Skip to main content
SysNav
// FEATURES

One terminal that thinks,
routes, and repairs.

A deeper tour of what makes SysNav different from every "AI terminal" shipped in the last 18 months.

// TWO MODES

The diagnostic / execution split.

Ask is safe. Agent is powerful. The separation is the whole point.

ask mode · read-onlySysNav · v2.2.0
ask❯ which pods restarted in the last hour and why?
reading kube-state-metrics + events across 3 clusters…
4 restarts · all on payments-ns · OOMKilled (exit 137)
correlated with deploy sha:b12c4 at 14:02
→ memory limit (2Gi) ≪ working set (3.4Gi avg)
 
agent mode · write-capableSysNav · v2.2.0
agent❯ bump payments memory 2Gi → 4Gi
plan: kubectl patch deploy/payments --patch=...
awaiting your approval before applying…
+ resources.limits.memory: 2Gi → 4Gi
✓ approved & applied · recorded in audit log
 
// CAPABILITIES IN DEPTH

Nine reasons you'll never go back to iTerm.

Grounded reasoning

The AI reads YOUR logs, YOUR configs, YOUR runbooks — not a generic training set. Context is indexed locally and redacted before transmission.

Approval-gated execution

Agent never runs blind: every mutating change surfaces as a plan you can reject, edit, or approve, and nothing runs until you say so — you always see the exact command first.

Model Context Protocol (MCP)

Connect local (stdio) or remote (HTTP/SSE) MCP servers so Sidekick can use external tools — project trackers, SaaS connectors, and more. No bridge needed.

Multi-host inspection

Ask across the hosts you're connected to in one query — logs and metrics, time-aligned, in plain English.

Destructive-command gate

rm -rf /, mkfs, dd, and other destructive commands are blocked in Ask mode and require explicit approval in Agent mode.

Tamper-evident audit

Every command, approval, and AI context is recorded in an append-only, SHA-256 hash-chained log. Exportable, with an optional mirror to your own S3 bucket.

Model routing

Runs on Claude (Sonnet) with an OpenAI fallback. Bring-your-own-key — use your own Anthropic API key — is available on Pro; additional providers are on the roadmap.

Works offline

SSH, tmux, and SFTP work without a connection. AI features need the cloud and resume the moment you're back online.

Secret scanning

Keys, tokens, and credentials scrubbed locally before prompts leave your machine. Runs on-device, before any token is sent.

// ENCRYPTED VAULT

Your secrets, sealed on your device.

A zero-knowledge store for the keys and credentials you already juggle — free on every plan.

Encrypted secrets vault

Keep SSH keys, server credentials, and snippets in a local vault sealed with AES-256-GCM. Unlocked by a passphrase only you know, and auto-locks when you step away.

Zero-knowledge sync

Your vault follows you between machines. Only ciphertext leaves the device — the server never sees your passphrase, your keys, or plaintext.

One-time recovery kit

A recovery phrase, shown once and stored nowhere, restores your vault if you forget the passphrase. End-to-end means there is no backdoor.

// WHAT IT UNLOCKS

Three scenarios SysNav was built for.

INCIDENT TRIAGE

Multi-host root-cause in one query.

Ask mode correlates logs, metrics, and deploy history across every host you're connected to, so you can find the broken pod without opening four dashboards.

SAFE EXECUTION

Nothing destructive runs without your say-so.

Every mutating change goes through a reviewable plan and waits for your explicit approval. Destructive commands are blocked outright in Ask mode, and the whole session is recorded in a tamper-evident audit log.

ONBOARDING

New hires ask the terminal, not Slack.

Your runbooks, team conventions, and cluster topology are indexed locally. New engineers get on-call-ready answers without interrupting the on-call.