@cantinasecurity/apex-cli 0.1.6 → 0.1.10

package/.claude/skills/apex-cli/SKILL.md

@@ -28,7 +28,7 @@ If the Apex MCP server is not configured, fall back to the local CLI:
 - Prefer scripted commands over the interactive shell.
 - Use `--non-interactive` and `--no-open` for automation-friendly CLI calls.
 - Use `--json` whenever structured output is helpful.
-- `apex credits` reports standard credits and audit scan entitlements when Bedrock returns both balances.
+- `apex credits` reports standard credits plus audit and fix review scan entitlements when Bedrock returns those balances.
 - Work from the target repository directory so Apex can resolve `.apex/workspace.json`.
 - `apex scan` scans the current working directory by default; pass `--repo` only when the user asks to scan explicit alternate roots.
 - `apex-doctor` reports whether Apex will use remote materialization or a local snapshot upload for each selected source.
@@ -37,7 +37,8 @@ If the Apex MCP server is not configured, fall back to the local CLI:
 - PR scans use `--mode pr --pr <number>` in CLI calls, or `mode: "pr"` with `pullRequests` in MCP. They require one provider-backed GitHub repository.
 - `apex-workspace-use` accepts a workspace name, prefix, or ID.
 - Use `sourceMode: "remote"` only when the user explicitly wants to forbid local snapshot fallbacks.
-- Finding comments, feedback, and fix review scan starts currently require `CANTINA_AUTH_TOKEN` in the MCP server environment because those writes go through the Cantina web-app routes instead of the Apex CLI bearer-token routes.
+- When checking a scan that is not the workspace binding's latest scan, pass `scanId` to `apex-status`; use `apex scans` or `apex-scans` first if you need to discover scan IDs.
+- Finding comments, feedback, and fix review scan starts use the same Apex device-login credentials as read tools. If a write tool reports missing auth, re-run `apex-auth-status` and complete `apex-auth-start` / `apex-auth-wait` instead of asking for browser cookies or auth tokens.
 - Invalid finding feedback requires `dismissalReason`; valid feedback can include `suggestedSeverity`, including `extreme`.
 - Fix PR callback feedback requires valid feedback with `labels: ["fixed"]` and `fixPrUrls`; start the fix review scan with `apex-finding-fix-review` after saving that feedback.
 - Finding identifiers such as `KERN2-25` resolve against the selected or latest scan for the current workspace binding. Pass an explicit `scanId` when needed, or use the finding UUID directly.
@@ -46,7 +47,7 @@ If the Apex MCP server is not configured, fall back to the local CLI:
 
 - Start a scan for the current repository or directory: run `apex-doctor`, bind a workspace if needed, then call `apex-scan`.
 - Start a PR scan: call `apex-scan` with `mode: "pr"` and `pullRequests`.
-- Check an active scan: call `apex-status`, then `apex-findings` when the scan completes.
+- Check an active scan: call `apex-status`, passing `scanId` when the scan is not the latest binding, then `apex-findings` when the scan completes.
 - Export findings for review: call `apex-export-findings` with `format` set to `markdown`, `json`, or `gitlab-sast`.
 - Leave review feedback: call `apex-finding-comment` to add a note, or `apex-finding-feedback` with `status` set to `valid` or `invalid`.
 - Add a Fix PR and run fix review: call `apex-finding-feedback` with `status: "valid"`, `labels: ["fixed"]`, and `fixPrUrls`, then call `apex-finding-fix-review`.

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Cantina agent plugins for security review workflows.",
-    "version": "0.1.6"
+    "version": "0.1.10"
   },
   "plugins": [
     {
@@ -14,10 +14,10 @@
       "source": {
         "source": "npm",
         "package": "@cantinasecurity/apex-cli",
-        "version": "0.1.6"
+        "version": "0.1.10"
       },
       "description": "Run Apex security scans and review findings from Claude Code.",
-      "version": "0.1.6",
+      "version": "0.1.10",
       "author": {
         "name": "Cantina",
         "email": "support@cantina.xyz"

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "apex-cli",
-  "version": "0.1.6",
+  "version": "0.1.10",
   "description": "Run Apex security scans and review findings from Claude Code.",
   "author": {
     "name": "Cantina",

package/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "apex-cli",
-  "version": "0.1.6",
+  "version": "0.1.10",
   "description": "Run Apex security scans and review findings from Codex.",
   "author": {
     "name": "Cantina",

package/.mcp.claude.json

@@ -5,7 +5,7 @@
       "args": [
         "-y",
         "-p",
-        "@cantinasecurity/apex-cli@0.1.6",
+        "@cantinasecurity/apex-cli@0.1.10",
         "apex-mcp"
       ]
     }

package/.mcp.codex.json

@@ -4,7 +4,7 @@
     "args": [
       "-y",
       "-p",
-      "@cantinasecurity/apex-cli@0.1.6",
+      "@cantinasecurity/apex-cli@0.1.10",
       "apex-mcp"
     ]
   }

package/MARKETPLACE.md

@@ -13,7 +13,7 @@ This package is prepared as both a Claude Code plugin and a Codex plugin. The pu
 The plugin MCP configs launch the pinned npm CLI package with:
 
 ```bash
-npx -y -p @cantinasecurity/apex-cli@0.1.6 apex-mcp
+npx -y -p @cantinasecurity/apex-cli@0.1.10 apex-mcp
 ```
 
 That keeps marketplace installs independent of a user's global `apex` install.

package/README.md

@@ -19,15 +19,17 @@ apex setup
 
 `apex setup` is the lowest-friction path for agent clients. It:
 
-- registers Apex as an MCP server in any installed Codex and Claude Code CLIs
+- registers Apex as an MCP server in any installed Codex CLI, Claude Code, and GitHub Copilot CLI clients
 - installs the Codex skill into `$CODEX_HOME/skills/apex-cli`
 - installs the Claude project skill into `.claude/skills/apex-cli` in the current repository
+- installs the GitHub Copilot CLI skill into `$COPILOT_HOME/skills/apex-cli` or `~/.copilot/skills/apex-cli`
 
