fix: clone repo into /repo_full/ for sg_only verifier hallucination check

Instead of skipping the hallucination path check in sg_only mode (which would
miss genuine fabrications), clone the K8s repo into /repo_full/ in the
Dockerfile.sg_only. The sgonly_verifier_wrapper.sh restores it to /workspace
before the verifier runs, so path existence checks work correctly.

Reverts the sg_only skip approach from previous commit — the hallucination
check now runs unconditionally. The agent still sees an empty /workspace
and must use MCP exclusively.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_document/k8s-apiserver-doc-gen-001/environment/Dockerfile.sg_only

@@ -12,6 +12,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     && rm -rf /var/lib/apt/lists/*
 
+# Clone repo into /repo_full/ for verifier hallucination check only
+# Agent does NOT have access — workspace is empty, agent uses MCP
+RUN mkdir -p /repo_full && cd /repo_full && \
+    git clone --filter=blob:none --no-checkout https://github.com/kubernetes/kubernetes.git . && \
+    git checkout 8c9c67c000104450cfc5a5f48053a9a84b73cf93
+
 WORKDIR /workspace
 
 # Empty git repo so agent can commit work
@@ -21,6 +27,6 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
-RUN touch /tmp/.sg_only_mode
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 ENTRYPOINT []

benchmarks/ccb_document/k8s-apiserver-doc-gen-001/tests/test.sh

@@ -96,13 +96,11 @@ base = (
 )
 
 # Hallucination penalty: invalid path mentions only.
-# In sg_only mode, /workspace has no repo — skip path existence check
-sg_only = Path('/tmp/.sg_only_mode').exists()
 penalty = 0.0
 path_candidates = set(re.findall(r"(?:staging/src|pkg|cmd|api)/[A-Za-z0-9_./-]+\.go", text))
 invalid = 0
 for p in path_candidates:
-    if not sg_only and not Path('/workspace', p).exists():
+    if not Path('/workspace', p).exists():
         invalid += 1
 if path_candidates:
     invalid_ratio = invalid / len(path_candidates)

benchmarks/ccb_document/k8s-applyconfig-doc-gen-001/environment/Dockerfile.sg_only

@@ -12,6 +12,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     && rm -rf /var/lib/apt/lists/*
 
+# Clone repo into /repo_full/ for verifier hallucination check only
+# Agent does NOT have access — workspace is empty, agent uses MCP
+RUN mkdir -p /repo_full && cd /repo_full && \
+    git clone --filter=blob:none --no-checkout https://github.com/kubernetes/kubernetes.git . && \
+    git checkout 8c9c67c000104450cfc5a5f48053a9a84b73cf93
+
 WORKDIR /workspace
 
 # Empty git repo so agent can commit work
@@ -21,6 +27,6 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
-RUN touch /tmp/.sg_only_mode
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 ENTRYPOINT []

benchmarks/ccb_document/k8s-applyconfig-doc-gen-001/tests/test.sh

@@ -96,13 +96,11 @@ base = (
 )
 
 # Hallucination penalty: invalid path mentions only.
-# In sg_only mode, /workspace has no repo — skip path existence check
-sg_only = Path('/tmp/.sg_only_mode').exists()
 penalty = 0.0
 path_candidates = set(re.findall(r"(?:staging/src|pkg|cmd|api)/[A-Za-z0-9_./-]+\.go", text))
 invalid = 0
 for p in path_candidates:
-    if not sg_only and not Path('/workspace', p).exists():
+    if not Path('/workspace', p).exists():
         invalid += 1
 if path_candidates:
     invalid_ratio = invalid / len(path_candidates)

benchmarks/ccb_document/k8s-clientgo-doc-gen-001/environment/Dockerfile.sg_only

@@ -12,6 +12,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     && rm -rf /var/lib/apt/lists/*
 
+# Clone repo into /repo_full/ for verifier hallucination check only
+# Agent does NOT have access — workspace is empty, agent uses MCP
+RUN mkdir -p /repo_full && cd /repo_full && \
+    git clone --filter=blob:none --no-checkout https://github.com/kubernetes/kubernetes.git . && \
+    git checkout 8c9c67c000104450cfc5a5f48053a9a84b73cf93
+
 WORKDIR /workspace
 
