@cantinasecurity/apex-cli 0.1.4 → 0.1.6

package/.claude-plugin/marketplace.json

@@ -0,0 +1,42 @@
+{
+  "name": "cantina-tools",
+  "owner": {
+    "name": "Cantina",
+    "email": "support@cantina.xyz"
+  },
+  "metadata": {
+    "description": "Cantina agent plugins for security review workflows.",
+    "version": "0.1.6"
+  },
+  "plugins": [
+    {
+      "name": "apex-cli",
+      "source": {
+        "source": "npm",
+        "package": "@cantinasecurity/apex-cli",
+        "version": "0.1.6"
+      },
+      "description": "Run Apex security scans and review findings from Claude Code.",
+      "version": "0.1.6",
+      "author": {
+        "name": "Cantina",
+        "email": "support@cantina.xyz"
+      },
+      "homepage": "https://cantina.xyz",
+      "keywords": [
+        "apex",
+        "cantina",
+        "security",
+        "mcp",
+        "code-review",
+        "findings"
+      ],
+      "category": "Developer Tools",
+      "tags": [
+        "security",
+        "mcp",
+        "code-review"
+      ]
+    }
+  ]
+}

package/.claude-plugin/plugin.json

@@ -0,0 +1,21 @@
+{
+  "name": "apex-cli",
+  "version": "0.1.6",
+  "description": "Run Apex security scans and review findings from Claude Code.",
+  "author": {
+    "name": "Cantina",
+    "email": "support@cantina.xyz",
+    "url": "https://cantina.xyz"
+  },
+  "homepage": "https://cantina.xyz",
+  "keywords": [
+    "apex",
+    "cantina",
+    "security",
+    "mcp",
+    "code-review",
+    "findings"
+  ],
+  "skills": "./.claude/skills/",
+  "mcpServers": "./.mcp.claude.json"
+}

package/.codex-plugin/plugin.json

@@ -0,0 +1,40 @@
+{
+  "name": "apex-cli",
+  "version": "0.1.6",
+  "description": "Run Apex security scans and review findings from Codex.",
+  "author": {
+    "name": "Cantina",
+    "email": "support@cantina.xyz",
+    "url": "https://cantina.xyz"
+  },
+  "homepage": "https://cantina.xyz",
+  "keywords": [
+    "apex",
+    "cantina",
+    "security",
+    "mcp",
+    "code-review",
+    "findings"
+  ],
+  "skills": "./skills/",
+  "mcpServers": "./.mcp.codex.json",
+  "interface": {
+    "displayName": "Apex CLI",
+    "shortDescription": "Start Apex scans and review findings from Codex.",
+    "longDescription": "Adds Apex MCP tools and skills for authentication, workspace binding, scans, finding export, finding comments, valid/invalid feedback, and fix review scans.",
+    "developerName": "Cantina",
+    "category": "Developer Tools",
+    "capabilities": [
+      "Read",
+      "Write"
+    ],
+    "websiteURL": "https://cantina.xyz",
+    "privacyPolicyURL": "https://cantina.xyz/privacy-policy",
+    "termsOfServiceURL": "https://cantina.xyz/terms/general",
+    "defaultPrompt": [
+      "Use Apex to scan this repository.",
+      "Use Apex to review findings for the latest scan.",
+      "Use Apex to start a PR scan for this pull request."
+    ]
+  }
+}

package/.mcp.claude.json

@@ -0,0 +1,13 @@
+{
+  "mcpServers": {
+    "apex": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "-p",
+        "@cantinasecurity/apex-cli@0.1.6",
+        "apex-mcp"
+      ]
+    }
+  }
+}

package/.mcp.codex.json

@@ -0,0 +1,11 @@
+{
+  "apex": {
+    "command": "npx",
+    "args": [
+      "-y",
+      "-p",
+      "@cantinasecurity/apex-cli@0.1.6",
+      "apex-mcp"
+    ]
+  }
+}

