feat: US-013 - Starter tasks: Category B vulnerability remediation (2 tasks)

- CCX-vuln-remed-011: CVE-2024-47764 (cookie npm package), nodejs-web-stack fixture
  - Oracle: sg-benchmarks/expressjs-express package.json (cookie ^0.7.1 runtime dep)
  - eval.sh: file_set_match + keyword_presence
  - Validity gate: VALID (gold=1.0, empty=0.0)

- CCX-vuln-remed-014: Missing auth middleware audit, grafana-observability fixture
  - Oracle: sg-benchmarks/grafana-loki pkg/dataobj/explorer/service.go
  - eval.sh: file_set_match + provenance
  - Validity gate: VALID (gold=1.0, empty=0.0)

- Both tasks in benchmarks/ccb_mcp_security/, registered in selected_mcp_unique_tasks.json

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/environment/Dockerfile

@@ -0,0 +1,26 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    curl \
+    python3 \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone local checkout repos (baseline config: agent has local access to these)
+RUN git clone --depth 1 --branch v22.13.0 https://github.com/nodejs/node /workspace/node
+
+# Initialize git identity for agent commits
+RUN git config --global user.email "agent@example.com" && \
+    git config --global user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+ENTRYPOINT []

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/environment/Dockerfile.sg_only

@@ -0,0 +1,29 @@
+# CCX-vuln-remed-011 — sg_only variant
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    python3 \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Empty workspace — agent discovers code via MCP tools only
+RUN git init && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent" && \
+    git config --global safe.directory '*'
+
+# Create log directories
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Mark sg_only mode — verifiers and eval scripts check this flag
+RUN touch /tmp/.sg_only_mode
+
+ENTRYPOINT []

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/instruction.md

@@ -0,0 +1,60 @@
+# CVE Remediation: Vulnerable `cookie` Package Dependency
+
+## Your Task
+
+Your security team has raised an alert about **CVE-2024-47764**, which affects the
+`cookie` npm package in versions prior to `0.7.0`. An attacker can exploit this
+vulnerability to send a crafted HTTP request that bypasses cookie security controls.
+
+You need to identify all `package.json` files across your Node.js web stack repos
+that declare **`cookie` as a direct runtime dependency** (listed under
+`"dependencies"`, not `"devDependencies"`).
+
+For each match, report:
+- The repository (`org/repo-name`)
+- The file path within the repository
+- The version constraint declared for `cookie`
+
+## Context
+
+You are doing a security audit of your Node.js web stack, which spans multiple repos
+across different organizations. The stack includes the runtime, the web framework, a
+utility library, and a database ORM.
+
+This is a cross-org audit: you need to check all repos in the stack — not just the
+one cloned locally — to ensure no vulnerable dependency slips through.
+
+## Available Resources
+
+The local `/workspace/` directory contains: `nodejs/node`.
+
+**Note:** Additional repositories are accessible via Sourcegraph MCP tools:
+- `sg-benchmarks/expressjs-express` (web-framework)
+- `sg-benchmarks/lodash` (utility-library)
+- `sg-benchmarks/prisma-prisma` (database-orm)
+
+## Output Format
+
+Create a file at `/workspace/answer.json` with your findings:
+
+```json
+{
+  "files": [
+    {
+      "repo": "org/repo-name",
+      "path": "relative/path/to/package.json",
+      "version": "the-version-constraint"
+    }
+  ],
+  "text": "Narrative explanation citing the repos and version constraints found."
+}
+```
+
+Include only entries where `cookie` appears under `"dependencies"` (not `"devDependencies"`
+or `"scripts"`). Your answer is evaluated against a closed-world oracle — completeness matters.
+
+## Evaluation
+
+Your answer will be scored on:
+- **File recall and precision**: Did you find all package.json files that declare `cookie` as a runtime dependency?
+- **Keyword presence**: Does your answer include the exact version constraint found?

