Merge remote-tracking branch 'origin/ralph/gapfill-onboarding'

# Conflicts:
#	configs/selected_benchmark_tasks.json

Author: LoCoBench Bot

benchmarks/ccb_onboarding/onboard-handoff-001/environment/Dockerfile

@@ -0,0 +1,18 @@
+FROM ubuntu:22.04
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    python3 \
+    python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Clone Envoy at pinned commit (v1.32.1 stable release)
+RUN git clone https://github.com/envoyproxy/envoy.git /workspace \
+    && cd /workspace \
+    && git checkout v1.32.1
+
+WORKDIR /workspace
+
+# Create logs directory for output
+RUN mkdir -p /logs/agent

benchmarks/ccb_onboarding/onboard-handoff-001/instruction.md

@@ -0,0 +1,69 @@
+# Team Handoff: Envoy ext_authz Filter
+
+You are taking over ownership of the **ext_authz HTTP filter** from a departing team member. Your task is to produce a comprehensive handoff document that will help you (and future maintainers) understand this component.
+
+## Context
+
+The ext_authz filter is one of Envoy's authorization extensions. Your predecessor maintained it for the past year but is moving to a different project. You need to quickly build a working mental model of this component.
+
+## Your Task
+
+Explore the Envoy codebase and produce a handoff document at `/logs/agent/onboarding.md` covering the following sections:
+
+### 1. Purpose
+What does the ext_authz filter do? What problems does it solve? When would someone use it?
+
+### 2. Dependencies
+- **Upstream dependencies**: What other Envoy components or libraries does ext_authz depend on?
+- **Downstream consumers**: What uses or integrates with ext_authz? How is it configured in Envoy's filter chain?
+
+### 3. Key Files
+List the most important source files for this filter. For each file, explain its role (e.g., "configuration parsing", "request handling", "gRPC client implementation").
+
+### 4. Failure Modes
+What can go wrong? What are common failure scenarios? How does the filter handle errors (e.g., authorization service unavailable, timeout, network failure)?
+
+### 5. Testing
+How is this filter tested? Where are the tests located? Are there integration tests, unit tests, or both?
+
+### 6. Debugging
+If something goes wrong with ext_authz in production, how would you debug it? What logs, metrics, or traces would you look at?
+
+## Output Format
+
+Write your findings to `/logs/agent/onboarding.md` using the following structure:
+
+```markdown
+# ext_authz Filter Handoff Document
+
+## 1. Purpose
+[Your findings here]
+
+## 2. Dependencies
+### Upstream Dependencies
+[What ext_authz depends on]
+
+### Downstream Consumers
+[What depends on ext_authz]
+
+## 3. Key Files
+- **path/to/file.cc**: [Role/responsibility]
+- **path/to/file.h**: [Role/responsibility]
+...
+
+## 4. Failure Modes
+[Failure scenarios and error handling]
+
+## 5. Testing
+[Test locations, test types, how to run tests]
+
+## 6. Debugging
+[Debugging strategies, observability]
+```
+
+## Guidelines
+
+- Be specific. Reference actual file paths, class names, function names.
+- Focus on understanding the **system's behavior**, not just describing the code.
+- This is analysis only — do not modify any code.
+- Use MCP tools (list_files, nls_search, read_file, find_references) to explore the codebase efficiently.

benchmarks/ccb_onboarding/onboard-handoff-001/task.toml

@@ -0,0 +1,19 @@
+[task]
+name = "onboard-handoff-001"
+category = "team_handoff"
+language = "cpp"
+difficulty = "hard"
+time_limit_sec = 1800
+environment = "docker"
+
+[task.metadata]
+description = "Team handoff for Envoy ext_authz filter ownership"
+repo = "envoyproxy/envoy"
+target_component = "ext_authz HTTP filter"
+output_path = "/logs/agent/onboarding.md"
+
+[task.metadata.mcp_benefit]
+context_complexity = 0.9
+cross_file_deps = 0.8
+semantic_search_potential = 0.85
+tool_chain_weight = 0.7

