HuxHux
v0.9Public Beta — 14-day free Pro trial

The terminal and opsof the AI era.

Continuously crafting the finest terminal and ops experience of our time.

macOS14+iPad / iPhone17+HarmonyOS5.0.3+

Swipe horizontally — Hux's multi-pane workflow

Hux — AI assistant helping diagnose k3s install, live This Mac monitoring on the right
Hux — NeoVim editing markdown, with a CPU / memory / temp / disk / process dashboard at the bottom
Hux — Claude Code terminal session and Hux browser side by side

/ Feature Overview

8 capabilities, one app, AI-driven.

Privacy and security first.

Data sync is end-to-end encrypted, zero-knowledge to the server.

01

Terminal

GPU rendering · full modern terminal · native tmux integration

02

Hosts

Groups · multi-cloud import · SFTP · monitoring · port forwarding

03

Notes

Note / Snippet / Manifest built for ops

04

Containers

Docker · Podman · Colima multi-runtime

05

Kubernetes

Multi-cluster · exec / cp / logs · CRD · Events

06

Database

MySQL · PG · smart completion · direct over SSH tunnel

07

MFA

TOTP / HOTP · QR import · SSH autofill

08

Security

Local encryption · E2E sync · zero-knowledge server

/ 01 · Terminal

More than GPU rendering — AI pairs with you in the terminal.

Cross-platform GPU rendering, on par with Ghostty/Kitty. Smooth scrolling out of the box, every setting visual. AI is built in as a native capability — every step is visible, controllable and replayable.

Terminal deep dive
prod-east-01 · 1 tab · 3 panes
terminalzsh
kubectl get pods -n payments
NAME STATUS
api-fk2m9 Running
api-x4p2v Running
worker-7vn8m CrashLoop
@hux diagnose worker
monitor2s
CPU58%
Mem71%
Disk42 MB/s
Net120 MB/s
docker · 14
systemd · 146
AI · pairthinking

analyzed 2.4s

Redis egress blocked by NetworkPolicy

kubectl_logsdone
describedone
networkpolicyrunning
patch.yaml generated

/ 02 · Hosts

Every connection, managed in one place.

Group ownership, multi-field search, five clouds with a single click. Password or public key (ED25519 / RSA / ECDSA), credentials encrypted locally.

Hosts documentation
Hosts · all groups
Search · name / IP / description
All32Production12Staging5Workers8Personal3Homelab4

prod-east-01

10.0.12.5

ProductionOnline

prod-east-02

10.0.12.6

ProductionOnline

stage-api-01

10.20.1.3

StagingOnline

worker-7vn8m

10.0.40.18

WorkersOffline

homelab-pi

192.168.1.42

HomelabOnline

/ 03 · Notes

An executable knowledge base built for engineering ops.

Three content kinds, each with a purpose — Markdown for runbooks and postmortems, Snippet for reusable commands, docker-compose / k8s YAML auto-detected as Manifest. Edit a Snippet once and every reference updates instantly. Workspace / Notebook / Section lets personal drafts evolve into team knowledge. Version history protects every iteration.

Notes documentation
New note · pick a kind
MD

Note

Markdown writing + live preview

# Incident Runbook## 1. Status board- prod-east-01 status- redis · CPU redline
CODE

Snippet

Reusable code / command fragments

limit_req_zone $binary_remote_addr zone=login:10m rate=5r/s;
YAML

Manifest

Config files · format auto-detected

Detected · docker-compose
services: api: image: ghcr.io/...

/ 04 · Containers

Local Containers, remote containers — one place.

5 engines (Docker · OrbStack · Podman · Colima · Rancher Desktop) auto-detected locally; remote SSH hosts collected over the tunnel. Full container lifecycle — list / start-stop / create / logs follow / exec PTY / inspect, plus Compose project ops and three resource kinds (images · networks · volumes) with full-scope Prune.

