arg-dashboard 0.1.19__tar.gz

arg_dashboard-0.1.19/.devcontainer/Dockerfile

@@ -0,0 +1,103 @@
+FROM node:20
+
+ARG TZ
+ENV TZ="$TZ"
+
+ARG CLAUDE_CODE_VERSION=latest
+
+# Install basic development tools and iptables/ipset
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  less \
+  git \
+  procps \
+  sudo \
+  fzf \
+  zsh \
+  man-db \
+  unzip \
+  gnupg2 \
+  gh \
+  iptables \
+  ipset \
+  iproute2 \
+  dnsutils \
+  aggregate \
+  jq \
+  nano \
+  vim \
+  && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Ensure default node user has access to /usr/local/share
+RUN mkdir -p /usr/local/share/npm-global && \
+  chown -R node:node /usr/local/share
+
+ARG USERNAME=node
+
+# Persist bash history.
+RUN SNIPPET="export PROMPT_COMMAND='history -a' && export HISTFILE=/commandhistory/.bash_history" \
+  && mkdir /commandhistory \
+  && touch /commandhistory/.bash_history \
+  && chown -R $USERNAME /commandhistory
+
+# Set `DEVCONTAINER` environment variable to help with orientation
+ENV DEVCONTAINER=true
+
+# Create workspace and config directories and set permissions
+RUN mkdir -p /workspace /home/node/.claude /home/node/.local/mcp-servers /home/node/.config/claude /home/node/.pixi && \
+  chown -R node:node /workspace /home/node/.claude /home/node/.local /home/node/.config /home/node/.pixi
+
+WORKDIR /workspace
+
+ARG GIT_DELTA_VERSION=0.18.2
+RUN ARCH=$(dpkg --print-architecture) && \
+  wget "https://github.com/dandavison/delta/releases/download/${GIT_DELTA_VERSION}/git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb" && \
+  sudo dpkg -i "git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb" && \
+  rm "git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb"
+
+# Set up non-root user
+USER node
+
+# Install global packages
+ENV NPM_CONFIG_PREFIX=/usr/local/share/npm-global
+ENV PATH=$PATH:/usr/local/share/npm-global/bin
+
+# Set the default shell to zsh rather than sh
+ENV SHELL=/bin/zsh
+
+# Set the default editor and visual
+ENV EDITOR=nano
+ENV VISUAL=nano
+
+# # Default powerline10k theme
+# ARG ZSH_IN_DOCKER_VERSION=1.2.0
+# RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v${ZSH_IN_DOCKER_VERSION}/zsh-in-docker.sh)" -- \
+#   -p git \
+#   -p fzf \
+#   -a "source /usr/share/doc/fzf/examples/key-bindings.zsh" \
+#   -a "source /usr/share/doc/fzf/examples/completion.zsh" \
+#   -a "export PROMPT_COMMAND='history -a' && export HISTFILE=/commandhistory/.bash_history" \
+#   -x
+
+# Install Claude
+RUN npm install -g @anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}
+
+
+# Copy and set up firewall script
+COPY init-firewall.sh /usr/local/bin/
+USER root
+RUN chmod +x /usr/local/bin/init-firewall.sh && \
+  echo "node ALL=(root) NOPASSWD: /usr/local/bin/init-firewall.sh" > /etc/sudoers.d/node-firewall && \
+  chmod 0440 /etc/sudoers.d/node-firewall
+USER node
+
+# Install pixi (conda-based package manager for MCP servers)
+RUN curl -fsSL https://pixi.sh/install.sh | bash
+
+# Install uv (Python package manager for pyproject.toml-based MCP servers)
+RUN curl -LsSf https://astral.sh/uv/install.sh | bash
+
+# Update PATH to include pixi, uv, and local binaries
+ENV PATH="/home/node/.pixi/bin:/home/node/.cargo/bin:/home/node/.local/bin:${PATH}"
+
+RUN echo 'eval "$(pixi/bin/pixi completion -s bash)"' >> /home/node/.bashrc
+RUN echo 'eval "$(pixi/bin/pixi completion -s zsh)"' >> /home/node/.zshrc

