A phone call before your AI coding agent (Claude Code, Codex) does something it can't undo.
Ony
Ony connects Claude Code, Codex, and other coding agents to you by phone for the moments that matter: a production deploy, a destructive command, a force-push, a schema change. The agent keeps working on the safe stuff; when it hits something risky, Ony calls you, you press a key (or enter a PIN), and the decision is delivered back to the agent, signed and verified.
Risk is classified server-side (the agent's own hint is never trusted), every verdict is signed and verified on your device, and the whole flow fails closed: if a decision can't be reached or verified, the action is never silently allowed. Learn more at ony.ai.
This package is the local connector: a small CLI plus hook that runs on your machine. The risk policy, phone calls, and decisions are handled by the Ony service, which you can self-host (AGPL-3.0) or use as a managed cloud.
Install
pip install ony
Quick start
ony enroll --url https://your-ony-host --email you@example.com # register this machine
ony hooks install --project /path/to/your/repo # wire Claude Code (/ony skill + hooks)
ony daemon # hold the connection; cache decisions
In a Claude Code session:
/ony away # phone me for every actionable step (remote control)
/ony on # phone me only for high-risk steps (default)
/ony off # step out of the way
Now work normally. When the agent reaches a risky tool call, Ony places a real call to your verified number; press 1 to approve / 2 to deny (high/medium-risk actions also ask for your 6-digit authenticator code). The verdict is HMAC-signed per device and verified by the connector before it is honored. An unsigned or tampered decision fails closed to the normal prompt.
How it gates
The connector classifies each tool call to a candidate action type; the server is authoritative for the actual risk and policy. Strictly passive reads (Read/Grep/Glob/…) pass ungated; everything else is treated as actionable, so unknown tools fail safe rather than open.
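The following is an added example, not code from the Ony project: it illustrates the fail-closed behaviour described above, where passive reads pass ungated and any other tool call is honored only when its verdict's HMAC verifies. The verdict fields, the canonical-JSON encoding, the choice of HMAC-SHA256, the request-id binding, and the sample key and tool names are assumptions; the page does not specify the wire format.

```python
import hashlib
import hmac
import json

# Passive tools named on the page; its list is elided ("…"), so this set is partial.
PASSIVE_READS = {"Read", "Grep", "Glob"}
DEMO_KEY = b"constructed-per-device-key"  # constructed sample, not a real key


def sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over canonical JSON (assumed encoding, not Ony's format)."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_verdict(key: bytes, request_id: str, decision: str) -> dict:
    """Stand-in for the server side: build and sign a verdict (hypothetical fields)."""
    body = {"request_id": request_id, "decision": decision}
    return {"body": body, "sig": sign(key, body)}


def decide(tool: str, request_id: str, verdict, key: bytes) -> str:
    """Return "allow", "deny", or "prompt" (fall back to the agent's normal prompt)."""
    if tool in PASSIVE_READS:
        return "allow"  # strictly passive reads pass ungated
    try:
        body, sig = verdict["body"], verdict["sig"]
        if not hmac.compare_digest(sign(key, body), str(sig)):
            return "prompt"  # tampered body or wrong device key
        if body["request_id"] != request_id:
            return "prompt"  # validly signed, but for another request (assumed binding)
        if body["decision"] == "approve":
            return "allow"
        if body["decision"] == "deny":
            return "deny"
    except (TypeError, KeyError, ValueError):
        pass  # missing, unsigned or malformed verdict
    return "prompt"  # anything unrecognized fails closed


if __name__ == "__main__":
    ok = make_verdict(DEMO_KEY, "req-1", "approve")
    forged = {"body": ok["body"], "sig": "0" * 64}
    for tool, v in [("Read", None), ("Bash", ok), ("Bash", forged), ("Bash", None)]:
        print(tool, decide(tool, "req-1", v, DEMO_KEY))
```

The constant-time comparison and the single fall-through `return "prompt"` are the two properties to keep if you adapt this: no error path can end in "allow".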
Codex
# add clients/codex/hooks.json to your Codex config (calls `ony hooks codex`), or for the richer
# bidirectional path:
ony hooks codex-app-server # bridge a `codex app-server` approval channel to Ony (experimental)
Privacy
Lifecycle telemetry forwards only event metadata (session id, event type), never your prompts, code,
or transcripts. The device token + per-device decision key are stored owner-only under ~/.ony.
License
AGPL-3.0-or-later. Source: https://github.com/ony-ai/ony
File details
Details for the file ony-0.1.0.tar.gz.
File metadata
- Download URL: ony-0.1.0.tar.gz
- Upload date:
- Size: 31.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 40f0014fa0e9161d80df301a32a540beb887decc0641b8cdda00f8c42eaa0e5e |
| MD5 | 4a5c36985b24a39dfaefd67f2a6e60dc |
| BLAKE2b-256 | f3c3624e7ef9ade14df795c60e1e9101b1ba76cd90fc6ea4df41e0d8d1ece35f |
File details
Details for the file ony-0.1.0-py3-none-any.whl.
File metadata
- Download URL: ony-0.1.0-py3-none-any.whl
- Upload date:
- Size: 34.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 075110d328eaf7f78172a7ea347b0b7c270c0f58d9ffdbae3f95ba7777423ac9 |
| MD5 | ec8c3512e61ab92d2b1a5a82d35a8952 |
| BLAKE2b-256 | ffcc171dd7f9c0cedde9287754ace117f38f4c729f912b0a7842998bb52bb4fc |