@cantinasecurity/apex-cli 0.1.10 → 0.1.11

package/.claude/skills/apex-cli/SKILL.md

@@ -7,6 +7,8 @@ description: Use when a user wants to run Apex scans, inspect findings, export r
 
 This skill is bundled with Apex CLI and can be installed into the current repository with `apex setup claude`.
 
+`apex setup claude` configures the MCP server with client attribution so Apex can distinguish Claude MCP usage from direct CLI usage. Users can inspect or disable anonymous local usage telemetry with `apex telemetry status` and `apex telemetry disable`.
+
 ## Instructions
 
 Use Apex through the MCP server when the `apex-*` tools are available.
@@ -39,6 +41,7 @@ If the Apex MCP server is not configured, fall back to the local CLI:
 - Use `sourceMode: "remote"` only when the user explicitly wants to forbid local snapshot fallbacks.
 - When checking a scan that is not the workspace binding's latest scan, pass `scanId` to `apex-status`; use `apex scans` or `apex-scans` first if you need to discover scan IDs.
 - Finding comments, feedback, and fix review scan starts use the same Apex device-login credentials as read tools. If a write tool reports missing auth, re-run `apex-auth-status` and complete `apex-auth-start` / `apex-auth-wait` instead of asking for browser cookies or auth tokens.
+- Anonymous telemetry records only sanitized command/tool metadata such as command names, enum modes, counts, durations, success/failure categories, CLI version, and client integration. It must not include raw repository paths, scan IDs, finding IDs, comments, file paths, PR URLs, or tokens.
 - Invalid finding feedback requires `dismissalReason`; valid feedback can include `suggestedSeverity`, including `extreme`.
 - Fix PR callback feedback requires valid feedback with `labels: ["fixed"]` and `fixPrUrls`; start the fix review scan with `apex-finding-fix-review` after saving that feedback.
 - Finding identifiers such as `KERN2-25` resolve against the selected or latest scan for the current workspace binding. Pass an explicit `scanId` when needed, or use the finding UUID directly.

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Cantina agent plugins for security review workflows.",
-    "version": "0.1.10"
+    "version": "0.1.11"
   },
   "plugins": [
     {
@@ -14,10 +14,10 @@
       "source": {
         "source": "npm",
         "package": "@cantinasecurity/apex-cli",
-        "version": "0.1.10"
+        "version": "0.1.11"
       },
       "description": "Run Apex security scans and review findings from Claude Code.",
-      "version": "0.1.10",
+      "version": "0.1.11",
       "author": {
         "name": "Cantina",
         "email": "support@cantina.xyz"

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "apex-cli",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Run Apex security scans and review findings from Claude Code.",
   "author": {
     "name": "Cantina",

package/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "apex-cli",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Run Apex security scans and review findings from Codex.",
   "author": {
     "name": "Cantina",

package/.mcp.claude.json

@@ -5,9 +5,13 @@
       "args": [
         "-y",
         "-p",
-        "@cantinasecurity/apex-cli@0.1.10",
+        "@cantinasecurity/apex-cli@0.1.11",
         "apex-mcp"
-      ]
+      ],
+      "env": {
+        "APEX_MCP_CLIENT": "claude",
+        "APEX_CLIENT_INTEGRATION": "claude"
+      }
     }
   }
 }

package/.mcp.codex.json

@@ -4,8 +4,12 @@
     "args": [
       "-y",
       "-p",
-      "@cantinasecurity/apex-cli@0.1.10",
+      "@cantinasecurity/apex-cli@0.1.11",
       "apex-mcp"
-    ]
+    ],
+    "env": {
+      "APEX_MCP_CLIENT": "codex",
+      "APEX_CLIENT_INTEGRATION": "codex"
+    }
   }
 }

package/MARKETPLACE.md

@@ -13,7 +13,7 @@ This package is prepared as both a Claude Code plugin and a Codex plugin. The pu
 The plugin MCP configs launch the pinned npm CLI package with:
 
 ```bash
-npx -y -p @cantinasecurity/apex-cli@0.1.10 apex-mcp
+npx -y -p @cantinasecurity/apex-cli@0.1.11 apex-mcp
 ```
 