 If you only want one client, run:
 
 ```bash
 apex setup codex
 apex setup claude
+apex setup copilot
 ```
 
 If one client is not installed yet, `apex setup` skips it automatically. If you target a client explicitly, its CLI must already be installed.
@@ -109,7 +111,7 @@ Supported shell commands:
 - `/export [scan-id]`
 - `/workspaces`
 - `/cancel-scan [scan-id]`
-- `/status`
+- `/status [scan-id]`
 - `/doctor`
 - `/update`
 - `/logout`
@@ -142,11 +144,11 @@ Supported shell commands:
 - `apex workspace`
 - `apex workspace use <workspace-name|workspace-prefix|workspace-id>`
 - `apex cancel-scan [scan-id]`
-- `apex status`
+- `apex status [--scan <scan-id>]`
 - `apex doctor`
 - `apex login`
 - `apex logout`
-- `apex setup [all|codex|claude]`
+- `apex setup [all|codex|claude|copilot]`
 - `apex update`
 - `apex connect github`
 - `apex connect gitlab`
@@ -156,7 +158,7 @@ Helpful workspace flags:
 - `--company <id-or-handle>` to choose the Apex company when more than one is available
 - `--workspace-name <name>` to set the Apex workspace name for this directory
 
-`apex credits` shows standard scan credits plus audit scan entitlements when the server returns them.
+`apex credits` shows standard scan credits plus audit and fix review scan entitlements when the server returns them.
 
 ## Finding Review Feedback
 
@@ -174,7 +176,7 @@ Finding review collaboration now has explicit write commands:
 
 Identifiers such as `KERN2-25` are resolved against the selected or latest scan for the current workspace binding. Pass `--scan <scan-id>` when you need a specific scan, or pass the finding UUID directly to skip workspace-based resolution.
 
-Finding comments, valid/invalid feedback, and fix review scan starts currently require a Cantina web session token in `CANTINA_AUTH_TOKEN`. Set it to the value of your logged-in `auth_token` cookie before using the write commands or the corresponding MCP tools.
+Finding comments, valid/invalid feedback, and fix review scan starts use the same Apex login credentials as read commands. In MCP clients, `apex-auth-start` followed by `apex-auth-wait` is enough to authenticate these write tools.
 
 Invalid feedback requires a dismissal reason. Valid feedback can include `--suggested-severity extreme|critical|high|medium|low|informational`.
 
@@ -185,10 +187,7 @@ Fix review scans use a two-step callback flow for agents that create a PR outsid
 
 The matching MCP flow is `apex-finding-feedback` with `status: "valid"`, `labels: ["fixed"]`, and `fixPrUrls`, followed by `apex-finding-fix-review`.
 
-This is intentionally documented as a separate auth requirement because the current Apex read APIs and finding review write APIs do not accept the same credentials:
-
-- read operations such as `apex findings`, `apex export findings`, and `apex-findings` use the Apex CLI device-login bearer token
-- finding comments and feedback currently go through the Cantina web-app routes and require `CANTINA_AUTH_TOKEN`
+The matching CLI and MCP flows intentionally use the same device-login session so agents should not ask users to paste browser cookies or auth tokens.
 
 ## Local Source Scans
 
@@ -222,7 +221,7 @@ If Apex is installed globally, prefer:
 apex setup
 ```
 
-That registers Apex for installed Codex and Claude Code clients automatically.
+That registers Apex for installed Codex CLI, Claude Code, and GitHub Copilot CLI clients automatically.
 
 If you want to wire clients manually instead, Apex ships a stable `apex-mcp` binary. For Codex:
 
@@ -236,6 +235,12 @@ For Claude Code:
 claude mcp add --scope user apex -- apex-mcp
 ```
 