Containers documentation
This Mac · containers

LOCAL

This Mac

Docker · OrbStack

REMOTE

prod-east-01

stage-02

homelab-pi

Search · name / image
+ New container
flatstack
Auto-refresh 2s
payments4 services
api-1ghcr.io/payments/api:v2.4.1

12%

184 MBstoprestart
worker-1ghcr.io/payments/worker

22%

312 MBstoprestart
redisredis:7.4

1.2%

48 MBstoprestart
pgpostgres:16start
logging2 services
lokigrafana/loki:3.1

5%

220 MBstoprestart
promtailgrafana/promtail:3.1start
standalone3 services
14 containers · 3 projects

/ 05 · Kubernetes

Full power of Lens / k9s / Headlamp.

40+ resource kinds covered — workloads / network / storage / RBAC / CRD. Cluster Overview surfaces health in 6 panels; full pod ops — logs follow · exec PTY · cp · port-forward · scale. Create any resource via YAML apply, with one-click rollback in Rollout history. Private clusters reached over SSH tunnel — no public API exposure needed.

Kubernetes documentation
kubeconfig · multi-cluster

Clusters

prod-east

12 nodes · SSH tunnel

stage-eu

6 nodes · direct

edge-lab

3 nodes · SSH tunnel

+ Add cluster

prod-east · details

API server
https://10.0.0.1:6443
context
prod-east-admin
connection mode
SSH tunnel via bastion.corp
namespaces
12 (default payments)
status
connected · v1.30.4

Network topology

Hux
SSH tunnel
bastion.corp
TCP 6443
kube-apiserver

Private clusters need no public API · secure direct connect via SSH port forwarding

/ 06 · Database

MySQL / PostgreSQL / SQLite, a Full SQL Workbench.

On par with Sequel Ace / TablePlus: schema-aware completion, AI natural-language query generation, double-click cell editing + marked-row delete in the result grid, schema tree (db / tables / views / indexes), multi-query tabs + history + CRUD snippet templates, CSV export. Multi-connection + SSL/TLS, remote instances attached transparently over SSH tunnel.

Database documentation
Database · connections

Connections

prod-mysql

MySQL 8 · via SSH

stage-pg

PostgreSQL 16 · direct

local-cache

SQLite · file://

+ Add connection

prod-mysql · details

driver
MySQL 8.4.0
host
10.0.4.5:3306
user
payments
database
payments
SSH tunnel
bastion.corp:22 → 10.0.4.5:3306
TLS
Preferred
Local mapping
127.0.0.1:54321 (transparent to sqlx)

Network topology

Hux
SSH 22
bastion.corp
TCP 3306
MySQL

sqlx connects to 127.0.0.1:54321 · SSH tunnel is fully transparent to the SQL layer

/ 07 · MFA

Built-in TOTP / HOTP — no Authenticator needed.

Full RFC 6238 / RFC 4226, SHA-1/256/512 + custom digits/period. otpauth:// URI one-tap import, countdown progress + next-code preview. Secrets field-level encrypted with AES-256-GCM, Master Key sealed in Apple Keychain, synced across devices over E2EE.

MFA documentation
TOTP · HOTPRFC 6238 / 4226SHA-1 / 256 / 512otpauth:// one-tap importEnte-style next codeAES-256-GCM field-levelCross-device E2EE sync
MFA · live countdown
Search · issuer / account
1Hz refresh · next-code preview

  • GitHub

    cooper@example.com

    482 193

    next 517 820

    Copied

  • AWS

    iam-admin

    734 219

    next 048 651

    copy

  • Cloudflare

    russell@hux.app

    918 047

    next 273 405

    copy

  • 1Password

    admin

    295 716

    next 482 109

    copy
Copied · 200ms feedback< 5s progress bar turns red

/ 08 · Security

Cryptographic guarantees, not lip service.

Field-level encryption, Master Key sealed in hardware Keychain / HUKS, Zero-knowledge cross-device sync, SSH host-fingerprint verification, log redaction, mandatory read-only cloud credentials, and SSH/SFTP/cloud APIs/AI all direct — never via Hux servers. Auditable commits, sync protocol spec published.

