One workspace.
Eight surfaces.

Protocols

• SSH — Key + password auth, jump-host chains, agent forwarding.
• Telnet — For legacy gear that still speaks it; same tab strip as everything else.
• Serial / console — USB-to-serial dongle support with configurable baud rate and flow control.
• RDP — Launches via the platform-native client — Microsoft RDP on macOS, mstsc on Windows.
• Embedded web browser — Full browser pane for switch / firewall / Cisco GUI workflows.
• Local terminal — System shell — zsh / bash / cmd / pwsh — in the same tab system.
• AWS SSM Session Manager — Managed-instance shell with no public IP and no SSH keys; auto-installs the session-manager-plugin on macOS and Windows.

Organization

• Connection folders — Nested grouping with search across hosts, tags, and notes.
• Quick Connect — Top-frame bar for one-shot ad-hoc SSH without saving a connection.
• Vault auto-fill — Credentials drop into any session type — SSH, Telnet, RDP, Serial, SSM.
• Recent connections — Most recently used hosts surface in the sidebar.
• Right-click menu — Rename, duplicate, delete, or move connections inline.

Request builder

• Methods — GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS.
• Headers, params, path vars — Headers, query params, and path-variable substitution (`{id}`).
• Body types — Raw text / JSON / XML / HTML, x-www-form-urlencoded, multipart (file + text fields), GraphQL, binary file.
• Auth presets — None, basic, bearer, API key (header or query), OAuth2 (auth code, client credentials, password) with token refresh, digest, AWS Signature v4.
• Pre/post scripts — Sandboxed JS pre-request and post-response scripts.
• Tests block — Assertions on status, headers, and JSON body with a results panel.

Response viewer

• Pretty-print — JSON, XML, HTML, image rendering inline.
• Timing breakdown — DNS / TCP / TLS / request / response on every call.
• Cookies tab — Per-domain cookie inspection.
• Status code reference — Mouseover for the spec description.
• Save response to file — Native save dialog from the response pane.

Collections + environments

• Hierarchical folders — Collection → folders → requests, with rename / duplicate / move / delete.
• Soft-delete + undo — Every mutation can be reverted from a brief undo banner.
• Environments (per Space) — Variable substitution in URL, headers, params, body, and scripts. Secret-marked values use the per-Space KMS path on Enterprise.

Collection Runner

• Sequential or parallel — Run a collection or folder, with live progress streaming.
• Aggregate report — Pass / fail counts and per-request timings.
• Export report — JSON or Markdown.

Imports

• Postman v2.1 — Drop in an exported Postman collection; structure preserved.
• OpenAPI 3.x — YAML or JSON spec → collection skeleton with paths, params, auth.
• cURL — Paste a `curl ...` command and it becomes a request.
• HAR — Drop in a HAR file; every request becomes a saved entry.
• Reverse export — Round-trip back to Postman v2.1.

Routing & sharing

• SSH-tunnel routing — Pick any active SSH session — the request flows out the remote network instead of your local one.
• Cross-Space sharing — Share collections across Spaces on Team and above.

GraphQL

• Query + variables editor — Side-by-side panes with prettify and run against any GraphQL endpoint.
• Shared collection store — GraphQL requests live alongside REST requests.

Realtime — WebSocket / SSE / MQTT

• WebSocket — Connect, send frames, watch frames stream in.
• SSE (Server-Sent Events) — Subscribe and follow with auto-reconnect.
• MQTT — Connect over TCP or TLS, subscribe with topic wildcards, publish at QoS 0/1/2 with retained-message awareness.

Supported engines

• PostgreSQL — pgx driver, mixed-case identifier quoting, jsonb pretty-print.
• MySQL / MariaDB — go-sql-driver/mysql, backtick quoting.
• SQLite — mattn/go-sqlite3, embedded — runs against any .sqlite file (Free included).
• Redis — go-redis/v9. Command shell + per-key viewer + SCAN-paginated key list.
• MongoDB — mongo-driver/v2. JSON spec editor for find / projection / sort / limit, with a document viewer.

Connection management

• Per-Space, encrypted — Host, port, credentials, SSL mode, file path stored encrypted per Space.
• SSH tunnel routing — Same SessionHandle pattern as the HTTP client — route DB traffic through any active SSH session.
• Test-connection probe — Validates on save before the connection is added.