+For GitHub Copilot CLI:
+
+```bash
+copilot mcp add apex --type stdio --tools "*" -- apex-mcp
+```
+
 For any other MCP client, configure it to launch:
 
 ```json
@@ -288,7 +293,7 @@ The MCP server exposes Apex-specific tools for:
 
 For repository-scoped operations, pass `cwd` explicitly so the server can resolve the right `.apex/workspace.json` binding and repository roots.
 
-For Codex-style clients, the packaged skill can be installed with `apex setup codex`. The repo-local source lives at `skills/apex-cli/SKILL.md`.
+For Codex-style clients, the packaged skill can be installed with `apex setup codex`. For GitHub Copilot CLI, the same skill is installed into `~/.copilot/skills/apex-cli` with `apex setup copilot`. The repo-local source lives at `skills/apex-cli/SKILL.md`.
 
 For Claude Code, the packaged project skill can be installed into the current repository with `apex setup claude`. The repo-local source lives at `.claude/skills/apex-cli/SKILL.md`. Anthropic documents project skills as filesystem directories under `.claude/skills/<name>/SKILL.md`, and the Claude Agent SDK uses the same location when the `Skill` tool is enabled.
 
@@ -300,7 +305,7 @@ The npm package also includes marketplace-ready plugin artifacts:
 - `.claude-plugin/plugin.json` and `.mcp.claude.json` for Claude Code plugin installs
 - `.claude-plugin/marketplace.json` for a Claude marketplace entry backed by the public npm package
 
-These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.6 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
+These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.10 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
 
 The repository also includes `.agents/plugins/marketplace.json` for local Codex marketplace testing from a checkout.
 
@@ -328,11 +333,11 @@ The CLI uses the Apex `/api/cli/v2/**` local-source routes for scan planning and
 - `~/.config/apex/credentials.json`
 - `.apex/workspace.json`
 
-If a scan is already running in the current workspace, `apex scan` and `/scan` now require confirmation before starting another one. Scripted usage can opt in explicitly with `--force`.
+If a scan is already running in the current workspace, `apex scan` and `/scan` now require confirmation before starting another one. Scripted usage can opt in explicitly with `--force`. Active-looking workspace scan rows are checked against the scan progress endpoint before the CLI treats them as blockers, so stale list entries do not hide terminal states such as `cancelled`.
 
 To move between existing Apex workspaces from the CLI:
 
 1. Run `apex workspaces` to list the workspaces available to your active company.
 2. Run `apex workspace use <workspace-name|workspace-prefix|workspace-id>` to bind the current directory.
 3. If the workspace name contains spaces, quote it, for example `apex workspace use "Core Platform"`.
-4. Use `apex scans`, `apex findings`, and `apex export findings` against that binding.
+4. Use `apex scans`, `apex status --scan <scan-id>`, `apex findings`, and `apex export findings` against that binding.

package/dist/api-client.js

@@ -45,6 +45,10 @@ export class ApexApiClient {
     async getCredentials() {
         return loadCredentials();
     }
+    async getAccessToken() {
+        const credentials = await this.refreshIfNeeded().catch(() => null);
+        return credentials?.accessToken ?? null;
+    }
     async clearCredentials() {
         await clearCredentials();
     }

package/dist/commands.js

@@ -3,11 +3,11 @@ import { logout } from "./auth.js";
 import { ApiError } from "./api-client.js";
 import { openInBrowser } from "./browser.js";
 import { loadConfig, saveConfig } from "./config.js";
-import { createFindingComment, fetchScanExport, fetchScanFindings, isFindingUuid, normalizeFindingRef, requireCantinaAuthToken, resolveFindingSelection, resolveScanSelection, startFindingFixReviewScan, submitFindingFeedback, } from "./findings.js";
+import { createFindingComment, fetchScanExport, fetchScanFindings, isFindingUuid, normalizeFindingRef, resolveFindingSelection, resolveScanSelection, startFindingFixReviewScan, submitFindingFeedback, } from "./findings.js";
 import { prepareExplicitScanSources, supportsLegacyRemoteFlow, } from "./local-source-scan.js";
 import { logLine, printJson, withLoadingIndicator } from "./output.js";
 import { confirm } from "./prompt.js";
-import { cancelScan, fetchWorkspaceScans, findMostRelevantActiveScan, getScanDisplayLabel, getScanDisplayId, getTrackedScanId, isActiveScanStatus, matchesScanId, selectDefaultScanToCancel, } from "./scan.js";
+import { cancelScan, fetchScanProgress, fetchWorkspaceScans, findMostRelevantActiveScan, getScanDisplayLabel, getScanDisplayId, getTrackedScanId, isActiveScanStatus, matchesScanId, selectDefaultScanToCancel, } from "./scan.js";
 import { chooseCompany, createWorkspaceBinding, ensureAuthenticated, remediateMissingConnections, resolveWorkspaceSelection, resolveWorkspaceSelectionLegacy, resolveWorkspaceAllowingMissingConnections, selectWorkspaceTarget, } from "./session.js";
 import { createWorkspaceBindingFromSummary, fetchCompanyCredits, fetchCompanyWorkspaces, findWorkspaceByRef, } from "./workspaces.js";
 import { loadWorkspaceBinding, saveWorkspaceBinding } from "./workspace-binding.js";
@@ -81,6 +81,29 @@ function formatAuditScanBalance(scanBalance) {
     }
     return `Audit scans: ${detailParts.join(", ")}`;
 }
+function formatFixReviewScanBalance(scanBalance) {
+    const purchased = getOptionalCount(scanBalance.fixReviewPurchased);
+    const used = getOptionalCount(scanBalance.fixReviewUsed);
+    const remaining = getOptionalCount(scanBalance.fixReviewRemaining);
+    const available = getOptionalCount(scanBalance.fixReviewAvailable) ??
+        remaining ??
+        (purchased !== null && used !== null ? Math.max(0, purchased - used) : null);
+    if (purchased === null && used === null && available === null) {
+        return null;
+    }
+    const detailParts = [];
+    if (purchased !== null) {
+        detailParts.push(`${purchased} purchased`);
+    }
+    if (used !== null) {
+        detailParts.push(`${used} used`);
+    }
+    if (available !== null) {
+        const detailSuffix = detailParts.length ? ` (${detailParts.join(", ")})` : "";
+        return `Fix review scans: ${available} available${detailSuffix}`;
+    }
+    return `Fix review scans: ${detailParts.join(", ")}`;
+}
 function normalizeRequestedScanMode(value) {
     if (value === "ultra" || value === "audit") {
         return "audit";