arg_dashboard-0.1.19/.devcontainer/README.md

@@ -0,0 +1,135 @@
+# MCP Devcontainer Setup with Pixi
+
+This devcontainer configuration sets up MCP (Model Context Protocol) servers using pixi for dependency management.
+
+**Platform:** Linux-64 only (works on all Docker hosts, including Apple Silicon via Rosetta)
+
+## Quick Start
+
+1. Copy the `.devcontainer` folder to your project
+2. Open in VS Code and select "Reopen in Container"
+3. MCP servers will be installed automatically via `postCreateCommand`
+
+## Configuration
+
+### Choosing an Environment
+
+Set `MCP_ENV` before building the container to choose which servers to install:
+
+```bash
+# In devcontainer.json, modify containerEnv:
+"containerEnv": {
+  "MCP_ENV": "research"  # Options: minimal, default, research, full
+}
+```
+
+**Available environments:**
+- `minimal` - Just filesystem server
+- `default` - filesystem, memory, fetch
+- `research` - filesystem, arxiv, fetch
+- `full` - All servers
+
+### Adding New Servers
+
+#### Option 1: Add to pixi.toml (recommended for PyPI/conda packages)
+
+Edit `.devcontainer/mcp-setup/pixi.toml`:
+
+```toml
+[feature.my-new-server]
+[feature.my-new-server.pypi-dependencies]
+my-new-mcp-server = "*"
+
+# Or from git:
+[feature.another-server]
+[feature.another-server.pypi-dependencies]
+another-server = { git = "https://github.com/user/repo.git" }
+```
+
+Then add the feature to an environment:
+
+```toml
+[environments]
+default = { features = ["filesystem", "memory", "fetch", "my-new-server"], solve-group = "default" }
+```
+
+And update `generate-config.sh` to include the new server mapping.
+
+#### Option 2: Clone from git (supports both pixi.toml and pyproject.toml)
+
+Add to `.devcontainer/mcp-setup/servers.txt`:
+
+```
+my-server|git-clone|https://github.com/user/my-mcp-server.git|
+```
+
+The setup automatically detects and handles:
+- **pixi.toml**: Creates isolated conda environment via `pixi install`
+- **pyproject.toml**: Installs in shared pixi environment via `pixi run pip install -e`
+  - Uses pixi's Python (includes development headers)
+  - Avoids missing `Python.h` compilation errors
+  - Better binary compatibility via conda-forge packages
+
+### Using the MCP Servers
+
+After installation, the MCP config is at:
+```
+~/.config/claude/mcp_servers.json
+```
+
+Wrapper scripts are at:
+```
+~/.local/mcp-servers/wrappers/
+```
+
+### Testing
+
+Run the test script to verify all servers are working:
+
+```bash
+bash .devcontainer/mcp-setup/test-servers.sh
+```
+
+### Regenerating Config
+
+If you modify the setup, regenerate the config:
+
+```bash
+cd ~/.local/mcp-servers
+bash /workspace/.devcontainer/mcp-setup/generate-config.sh default
+```
+
+## File Structure
+
+```
+.devcontainer/
+├── devcontainer.json      # VS Code devcontainer config
+├── Dockerfile             # Container image with pixi
+└── mcp-setup/
+    ├── pixi.toml          # MCP server dependencies
+    ├── install.sh         # Main installation script
+    ├── generate-config.sh # Generates Claude MCP config
+    ├── test-servers.sh    # Tests installed servers
+    └── servers.txt        # Git repos to clone
+```
+
+## Troubleshooting
+
+### Servers not found
+
+1. Check that pixi installed correctly: `pixi --version`
+2. Verify the environment: `cd ~/.local/mcp-servers && pixi info`
+3. Check wrapper scripts exist: `ls ~/.local/mcp-servers/wrappers/`
+
+### Permission issues
+
+The setup runs as the `vscode` user. All installations go to user-writable directories:
+- `~/.local/mcp-servers/`
+- `~/.config/claude/`
+- `~/.pixi/`
+
+### Dependency conflicts
+
+If servers have conflicting dependencies, consider:
+1. Using separate pixi environments per server
+2. Installing conflicting servers via `servers.txt` with their own pixi.toml

