Merge remote-tracking branch 'origin/ralph/gapfill-codereview'

# Conflicts:
#	configs/selected_benchmark_tasks.json

Author: LoCoBench Bot

.beads/issues.jsonl

@@ -25,7 +25,7 @@ RUN git clone --filter=blob:none --no-checkout https://github.com/calcom/cal.com
     git config user.name "Agent"
 
 # Inject defects into the codebase
-COPY inject_defects.sh /tmp/inject_defects.sh
+COPY environment/inject_defects.sh /tmp/inject_defects.sh
 RUN chmod +x /tmp/inject_defects.sh && /tmp/inject_defects.sh && rm /tmp/inject_defects.sh
 
 # Create directories for verifier (tests uploaded at runtime by Harbor verifier)

benchmarks/ccb_codereview/cr-calcom-001/environment/Dockerfile

@@ -0,0 +1,34 @@
+FROM ubuntu:22.04
+
+# Install common tools (python3 needed for inject_defects.sh)
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    python3 \
+    ripgrep \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Node.js (for Claude Code CLI)
+RUN if ! command -v node &> /dev/null; then \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get install -y nodejs; \
+    fi
+
+# Install Claude Code CLI
+RUN npm install -g @anthropic-ai/claude-code
+
+# Clone envoyproxy/envoy at pinned v1.33.0 tag (sparse checkout for relevant files)
+RUN git clone --filter=blob:none --no-checkout https://github.com/envoyproxy/envoy.git /workspace && \
+    cd /workspace && \
+    git checkout v1.33.0 && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent"
+
+# Inject defects into the codebase
+COPY inject_defects.sh /tmp/inject_defects.sh
+RUN chmod +x /tmp/inject_defects.sh && /tmp/inject_defects.sh && rm /tmp/inject_defects.sh
+
+# Create directories for verifier (tests uploaded at runtime by Harbor verifier)
+RUN mkdir -p /workspace/tests /logs/verifier
+
+WORKDIR /workspace

