Tools that have been security-reviewed and are pre-approved for agent use. Check this list before installing anything. If a tool is not listed, request approval in Discord #admin.
Python Packages (pip)
| Package |
Install |
Purpose |
Reviewed |
Notes |
| mkdocs-material |
pip install mkdocs-material |
Documentation site generation |
2026-03-15 |
Includes mkdocs core, pymdownx, mermaid support |
| websockify |
pip install websockify |
noVNC proxy (WebSocket to VNC) |
2026-03-15 |
Used on Mac Mini M4 for noVNC |
TTS engines (Mac Mini, run-the-docs Claude Code series)
Reviewed 2026-06-07 — see security review. All confirmed local-inference, no telemetry, no exfiltration in audited paths; commercial-use OK. Install per the review's hash-locked plan (chatterbox --no-deps, or two isolated venvs — transformers==5.2.0 vs 4.57.3 cannot coexist), and run offline (HF_HUB_OFFLINE=1) after the first-run weight download. Never enable the Qwen DashScope cloud path; never pass remote reference-audio URLs.
| Package |
Install |
Purpose |
Reviewed |
Notes |
| chatterbox-tts |
pip install --no-deps "chatterbox-tts==0.1.7" |
Multilingual zero-shot local TTS narration (Resemble AI) |
2026-06-07 |
MIT, commercial-use OK. --no-deps to avoid the transformers==5.2.0/diffusers==0.29.0 clash with qwen-tts. Embeds benign Perth watermark (attribution only, no exfil, no commercial block). Run offline after weight download. |
| resemble-perth |
pip install "resemble-perth>=1.0.0" |
Imperceptible audio watermark used by chatterbox-tts |
2026-06-07 |
MIT. Checkpoint bundled in wheel. Pure local inference, zero network calls. |
| qwen-tts |
pip install "qwen-tts==0.1.1" |
Qwen3-TTS local TTS / voice clone (Alibaba, import qwen_tts) |
2026-06-07 |
Apache-2.0, commercial-use OK. No watermark. DO NOT use the DashScope cloud path; voice-clone refs = local paths only. Official QwenLM package (not a wrapper). |
| s3tokenizer |
pip install s3tokenizer |
Speech tokenizer backbone for chatterbox-tts |
2026-06-07 |
Apache-2.0. Downloads ONNX from modelscope.cn with SHA256 verification. No telemetry. |
| conformer |
pip install "conformer==0.3.2" |
Conformer module (chatterbox sub-dep) |
2026-06-07 |
MIT (lucidrains). Pure PyTorch, no network. |
| diffusers |
pip install "diffusers==0.29.0" |
Diffusion components (chatterbox sub-dep) |
2026-06-07 |
Apache-2.0 (HuggingFace). HF model hub only, no telemetry. |
| omegaconf |
pip install omegaconf |
Config loading (chatterbox sub-dep) |
2026-06-07 |
BSD-3-Clause. No network. |
| pykakasi |
pip install "pykakasi==2.3.0" |
Japanese kana/kanji conversion (chatterbox sub-dep) |
2026-06-07 |
GPL-3.0 — copyleft applies to code redistribution only, NOT to generated audio. Local-only, no network. |
| spacy-pkuseg |
pip install spacy-pkuseg |
Chinese word segmentation (chatterbox sub-dep) |
2026-06-07 |
MIT (Explosion). Model downloads from GitHub releases. No telemetry. |
| pyloudnorm |
pip install pyloudnorm |
Loudness normalization (chatterbox sub-dep) |
2026-06-07 |
MIT. Pure DSP, no network. |
| einops |
pip install einops |
Tensor ops (qwen/chatterbox sub-dep) |
2026-06-07 |
MIT. No network. |
Not yet approved — needs its own review: uv (Astral) and uv-managed CPython 3.12 are used on the Mac Mini to build the TTS venvs (brew python@3.12 ships a broken pyexpat). They are not covered by the TTS review above; file a separate security review before listing them here.