 That keeps marketplace installs independent of a user's global `apex` install.

package/README.md

@@ -149,6 +149,7 @@ Supported shell commands:
 - `apex login`
 - `apex logout`
 - `apex setup [all|codex|claude|copilot]`
+- `apex telemetry [status|enable|disable]`
 - `apex update`
 - `apex connect github`
 - `apex connect gitlab`
@@ -221,18 +222,24 @@ If Apex is installed globally, prefer:
 apex setup
 ```
 
-That registers Apex for installed Codex CLI, Claude Code, and GitHub Copilot CLI clients automatically.
+That registers Apex for installed Codex CLI, Claude Code, and GitHub Copilot CLI clients automatically. Codex and Claude registrations also set `APEX_MCP_CLIENT` and `APEX_CLIENT_INTEGRATION` so Apex can distinguish agent-driven MCP usage from direct CLI usage.
 
 If you want to wire clients manually instead, Apex ships a stable `apex-mcp` binary. For Codex:
 
 ```bash
-codex mcp add apex -- apex-mcp
+codex mcp add apex \
+  --env APEX_MCP_CLIENT=codex \
+  --env APEX_CLIENT_INTEGRATION=codex \
+  -- apex-mcp
 ```
 
 For Claude Code:
 
 ```bash
-claude mcp add --scope user apex -- apex-mcp
+claude mcp add --scope user \
+  -e APEX_MCP_CLIENT=claude \
+  -e APEX_CLIENT_INTEGRATION=claude \
+  apex -- apex-mcp
 ```
 
 For GitHub Copilot CLI:
@@ -247,7 +254,11 @@ For any other MCP client, configure it to launch:
 {
   "mcpServers": {
     "apex": {
-      "command": "apex-mcp"
+      "command": "apex-mcp",
+      "env": {
+        "APEX_MCP_CLIENT": "custom-mcp-client",
+        "APEX_CLIENT_INTEGRATION": "custom-mcp-client"
+      }
     }
   }
 }
@@ -259,7 +270,11 @@ From a local checkout during development, prefer the repo-local binary so the MC
 {
   "mcpServers": {
     "apex": {
-      "command": "/path/to/apex-cli/bin/apex-mcp"
+      "command": "/path/to/apex-cli/bin/apex-mcp",
+      "env": {
+        "APEX_MCP_CLIENT": "local-dev",
+        "APEX_CLIENT_INTEGRATION": "local-dev"
+      }
     }
   }
 }
@@ -273,7 +288,11 @@ If you need to launch through `pnpm`, use `--silent`:
     "apex": {
       "command": "pnpm",
       "args": ["--silent", "mcp"],
-      "cwd": "/path/to/apex-cli"
+      "cwd": "/path/to/apex-cli",
+      "env": {
+        "APEX_MCP_CLIENT": "local-dev",
+        "APEX_CLIENT_INTEGRATION": "local-dev"
+      }
     }
   }
 }
@@ -297,6 +316,60 @@ For Codex-style clients, the packaged skill can be installed with `apex setup co
 
 For Claude Code, the packaged project skill can be installed into the current repository with `apex setup claude`. The repo-local source lives at `.claude/skills/apex-cli/SKILL.md`. Anthropic documents project skills as filesystem directories under `.claude/skills/<name>/SKILL.md`, and the Claude Agent SDK uses the same location when the `Skill` tool is enabled.
 
+## Usage Telemetry
+
+Apex CLI emits first-party, privacy-preserving usage telemetry so Cantina can understand how people use the direct CLI, the interactive shell, and MCP tools in Codex, Claude, GitHub Copilot CLI, or other clients.
+
+Telemetry is enabled by default and can be disabled locally:
+
+```bash
+apex telemetry status
+apex telemetry disable
+apex telemetry enable
+```
+
+Environment opt-outs override local config:
+
+```bash
+APEX_TELEMETRY_DISABLED=1 apex scan
+# also honored: APEX_DISABLE_TELEMETRY=1 or DO_NOT_TRACK=1
+```
+
+Telemetry records lifecycle events such as command/tool start and completion, duration, success/failure category, CLI version, Node/platform basics, anonymous install/session IDs, and sanitized command metadata. It also adds attribution headers to Apex API requests, including surface (`cli`, `interactive_shell`, or `mcp`), client integration, invocation ID, command/tool name, and CLI version.
+
+Telemetry does not send raw cwd paths, repository URLs, finding IDs, scan IDs, PR URLs, comments, file paths, tokens, or raw flag values. Sensitive inputs are reduced to booleans, counts, enum values, or length buckets.
+
