Metadata-Version: 2.4
Name: ony
Version: 0.1.0
Summary: A phone call before your AI coding agent (Claude Code, Codex) does something it can't undo.
Project-URL: Homepage, https://ony.ai
Project-URL: Documentation, https://docs.ony.ai
Project-URL: Repository, https://github.com/ony-ai/ony
Project-URL: Issues, https://github.com/ony-ai/ony/issues
Author: Ony.ai
License-Expression: AGPL-3.0-or-later
License-File: LICENSE
Keywords: agent,approval,claude-code,codex,devtools,on-call
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Requires-Dist: httpx>=0.27
Requires-Dist: rich>=13
Requires-Dist: typer>=0.12
Requires-Dist: websockets>=13
Description-Content-Type: text/markdown

# Ony

**A phone call before your AI coding agent does something it can't undo.**

[Website](https://ony.ai) &middot; [Documentation](https://docs.ony.ai) &middot; [Source](https://github.com/ony-ai/ony)

Ony connects Claude Code, Codex, and other coding agents to you by phone for the moments that matter:
a production deploy, a destructive command, a force-push, a schema change. The agent keeps working on
the safe stuff; when it hits something risky, Ony calls you, you press a key (or enter a PIN), and the
decision is delivered back to the agent, signed and verified.

Risk is classified server-side (the agent's own hint is never trusted), every verdict is signed and
verified on your device, and the whole flow fails closed: if a decision can't be reached or verified,
the action is never silently allowed. Learn more at [ony.ai](https://ony.ai).

This package is the **local connector**: a small CLI plus hook that runs on your machine. The risk
policy, phone calls, and decisions are handled by the Ony service, which you can self-host (AGPL-3.0)
or use as a managed cloud.

## Install

```bash
pip install ony
```

## Quick start

```bash
ony enroll --url https://your-ony-host --email you@example.com   # register this machine
ony hooks install --project /path/to/your/repo                  # wire Claude Code (/ony skill + hooks)
ony daemon                                                       # hold the connection; cache decisions
```

In a Claude Code session:

```
/ony away      # phone me for every actionable step (remote control)
/ony on        # phone me only for high-risk steps (default)
/ony off       # step out of the way
```

Now work normally. When the agent reaches a risky tool call, Ony places a real call to your verified
number; press **1** to approve / **2** to deny (high/medium-risk actions also ask for your 6-digit
authenticator code). The verdict is HMAC-signed per device and verified by the connector before it is
honored. An unsigned or tampered decision fails closed to the normal prompt.

## How it gates

The connector classifies each tool call to a candidate action type; the **server** is authoritative
for the actual risk and policy. Strictly passive reads (Read/Grep/Glob/…) pass ungated; everything
else is treated as actionable, so unknown tools fail safe rather than open.

## Codex

```bash
# add clients/codex/hooks.json to your Codex config (calls `ony hooks codex`), or for the richer
# bidirectional path:
ony hooks codex-app-server     # bridge a `codex app-server` approval channel to Ony (experimental)
```

## Privacy

Lifecycle telemetry forwards only event metadata (session id, event type), never your prompts, code,
or transcripts. The device token + per-device decision key are stored owner-only under `~/.ony`.

## License

AGPL-3.0-or-later. Source: https://github.com/ony-ai/ony