arg_dashboard-0.1.19/.devcontainer/devcontainer.json

@@ -0,0 +1,110 @@
+{
+  "name": "Claude Code Sandbox",
+  "build": {
+    "dockerfile": "Dockerfile",
+    "args": {
+      "TZ": "${localEnv:TZ:America/Los_Angeles}",
+      "CLAUDE_CODE_VERSION": "latest",
+      "GIT_DELTA_VERSION": "0.18.2",
+      "ZSH_IN_DOCKER_VERSION": "1.2.0"
+    },
+    // "context": "..",
+    "options": ["--platform=linux/amd64"]
+  },
+  "runArgs": [
+    "--cap-add=NET_ADMIN",
+    "--cap-add=NET_RAW",
+    "--platform=linux/amd64"
+  ],
+  // "runArgs": ["--cap-add=NET_ADMIN", "--cap-add=NET_RAW"],
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {
+      "installZsh": true,
+      "configureZshAsDefaultShell": true,
+      "installOhMyZsh": true
+    }
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "anthropic.claude-code",
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "eamodio.gitlens",
+        "be5invis.toml",
+        "ms-vscode.cpptools-",
+        "ms-toolsai.jupyter-",
+        "reditorsupport.r-syntax",
+        "dnut.rewrap-revived",
+        "ms-vscode.vscode-speech",
+        "njpwerner.autodocst",
+        "samuelcolvin.jinjah",
+        "ms-vscode.cpptools",
+        "ms-vscode.cmake-tools",
+        "vadimcn.vscode-lldb",
+        "streetsidesoftware.code-spell-checker",
+        "howardzuo.vscode-favorites",
+        "mhutchie.git-graph",
+        "github.vscode-github-actions",
+        "github.vscode-pull-request-github",
+        // "ms-python.isort",
+        "ms-toolsai.jupyter",
+        "ms-toolsai.vscode-jupyter-cell-tags",
+        "ms-toolsai.jupyter-renderers",
+        "james-yu.latex-workshop",
+        "sumneko.lua",
+        "yzhang.markdown-all-in-one",
+        "takumii.markdownt",
+        "webfreak.debug",
+        "ms-python.vscode-pylance",
+        "ms-python.python",
+        "ms-python.debugpy",
+        "ms-python.vscode-python-envs",
+        "quarto.quarto",
+        "reditorsupport.r",
+        "mechatroner.rainbow-csv",
+        "redhat.vscode-yaml",
+        "charliermarsh.ruff", 
+        "tamasfe.even-better-toml"
+      ],
+      "settings": {
+        "editor.formatOnSave": true,
+        "editor.defaultFormatter": "esbenp.prettier-vscode",
+        "editor.codeActionsOnSave": {
+          "source.fixAll.eslint": "explicit"
+        },
+        "terminal.integrated.defaultProfile.linux": "zsh",
+        "terminal.integrated.profiles.linux": {
+          "bash": {
+            "path": "bash",
+            "icon": "terminal-bash"
+          },
+          "zsh": {
+            "path": "zsh"
+          }
+        }
+      }
+    }
+  },
+  // "postCreateCommand": "pixi config set --local run-post-link-scripts insecure && /workspace/.devcontainer/mcp-setup/install.sh",
+  "postCreateCommand": "/workspace/.devcontainer/mcp-setup/install.sh",
+  "remoteUser": "node",
+  "mounts": [
+    "source=claude-code-bashhistory-${devcontainerId},target=/commandhistory,type=volume",
+    "source=claude-code-config-${devcontainerId},target=/home/node/.claude,type=volume"
+  ],
+  "containerEnv": {
+    "NODE_OPTIONS": "--max-old-space-size=4096",
+    "CLAUDE_CONFIG_DIR": "/home/node/.claude",
+    "POWERLEVEL9K_DISABLE_GITSTATUS": "true",
+    "PIXI_HOME": "/home/node/.pixi",
+    "MCP_SERVERS_DIR": "/home/node/.local/mcp-servers"
+  },
+  "remoteEnv": {
+    "PATH": "${containerEnv:PATH}:/home/node/.pixi/bin:/home/node/.cargo/bin:/home/node/.local/bin"
+  },
+  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
+  "workspaceFolder": "/workspace",
+  "postStartCommand": "sudo /usr/local/bin/init-firewall.sh",
+  "waitFor": "postStartCommand"
+}