Node.js Packages (npm/npx)
| Package |
Install |
Purpose |
Reviewed |
Notes |
| wrangler |
npx wrangler |
Cloudflare Workers/Pages CLI |
2026-03-14 |
Deploy workers, pages, D1, KV |
Homebrew (macOS only)
| Package |
Install |
Purpose |
Reviewed |
Notes |
| xcodegen |
brew install xcodegen |
Generate .xcodeproj from project.yml |
Pre-existing |
All iOS apps depend on this |
| displayplacer |
brew install displayplacer |
Display resolution management |
2026-03-15 |
Used for VNC display debugging |
| gh |
brew install gh |
GitHub CLI |
Pre-existing |
Core tool for all agents |
| bw |
brew install bitwarden-cli (or GitHub release, checksum-verified) |
Bitwarden personal-vault CLI |
2026-05-25 (Pre-existing — Ops-E v0 uses since 2026-05-23) |
Bitwarden Inc., open-source. Reads personal-vault items via bw login --apikey + bw unlock --passwordenv BW_PASSWORD --raw. Used by encrypt-secret.yml, rotate-discord-webhook-url.yml, delete-discord-webhook.yml in dashecorp/rig-gitops. Requires master password in BW_PASSWORD GHA secret — see decisions/2026-05-25-ops-e-v0-bws-vs-rotation.md for the BWS-migration option that obviates that requirement. |
| bws |
brew install bws (or GitHub release, checksum-verified) |
Bitwarden Secrets Manager CLI |
2026-05-25 |
Separate product from bw personal-vault CLI; same vendor (Bitwarden Inc.), same open-source Rust client base. Authenticates via BWS_ACCESS_TOKEN env var only — no master password required. Stateless per invocation. Used by the Ops-E v0 BWS migration path (see decisions/2026-05-25-ops-e-v0-bws-vs-rotation.md). |
| asciinema |
brew install asciinema |
Record a live terminal session (e.g. a real Claude Code run) to a local .cast |
2026-06-06 |
v3.2.0, homebrew/core (SHA256-verified bottle). Rust; no browser/server in the record path. No telemetry; upload/auth are explicit opt-in and MUST NOT be used. Never type/show secrets during capture — .cast is plaintext JSON, grep it for secrets before sharing. Pin version; re-review before bump. See security review. |
| agg |
brew install agg |
Render an asciinema .cast to an animated GIF (then ffmpeg → MP4) |
2026-06-06 |
v1.9.0, homebrew/core (SHA256-verified bottle). Rust; local-only rendering (gifski/resvg). No network when rendering from a local .cast (the only supported use); agg --input <URL> has an outbound fetch path — do not use it. No telemetry. Pin version; re-review before bump. See security review. |
| ffmpeg |
brew install ffmpeg |
Audio/video transcode, mux, and compositing — TTS narration muxing, asciinema+agg → MP4, 4:5/Ken-Burns video assembly |
Pre-existing (2026-06-07 documented) |
Long-standing dependency of the /dashecorp-video and /run-the-docs pipelines (the final encoder for asciinema+agg recordings). Install from homebrew-core only; pin the reviewed version (8.1.1) and re-review before a major bump. |
| vhs |
brew install vhs |
Scripted synthetic terminal demos (.tape → GIF/MP4/WebM) |
2026-06-06 (APPROVE-WITH-CONDITIONS) |
MIT, homebrew/core. HIGH-RISK: .tape files execute arbitrary shell; go-rod auto-downloads a ~600 MB Chromium from Google/NPM/Playwright CDNs. Author tapes in-house only; pre-stage/pin Chromium + block CDN egress; keep the default sandbox (never VHS_NO_SANDBOX); never --publish/VHS_PUBLISH; never vhs serve. Not for recording live sessions — use asciinema+agg. See security review. |
| Tool |
Purpose |
Notes |
| git |
Version control |
Pre-installed |
| python3 |
Scripting, MkDocs |
Pre-installed on macOS |
| node/npm |
JavaScript runtime |
Pre-installed via Homebrew |
| docker |
Container runtime |
On Dell, Pi-E, Volt-E |
| kubectl |
Kubernetes CLI |
On Dell |
| tailscale |
Mesh networking |
On all hosts |
| ssh/scp |
Remote access |
On all hosts |
| curl/wget |
HTTP requests |
On all hosts |
| tmux |
Terminal multiplexer — drives the interactive claude TUI for the claude-tmux provider in the rig agent image, and is the recorder backbone of the run-the-docs Claude Code series |
Reviewed 2026-06-15. BSD-2-Clause (OpenBSD project, ~20 yrs maintained). apt install tmux (Debian main) baked into dashecorp/rig-agent-runtime Dockerfile.base; brew install tmux (homebrew-core) on the Mac Mini. Local PTY/terminal multiplexing only (libevent + ncurses) — no network, telemetry, auto-update, or remote-fetch in any code path. Pin via the distro package; re-review before a major bump. |
GitHub Actions (SHA-pinned)
| Action |
SHA |
Version |
Purpose |
| actions/checkout |
de0fac2e4500dabe0009e67214ff5f5447ce83dd |
v6 |
Checkout repo |
| actions/setup-python |
a309ff8b426b58ec0e2a45f0f869d46889d02405 |
v6 |
Python setup |
| actions/setup-node |
53b83947a5a98c8d113130e565377fae1a50d02f |
v6 |
Node.js setup |
| actions/github-script |
ed597411d8f924073f98dfc5c65a23a2325f34cd |
v8 |
GitHub API scripting |
| googleapis/release-please-action |
c3fc4de07084f75a2b61a5b933069bda6edf3d5c |
v4 |
Release management |
| cloudflare/wrangler-action |
da0e0dfe58b7a431659754fdf3f186c529afbe65 |
v3 |
CF deployments |
MCP Servers (approved for Claude Code)
See mcp-servers.md for the full list. All MCP servers listed there are approved.
- Agent posts to Discord #admin: "Need
tool-name for task. Package source: npm/pip/brew. Purpose: why."
- Codi-E or human reviews:
- Author/maintainer trust (age, stars, contributors)
- Source code audit (network calls, permissions, data exfil)
- Compare to official alternatives
- Check if broad permissions needed (filesystem, network, admin)
- If approved → add to this file via PR
- If rejected → find alternative or build our own
- NEVER install an unapproved tool — this is a security boundary
What Agents Must Do
Before installing ANY package:
1. Check this file (approved-tools.md)
2. Listed? → Install
3. Not listed? → Post to #admin, wait for approval
4. NEVER skip this check