@cantinasecurity/apex-cli 0.1.6 → 0.1.9

package/.claude/skills/apex-cli/SKILL.md

@@ -28,7 +28,7 @@ If the Apex MCP server is not configured, fall back to the local CLI:
 - Prefer scripted commands over the interactive shell.
 - Use `--non-interactive` and `--no-open` for automation-friendly CLI calls.
 - Use `--json` whenever structured output is helpful.
-- `apex credits` reports standard credits and audit scan entitlements when Bedrock returns both balances.
+- `apex credits` reports standard credits plus audit and fix review scan entitlements when Bedrock returns those balances.
 - Work from the target repository directory so Apex can resolve `.apex/workspace.json`.
 - `apex scan` scans the current working directory by default; pass `--repo` only when the user asks to scan explicit alternate roots.
 - `apex-doctor` reports whether Apex will use remote materialization or a local snapshot upload for each selected source.
@@ -37,7 +37,8 @@ If the Apex MCP server is not configured, fall back to the local CLI:
 - PR scans use `--mode pr --pr <number>` in CLI calls, or `mode: "pr"` with `pullRequests` in MCP. They require one provider-backed GitHub repository.
 - `apex-workspace-use` accepts a workspace name, prefix, or ID.
 - Use `sourceMode: "remote"` only when the user explicitly wants to forbid local snapshot fallbacks.
-- Finding comments, feedback, and fix review scan starts currently require `CANTINA_AUTH_TOKEN` in the MCP server environment because those writes go through the Cantina web-app routes instead of the Apex CLI bearer-token routes.
+- When checking a scan that is not the workspace binding's latest scan, pass `scanId` to `apex-status`; use `apex scans` or `apex-scans` first if you need to discover scan IDs.
+- Finding comments, feedback, and fix review scan starts use the same Apex device-login credentials as read tools. If a write tool reports missing auth, re-run `apex-auth-status` and complete `apex-auth-start` / `apex-auth-wait` instead of asking for browser cookies or auth tokens.
 - Invalid finding feedback requires `dismissalReason`; valid feedback can include `suggestedSeverity`, including `extreme`.
 - Fix PR callback feedback requires valid feedback with `labels: ["fixed"]` and `fixPrUrls`; start the fix review scan with `apex-finding-fix-review` after saving that feedback.
 - Finding identifiers such as `KERN2-25` resolve against the selected or latest scan for the current workspace binding. Pass an explicit `scanId` when needed, or use the finding UUID directly.
@@ -46,7 +47,7 @@ If the Apex MCP server is not configured, fall back to the local CLI:
 
 - Start a scan for the current repository or directory: run `apex-doctor`, bind a workspace if needed, then call `apex-scan`.
 - Start a PR scan: call `apex-scan` with `mode: "pr"` and `pullRequests`.
-- Check an active scan: call `apex-status`, then `apex-findings` when the scan completes.
+- Check an active scan: call `apex-status`, passing `scanId` when the scan is not the latest binding, then `apex-findings` when the scan completes.
 - Export findings for review: call `apex-export-findings` with `format` set to `markdown`, `json`, or `gitlab-sast`.
 - Leave review feedback: call `apex-finding-comment` to add a note, or `apex-finding-feedback` with `status` set to `valid` or `invalid`.
 - Add a Fix PR and run fix review: call `apex-finding-feedback` with `status: "valid"`, `labels: ["fixed"]`, and `fixPrUrls`, then call `apex-finding-fix-review`.

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Cantina agent plugins for security review workflows.",
-    "version": "0.1.6"
+    "version": "0.1.9"
   },
   "plugins": [
     {
@@ -14,10 +14,10 @@
       "source": {
         "source": "npm",
         "package": "@cantinasecurity/apex-cli",
-        "version": "0.1.6"
+        "version": "0.1.9"
       },
       "description": "Run Apex security scans and review findings from Claude Code.",
-      "version": "0.1.6",
+      "version": "0.1.9",
       "author": {
         "name": "Cantina",
         "email": "support@cantina.xyz"

