Command-line tool · Apache-2.0

Zensu, from the terminal

A gh-style binary over the Zensu REST API and OAuth2 + PKCE. Manage products, features, and auth from your shell — against the hosted service or any self-hosted deployment. One static binary, zero runtime dependencies.

1
single binary
Go, statically linked
3
platforms
Linux · macOS · Windows
0
runtime deps
no Node, no Python
PKCE
browser auth
OAuth2 loopback flow
Install

Pick your install. One binary either way.

No Go toolchain required for most paths. The CLI ships as a single static executable with zero runtime dependencies — script it in, drop in a prebuilt binary, run it in Docker, or build from source.

Recommended

Install script

One line on Linux, macOS, or Windows — pulls the latest release binary onto your PATH.

# Linux / macOS
curl -fsSL https://zensu.dev/install.sh | sh

# Windows (PowerShell)
irm https://zensu.dev/install.ps1 | iex

Homebrew

Tap and install the cask on macOS or Linux — upgrade later with brew upgrade.

brew install --cask mkitconsulting/tap/zensu

Prebuilt binaries

Grab the archive for your OS/arch from GitHub Releases — tar.gz, zip, and a checksums file.

# github releases
tar -xzf zensu_*_linux_amd64.tar.gz
mv zensu /usr/local/bin/

Docker

Run it straight from the registry — nothing installed on the host at all.

docker run --rm ghcr.io/mkitconsulting/zensu-cli:latest --help

Go toolchain

Already have Go? Install the command from source in one step.

go install github.com/MKITConsulting/zensu-cli/cmd/zensu@latest

From source

Clone the repo and build with the Makefile.

make build     # builds bin/zensu
make install   # installs to $GOBIN

Staying current

Re-run the install script for the newest release, or bump the Go install.

curl -fsSL https://zensu.dev/install.sh | sh
# or: go install …/cmd/zensu@latest
Commands

Everything is a subcommand.

Familiar noun verb ergonomics, just like the GitHub CLI. Typed commands for every resource — products, features, security, roadmaps, tiers, and more.

auth

Browser login or CI token — credentials stay in a 0600 file.

  • zensu auth login
  • zensu auth login --with-token zsk_…
  • zensu auth status
  • zensu auth token
  • zensu auth logout

products

Create and inspect products from the terminal.

  • zensu products list
  • zensu products get <product-id>
  • zensu products create --name "My Product" --type public

features

The core surface — create features and drive status transitions.

  • zensu features list --product <id> --status testing
  • zensu features get <feature-id>
  • zensu features create --product <id> --component <id> --title "Login"
  • zensu features update <feature-id> --title "New title"
  • zensu features status <feature-id> testing

security

Classify features, score the release gate, and read product-wide posture.

  • zensu security classify <feature-id> --classification confidential
  • zensu security score <feature-id>
  • zensu security validate <feature-id>
  • zensu security posture <product-id>

Add --json to most typed commands for raw, scriptable output — pipe it straight into jq or a CI step.

Authentication

Log in once. Or pipe a token.

A real OAuth2 + PKCE flow for humans, an API key for machines — same command, same credential store. Nothing is hard-coded to the hosted service.

Interactive

Browser login

zensu auth login
  • Opens your browser and runs the OAuth2 + PKCE loopback flow.
  • Credentials are written to hosts.json with 0600 permissions.
  • zensu auth status shows who you are and when the token expires.
CI / headless

Token login

zensu auth login --with-token zsk_xxx

# or read the key from stdin
echo "$ZENSU_API_KEY" | zensu auth login --with-token -
  • No browser required — designed for CI jobs and headless agents.
  • zensu auth token prints the bearer token for scripting.
Self-hosted

Point it at any Zensu.

The CLI is a thin client over the REST API and OAuth — so it works against the hosted service or any self-hosted deployment, with one flag or one environment variable.

  • Base URL resolves from --api-url, then ZENSU_API_URL, then your stored host — no SaaS endpoint is baked in.
  • OAuth endpoints auto-discover from the deployment itself, so there's nothing to configure per host.
  • The same binary talks to the hosted service or your own cluster. On-prem is a first-class target, not an afterthought.
Scripting

Built for pipes and pipelines.

Structured output, token login for CI, and honest exit codes — the CLI is as happy in a CI job as it is in your shell.

Most typed commands take --json — structured output you can pipe straight into jq or another tool.

zensu auth login --with-token - reads a key from stdin, so CI logs in with no browser.

Non-zero exit codes on failure, so the CLI slots cleanly into CI gates and shell scripts.

Configuration

Sensible defaults, every override.

Flags beat environment variables beat stored config beat the built-in default — the usual precedence, documented and predictable. Credentials and the selected host live in hosts.json inside the config directory.

API base URL first match wins
--api-url flag ZENSU_API_URL stored host https://api.zensu.dev
Config directory first that resolves
ZENSU_CONFIG_DIR XDG_CONFIG_HOME/zensu ~/.config/zensu

Install the CLI. Drive the lifecycle from your shell.

Apache-2.0, open source. Works against the hosted service or any self-hosted deployment — and scripts cleanly into CI.