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/task.toml

@@ -0,0 +1,28 @@
+version = "1.0"
+
+[metadata]
+name = "CCX-vuln-remed-011"
+description = "CVE remediation: find package.json files declaring vulnerable cookie dependency"
+license = "Apache-2.0"
+
+[task]
+id = "CCX-vuln-remed-011"
+repo = "nodejs/node"
+category = "vuln-remediation"
+language = "javascript"
+difficulty = "medium"
+time_limit_sec = 900
+mcp_suite = "ccb_mcp_security"
+use_case_id = 11
+repo_set_id = "nodejs-web-stack"
+mcp_unique = true
+
+[verification]
+type = "eval"
+command = "bash /tests/eval.sh"
+
+reward_type = "score"
+description = "CVE remediation: find package.json files declaring vulnerable cookie dependency"
+
+[environment]
+build_timeout_sec = 600.0

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/tests/__pycache__/oracle_checks.cpython-310.pyc

@@ -0,0 +1,68 @@
+#!/bin/bash
+# eval.sh — MCP-unique benchmark evaluator for CCX-vuln-remed-011
+# Exit-code-first (SWE-Factory pattern):
+#   exit 0 — agent produced useful output (composite score > 0)
+#   exit 1 — total failure (composite score == 0 or missing answer)
+#
+# Writes /logs/verifier/reward.txt with the composite score [0.0, 1.0]
+
+set -euo pipefail
+
+TASK_ID="CCX-vuln-remed-011"
+ANSWER_PATH="/workspace/answer.json"
+TASK_SPEC_PATH="/tests/task_spec.json"
+ORACLE_CHECKS="/tests/oracle_checks.py"
+REWARD_PATH="/logs/verifier/reward.txt"
+
+mkdir -p /logs/verifier
+
+echo "=== CCX-vuln-remed-011 evaluator ==="
+echo "Task spec: $TASK_SPEC_PATH"
+echo "Answer:    $ANSWER_PATH"
+echo ""
+
+# sg_only mode guard: restore full repo if verifier wrapper exists
+if [ -f /tmp/.sg_only_mode ] && [ -f /tests/sgonly_verifier_wrapper.sh ]; then
+    echo "sg_only mode: sourcing verifier wrapper..."
+    source /tests/sgonly_verifier_wrapper.sh
+fi
+
+# Verify answer file exists
+if [ ! -f "$ANSWER_PATH" ]; then
+    echo "ERROR: answer.json not found at $ANSWER_PATH"
+    echo "0.0" > "$REWARD_PATH"
+    exit 1
+fi
+
+# Validate answer is valid JSON
+if ! python3 -c "import json; json.load(open('$ANSWER_PATH'))" 2>/dev/null; then
+    echo "ERROR: answer.json is not valid JSON"
+    echo "0.0" > "$REWARD_PATH"
+    exit 1
+fi
+
+echo "answer.json found and valid JSON"
+
+# Run oracle checks
+if [ ! -f "$ORACLE_CHECKS" ]; then
+    echo "ERROR: oracle_checks.py not found at $ORACLE_CHECKS"
+    echo "0.0" > "$REWARD_PATH"
+    exit 1
+fi
+
+echo "Running oracle checks..."
+SCORE=$(python3 "$ORACLE_CHECKS" --answer "$ANSWER_PATH" --spec "$TASK_SPEC_PATH" --verbose 2>&1 | tee /dev/stderr | tail -1)
+
+# Validate score is a number
+if ! echo "$SCORE" | python3 -c "import sys; float(sys.stdin.read().strip())" 2>/dev/null; then
+    echo "ERROR: oracle_checks.py did not return a valid score: $SCORE"
+    echo "0.0" > "$REWARD_PATH"
+    exit 1
+fi
+
+echo ""
+echo "Composite score: $SCORE"
+echo "$SCORE" > "$REWARD_PATH"
+
+# Exit based on score (SWE-Factory exit-code-first pattern)
+python3 -c "import sys; sys.exit(0 if float('$SCORE') > 0 else 1)"

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/tests/eval.sh

@@ -0,0 +1,13 @@
+{
+  "files": [
+    {"repo": "sg-benchmarks/expressjs-express", "path": "package.json", "version": "^0.7.1"}
+  ],
+  "text": "Found 1 package.json file across the nodejs-web-stack repos that declares cookie as a direct runtime dependency: sg-benchmarks/expressjs-express package.json specifies \"cookie\": \"^0.7.1\" under dependencies. The lodash and prisma repos do not declare the cookie package as a runtime dependency. The nodejs/node repository does not declare cookie as a top-level package dependency.",
+  "_metadata": {
+    "oracle_type": "file_set_match",
+    "discovery_method": "sourcegraph_keyword_search",
+    "query": "repo:^github.com/sg-benchmarks/expressjs-express$ file:package.json \"cookie\"",
+    "version": "^0.7.1",
+    "cve": "CVE-2024-47764"
+  }
+}