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "apex-cli",
-  "version": "0.1.6",
+  "version": "0.1.9",
   "description": "Run Apex security scans and review findings from Claude Code.",
   "author": {
     "name": "Cantina",

package/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "apex-cli",
-  "version": "0.1.6",
+  "version": "0.1.9",
   "description": "Run Apex security scans and review findings from Codex.",
   "author": {
     "name": "Cantina",

package/.mcp.claude.json

@@ -5,7 +5,7 @@
       "args": [
         "-y",
         "-p",
-        "@cantinasecurity/apex-cli@0.1.6",
+        "@cantinasecurity/apex-cli@0.1.9",
         "apex-mcp"
       ]
     }

package/.mcp.codex.json

@@ -4,7 +4,7 @@
     "args": [
       "-y",
       "-p",
-      "@cantinasecurity/apex-cli@0.1.6",
+      "@cantinasecurity/apex-cli@0.1.9",
       "apex-mcp"
     ]
   }

package/MARKETPLACE.md

@@ -13,7 +13,7 @@ This package is prepared as both a Claude Code plugin and a Codex plugin. The pu
 The plugin MCP configs launch the pinned npm CLI package with:
 
 ```bash
-npx -y -p @cantinasecurity/apex-cli@0.1.6 apex-mcp
+npx -y -p @cantinasecurity/apex-cli@0.1.9 apex-mcp
 ```
 
 That keeps marketplace installs independent of a user's global `apex` install.

package/README.md

@@ -109,7 +109,7 @@ Supported shell commands:
 - `/export [scan-id]`
 - `/workspaces`
 - `/cancel-scan [scan-id]`
-- `/status`
+- `/status [scan-id]`
 - `/doctor`
 - `/update`
 - `/logout`
@@ -142,7 +142,7 @@ Supported shell commands:
 - `apex workspace`
 - `apex workspace use <workspace-name|workspace-prefix|workspace-id>`
 - `apex cancel-scan [scan-id]`
-- `apex status`
+- `apex status [--scan <scan-id>]`
 - `apex doctor`
 - `apex login`
 - `apex logout`
@@ -156,7 +156,7 @@ Helpful workspace flags:
 - `--company <id-or-handle>` to choose the Apex company when more than one is available
 - `--workspace-name <name>` to set the Apex workspace name for this directory
 
-`apex credits` shows standard scan credits plus audit scan entitlements when the server returns them.
+`apex credits` shows standard scan credits plus audit and fix review scan entitlements when the server returns them.
 
 ## Finding Review Feedback
 
@@ -174,7 +174,7 @@ Finding review collaboration now has explicit write commands:
 
 Identifiers such as `KERN2-25` are resolved against the selected or latest scan for the current workspace binding. Pass `--scan <scan-id>` when you need a specific scan, or pass the finding UUID directly to skip workspace-based resolution.
 
-Finding comments, valid/invalid feedback, and fix review scan starts currently require a Cantina web session token in `CANTINA_AUTH_TOKEN`. Set it to the value of your logged-in `auth_token` cookie before using the write commands or the corresponding MCP tools.
+Finding comments, valid/invalid feedback, and fix review scan starts use the same Apex login credentials as read commands. In MCP clients, `apex-auth-start` followed by `apex-auth-wait` is enough to authenticate these write tools.
 
 Invalid feedback requires a dismissal reason. Valid feedback can include `--suggested-severity extreme|critical|high|medium|low|informational`.
 
@@ -185,10 +185,7 @@ Fix review scans use a two-step callback flow for agents that create a PR outsid
 
 The matching MCP flow is `apex-finding-feedback` with `status: "valid"`, `labels: ["fixed"]`, and `fixPrUrls`, followed by `apex-finding-fix-review`.
 
-This is intentionally documented as a separate auth requirement because the current Apex read APIs and finding review write APIs do not accept the same credentials:
-
-- read operations such as `apex findings`, `apex export findings`, and `apex-findings` use the Apex CLI device-login bearer token
-- finding comments and feedback currently go through the Cantina web-app routes and require `CANTINA_AUTH_TOKEN`
+The matching CLI and MCP flows intentionally use the same device-login session so agents should not ask users to paste browser cookies or auth tokens.
 
 ## Local Source Scans
 
@@ -300,7 +297,7 @@ The npm package also includes marketplace-ready plugin artifacts:
 - `.claude-plugin/plugin.json` and `.mcp.claude.json` for Claude Code plugin installs
 - `.claude-plugin/marketplace.json` for a Claude marketplace entry backed by the public npm package
 
-These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.6 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
+These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.9 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
 
 The repository also includes `.agents/plugins/marketplace.json` for local Codex marketplace testing from a checkout.
 
