fix: add python3 to kafka/flipt sg_only Dockerfiles, switch envoy to bookworm

- CSB_REPO_BASE_MAP entries for ccb-repo-kafka-0753c489 and
  ccb-repo-flipt-3d5a345f were missing python3, causing
  sgonly_verifier_wrapper.sh to fail (needs python3 for JSON parsing).
- envoy-routeconfig-dep-chain-001 main Dockerfile switched from
  golang:1.23-alpine to golang:1.23-bookworm for OpenHands compat
  (apt-get not available on Alpine). sg_only variant was already fixed
  in c6310bb but main Dockerfile was missed.
- Regenerated all 404 Dockerfile.sg_only + artifact variants.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/csb_org_compliance/ccx-compliance-182/environment/Dockerfile.artifact_only

@@ -1,10 +1,11 @@
-# CCX-compliance-182 — artifact_only variant
+# ccx-compliance-182 — artifact_only variant
 # No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
 # Agent produces answer.json artifact; verifier scores the artifact.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/api--v0.32.0,sg-evals/client-go--v0.32.0,sg-evals/etcd-io-etcd,sg-evals/kubernetes--v1.32.0"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \

benchmarks/csb_org_compliance/ccx-compliance-182/environment/Dockerfile.sg_only

@@ -1,10 +1,11 @@
-# CCX-compliance-182 — sg_only variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# The verifier clones mirror repos at verification time (no /repo_full/ backup).
+# ccx-compliance-182 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/api--v0.32.0,sg-evals/client-go--v0.32.0,sg-evals/etcd-io-etcd,sg-evals/kubernetes--v1.32.0"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
@@ -15,23 +16,21 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 WORKDIR /workspace
 
-# Empty workspace — agent discovers code via MCP tools only
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
-    git config user.name "Agent" && \
-    git config --global safe.directory '*'
+    git config user.name "Agent"
 
-# Create log directories
 RUN mkdir -p /logs/agent /logs/verifier
 
-# Mark sg_only mode — verifiers and eval scripts check this flag
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/kubernetes--v1.32.0","target_dir":"kubernetes--v1.32.0"},{"mirror":"sg-evals/client-go--v0.32.0","target_dir":"client-go--v0.32.0"},{"mirror":"sg-evals/api--v0.32.0","target_dir":"api--v0.32.0"},{"mirror":"sg-evals/etcd-io-etcd","target_dir":"etcd-io-etcd"}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
-# Pre-create claude user and set ownership at build time so Harbor's
-# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+# Pre-create claude user and set ownership at build time.
 RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
     for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
 
-ENV SOURCEGRAPH_REPOS=sg-evals/kubernetes--v1.32.0,sg-evals/api--v0.32.0,sg-evals/client-go--v0.32.0
-
 ENTRYPOINT []

benchmarks/csb_org_compliance/ccx-compliance-183/environment/Dockerfile.artifact_only

@@ -1,10 +1,11 @@
-# CCX-compliance-183 — artifact_only variant
+# ccx-compliance-183 — artifact_only variant
 # No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
 # Agent produces answer.json artifact; verifier scores the artifact.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/api--v0.32.0,sg-evals/client-go--v0.32.0,sg-evals/etcd-io-etcd,sg-evals/kubernetes--v1.32.0"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \

benchmarks/csb_org_compliance/ccx-compliance-183/environment/Dockerfile.sg_only

@@ -1,10 +1,11 @@
-# CCX-compliance-183 — sg_only variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# The verifier clones mirror repos at verification time (no /repo_full/ backup).
+# ccx-compliance-183 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/api--v0.32.0,sg-evals/client-go--v0.32.0,sg-evals/etcd-io-etcd,sg-evals/kubernetes--v1.32.0"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
@@ -15,20 +16,20 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 WORKDIR /workspace
 
-# Empty workspace — agent discovers code via MCP tools only
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
-    git config user.name "Agent" && \
-    git config --global safe.directory '*'
+    git config user.name "Agent"
 
-# Create log directories
 RUN mkdir -p /logs/agent /logs/verifier
 
-# Mark sg_only mode — verifiers and eval scripts check this flag
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/kubernetes--v1.32.0","target_dir":"kubernetes--v1.32.0"},{"mirror":"sg-evals/client-go--v0.32.0","target_dir":"client-go--v0.32.0"},{"mirror":"sg-evals/api--v0.32.0","target_dir":"api--v0.32.0"},{"mirror":"sg-evals/etcd-io-etcd","target_dir":"etcd-io-etcd"}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
-# Pre-create claude user and set ownership at build time so Harbor's
-# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+# Pre-create claude user and set ownership at build time.
 RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
     for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
 

benchmarks/csb_org_compliance/ccx-compliance-184/environment/Dockerfile.artifact_only

