fix: OpenHands MCP proxy — block deepsearch, retry on 5xx, rerun config

Three fixes for OpenHands MCP integration issues found in the 30-task rerun:

1. Block deepsearch/deepsearch_read tool calls in the auth proxy. OpenHands'
   MCP client has a ~30s internal HTTP timeout that kills long-running
   deepsearch requests, crashing the agent (cilium-ebpf scored 0.0 vs 0.95
   baseline). The proxy now intercepts these calls and returns a helpful
   JSON-RPC error directing the agent to use keyword_search/nls_search.

2. Add retry logic (2 retries with 2s delay) for upstream 5xx errors and
   connection failures. CCX-dep-trace-258 got a 503 Service Unavailable
   mid-execution, crashing the agent.

3. Add rerun config (openhands_mcp_rerun2.json) for 11 tasks that need
   re-execution: 5 stuck builds, 1 DaytonaError, 4 no-MCP (code race
   condition where early tasks launched before fix was on disk), 1 proxy
   503 crash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

agents/harnesses/openhands/sg_auth_proxy.py

@@ -8,6 +8,10 @@
 Runs as a background daemon inside the container. OpenHands SHTTP config
 points at http://localhost:<port> with no api_key; this proxy adds auth.
 
+Deepsearch filtering: deepsearch/deepsearch_read tool calls are intercepted
+and rejected with a helpful error because OpenHands' MCP client has a ~30s
+internal HTTP timeout that kills long-running deepsearch requests.
+
 Usage:
     SG_MCP_URL=https://sourcegraph.sourcegraph.com/.api/mcp \
     SG_MCP_TOKEN=sgp_... \
@@ -17,46 +21,130 @@
 """
 
 import argparse
+import json
 import os
 import sys
+import time
 from http.server import HTTPServer, BaseHTTPRequestHandler
 import urllib.request
 import urllib.error
 
 SG_URL = os.environ.get("SG_MCP_URL", "https://sourcegraph.sourcegraph.com/.api/mcp")
 SG_TOKEN = os.environ.get("SG_MCP_TOKEN", "")
 
+# Tools that require long-running async calls and will hit OpenHands' ~30s
+# internal HTTP timeout, crashing the agent.
+_BLOCKED_TOOLS = {"deepsearch", "deepsearch_read"}
+
+# Max retries for upstream 5xx errors
+_MAX_RETRIES = 2
+_RETRY_DELAY = 2  # seconds
 
-class ProxyHandler(BaseHTTPRequestHandler):
-    def do_POST(self):
-        content_length = int(self.headers.get("Content-Length", 0))
-        body = self.rfile.read(content_length) if content_length else b""
 
-        # Forward headers, replacing auth
+def _is_blocked_tool_call(body: bytes) -> tuple[bool, str]:
+    """Check if a JSON-RPC request is calling a blocked tool."""
+    try:
+        req = json.loads(body)
+        if req.get("method") == "tools/call":
+            tool_name = req.get("params", {}).get("name", "")
+            if tool_name in _BLOCKED_TOOLS:
+                return True, tool_name
+    except (json.JSONDecodeError, AttributeError):
+        pass
+    return False, ""
+
+
+def _make_tool_error_response(body: bytes, tool_name: str) -> bytes:
+    """Return a JSON-RPC error response for a blocked tool call."""
+    try:
+        req = json.loads(body)
+        req_id = req.get("id")
+    except (json.JSONDecodeError, AttributeError):
+        req_id = None
+    resp = {
+        "jsonrpc": "2.0",
+        "id": req_id,
+        "result": {
+            "content": [
+                {
+                    "type": "text",
+                    "text": (
+                        f"Error: '{tool_name}' is unavailable in this environment "
+                        f"due to timeout constraints. Use 'keyword_search' or "
+                        f"'nls_search' instead for code discovery."
+                    ),
+                }
+            ],
+            "isError": True,
+        },
+    }
+    return json.dumps(resp).encode()
+
+
+def _forward_request(url, body, headers, method, retries=_MAX_RETRIES):
+    """Forward a request to upstream with retry on 5xx errors."""
+    req = urllib.request.Request(url, data=body, headers=headers, method=method)
+    last_exc = None
+    for attempt in range(retries + 1):
+        try:
+            with urllib.request.urlopen(req, timeout=300) as resp:
+                resp_body = resp.read()
+                return resp.status, resp.getheaders(), resp_body
+        except urllib.error.HTTPError as e:
+            if e.code >= 500 and attempt < retries:
+                last_exc = e
+                time.sleep(_RETRY_DELAY)
+                continue
+            raise
+        except (urllib.error.URLError, TimeoutError) as e:
+            if attempt < retries:
+                last_exc = e
+                time.sleep(_RETRY_DELAY)
+                continue
+            raise
+    raise last_exc
+
+
+class ProxyHandler(BaseHTTPRequestHandler):
+    def _build_fwd_headers(self):
         fwd_headers = {}
         for key, val in self.headers.items():
             lower = key.lower()
             if lower in ("host", "authorization", "s", "x-session-api-key"):
                 continue
             fwd_headers[key] = val
-
         if SG_TOKEN:
             fwd_headers["Authorization"] = f"token {SG_TOKEN}"
         fwd_headers["Host"] = urllib.request.urlparse(SG_URL).netloc
+        return fwd_headers
 