@@ -328,11 +325,11 @@ The CLI uses the Apex `/api/cli/v2/**` local-source routes for scan planning and
 - `~/.config/apex/credentials.json`
 - `.apex/workspace.json`
 
-If a scan is already running in the current workspace, `apex scan` and `/scan` now require confirmation before starting another one. Scripted usage can opt in explicitly with `--force`.
+If a scan is already running in the current workspace, `apex scan` and `/scan` now require confirmation before starting another one. Scripted usage can opt in explicitly with `--force`. Active-looking workspace scan rows are checked against the scan progress endpoint before the CLI treats them as blockers, so stale list entries do not hide terminal states such as `cancelled`.
 
 To move between existing Apex workspaces from the CLI:
 
 1. Run `apex workspaces` to list the workspaces available to your active company.
 2. Run `apex workspace use <workspace-name|workspace-prefix|workspace-id>` to bind the current directory.
 3. If the workspace name contains spaces, quote it, for example `apex workspace use "Core Platform"`.
-4. Use `apex scans`, `apex findings`, and `apex export findings` against that binding.
+4. Use `apex scans`, `apex status --scan <scan-id>`, `apex findings`, and `apex export findings` against that binding.

package/dist/api-client.js

@@ -45,6 +45,10 @@ export class ApexApiClient {
     async getCredentials() {
         return loadCredentials();
     }
+    async getAccessToken() {
+        const credentials = await this.refreshIfNeeded().catch(() => null);
+        return credentials?.accessToken ?? null;
+    }
     async clearCredentials() {
         await clearCredentials();
     }

