@cantinasecurity/apex-cli 0.1.9 → 0.1.10

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Cantina agent plugins for security review workflows.",
-    "version": "0.1.9"
+    "version": "0.1.10"
   },
   "plugins": [
     {
@@ -14,10 +14,10 @@
       "source": {
         "source": "npm",
         "package": "@cantinasecurity/apex-cli",
-        "version": "0.1.9"
+        "version": "0.1.10"
       },
       "description": "Run Apex security scans and review findings from Claude Code.",
-      "version": "0.1.9",
+      "version": "0.1.10",
       "author": {
         "name": "Cantina",
         "email": "support@cantina.xyz"

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "apex-cli",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Run Apex security scans and review findings from Claude Code.",
   "author": {
     "name": "Cantina",

package/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "apex-cli",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Run Apex security scans and review findings from Codex.",
   "author": {
     "name": "Cantina",

package/.mcp.claude.json

@@ -5,7 +5,7 @@
       "args": [
         "-y",
         "-p",
-        "@cantinasecurity/apex-cli@0.1.9",
+        "@cantinasecurity/apex-cli@0.1.10",
         "apex-mcp"
       ]
     }

package/.mcp.codex.json

@@ -4,7 +4,7 @@
     "args": [
       "-y",
       "-p",
-      "@cantinasecurity/apex-cli@0.1.9",
+      "@cantinasecurity/apex-cli@0.1.10",
       "apex-mcp"
     ]
   }

package/MARKETPLACE.md

@@ -13,7 +13,7 @@ This package is prepared as both a Claude Code plugin and a Codex plugin. The pu
 The plugin MCP configs launch the pinned npm CLI package with:
 
 ```bash
-npx -y -p @cantinasecurity/apex-cli@0.1.9 apex-mcp
+npx -y -p @cantinasecurity/apex-cli@0.1.10 apex-mcp
 ```
 
 That keeps marketplace installs independent of a user's global `apex` install.

package/README.md

@@ -19,15 +19,17 @@ apex setup
 
 `apex setup` is the lowest-friction path for agent clients. It:
 
-- registers Apex as an MCP server in any installed Codex and Claude Code CLIs
+- registers Apex as an MCP server in any installed Codex CLI, Claude Code, and GitHub Copilot CLI clients
 - installs the Codex skill into `$CODEX_HOME/skills/apex-cli`
 - installs the Claude project skill into `.claude/skills/apex-cli` in the current repository
+- installs the GitHub Copilot CLI skill into `$COPILOT_HOME/skills/apex-cli` or `~/.copilot/skills/apex-cli`
 
 If you only want one client, run:
 
 ```bash
 apex setup codex
 apex setup claude
+apex setup copilot
 ```
 
 If one client is not installed yet, `apex setup` skips it automatically. If you target a client explicitly, its CLI must already be installed.
@@ -146,7 +148,7 @@ Supported shell commands:
 - `apex doctor`
 - `apex login`
 - `apex logout`
-- `apex setup [all|codex|claude]`
+- `apex setup [all|codex|claude|copilot]`
 - `apex update`
 - `apex connect github`
 - `apex connect gitlab`
@@ -219,7 +221,7 @@ If Apex is installed globally, prefer:
 apex setup
 ```
 
-That registers Apex for installed Codex and Claude Code clients automatically.
+That registers Apex for installed Codex CLI, Claude Code, and GitHub Copilot CLI clients automatically.
 
 If you want to wire clients manually instead, Apex ships a stable `apex-mcp` binary. For Codex:
 
@@ -233,6 +235,12 @@ For Claude Code:
 claude mcp add --scope user apex -- apex-mcp
 ```
 