Privacy whitepaper
AES-256-GCM

Field-level encryption

SSH private keys, passwords, AccessKeys and MFA secrets are each AES-256-GCM encrypted; plaintext fields (hostnames, etc.) stay searchable

Keychain · HUKS

Hardware-backed Master Key

Sealed in Apple Keychain on macOS / iOS and in HUKS on HarmonyOS, device-bound, never written to disk

AES-256-CBC

SQLCipher full-disk encryption

The entire database is AES-256-CBC encrypted; db_key is HKDF-SHA256 derived from the Master Key

PBKDF2-100k

Zero-knowledge cross-device sync

A 6-digit pairing code is PBKDF2-SHA256 derived (100,000 iterations) into sync_key; every change is independently AES-256-GCM encrypted — the server only sees ciphertext

TOFU · SHA-256

SSH host-fingerprint verification

TOFU on first connect records the SHA-256 fingerprint; subsequent mismatches are rejected. known_hosts is per-device and never synced

auto-redact

Log redaction

AI streaming error responses auto-detect and redact any token of length ≥ 20, so providers can't echo your API Key into logs

least-privilege

Read-only cloud credentials

GCP is forced to compute.readonly scope; AWS / Aliyun limited to Describe* / List* — a leaked credential can read metadata at most

client-only

Always direct, never via Hux servers

SSH / SFTP connects straight to hosts, cloud APIs straight to endpoints, AI straight to providers, sync only transmits ciphertext — the server has nothing to decrypt

All of the above is verifiable by packet capture; sync-server is open source (Rust + axum) and the protocol spec is published

/ 09 · Cross-device sync

One account, every device, seamless.

PBKDF2 100k → AES-256-GCM. The server only ever sees ciphertext — guaranteed by cryptography.

Sync and privacy deep dive
6-digit pairing codePBKDF2-SHA256100,000 iterationsAES-256-GCMZero-knowledge serversync-server open sourceSelf-hostable

/ Pairing code

5:00
472903

Valid for 5 minutes. Enter it on another device to establish the sync channel.

Derivation
PBKDF2-SHA256
Iterations
100,000
Cipher
AES-256-GCM
Server visibility
Ciphertext only
Synced
Hosts · keys · notes
Excluded
Known hosts · AI history
Self-host
sync-server open source
End-to-end
PFS + device binding

/ FAQ

Before you buy, the things you're probably wondering.

Didn't find an answer? Email support@hux.app.

Is Hux open source?

+

The Rust core and the cross-device sync server (sync-server) are open source and self-hostable. The client app is closed source and subscription-based.

Will my AI data be uploaded to Hux?

+

No. You bring your own API Key and connect directly to the provider — Hux is not a proxy and stores nothing of your conversations. Enterprise LLM Gateways are supported.

Is the HarmonyOS app feature-complete?

+

It's at parity with the Apple version. SSH, SFTP, monitoring, K8s, Docker, AI, multi-cloud, sync and MFA are all covered.

Does one subscription cover every platform?

+

One Pro subscription covers every platform (macOS / iOS / iPadOS / HarmonyOS) and every device you log into.

Where is the sync server? Is my data safe?

+

End-to-end encrypted: the pairing code is PBKDF2-derived into a sync_key and changes are AES-256-GCM encrypted. The server only stores ciphertext. Self-hostable.

How long is the trial?

+

New accounts get a 14-day Pro trial, no credit card. It downgrades to Free automatically.

/ Native everywhere

One subscription,four platforms.

Hosts

Search

prod-east-01

10.0.1.5

prod-east-02

10.0.1.6

bastion-hk

stage-bj-04

172.16.0.4

iOS · iPhone

prod-east-01

CPU58%
Mem71%
Disk42 MB/s
Net120 MB/s
Docker14
Systemd146
K8s pods42·1⚠

HarmonyOS · foldable

payments · 42 pods

api-fk2m9Running
api-x4p2vRunning
worker-7vn8mCrashLoop
scheduler-9pqRunning
cron-29022Completed

iPadOS · iPad

DevOps Helpersonnet-4-6

thinking

First fetch logs, then check events, correlate with NetworkPolicy

kubectl_logs
kubectl_describe
networkpolicy_check

macOS · 14+

One account · end-to-end encrypted sync

Hosts · keys · notes · AI · cloud credentials · MFA

/ Get started

Ready to evolve your ops terminal?

14 days of Pro free, every feature unlocked.

Start for freeSee pricing