fix: align 57 Dockerfile.sg_only files with baseline FROM images + add sentinels

Comprehensive fix across 7 SDLC suites to ensure all sg_only Dockerfiles
match their baseline counterpart:

- 27 FROM image fixes: ccb-repo-* base images now used for tasks where
  baseline uses pre-built repo images (django, k8s, flipt, envoy, kafka,
  camel, flink, postgres, strata). Includes backup + truncation + recommit.
- 15 FROM version fixes: standard images aligned (golang:1.22→1.22,
  python:3.11→3.12, gcc:13→14, eclipse-temurin:17-jdk→17-jdk-jammy, etc.)
- 15 sentinel additions: write-only tasks missing touch /tmp/.sg_only_mode

Breakdown by suite:
  ccb_debug:      6 (sentinel only)
  ccb_design:    12 (8 FROM + 4 sentinel)
  ccb_document:   7 (6 FROM + 1 sentinel)
  ccb_secure:    16 (14 FROM + 2 sentinel)
  ccb_test:       5 (all FROM)
  ccb_understand: 11 (6 FROM + 5 sentinel)

12 tasks intentionally skipped (linux ccb-linux-base Harbor workaround,
k8s-doc-gen custom /repo_full clone, harbor-ccb_crossrepo base).

Generated by scripts/fix_sgonly_dockerfiles.py (one-off).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_debug/django-admins-migration-audit-001/environment/Dockerfile.sg_only

@@ -1,24 +1,29 @@
+# django-admins-migration-audit-001 — sg_only_env variant
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+
 FROM python:3.12-bookworm
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/django/django
 
-WORKDIR /workspace
+ENV DEBIAN_FRONTEND=noninteractive
 
-# Install dependencies
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
+    ca-certificates \
+    python3 \
     curl \
-    npm \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Claude Code CLI
-RUN npm install -g @anthropic-ai/claude-code
+WORKDIR /workspace
 
-# NO repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# Investigation tasks produce /logs/agent/investigation.md only.
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 
-# Create output directories
-RUN mkdir -p /logs/agent /logs/verifier /app
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Mark sg_only mode so verifiers can skip local-path checks
+RUN touch /tmp/.sg_only_mode
+
+ENTRYPOINT []

benchmarks/ccb_debug/envoy-duplicate-headers-debug-001/environment/Dockerfile.sg_only

@@ -1,25 +1,29 @@
+# envoy-duplicate-headers-debug-001 — sg_only_env variant
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+
 FROM ubuntu:22.04
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/envoyproxy/envoy
 
-WORKDIR /workspace
+ENV DEBIAN_FRONTEND=noninteractive
 
-# Install dependencies
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
-    curl \
+    ca-certificates \
     python3 \
-    npm \
+    curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Claude Code CLI
-RUN npm install -g @anthropic-ai/claude-code
+WORKDIR /workspace
 
-# NO repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# Investigation tasks produce /logs/agent/investigation.md only.
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 
-# Create output directories
-RUN mkdir -p /logs/agent /logs/verifier /app
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Mark sg_only mode so verifiers can skip local-path checks
+RUN touch /tmp/.sg_only_mode
+
+ENTRYPOINT []

benchmarks/ccb_debug/grafana-table-panel-regression-001/environment/Dockerfile.sg_only

@@ -1,25 +1,29 @@
+# grafana-table-panel-regression-001 — sg_only_env variant
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+
 FROM golang:1.23-bookworm
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/grafana/grafana
 
-WORKDIR /workspace
+ENV DEBIAN_FRONTEND=noninteractive
 
-# Install dependencies
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
-    curl \
+    ca-certificates \
     python3 \
-    npm \
+    curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Claude Code CLI
-RUN npm install -g @anthropic-ai/claude-code
+WORKDIR /workspace
 
-# NO repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# Investigation tasks produce /logs/agent/investigation.md only.
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 
-# Create output directories
-RUN mkdir -p /logs/agent /logs/verifier /app
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Mark sg_only mode so verifiers can skip local-path checks
+RUN touch /tmp/.sg_only_mode
+
+ENTRYPOINT []

benchmarks/ccb_debug/istio-xds-destrul-debug-001/environment/Dockerfile.sg_only

@@ -1,25 +1,29 @@
+# istio-xds-destrul-debug-001 — sg_only_env variant
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+
 FROM ubuntu:22.04
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/istio/istio
 