package/MARKETPLACE.md

@@ -0,0 +1,71 @@
+# Apex CLI Marketplace Publishing
+
+This package is prepared as both a Claude Code plugin and a Codex plugin. The published npm package includes:
+
+- `.claude-plugin/plugin.json`
+- `.claude-plugin/marketplace.json`
+- `.codex-plugin/plugin.json`
+- `.mcp.claude.json`
+- `.mcp.codex.json`
+- `skills/apex-cli/SKILL.md`
+- `.claude/skills/apex-cli/SKILL.md`
+
+The plugin MCP configs launch the pinned npm CLI package with:
+
+```bash
+npx -y -p @cantinasecurity/apex-cli@0.1.6 apex-mcp
+```
+
+That keeps marketplace installs independent of a user's global `apex` install.
+
+## Local Validation
+
+Validate the Claude plugin and marketplace from the repo root:
+
+```bash
+claude plugin validate .
+claude plugin marketplace add ./ --scope local
+claude plugin install apex-cli@cantina-tools --scope local
+```
+
+Validate the Codex plugin through the repo marketplace:
+
+```bash
+codex plugin marketplace add ./
+```
+
+Then open the Codex plugin directory and install `apex-cli` from `Cantina Tools`.
+
+## Official Claude Plugin Directory
+
+For the Claude Code / Cowork plugin directory:
+
+1. Run `claude plugin validate .`.
+2. Submit either a public GitHub repository or a zip archive that contains this plugin package.
+3. Use the Claude plugin submission form.
+4. Attach the approved listing URL to APEX-161.
+
+The current repository is private. If Anthropic requires source inspection through a public GitHub URL, publish either this repo or a dedicated public plugin package repo before submission.
+
+## Anthropic Connectors Directory
+
+The Anthropic Connectors Directory is for remote MCP servers, desktop extensions, and MCP Apps. This package currently ships a local stdio MCP server. A Connectors Directory submission still needs a hosted remote MCP endpoint with:
+
+- HTTPS transport
+- OAuth 2.0 authentication for authenticated use
+- tool annotations, including titles and read/write hints
+- public docs, privacy policy, support contact, and reviewer test account
+- security, data handling, and launch-readiness checklist answers
+
+Do not submit the local `apex-mcp` stdio server as a remote connector until that hosted endpoint exists.
+
+## OpenAI / Codex Public Distribution
+
+The package includes a Codex plugin manifest and local marketplace catalog for development and testing. OpenAI's self-serve Codex Plugin Directory publishing is not generally available yet. Public OpenAI distribution currently requires the Apps SDK review path for an app/remote MCP integration, which needs:
+
+- a hosted app or remote MCP server
+- MCP Inspector and ChatGPT Developer Mode testing
+- org owner or admin submission
+- app icon, category, legal entity, privacy policy, terms, support contact, and risk profile
+
+Attach the OpenAI submission or approved listing URL to APEX-161 when that review path is complete.

package/README.md

@@ -292,6 +292,34 @@ For Codex-style clients, the packaged skill can be installed with `apex setup co
 
 For Claude Code, the packaged project skill can be installed into the current repository with `apex setup claude`. The repo-local source lives at `.claude/skills/apex-cli/SKILL.md`. Anthropic documents project skills as filesystem directories under `.claude/skills/<name>/SKILL.md`, and the Claude Agent SDK uses the same location when the `Skill` tool is enabled.
 
+## Plugin And Marketplace Packaging
+
+The npm package also includes marketplace-ready plugin artifacts:
+
+- `.codex-plugin/plugin.json` and `.mcp.codex.json` for Codex plugin installs
+- `.claude-plugin/plugin.json` and `.mcp.claude.json` for Claude Code plugin installs
+- `.claude-plugin/marketplace.json` for a Claude marketplace entry backed by the public npm package
+
+These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.6 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
+
+The repository also includes `.agents/plugins/marketplace.json` for local Codex marketplace testing from a checkout.
+
+For local Claude validation:
+
+```bash
+claude plugin validate .
+claude plugin marketplace add ./ --scope local
+claude plugin install apex-cli@cantina-tools --scope local
+```
+
+For local Codex validation, add this repo as a local marketplace, then install `apex-cli` from the `Cantina Tools` marketplace in the Codex plugin directory:
+
+```bash
+codex plugin marketplace add ./
+```
+
+See `MARKETPLACE.md` for the official Claude, Anthropic Connectors Directory, and OpenAI/Codex submission checklist. The local stdio MCP server is plugin-ready, but remote marketplace submissions still require the external review steps documented there.
+
 ## Development Notes
 
 The CLI uses the Apex `/api/cli/v2/**` local-source routes for scan planning and snapshot uploads, with legacy `/api/cli/v1/**` routes still used for provider-backed flows such as audit scans. Local state is stored under:

package/dist/args.js

@@ -41,6 +41,12 @@ export function isJsonMode(flags) {
 export function isNonInteractive(flags) {
     return flags["non-interactive"] === true;
 }
+export function canPromptInteractively(flags) {
+    return (!isJsonMode(flags) &&
+        !isNonInteractive(flags) &&
+        process.stdin.isTTY === true &&
+        process.stdout.isTTY === true);
+}
 export function getFlagString(flags, key) {
     const value = flags[key];
     return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;