+For GitHub Copilot CLI:
+
+```bash
+copilot mcp add apex --type stdio --tools "*" -- apex-mcp
+```
+
 For any other MCP client, configure it to launch:
 
 ```json
@@ -285,7 +293,7 @@ The MCP server exposes Apex-specific tools for:
 
 For repository-scoped operations, pass `cwd` explicitly so the server can resolve the right `.apex/workspace.json` binding and repository roots.
 
-For Codex-style clients, the packaged skill can be installed with `apex setup codex`. The repo-local source lives at `skills/apex-cli/SKILL.md`.
+For Codex-style clients, the packaged skill can be installed with `apex setup codex`. For GitHub Copilot CLI, the same skill is installed into `~/.copilot/skills/apex-cli` with `apex setup copilot`. The repo-local source lives at `skills/apex-cli/SKILL.md`.
 
 For Claude Code, the packaged project skill can be installed into the current repository with `apex setup claude`. The repo-local source lives at `.claude/skills/apex-cli/SKILL.md`. Anthropic documents project skills as filesystem directories under `.claude/skills/<name>/SKILL.md`, and the Claude Agent SDK uses the same location when the `Skill` tool is enabled.
 
@@ -297,7 +305,7 @@ The npm package also includes marketplace-ready plugin artifacts:
 - `.claude-plugin/plugin.json` and `.mcp.claude.json` for Claude Code plugin installs
 - `.claude-plugin/marketplace.json` for a Claude marketplace entry backed by the public npm package
 
-These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.9 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
+These plugin installs launch the pinned npm package with `npx -y -p @cantinasecurity/apex-cli@0.1.10 apex-mcp`, so users do not need to install `apex` globally before enabling the plugin.
 
 The repository also includes `.agents/plugins/marketplace.json` for local Codex marketplace testing from a checkout.
 

package/dist/help.js

@@ -21,7 +21,8 @@ export const CLI_HELP_TEXT = `Usage:
   apex login                        Sign in to Apex
   apex logout                       Sign out locally
   apex mcp                          Start the Apex MCP server over stdio
-  apex setup [all|codex|claude]     Configure Apex for Codex and Claude Code
+  apex setup [all|codex|claude|copilot]
+                                    Configure Apex for Codex, Claude Code, and GitHub Copilot CLI
   apex update                       Update the local Apex CLI install
   apex connect github               Open the GitHub connection flow
   apex connect gitlab               Open the GitLab connection flow

package/dist/setup.js

@@ -10,6 +10,7 @@ const PACKAGE_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)),
 const CODEX_SKILL_NAME = "apex-cli";
 const MCP_SERVER_NAME = "apex";
 const execFile = promisify(execFileCallback);
+const SETUP_CLIENTS = ["codex", "claude", "copilot"];
 function quoteShellArg(value) {
     return /[^A-Za-z0-9_./:-]/.test(value)
         ? `'${value.replace(/'/g, `'\\''`)}'`
@@ -73,9 +74,28 @@ function getCodexHome() {
     }
     return path.join(os.homedir(), ".codex");
 }
+function getCopilotHome() {
+    const configured = process.env.COPILOT_HOME?.trim();
+    if (configured) {
+        return configured;
+    }
+    return path.join(os.homedir(), ".copilot");
+}
 function normalizeArgs(value) {
     return Array.isArray(value) ? value.filter((item) => typeof item === "string") : [];
 }
+function normalizeTools(value) {
+    if (Array.isArray(value)) {
+        return value.filter((item) => typeof item === "string");
+    }
+    if (typeof value === "string") {
+        return value
+            .split(",")
+            .map((item) => item.trim())
+            .filter(Boolean);
+    }
+    return [];
+}
 function codexConfigMatches(existing, launch) {
     if (!existing?.transport) {
         return false;
@@ -92,6 +112,17 @@ function claudeConfigMatches(existing, launch) {
         JSON.stringify(normalizeArgs(existing.args)) === JSON.stringify(launch.args) &&
         normalizedEnv === 0);
 }
+function copilotConfigMatches(existing, launch) {
+    const env = existing?.env;
+    const normalizedEnv = env && typeof env === "object" && !Array.isArray(env) ? Object.keys(env).length : 0;