-WORKDIR /workspace
+ENV DEBIAN_FRONTEND=noninteractive
 
-# Install dependencies
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
-    curl \
+    ca-certificates \
     python3 \
-    npm \
+    curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Claude Code CLI
-RUN npm install -g @anthropic-ai/claude-code
+WORKDIR /workspace
 
-# NO repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# Investigation tasks produce /logs/agent/investigation.md only.
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 
-# Create output directories
-RUN mkdir -p /logs/agent /logs/verifier /app
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Mark sg_only mode so verifiers can skip local-path checks
+RUN touch /tmp/.sg_only_mode
+
+ENTRYPOINT []

benchmarks/ccb_debug/prometheus-queue-reshard-debug-001/environment/Dockerfile.sg_only

@@ -1,25 +1,29 @@
+# prometheus-queue-reshard-debug-001 — sg_only_env variant
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+
 FROM golang:1.23-bookworm
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/prometheus/prometheus
 
-WORKDIR /workspace
+ENV DEBIAN_FRONTEND=noninteractive
 
-# Install dependencies
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
-    curl \
+    ca-certificates \
     python3 \
-    npm \
+    curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Claude Code CLI
-RUN npm install -g @anthropic-ai/claude-code
+WORKDIR /workspace
 
-# NO repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# Investigation tasks produce /logs/agent/investigation.md only.
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 
-# Create output directories
-RUN mkdir -p /logs/agent /logs/verifier /app
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Mark sg_only mode so verifiers can skip local-path checks
+RUN touch /tmp/.sg_only_mode
+
+ENTRYPOINT []

benchmarks/ccb_debug/terraform-phantom-update-debug-001/environment/Dockerfile.sg_only

@@ -1,25 +1,29 @@
+# terraform-phantom-update-debug-001 — sg_only_env variant
+# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+
 FROM ubuntu:22.04
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/hashicorp/terraform
 
-WORKDIR /workspace
+ENV DEBIAN_FRONTEND=noninteractive
 
-# Install dependencies
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
-    curl \
+    ca-certificates \
     python3 \
-    npm \
+    curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Claude Code CLI
-RUN npm install -g @anthropic-ai/claude-code
+WORKDIR /workspace
 
-# NO repo clone — agent uses Sourcegraph MCP exclusively for code access.
-# Investigation tasks produce /logs/agent/investigation.md only.
+# Empty git repo so agent can commit work
 RUN git init && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 
-# Create output directories
-RUN mkdir -p /logs/agent /logs/verifier /app
+RUN mkdir -p /logs/agent /logs/verifier
+
+# Mark sg_only mode so verifiers can skip local-path checks
+RUN touch /tmp/.sg_only_mode
+
+ENTRYPOINT []

benchmarks/ccb_design/camel-routing-arch-001/environment/Dockerfile.sg_only

@@ -1,28 +1,21 @@
 # camel-routing-arch-001 — sg_only_env variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# Source files truncated so agent must use Sourcegraph MCP for code access.
+# Verifier wrapper restores full repo before running tests.
 
-FROM eclipse-temurin:17-jdk
+FROM ccb-repo-camel-1006f047
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/apache/camel
 
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    git \
-    ca-certificates \
-    python3 \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
+# --- sg_only_env: back up full repo, then truncate source ---
+RUN cp -a /workspace /repo_full
+RUN find /workspace -type f \( \
+    -name "*.java" -o -name "*.py" -o -name "*.yaml" -o -name "*.yml" \
+    -o -name "*.json" -o -name "*.xml" -o -name "*.sh" -o -name "*.md" \
+    -o -name "*.txt" -o -name "*.toml" -o -name "*.cfg" -o -name "*.properties" \
+    -o -name "*.gradle" -o -name "*.gradle.kts" \) ! -path "*/.git/*" -exec truncate -s 0 {} \;
+# Recommit truncated state so git history cannot recover full files.
+RUN cd /workspace && git add -A && git commit -m "sg_only truncation" --allow-empty --quiet
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 WORKDIR /workspace
-
-# Empty git repo so agent can commit work
-RUN git init && \
-    git config user.email "agent@example.com" && \
-    git config user.name "Agent"
-
-RUN mkdir -p /logs/agent /logs/verifier
-
-RUN touch /tmp/.sg_only_mode
-
 ENTRYPOINT []

benchmarks/ccb_design/django-modeladmin-impact-001/environment/Dockerfile.sg_only