+Telemetry event posts do not include bearer tokens. The telemetry endpoint is `POST /api/cli/v1/telemetry/events` with a batch payload:
+
+```json
+{
+  "events": [
+    {
+      "schemaVersion": 1,
+      "event": "apex.invocation.completed",
+      "cliVersion": "0.1.11",
+      "invocation": {
+        "surface": "mcp",
+        "command": "apex-scan",
+        "mcpTool": "apex-scan",
+        "metadata": {
+          "mode": "pr",
+          "pullRequestCount": 1,
+          "cwdProvided": true
+        }
+      },
+      "client": {
+        "integration": "codex"
+      },
+      "outcome": {
+        "success": true,
+        "durationMs": 1234
+      }
+    }
+  ]
+}
+```
+
 ## Plugin And Marketplace Packaging
 
 The npm package also includes marketplace-ready plugin artifacts:
@@ -305,7 +378,7 @@ The npm package also includes marketplace-ready plugin artifacts:
 - `.claude-plugin/plugin.json` and `.mcp.claude.json` for Claude Code plugin installs
 - `.claude-plugin/marketplace.json` for a Claude marketplace entry backed by the public npm package
 
-These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.10 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
+These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.11 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
 
 The repository also includes `.agents/plugins/marketplace.json` for local Codex marketplace testing from a checkout.
 

package/dist/apex.js

@@ -1,12 +1,12 @@
 import { ApexApiClient, formatApiError } from "./api-client.js";
 import { parseArgs } from "./args.js";
-import { commandCancelScan, commandConnect, commandCredits, commandDoctor, commandExportFindings, commandFindingComment, commandFindingFeedback, commandFindingFixReview, commandFindings, commandLogin, commandLogout, commandScan, commandScans, commandSetup, commandStatus, commandUpdate, commandWorkspace, commandWorkspaceUse, commandWorkspaces, } from "./commands.js";
+import { commandCancelScan, commandConnect, commandCredits, commandDoctor, commandExportFindings, commandFindingComment, commandFindingFeedback, commandFindingFixReview, commandFindings, commandLogin, commandLogout, commandScan, commandScans, commandSetup, commandStatus, commandTelemetry, commandUpdate, commandWorkspace, commandWorkspaceUse, commandWorkspaces, } from "./commands.js";
 import { CLI_HELP_TEXT } from "./help.js";
 import { runMcpServer } from "./mcp.js";
 import { runInteractiveShell } from "./shell.js";
+import { createCliTelemetryInvocation, emitInvocationCompleted, emitInvocationStarted, withTelemetryContext, } from "./telemetry.js";
 import { maybePromptForUpdate } from "./update.js";
-async function main() {
-    const parsed = parseArgs(process.argv.slice(2));
+async function dispatch(parsed) {
     if (parsed.flags.help === true || parsed.command === "help") {
         process.stdout.write(CLI_HELP_TEXT);
         return;
@@ -45,6 +45,9 @@ async function main() {
         case "setup":
             await commandSetup(cwd, parsed.flags, parsed.subcommand);
             return;
+        case "telemetry":
+            await commandTelemetry(parsed.flags, parsed.subcommand);
+            return;
         case "doctor":
             await commandDoctor(client, cwd, parsed.flags);
             return;
@@ -117,6 +120,21 @@ async function main() {
             throw new Error(`Unknown command: ${parsed.command}`);
     }
 }
+async function main() {
+    const parsed = parseArgs(process.argv.slice(2));
+    const invocation = createCliTelemetryInvocation(parsed);
+    emitInvocationStarted(invocation);
+    await withTelemetryContext(invocation, async () => {
+        try {
+            await dispatch(parsed);
+            emitInvocationCompleted(invocation);
+        }
+        catch (error) {
+            emitInvocationCompleted(invocation, error);
+            throw error;
+        }
+    });
+}
 function getFlagValue(value) {
     return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
 }

