Features
Everything Servonaut can do — from SSH management to multi-cloud server lifecycle, AI log analysis, and an MCP surface your agent can call.
Interactive TUI
Servonaut's interface is built with Textual, a Python framework for rich terminal applications. You get full mouse support, keyboard shortcuts, searchable lists, and modal overlays — all in your terminal.
Keyboard shortcuts
Shortcuts are screen-specific. The footer always shows the keys available in the current context; the tables below cover the two screens you'll spend the most time on. Press ? from any screen for the in-app reference.
Instance list (the main screen)
| Key | Action |
|---|---|
| Enter / O | Open the actions menu for the selected instance |
| S | SSH into the selected instance |
| T | SCP file transfer overlay |
| B | Browse remote files |
| C | Run a remote command |
| L | Open the log viewer |
| A | AI analysis of the selected instance |
| M | Open Server Memory for the row |
| K | Manage the SSH key reference |
| V | Verify SSH connectivity |
| Y | Copy the selected row |
| R | Refresh the instance list |
| / | Focus the search / filter input |
Log viewer
| Key | Action |
|---|---|
| A | Analyze the current log with AI |
| / | Search within the log |
| Esc | Close the viewer |
Global
| Key | Action |
|---|---|
| Tab | Cycle between panels |
| ? | Show the shortcut help overlay |
| Q | Quit Servonaut |
| Esc | Close the current overlay / cancel |
SSH & SCP
SSH sessions
Select any server from the list and press S to open an SSH session. Servonaut spawns your configured terminal emulator with the correct SSH command, including your key file and any ProxyJump settings.
Set ssh.terminal in your config to specify your preferred terminal. Use "auto" to let Servonaut detect it.
SCP file transfer
Press T to open the SCP overlay. You can upload files to the remote server or download files from it. Supports glob patterns for batch transfers.
Bastion / jump host support
Set ssh.proxy_jump in your config to route all SSH connections through a bastion host. Servonaut generates the correct -J user@bastion argument automatically.
AWS integration
EC2 instance management
If AWS CLI credentials are configured, Servonaut auto-discovers all running EC2 instances across your configured regions on startup. Instances appear alongside custom servers in the same TUI list, tagged with their region, instance type, and AWS tags.
Your AWS credentials need at minimum: ec2:DescribeInstances for EC2 discovery.
CloudTrail event explorer
Open the CloudTrail explorer from the instance actions menu to browse, filter, and inspect API call events for your AWS account. Useful for auditing, incident investigation, and spotting unusual activity.
Required IAM permission: cloudtrail:LookupEvents
CloudWatch log analysis
Servonaut can pull CloudWatch log groups and streams and display them in the built-in log viewer. AI analysis works on CloudWatch logs the same way as SSH-fetched logs.
Required IAM permissions: logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents
WAF / IP-ban management
Open the IP-ban manager from the instance actions menu. When a log analysis (or manual review) identifies a malicious IP, you can block it through one of three backends — pick whichever your environment already uses:
- AWS WAF — adds the IP to an existing WAF IP set referenced by your web ACL (fastest, no EC2 round-trip required).
- Security Groups — tracks the banned IP via a tagged ingress entry on the instance's security group; unban removes it again.
- Network ACLs (NACLs) — adds an explicit DENY rule to the subnet NACL, blocking the IP at the VPC level.
Required IAM permissions vary by backend — at a minimum your credentials need the matching wafv2:*, ec2:*SecurityGroup*, or ec2:*NetworkAcl* actions for the strategy you enable.
CloudWatch log analysis, CloudTrail lookup, and IP-ban management are also exposed as MCP tools — an AI agent can rank abusive IPs from WAF/ALB logs, audit CloudTrail, and ban an IP through the same typed, audited tool surface.
OVH Cloud
OVH Cloud is a first-class provider — Public Cloud, VPS, and dedicated servers all merge into the unified instance list with a provider: ovh tag.
The dedicated OVH → ⚙ Manage sidebar entry opens a per-provider screen with a state-aware lifecycle toolbar (Create / Start / Stop / Reboot / Delete) that routes to the right API based on whether the row is Cloud, VPS, or dedicated.
The redesigned create wizard is region-first: pick a region, and the flavor and image pickers refilter to only what's actually deployable there. Flavor pricing is fetched live from the OVH catalog API, and regions / flavors with no deployable offers are hidden from the picker so you can't pick a dead combination.
In the TUI
- OVH Manager screen — table of all OVH instances with bulk lifecycle actions and a state-aware toolbar.
- SSH Keys — project-level SSH key registry (the wizard injects from this set on create).
- DNS zones, IP management, block storage, snapshots, billing & invoices — browse from the OVH sidebar.
Via MCP
The MCP surface exposes lifecycle (create, start, stop, reboot, delete) plus read access to monitoring, IPs, firewall rules, SSH keys, snapshots, DNS records, billing summary, and invoices. Mutations beyond instance lifecycle (editing DNS records, swapping a failover IP, attaching block storage, downloading invoice PDFs) currently live in the TUI only.
Setup, full CLI reference, and MCP tool list: OVH Cloud docs.
Hetzner Cloud
Hetzner Cloud is supported end-to-end: list, create, power on / shutdown / reboot, and delete from either the TUI or servonaut hetzner … CLI commands. Freshly created servers are auto-registered into the fleet, so run_command, get_logs, etc. work seconds after spin-up — no manual "add server" flow.
- Hetzner Manager screen — full lifecycle toolbar (Create / Power on / Shutdown / Reboot / Delete) with state-aware enable/disable.
- Project SSH key registry — register, list, and delete Hetzner Cloud SSH keys without leaving the TUI.
- Setup wizard — Settings → Hetzner Setup walks you through token + defaults; subsequent edits are API-backed dropdowns (locations, server types, images).
- Disposable-fleet workflow — by default the create flow refuses to spin up a server with no SSH keys, preventing billed unreachable boxes.
Setup, full CLI reference, and MCP tool list: Hetzner Cloud docs.
AI log analysis
With an AI provider configured, press A in the log viewer to send the current log content to your chosen AI model. Servonaut prompts the model to identify:
- Error patterns and root causes
- Security threats (brute force attempts, suspicious IPs, injection attacks)
- Performance bottlenecks
- Actionable remediation steps
Supports four providers: Anthropic (Claude), OpenAI (GPT-4o and others), Google Gemini, and Ollama — local install or Ollama Cloud.
Each provider has its own API-key slot in config.json, so they coexist; switch from the chat-panel header without editing config. See AI configuration for setup.
On Solo and Teams plans, the chat panel can route through the hosted gateway at mcp.servonaut.dev — no personal API key needed. Each plan comes with a daily AI request allowance; exact numbers are listed on the pricing page. Free-tier users can still wire up any supported provider with their own key.
In-TUI bug reports (v2.8+)
Hit the bug-report shortcut from anywhere in the TUI to open the in-app reporter. It captures the current screen, optionally records the last few interactions, and uploads to POST /api/v1/bug-reports on servonaut.dev — with explicit consent before sending screenshots or session recordings.
Reports are deduplicated server-side and surfaced under /admin/bug-reports for the team to triage.
Server Memory (Premium)
Server Memory is a privacy-first inventory of every server you manage. Each time the CLI probes a box it builds a small structured snapshot — installed runtimes, listening ports, running services, disk usage, container counts, recent log paths — and uploads it as end-to-end encrypted envelopes. Your account dashboard shows what changed since last week, surfaces anomalies, and (only when you ask) lets a model summarise findings on your behalf. Available on Solo and Teams plans.
Zero-knowledge by default
Snapshots are encrypted in your browser using a passphrase only you know. The browser derives a key from that passphrase with Argon2id and encrypts the envelope with libsodium's crypto_secretbox before anything leaves the page (assets/controllers/memory_keystore_controller.js). The backend then double-wraps the ciphertext under an app-held AES-256-GCM key (src/Service/Memory/MemoryServerKeyWrap.php) so a stolen database dump alone isn't enough to attack the outer layer.
The server never decrypts. It identifies snapshots by a sha256(ciphertext) drift key (src/Service/Memory/MemoryIngestService.php), so duplicate submissions short-circuit without the server ever needing to see plaintext.
Full breakdown of what we can and cannot read is on the Server Memory docs page.
Drift & anomaly detection
A timeline on the dashboard shows every probe and the deltas between them — a new listening port, an upgraded runtime, a service that stopped, a container churn spike, a sudden disk-usage jump. Detection rules operate purely on the safe metadata block, so they run without plaintext exposure. Severity (info / low / medium / high) drives how prominent each event is.
Team sharing
On the Teams plan you can share a server's memory with specific teammates by re-wrapping the decryption key on their device — Servonaut never holds the user passphrase. Grants are revocable and audited.
AI summaries — opt-in, redacted before send
"Summarise this server" is the one place plaintext crosses the server-to-provider boundary.
Before the prompt is sent to the model, a regex scrubber replaces IPv4, IPv6, email addresses, URL hosts, *.local names, and AWS-style ip-*-*-*-*.compute.internal hostnames with stable placeholders (src/Service/Memory/PromptRedactor.php). See the AI summaries section for the full flow.
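A sketch of how a scrubber with stable placeholders can work, as an added example; it is not Servonaut's PromptRedactor.php. The regexes, the `<KIND_n>` placeholder format, the `Redactor` class and the sample text are all assumptions made for illustration. Validating IP candidates with `ipaddress` keeps timestamps and MAC addresses intact and maps different spellings of one IPv6 address to the same placeholder.

```python
import ipaddress
import re

# Passes run in order; placeholders begin with "<", which the URL pass skips.
PASSES = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("HOST", re.compile(r"\bip-\d+-\d+-\d+-\d+\.(?:[\w-]+\.)*compute\.internal\b")),
    ("HOST", re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.local\b")),
    # IPv6 / IPv4 candidates only; ipaddress decides whether they are real.
    ("IP", re.compile(r"(?<![\w.:])[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*[0-9A-Fa-f:](?![\w:]|\.\w)")),
    ("IP", re.compile(r"(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}(?!\w|\.\w)")),
    # Host part of scheme://host (URLs carrying userinfo are not handled here).
    ("HOST", re.compile(r"(?<=://)[^/\s:@<]+")),
]


class Redactor:
    """Gives every distinct value one placeholder, reused across the prompt."""
    def __init__(self):
        self.seen = {}    # (kind, normalised value) -> placeholder
        self.counts = {}  # kind -> number of placeholders issued

    def _replace(self, kind, match):
        value = match.group(0).lower()
        if kind == "IP":
            try:  # rejects look-alikes such as timestamps and MAC addresses
                value = str(ipaddress.ip_address(value))
            except ValueError:
                return match.group(0)
        if (kind, value) not in self.seen:
            self.counts[kind] = self.counts.get(kind, 0) + 1
            self.seen[(kind, value)] = f"<{kind}_{self.counts[kind]}>"
        return self.seen[(kind, value)]

    def redact(self, prompt):
        for kind, pattern in PASSES:
            prompt = pattern.sub(lambda m, k=kind: self._replace(k, m), prompt)
        return prompt

# Constructed sample text, not real snapshot data.
SAMPLE = (
    "10:15:02 sshd: 5 failures from 203.0.113.7:52144 and 2001:DB8::1; "
    "203.0.113.7 retried via https://admin.example.com/login, "
    "alert ops@example.com from ip-10-0-1-23.eu-west-1.compute.internal "
    "(peer 2001:db8:0:0:0:0:0:1, nas.local)"
)

if __name__ == "__main__":
    print(Redactor().redact(SAMPLE))
```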
Export & retention
Snapshots can be exported for offline review or compliance evidence, and older envelopes age out according to plan-level retention. See the Server Memory docs for the current export formats, signing model, and retention windows.
Turning it off
Memory is opt-in. If you decide to stop using it, the disable flow stops new probes and schedules deletion of stored envelopes.
Full feature reference: Server Memory documentation.
Log viewer
The built-in log viewer fetches log files from remote servers over SSH (using tail or cat) and displays them with syntax highlighting. Features:
- Real-time tail mode (tail -f equivalent)
- Pattern search and highlighting within the viewer
- Quick-jump to configured log paths (from log_paths in your config)
- Works with both custom servers and AWS EC2 instances
- One-key AI analysis of the current view
Custom server support
Beyond AWS, OVH, and Hetzner, Servonaut treats any SSH-reachable server as a first-class citizen — DigitalOcean Droplets, on-prem bare metal, VMware VMs, Raspberry Pis, anything. All get full SSH, SCP, log viewer, run-command overlay, and AI integration.
Custom servers can be tagged with arbitrary key/value pairs and filtered in the TUI using the / search.