package/dist/commands.js

@@ -3,11 +3,11 @@ import { logout } from "./auth.js";
 import { ApiError } from "./api-client.js";
 import { openInBrowser } from "./browser.js";
 import { loadConfig, saveConfig } from "./config.js";
-import { createFindingComment, fetchScanExport, fetchScanFindings, isFindingUuid, normalizeFindingRef, requireCantinaAuthToken, resolveFindingSelection, resolveScanSelection, startFindingFixReviewScan, submitFindingFeedback, } from "./findings.js";
+import { createFindingComment, fetchScanExport, fetchScanFindings, isFindingUuid, normalizeFindingRef, resolveFindingSelection, resolveScanSelection, startFindingFixReviewScan, submitFindingFeedback, } from "./findings.js";
 import { prepareExplicitScanSources, supportsLegacyRemoteFlow, } from "./local-source-scan.js";
 import { logLine, printJson, withLoadingIndicator } from "./output.js";
 import { confirm } from "./prompt.js";
-import { cancelScan, fetchWorkspaceScans, findMostRelevantActiveScan, getScanDisplayLabel, getScanDisplayId, getTrackedScanId, isActiveScanStatus, matchesScanId, selectDefaultScanToCancel, } from "./scan.js";
+import { cancelScan, fetchScanProgress, fetchWorkspaceScans, findMostRelevantActiveScan, getScanDisplayLabel, getScanDisplayId, getTrackedScanId, isActiveScanStatus, matchesScanId, selectDefaultScanToCancel, } from "./scan.js";
 import { chooseCompany, createWorkspaceBinding, ensureAuthenticated, remediateMissingConnections, resolveWorkspaceSelection, resolveWorkspaceSelectionLegacy, resolveWorkspaceAllowingMissingConnections, selectWorkspaceTarget, } from "./session.js";
 import { createWorkspaceBindingFromSummary, fetchCompanyCredits, fetchCompanyWorkspaces, findWorkspaceByRef, } from "./workspaces.js";
 import { loadWorkspaceBinding, saveWorkspaceBinding } from "./workspace-binding.js";
@@ -81,6 +81,29 @@ function formatAuditScanBalance(scanBalance) {
     }
     return `Audit scans: ${detailParts.join(", ")}`;
 }
+function formatFixReviewScanBalance(scanBalance) {
+    const purchased = getOptionalCount(scanBalance.fixReviewPurchased);
+    const used = getOptionalCount(scanBalance.fixReviewUsed);
+    const remaining = getOptionalCount(scanBalance.fixReviewRemaining);
+    const available = getOptionalCount(scanBalance.fixReviewAvailable) ??
+        remaining ??
+        (purchased !== null && used !== null ? Math.max(0, purchased - used) : null);
+    if (purchased === null && used === null && available === null) {
+        return null;
+    }
+    const detailParts = [];
+    if (purchased !== null) {
+        detailParts.push(`${purchased} purchased`);
+    }
+    if (used !== null) {
+        detailParts.push(`${used} used`);
+    }
+    if (available !== null) {
+        const detailSuffix = detailParts.length ? ` (${detailParts.join(", ")})` : "";
+        return `Fix review scans: ${available} available${detailSuffix}`;
+    }
+    return `Fix review scans: ${detailParts.join(", ")}`;
+}
 function normalizeRequestedScanMode(value) {
     if (value === "ultra" || value === "audit") {
         return "audit";
@@ -450,6 +473,14 @@ export async function commandCredits(client, cwd, flags) {
     if (redeemableAuditScans && redeemableAuditScans > 0) {
         logLine(`Redeemable audit scans from standard credits: ${redeemableAuditScans}`, flags);
     }
+    const fixReviewBalance = formatFixReviewScanBalance(payload.scanBalance);
+    if (fixReviewBalance) {
+        logLine(fixReviewBalance, flags);
+    }
+    const redeemableFixReviewScans = getOptionalCount(payload.scanBalance.fixReviewRedeemableFromCredits);
+    if (redeemableFixReviewScans && redeemableFixReviewScans > 0) {
+        logLine(`Redeemable fix review scans from standard credits: ${redeemableFixReviewScans}`, flags);
+    }
     logLine(`Scans enabled: ${payload.scansEnabled ? "yes" : "no"}`, flags);
     return payload;
 }
@@ -507,24 +538,26 @@ export async function commandDoctor(client, cwd, flags) {
 export async function commandStatus(client, cwd, flags) {
     await ensureAuthenticated(client, flags);
     const binding = await requireWorkspaceBinding(cwd);
-    if (!binding.lastScanId) {
+    const requestedScanId = getFlagString(flags, "scan");
+    const scanId = requestedScanId ?? binding.lastScanId;
+    if (!scanId) {
         throw new Error("No scan has been started from this directory yet. Run `apex scan` first.");
     }
-    const progress = await withLoadingIndicator("Loading scan status...", flags, () => client.request(`/api/cli/v1/scans/${binding.lastScanId}/progress`));
+    const progress = await withLoadingIndicator("Loading scan status...", flags, () => fetchScanProgress(client, scanId));
     if (isJsonMode(flags)) {
-        printJson({ binding, progress });
-        return { binding, progress };
+        printJson({ binding, scanId, progress });
+        return { binding, scanId, progress };
     }
     logLine(`Workspace: ${binding.workspaceName}`, flags);
-    logLine(`Scan: ${binding.lastScanId}`, flags);
+    logLine(`Scan: ${scanId}`, flags);
     logLine(`Status: ${progress.progress?.status ?? "unknown"}`, flags);
     if (typeof progress.progress?.progressPct === "number") {
         logLine(`Progress: ${progress.progress.progressPct}%`, flags);
     }
-    if (binding.lastScanUrl) {
+    if (binding.lastScanUrl && (!requestedScanId || requestedScanId === binding.lastScanId)) {
         logLine(`View: ${binding.lastScanUrl}`, flags);
     }
-    return { binding, progress };
+    return { binding, scanId, progress };
 }
 export async function commandConnect(client, cwd, flags, provider) {
     const me = await ensureAuthenticated(client, flags);
@@ -923,7 +956,6 @@ export async function commandFindingComment(client, cwd, flags, requestedFinding
     if (!trimmedContent) {
         throw new Error("Usage: apex findings comment <finding-id|finding-identifier> --content \"<markdown>\"");
     }
-    requireCantinaAuthToken();
     const currentBinding = await loadWorkspaceBinding(cwd);
     const needsWorkspaceResolution = !isFindingUuid(findingRef);
     const binding = needsWorkspaceResolution
@@ -998,7 +1030,6 @@ export async function commandFindingFeedback(client, cwd, flags, params) {
     if (fixPrUrls.length > 0 && labels?.[0] !== "fixed") {
         throw new Error("Fix PR URLs require the fixed feedback label.");
     }
-    requireCantinaAuthToken();
     const currentBinding = await loadWorkspaceBinding(cwd);
     const needsWorkspaceResolution = !isFindingUuid(findingRef);
     const binding = needsWorkspaceResolution
@@ -1063,7 +1094,6 @@ export async function commandFindingFeedback(client, cwd, flags, params) {
 }
 export async function commandFindingFixReview(client, cwd, flags, requestedFindingRef) {
     const findingRef = normalizeFindingRefInput(requestedFindingRef);
-    requireCantinaAuthToken();
     const currentBinding = await loadWorkspaceBinding(cwd);
     const needsWorkspaceResolution = !isFindingUuid(findingRef);
     const binding = needsWorkspaceResolution