package/dist/api-client.js

@@ -1,4 +1,5 @@
 import { clearCredentials, loadConfig, loadCredentials, saveCredentials } from "./config.js";
+import { getTelemetryRequestHeaders } from "./telemetry.js";
 export class ApiError extends Error {
     status;
     body;
@@ -84,7 +85,11 @@ export class ApexApiClient {
     async request(path, options = {}) {
         const baseUrl = await this.getBaseUrl();
         const headers = new Headers(options.headers ?? {});
+        const telemetryHeaders = await getTelemetryRequestHeaders();
         let credentials = options.auth === false ? null : await this.refreshIfNeeded().catch(() => null);
+        for (const [key, value] of Object.entries(telemetryHeaders)) {
+            headers.set(key, value);
+        }
         if (options.json !== undefined) {
             headers.set("Content-Type", "application/json");
         }

package/dist/commands.js

@@ -12,6 +12,7 @@ import { chooseCompany, createWorkspaceBinding, ensureAuthenticated, remediateMi
 import { createWorkspaceBindingFromSummary, fetchCompanyCredits, fetchCompanyWorkspaces, findWorkspaceByRef, } from "./workspaces.js";
 import { loadWorkspaceBinding, saveWorkspaceBinding } from "./workspace-binding.js";
 import { commandSetup as runCliSetup } from "./setup.js";
+import { getTelemetryStatus, setTelemetryEnabled, } from "./telemetry.js";
 import { commandUpdate as runCliUpdate } from "./update.js";
 import { mkdir, writeFile } from "node:fs/promises";
 import path from "node:path";
@@ -496,6 +497,41 @@ export async function commandUpdate(flags) {
 export async function commandSetup(cwd, flags, target) {
     return runCliSetup(cwd, flags, target);
 }
+function formatTelemetryDisabledBy(disabledBy) {
+    if (!disabledBy)
+        return "not disabled";
+    if (disabledBy === "config")
+        return "local config";
+    return disabledBy.replace(/^env:/, "environment variable ");
+}
+export async function commandTelemetry(flags, target) {
+    let payload;
+    switch (target ?? "status") {
+        case "status":
+            payload = await getTelemetryStatus("cli");
+            break;
+        case "enable":
+            payload = await setTelemetryEnabled(true);
+            break;
+        case "disable":
+            payload = await setTelemetryEnabled(false);
+            break;
+        default:
+            throw new Error("Usage: apex telemetry [status|enable|disable]");
+    }
+    if (isJsonMode(flags)) {
+        printJson(payload);
+        return payload;
+    }
+    logLine(`Telemetry: ${payload.enabled ? "enabled" : "disabled"}`, flags);
+    logLine(`Disabled by: ${formatTelemetryDisabledBy(payload.disabledBy)}`, flags);
+    logLine(`Endpoint: ${payload.endpointPath}`, flags);
+    logLine(`Client integration: ${payload.client.integration}`, flags);
+    if (payload.installId) {
+        logLine(`Install ID: ${payload.installId}`, flags);
+    }
+    return payload;
+}
 export async function commandDoctor(client, cwd, flags) {
     const me = await ensureAuthenticated(client, flags);
     try {

package/dist/config.js

@@ -32,12 +32,16 @@ export async function loadConfig() {
             version: 1,
             baseUrl: DEFAULT_BASE_URL,
             defaultCompanyId: null,
+            telemetryDisabled: config?.telemetryDisabled ?? null,
+            telemetryInstallId: config?.telemetryInstallId ?? null,
         };
     }
     return {
         version: 1,
         baseUrl: config.baseUrl,
         defaultCompanyId: config.defaultCompanyId ?? null,
+        telemetryDisabled: config.telemetryDisabled ?? null,
+        telemetryInstallId: config.telemetryInstallId ?? null,
     };
 }
 export async function saveConfig(config) {

package/dist/help.js

@@ -23,6 +23,8 @@ export const CLI_HELP_TEXT = `Usage:
   apex mcp                          Start the Apex MCP server over stdio
   apex setup [all|codex|claude|copilot]
                                     Configure Apex for Codex, Claude Code, and GitHub Copilot CLI