package/dist/commands.js

@@ -1,4 +1,4 @@
-import { getFlagList, getFlagString, isJsonMode, isNonInteractive } from "./args.js";
+import { canPromptInteractively, getFlagList, getFlagString, isJsonMode, } from "./args.js";
 import { logout } from "./auth.js";
 import { ApiError } from "./api-client.js";
 import { openInBrowser } from "./browser.js";
@@ -341,7 +341,7 @@ async function maybePersistFindingSelectionBinding(params) {
     return nextBinding;
 }
 function canPromptForConfirmation(flags) {
-    return !isNonInteractive(flags) && process.stdin.isTTY && process.stdout.isTTY;
+    return canPromptInteractively(flags);
 }
 async function findFallbackActiveScan(client, binding) {
     if (!binding?.lastScanId) {
@@ -572,7 +572,7 @@ export async function commandScan(client, cwd, flags) {
             throw new Error("Workspace resolution did not return a workspaceId.");
         }
         if (legacyResolve.missing.length > 0) {
-            if (isNonInteractive(flags)) {
+            if (!canPromptInteractively(flags)) {
                 throw new Error(`PR scans require connected provider access for ${formatMissingProviderConnections(legacyResolve.missing)}. Re-run interactively or pre-connect providers.`);
             }
             await remediateMissingConnections(legacyResolve.missing, flags);

package/dist/session.js

@@ -1,5 +1,5 @@
 import path from "node:path";
-import { getFlagList, getFlagString, isJsonMode, isNonInteractive } from "./args.js";
+import { canPromptInteractively, getFlagList, getFlagString, isJsonMode, } from "./args.js";
 import { login } from "./auth.js";
 import { ApiError } from "./api-client.js";
 import { openInBrowser } from "./browser.js";
@@ -37,10 +37,13 @@ export async function chooseCompany(me, flags, binding) {
             throw new Error(`Unknown company: ${requested}`);
         }
     }
+    if (me.companies.length === 0) {
+        throw new Error("No Apex companies are available for this account.");
+    }
     if (me.companies.length === 1) {
         return me.companies[0];
     }
-    if (isNonInteractive(flags)) {
+    if (!canPromptInteractively(flags)) {
         throw new Error("Multiple companies available. Re-run with --company <id-or-handle>.");
     }
     const selected = await chooseOne("Select the Apex company to use for this directory:", me.companies.map((company) => ({
@@ -60,12 +63,21 @@ async function chooseWorkspaceName(cwd, flags, binding) {
         return binding.workspaceName;
     }
     const suggested = path.basename(cwd);
-    if (isNonInteractive(flags)) {
+    if (!canPromptInteractively(flags)) {
         return suggested;
     }
     const chosen = await promptText("Workspace name to use in Apex for this directory (press Enter to use the current folder name)", suggested);
     return chosen.trim().length > 0 ? chosen.trim() : suggested;
 }
+function selectBindingForWorkspaceName(flags, binding, workspaceName) {
+    const explicit = getFlagString(flags, "workspace-name");
+    if (!explicit || !binding) {
+        return binding;
+    }
+    return binding.workspaceName.trim().toLowerCase() === workspaceName.trim().toLowerCase()
+        ? binding
+        : null;
+}
 function getSourceMode(flags) {
     const value = getFlagString(flags, "source-mode");
     return value === "remote" || value === "local" ? value : "auto";
@@ -127,9 +139,10 @@ export async function resolveWorkspace(client, cwd, me, flags) {
     return resolveWorkspaceSelection(client, selection);
 }
 export async function selectWorkspaceTarget(cwd, me, flags) {
-    const binding = await loadWorkspaceBinding(cwd);
-    const company = await chooseCompany(me, flags, binding);
-    const workspaceName = await chooseWorkspaceName(cwd, flags, binding);
+    const loadedBinding = await loadWorkspaceBinding(cwd);
+    const company = await chooseCompany(me, flags, loadedBinding);
+    const workspaceName = await chooseWorkspaceName(cwd, flags, loadedBinding);
+    const binding = selectBindingForWorkspaceName(flags, loadedBinding, workspaceName);
     const sourceSelection = getFlagList(flags, "repo");
     const discovered = await discoverSources(cwd, sourceSelection);
     if (discovered.sources.length === 0) {
@@ -218,7 +231,7 @@ export async function remediateMissingConnections(missing, flags) {
     if (missing.length === 0) {
         return;
     }
-    if (isNonInteractive(flags)) {
+    if (!canPromptInteractively(flags)) {
         throw new Error("Missing provider connections. Re-run interactively or pre-connect providers.");
     }
     for (const item of missing) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cantinasecurity/apex-cli",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Standalone CLI and MCP server for Apex.",
   "private": false,
   "type": "module",
@@ -12,10 +12,15 @@
     "apex-mcp": "./pkg-bin/apex-mcp.js"
   },
   "files": [
+    ".claude-plugin",
+    ".codex-plugin",
+    ".mcp.claude.json",
+    ".mcp.codex.json",
     "dist",
     "pkg-bin",
     "skills",
     ".claude/skills",
+    "MARKETPLACE.md",
     "README.md"
   ],
   "engines": {