package/dist/findings.js

@@ -2,7 +2,7 @@ import { fetchWorkspaceScans, getScanDisplayId, matchesScanId, } from "./scan.js
 import { ApiError } from "./api-client.js";
 const FINDING_UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
 const CANTINA_AUTH_TOKEN_ENV = "CANTINA_AUTH_TOKEN";
-const CANTINA_AUTH_TOKEN_ERROR = "Finding comments, feedback, and fix review scans currently require `CANTINA_AUTH_TOKEN` from a logged-in Cantina/Apex browser session. Export `CANTINA_AUTH_TOKEN` and retry.";
+const FINDING_WRITE_AUTH_ERROR = "Finding comments, feedback, and fix review scans require Apex authentication. Run `apex login` or use MCP `apex-auth-start` followed by `apex-auth-wait`, then retry.";
 function parsePositiveInt(value) {
     if (!value)
         return null;
@@ -32,11 +32,8 @@ function normalizeCantinaAuthToken(value) {
     }
     return token.length > 0 ? token : null;
 }
-export function requireCantinaAuthToken() {
+export function getCantinaAuthToken() {
     const token = normalizeCantinaAuthToken(process.env[CANTINA_AUTH_TOKEN_ENV]);
-    if (!token) {
-        throw new Error(CANTINA_AUTH_TOKEN_ERROR);
-    }
     return token;
 }
 export function isFindingUuid(value) {
@@ -63,22 +60,68 @@ function matchesFindingRef(finding, findingRef) {
         .some((value) => value.trim().toLowerCase() === normalizedRef);
 }
 async function requestFindingAppRoute(client, path, options = {}) {
-    const token = requireCantinaAuthToken();
     const baseUrl = await client.getBaseUrl();
-    const headers = new Headers(options.headers ?? {});
-    // These routes still authenticate through the web app cookie, not Apex CLI bearer auth.
-    headers.set("Cookie", `auth_token=${token}`);
-    headers.set("Accept", "application/json");
-    if (options.json !== undefined) {
-        headers.set("Content-Type", "application/json");
-    }
-    const response = await fetch(new URL(path, baseUrl), {
-        ...options,
-        headers,
-        body: options.json !== undefined ? JSON.stringify(options.json) : options.body,
-    });
-    const body = await parseWebRouteResponse(response);
+    const accessToken = await client.getAccessToken();
+    const legacyCookieToken = getCantinaAuthToken();
+    let attemptedBearerAuth = false;
+    if (!accessToken && !legacyCookieToken) {
+        throw new Error(FINDING_WRITE_AUTH_ERROR);
+    }
+    const send = async (auth) => {
+        const headers = new Headers(options.headers ?? {});
+        headers.set("Accept", "application/json");
+        if (options.json !== undefined) {
+            headers.set("Content-Type", "application/json");
+        }
+        if (auth.type === "bearer") {
+            headers.set("Authorization", `Bearer ${auth.token}`);
+        }
+        else {
+            headers.set("Cookie", `auth_token=${auth.token}`);
+        }
+        return fetch(new URL(path, baseUrl), {
+            ...options,
+            headers,
+            body: options.json !== undefined ? JSON.stringify(options.json) : options.body,
+        });
+    };
+    const sendAndParse = async (auth) => {
+        if (auth.type === "bearer") {
+            attemptedBearerAuth = true;
+        }
+        const response = await send(auth);
+        const body = await parseWebRouteResponse(response);
+        return { response, body };
+    };
+    const primaryAuth = accessToken
+        ? { type: "bearer", token: accessToken }
+        : { type: "cookie", token: legacyCookieToken };
+    let { response, body } = await sendAndParse(primaryAuth);
+    if (!response.ok && response.status === 401 && primaryAuth.type === "bearer") {
+        const refreshedToken = await client
+            .refreshSession()
+            .then((credentials) => credentials?.accessToken ?? null)
+            .catch(() => null);
+        if (refreshedToken) {
+            ({ response, body } = await sendAndParse({
+                type: "bearer",
+                token: refreshedToken,
+            }));
+        }
+    }
+    if (!response.ok && response.status === 401 && primaryAuth.type === "bearer" && legacyCookieToken) {
+        ({ response, body } = await sendAndParse({
+            type: "cookie",
+            token: legacyCookieToken,
+        }));
+    }
     if (!response.ok) {
+        if (response.status === 401) {
+            if (attemptedBearerAuth) {
+                await client.clearCredentials();
+            }
+            throw new Error(FINDING_WRITE_AUTH_ERROR);
+        }
         throw new ApiError(`Request failed with ${response.status}`, response.status, body);
     }
     return body;