+  apex telemetry [status|enable|disable]
+                                    Show or change local anonymous usage telemetry settings
   apex update                       Update the local Apex CLI install
   apex connect github               Open the GitHub connection flow
   apex connect gitlab               Open the GitLab connection flow
@@ -66,6 +68,7 @@ Tips:
   Invalid finding feedback requires --dismissal-reason.
   Fix review scans require valid feedback with --label fixed and at least one --fix-pr-url, then apex findings fix-review.
   Finding identifiers such as KERN2-25 resolve against the selected scan; pass --scan or use the finding UUID directly when needed.
+  Anonymous usage telemetry helps Apex understand CLI, MCP, Codex, Claude, and Copilot usage. Disable it with apex telemetry disable or APEX_TELEMETRY_DISABLED=1.
   Quote workspace names that contain spaces:
     apex workspace use "Core Platform"
 `;
@@ -90,6 +93,8 @@ Commands:
   /cancel-scan [scan-id]  Cancel a running or most recent scan
   /status [scan-id]       Show progress for the most recent or selected scan
   /doctor                 Validate auth, repos, connections, and workspace binding
+  /telemetry [status|enable|disable]
+                          Show or change local anonymous usage telemetry settings
   /update                 Update the local Apex CLI install and exit the shell
   /logout                 Sign out locally and exit the shell
   /repos                  List detected repositories
@@ -112,5 +117,6 @@ Tips:
   Invalid finding feedback requires a dismissal reason.
   Fix review scans require fixed valid feedback with a Fix PR URL. Use scripted CLI or MCP for attaching Fix PR URLs.
   Use scripted CLI flags for advanced feedback options such as suggested severity or dismissal reason.
+  Anonymous usage telemetry can be disabled with /telemetry disable or APEX_TELEMETRY_DISABLED=1.
   Quote workspace names that contain spaces: /workspace use "Core Platform"
 `;

package/dist/mcp.js

@@ -6,6 +6,7 @@ import { getMe, logout, startDeviceLogin, waitForDeviceLoginApproval } from "./a
 import { ApexApiClient, formatApiError } from "./api-client.js";
 import { commandCancelScan, commandConnect, commandCredits, commandDoctor, commandExportFindings, commandFindingComment, commandFindingFeedback, commandFindingFixReview, commandFindings, commandScan, commandScans, commandStatus, commandWorkspace, commandWorkspaceUse, commandWorkspaces, } from "./commands.js";
 import { CLI_HELP_TEXT } from "./help.js";
+import { createMcpServerTelemetryInvocation, createMcpTelemetryInvocation, emitInvocationCompleted, emitInvocationStarted, emitMcpServerStarted, withTelemetryContext, } from "./telemetry.js";
 import { APEX_CLI_VERSION } from "./version.js";
 const MCP_WORKFLOW_GUIDE = `Use Apex through these tools instead of shelling out to the CLI.
 
@@ -139,14 +140,20 @@ function errorResult(toolName, error) {
         isError: true,
     };
 }
-async function runTool(toolName, action, summary) {
-    try {
-        const value = await action();
-        return successResult(summary(value), value);
-    }
-    catch (error) {
-        return errorResult(toolName, error);
-    }
+async function runTool(toolName, action, summary, input = {}) {
+    const invocation = createMcpTelemetryInvocation(toolName, input);
+    emitInvocationStarted(invocation);
+    return withTelemetryContext(invocation, async () => {
+        try {
+            const value = await action();
+            emitInvocationCompleted(invocation);
+            return successResult(summary(value), value);
+        }
+        catch (error) {
+            emitInvocationCompleted(invocation, error);
+            return errorResult(toolName, error);
+        }
+    });
 }
 async function requireAuthenticated(client) {
     const me = await getMe(client);
@@ -235,7 +242,7 @@ function registerTools(server) {
