feat: add SDLC mode to Daytona curator runner + 32 ground truth files

Refactor daytona_curator_runner.py to support CodeScaleBench SDLC tasks
alongside existing ContextBench calibration mode. Adds --sdlc-all,
--missing-only, --suite, --task-dir flags with dual-mode dispatch.

New _extract_repo_info_for_sandbox() resolves repos via 4 strategies:
git clone URLs, # Repo: comments, # Source: org/repo (commit),
SWEAP FROM tags, and TAC_REPO_MAP (bustub, openhands).

Also adds Strategies 4/4b/5 to _resolve_repos() in
context_retrieval_agent.py for the same patterns.

First batch run completed 32/56 tasks (24 remaining due to timeouts
and VM spindown). Includes handoff for resuming the remaining tasks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/csb_sdlc_debug/flipt-auth-cookie-regression-prove-001/tests/ground_truth.json

@@ -0,0 +1,67 @@
+{
+  "files": [
+    "internal/server/auth/middleware.go",
+    "internal/server/auth/middleware_test.go",
+    "internal/storage/auth/memory/store.go",
+    "internal/storage/auth/auth.go",
+    "internal/containers/option.go",
+    "cmd/flipt/main.go"
+  ],
+  "symbols": [
+    {
+      "file": "internal/server/auth/middleware.go",
+      "symbol": "UnaryInterceptor",
+      "repo": null
+    },
+    {
+      "file": "internal/server/auth/middleware.go",
+      "symbol": "clientTokenFromMetadata",
+      "repo": null
+    },
+    {
+      "file": "internal/server/auth/middleware.go",
+      "symbol": "cookieFromMetadata",
+      "repo": null
+    },
+    {
+      "file": "internal/server/auth/middleware.go",
+      "symbol": "clientTokenFromAuthorization",
+      "repo": null
+    },
+    {
+      "file": "internal/server/auth/middleware.go",
+      "symbol": "WithServerSkipsAuthentication",
+      "repo": null
+    },
+    {
+      "file": "internal/server/auth/middleware.go",
+      "symbol": "InterceptorOptions",
+      "repo": null
+    },
+    {
+      "file": "internal/server/auth/middleware.go",
+      "symbol": "GetAuthenticationFrom",
+      "repo": null
+    },
+    {
+      "file": "internal/server/auth/middleware.go",
+      "symbol": "Authenticator",
+      "repo": null
+    },
+    {
+      "file": "internal/storage/auth/memory/store.go",
+      "symbol": "NewStore",
+      "repo": null
+    },
+    {
+      "file": "internal/storage/auth/memory/store.go",
+      "symbol": "CreateAuthentication",
+      "repo": null
+    },
+    {
+      "file": "internal/containers/option.go",
+      "symbol": "ApplyAll",
+      "repo": null
+    }
+  ]
+}

benchmarks/csb_sdlc_debug/flipt-auth-cookie-regression-prove-001/tests/ground_truth_meta.json

@@ -0,0 +1,18 @@
+{
+  "has_ground_truth": true,
+  "has_chunk_ground_truth": false,
+  "ground_truth_source": "curator_agent",
+  "ground_truth_confidence": "medium",
+  "task_name": "flipt-auth-cookie-regression-prove-001",
+  "curator_agent_version": "2.0",
+  "model": "claude-opus-4-6",
+  "backend": "hybrid",
+  "timestamp": "2026-03-03T16:26:01Z",
+  "files_count": 6,
+  "edit_files_count": 0,
+  "chunks_count": 0,
+  "symbols_count": 11,
+  "cost_usd": 1.65988845,
+  "elapsed_sec": 538.3,
+  "exploration_notes": "The bug is in internal/server/auth/middleware.go. Before commit 6fe76d02, the UnaryInterceptor only extracted client tokens from the 'authorization' metadata key (expecting 'Bearer <token>' format). It had no cookie fallback and no server skip mechanism. The fix added: (1) clientTokenFromMetadata() which falls back to cookieFromMetadata() when no Authorization header is present, parsing the 'flipt_client_token' cookie from the 'grpcgateway-cookie' metadata key; (2) WithServerSkipsAuthentication("
+}

benchmarks/csb_sdlc_debug/qutebrowser-hsv-color-regression-prove-001/tests/ground_truth.json