package/dist/help.js

@@ -1,6 +1,6 @@
 export const CLI_HELP_TEXT = `Usage:
   apex                              Open the interactive Apex shell
-  apex credits                      Show scan credits and audit scan entitlements for the active company
+  apex credits                      Show scan credits plus audit and fix review scan entitlements for the active company
   apex scan                         Create or resolve a workspace for this directory and start a scan
   apex scans                        List scans for the current workspace binding
   apex findings                     List findings for the latest or selected scan
@@ -16,7 +16,7 @@ export const CLI_HELP_TEXT = `Usage:
   apex workspace use <workspace-name|workspace-prefix|workspace-id>
                                     Bind this directory to an existing Apex workspace
   apex cancel-scan [scan-id]        Cancel a running scan
-  apex status                       Show the latest scan progress for this directory
+  apex status                       Show progress for the latest or selected scan
   apex doctor                       Validate auth, repos, connections, and workspace binding
   apex login                        Sign in to Apex
   apex logout                       Sign out locally
@@ -29,7 +29,7 @@ export const CLI_HELP_TEXT = `Usage:
 Flags:
   --company <id-or-handle>          Choose the Apex company to use
   --workspace-name <name>           Set the Apex workspace name for this directory
-  --scan <scan-id>                  Select a specific scan for findings or export
+  --scan <scan-id>                  Select a specific scan for status, findings, or export
   --status valid|invalid            Set the finding feedback status explicitly
   --content <markdown>              Supply comment content for apex findings comment
   --comment <markdown>              Supply rationale for apex findings feedback
@@ -61,7 +61,7 @@ Tips:
   PR scans require --mode pr and at least one --pr selection for a GitHub repository.
   audit is the current scan mode for audit scans; ultra remains accepted as a legacy alias.
   apex workspace use accepts a workspace name, prefix, or ID.
-  Finding comments, feedback, and fix review scans currently require CANTINA_AUTH_TOKEN from a logged-in Cantina/Apex browser session.
+  Finding comments, feedback, and fix review scans use the same Apex login credentials as other CLI commands.
   Invalid finding feedback requires --dismissal-reason.
   Fix review scans require valid feedback with --label fixed and at least one --fix-pr-url, then apex findings fix-review.
   Finding identifiers such as KERN2-25 resolve against the selected scan; pass --scan or use the finding UUID directly when needed.
@@ -71,7 +71,7 @@ Tips:
 export const SHELL_HELP_TEXT = `Press Tab to autocomplete commands and common arguments.
 
 Commands:
-  /credits                Show scan credits and audit scan entitlements for the active company
+  /credits                Show scan credits plus audit and fix review scan entitlements for the active company
   /scan [standard|audit]  Start a new Apex scan for this workspace
   /scan pr <pr-number>    Start a PR scan for this workspace
   /scans                  List scans for this workspace
@@ -87,7 +87,7 @@ Commands:
   /export [scan-id]       Export findings for the latest or selected scan
   /workspaces             List accessible workspaces for the active company
   /cancel-scan [scan-id]  Cancel a running or most recent scan
-  /status                 Show progress for the most recent scan
+  /status [scan-id]       Show progress for the most recent or selected scan
   /doctor                 Validate auth, repos, connections, and workspace binding
   /update                 Update the local Apex CLI install and exit the shell
   /logout                 Sign out locally and exit the shell
@@ -107,7 +107,7 @@ Tips:
   PR scans require a GitHub PR number and provider-backed repository access.
   audit is the current scan mode for audit scans; ultra remains accepted as a legacy alias.
   /workspace use accepts a workspace name, prefix, or ID.
-  /findings comment, /findings feedback, and /findings fix-review require CANTINA_AUTH_TOKEN in the shell environment.
+  /findings comment, /findings feedback, and /findings fix-review use the current Apex login.
   Invalid finding feedback requires a dismissal reason.
   Fix review scans require fixed valid feedback with a Fix PR URL. Use scripted CLI or MCP for attaching Fix PR URLs.
   Use scripted CLI flags for advanced feedback options such as suggested severity or dismissal reason.