benchmarks/ccb_onboarding/onboard-handoff-001/tests/ground_truth.json

@@ -0,0 +1,158 @@
+{
+  "weights": {
+    "required_findings": 0.25,
+    "file_references": 0.30,
+    "causal_chain": 0.30,
+    "negative_checks": 0.15
+  },
+  "required_findings": [
+    {
+      "id": "purpose_authz",
+      "patterns": ["external authorization", "ext_?authz", "authorization service", "delegat(e|ing) auth"],
+      "weight": 1.0,
+      "description": "Identifies that ext_authz delegates authorization decisions to an external service",
+      "section": "purpose"
+    },
+    {
+      "id": "purpose_grpc_http",
+      "patterns": ["gRPC", "HTTP.*protocol", "protocol.*service"],
+      "weight": 1.0,
+      "description": "Mentions that ext_authz supports gRPC or HTTP protocol for authz service",
+      "section": "purpose"
+    },
+    {
+      "id": "upstream_grpc_async",
+      "patterns": ["Grpc::AsyncClient", "AsyncClient", "grpc.*client"],
+      "weight": 1.0,
+      "description": "Identifies gRPC async client as upstream dependency",
+      "section": "dependencies"
+    },
+    {
+      "id": "upstream_http_filter_chain",
+      "patterns": ["http.*filter.*chain", "StreamDecoderFilter", "filter.*interface"],
+      "weight": 1.0,
+      "description": "Identifies HTTP filter chain/interface dependency",
+      "section": "dependencies"
+    },
+    {
+      "id": "failure_mode_timeout",
+      "patterns": ["timeout", "request.*timeout", "TTL"],
+      "weight": 1.0,
+      "description": "Mentions timeout as a failure mode",
+      "section": "failure_modes"
+    },
+    {
+      "id": "failure_mode_unavailable",
+      "patterns": ["service.*unavailable", "connection.*fail", "network.*error"],
+      "weight": 1.0,
+      "description": "Mentions service unavailability as failure mode",
+      "section": "failure_modes"
+    },
+    {
+      "id": "testing_integration",
+      "patterns": ["integration.*test", "ext_authz.*integration", "test/integration"],
+      "weight": 1.0,
+      "description": "Identifies integration tests for ext_authz",
+      "section": "testing"
+    }
+  ],
+  "file_references": [
+    {
+      "id": "file_ext_authz_h",
+      "patterns": ["source/extensions/filters/http/ext_authz/ext_authz\\.h"],
+      "weight": 1.5,
+      "description": "Main header file for ext_authz filter",
+      "section": "key_files"
+    },
+    {
+      "id": "file_ext_authz_cc",
+      "patterns": ["source/extensions/filters/http/ext_authz/ext_authz\\.cc"],
+      "weight": 1.5,
+      "description": "Main implementation file for ext_authz filter",
+      "section": "key_files"
+    },
+    {
+      "id": "file_config",
+      "patterns": ["source/extensions/filters/http/ext_authz/config\\.(h|cc)", "source/extensions/filters/http/ext_authz/config\\.h", "source/extensions/filters/http/ext_authz/config\\.cc"],
+      "weight": 1.0,
+      "description": "Configuration parsing for ext_authz",
+      "section": "key_files"
+    },
+    {
+      "id": "file_ext_authz_grpc",
+      "patterns": ["source/extensions/filters/http/ext_authz/ext_authz_grpc"],
+      "weight": 1.0,
+      "description": "gRPC client implementation for ext_authz",
+      "section": "key_files"
+    },
+    {
+      "id": "file_ext_authz_http",
+      "patterns": ["source/extensions/filters/http/ext_authz/ext_authz_http"],
+      "weight": 1.0,
+      "description": "HTTP client implementation for ext_authz",
+      "section": "key_files"
+    },
+    {
+      "id": "test_integration",
+      "patterns": ["test/integration/filters/ext_authz.*test\\.cc", "test/integration.*ext_authz"],
+      "weight": 1.0,
+      "description": "Integration test files",
+      "section": "testing"
+    },
+    {
+      "id": "test_unit",
+      "patterns": ["test/extensions/filters/http/ext_authz/.*test\\.cc", "test.*ext_authz.*test"],
+      "weight": 1.0,
+      "description": "Unit test files",
+      "section": "testing"
+    }
+  ],
+  "causal_chain": [
+    {
+      "id": "chain_request_flow",
+      "patterns": ["decodeHeaders", "check", "authorization service"],
+      "weight": 1.5,
+      "description": "Describes request flow from filter decoding to authorization service call",
+      "section": "purpose"
+    },
+    {
+      "id": "chain_failure_handling",
+      "patterns": ["timeout|failure|error", "fail.*mode", "deny|allow"],
+      "weight": 1.5,
+      "description": "Describes failure handling chain: error detection -> failure mode policy -> response generation",
+      "section": "failure_modes"
+    },
+    {
+      "id": "chain_config_bootstrap",
+      "patterns": ["bootstrap|envoy\\.yaml|config", "http_filters", "ext_authz"],
+      "weight": 1.0,
+      "description": "Describes configuration flow from bootstrap to filter chain to ext_authz config",
+      "section": "dependencies"
+    },
+    {
+      "id": "chain_authz_response",
+      "patterns": ["CheckResponse|authorization.*response", "ok|success", "continue"],
+      "weight": 1.0,
+      "description": "Describes successful authorization response flow",
+      "section": "purpose"
+    }
+  ],
+  "negative_checks": [
+    {
+      "id": "neg_wrong_location",
+      "patterns": ["source/common/http/ext_authz"],
+      "weight": 1.0,
+      "description": "Incorrect location (ext_authz is in extensions/, not common/)",
+      "section": "key_files",
+      "should_not_match": true
+    },
+    {
+      "id": "neg_single_protocol",
+      "patterns": ["ext_authz (only supports|is limited to) (gRPC|HTTP)(?!.*and)"],
+      "weight": 1.0,
+      "description": "Incorrectly claims ext_authz only supports one protocol (it supports both gRPC and HTTP)",
+      "section": "purpose",
+      "should_not_match": true
+    }
+  ]
+}