@@ -0,0 +1,17 @@
+{
+  "files": [
+    "qutebrowser/config/configtypes.py"
+  ],
+  "symbols": [
+    {
+      "file": "qutebrowser/config/configtypes.py",
+      "symbol": "_parse_value",
+      "repo": null
+    },
+    {
+      "file": "qutebrowser/config/configtypes.py",
+      "symbol": "QtColor",
+      "repo": null
+    }
+  ]
+}

benchmarks/csb_sdlc_debug/qutebrowser-hsv-color-regression-prove-001/tests/ground_truth_meta.json

@@ -0,0 +1,18 @@
+{
+  "has_ground_truth": true,
+  "has_chunk_ground_truth": false,
+  "ground_truth_source": "curator_agent",
+  "ground_truth_confidence": "medium",
+  "task_name": "qutebrowser-hsv-color-regression-prove-001",
+  "curator_agent_version": "2.0",
+  "model": "claude-opus-4-6",
+  "backend": "hybrid",
+  "timestamp": "2026-03-03T16:23:04Z",
+  "files_count": 1,
+  "edit_files_count": 0,
+  "chunks_count": 0,
+  "symbols_count": 2,
+  "cost_usd": 2.04564375,
+  "elapsed_sec": 362.6,
+  "exploration_notes": "The bug is in QtColor._parse_value() in qutebrowser/config/configtypes.py. Before commit 6b320dc18, _parse_value used a hardcoded multiplier of 255.0 for all color channels including hue, which should use 359.0. The fix added a 'kind' parameter to _parse_value and uses 359.0 when kind=='h'. The regression test at /workspace/regression_test.py extracts _parse_value from the source via AST parsing (avoiding PyQt5 import dependencies) and verifies hue percentages are scaled to 0-359. It passes on t"
+}

benchmarks/csb_sdlc_debug/teleport-ssh-regression-prove-001/tests/ground_truth.json

@@ -0,0 +1,84 @@
+{
+  "files": [
+    "lib/auth/auth.go",
+    "lib/auth/grpcserver.go",
+    "lib/client/weblogin.go",
+    "lib/auth/u2f/authenticate.go",
+    "lib/auth/apiserver.go",
+    "lib/web/apiserver.go",
+    "lib/services/local/users.go",
+    "lib/auth/auth_test.go"
+  ],
+  "symbols": [
+    {
+      "file": "lib/auth/auth.go",
+      "symbol": "U2FAuthenticateChallenge",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/auth.go",
+      "symbol": "U2FSignRequest",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/auth.go",
+      "symbol": "mfaAuthChallenge",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/auth.go",
+      "symbol": "validateMFAAuthResponse",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/auth.go",
+      "symbol": "checkU2F",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/grpcserver.go",
+      "symbol": "DeleteMFADevice",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/grpcserver.go",
+      "symbol": "AddMFADevice",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/grpcserver.go",
+      "symbol": "deleteMFADeviceAuthChallenge",
+      "repo": null
+    },
+    {
+      "file": "lib/client/weblogin.go",
+      "symbol": "SSHAgentU2FLogin",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/u2f/authenticate.go",
+      "symbol": "AuthenticateInit",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/u2f/authenticate.go",
+      "symbol": "AuthenticateSignChallenge",
+      "repo": null
+    },
+    {
+      "file": "lib/auth/u2f/authenticate.go",
+      "symbol": "AuthenticateVerify",
+      "repo": null
+    },
+    {
+      "file": "lib/services/local/users.go",
+      "symbol": "GetMFADevices",
+      "repo": null
+    },
+    {
+      "file": "lib/services/local/users.go",
+      "symbol": "DeleteMFADevice",
+      "repo": null
+    }
+  ]
+}

benchmarks/csb_sdlc_debug/teleport-ssh-regression-prove-001/tests/ground_truth_meta.json

@@ -0,0 +1,18 @@
+{
+  "has_ground_truth": true,
+  "has_chunk_ground_truth": false,
+  "ground_truth_source": "curator_agent",
+  "ground_truth_confidence": "medium",
+  "task_name": "teleport-ssh-regression-prove-001",
+  "curator_agent_version": "2.0",
+  "model": "claude-opus-4-6",
+  "backend": "hybrid",
+  "timestamp": "2026-03-03T16:28:55Z",
+  "files_count": 8,
+  "edit_files_count": 0,
+  "chunks_count": 0,
+  "symbols_count": 14,
+  "cost_usd": 3.1670065999999992,
+  "elapsed_sec": 483.9,
+  "exploration_notes": "Investigation identified three root causes for multi-device U2F authentication issues:\n\n1. **Single-device lock-in for old/web clients** (lib/auth/auth.go:830-884): The `U2FAuthenticateChallenge` struct embeds a single `*u2f.AuthenticateChallenge` for backward compatibility. When JSON-serialized, Go flattens the embedded struct fields to the top level. Old clients (and the web UI via POST /webapi/u2f/signrequest) only read these top-level fields, seeing only 1 device challenge out of N registere"
+}

benchmarks/csb_sdlc_design/django-pre-validate-signal-design-001/tests/ground_truth.json