-        req = urllib.request.Request(
-            SG_URL, data=body, headers=fwd_headers, method="POST"
-        )
+    def do_POST(self):
+        content_length = int(self.headers.get("Content-Length", 0))
+        body = self.rfile.read(content_length) if content_length else b""
+
+        # Block deepsearch tools that will timeout
+        blocked, tool_name = _is_blocked_tool_call(body)
+        if blocked:
+            error_body = _make_tool_error_response(body, tool_name)
+            self.send_response(200)
+            self.send_header("Content-Type", "application/json")
+            self.send_header("Content-Length", str(len(error_body)))
+            self.end_headers()
+            self.wfile.write(error_body)
+            return
+
+        fwd_headers = self._build_fwd_headers()
 
         try:
-            with urllib.request.urlopen(req, timeout=300) as resp:
-                resp_body = resp.read()
-                self.send_response(resp.status)
-                for key, val in resp.getheaders():
-                    if key.lower() not in ("transfer-encoding", "connection"):
-                        self.send_header(key, val)
-                self.end_headers()
-                self.wfile.write(resp_body)
+            status, resp_headers, resp_body = _forward_request(
+                SG_URL, body, fwd_headers, "POST"
+            )
+            self.send_response(status)
+            for key, val in resp_headers:
+                if key.lower() not in ("transfer-encoding", "connection"):
+                    self.send_header(key, val)
+            self.end_headers()
+            self.wfile.write(resp_body)
         except urllib.error.HTTPError as e:
             self.send_response(e.code)
             self.send_header("Content-Type", "application/json")
@@ -70,29 +158,18 @@ def do_POST(self):
             self.wfile.write(str(e).encode())
 
     def do_GET(self):
-        # MCP streamable HTTP also uses GET for SSE streams
-        fwd_headers = {}
-        for key, val in self.headers.items():
-            lower = key.lower()
-            if lower in ("host", "authorization", "s", "x-session-api-key"):
-                continue
-            fwd_headers[key] = val
-
-        if SG_TOKEN:
-            fwd_headers["Authorization"] = f"token {SG_TOKEN}"
-        fwd_headers["Host"] = urllib.request.urlparse(SG_URL).netloc
-
-        req = urllib.request.Request(SG_URL, headers=fwd_headers, method="GET")
+        fwd_headers = self._build_fwd_headers()
 
         try:
-            with urllib.request.urlopen(req, timeout=300) as resp:
-                resp_body = resp.read()
-                self.send_response(resp.status)
-                for key, val in resp.getheaders():
-                    if key.lower() not in ("transfer-encoding", "connection"):
-                        self.send_header(key, val)
-                self.end_headers()
-                self.wfile.write(resp_body)
+            status, resp_headers, resp_body = _forward_request(
+                SG_URL, None, fwd_headers, "GET"
+            )
+            self.send_response(status)
+            for key, val in resp_headers:
+                if key.lower() not in ("transfer-encoding", "connection"):
+                    self.send_header(key, val)
+            self.end_headers()
+            self.wfile.write(resp_body)
         except urllib.error.HTTPError as e:
             self.send_response(e.code)
             self.end_headers()
@@ -120,6 +197,8 @@ def main():
         f.write(str(port))
 
     print(f"SG auth proxy listening on 127.0.0.1:{port} -> {SG_URL}", flush=True)
+    if _BLOCKED_TOOLS:
+        print(f"  Blocked tools: {', '.join(sorted(_BLOCKED_TOOLS))}", flush=True)
     server.serve_forever()
 
