Ony sits between your coding agent and the actions it cannot undo. It detects the risky tool call, re-derives the real risk on the server, calls your phone, and delivers a signed verdict back to the agent. No terminal scraping, no keystroke injection.
Six automatic stages. The trust boundary stays on the server and your device the whole way through. You show up only for the decision.
A PreToolUse hook intercepts every tool call before it runs. Reads and ordinary edits pass straight through. A deploy, a force-push, a schema change, or a secret access gets held for classification.
The server re-derives the real risk from its own action taxonomy. The agent's own hint is never trusted. Anything the taxonomy does not recognize fails closed to critical.
Ony places a real phone call through your telephony provider. You hear the action and its risk, never the raw command or your secrets.
Press 1 to approve, 2 to deny. High-risk actions add a 6-digit code, so an overheard call alone cannot authorize a deploy.
The verdict is HMAC-signed per device and bound to the exact request. The local connector verifies the signature before honoring it. Forged or replayed approvals are rejected.
The decision reaches the agent by cached flag or session resume, never keystroke injection, and lands in a keyed, hash-chained, append-only log the dashboard can verify.
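The signed-verdict check from the fifth stage, as an added example; it is not Ony's code. The MAC input layout, the nonce field, and the names request_digest, sign_verdict and Connector are assumptions made for illustration, and the key and requests are constructed sample values.

```python
import hashlib
import hmac
import json


def request_digest(request: dict) -> str:
    """SHA-256 over a canonical encoding of the exact gated request."""
    canon = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def _mac(key: bytes, decision: str, nonce: str, request: dict) -> str:
    # The MAC covers decision, nonce and request digest, so changing any
    # one of them invalidates the signature.
    msg = json.dumps([decision, nonce, request_digest(request)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_verdict(key: bytes, request: dict, decision: str, nonce: str) -> dict:
    """Server side: issue a verdict bound to one request and one nonce."""
    return {"decision": decision, "nonce": nonce,
            "sig": _mac(key, decision, nonce, request)}


class Connector:
    """Local side: verify before honoring, fail closed to 'denied'."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._seen = set()  # nonces already honored (replay guard)

    def honor(self, request: dict, verdict: dict) -> str:
        decision = str(verdict.get("decision", ""))
        nonce = str(verdict.get("nonce", ""))
        sig = str(verdict.get("sig", ""))
        expected = _mac(self._key, decision, nonce, request)
        # Constant-time compare; a mismatch means a forged or tampered
        # verdict, or one that was signed for a different request.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "denied"
        if decision not in ("approved", "denied"):
            return "denied"
        if nonce in self._seen:  # same signed verdict presented twice
            return "denied"
        self._seen.add(nonce)
        return decision
```

The replay guard here lives in memory; a connector that restarts would need to persist honored nonces or bound verdict lifetime some other way.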
Real event surfaces, not a wrapper. Ony binds to the hook and app-server interfaces the agents already expose, then normalizes every event into one model.
Hooks plus pause-resume delivery
PreToolUse is the primary pre-execution blocking gate.
Notification (permission_prompt / idle_prompt) flags a blockage.
Stop and SubagentStop track lifecycle.
claude -p --resume.
# stdin to: ony hooks claude
{
"hook_event_name": "PreToolUse",
"tool_name": "Bash",
"tool_input": { "command": "terraform apply" }
}
[ony] gated: production deploy (critical)
[ony] decision pending, calling you
App-server over ndjson JSON-RPC
# request from the app-server
{"method":"item/commandExecution/requestApproval",
"params":{"command":"rm -rf build"}}
# signed response from ony
{"result":{"decision":"approved",
"sig":"hmac:…"}}
[ony] signature verified, resuming
The /ony command is a Claude Code skill. Type it in the session to change how much Ony gates, right now, without restarting the agent.
/ony on: The default. Safe tool calls run ungated at full speed. Only high-risk, irreversible actions ring your phone.
/ony away: Call me for every actionable step. Drive the agent from your keypad while you are away from the terminal.
/ony off: Hand control back to the agent's normal approval flow. Ony stays out of the way until you turn it on again.
/ony here: point decisions at this device.
/ony status: show the current mode and bound session.
Claude Code has no official mid-turn input channel, so Ony does not pretend one exists. A decision becomes the next turn, two ways.
The daemon caches the verdict against the session id and the tool name. The next time the PreToolUse hook fires for that exact call, it consults the cache and lets the action proceed or denies it. The agent never pauses on a keystroke that was injected from outside.
For headless flows, claude -p --resume SESSION_ID starts a fresh turn with the decision as the next prompt. It is an ordinary continuation, not a hijacked terminal, so it works in CI and across parallel sessions.
Ony does not scrape terminal output or inject PTY keystrokes. Handoffs bind to the stable agent_session_id, not the per-resume session id, so a decision always lands on the work it was made for, even after a resume.
A single console for the devices that approve, the decisions they made, and the tamper-evident record that proves nothing was rewritten after the fact.
Enroll a phone with a decision_key, see what is active, and revoke instantly. Each device verifies signatures independently.
Full history with approver attribution. See which device approved, when, and against which exact request.
One-click hash-chain verification. Rewrite a single event and the chain breaks, end to end, in plain view.
A decision_key binds a phone to your org. Per-device HMAC keys never leave the trust boundary.
Audit chain
prod-api, last 4 decisions
terraform apply | approved, +6-digit code | 9f3c…a1
git push --force | denied | 2b7e…c4
DROP TABLE sessions | denied | 5d10…7f
alembic upgrade head | approved | e8a2…3d
Chain intact, no event rewritten (4 / 4)
Install the connector, point it at Claude Code or Codex, and enroll your phone. Open source and self-hostable, or fully managed on Ony Cloud.