 # Empty git repo so agent can commit work
@@ -21,6 +27,6 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
-RUN touch /tmp/.sg_only_mode
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 ENTRYPOINT []

benchmarks/ccb_document/k8s-clientgo-doc-gen-001/tests/test.sh

@@ -96,13 +96,11 @@ base = (
 )
 
 # Hallucination penalty: invalid path mentions only.
-# In sg_only mode, /workspace has no repo — skip path existence check
-sg_only = Path('/tmp/.sg_only_mode').exists()
 penalty = 0.0
 path_candidates = set(re.findall(r"(?:staging/src|pkg|cmd|api)/[A-Za-z0-9_./-]+\.go", text))
 invalid = 0
 for p in path_candidates:
-    if not sg_only and not Path('/workspace', p).exists():
+    if not Path('/workspace', p).exists():
         invalid += 1
 if path_candidates:
     invalid_ratio = invalid / len(path_candidates)

benchmarks/ccb_document/k8s-controller-mgr-doc-gen-001/environment/Dockerfile.sg_only

@@ -12,6 +12,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     && rm -rf /var/lib/apt/lists/*
 
+# Clone repo into /repo_full/ for verifier hallucination check only
+# Agent does NOT have access — workspace is empty, agent uses MCP
+RUN mkdir -p /repo_full && cd /repo_full && \
+    git clone --filter=blob:none --no-checkout https://github.com/kubernetes/kubernetes.git . && \
+    git checkout 8c9c67c000104450cfc5a5f48053a9a84b73cf93
+
 WORKDIR /workspace
 
 # Empty git repo so agent can commit work
@@ -21,6 +27,6 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
-RUN touch /tmp/.sg_only_mode
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 ENTRYPOINT []

benchmarks/ccb_document/k8s-controller-mgr-doc-gen-001/tests/test.sh

@@ -96,13 +96,11 @@ base = (
 )
 
 # Hallucination penalty: invalid path mentions only.
-# In sg_only mode, /workspace has no repo — skip path existence check
-sg_only = Path('/tmp/.sg_only_mode').exists()
 penalty = 0.0
 path_candidates = set(re.findall(r"(?:staging/src|pkg|cmd|api)/[A-Za-z0-9_./-]+\.go", text))
 invalid = 0
 for p in path_candidates:
-    if not sg_only and not Path('/workspace', p).exists():
+    if not Path('/workspace', p).exists():
         invalid += 1
 if path_candidates:
     invalid_ratio = invalid / len(path_candidates)

benchmarks/ccb_document/k8s-fairqueuing-doc-gen-001/environment/Dockerfile.sg_only

@@ -12,6 +12,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     && rm -rf /var/lib/apt/lists/*
 
+# Clone repo into /repo_full/ for verifier hallucination check only
+# Agent does NOT have access — workspace is empty, agent uses MCP
+RUN mkdir -p /repo_full && cd /repo_full && \
+    git clone --filter=blob:none --no-checkout https://github.com/kubernetes/kubernetes.git . && \
+    git checkout 8c9c67c000104450cfc5a5f48053a9a84b73cf93
+
 WORKDIR /workspace
 
 # Empty git repo so agent can commit work
@@ -21,6 +27,6 @@ RUN git init && \
 
 RUN mkdir -p /logs/agent /logs/verifier
 
-RUN touch /tmp/.sg_only_mode
+RUN touch /tmp/.sg_only_mode && echo '/workspace' > /tmp/.sg_only_workdir
 
 ENTRYPOINT []

benchmarks/ccb_document/k8s-fairqueuing-doc-gen-001/tests/test.sh

@@ -96,13 +96,11 @@ base = (
 )
 
 # Hallucination penalty: invalid path mentions only.
-# In sg_only mode, /workspace has no repo — skip path existence check
-sg_only = Path('/tmp/.sg_only_mode').exists()
 penalty = 0.0
 path_candidates = set(re.findall(r"(?:staging/src|pkg|cmd|api)/[A-Za-z0-9_./-]+\.go", text))
 invalid = 0
 for p in path_candidates:
-    if not sg_only and not Path('/workspace', p).exists():
+    if not Path('/workspace', p).exists():
         invalid += 1
 if path_candidates:
     invalid_ratio = invalid / len(path_candidates)