fix: align vuln-remed-011 express version with SG mirror and improve explore-042-ds provenance guidance

- ccx-vuln-remed-011: update express clone from 4.19.2 to 4.21.1 (CVE-2024-47764
  patch release with cookie ^0.7.1). Both Dockerfile and Dockerfile.artifact_only
  updated so baseline and MCP agents see the same code version.
- ccx-vuln-remed-011 instruction: update "Available Resources" to reflect 4.21.1.
- ccx-explore-042-ds instruction: add explicit provenance guidance — narrative must
  use org/repo format for repo names and slash notation for file paths (not Python
  module dot notation) to pass the substring provenance oracle check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_mcp_onboarding/ccx-explore-042-ds/instruction.md

@@ -53,6 +53,7 @@ Create a file at `/workspace/answer.json` with your findings:
 
 **Important**: Use exact repo identifiers as they appear in Sourcegraph. The oracle expects `repo` values of `numpy/numpy` (array layer), `pandas-dev/pandas` (data structure layer), and `scipy/scipy` (scientific computation layer). The `repo` field must match these exactly.
 **Note**: Sourcegraph MCP tools return repo names with a `github.com/` prefix (e.g., `github.com/sg-benchmarks/kubernetes-client-go`). Strip this prefix in your answer — use `sg-benchmarks/kubernetes-client-go`, NOT `github.com/sg-benchmarks/kubernetes-client-go`.
+**Provenance**: Your `text` narrative is evaluated for completeness. It must include repository names verbatim in `org/repo` format (e.g., `numpy/numpy`, `pandas-dev/pandas`, `scipy/scipy`) and file paths using slash notation (e.g., `numpy/_core/fromnumeric.py`), not Python module dot notation.
 
 The `chain` should contain at least 3 steps representing the 3 layers described above.
 

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/environment/Dockerfile

@@ -14,7 +14,7 @@ WORKDIR /workspace
 
 # Clone local checkout repos (baseline config: agent has local access to these)
 RUN git clone --depth 1 --branch v22.13.0 https://github.com/nodejs/node /workspace/node
-RUN git clone --depth 1 --branch 4.19.2 https://github.com/expressjs/express /workspace/express
+RUN git clone --depth 1 --branch 4.21.1 https://github.com/expressjs/express /workspace/express
 
 # Initialize git identity for agent commits
 RUN git config --global user.email "agent@example.com" && \

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/environment/Dockerfile.artifact_only

@@ -19,7 +19,7 @@ WORKDIR /workspace
 
 # Clone local checkout repos (baseline config: agent has local access to these)
 RUN git clone --depth 1 --branch v22.13.0 https://github.com/nodejs/node /workspace/node
-RUN git clone --depth 1 --branch 4.19.2 https://github.com/expressjs/express /workspace/express
+RUN git clone --depth 1 --branch 4.21.1 https://github.com/expressjs/express /workspace/express
 
 # Initialize git identity for agent commits
 RUN git config --global user.email "agent@example.com" && \

benchmarks/ccb_mcp_security/ccx-vuln-remed-011/instruction.md

@@ -28,7 +28,7 @@ one cloned locally — to ensure no vulnerable dependency slips through.
 
 The local `/workspace/` directory contains all repositories:
 - `nodejs/node` at v22.13.0 → `/workspace/node`
-- `expressjs/express` at 9de5890 → `/workspace/express`
+- `expressjs/express` at 4.21.1 → `/workspace/express`
 
 ## Output Format