One terminal that thinks,
routes, and repairs.
A deeper tour of what makes SysNav different from every "AI terminal" shipped in the last 18 months.
The diagnostic / execution split.
Ask is safe. Agent is powerful. The separation is the whole point.
Nine reasons you'll never go back to iTerm.
Grounded reasoning
The AI reads YOUR logs, YOUR configs, YOUR runbooks — not a generic training set. Context is indexed locally and redacted before transmission.
Approval-gated execution
Agent never runs blind: every mutating change surfaces as a plan you can reject, edit, or approve, and nothing runs until you say so — you always see the exact command first.
Model Context Protocol (MCP)
Connect local (stdio) or remote (HTTP/SSE) MCP servers so Sidekick can use external tools — project trackers, SaaS connectors, and more. No bridge needed.
Multi-host inspection
Ask across the hosts you're connected to in one query — logs and metrics, time-aligned, in plain English.
Destructive-command gate
rm -rf /, mkfs, dd, and other destructive commands are blocked in Ask mode and require explicit approval in Agent mode.
Tamper-evident audit
Every command, approval, and AI context is recorded in an append-only, SHA-256 hash-chained log. Exportable, with an optional mirror to your own S3 bucket.
Model routing
Runs on Claude (Sonnet) with an OpenAI fallback. Bring-your-own-key — use your own Anthropic API key — is available on Pro; additional providers are on the roadmap.
Works offline
SSH, tmux, and SFTP work without a connection. AI features need the cloud and resume the moment you're back online.
Secret scanning
Keys, tokens, and credentials scrubbed locally before prompts leave your machine. Runs on-device, before any token is sent.
Your secrets, sealed on your device.
A zero-knowledge store for the keys and credentials you already juggle — free on every plan.
Encrypted secrets vault
Keep SSH keys, server credentials, and snippets in a local vault sealed with AES-256-GCM. Unlocked by a passphrase only you know, and auto-locks when you step away.
Zero-knowledge sync
Your vault follows you between machines. Only ciphertext leaves the device — the server never sees your passphrase, your keys, or plaintext.
One-time recovery kit
A recovery phrase, shown once and stored nowhere, restores your vault if you forget the passphrase. End-to-end means there is no backdoor.
Three scenarios SysNav was built for.
Multi-host root-cause in one query.
Ask mode correlates logs, metrics, and deploy history across every host you're connected to, so you can find the broken pod without opening four dashboards.
Nothing destructive runs without your say-so.
Every mutating change goes through a reviewable plan and waits for your explicit approval. Destructive commands are blocked outright in Ask mode, and the whole session is recorded in a tamper-evident audit log.
New hires ask the terminal, not Slack.
Your runbooks, team conventions, and cluster topology are indexed locally. New engineers get on-call-ready answers without interrupting the on-call.