@@ -0,0 +1,18 @@
+{
+  "files": [
+    "django/db/models/signals.py",
+    "django/db/models/base.py"
+  ],
+  "symbols": [
+    {
+      "file": "django/db/models/signals.py",
+      "symbol": "pre_validate",
+      "repo": null
+    },
+    {
+      "file": "django/db/models/base.py",
+      "symbol": "full_clean",
+      "repo": null
+    }
+  ]
+}

benchmarks/csb_sdlc_design/django-pre-validate-signal-design-001/tests/ground_truth_meta.json

@@ -0,0 +1,18 @@
+{
+  "has_ground_truth": true,
+  "has_chunk_ground_truth": false,
+  "ground_truth_source": "curator_agent",
+  "ground_truth_confidence": "medium",
+  "task_name": "django-pre-validate-signal-design-001",
+  "curator_agent_version": "2.0",
+  "model": "claude-opus-4-6",
+  "backend": "hybrid",
+  "timestamp": "2026-03-03T16:21:54Z",
+  "files_count": 2,
+  "edit_files_count": 0,
+  "chunks_count": 0,
+  "symbols_count": 2,
+  "cost_usd": 0.6277082500000001,
+  "elapsed_sec": 70.6,
+  "exploration_notes": "Added pre_validate signal to Django models. Three changes were made: (1) Defined `pre_validate = ModelSignal(use_caching=True)` in signals.py alongside existing model signals, (2) Added `pre_validate` to the import list in base.py, (3) Dispatched the signal at the top of `full_clean()` before any validation runs, following the exact same pattern as `pre_save` \u2014 using `self._meta.auto_created` guard, `send()` with `sender=self.__class__` and `instance=self`, plus validation-relevant kwargs (exclu"
+}

benchmarks/csb_sdlc_design/django-rate-limit-design-001/tests/ground_truth.json

@@ -0,0 +1,32 @@
+{
+  "files": [
+    "django/middleware/ratelimit.py",
+    "django/middleware/security.py",
+    "django/middleware/clickjacking.py",
+    "django/middleware/common.py",
+    "django/utils/deprecation.py",
+    "django/http/response.py"
+  ],
+  "symbols": [
+    {
+      "file": "django/middleware/ratelimit.py",
+      "symbol": "RateLimitMiddleware",
+      "repo": null
+    },
+    {
+      "file": "django/utils/deprecation.py",
+      "symbol": "MiddlewareMixin",
+      "repo": null
+    },
+    {
+      "file": "django/http/response.py",
+      "symbol": "HttpResponseForbidden",
+      "repo": null
+    },
+    {
+      "file": "django/middleware/security.py",
+      "symbol": "SecurityMiddleware",
+      "repo": null
+    }
+  ]
+}

benchmarks/csb_sdlc_design/django-rate-limit-design-001/tests/ground_truth_meta.json

@@ -0,0 +1,18 @@
+{
+  "has_ground_truth": true,
+  "has_chunk_ground_truth": false,
+  "ground_truth_source": "curator_agent",
+  "ground_truth_confidence": "medium",
+  "task_name": "django-rate-limit-design-001",
+  "curator_agent_version": "2.0",
+  "model": "claude-opus-4-6",
+  "backend": "hybrid",
+  "timestamp": "2026-03-03T16:21:41Z",
+  "files_count": 6,
+  "edit_files_count": 0,
+  "chunks_count": 0,
+  "symbols_count": 4,
+  "cost_usd": 0.5020742499999999,
+  "elapsed_sec": 58.3,
+  "exploration_notes": "Created django/middleware/ratelimit.py with RateLimitMiddleware following the actual Django middleware pattern observed in security.py, clickjacking.py, and common.py. The pattern is: extend MiddlewareMixin, call super().__init__(get_response), read settings in __init__ with getattr defaults, and use process_request to intercept requests (returning a response short-circuits the pipeline). The middleware tracks per-IP request timestamps in a class-level dict, returns HttpResponseForbidden (403) w"
+}