arg_dashboard-0.1.19/.devcontainer/init-firewall.sh

@@ -0,0 +1,157 @@
+#!/bin/bash
+# set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
+# IFS=$'\n\t'       # Stricter word splitting
+
+# =============================================================================
+# FIREWALL DISABLED
+# =============================================================================
+# The IP-based whitelist approach is incompatible with Claude Code's WebSearch
+# and WebFetch tools, which need general internet access.
+#
+# Docker/devcontainer already provides sufficient compartmentalization:
+# - Claude can only access mounted paths (/workspace, /commandhistory, ~/.claude)
+# - No access to host filesystem, other containers, or host processes
+#
+# To re-enable the firewall, uncomment the code below.
+# =============================================================================
+
+echo "Firewall disabled - relying on Docker container isolation"
+exit 0
+
+# # 1. Extract Docker DNS info BEFORE any flushing
+# DOCKER_DNS_RULES=$(iptables-save -t nat | grep "127\.0\.0\.11" || true)
+#
+# # Flush existing rules and delete existing ipsets
+# iptables -F
+# iptables -X
+# iptables -t nat -F
+# iptables -t nat -X
+# iptables -t mangle -F
+# iptables -t mangle -X
+# ipset destroy allowed-domains 2>/dev/null || true
+#
+# # 2. Selectively restore ONLY internal Docker DNS resolution
+# if [ -n "$DOCKER_DNS_RULES" ]; then
+#     echo "Restoring Docker DNS rules..."
+#     iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
+#     iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
+#     echo "$DOCKER_DNS_RULES" | xargs -L 1 iptables -t nat
+# else
+#     echo "No Docker DNS rules to restore"
+# fi
+#
+# # First allow DNS and localhost before any restrictions
+# # Allow outbound DNS
+# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+# # Allow inbound DNS responses
+# iptables -A INPUT -p udp --sport 53 -j ACCEPT
+# # Allow outbound SSH
+# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+# # Allow inbound SSH responses
+# iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+# # Allow localhost
+# iptables -A INPUT -i lo -j ACCEPT
+# iptables -A OUTPUT -o lo -j ACCEPT
+#
+# # Create ipset with CIDR support
+# ipset create allowed-domains hash:net
+#
+# # Fetch GitHub meta information and aggregate + add their IP ranges
+# echo "Fetching GitHub IP ranges..."
+# gh_ranges=$(curl -s https://api.github.com/meta)
+# if [ -z "$gh_ranges" ]; then
+#     echo "ERROR: Failed to fetch GitHub IP ranges"
+#     exit 1
+# fi
+#
+# if ! echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null; then
+#     echo "ERROR: GitHub API response missing required fields"
+#     exit 1
+# fi
+#
+# echo "Processing GitHub IPs..."
+# while read -r cidr; do
+#     if [[ ! "$cidr" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then
+#         echo "ERROR: Invalid CIDR range from GitHub meta: $cidr"
+#         exit 1
+#     fi
+#     echo "Adding GitHub range $cidr"
+#     ipset add allowed-domains "$cidr"
+# done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | aggregate -q)
+#
+# # Resolve and add other allowed domains
+# for domain in \
+#     "registry.npmjs.org" \
+#     "api.anthropic.com" \
+#     "sentry.io" \
+#     "statsig.anthropic.com" \
+#     "statsig.com" \
+#     "marketplace.visualstudio.com" \
+#     "vscode.blob.core.windows.net" \
+#     "update.code.visualstudio.com" \
+#     "conda.anaconda.org" \
+#     "repo.anaconda.com" \
+#     "pypi.org" \
+#     "files.pythonhosted.org"; do
+#     echo "Resolving $domain..."
+#     ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
+#     if [ -z "$ips" ]; then
+#         echo "ERROR: Failed to resolve $domain"
+#         exit 1
+#     fi
+#
+#     while read -r ip; do
+#         if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+#             echo "ERROR: Invalid IP from DNS for $domain: $ip"
+#             exit 1
+#         fi
+#         echo "Adding $ip for $domain"
+#         ipset add allowed-domains "$ip"
+#     done < <(echo "$ips")
+# done
+#
+# # Get host IP from default route
+# HOST_IP=$(ip route | grep default | cut -d" " -f3)
+# if [ -z "$HOST_IP" ]; then
+#     echo "ERROR: Failed to detect host IP"
+#     exit 1
+# fi
+#
+# HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
+# echo "Host network detected as: $HOST_NETWORK"
+#
+# # Set up remaining iptables rules
+# iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
+# iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
+#
+# # Set default policies to DROP first
+# iptables -P INPUT DROP
+# iptables -P FORWARD DROP
+# iptables -P OUTPUT DROP
+#
+# # First allow established connections for already approved traffic
+# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+#
+# # Then allow only specific outbound traffic to allowed domains
+# iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
+#
+# # Explicitly REJECT all other outbound traffic for immediate feedback
+# iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
+#
+# echo "Firewall configuration complete"
+# echo "Verifying firewall rules..."
+# if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
+#     echo "ERROR: Firewall verification failed - was able to reach https://example.com"
+#     exit 1
+# else
+#     echo "Firewall verification passed - unable to reach https://example.com as expected"
+# fi
+#
+# # Verify GitHub API access
+# if ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
+#     echo "ERROR: Firewall verification failed - unable to reach https://api.github.com"
+#     exit 1
+# else
+#     echo "Firewall verification passed - able to reach https://api.github.com as expected"
+# fi