             return "Device login expired before approval.";
         }
         return "Device login is still pending.";
-    }));
+    }, { deviceCode, intervalSeconds, expiresAt, timeoutSeconds }));
     server.registerTool("apex-logout", {
         title: "Log Out Of Apex",
         description: "Clear the locally stored Apex session.",
@@ -268,7 +275,13 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Apex doctor completed for ${String(value.cwd)}.`));
+    }, (value) => `Apex doctor completed for ${String(value.cwd)}.`, {
+        cwd,
+        company,
+        workspaceName,
+        repoPaths,
+        sourceMode,
+    }));
     server.registerTool("apex-credits", {
         title: "Get Apex Credits",
         description: "Show scan credits plus audit and fix review scan entitlements for the active or selected company.",
@@ -287,7 +300,10 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Fetched Apex credits for ${String(value.cwd)}.`));
+    }, (value) => `Fetched Apex credits for ${String(value.cwd)}.`, {
+        cwd,
+        company,
+    }));
     server.registerTool("apex-workspace", {
         title: "Get Current Apex Workspace Binding",
         description: "Show the current Apex workspace bound to a directory, if any.",
@@ -301,7 +317,9 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Loaded workspace binding for ${String(value.cwd)}.`));
+    }, (value) => `Loaded workspace binding for ${String(value.cwd)}.`, {
+        cwd,
+    }));
     server.registerTool("apex-workspaces", {
         title: "List Apex Workspaces",
         description: "List workspaces available to the active or selected company.",
@@ -320,7 +338,10 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Listed Apex workspaces for ${String(value.cwd)}.`));
+    }, (value) => `Listed Apex workspaces for ${String(value.cwd)}.`, {
+        cwd,
+        company,
+    }));
     server.registerTool("apex-workspace-use", {
         title: "Bind Directory To Apex Workspace",
         description: "Bind a directory to an existing Apex workspace by id, prefix, or name.",
@@ -340,7 +361,11 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Bound ${String(value.cwd)} to an Apex workspace.`));
+    }, (value) => `Bound ${String(value.cwd)} to an Apex workspace.`, {
+        cwd,
+        company,
+        workspaceRef,
+    }));
     server.registerTool("apex-scan", {
         title: "Start Apex Scan",
         description: "Start a new Apex scan for the provided cwd by default. Pass repoPaths only to scan explicit alternate local roots. Use mode audit for audit scans and mode pr for GitHub pull request scans.",
@@ -378,7 +403,16 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Started an Apex scan for ${String(value.cwd)}.`));
+    }, (value) => `Started an Apex scan for ${String(value.cwd)}.`, {
+        cwd,
+        company,
+        workspaceName,
+        repoPaths,
+        mode,
+        pullRequests,
+        sourceMode,
+        force,
+    }));
     server.registerTool("apex-status", {
         title: "Get Apex Scan Status",
         description: "Show progress for the most recent or selected Apex scan in a directory.",
@@ -395,7 +429,10 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Fetched scan status for ${String(value.cwd)}.`));
+    }, (value) => `Fetched scan status for ${String(value.cwd)}.`, {
+        cwd,
+        scanId,
+    }));
     server.registerTool("apex-scans", {
         title: "List Apex Scans",
         description: "List scans for the Apex workspace bound to a directory.",
@@ -411,7 +448,9 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Listed scans for ${String(value.cwd)}.`));
+    }, (value) => `Listed scans for ${String(value.cwd)}.`, {
+        cwd,
+    }));
     server.registerTool("apex-cancel-scan", {
         title: "Cancel Apex Scan",
         description: "Cancel a running Apex scan in the bound workspace.",
