Tools that have been security-reviewed and are pre-approved for agent use. Check this list before installing anything. If a tool is not listed, request approval in Discord #admin.
Python Packages (pip)
| Package |
Install |
Purpose |
Reviewed |
Notes |
| mkdocs-material |
pip install mkdocs-material |
Documentation site generation |
2026-03-15 |
Includes mkdocs core, pymdownx, mermaid support |
| websockify |
pip install websockify |
noVNC proxy (WebSocket to VNC) |
2026-03-15 |
Used on Mac Mini M4 for noVNC |
Node.js Packages (npm/npx)
| Package |
Install |
Purpose |
Reviewed |
Notes |
| wrangler |
npx wrangler |
Cloudflare Workers/Pages CLI |
2026-03-14 |
Deploy workers, pages, D1, KV |
Homebrew (macOS only)
| Package |
Install |
Purpose |
Reviewed |
Notes |
| xcodegen |
brew install xcodegen |
Generate .xcodeproj from project.yml |
Pre-existing |
All iOS apps depend on this |
| displayplacer |
brew install displayplacer |
Display resolution management |
2026-03-15 |
Used for VNC display debugging |
| gh |
brew install gh |
GitHub CLI |
Pre-existing |
Core tool for all agents |
| Tool |
Purpose |
Notes |
| git |
Version control |
Pre-installed |
| python3 |
Scripting, MkDocs |
Pre-installed on macOS |
| node/npm |
JavaScript runtime |
Pre-installed via Homebrew |
| docker |
Container runtime |
On Dell, Pi-E, Volt-E |
| kubectl |
Kubernetes CLI |
On Dell |
| tailscale |
Mesh networking |
On all hosts |
| ssh/scp |
Remote access |
On all hosts |
| curl/wget |
HTTP requests |
On all hosts |
GitHub Actions (SHA-pinned)
| Action |
SHA |
Version |
Purpose |
| actions/checkout |
de0fac2e4500dabe0009e67214ff5f5447ce83dd |
v6 |
Checkout repo |
| actions/setup-python |
a309ff8b426b58ec0e2a45f0f869d46889d02405 |
v6 |
Python setup |
| actions/setup-node |
53b83947a5a98c8d113130e565377fae1a50d02f |
v6 |
Node.js setup |
| actions/github-script |
ed597411d8f924073f98dfc5c65a23a2325f34cd |
v8 |
GitHub API scripting |
| googleapis/release-please-action |
c3fc4de07084f75a2b61a5b933069bda6edf3d5c |
v4 |
Release management |
| cloudflare/wrangler-action |
da0e0dfe58b7a431659754fdf3f186c529afbe65 |
v3 |
CF deployments |
MCP Servers (approved for Claude Code)
See mcp-servers.md for the full list. All MCP servers listed there are approved.
- Agent posts to Discord #admin: "Need
tool-name for task. Package source: npm/pip/brew. Purpose: why."
- Codi-E or human reviews:
- Author/maintainer trust (age, stars, contributors)
- Source code audit (network calls, permissions, data exfil)
- Compare to official alternatives
- Check if broad permissions needed (filesystem, network, admin)
- If approved → add to this file via PR
- If rejected → find alternative or build our own
- NEVER install an unapproved tool — this is a security boundary
What Agents Must Do
Before installing ANY package:
1. Check this file (approved-tools.md)
2. Listed? → Install
3. Not listed? → Post to #admin, wait for approval
4. NEVER skip this check