 

configs/openhands_mcp_rerun2.json

@@ -0,0 +1,107 @@
+{
+  "metadata": {
+    "name": "openhands_mcp_rerun2",
+    "description": "11-task MCP rerun: 5 stuck builds, 1 DaytonaError, 4 no-MCP (old code race), 1 proxy 503 crash",
+    "parent": "openhands_mcp_rerun.json",
+    "reason": {
+      "stuck_build": [
+        "kafka-batch-accumulator-refac-001",
+        "servo-scrollend-event-feat-001",
+        "django-select-for-update-fix-001",
+        "pytorch-relu-gelu-fusion-fix-001",
+        "pytorch-release-210-fix-001"
+      ],
+      "daytona_error": [
+        "envoy-routeconfig-dep-chain-001"
+      ],
+      "no_mcp_old_code": [
+        "terraform-plan-null-unknown-fix-001",
+        "ccx-migration-027",
+        "CCX-crossorg-121",
+        "CCX-crossorg-132"
+      ],
+      "proxy_503_crash": [
+        "CCX-dep-trace-258"
+      ]
+    }
+  },
+  "tasks": [
+    {
+      "task_id": "kafka-batch-accumulator-refac-001",
+      "benchmark": "csb_sdlc_refactor",
+      "task_dir": "csb_sdlc_refactor/kafka-batch-accumulator-refac-001",
+      "language": "java",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "servo-scrollend-event-feat-001",
+      "benchmark": "csb_sdlc_feature",
+      "task_dir": "csb_sdlc_feature/servo-scrollend-event-feat-001",
+      "language": "rust",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "django-select-for-update-fix-001",
+      "benchmark": "csb_sdlc_fix",
+      "task_dir": "csb_sdlc_fix/django-select-for-update-fix-001",
+      "language": "python",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "pytorch-relu-gelu-fusion-fix-001",
+      "benchmark": "csb_sdlc_fix",
+      "task_dir": "csb_sdlc_fix/pytorch-relu-gelu-fusion-fix-001",
+      "language": "cpp",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "pytorch-release-210-fix-001",
+      "benchmark": "csb_sdlc_fix",
+      "task_dir": "csb_sdlc_fix/pytorch-release-210-fix-001",
+      "language": "cpp",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "envoy-routeconfig-dep-chain-001",
+      "benchmark": "csb_sdlc_design",
+      "task_dir": "csb_sdlc_design/envoy-routeconfig-dep-chain-001",
+      "language": "go",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "terraform-plan-null-unknown-fix-001",
+      "benchmark": "csb_sdlc_fix",
+      "task_dir": "csb_sdlc_fix/terraform-plan-null-unknown-fix-001",
+      "language": "go",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "ccx-migration-027",
+      "benchmark": "csb_org_migration",
+      "task_dir": "csb_org_migration/ccx-migration-027",
+      "language": "javascript",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "CCX-crossorg-121",
+      "benchmark": "csb_org_crossorg",
+      "task_dir": "csb_org_crossorg/ccx-crossorg-121",
+      "language": "cpp",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "CCX-crossorg-132",
+      "benchmark": "csb_org_crossorg",
+      "task_dir": "csb_org_crossorg/ccx-crossorg-132",
+      "language": "rust",
+      "execution_env": "daytona"
+    },
+    {
+      "task_id": "CCX-dep-trace-258",
+      "benchmark": "csb_org_crossrepo",
+      "task_dir": "csb_org_crossrepo/ccx-dep-trace-258",
+      "language": "go",
+      "execution_env": "daytona"
+    }
+  ]
+}