The missing Linux administrator command

See every shell. Attach to any.
Type into them.

Linux ships ps, ss, lsof, who — none of them answer the obvious operator question: what is each shell doing right now, and can I jump in? tap does. Your sessions if you're you, every session on the host if you're root. Remote and AI access via hop →

Install Commands

What you actually do with it

Pick a session. Attach. Type. Or just look at what every shell is doing.

tap(no args)

Live-refreshing picker of every session you can see, with a side panel showing the highlighted session's current screen. Arrow keys to navigate, Enter to attach, q to leave. The tmux-style session switcher Unix has been missing for the shells the user didn't open in tmux.

tap connect N

Attach to pty N like it's your own terminal. Live output to your screen, your keystrokes injected into the session. Detach with Ctrl-T — single keystroke, no tmux overlap. From the picker, Ctrl-T returns you to the menu; q in the menu exits.

tap list

Enumerate active sessions with sticky opener identity, current writer (sudo/setpriv visible inline), byte counters, age, and idle time. Scriptable companion for the picker.

Terminal — pick a session, attach, type into it
$ tap # live-refreshing picker, arrow keys to select, Enter to attach ┌── tap — terminal session picker ────────────────────────────┐ │ pty user comm out (b/ev) age │ │ 3 alice(1000) bash 12384/421 82s │ │ ▶ 4 alice(1000) vim 2891/14 12s │ │ 5 bob(1001) psql 830/9 4s │ └─────────────────────────────────────────────────────────────┘ 3 session(s) — ↑/↓ select Enter=connect q=quit # Enter on alice's vim session — bidirectional from here on: [tap connect pty=4 — Ctrl-T to detach] 1 # Project plan 2 3 ## Next sprint # your keystrokes go straight into alice's vim. detach, pick another session.

The capability Unix forgot to ship

Decades of admin tools, none of them answer the live-shell question.

What you have today

Linux ships ps for processes, ss and netstat for sockets, lsof for open files, who and w for logged-in users. Each answers one slice of "what's happening on this host." None of them answers the most obvious operator question: what is each shell doing right now, and can I get into one?

What you've been doing instead

screen and tmux work — but only for sessions you set up inside them ahead of time. They're invisible to a third party joining late. SSH'd-in sessions stay opaque. strace-on-bash works but is brittle, root-only, and breaks when the user reaches for tab completion. Audit logs land hours later and are usually incomplete.

What tap does

Every active TTY/PTY on the host, live, by default — including sessions that started before tap was installed (seeded from /proc at daemon start). Attach to any of them. Type into them. Or just look. Same authority model Unix already has: you see your own; root sees everything.

  • Every shell — including ones screen/tmux can't see
  • Attach live — type into any session you're allowed to see
  • Snapshot any session — full SGR-aware screen grab
  • Pre-existing sessions seeded from /proc at startup
  • Identity follows the opener — sudo can't sneak past it
Terminal — what other tools tell you vs. what tap does
# who alice pts/3 2026-04-29 09:41 (10.0.0.42) bob pts/4 2026-04-29 11:02 (10.0.0.18) # tells you who, not what. # ps -t pts/3 -o pid,comm 3214 bash 3812 vim # tells you the program, not the screen. # tap snapshot 3 snapshot pty=3 (24x80) ┌──────────────────────────────────────────────────┐ │alice@web-prod:~$ vim notes.md │ │ 3 ## Next sprint — payments hardening │ │ 4 - rotate signing keys before EOM │ └──────────────────────────────────────────────────┘ # the actual screen. followed by `tap connect 3` to type into it.

Install

One curl. Linux-only — eBPF needs a Linux kernel.

$ curl -fsSL https://tap.keik.ai/install.sh | bash

The installer drops the daemon under systemd and the tap CLI in /usr/local/bin. Nothing to configure — tap works the moment install finishes.

Your shells, or all shells if you're root

The same authority model Unix has had since 1969. No new ACLs, no key management.

The rule

Root sees and acts on every session. Non-root users see and act on only the sessions they opened. The kernel tells the daemon who's connecting (SO_PEERCRED on the local socket) — there's no key management, no on-the-wire claim a client could lie about.

Sticky opener identity

Every session remembers who opened it. sudo in the middle of a session doesn't change ownership for tap's purposes — alice's session is alice's session even when she's running root commands inside it. So a user can't escape their scope by escalating mid-session, and root can still see exactly when the privilege transition happened.

Same denial wording

Probing a pty you can't see returns the same error as probing one that doesn't exist. So a non-root user can't enumerate other users' sessions by trying every pty number.

Terminal — same daemon, two callers
# root sees every session root# tap list 2 active session(s): pty=3 user=alice(1000) comm=vim ... pty=4 user=bob(1001) comm=psql ... # alice sees only her own alice$ tap list 1 active session(s): pty=3 user=alice(1000) comm=vim ... # probing bob's pty: same error as one that doesn't exist alice$ tap snapshot 4 error: no active session with pty_index=4

Linux only

tap rides Linux's pty subsystem via eBPF. macOS and Windows are out of scope for the daemon. Want to drive tap from another machine? Pair it with hop for authenticated remote and AI-driven access from any client OS.

Install Remote / AI →