@@ -450,6 +473,14 @@ export async function commandCredits(client, cwd, flags) {
     if (redeemableAuditScans && redeemableAuditScans > 0) {
         logLine(`Redeemable audit scans from standard credits: ${redeemableAuditScans}`, flags);
     }
+    const fixReviewBalance = formatFixReviewScanBalance(payload.scanBalance);
+    if (fixReviewBalance) {
+        logLine(fixReviewBalance, flags);
+    }
+    const redeemableFixReviewScans = getOptionalCount(payload.scanBalance.fixReviewRedeemableFromCredits);
+    if (redeemableFixReviewScans && redeemableFixReviewScans > 0) {
+        logLine(`Redeemable fix review scans from standard credits: ${redeemableFixReviewScans}`, flags);
+    }
     logLine(`Scans enabled: ${payload.scansEnabled ? "yes" : "no"}`, flags);
     return payload;
 }
@@ -507,24 +538,26 @@ export async function commandDoctor(client, cwd, flags) {
 export async function commandStatus(client, cwd, flags) {
     await ensureAuthenticated(client, flags);
     const binding = await requireWorkspaceBinding(cwd);
-    if (!binding.lastScanId) {
+    const requestedScanId = getFlagString(flags, "scan");
+    const scanId = requestedScanId ?? binding.lastScanId;
+    if (!scanId) {
         throw new Error("No scan has been started from this directory yet. Run `apex scan` first.");
     }
-    const progress = await withLoadingIndicator("Loading scan status...", flags, () => client.request(`/api/cli/v1/scans/${binding.lastScanId}/progress`));
+    const progress = await withLoadingIndicator("Loading scan status...", flags, () => fetchScanProgress(client, scanId));
     if (isJsonMode(flags)) {
-        printJson({ binding, progress });
-        return { binding, progress };
+        printJson({ binding, scanId, progress });
+        return { binding, scanId, progress };
     }
     logLine(`Workspace: ${binding.workspaceName}`, flags);
-    logLine(`Scan: ${binding.lastScanId}`, flags);
+    logLine(`Scan: ${scanId}`, flags);
     logLine(`Status: ${progress.progress?.status ?? "unknown"}`, flags);
     if (typeof progress.progress?.progressPct === "number") {
         logLine(`Progress: ${progress.progress.progressPct}%`, flags);
     }
-    if (binding.lastScanUrl) {
+    if (binding.lastScanUrl && (!requestedScanId || requestedScanId === binding.lastScanId)) {
         logLine(`View: ${binding.lastScanUrl}`, flags);
     }
-    return { binding, progress };
+    return { binding, scanId, progress };
 }
 export async function commandConnect(client, cwd, flags, provider) {
     const me = await ensureAuthenticated(client, flags);
@@ -923,7 +956,6 @@ export async function commandFindingComment(client, cwd, flags, requestedFinding
     if (!trimmedContent) {
         throw new Error("Usage: apex findings comment <finding-id|finding-identifier> --content \"<markdown>\"");
     }
-    requireCantinaAuthToken();
     const currentBinding = await loadWorkspaceBinding(cwd);
     const needsWorkspaceResolution = !isFindingUuid(findingRef);
     const binding = needsWorkspaceResolution
@@ -998,7 +1030,6 @@ export async function commandFindingFeedback(client, cwd, flags, params) {
     if (fixPrUrls.length > 0 && labels?.[0] !== "fixed") {
         throw new Error("Fix PR URLs require the fixed feedback label.");
     }
-    requireCantinaAuthToken();
     const currentBinding = await loadWorkspaceBinding(cwd);
     const needsWorkspaceResolution = !isFindingUuid(findingRef);
     const binding = needsWorkspaceResolution
@@ -1063,7 +1094,6 @@ export async function commandFindingFeedback(client, cwd, flags, params) {
 }
 export async function commandFindingFixReview(client, cwd, flags, requestedFindingRef) {
     const findingRef = normalizeFindingRefInput(requestedFindingRef);
-    requireCantinaAuthToken();
     const currentBinding = await loadWorkspaceBinding(cwd);
     const needsWorkspaceResolution = !isFindingUuid(findingRef);
     const binding = needsWorkspaceResolution

package/dist/findings.js

@@ -2,7 +2,7 @@ import { fetchWorkspaceScans, getScanDisplayId, matchesScanId, } from "./scan.js
 import { ApiError } from "./api-client.js";
 const FINDING_UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
 const CANTINA_AUTH_TOKEN_ENV = "CANTINA_AUTH_TOKEN";
-const CANTINA_AUTH_TOKEN_ERROR = "Finding comments, feedback, and fix review scans currently require `CANTINA_AUTH_TOKEN` from a logged-in Cantina/Apex browser session. Export `CANTINA_AUTH_TOKEN` and retry.";
+const FINDING_WRITE_AUTH_ERROR = "Finding comments, feedback, and fix review scans require Apex authentication. Run `apex login` or use MCP `apex-auth-start` followed by `apex-auth-wait`, then retry.";
 function parsePositiveInt(value) {
     if (!value)
         return null;
@@ -32,11 +32,8 @@ function normalizeCantinaAuthToken(value) {
     }
     return token.length > 0 ? token : null;
 }
-export function requireCantinaAuthToken() {
+export function getCantinaAuthToken() {
     const token = normalizeCantinaAuthToken(process.env[CANTINA_AUTH_TOKEN_ENV]);
-    if (!token) {
-        throw new Error(CANTINA_AUTH_TOKEN_ERROR);
-    }
     return token;
 }
 export function isFindingUuid(value) {
@@ -63,22 +60,68 @@ function matchesFindingRef(finding, findingRef) {
         .some((value) => value.trim().toLowerCase() === normalizedRef);
 }
 async function requestFindingAppRoute(client, path, options = {}) {
-    const token = requireCantinaAuthToken();
     const baseUrl = await client.getBaseUrl();
-    const headers = new Headers(options.headers ?? {});
-    // These routes still authenticate through the web app cookie, not Apex CLI bearer auth.
-    headers.set("Cookie", `auth_token=${token}`);
-    headers.set("Accept", "application/json");
-    if (options.json !== undefined) {
-        headers.set("Content-Type", "application/json");
-    }
-    const response = await fetch(new URL(path, baseUrl), {
-        ...options,
-        headers,
-        body: options.json !== undefined ? JSON.stringify(options.json) : options.body,
-    });
-    const body = await parseWebRouteResponse(response);
+    const accessToken = await client.getAccessToken();
+    const legacyCookieToken = getCantinaAuthToken();
+    let attemptedBearerAuth = false;
+    if (!accessToken && !legacyCookieToken) {
+        throw new Error(FINDING_WRITE_AUTH_ERROR);
+    }
+    const send = async (auth) => {
+        const headers = new Headers(options.headers ?? {});
+        headers.set("Accept", "application/json");
+        if (options.json !== undefined) {