benchmarks/ccb_codereview/cr-envoy-001/environment/Dockerfile

@@ -0,0 +1,177 @@
+#!/bin/bash
+# Inject defects into the Envoy proxy codebase for code review benchmarking
+# Each defect simulates a realistic bug that an AI code reviewer should catch
+# 6 defects across 4 files, 3 require cross-file reasoning
+
+set -e
+cd /workspace
+
+# ── Defect 1: Return Continue instead of StopIteration when delay is active ──
+# Cross-file: fault_filter returns Continue, but postDelayInjection() later calls
+# continueDecoding() via filter_manager.cc — the stream has already moved past
+# this filter, causing undefined behavior or assertion failure
+python3 -c "
+path = 'source/extensions/filters/http/fault/fault_filter.cc'
+with open(path) as f:
+    content = f.read()
+
+old = '''  if (maybeSetupDelay(headers)) {
+    return Http::FilterHeadersStatus::StopIteration;
+  }'''
+
+new = '''  if (maybeSetupDelay(headers)) {
+    return Http::FilterHeadersStatus::Continue;
+  }'''
+
+content = content.replace(old, new)
+with open(path, 'w') as f:
+    f.write(content)
+print('INJECTED defect-1: fault filter returns Continue instead of StopIteration when delay active')
+"
+
+# ── Defect 2: Invert header matching logic in HeaderUtility::matchHeaders ──
+# Cross-file: This utility is called by fault_filter (line 130), RBAC, ratelimit,
+# and other filters. Inverting it causes header-based fault injection to match
+# on the WRONG requests (those NOT matching the configured headers)
+python3 -c "
+path = 'source/common/http/header_utility.cc'
+with open(path) as f:
+    content = f.read()
+
+old = '''  if (!config_headers.empty()) {
+    for (const HeaderDataPtr& cfg_header_data : config_headers) {
+      if (!cfg_header_data->matchesHeaders(request_headers)) {
+        return false;
+      }
+    }
+  }
+
+  return true;'''
+
+new = '''  if (!config_headers.empty()) {
+    for (const HeaderDataPtr& cfg_header_data : config_headers) {
+      if (cfg_header_data->matchesHeaders(request_headers)) {
+        return false;
+      }
+    }
+  }
+
+  return true;'''
+
+content = content.replace(old, new)
+with open(path, 'w') as f:
+    f.write(content)
+print('INJECTED defect-2: inverted header matching logic in matchHeaders')
+"
+
+# ── Defect 3: Remove route cache clearing from ext_authz onComplete ──
+# When ext_authz modifies request headers (adding auth headers, removing
+# sensitive headers), the route cache must be cleared so downstream filters
+# and the router see the updated route. Without this, stale routes are used.
+python3 -c "
+path = 'source/extensions/filters/http/ext_authz/ext_authz.cc'
+with open(path) as f:
+    content = f.read()
+
+old = '''    // Any changes to request headers or query parameters can affect how the request is going to be
+    // routed. If we are changing the headers we also need to clear the route
+    // cache.
+    if (config_->clearRouteCache() &&
+        (!response->headers_to_set.empty() || !response->headers_to_append.empty() ||
+         !response->headers_to_remove.empty() || !response->query_parameters_to_set.empty() ||
+         !response->query_parameters_to_remove.empty())) {
+      ENVOY_STREAM_LOG(debug, \"ext_authz is clearing route cache\", *decoder_callbacks_);
+      decoder_callbacks_->downstreamCallbacks()->clearRouteCache();
+    }'''
+
+new = '''    // Any changes to request headers or query parameters can affect how the request is going to be
+    // routed. Route cache clearing handled by downstream filters.'''
+
+content = content.replace(old, new)
+with open(path, 'w') as f:
+    f.write(content)
+print('INJECTED defect-3: removed route cache clearing from ext_authz onComplete')
+"
+
+# ── Defect 4: Invert required response header check in filter_manager ──
+# Cross-file: filter_manager calls HeaderUtility::checkRequiredResponseHeaders()
+# (defined in header_utility.cc). Inverting the status check sends 502 for all
+# valid responses and lets responses missing :status through
+python3 -c "
+path = 'source/common/http/filter_manager.cc'
+with open(path) as f:
+    content = f.read()
+
+old = '''  const auto status = HeaderUtility::checkRequiredResponseHeaders(headers);
+  if (!status.ok()) {
+    // If the check failed, then we reply with BadGateway, and stop the further processing.
+    sendLocalReply('''
+
+new = '''  const auto status = HeaderUtility::checkRequiredResponseHeaders(headers);
+  if (status.ok()) {
+    // If the check failed, then we reply with BadGateway, and stop the further processing.
+    sendLocalReply('''
+
+content = content.replace(old, new)
+with open(path, 'w') as f:
+    f.write(content)
+print('INJECTED defect-4: inverted required response header check in filter_manager')
+"
+
+# ── Defect 5: Invert rate limit check causing active_faults gauge leak ──
+# In postDelayInjection, the gauge should be decremented when NO rate limit
+# is configured (fault is done). Inverting this causes the gauge to be
+# decremented when rate limit IS active (double-dec with onDestroy) and
+# NOT decremented when it's not (leak), eventually exhausting max_active_faults
+python3 -c "
+path = 'source/extensions/filters/http/fault/fault_filter.cc'
+with open(path) as f:
+    content = f.read()
+
+old = '''    ASSERT(fault_active_);
+    ASSERT(delay_timer_ == nullptr);
+    if (!isResponseRateLimitConfigured()) {
+      config_->stats().active_faults_.dec();
+      fault_active_ = false;
+    }'''
+
+new = '''    ASSERT(fault_active_);
+    ASSERT(delay_timer_ == nullptr);
+    if (isResponseRateLimitConfigured()) {
+      config_->stats().active_faults_.dec();
+      fault_active_ = false;
+    }'''
+
+content = content.replace(old, new)
+with open(path, 'w') as f:
+    f.write(content)
+print('INJECTED defect-5: inverted rate limit check causes active_faults gauge leak')
+"
+
+# ── Defect 6: Remove isRemovableHeader guard from ext_authz header removal ──
+# ext_authz removes headers based on the external auth response. Without the
+# isRemovableHeader check, :-prefixed pseudo-headers and Host can be removed,
+# making the request malformed and causing 400 errors or protocol violations
+python3 -c "
+path = 'source/extensions/filters/http/ext_authz/ext_authz.cc'
+with open(path) as f:
+    content = f.read()
+
+old = '''      // We don't allow removing any :-prefixed headers, nor Host, as removing them would make the
+      // request malformed. checkDecoderHeaderMutation also performs this check, however, so only
+      // perform this check explicitly if decoder header mutation rules is empty.
+      if (!config_->hasDecoderHeaderMutationRules() &&
+          !Http::HeaderUtility::isRemovableHeader(key)) {
+        ENVOY_STREAM_LOG(trace, \"Ignoring invalid header removal '{}'.\", *decoder_callbacks_, key);
+        continue;
+      }'''
+
+new = '''      // Header mutation rules handle validation if configured.'''
+
+content = content.replace(old, new)
+with open(path, 'w') as f:
+    f.write(content)
+print('INJECTED defect-6: removed isRemovableHeader guard from ext_authz header removal')
+"
+
+echo "All 6 defects injected successfully"