+    const normalizedTools = normalizeTools(existing?.tools);
+    return ((existing?.type === "stdio" || existing?.type === "local") &&
+        existing.command === launch.command &&
+        JSON.stringify(normalizeArgs(existing.args)) === JSON.stringify(launch.args) &&
+        normalizedEnv === 0 &&
+        normalizedTools.length === 1 &&
+        normalizedTools[0] === "*");
+}
 async function writeManagedFile(filePath, content) {
     const current = await readTextFile(filePath);
     if (current === content) {
@@ -127,6 +158,20 @@ async function readClaudeUserMcpConfig() {
         return null;
     }
 }
+async function readCopilotUserMcpConfig() {
+    const configPath = path.join(getCopilotHome(), "mcp-config.json");
+    const raw = await readTextFile(configPath);
+    if (!raw) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        return parsed.mcpServers?.[MCP_SERVER_NAME] ?? null;
+    }
+    catch {
+        return null;
+    }
+}
 async function configureCodex(launch) {
     const existing = await readCodexMcpConfig();
     const mcpStatus = existing === null
@@ -197,6 +242,49 @@ async function configureClaude(cwd, launch) {
         },
     ];
 }
+async function configureCopilot(launch) {
+    const existing = await readCopilotUserMcpConfig();
+    const mcpStatus = existing === null
+        ? "installed"
+        : copilotConfigMatches(existing, launch)
+            ? "unchanged"
+            : "updated";
+    if (existing) {
+        await execText("copilot", ["mcp", "remove", MCP_SERVER_NAME]);
+    }
+    await execText("copilot", [
+        "mcp",
+        "add",
+        MCP_SERVER_NAME,
+        "--type",
+        "stdio",
+        "--tools",
+        "*",
+        "--",
+        launch.command,
+        ...launch.args,
+    ]);
+    const skillSource = path.join(PACKAGE_ROOT, "skills", CODEX_SKILL_NAME, "SKILL.md");
+    const skillTarget = path.join(getCopilotHome(), "skills", CODEX_SKILL_NAME, "SKILL.md");
+    const skillContent = await readFile(skillSource, "utf8");
+    const skillStatus = await writeManagedFile(skillTarget, skillContent);
+    return [
+        {
+            client: "copilot",
+            kind: "mcp",
+            status: mcpStatus,
+            path: path.join(getCopilotHome(), "mcp-config.json"),
+            detail: `Registered ${MCP_SERVER_NAME} -> ${launch.label} in GitHub Copilot CLI user config`,
+        },
+        {
+            client: "copilot",
+            kind: "skill",
+            status: skillStatus,
+            path: skillTarget,
+            detail: "Installed the Apex GitHub Copilot CLI skill",
+        },
+    ];
+}
 function summarizeStep(step) {
     const prefix = `${step.client} ${step.kind}`;
     if (step.path) {
@@ -204,29 +292,51 @@ function summarizeStep(step) {
     }
     return `${prefix}: ${step.status}`;
 }
+function isSetupClient(value) {
+    return SETUP_CLIENTS.includes(value);
+}
+function displayClientName(client) {
+    switch (client) {
+        case "codex":
+            return "Codex";
+        case "claude":
+            return "Claude Code";
+        case "copilot":
+            return "GitHub Copilot CLI";
+    }
+}
+function isMissingClientError(error) {
+    return error instanceof Error && /spawn (codex|claude|copilot) ENOENT/i.test(error.message);
+}
+async function configureClient(client, cwd, launch) {
+    switch (client) {
+        case "codex":
+            return configureCodex(launch);
+        case "claude":
+            return configureClaude(cwd, launch);
+        case "copilot":
+            return configureCopilot(launch);
+    }
+}
 export async function commandSetup(cwd, flags, requestedTarget, packageRoot = PACKAGE_ROOT) {
-    if (requestedTarget !== null &&
-        requestedTarget !== "all" &&
-        requestedTarget !== "codex" &&
-        requestedTarget !== "claude") {
-        throw new Error("Usage: apex setup [all|codex|claude]");
+    if (requestedTarget !== null && requestedTarget !== "all" && !isSetupClient(requestedTarget)) {
+        throw new Error("Usage: apex setup [all|codex|claude|copilot]");
