fix: switch TAC-based sg_only Dockerfiles from ubuntu base to TAC base image

Both bustub-hyperloglog-impl-001 and openhands-search-file-test-001 used
ubuntu:22.04 as their sg_only base image. The verifier for these tasks
runs /utils/eval.py via the python_default binary, both of which are only
present in the TAC base image — so the MCP verifier always crashed with
"Evaluator failed" and scored 0.

Root cause of MCP scoring 0.00 (while baseline scored >0):
  bustub:    BL=0.17 -> MCP=0.00  (sde-implement-hyperloglog-image missing)
  openhands: BL=0.40 -> MCP=0.00  (sde-write-a-unit-test-*-image missing)

Fix: change FROM to the same TAC base image used in the baseline Dockerfile,
then add sg_only-specific layers:
  - Truncate source files (agent must use Sourcegraph MCP)
  - Recommit truncated state (prevents git history leaking code)
  - Add clone manifest (clone-at-verify strategy for verifier)
  - Add sg_only mode markers (/tmp/.sg_only_mode, /tmp/.sg_only_workdir)
  - Keep TAC env vars (TAC_SERVER_HOSTNAME, DECRYPTION_KEY)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_feature/bustub-hyperloglog-impl-001/environment/Dockerfile.sg_only

@@ -1,34 +1,35 @@
-# bustub-hyperloglog-impl-001 — sg_only_env variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# bustub-hyperloglog-impl-001 — sg_only_env variant (TAC base + v2 clone-at-verify)
+# Source files truncated — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror at verification time to restore source.
 
-FROM ubuntu:22.04
+FROM ghcr.io/theagentcompany/sde-implement-hyperloglog-image:1.0.0
 
 ENV SOURCEGRAPH_REPO_NAME=sg-evals/bustub--d5f79431
 
-ENV DEBIAN_FRONTEND=noninteractive
+# TAC environment variables (required by /utils/init.sh and /utils/eval.py)
+ENV TAC_SERVER_HOSTNAME=localhost
+ENV DECRYPTION_KEY="theagentcompany is all you need"
 
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    git \
-    ca-certificates \
-    python3 \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
+RUN mkdir -p /logs
 
 WORKDIR /workspace
 
-# Empty git repo so agent can commit work
-RUN git init && \
-    git config user.email "agent@example.com" && \
-    git config user.name "Agent"
-
-RUN mkdir -p /logs/agent /logs/verifier
-
-# Mark sg_only mode so verifiers can skip local-path checks
-RUN touch /tmp/.sg_only_mode
-
-# Clone manifest for verifier repo restoration
+# Truncate C/C++ source files so agent cannot read them locally.
+# TAC config files and build artifacts are left intact.
+RUN find /workspace -type f \( -name "*.cpp" -o -name "*.cc" -o -name "*.cxx" -o -name "*.c" \
+    -o -name "*.h" -o -name "*.hh" -o -name "*.hpp" -o -name "*.hxx" \) \
+    ! -path "*/.git/*" -exec truncate -s 0 {} \; || true
+# Recommit truncated state so git history cannot recover full files.
+RUN cd /workspace && git config user.email "agent@example.com" && \
+    git config user.name "Agent" && \
+    git add -A && git commit -m "sg_only truncation" --allow-empty --quiet || true
+
+# Clone manifest for verifier (clone-at-verify strategy)
 RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/bustub--d5f79431","target_dir":"."}]}' > /tmp/.sg_only_clone_manifest.json
 
+# Mark sg_only mode
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
+
 # Pre-create claude user and set ownership at build time.
 RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \
     for d in /workspace /app /testbed /logs; do [ -d "$d" ] && chown -R claude:claude "$d"; done || true

benchmarks/ccb_test/openhands-search-file-test-001/environment/Dockerfile.sg_only

@@ -1,30 +1,34 @@
-# openhands-search-file-test-001 — sg_only_env variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# openhands-search-file-test-001 — sg_only_env variant (TAC base + v2 clone-at-verify)
+# Source files truncated — agent uses Sourcegraph MCP for code access.
+# Verifier clones mirror at verification time to restore source.
 
-FROM ubuntu:22.04
+FROM ghcr.io/theagentcompany/sde-write-a-unit-test-for-search_file-function-image:1.0.0
 
 ENV SOURCEGRAPH_REPO_NAME=sg-evals/OpenHands--latest
 
-ENV DEBIAN_FRONTEND=noninteractive
+# TAC environment variables (required by /utils/init.sh and /utils/eval.py)
+ENV TAC_SERVER_HOSTNAME=localhost
+ENV DECRYPTION_KEY="theagentcompany is all you need"
 
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    git \
-    ca-certificates \
-    python3 \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
+RUN mkdir -p /logs
 
 WORKDIR /workspace
 
-# Empty git repo so agent can commit work
-RUN git init && \
-    git config user.email "agent@example.com" && \
-    git config user.name "Agent"
-
-RUN mkdir -p /logs/agent /logs/verifier
-
-# Mark sg_only mode so verifiers can skip local-path checks
-RUN touch /tmp/.sg_only_mode
+# Truncate OpenHands Python source files so agent cannot read them locally.
+# TAC config files, utils, and verifier infrastructure are left intact.
+RUN find /workspace/openhands -type f -name "*.py" ! -path "*/.git/*" \
+    -exec truncate -s 0 {} \; 2>/dev/null || true
+# Recommit truncated state so git history cannot recover full files.
+RUN cd /workspace/openhands && git config user.email "agent@example.com" && \
+    git config user.name "Agent" && \
+    git add -A && git commit -m "sg_only truncation" --allow-empty --quiet 2>/dev/null || true
+
+# Clone manifest for verifier (clone-at-verify strategy)
+# OpenHands repo lives at /workspace/openhands in the TAC image
+RUN echo '{"workdir":"/workspace","repos":[{"mirror":"sg-evals/OpenHands--latest","target_dir":"openhands"}]}' > /tmp/.sg_only_clone_manifest.json
+
+# Mark sg_only mode
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 # Pre-create claude user and set ownership at build time.
 RUN (adduser --disabled-password --gecos '' claude 2>/dev/null || true) && \