Run the entire Ony stack on your own infrastructure under AGPL-3.0. Your data, your phone line, your signing keys, your servers. Nothing phones home, and there is no paywalled core. Install the package, bring up the stack, wire your agent.
Install the connector, bring up the stack, and point your agent at it. Sensible defaults out of the box, full configuration when you need it.
# install the connector
$ pip install ony
# enroll this phone as a device
$ ony enroll
[ony] device decision_key issued
[ony] enrolled, ready to gate
The package ships the ony console script. Enrollment issues a per-device key so verdicts can be verified locally.
# clone and start the stack
$ git clone https://github.com/ony-ai/ony
$ cd ony
$ docker compose up -d
[ony] daemon, dashboard, telephony
[ony] stack healthy on :8088
The provided compose file brings up the daemon, the dashboard, and the telephony bridge together. Set your SignalWire credentials in the environment first.
# install the PreToolUse hook
$ ony hooks claude --install
[ony] hook wired into Claude Code
# then, inside your session
> /ony on
[ony] gating high-risk actions
The PreToolUse hook is the pre-execution gate. Type /ony away instead to be called for every actionable step.
Four legible pieces with a clear trust boundary. The server is authoritative, the connector verifies, and you run every one of them.
The ony Python package, installed with pip. A typer CLI built on websockets, rich, and httpx that talks to the daemon over a WebSocket agent channel and verifies every signed verdict before honoring it.
Owns session state and the approval cache, classifies risk server-side from its own taxonomy, signs verdicts per device, and appends every decision to the hash-chained audit log.
Enroll and revoke devices, review decision history with attribution, and verify the audit chain. Enrollment hands a device its decision_key so it can check signatures locally.
Calls go out through SignalWire. On self-host you bring your own number and your own keys, and usage is billed pass-through by your provider, not by Ony.
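How a hash-chained decision log makes edits detectable, as an added example that is not Ony's own code. The record fields, the all-zero genesis value, and SHA-256 over canonical JSON are assumptions for illustration; the real log format is defined in the repo.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def entry_hash(prev_hash, record):
    """Hash the previous link together with a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    """Append a decision record, linking it to the current chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})


def verify_chain(log):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def build_sample_log():
    """Constructed sample decisions (hypothetical field names, not real Ony output)."""
    log = []
    append(log, {"device": "phone-1", "action": "git push --force", "verdict": "deny"})
    append(log, {"device": "phone-1", "action": "rm -rf build/", "verdict": "allow"})
    append(log, {"device": "phone-2", "action": "terraform apply", "verdict": "allow"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", verify_chain(log))
    log[1]["record"]["verdict"] = "deny"  # a past decision changed in place
    print("record edited:", verify_chain(log))
    # Recomputing the edited entry's own hash only moves the break to its successor.
    log[1]["hash"] = entry_hash(log[1]["prev"], log[1]["record"])
    print("hash recomputed:", verify_chain(log))
```

A chain like this does not by itself reveal entries dropped from the tail, so a verifier should also compare the final hash against a head value recorded somewhere the log writer cannot change.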
claude -p --resume with the decision as the next prompt.
Self-host means self-host. There is no hidden control plane, no metered core, and nothing that calls back to us.
Strong copyleft keeps the source open, with a hosted option for teams that cannot take on copyleft obligations.
Ony Cloud is the commercial hosted option. The same product, fully managed, with dedicated numbers per organization, team seats and roles, and managed key storage. No AGPL obligations to reason about, no ops to run.
The roadmap is in the open. Issues, discussions, and ADRs live in the repo, and new agent connectors are welcome.
File a bug, propose a feature, or talk through a design on GitHub. The architecture review and ADRs are in the repo, so context is one click away.
Pick up a good-first-issue or fix something you hit yourself. The contract shapes are settled in the ADRs, so changes stay grounded and easy to review.
Every agent event normalizes into one AgentEvent shape, so the model is agent-agnostic. Adding support for a new coding agent is mostly mapping its events.
The whole stack is on GitHub under AGPL-3.0. Bring it up with one command and own every part of the loop.