     }
     const target = requestedTarget ?? "all";
     const launch = await resolveMcpLaunchSpec(packageRoot);
     const steps = [];
-    const requestedClients = target === "all" ? ["codex", "claude"] : [target];
+    const requestedClients = target === "all" ? [...SETUP_CLIENTS] : [target];
     let configuredClients = 0;
     for (const client of requestedClients) {
         try {
-            const clientSteps = client === "codex" ? await configureCodex(launch) : await configureClaude(cwd, launch);
+            const clientSteps = await configureClient(client, cwd, launch);
             steps.push(...clientSteps);
             configuredClients += 1;
         }
         catch (error) {
-            const missingClient = error instanceof Error &&
-                /spawn (codex|claude) ENOENT/i.test(error.message);
+            const missingClient = isMissingClientError(error);
             if (missingClient && target !== "all") {
-                throw new Error(`${client === "codex" ? "Codex" : "Claude Code"} is not installed on this machine. Install it first, then re-run \`apex setup ${client}\`.`);
+                throw new Error(`${displayClientName(client)} is not installed on this machine. Install it first, then re-run \`apex setup ${client}\`.`);
             }
             if (!missingClient) {
                 throw error;
@@ -236,19 +346,19 @@ export async function commandSetup(cwd, flags, requestedTarget, packageRoot = PA
                 kind: "mcp",
                 status: "skipped",
                 path: null,
-                detail: `${client} is not installed on this machine`,
+                detail: `${displayClientName(client)} is not installed on this machine`,
             });
             steps.push({
                 client,
                 kind: "skill",
                 status: "skipped",
                 path: null,
-                detail: `${client} is not installed on this machine`,
+                detail: `${displayClientName(client)} is not installed on this machine`,
             });
         }
     }
     if (configuredClients === 0) {
-        throw new Error("Neither Codex nor Claude Code is installed. Install one of them first, then re-run `apex setup`.");
+        throw new Error("Neither Codex, Claude Code, nor GitHub Copilot CLI is installed. Install one of them first, then re-run `apex setup`.");
     }
     const payload = {
         target,
@@ -271,5 +381,8 @@ export async function commandSetup(cwd, flags, requestedTarget, packageRoot = PA
     if (requestedClients.includes("claude")) {
         logLine("Re-run `apex setup claude` in each repository where you want the Claude project skill.", flags);
     }
+    if (requestedClients.includes("copilot")) {
+        logLine("Restart GitHub Copilot CLI or run `/skills reload` to pick up a newly installed or updated skill.", flags);
+    }
     return payload;
 }

package/dist/update.js

@@ -456,7 +456,7 @@ export async function commandUpdate(flags, packageRoot = PACKAGE_ROOT) {
         printJson(payload);
     }
     else {
-        logLine("Apex CLI updated. Re-run `apex` to use the latest version. Re-run `apex setup` to refresh copied Codex or Claude skill files.", flags);
+        logLine("Apex CLI updated. Re-run `apex` to use the latest version. Re-run `apex setup` to refresh copied Codex, Claude Code, or GitHub Copilot CLI skill files.", flags);
     }
     return payload;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cantinasecurity/apex-cli",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Standalone CLI and MCP server for Apex.",
   "private": false,
   "type": "module",

package/skills/apex-cli/SKILL.md

@@ -5,7 +5,7 @@ description: Use when a user wants to start Apex scans, inspect findings, bind w
 
 # Apex CLI
 
-This skill is bundled with Apex CLI and can be installed into Codex with `apex setup codex`.
+This skill is bundled with Apex CLI and can be installed into Codex with `apex setup codex` or GitHub Copilot CLI with `apex setup copilot`.
 
 Prefer the Apex MCP tools over running `apex` in the shell when the server is available.