tap on its own is for one machine. Install hop alongside it and the same session-management commands work across every Linux host you operate — from your laptop, your phone, or an AI agent acting on your behalf. List shells across the fleet. Attach to one. Lock it. Quarantine it. Send a message. Same operations, just with a host name in front.
tap manages shells on a host. hop connects you to hosts. Together: shell management for your fleet.
Manages every shell on the machine it's installed on. You run it on the host you're standing on (or SSH'd into) and you operate against that host's sessions. No network involved.
Lets you reach your hosts from anywhere — laptop, phone, another server, AI agent — without setting up VPNs, port forwards, or static IPs. Your hosts and your devices recognize each other; the connection just works.
tap's commands gain a host argument. hop <host> tap list shows that host's shells from your laptop. hop <host> tap connect 4 drops you into a shell on the other side of the world. Multiply by every host on your fleet.
The same scenarios as local tap, except now they work across every machine you run.
PagerDuty fires at 2am. Open your laptop on the kitchen counter, list shells across the affected hosts, see who else is already on the box, jump in next to them. No VPN dance, no jumphost.
Pull up the picker for any host with a host name. The same keystrokes — Enter, lock, kill, quarantine — work everywhere. You don't learn a new tool per environment.
An engineer in another timezone is stuck on a staging server. From your machine, attach to their shell, type a hint, send them an admin message. Like sitting next to them, except one of you is in Berlin.
Suspicious activity on a production host. Watch the live shell from your laptop. If you decide to act, quarantine them — same one-key flow as local — without ever needing to be physically on the host.
Install hop on the host first, then tap. tap recognizes hop and wires itself in automatically.
One curl. Sets up the host so it's reachable from your other devices and prints an invite token for first-time pairing.
curl -fsSL https://hop.keikai.ai/install-daemon.sh | bashOne curl. Detects hop and registers itself. Now tap is reachable from anywhere your hop is.
curl -fsSL https://tap.keikai.ai/install.sh | bashRedeem the invite from your laptop, give the host a name, and run any tap command against it.
hop connect <invite-token>
hop <host> tapThe same "your shells, or all shells if you're the admin" rule, just keyed on who you are to hop instead of who you are to that host's Unix.
If you're the admin of the fleet (the person who set up the host, or someone you've explicitly given that role to), you see every shell on every host you can reach. Same as being root locally — just from your laptop.
If a teammate has access only as a regular user, they see only the shells they themselves opened on that host. They can manage their own work; they can't peek at anyone else's. You set the role when you invite them.
If a session isn't yours to see, tap responds the same way as if it didn't exist. So a curious peer can't just probe pty numbers to find out what other people are running.
Full visibility. List, attach, lock, quarantine, kill, message — every shell on every host you can reach.
Same operations, scoped to your own sessions. Useful for self-management or for letting a teammate manage their own work without giving them the keys to the box.
Anywhere a person can drive tap remotely, an AI agent can too. Same operations, same permissions, same audit.
List sessions across your fleet. Snapshot any of them. Subscribe to a live stream and summarize what's happening on a shell. Decide whether to alert you, lock the session, or quarantine it. Whatever a human admin can do, an agent with the same role can do.
An overnight watcher that scans for unusual command patterns and pages you only when something's worth waking up for. A code-review companion that pulls up the most recent shell session of an SRE for context. An onboarding bot that watches new hires' first session on prod and intervenes before rm -rf ever lands.
An agent gets a role just like a person does. Give it the admin role and it sees everything. Pin it to a single user and it sees only that user's shells — useful for self-audit agents the user runs against their own activity.
Two single-curl installs. Bring up hop on your hosts first, then tap. Pair from your laptop, and the picker works for the whole fleet.