package/dist/mcp.js

@@ -22,6 +22,7 @@ Suggested workflow:
 Notes:
 - Pass cwd explicitly for repository-specific operations.
 - Tool calls are always non-interactive and never auto-open a browser.
+- Finding write tools use the same Apex device-login credentials as read tools.
 - Use mode "audit" for audit scans; "ultra" remains accepted as a legacy alias. Use mode "pr" for GitHub pull request scans.
 - Doctor reports whether Apex will use remote materialization or a local snapshot upload for each source.`;
 const WORKSPACE_BINDING_ERROR = "This directory is not bound to an Apex workspace yet. Run `apex workspaces` to list workspace names, prefixes, and IDs, then bind one with `apex workspace use \"<workspace name>\"`, or run `apex scan` to create or resolve one automatically.";
@@ -270,7 +271,7 @@ function registerTools(server) {
     }, (value) => `Apex doctor completed for ${String(value.cwd)}.`));
     server.registerTool("apex-credits", {
         title: "Get Apex Credits",
-        description: "Show scan credits and audit scan entitlements for the active or selected company.",
+        description: "Show scan credits plus audit and fix review scan entitlements for the active or selected company.",
         inputSchema: {
             cwd: z.string().optional(),
             company: z.string().optional(),
@@ -380,15 +381,16 @@ function registerTools(server) {
     }, (value) => `Started an Apex scan for ${String(value.cwd)}.`));
     server.registerTool("apex-status", {
         title: "Get Apex Scan Status",
-        description: "Show progress for the most recent Apex scan in a directory.",
+        description: "Show progress for the most recent or selected Apex scan in a directory.",
         inputSchema: {
             cwd: z.string().optional(),
+            scanId: z.string().optional(),
         },
-    }, async ({ cwd }) => runTool("apex-status", async () => {
+    }, async ({ cwd, scanId }) => runTool("apex-status", async () => {
         const client = new ApexApiClient();
         await requireAuthenticated(client);
         const targetCwd = resolveCwd(cwd);
-        const payload = await commandStatus(client, targetCwd, buildFlags({}));
+        const payload = await commandStatus(client, targetCwd, buildFlags({ scanId }));
         return {
             cwd: targetCwd,
             ...payload,
@@ -450,7 +452,7 @@ function registerTools(server) {
     }, (value) => `Fetched Apex findings for ${String(value.cwd)}.`));
     server.registerTool("apex-finding-comment", {
         title: "Add Apex Finding Comment",
-        description: "Add a comment or note to an Apex finding. Requires CANTINA_AUTH_TOKEN in the MCP server environment.",
+        description: "Add a comment or note to an Apex finding using the current Apex login.",
         inputSchema: {
             cwd: z.string().optional(),
             findingRef: z.string(),
@@ -471,7 +473,7 @@ function registerTools(server) {
     }, (value) => `Added a finding comment for ${String(value.findingRef)}.`));
     server.registerTool("apex-finding-feedback", {
         title: "Leave Apex Finding Feedback",
-        description: "Leave valid or invalid feedback on an Apex finding. To attach a fix PR, send status valid with label fixed and fixPrUrls. Requires CANTINA_AUTH_TOKEN in the MCP server environment.",
+        description: "Leave valid or invalid feedback on an Apex finding using the current Apex login. To attach a fix PR, send status valid with label fixed and fixPrUrls.",
         inputSchema: {
             cwd: z.string().optional(),
             findingRef: z.string(),
@@ -509,7 +511,7 @@ function registerTools(server) {
         "finding"))} feedback for ${String(value.findingRef)}.`));
     server.registerTool("apex-finding-fix-review", {
         title: "Start Apex Finding Fix Review Scan",
-        description: "Start a fix review scan for a finding after fixed feedback with one or more Fix PR URLs has been saved. Requires CANTINA_AUTH_TOKEN in the MCP server environment.",
+        description: "Start a fix review scan for a finding after fixed feedback with one or more Fix PR URLs has been saved.",
         inputSchema: {
             cwd: z.string().optional(),
             findingRef: z.string(),