+            headers.set("Content-Type", "application/json");
+        }
+        if (auth.type === "bearer") {
+            headers.set("Authorization", `Bearer ${auth.token}`);
+        }
+        else {
+            headers.set("Cookie", `auth_token=${auth.token}`);
+        }
+        return fetch(new URL(path, baseUrl), {
+            ...options,
+            headers,
+            body: options.json !== undefined ? JSON.stringify(options.json) : options.body,
+        });
+    };
+    const sendAndParse = async (auth) => {
+        if (auth.type === "bearer") {
+            attemptedBearerAuth = true;
+        }
+        const response = await send(auth);
+        const body = await parseWebRouteResponse(response);
+        return { response, body };
+    };
+    const primaryAuth = accessToken
+        ? { type: "bearer", token: accessToken }
+        : { type: "cookie", token: legacyCookieToken };
+    let { response, body } = await sendAndParse(primaryAuth);
+    if (!response.ok && response.status === 401 && primaryAuth.type === "bearer") {
+        const refreshedToken = await client
+            .refreshSession()
+            .then((credentials) => credentials?.accessToken ?? null)
+            .catch(() => null);
+        if (refreshedToken) {
+            ({ response, body } = await sendAndParse({
+                type: "bearer",
+                token: refreshedToken,
+            }));
+        }
+    }
+    if (!response.ok && response.status === 401 && primaryAuth.type === "bearer" && legacyCookieToken) {
+        ({ response, body } = await sendAndParse({
+            type: "cookie",
+            token: legacyCookieToken,
+        }));
+    }
     if (!response.ok) {
+        if (response.status === 401) {
+            if (attemptedBearerAuth) {
+                await client.clearCredentials();
+            }
+            throw new Error(FINDING_WRITE_AUTH_ERROR);
+        }
         throw new ApiError(`Request failed with ${response.status}`, response.status, body);
     }
     return body;

package/dist/help.js

@@ -1,6 +1,6 @@
 export const CLI_HELP_TEXT = `Usage:
   apex                              Open the interactive Apex shell
-  apex credits                      Show scan credits and audit scan entitlements for the active company
+  apex credits                      Show scan credits plus audit and fix review scan entitlements for the active company
   apex scan                         Create or resolve a workspace for this directory and start a scan
   apex scans                        List scans for the current workspace binding
   apex findings                     List findings for the latest or selected scan
@@ -16,12 +16,13 @@ export const CLI_HELP_TEXT = `Usage:
   apex workspace use <workspace-name|workspace-prefix|workspace-id>
                                     Bind this directory to an existing Apex workspace
   apex cancel-scan [scan-id]        Cancel a running scan
-  apex status                       Show the latest scan progress for this directory
+  apex status                       Show progress for the latest or selected scan
   apex doctor                       Validate auth, repos, connections, and workspace binding
   apex login                        Sign in to Apex
   apex logout                       Sign out locally
   apex mcp                          Start the Apex MCP server over stdio
-  apex setup [all|codex|claude]     Configure Apex for Codex and Claude Code
+  apex setup [all|codex|claude|copilot]
+                                    Configure Apex for Codex, Claude Code, and GitHub Copilot CLI
   apex update                       Update the local Apex CLI install
   apex connect github               Open the GitHub connection flow
   apex connect gitlab               Open the GitLab connection flow
@@ -29,7 +30,7 @@ export const CLI_HELP_TEXT = `Usage:
 Flags:
   --company <id-or-handle>          Choose the Apex company to use
   --workspace-name <name>           Set the Apex workspace name for this directory
-  --scan <scan-id>                  Select a specific scan for findings or export
+  --scan <scan-id>                  Select a specific scan for status, findings, or export
   --status valid|invalid            Set the finding feedback status explicitly
   --content <markdown>              Supply comment content for apex findings comment
   --comment <markdown>              Supply rationale for apex findings feedback
@@ -61,7 +62,7 @@ Tips:
   PR scans require --mode pr and at least one --pr selection for a GitHub repository.
   audit is the current scan mode for audit scans; ultra remains accepted as a legacy alias.
   apex workspace use accepts a workspace name, prefix, or ID.
-  Finding comments, feedback, and fix review scans currently require CANTINA_AUTH_TOKEN from a logged-in Cantina/Apex browser session.
+  Finding comments, feedback, and fix review scans use the same Apex login credentials as other CLI commands.
   Invalid finding feedback requires --dismissal-reason.
   Fix review scans require valid feedback with --label fixed and at least one --fix-pr-url, then apex findings fix-review.
   Finding identifiers such as KERN2-25 resolve against the selected scan; pass --scan or use the finding UUID directly when needed.
@@ -71,7 +72,7 @@ Tips:
 export const SHELL_HELP_TEXT = `Press Tab to autocomplete commands and common arguments.
 
 Commands:
-  /credits                Show scan credits and audit scan entitlements for the active company
+  /credits                Show scan credits plus audit and fix review scan entitlements for the active company
   /scan [standard|audit]  Start a new Apex scan for this workspace
   /scan pr <pr-number>    Start a PR scan for this workspace
   /scans                  List scans for this workspace
@@ -87,7 +88,7 @@ Commands:
   /export [scan-id]       Export findings for the latest or selected scan
   /workspaces             List accessible workspaces for the active company
   /cancel-scan [scan-id]  Cancel a running or most recent scan
-  /status                 Show progress for the most recent scan
+  /status [scan-id]       Show progress for the most recent or selected scan
   /doctor                 Validate auth, repos, connections, and workspace binding
   /update                 Update the local Apex CLI install and exit the shell
   /logout                 Sign out locally and exit the shell
@@ -107,7 +108,7 @@ Tips:
   PR scans require a GitHub PR number and provider-backed repository access.