@@ -428,7 +467,10 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Cancelled the selected Apex scan for ${String(value.cwd)}.`));
+    }, (value) => `Cancelled the selected Apex scan for ${String(value.cwd)}.`, {
+        cwd,
+        scanId,
+    }));
     server.registerTool("apex-findings", {
         title: "List Apex Findings",
         description: "List findings for the latest or selected Apex scan in a directory.",
@@ -449,7 +491,11 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Fetched Apex findings for ${String(value.cwd)}.`));
+    }, (value) => `Fetched Apex findings for ${String(value.cwd)}.`, {
+        cwd,
+        scanId,
+        limit,
+    }));
     server.registerTool("apex-finding-comment", {
         title: "Add Apex Finding Comment",
         description: "Add a comment or note to an Apex finding using the current Apex login.",
@@ -470,7 +516,13 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Added a finding comment for ${String(value.findingRef)}.`));
+    }, (value) => `Added a finding comment for ${String(value.findingRef)}.`, {
+        cwd,
+        findingRef,
+        content,
+        parentCommentId,
+        scanId,
+    }));
     server.registerTool("apex-finding-feedback", {
         title: "Leave Apex Finding Feedback",
         description: "Leave valid or invalid feedback on an Apex finding using the current Apex login. To attach a fix PR, send status valid with label fixed and fixPrUrls.",
@@ -508,7 +560,17 @@ function registerTools(server) {
             ...payload,
         };
     }, (value) => `Submitted ${String((value.feedback?.feedbackType ??
-        "finding"))} feedback for ${String(value.findingRef)}.`));
+        "finding"))} feedback for ${String(value.findingRef)}.`, {
+        cwd,
+        findingRef,
+        status,
+        comment,
+        labels,
+        fixPrUrls,
+        suggestedSeverity,
+        dismissalReason,
+        scanId,
+    }));
     server.registerTool("apex-finding-fix-review", {
         title: "Start Apex Finding Fix Review Scan",
         description: "Start a fix review scan for a finding after fixed feedback with one or more Fix PR URLs has been saved.",
@@ -527,7 +589,11 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Started fix review scan for ${String(value.findingRef)}.`));
+    }, (value) => `Started fix review scan for ${String(value.findingRef)}.`, {
+        cwd,
+        findingRef,
+        scanId,
+    }));
     server.registerTool("apex-export-findings", {
         title: "Export Apex Findings",
         description: "Export findings for the latest or selected Apex scan to a file on disk.",
@@ -556,7 +622,12 @@ function registerTools(server) {
             scan: payload.scan,
             outputPath: payload.outputPath,
         };
-    }, (value) => `Exported Apex findings for ${String(value.cwd)}.`));
+    }, (value) => `Exported Apex findings for ${String(value.cwd)}.`, {
+        cwd,
+        scanId,
+        format,
+        output,
+    }));
     server.registerTool("apex-connect-provider", {
         title: "Get Apex Provider Connection URL",
         description: "Return the browser URL a user needs to connect GitHub or GitLab access for Apex. This tool never opens a browser.",
@@ -576,16 +647,22 @@ function registerTools(server) {
             cwd: targetCwd,
             ...payload,
         };
-    }, (value) => `Fetched the ${String(value.provider)} connection URL.`));
+    }, (value) => `Fetched the ${String(value.provider)} connection URL.`, {
+        cwd,
+        company,
+        provider,
+    }));
 }
 export async function runMcpServer() {
     const server = new McpServer({
         name: "apex-cli",
         version: APEX_CLI_VERSION,
     });
+    const invocation = createMcpServerTelemetryInvocation();
     registerResources(server);
     registerTools(server);
     const transport = new StdioServerTransport();
+    emitMcpServerStarted(invocation);
     await server.connect(transport);
 }
 export const testing = {