package/dist/scan.js

@@ -121,6 +121,33 @@ export function normalizeWorkspaceScans(payload) {
 export function isActiveScanStatus(status) {
     return status ? ACTIVE_SCAN_STATUSES.has(status.trim().toLowerCase()) : false;
 }
+function mergeScanProgress(scan, progress) {
+    const status = readString(progress.progress?.status) ?? scan.status;
+    const startedAt = progress.progress?.startedAt ?? scan.startedAt;
+    const finishedAt = !isActiveScanStatus(status) && !scan.finishedAt
+        ? scan.updatedAt
+        : scan.finishedAt;
+    return {
+        ...scan,
+        kernelScanId: progress.kernelScanId ?? scan.kernelScanId,
+        status,
+        startedAt,
+        finishedAt,
+    };
+}
+async function reconcileActiveScanStatus(client, scan) {
+    if (!isActiveScanStatus(scan.status)) {
+        return scan;
+    }
+    let progress;
+    try {
+        progress = await fetchScanProgress(client, getScanDisplayId(scan));
+    }
+    catch {
+        return scan;
+    }
+    return mergeScanProgress(scan, progress);
+}
 export function findMostRelevantActiveScan(scans) {
     return scans.find((scan) => isActiveScanStatus(scan.status)) ?? null;
 }
@@ -148,7 +175,11 @@ export async function fetchWorkspaceScans(client, workspaceId) {
         { path: `/api/workspaces/${encodedWorkspaceId}/scans` },
         { path: `/api/scans?workspaceId=${encodedWorkspaceId}` },
     ]);
-    return normalizeWorkspaceScans(payload);
+    const scans = normalizeWorkspaceScans(payload);
+    return Promise.all(scans.map((scan) => reconcileActiveScanStatus(client, scan)));
+}
+export async function fetchScanProgress(client, scanId) {
+    return client.request(`/api/cli/v1/scans/${encodeURIComponent(scanId)}/progress`);
 }
 export async function cancelScan(client, scanId) {
     const encodedScanId = encodeURIComponent(scanId);

package/dist/shell.js

@@ -208,7 +208,13 @@ async function runShellCommand(client, cwd, parsed, shellFlags, session) {
             };
         }
         case "status":
-            await commandStatus(client, cwd, shellFlags);
+            if (parsed.args.length > 1) {
+                process.stderr.write("Usage: /status [scan-id]\n");
+                return {};
+            }
+            await commandStatus(client, cwd, parsed.args[0]
+                ? withFlag(shellFlags, "scan", parsed.args[0])
+                : shellFlags);
             return {};
         case "scans":
             await commandScans(client, cwd, shellFlags);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cantinasecurity/apex-cli",
-  "version": "0.1.6",
+  "version": "0.1.9",
   "description": "Standalone CLI and MCP server for Apex.",
   "private": false,
   "type": "module",

package/skills/apex-cli/SKILL.md

@@ -24,7 +24,7 @@ Workflow:
 Guidelines:
 
 - Do not rely on interactive CLI prompts. The MCP tools are intentionally non-interactive.
-- `apex-credits` reports standard credits and audit scan entitlements when Bedrock returns both balances.
+- `apex-credits` reports standard credits plus audit and fix review scan entitlements when Bedrock returns those balances.
 - `apex-scan` scans the provided `cwd` by default; pass `repoPaths` only when the user asks to scan explicit alternate roots.
 - `apex-doctor` reports whether Apex will use remote materialization or a local snapshot upload for each selected source.
 - Apex can scan plain local directories and dirty git worktrees without provider connections by using local snapshot uploads.
@@ -33,8 +33,9 @@ Guidelines:
 - `apex-workspace-use` accepts a workspace name, prefix, or ID.
 - Use `sourceMode: "remote"` only when the user explicitly wants to forbid local snapshot fallbacks.
 - Use `force: true` on `apex-scan` only when the user explicitly wants to replace or overlap an active scan.
+- When checking a scan that is not the workspace binding's latest scan, pass `scanId` to `apex-status`; use `apex-scans` first if you need to discover scan IDs.
 - Prefer `apex-findings` for quick inspection and `apex-export-findings` when the user needs a file artifact.
-- Finding comments, feedback, and fix review scan starts currently require `CANTINA_AUTH_TOKEN` in the MCP server environment because those writes go through the Cantina web-app routes instead of the Apex CLI bearer-token routes.
+- Finding comments, feedback, and fix review scan starts use the same Apex device-login credentials as read tools. If a write tool reports missing auth, re-run `apex-auth-status` and complete `apex-auth-start` / `apex-auth-wait` instead of asking for browser cookies or auth tokens.
 - Invalid finding feedback requires `dismissalReason`; valid feedback can include `suggestedSeverity`, including `extreme`.
 - Fix PR callback feedback requires valid feedback with `labels: ["fixed"]` and `fixPrUrls`; start the fix review scan with `apex-finding-fix-review` after saving that feedback.
 - Finding identifiers such as `KERN2-25` resolve against the selected or latest scan for the current workspace binding. Pass an explicit scan when needed, or use the finding UUID directly.