   audit is the current scan mode for audit scans; ultra remains accepted as a legacy alias.
   /workspace use accepts a workspace name, prefix, or ID.
-  /findings comment, /findings feedback, and /findings fix-review require CANTINA_AUTH_TOKEN in the shell environment.
+  /findings comment, /findings feedback, and /findings fix-review use the current Apex login.
   Invalid finding feedback requires a dismissal reason.
   Fix review scans require fixed valid feedback with a Fix PR URL. Use scripted CLI or MCP for attaching Fix PR URLs.
   Use scripted CLI flags for advanced feedback options such as suggested severity or dismissal reason.

package/dist/mcp.js

@@ -22,6 +22,7 @@ Suggested workflow:
 Notes:
 - Pass cwd explicitly for repository-specific operations.
 - Tool calls are always non-interactive and never auto-open a browser.
+- Finding write tools use the same Apex device-login credentials as read tools.
 - Use mode "audit" for audit scans; "ultra" remains accepted as a legacy alias. Use mode "pr" for GitHub pull request scans.
 - Doctor reports whether Apex will use remote materialization or a local snapshot upload for each source.`;
 const WORKSPACE_BINDING_ERROR = "This directory is not bound to an Apex workspace yet. Run `apex workspaces` to list workspace names, prefixes, and IDs, then bind one with `apex workspace use \"<workspace name>\"`, or run `apex scan` to create or resolve one automatically.";
@@ -270,7 +271,7 @@ function registerTools(server) {
     }, (value) => `Apex doctor completed for ${String(value.cwd)}.`));
     server.registerTool("apex-credits", {
         title: "Get Apex Credits",
-        description: "Show scan credits and audit scan entitlements for the active or selected company.",
+        description: "Show scan credits plus audit and fix review scan entitlements for the active or selected company.",
         inputSchema: {
             cwd: z.string().optional(),
             company: z.string().optional(),
@@ -380,15 +381,16 @@ function registerTools(server) {
     }, (value) => `Started an Apex scan for ${String(value.cwd)}.`));
     server.registerTool("apex-status", {
         title: "Get Apex Scan Status",
-        description: "Show progress for the most recent Apex scan in a directory.",
+        description: "Show progress for the most recent or selected Apex scan in a directory.",
         inputSchema: {
             cwd: z.string().optional(),
+            scanId: z.string().optional(),
         },
-    }, async ({ cwd }) => runTool("apex-status", async () => {
+    }, async ({ cwd, scanId }) => runTool("apex-status", async () => {
         const client = new ApexApiClient();
         await requireAuthenticated(client);
         const targetCwd = resolveCwd(cwd);
-        const payload = await commandStatus(client, targetCwd, buildFlags({}));
+        const payload = await commandStatus(client, targetCwd, buildFlags({ scanId }));
         return {
             cwd: targetCwd,
             ...payload,
@@ -450,7 +452,7 @@ function registerTools(server) {
     }, (value) => `Fetched Apex findings for ${String(value.cwd)}.`));
     server.registerTool("apex-finding-comment", {
         title: "Add Apex Finding Comment",
-        description: "Add a comment or note to an Apex finding. Requires CANTINA_AUTH_TOKEN in the MCP server environment.",
+        description: "Add a comment or note to an Apex finding using the current Apex login.",
         inputSchema: {
             cwd: z.string().optional(),
             findingRef: z.string(),
@@ -471,7 +473,7 @@ function registerTools(server) {
     }, (value) => `Added a finding comment for ${String(value.findingRef)}.`));
     server.registerTool("apex-finding-feedback", {
         title: "Leave Apex Finding Feedback",
-        description: "Leave valid or invalid feedback on an Apex finding. To attach a fix PR, send status valid with label fixed and fixPrUrls. Requires CANTINA_AUTH_TOKEN in the MCP server environment.",
+        description: "Leave valid or invalid feedback on an Apex finding using the current Apex login. To attach a fix PR, send status valid with label fixed and fixPrUrls.",
         inputSchema: {
             cwd: z.string().optional(),
             findingRef: z.string(),
@@ -509,7 +511,7 @@ function registerTools(server) {
         "finding"))} feedback for ${String(value.findingRef)}.`));
     server.registerTool("apex-finding-fix-review", {
         title: "Start Apex Finding Fix Review Scan",
-        description: "Start a fix review scan for a finding after fixed feedback with one or more Fix PR URLs has been saved. Requires CANTINA_AUTH_TOKEN in the MCP server environment.",
+        description: "Start a fix review scan for a finding after fixed feedback with one or more Fix PR URLs has been saved.",
         inputSchema: {
             cwd: z.string().optional(),
             findingRef: z.string(),

package/dist/scan.js

@@ -121,6 +121,33 @@ export function normalizeWorkspaceScans(payload) {
 export function isActiveScanStatus(status) {
     return status ? ACTIVE_SCAN_STATUSES.has(status.trim().toLowerCase()) : false;
 }
+function mergeScanProgress(scan, progress) {
+    const status = readString(progress.progress?.status) ?? scan.status;
+    const startedAt = progress.progress?.startedAt ?? scan.startedAt;
+    const finishedAt = !isActiveScanStatus(status) && !scan.finishedAt
+        ? scan.updatedAt
+        : scan.finishedAt;
+    return {
+        ...scan,
+        kernelScanId: progress.kernelScanId ?? scan.kernelScanId,
+        status,
+        startedAt,
+        finishedAt,
+    };
+}
+async function reconcileActiveScanStatus(client, scan) {
+    if (!isActiveScanStatus(scan.status)) {
+        return scan;
+    }
+    let progress;
+    try {
+        progress = await fetchScanProgress(client, getScanDisplayId(scan));
+    }
+    catch {
+        return scan;
+    }
+    return mergeScanProgress(scan, progress);
+}
 export function findMostRelevantActiveScan(scans) {
     return scans.find((scan) => isActiveScanStatus(scan.status)) ?? null;
 }
@@ -148,7 +175,11 @@ export async function fetchWorkspaceScans(client, workspaceId) {
         { path: `/api/workspaces/${encodedWorkspaceId}/scans` },
         { path: `/api/scans?workspaceId=${encodedWorkspaceId}` },
     ]);
-    return normalizeWorkspaceScans(payload);
+    const scans = normalizeWorkspaceScans(payload);
+    return Promise.all(scans.map((scan) => reconcileActiveScanStatus(client, scan)));
+}
+export async function fetchScanProgress(client, scanId) {
