Installation
This page installs the agent-rigger command-line tool. Pick one of the three methods below; Homebrew is the recommended one. Then check the usage prerequisites and verify the result.
Every method gives you two commands for the same tool: agent-rigger and the shorter
rigger.
Homebrew (recommended)
Section titled “Homebrew (recommended)”On macOS and Linux, install from the official tap:
brew tap agent-rigger/tapbrew install agent-riggerThis installs a version-stamped binary and the rigger alias. The formula ships native
binaries for macOS (arm64 and x64) and Linux (arm64 and x64). Homebrew is not available
on Windows; use the release binary below instead.
To upgrade later, brew upgrade agent-rigger.
Prebuilt release binary
Section titled “Prebuilt release binary”Each tagged release attaches a standalone binary for five targets, plus a
SHA256SUMS.txt checksum file, to the GitHub release. The assets are named:
agent-rigger-darwin-arm64— macOS, Apple Siliconagent-rigger-darwin-x64— macOS, Intelagent-rigger-linux-arm64— Linux, arm64agent-rigger-linux-x64— Linux, x64agent-rigger-windows-x64.exe— Windows, x64
Download the one for your platform (this example uses macOS Apple Silicon), verify its
checksum, make it executable, and put it on your PATH:
base="https://github.com/agent-rigger/agent-rigger/releases/latest/download"curl -fLO "$base/agent-rigger-darwin-arm64"curl -fLO "$base/SHA256SUMS.txt"
# verify the download against the published checksumshasum -a 256 -c SHA256SUMS.txt --ignore-missing
chmod +x agent-rigger-darwin-arm64mv agent-rigger-darwin-arm64 /usr/local/bin/agent-riggerln -sf /usr/local/bin/agent-rigger /usr/local/bin/riggerThe release binaries are not code-signed. On macOS, a binary downloaded this way may be
quarantined by Gatekeeper; if it is refused on first run, clear the attribute with
xattr -d com.apple.quarantine /usr/local/bin/agent-rigger.
From source
Section titled “From source”Building from source needs Bun 1.3 or newer. Clone the repository, install dependencies, and build the standalone binary:
git clone https://github.com/agent-rigger/agent-rigger.gitcd agent-riggerbun installbun run buildThe compiled binary lands at packages/cli/dist/agent-rigger. Run it directly, or put
both names on your PATH:
./packages/cli/dist/agent-rigger --versionln -sf "$PWD/packages/cli/dist/agent-rigger" /usr/local/bin/agent-riggerln -sf "$PWD/packages/cli/dist/agent-rigger" /usr/local/bin/riggerVersion reported: a from-source build derives its version from git. bun run build
injects git describe --tags --always --dirty (leading v stripped), so a build inside
the cloned repo reports something like 0.1.2-5-gabc123 — the last tag, commits since,
and short SHA — with a -dirty suffix when the working tree has uncommitted changes. The
0.0.0 sentinel appears only when git is unavailable, for example a source tree extracted
from a tarball with no .git. The release build in CI stamps the exact tag instead.
Usage prerequisites
Section titled “Usage prerequisites”agent-rigger relies on a few external tools. It runs without all of them, but with fewer guarantees.
- git — required. Catalogs are git repositories; the tool fetches them with git. Without git, it cannot read any catalog.
- gitleaks and/or trivy — recommended. These are the scanners that inspect fetched catalog content for leaked secrets and misconfigurations before it is written to disk. If neither is installed, the tool cannot scan and falls back to warn-only mode: it installs anyway and prints a warning, rather than blocking every install. That means unscanned content reaches your machine, so installing at least one scanner is what makes the security check real. The trade-offs are laid out in trust and security.
- An assistant — required in practice. agent-rigger configures Claude Code or opencode; install at least one, or there is nothing for it to configure.
Verify the install
Section titled “Verify the install”Two commands confirm a working setup. First, the version:
rigger --versionA Homebrew or release install prints the released version; a from-source build prints its
git-derived version (0.0.0 only when built with no git available — see the note above).
Then run doctor, which reports whether git and the
scanners are present and which scan mode you are in:
rigger doctorA machine with the scanners installed reports full-scan mode:
--- rigger doctor ---
✓ git (/opt/homebrew/bin/git)✓ glab (/opt/homebrew/bin/glab)✓ gitleaks (/opt/homebrew/bin/gitleaks)✓ trivy (/opt/homebrew/bin/trivy)
mode : full scan
Installed state is healthy — no findings.Without gitleaks or trivy, the mode line instead reads
mode : warn-only (external content not scanned — install gitleaks or trivy).
- Walk through your first rig in about ten minutes.
- Understand what agent-rigger is for.