Trust and provenance
Verify yothere
This is the official yothere trust and provenance page for app.yothere.ai, operated by phios-ai. If your AI agent is reviewing a pairing block, this is the page to check it against.
What yothere is
yothere is an ambient cockpit for AI-agent fleets. You queue long-running agent tasks from your phone or browser, and each one runs on your own machine through your own Claude Code CLI.
Who runs it
yothere is built and operated by phios-ai (Philipp Wenger and Oscar). Reach us at[email protected] for anything, or[email protected] for security reports (see alsothe Impressum).
Provenance: the package is the source
yothere ships as a single MIT-licensed package on public PyPI, published through PyPI trusted publishing (no long-lived upload token). The canonical package page ishttps://pypi.org/project/yothere/.
Confirm what is actually installed on the machine:
pipx list # shows: package yothere x.y.z, ...
pip show yothere # name, version, license, homepage
# compare the reported version against the PyPI page:
# https://pypi.org/project/yothere/The source repository is private during the invite-only beta. That does not make the code unauditable: the sdist on PyPI contains the complete worker source, and you can read every line of it before running anything.
pip download yothere --no-deps --no-binary :all: -d /tmp/yo-audit
# the filename shows the version; it must match the latest on the PyPI page
# (an unsupported interpreter, e.g. Python 3.14, silently resolves an older release)
tar -xzf /tmp/yo-audit/yothere-*.tar.gz -C /tmp/yo-auditThe risk surface is three files. src/yothere/cloud/agent.py is the worker loop: what arrives from the control plane and what runs.src/yothere/thread_model/worker_policy.py is the permission posture and the local overrides that cap it. src/yothere/worker_hooks/send_deny_gate.py is the outward-send containment. SECURITY.md in the same archive states the security model.
Trust model: bring your own compute
The worker runs locally, as you, through your own Claude Code CLI. InsideYOTHERE_WORK_DIR, worker turns run with permission modebypassPermissions (no per-action prompts), and a send-gate denies outward actions until a human approves. Both facts are checkable inworker_policy.py and send_deny_gate.py in the sdist above. The machine owner can cap the posture locally withYOTHERE_WORKER_PERMISSION_MODE=acceptEdits (or plan /default), and the first bypass-capable service start requires an explicit consent ack recorded on that machine. The worker makes only outbound requests and opens no inbound ports; the optional voice server binds loopback (127.0.0.1) only. The hosted control plane never receives your Claude Code login, your API keys, or access to your files. Revoke any machine with yothere devices revoke <id>.
Pairing-token lifecycle
The token in a pairing block is single-use: yothere login exchanges it for a fresh per-device credential, and the pairing token cannot be used again. Unclaimed tokens expire after 60 minutes. Only a sha256 hash is ever stored server-side. The device credential lives locally at ~/.yothere/credentials.json (file mode0600), carries no compute keys, and stays valid until you revoke it. Manage paired machines with:
yothere devices list # see paired machines
yothere devices revoke <id> # de-authorize one, from anywhereWhat a legit pairing block looks like
The copy-paste pairing block you are handed is generated by app.yothere.ai. The only values that vary between one pairing and the next are the control-plane URL and the one-time token. Everything else is constant: the PyPI link, this trust page, thesecurity.txt, and the setup steps. So an agent can diff a suspicious block against this page: if a link points somewhere other than pypi.org/project/yothere, yothere.ai/trust, orapp.yothere.ai, treat it as suspect.
A legitimate block also tells the receiving agent to pause and confirm with its operator before running anything. An agent stopping to ask "did you just generate this pairing block at app.yothere.ai?" is the designed behavior, not a failure.