benchmarks/ccb_codereview/cr-envoy-001/environment/inject_defects.sh

@@ -0,0 +1,76 @@
+# Code Review: Envoy Proxy HTTP Filter Chain
+
+- **Repository**: envoyproxy/envoy
+- **Difficulty**: hard
+- **Category**: code-review
+- **Task Type**: repo-clone
+
+## Description
+
+You are reviewing a recently merged pull request that modifies Envoy's HTTP filter chain. The PR touches the fault injection filter, external authorization filter, header utility functions, and the core filter manager. The stated goal was to add observability improvements and fix edge cases in filter chain iteration, but several defects were introduced during the merge — both functional bugs and cross-component interaction errors.
+
+Your task is to **find the defects, fix them in the code, and produce a structured review report**.
+
+## Context
+
+The changes span four core areas of Envoy's HTTP filter infrastructure:
+
+1. **`source/extensions/filters/http/fault/fault_filter.cc`** — Fault injection filter: intercepts requests to inject delays and aborts based on configuration. Returns `StopIteration` to pause the filter chain during delay, then calls `continueDecoding()` when the timer fires. Manages an `active_faults_` gauge for tracking in-flight faults.
+
+2. **`source/extensions/filters/http/ext_authz/ext_authz.cc`** — External authorization filter: sends requests to an external auth service, then modifies request headers based on the response. Clears the route cache when headers change so downstream filters see the updated route.
+
+3. **`source/common/http/header_utility.cc`** — Header matching and validation utilities: provides `matchHeaders()` used by fault filter and RBAC, `checkRequiredResponseHeaders()` used by filter manager, and `isRemovableHeader()` used by ext_authz.
+
+4. **`source/common/http/filter_manager.cc`** — Core filter chain orchestrator: iterates decoder/encoder filter chains, handles `StopIteration` vs `Continue` return values, checks required response headers after encoding, and manages the `decoder_filter_chain_aborted_` flag for local reply short-circuiting.
+
+## Task
+
+YOU MUST IMPLEMENT CODE CHANGES to complete this task.
+
+Review the files listed above for the following types of defects:
+
+- **Functional bugs**: Logic errors that cause incorrect behavior (e.g., inverted conditions, wrong return values, missing state updates).
+- **Cross-file interaction bugs**: Defects where a change in one file breaks assumptions in another file (e.g., header matching logic change affects which requests fault filter intercepts).
+- **Resource management bugs**: Gauge leaks, missing cleanup, or double-counting of active resources.
+
+For each defect you find:
+
+1. **Fix the code** by editing the affected file in `/workspace/`.
+2. **Record the defect** in your review report.
+
+### Expected Output
+
+After completing your review, write a JSON file at `/workspace/review.json` containing an array of defect objects:
+
+```json
+[
+  {
+    "file": "source/extensions/filters/http/fault/fault_filter.cc",
+    "line": 155,
+    "severity": "critical",
+    "description": "Brief description of what is wrong and why",
+    "fix_applied": true
+  }
+]
+```
+
+Each entry must include:
+- `file` — Relative path from repository root
+- `line` — Approximate line number where the defect occurs
+- `severity` — One of: `critical`, `high`, `medium`, `low`
+- `description` — What the defect is and what impact it has
+- `fix_applied` — Boolean indicating whether you committed a fix
+
+## Scoring
+
+Your submission is scored on two equally weighted components:
+
+1. **Detection score (50%)**: F1 score (harmonic mean of precision and recall) of your reported defects matched against the ground truth. A reported defect matches if it identifies the correct file and a related issue.
+2. **Fix score (50%)**: Proportion of defects where you both identified the issue and applied a correct code fix (verified by checking for expected code patterns in the modified files).
+
+**Final score** = 0.5 × detection_F1 + 0.5 × fix_score
+
+## Testing
+
+- **Time limit**: 1200 seconds
+- Run `bash /workspace/tests/test.sh` to verify your changes

benchmarks/ccb_codereview/cr-envoy-001/instruction.md

@@ -0,0 +1,51 @@
+version = "1.0"
+[metadata]
+name = "cr-envoy-001"
+description = "Review an Envoy proxy PR for injected defects in the HTTP filter chain spanning fault injection, external authorization, header utilities, and filter manager"
+license = "Apache-2.0"
+
+[task]
+id = "cr-envoy-001"
+repo = "envoy"
+category = "code-review"
+language = "cpp"
+difficulty = "hard"
+time_limit_sec = 1200
+
+[verification]
+type = "test"
+command = "bash /tests/test.sh"
+
+reward_type = "checklist"
+description = "F1 score for defect detection plus fix correctness"
+[environment]
+build_timeout_sec = 1800.0
+
+[environment.setup_scripts]
+mcp_config = """#!/bin/bash
+# Setup Sourcegraph MCP if credentials provided
+if [ -n "$SOURCEGRAPH_ACCESS_TOKEN" ] && [ -n "$SOURCEGRAPH_URL" ]; then
+  echo "Setting up Sourcegraph MCP configuration..."
+  mkdir -p /root/.config/claude
+
+  cat > /root/.config/claude/mcp.json << 'EOF'
+{
+  "mcpServers": {
+    "sourcegraph": {
+      "command": "npx",
+      "args": ["-y", "@sourcegraph/mcp-server"],
+      "env": {
+        "SRC_ACCESS_TOKEN": "$SOURCEGRAPH_ACCESS_TOKEN",
+        "SOURCEGRAPH_URL": "$SOURCEGRAPH_URL"
+      }
+    }
+  }
+}
+EOF
+
+  echo "PASS MCP configuration created"
+else
+  echo "No Sourcegraph credentials provided, MCP disabled"
+fi
+exit 0
+"""