Query workspace (SQL)

• Editor with ⌘↵ — Statement detection routes SELECT / WITH / VALUES / SHOW / EXPLAIN / TABLE to the row grid; everything else runs as exec.
• Schema browser — Databases → schemas → tables / views, drill-down inline.
• Engine-aware quoting — Postgres / SQLite double-quote, MySQL backtick — `SELECT * FROM "FreeResponse"` works on mixed-case names.
• Result grid — Row #, column types, JSON pretty-print for jsonb / array cells.
• Audit logging — Every statement is logged (truncated at 4000 chars) and surfaces in the Audit Log.

Redis workspace

• DB picker — 16 logical DBs.
• Key list — SCAN-paginated with pattern filter.
• Per-key viewer — Type, TTL, decoded value, delete.
• Command shell — redis-cli style with structured reply rendering.

Mongo workspace

• Database / collection tree — Drill-down navigation.
• JSON spec editor — Filter / projection / sort / limit in JSON.
• Document result viewer — Pretty-printed JSON with structured cell rendering.

Result export

• Tabular results — CSV, TSV, JSON for SQL and Redis.
• Document results — JSON array or NDJSON for Mongo.
• Native save dialog — CSV cells are RFC 4180 quoted; filenames are date-stamped.

Health dashboards (per engine)

• Postgres — Version, uptime, role, connection pool vs max_connections, buffer cache hit %, commit/rollback ratio, top databases by size, active queries, pg_stat_replication.
• MySQL — SHOW GLOBAL STATUS, threads vs max_connections, traffic counters, InnoDB buffer pool hit ratio, top schemas by size, processlist, SHOW SLAVE STATUS.
• SQLite — File size, page geometry, free pages / fragmentation %, journal mode (WAL / DELETE), per-table row counts, PRAGMA quick_check.
• Redis — INFO server / clients / memory vs maxmemory / stats with hit ratio / persistence / replication, DB keyspace, SLOWLOG GET 10.
• MongoDB — serverStatus (connections, opcounters, mem, WiredTiger cache hit ratio), repl set state, dbStats per database, currentOp.

Discovery & probes

• Host probe — ICMP / TCP / UDP probes with selectable ports.
• Ping sweep — CIDR-aware, parallel ICMP.
• Network discovery — Ping sweep + port scan + reverse DNS in one pass.
• Port scanner — TCP connect or SYN where supported.
• Nmap Scanner — Full Nmap integration with parsed XML output.
• MTR — Pure-Go ICMP my-traceroute — continuous per-hop loss / latency, ASN annotation, reverse DNS, no system tools required.
• DNS Tools — A/AAAA/MX/TXT/CNAME/PTR/SRV/CAA/DNSKEY/DS/TLSA, plus DKIM / DMARC / SPF presets, reverse lookup, and propagation across resolvers.
• WHOIS / RDAP — RDAP first (ARIN bootstrap follows referrals to RIPE / APNIC / LACNIC / AFRINIC), classic port-43 fallback.
• NTP Tester — Stratum, offset, jitter, root delay / dispersion, leap indicator, reference clock.
• Bandwidth Monitor — Real-time interface throughput graph (in / out Mbps).
• DHCP Browser — Query DHCP leases, find IPs by MAC, scope utilization via SNMP.
• Syslog Viewer — Live UDP listener with severity filtering and export.
• AP Scanner — Nearby Wi-Fi APs with SSID / BSSID / channel / band / RSSI / security. Uses macOS airport, Linux nmcli, Windows netsh.

Capture & analysis

• Packet Capture — libpcap-backed, per-interface filter, save to PCAP.
• TLS Inspector — Full chain with key sizes + signature algorithms, protocol versions (1.0–1.3), accepted cipher suites with strength, OCSP stapling, HSTS, ALPN, graded findings.
• Cert Checker — Date / chain / SAN validation.
• File Transfer — TFTP / FTP / SFTP under one tool.

Encoding & data

• Encoders & Decoders — base64 / base32 / hex / URL / HTML / Unicode escape; JWT decode with claim annotations; epoch ↔ ISO timestamp; MD5 / SHA-1 / SHA-256 / SHA-512 hashing; UUID v4 / v7 generator.
• JSON / YAML — Pretty / minify / convert + structural diff (key-order- and whitespace-insensitive).
• MAC Tracker — OUI vendor lookup + find a MAC across the saved switch fleet via SSH (Cisco IOS / NX-OS, Aruba AOS-CX / AOS-S, Juniper).
• Subnet Calculator — CIDR math, VLSM allocator, subnet splitter, supernet summarizer; binary + hex breakouts.
• PoE Budget Calculator — Pick a switch, drop in cameras / APs / phones or pull live wattage from PoE-MIB; color-coded per-port headroom.
• Cron Calculator — Validate a cron expression and preview next firings (5-field, 6-field with seconds, @yearly / @monthly / …); IANA timezone aware.