@@ -1,10 +1,11 @@
-# CCX-compliance-184 — artifact_only variant
+# ccx-compliance-184 — artifact_only variant
 # No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
 # Agent produces answer.json artifact; verifier scores the artifact.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/api--v0.32.0,sg-evals/client-go--v0.32.0,sg-evals/etcd-io-etcd,sg-evals/kubernetes--v1.32.0"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \

benchmarks/csb_org_compliance/ccx-compliance-184/environment/Dockerfile.sg_only

@@ -1,10 +1,11 @@
-# CCX-compliance-184 — sg_only variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# The verifier clones mirror repos at verification time (no /repo_full/ backup).
+# ccx-compliance-184 — sg_only_env variant (v2: clone-at-verify)
+# Empty workspace — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror(s) at verification time via clone manifest.
 
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV SOURCEGRAPH_REPOS="sg-evals/api--v0.32.0,sg-evals/client-go--v0.32.0,sg-evals/etcd-io-etcd,sg-evals/kubernetes--v1.32.0"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
@@ -15,20 +16,20 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 WORKDIR /workspace
 
-# Empty workspace — agent discovers code via MCP tools only
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
-    git config user.name "Agent" && \
-    git config --global safe.directory '*'
+    git config user.name "Agent"
 
-# Create log directories
 RUN mkdir -p /logs/agent /logs/verifier
 
-# Mark sg_only mode — verifiers and eval scripts check this flag
+# Clone manifest for verifier (clone-at-verify strategy)
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/kubernetes--v1.32.0","target_dir":"kubernetes--v1.32.0"},{"mirror":"sg-evals/client-go--v0.32.0","target_dir":"client-go--v0.32.0"},{"mirror":"sg-evals/api--v0.32.0","target_dir":"api--v0.32.0"},{"mirror":"sg-evals/etcd-io-etcd","target_dir":"etcd-io-etcd"}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
 RUN touch /tmp/.sg_only_mode
 
-# Pre-create claude user and set ownership at build time so Harbor's
-# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+# Pre-create claude user and set ownership at build time.
 RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
     for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
 

benchmarks/csb_org_compliance/ccx-compliance-185/environment/Dockerfile.artifact_only

@@ -1,4 +1,4 @@
-# CCX-compliance-185 — artifact_only variant
+# ccx-compliance-185 — artifact_only variant
 # No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
 # Agent produces answer.json artifact; verifier scores the artifact.
 

benchmarks/csb_org_compliance/ccx-compliance-185/environment/Dockerfile.sg_only

@@ -1,6 +1,5 @@
-# CCX-compliance-185 — sg_only variant
+# ccx-compliance-185 — sg_only_env variant
 # No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# The verifier clones mirror repos at verification time (no /repo_full/ backup).
 
 FROM ubuntu:22.04
 
@@ -15,20 +14,17 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 WORKDIR /workspace
 
-# Empty workspace — agent discovers code via MCP tools only
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
-    git config user.name "Agent" && \
-    git config --global safe.directory '*'
+    git config user.name "Agent"
 
-# Create log directories
 RUN mkdir -p /logs/agent /logs/verifier
 
-# Mark sg_only mode — verifiers and eval scripts check this flag
+# Mark sg_only mode so verifiers can skip local-path checks
 RUN touch /tmp/.sg_only_mode
 
-# Pre-create claude user and set ownership at build time so Harbor's
-# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+# Pre-create claude user and set ownership at build time.
 RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
     for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true
 

benchmarks/csb_org_compliance/ccx-compliance-186/environment/Dockerfile.artifact_only

@@ -1,4 +1,4 @@
-# CCX-compliance-186 — artifact_only variant
+# ccx-compliance-186 — artifact_only variant
 # No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
 # Agent produces answer.json artifact; verifier scores the artifact.
 

benchmarks/csb_org_compliance/ccx-compliance-186/environment/Dockerfile.sg_only

@@ -1,6 +1,5 @@
-# CCX-compliance-186 — sg_only variant
+# ccx-compliance-186 — sg_only_env variant
 # No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# The verifier clones mirror repos at verification time (no /repo_full/ backup).
 
 FROM ubuntu:22.04
 
@@ -15,20 +14,17 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 WORKDIR /workspace
 
-# Empty workspace — agent discovers code via MCP tools only
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
-    git config user.name "Agent" && \
-    git config --global safe.directory '*'
+    git config user.name "Agent"
 
-# Create log directories
 RUN mkdir -p /logs/agent /logs/verifier
 
-# Mark sg_only mode — verifiers and eval scripts check this flag
+# Mark sg_only mode so verifiers can skip local-path checks
 RUN touch /tmp/.sg_only_mode
 
-# Pre-create claude user and set ownership at build time so Harbor's
-# runtime chown is a no-op (avoids 15-30 min delay on large repos).
+# Pre-create claude user and set ownership at build time.
 RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
     for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true