@@ -1,29 +1,21 @@
 # django-modeladmin-impact-001 — sg_only_env variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# Source files truncated so agent must use Sourcegraph MCP for code access.
+# Verifier wrapper restores full repo before running tests.
 
-FROM ubuntu:22.04
+FROM ccb-repo-django-674eda1c
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/django/django
 
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    git \
-    ca-certificates \
-    python3 \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
+# --- sg_only_env: back up full repo, then truncate source ---
+RUN cp -a /workspace /repo_full
+RUN find /workspace -type f \( \
+    -name "*.py" -o -name "*.html" -o -name "*.css" -o -name "*.js" \
+    -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.cfg" \
+    -o -name "*.ini" -o -name "*.sh" -o -name "*.md" -o -name "*.txt" \
+    -o -name "*.toml" -o -name "*.rst" \) ! -path "*/.git/*" ! -path "*/site-packages/*" -exec truncate -s 0 {} \;
+# Recommit truncated state so git history cannot recover full files.
+RUN cd /workspace && git add -A && git commit -m "sg_only truncation" --allow-empty --quiet
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 WORKDIR /workspace
-
-# Empty git repo so agent can commit work
-RUN git init && \
-    git config user.email "agent@example.com" && \
-    git config user.name "Agent"
-
-RUN mkdir -p /logs/agent /logs/verifier
-
-# Mark sg_only mode so verifiers can skip local-path checks
-RUN touch /tmp/.sg_only_mode
-
 ENTRYPOINT []

benchmarks/ccb_design/django-orm-query-arch-001/environment/Dockerfile.sg_only

@@ -1,7 +1,7 @@
 # django-orm-query-arch-001 — sg_only_env variant
 # No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
 
-FROM python:3.11-slim
+FROM python:3.12-bookworm
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/django/django
 
@@ -23,6 +23,7 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
+# Mark sg_only mode so verifiers can skip local-path checks
 RUN touch /tmp/.sg_only_mode
 
 ENTRYPOINT []

benchmarks/ccb_design/django-pre-validate-signal-design-001/environment/Dockerfile.sg_only

@@ -1,29 +1,21 @@
 # django-pre-validate-signal-design-001 — sg_only_env variant
-# No local repo clone — agent uses Sourcegraph MCP exclusively for code access.
+# Source files truncated so agent must use Sourcegraph MCP for code access.
+# Verifier wrapper restores full repo before running tests.
 
-FROM ubuntu:22.04
+FROM ccb-repo-django-674eda1c
 
 ENV SOURCEGRAPH_REPO_NAME=github.com/django/django
 
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    git \
-    ca-certificates \
-    python3 \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
+# --- sg_only_env: back up full repo, then truncate source ---
+RUN cp -a /workspace /repo_full
+RUN find /workspace -type f \( \
+    -name "*.py" -o -name "*.html" -o -name "*.css" -o -name "*.js" \
+    -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.cfg" \
+    -o -name "*.ini" -o -name "*.sh" -o -name "*.md" -o -name "*.txt" \
+    -o -name "*.toml" -o -name "*.rst" \) ! -path "*/.git/*" ! -path "*/site-packages/*" -exec truncate -s 0 {} \;
+# Recommit truncated state so git history cannot recover full files.
+RUN cd /workspace && git add -A && git commit -m "sg_only truncation" --allow-empty --quiet
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 WORKDIR /workspace
-
-# Empty git repo so agent can commit work
-RUN git init && \
-    git config user.email "agent@example.com" && \
-    git config user.name "Agent"
-
-RUN mkdir -p /logs/agent /logs/verifier
-
-# Mark sg_only mode so verifiers can skip local-path checks
-RUN touch /tmp/.sg_only_mode
-
 ENTRYPOINT []