_list_repos` |
+| Search commits | `sg_commit_search` |
+| Track changes | `sg_diff_search` |
+| Compare versions | `sg_compare_revisions` |
+
+**Decision logic:**
+1. Know the exact symbol? → `sg_keyword_search`
+2. Know the concept, not the name? → `sg_nls_search`
+3. Need definition of a symbol? → `sg_go_to_definition`
+4. Need all callers/references? → `sg_find_references`
+5. Need full file content? → `sg_read_file`
+
+## Scoping (Always Do This)
+
+```
+repo:^github.com/ORG/REPO$           # Exact repo (preferred)
+repo:github.com/ORG/                 # All repos in org
+file:.*\.ts$                         # TypeScript only
+file:src/api/                        # Specific directory
+```
+
+Start narrow. Expand only if results are empty.
+
+## Efficiency Rules
+
+- Chain searches logically: search → read → references → definition
+- Don't re-search for the same pattern; use results from prior calls
+- Prefer `sg_keyword_search` over `sg_nls_search` when you have exact terms
+- Read 2-3 related files before synthesising, rather than one at a time
+- Don't read 20+ remote files without writing code — once you understand the pattern, start implementing
+
+## If Stuck
+
+If MCP search returns no results:
+1. Broaden the search query (synonyms, partial identifiers)
+2. Try `sg_nls_search` for semantic matching
+3. Use `sg_list_files` to browse the directory structure
+4. Use `sg_list_repos` to verify the repository name
+
+---
+
+**Sourcegraph Repositories:** `github.com/sg-evals/scikit-learn--cb7e82dd`
+
+# Structured Logging Pattern in Python ML Repos
+
+## Your Task
+
+Find Python source files in scikit-learn/scikit-learn that implement structured logging and warning mechanisms: the ConvergenceWarning usage, the sklearn check_is_fitted warning, and the verbose parameter logging across estimators.
+
+## Context
+
+You are working on a codebase task involving repos from the crossorg domain.
+
+## Available Resources
+
+No local repositories are pre-checked out.
+
+
+## Output Format
+
+Use the published task contract:
+
+- `TASK_WORKDIR=/workspace`
+- `TASK_REPO_ROOT=/workspace`
+- `TASK_OUTPUT=/workspace/answer.json`
+
+Create a file at `TASK_OUTPUT` (`/workspace/answer.json`) with your findings in the following structure:
+
+```json
+{
+  "files": [
+    {"repo": "org/repo-name", "path": "relative/path/to/file.go"}
+  ],
+  "symbols": [
+    {"repo": "org/repo-name", "path": "relative/path/to/file.go", "symbol": "SymbolName"}
+  ],
+  "chain": [
+    {"repo": "org/repo-name", "path": "relative/path/to/file.go", "symbol": "FunctionName"}
+  ],
+  "text": "Narrative explanation of your findings, citing repos and file paths."
+}
+```
+
+Include only the fields relevant to this task. Your answer is evaluated against a closed-world oracle — completeness matters.
+
+## Evaluation
+
+Your answer will be scored on:
+- **File recall and precision**: Did you find all relevant files?
@@ -1,9 +1,11 @@
-# ccx-crossorg-219 — sg_only_env variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# ccx-crossorg-219 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/prometheus--ba14bc4,sg-evals/grafana--26d36ec"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
@@ -21,7 +23,10 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
-# Mark sg_only mode so verifiers can skip local-path checks
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/prometheus--ba14bc4","target_dir":"prometheus--ba14bc4"},{"mirror":"sg-evals/grafana--26d36ec","target_dir":"grafana--26d36ec"}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
 # Pre-create claude user and set ownership at build time.
 
@@ -0,0 +1,119 @@
+# IMPORTANT: Source Code Access
+
+**Local source files are not present.** Your workspace does not contain source code. You **MUST** use Sourcegraph MCP tools to discover, read, and understand code before making any changes.
+
+**Target Repositories (version-pinned mirrors):**
+
+- `github.com/sg-evals/prometheus--ba14bc4` — use `repo:^github.com/sg-evals/prometheus--ba14bc4$` filter
+- `github.com/sg-evals/grafana--26d36ec` — use `repo:^github.com/sg-evals/grafana--26d36ec$` filter
+
+Scope ALL keyword_search/nls_search queries to these repos.
+Use the repo name as the `repo` parameter for read_file/go_to_definition/find_references.
