How to run an AI agent overnight and stay in control from your phone

To run an AI agent like Claude Code overnight, leave it running unattended but keep a human gate on the dangerous steps. Reads and safe commands run on their own, anything risky pauses and pings your phone for a yes or no, and you keep a kill switch to end the session if it goes off the rails. That is the difference between leaving an agent on a long leash and letting it run with no leash at all.

Why "fully autonomous overnight" is the wrong goal

You hand the agent a backlog, go to sleep, and wake up to finished work. The trap is the part in the middle where the agent hits a decision it should not make alone. A migration that drops a column. A git push --force to main. A command that spends real money. If the agent barrels through those, you wake up to a cleanup job instead of finished work.

The opposite failure is just as bad. Make the agent ask about everything and it stalls on the first prompt, sitting idle for hours waiting for a tap you never see. What you want sits between the two: an agent that runs on its own for the safe, boring majority of the night and reaches you only for the few moments that actually need a human.

Step 1: connect the agent with the hook

Pushary gates at the tool level using the agent's hook system. Install the CLI hook once and it sits between the agent and any tool call, so it can allow, deny, or pause a step before it runs.

npx @pushary/agent-hooks setup

That writes the hook into Claude Code's config (Codex, Gemini CLI, Cursor, and Hermes work the same way). The quickstart covers each agent. Once it is wired in, every tool call passes through your policy before it executes. One limit up front: Claude Desktop has no hooks, so its paste-one-URL connector can notify and ask but cannot block a tool. Enforced gating is a CLI thing.

Step 2: set the policy so reads run and risk pauses

This is the part that makes overnight actually work. A policy decides which tool calls run silently and which ones stop to ask. Pushary policies match on the command arguments, not just the tool name, so git status and git push --force are treated as the different things they are.

A proven read-only floor is auto-approved by default. Commands like cd, ls, cat, grep, git status, git log, and git diff run without interrupting anyone, because they read and never write. That floor was decided from 1,721 real production questions, filtered down to the commands that were read-only every single time. Everything outside it can be set to ask. The full behavior is in the policies docs, and the writeup lives on the permission policy page.

Step 3: route the risky moments to your phone

When the agent hits a gated step, it pauses and sends a push with what it wants to do. You approve or deny from the lock screen with the app closed, and the agent continues or stops based on your answer. This is how you control Claude Code from your phone without sitting at the terminal, and the same mechanism powers Claude Code notifications for any moment the agent wants your attention.

Deny is not a dead end. You can send a reason back with the denial, so instead of guessing why it was blocked, the agent gets your instruction and corrects. "Don't touch the prod database, use the staging branch" turns a stop into a redirect.

One iOS caveat: the cross-origin deep link from a notification into the home-screen app is broken, so iOS uses a pending-questions inbox inside the app instead of a tap-through link. You still answer from your phone, you just open the app to the queue rather than tapping straight from the banner.

Step 4: keep a kill switch and a budget

Approvals handle the known risky steps. The kill switch handles the unknown ones, where the agent gets stuck in a loop or starts down a path you did not anticipate. From your phone you can end a running session outright. If something looks wrong at 3am, you kill it and deal with it in the morning instead of letting it run for five more hours. See the kill switch page and docs.

The cost guard is the automatic version of the same idea. It tracks session cost from the agent's transcript and can kill the session when it crosses a daily budget you set. You do not have to be awake to stop a runaway. The budget stops it for you.

Step 5: read the receipt in the morning

Every action the agent took overnight, whether auto-approved by the floor, approved by you, or blocked, lands in the audit trail. You get a per-session receipt with what ran, what changed, and the answer source for every approval. The morning review is a structured record, not archaeology through a terminal scrollback. The audit log docs cover export and digests.

Common questions

Can I run Claude Code overnight safely?

Yes, if you keep the gates. Leave it running unattended, auto-approve a proven read-only set of commands so it makes progress on its own, and route writes, pushes, deletes, and anything that spends money to your phone for a yes or no. Add a kill switch and a cost budget so a bad run ends instead of running for hours.

What happens if the agent asks while I'm asleep?

It waits. A gated step pauses the agent until you answer, so it does not proceed on a risky action without you. If you never wake up to answer, the step stays blocked rather than running unsupervised. The safe, read-only work continues in the meantime.

Does this work with agents other than Claude Code?

Yes. The CLI hook supports Claude Code, Codex, Gemini CLI, Cursor, and Hermes, and the human-in-the-loop flow is the same across them.

The setup holds whether you run one agent overnight or a fleet. Reads run, risk pauses, you hold the kill switch. See pricing for the agent plans, or start with the Claude Code guide.