Device-side

• SNMP Browser — v1 / v2c / v3, GET / WALK, with shared MIB uploads.
• Active Directory Browser — Search users / groups / OUs, unlock accounts, check group membership.
• AV Control — Start / stop antivirus services on remote hosts.
• Bulk Command — Run one command across many hosts.
• Batch SSH — Parallel SSH execution with structured per-host results.
• Config Backup — Pull configs over SSH and store with version history.
• Config Diff — Between versions or between devices, side-by-side.

Spaces

• Personal Space — Always private to the user, never synced to teammates.
• Shared Spaces — Multi-user collaboration on Pro (1 max) and unlimited on Team and Enterprise.
• Per-Space audit trail — Every credential access, document edit, command run, HTTP request, DB query, and Magellan invocation is logged with actor / action / target / timestamp.
• Space switcher — Top-bar control flips the entire workspace context.
• Space Management — List view of members, roles, and storage usage.

Documents (Team and Enterprise)

• Notes / runbooks / templates — Markdown-style authoring with version history.
• IPAM (subnets + hosts) — Inline subnet calculator integration.
• Version history — 90 days on Team; unlimited on Enterprise (subject to per-Space byte cap).
• PDF export — Render any document to PDF.
• Public share links — share.shellyard.com — optional password gate, configurable expiry, revoke any time, view-count tracking.
• Doc + Space caps — Team: 5 MiB / doc, 1 GiB / Space. Enterprise: 10 MiB / doc, 5 GiB / Space.

Importers (Team and Enterprise)

• IT Glue — Documents and IPAM imported from your IT Glue account.
• Hudu — Documents and IPAM imported from your Hudu account.

Enterprise additions

• Per-Space customer-managed KMS — Each Space gets its own AWS CMK; vault and Documents are encrypted under it.
• Cryptographic erasure — Offboarding a client schedules their Space CMK for deletion; once the AWS pending window expires, all data under that Space is unrecoverable.
• Per-Space audit-log filtering — Filter and export audit history per Space — useful for client reports.

Providers (BYO key)

• Anthropic — Bring your Claude API key; choose model per Space.
• OpenAI — Bring your GPT API key.
• OpenAI-compatible — Point at Ollama, LM Studio, OpenRouter, or any OpenAI-API-compatible endpoint.

Universal context attachment

• "Ask Magellan" everywhere — Every tool — terminal, HTTP response, DB result, packet capture, SNMP walk, MTR trace, Redis key, Mongo doc — has a button that ships its current output as context.
• Visible attachment — The chat shows an "Attached: <tool> · <size>" pill before send so there is no ambiguity about what the model received.
• Per-tool prompt presets — "Channel congestion", "Rogue AP screen", "Spot anomalies", "Capacity check", and others, depending on tool.

Five-stage flow

• Explain — Read what you shared and tell you what it means.
• Suggest — Recommend the next diagnostic step or remediation.
• Draft — Write the command, script, or runbook entry.
• Review — You read the draft, edit if needed.
• Execute — You run it. Magellan does not autonomously execute.

Token + budget tracking

• Per-Space budget — Token budget surfaced in the panel header.
• Monthly query count — Tracked per Space.
• Configurable cap — Set a monthly ceiling per Space.

Vault

• Per-credential metadata — Host, port, type, notes, tags.
• Auto-fill across the app — SSH / Telnet / RDP / Serial / SSM, HTTP collection environments, database connections.
• Personal vault — Always under the user's own key, regardless of tier.
• Tag and search — Find credentials by metadata across saved entries.

Audit log

• Searchable + filterable — By actor, action, target.
• CSV export — Available on Team and Enterprise.
• Per-Space trail — Each Space has its own log; useful for MSP client reporting.
• Coverage — Surfaces every DB query (truncated to 4000 chars), every HTTP request, every Magellan invocation, every command run, every credential access.

• ⌘N to spawn — New-Window button or keyboard shortcut spawns a peer process.
• Encrypted auth handoff — One-shot Cognito refresh-token handoff via a 60-second temp file — the new window inherits the session without a sign-in prompt.
• Send-tab-to-window — Right-click a tab and move it to another window.
• Workspace-aware peers — A `live_processes` table broadcasts changes — rename a connection in window A and window B refreshes.
• Cloud-resource sync broadcast — Cloud sync events propagate across all peer windows on the same channel.
• Per-window ID — Each window has its own ID, surfaced in the title bar and audit log entries.