+    return client.request(`/api/cli/v1/scans/${encodeURIComponent(scanId)}/progress`);
 }
 export async function cancelScan(client, scanId) {
     const encodedScanId = encodeURIComponent(scanId);

package/dist/setup.js

@@ -10,6 +10,7 @@ const PACKAGE_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)),
 const CODEX_SKILL_NAME = "apex-cli";
 const MCP_SERVER_NAME = "apex";
 const execFile = promisify(execFileCallback);
+const SETUP_CLIENTS = ["codex", "claude", "copilot"];
 function quoteShellArg(value) {
     return /[^A-Za-z0-9_./:-]/.test(value)
         ? `'${value.replace(/'/g, `'\\''`)}'`
@@ -73,9 +74,28 @@ function getCodexHome() {
     }
     return path.join(os.homedir(), ".codex");
 }
+function getCopilotHome() {
+    const configured = process.env.COPILOT_HOME?.trim();
+    if (configured) {
+        return configured;
+    }
+    return path.join(os.homedir(), ".copilot");
+}
 function normalizeArgs(value) {
     return Array.isArray(value) ? value.filter((item) => typeof item === "string") : [];
 }
+function normalizeTools(value) {
+    if (Array.isArray(value)) {
+        return value.filter((item) => typeof item === "string");
+    }
+    if (typeof value === "string") {
+        return value
+            .split(",")
+            .map((item) => item.trim())
+            .filter(Boolean);
+    }
+    return [];
+}
 function codexConfigMatches(existing, launch) {
     if (!existing?.transport) {
         return false;
@@ -92,6 +112,17 @@ function claudeConfigMatches(existing, launch) {
         JSON.stringify(normalizeArgs(existing.args)) === JSON.stringify(launch.args) &&
         normalizedEnv === 0);
 }
+function copilotConfigMatches(existing, launch) {
+    const env = existing?.env;
+    const normalizedEnv = env && typeof env === "object" && !Array.isArray(env) ? Object.keys(env).length : 0;
+    const normalizedTools = normalizeTools(existing?.tools);
+    return ((existing?.type === "stdio" || existing?.type === "local") &&
+        existing.command === launch.command &&
+        JSON.stringify(normalizeArgs(existing.args)) === JSON.stringify(launch.args) &&
+        normalizedEnv === 0 &&
+        normalizedTools.length === 1 &&
+        normalizedTools[0] === "*");
+}
 async function writeManagedFile(filePath, content) {
     const current = await readTextFile(filePath);
     if (current === content) {
@@ -127,6 +158,20 @@ async function readClaudeUserMcpConfig() {
         return null;
     }
 }
+async function readCopilotUserMcpConfig() {
+    const configPath = path.join(getCopilotHome(), "mcp-config.json");
+    const raw = await readTextFile(configPath);
+    if (!raw) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        return parsed.mcpServers?.[MCP_SERVER_NAME] ?? null;
+    }
+    catch {
+        return null;
+    }
+}
 async function configureCodex(launch) {
     const existing = await readCodexMcpConfig();
     const mcpStatus = existing === null
@@ -197,6 +242,49 @@ async function configureClaude(cwd, launch) {
         },
     ];
 }
+async function configureCopilot(launch) {
+    const existing = await readCopilotUserMcpConfig();
+    const mcpStatus = existing === null
+        ? "installed"
+        : copilotConfigMatches(existing, launch)
+            ? "unchanged"
+            : "updated";
+    if (existing) {
+        await execText("copilot", ["mcp", "remove", MCP_SERVER_NAME]);
+    }
+    await execText("copilot", [
+        "mcp",
+        "add",
+        MCP_SERVER_NAME,
+        "--type",
+        "stdio",
+        "--tools",
+        "*",
+        "--",
+        launch.command,
+        ...launch.args,
+    ]);
+    const skillSource = path.join(PACKAGE_ROOT, "skills", CODEX_SKILL_NAME, "SKILL.md");
+    const skillTarget = path.join(getCopilotHome(), "skills", CODEX_SKILL_NAME, "SKILL.md");
+    const skillContent = await readFile(skillSource, "utf8");
+    const skillStatus = await writeManagedFile(skillTarget, skillContent);
+    return [
+        {
+            client: "copilot",
+            kind: "mcp",
+            status: mcpStatus,
+            path: path.join(getCopilotHome(), "mcp-config.json"),
+            detail: `Registered ${MCP_SERVER_NAME} -> ${launch.label} in GitHub Copilot CLI user config`,
+        },
+        {
+            client: "copilot",
+            kind: "skill",
+            status: skillStatus,
+            path: skillTarget,
+            detail: "Installed the Apex GitHub Copilot CLI skill",
+        },
+    ];
+}
 function summarizeStep(step) {
     const prefix = `${step.client} ${step.kind}`;
     if (step.path) {
@@ -204,29 +292,51 @@ function summarizeStep(step) {
     }
     return `${prefix}: ${step.status}`;
 }
+function isSetupClient(value) {
+    return SETUP_CLIENTS.includes(value);
+}
+function displayClientName(client) {
+    switch (client) {
+        case "codex":
+            return "Codex";
+        case "claude":
+            return "Claude Code";
+        case "copilot":
+            return "GitHub Copilot CLI";
+    }
+}
+function isMissingClientError(error) {
+    return error instanceof Error && /spawn (codex|claude|copilot) ENOENT/i.test(error.message);
+}
+async function configureClient(client, cwd, launch) {
+    switch (client) {
+        case "codex":
+            return configureCodex(launch);
+        case "claude":
+            return configureClaude(cwd, launch);
+        case "copilot":
+            return configureCopilot(launch);
+    }
+}
 export async function commandSetup(cwd, flags, requestedTarget, packageRoot = PACKAGE_ROOT) {
-    if (requestedTarget !== null &&
-        requestedTarget !== "all" &&
-        requestedTarget !== "codex" &&
-        requestedTarget !== "claude") {
-        throw new Error("Usage: apex setup [all|codex|claude]");
+    if (requestedTarget !== null && requestedTarget !== "all" && !isSetupClient(requestedTarget)) {
+        throw new Error("Usage: apex setup [all|codex|claude|copilot]");
     }
     const target = requestedTarget ?? "all";
     const launch = await resolveMcpLaunchSpec(packageRoot);
     const steps = [];
-    const requestedClients = target === "all" ? ["codex", "claude"] : [target];
+    const requestedClients = target === "all" ? [...SETUP_CLIENTS] : [target];
     let configuredClients = 0;
     for (const client of requestedClients) {
         try {
-            const clientSteps = client === "codex" ? await configureCodex(launch) : await configureClaude(cwd, launch);
+            const clientSteps = await configureClient(client, cwd, launch);