+
+
+## Required Workflow
+
+1. **Search first** — Use MCP tools to find relevant files and understand existing patterns
+2. **Read remotely** — Use `sg_read_file` to read full file contents from Sourcegraph
+3. **Edit locally** — Use Edit, Write, and Bash to create or modify files in your working directory
+4. **Verify locally** — Run tests with Bash to check your changes
+
+## Tool Selection
+
+| Goal | Tool |
+|------|------|
+| Exact symbol/string | `sg_keyword_search` |
+| Concepts/semantic search | `sg_nls_search` |
+| Trace usage/callers | `sg_find_references` |
+| See implementation | `sg_go_to_definition` |
+| Read full file | `sg_read_file` |
+| Browse structure | `sg_list_files` |
+| Find repos | `sg_list_repos` |
+| Search commits | `sg_commit_search` |
+| Track changes | `sg_diff_search` |
+| Compare versions | `sg_compare_revisions` |
+
+**Decision logic:**
+1. Know the exact symbol? → `sg_keyword_search`
+2. Know the concept, not the name? → `sg_nls_search`
+3. Need definition of a symbol? → `sg_go_to_definition`
+4. Need all callers/references? → `sg_find_references`
+5. Need full file content? → `sg_read_file`
+
+## Scoping (Always Do This)
+
+```
+repo:^github.com/ORG/REPO$           # Exact repo (preferred)
+repo:github.com/ORG/                 # All repos in org
+file:.*\.ts$                         # TypeScript only
+file:src/api/                        # Specific directory
+```
+
+Start narrow. Expand only if results are empty.
+
+## Efficiency Rules
+
+- Chain searches logically: search → read → references → definition
+- Don't re-search for the same pattern; use results from prior calls
+- Prefer `sg_keyword_search` over `sg_nls_search` when you have exact terms
+- Read 2-3 related files before synthesising, rather than one at a time
+- Don't read 20+ remote files without writing code — once you understand the pattern, start implementing
+
+## If Stuck
+
+If MCP search returns no results:
+1. Broaden the search query (synonyms, partial identifiers)
+2. Try `sg_nls_search` for semantic matching
+3. Use `sg_list_files` to browse the directory structure
+4. Use `sg_list_repos` to verify the repository name
+
+---
+
+**Sourcegraph Repositories:** `github.com/sg-evals/prometheus--ba14bc4`, `github.com/sg-evals/grafana--26d36ec`
+
+# OpenTelemetry Span Creation Across Monitoring Stack
+
+## Your Task
+
+Find Go source files in prometheus/prometheus and grafana/grafana that create and annotate OpenTelemetry spans: the tracer initialization, the span start/end calls, the span attribute setting, and the span error recording patterns used in both projects.
+
+## Context
+
+You are working on a codebase task involving repos from the crossorg domain.
+
+## Available Resources
+
+No local repositories are pre-checked out.
+
+
+## Output Format
+
+Use the published task contract:
+
+- `TASK_WORKDIR=/workspace`
+- `TASK_REPO_ROOT=/workspace`
+- `TASK_OUTPUT=/workspace/answer.json`
+
+Create a file at `TASK_OUTPUT` (`/workspace/answer.json`) with your findings in the following structure:
+
+```json
+{
+  "files": [
+    {"repo": "org/repo-name", "path": "relative/path/to/file.go"}
+  ],
+  "symbols": [
+    {"repo": "org/repo-name", "path": "relative/path/to/file.go", "symbol": "SymbolName"}
+  ],
+  "chain": [
+    {"repo": "org/repo-name", "path": "relative/path/to/file.go", "symbol": "FunctionName"}
+  ],
+  "text": "Narrative explanation of your findings, citing repos and file paths."
+}
+```
+
+Include only the fields relevant to this task. Your answer is evaluated against a closed-world oracle — completeness matters.
+
+## Evaluation
+
+Your answer will be scored on:
+- **File recall and precision**: Did you find all relevant files?
@@ -1,9 +1,11 @@
-# ccx-vuln-remed-169 — sg_only_env variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# ccx-vuln-remed-169 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/node--v22.13.0"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
@@ -21,7 +23,10 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
-# Mark sg_only mode so verifiers can skip local-path checks
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/node--v22.13.0","target_dir":"node--v22.13.0"}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
 # Pre-create claude user and set ownership at build time.