             steps.push(...clientSteps);
             configuredClients += 1;
         }
         catch (error) {
-            const missingClient = error instanceof Error &&
-                /spawn (codex|claude) ENOENT/i.test(error.message);
+            const missingClient = isMissingClientError(error);
             if (missingClient && target !== "all") {
-                throw new Error(`${client === "codex" ? "Codex" : "Claude Code"} is not installed on this machine. Install it first, then re-run \`apex setup ${client}\`.`);
+                throw new Error(`${displayClientName(client)} is not installed on this machine. Install it first, then re-run \`apex setup ${client}\`.`);
             }
             if (!missingClient) {
                 throw error;
@@ -236,19 +346,19 @@ export async function commandSetup(cwd, flags, requestedTarget, packageRoot = PA
                 kind: "mcp",
                 status: "skipped",
                 path: null,
-                detail: `${client} is not installed on this machine`,
+                detail: `${displayClientName(client)} is not installed on this machine`,
             });
             steps.push({
                 client,
                 kind: "skill",
                 status: "skipped",
                 path: null,
-                detail: `${client} is not installed on this machine`,
+                detail: `${displayClientName(client)} is not installed on this machine`,
             });
         }
     }
     if (configuredClients === 0) {
-        throw new Error("Neither Codex nor Claude Code is installed. Install one of them first, then re-run `apex setup`.");
+        throw new Error("Neither Codex, Claude Code, nor GitHub Copilot CLI is installed. Install one of them first, then re-run `apex setup`.");
     }
     const payload = {
         target,
@@ -271,5 +381,8 @@ export async function commandSetup(cwd, flags, requestedTarget, packageRoot = PA
     if (requestedClients.includes("claude")) {
         logLine("Re-run `apex setup claude` in each repository where you want the Claude project skill.", flags);
     }
+    if (requestedClients.includes("copilot")) {
+        logLine("Restart GitHub Copilot CLI or run `/skills reload` to pick up a newly installed or updated skill.", flags);
+    }
     return payload;
 }

package/dist/shell.js

@@ -208,7 +208,13 @@ async function runShellCommand(client, cwd, parsed, shellFlags, session) {
             };
         }
         case "status":
-            await commandStatus(client, cwd, shellFlags);
+            if (parsed.args.length > 1) {
+                process.stderr.write("Usage: /status [scan-id]\n");
+                return {};
+            }
+            await commandStatus(client, cwd, parsed.args[0]
+                ? withFlag(shellFlags, "scan", parsed.args[0])
+                : shellFlags);
             return {};
         case "scans":
             await commandScans(client, cwd, shellFlags);

package/dist/update.js

@@ -456,7 +456,7 @@ export async function commandUpdate(flags, packageRoot = PACKAGE_ROOT) {
         printJson(payload);
     }
     else {
-        logLine("Apex CLI updated. Re-run `apex` to use the latest version. Re-run `apex setup` to refresh copied Codex or Claude skill files.", flags);
+        logLine("Apex CLI updated. Re-run `apex` to use the latest version. Re-run `apex setup` to refresh copied Codex, Claude Code, or GitHub Copilot CLI skill files.", flags);
     }
     return payload;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cantinasecurity/apex-cli",
-  "version": "0.1.6",
+  "version": "0.1.10",
   "description": "Standalone CLI and MCP server for Apex.",
   "private": false,
   "type": "module",

package/skills/apex-cli/SKILL.md

@@ -5,7 +5,7 @@ description: Use when a user wants to start Apex scans, inspect findings, bind w
 
 # Apex CLI
 
-This skill is bundled with Apex CLI and can be installed into Codex with `apex setup codex`.
+This skill is bundled with Apex CLI and can be installed into Codex with `apex setup codex` or GitHub Copilot CLI with `apex setup copilot`.
 
 Prefer the Apex MCP tools over running `apex` in the shell when the server is available.
 
@@ -24,7 +24,7 @@ Workflow:
 Guidelines:
 
 - Do not rely on interactive CLI prompts. The MCP tools are intentionally non-interactive.
-- `apex-credits` reports standard credits and audit scan entitlements when Bedrock returns both balances.
+- `apex-credits` reports standard credits plus audit and fix review scan entitlements when Bedrock returns those balances.
 - `apex-scan` scans the provided `cwd` by default; pass `repoPaths` only when the user asks to scan explicit alternate roots.
 - `apex-doctor` reports whether Apex will use remote materialization or a local snapshot upload for each selected source.
 - Apex can scan plain local directories and dirty git worktrees without provider connections by using local snapshot uploads.
@@ -33,8 +33,9 @@ Guidelines:
 - `apex-workspace-use` accepts a workspace name, prefix, or ID.
 - Use `sourceMode: "remote"` only when the user explicitly wants to forbid local snapshot fallbacks.
 - Use `force: true` on `apex-scan` only when the user explicitly wants to replace or overlap an active scan.
+- When checking a scan that is not the workspace binding's latest scan, pass `scanId` to `apex-status`; use `apex-scans` first if you need to discover scan IDs.
 - Prefer `apex-findings` for quick inspection and `apex-export-findings` when the user needs a file artifact.
-- Finding comments, feedback, and fix review scan starts currently require `CANTINA_AUTH_TOKEN` in the MCP server environment because those writes go through the Cantina web-app routes instead of the Apex CLI bearer-token routes.
+- Finding comments, feedback, and fix review scan starts use the same Apex device-login credentials as read tools. If a write tool reports missing auth, re-run `apex-auth-status` and complete `apex-auth-start` / `apex-auth-wait` instead of asking for browser cookies or auth tokens.
 - Invalid finding feedback requires `dismissalReason`; valid feedback can include `suggestedSeverity`, including `extreme`.
 - Fix PR callback feedback requires valid feedback with `labels: ["fixed"]` and `fixPrUrls`; start the fix review scan with `apex-finding-fix-review` after saving that feedback.
 - Finding identifiers such as `KERN2-25` resolve against the selected or latest scan for the current workspace binding. Pass an explicit scan when needed, or use the finding UUID directly.