claude-scionos 4.4.0 → 4.5.0

package/README.fr.md

@@ -67,21 +67,21 @@ npx claude-scionos --strategy aws --no-prompt -p "Résume ce dépôt"
 - `--service llm` bascule le lanceur vers `https://llm.routerlab.ch`
 - `llm` est prévu pour un accès sur invitation
 - les tokens enregistrés avec `auth login --service llm` sont stockés séparément du token RouterLab par défaut
-- `llm` expose pour l'instant `claude`, `claude-gpt`, `claude-gpt-special` et `deepseek-v4-beta`
-- `routerlab` expose aussi `claude-gpt`, `claude-minimax-m2.7` et `claude-glm-5.1`
+- `llm` expose pour l'instant `claude`, `claude-gpt`, `claude-gpt-special`, `deepseek-v4-beta` et `claude-minimax-m2.7`
+- `routerlab` expose aussi `claude-gpt`, `claude-kimi-k2.6`, `claude-minimax-m2.7` et `claude-glm-5.1`
 
 ## Stratégies
 
 - `default` : utilise Claude Code normalement sans proxy local
-- `aws` : remappe les familles de modèles Claude vers les variantes Claude AWS de RouterLab
-- `claude` : remappe les familles de modèles Claude sur `--service llm` vers les variantes Claude standard `claude-haiku-4-5-20251001`, `claude-sonnet-4-6` et `claude-opus-4-6`
-- `claude-gpt` : mappe les requêtes Claude vers la famille `claude-gpt`
-  `claude-gpt-5.5 ==> claude-opus-4.7`, `claude-gpt-5.4 ==> claude-sonnet-4.6`, `claude-gpt-5.4-mini ==> claude-gpt-5.4-mini`
-- `claude-gpt-special` : sur `--service llm`, force toutes les requêtes vers `claude-gpt-5.4-sp`
+- `aws` : remappe les familles de modèles Claude vers les variantes Claude AWS de RouterLab
+- `claude` : remappe les familles de modèles Claude sur `--service llm` vers les variantes Claude standard `claude-haiku-4-5-20251001`, `claude-sonnet-4-6` et `claude-opus-4-6`
+- `claude-gpt` : mappe les requêtes Claude vers la famille `claude-gpt`
+  les requêtes Opus sont mappées vers `claude-gpt-5.5`, les requêtes Sonnet vers `claude-gpt-5.4` et les requêtes Haiku vers `claude-gpt-5.4-mini`
+- `claude-gpt-special` : sur `--service llm`, force toutes les requêtes vers `claude-gpt-5.4-sp`
 - `deepseek-v4-beta` : sur `--service llm`, mappe les requêtes Claude vers `claude-deepseek-v4-pro` pour opus ou sonnet et `claude-deepseek-v4-flash` pour haiku
-- `claude-qwen3.6-plus` : force toutes les requêtes vers `claude-qwen3.6-plus`
-- `claude-minimax-m2.7` : force toutes les requêtes vers `claude-minimax-m2.7`
-- `claude-glm-5.1` : force toutes les requêtes vers `claude-glm-5.1`
+- `claude-kimi-k2.6` : force toutes les requêtes vers `claude-kimi-k2.6`
+- `claude-minimax-m2.7` : force toutes les requêtes vers `claude-minimax-m2.7`
+- `claude-glm-5.1` : force toutes les requêtes vers `claude-glm-5.1`
 
 Utilise `--list-strategies` pour voir les stratégies disponibles pour le service choisi et leur disponibilité réelle quand un token est disponible.
 

package/README.md

@@ -67,21 +67,21 @@ npx claude-scionos --strategy aws --no-prompt -p "Summarize this repo"
 - `--service llm` switches the launcher to `https://llm.routerlab.ch`
 - `llm` is intended for invitation-only access
 - Tokens stored with `auth login --service llm` are kept separate from the default RouterLab token
-- `llm` currently exposes `claude`, `claude-gpt`, `claude-gpt-special`, and `deepseek-v4-beta`
-- `routerlab` also exposes `claude-gpt`, `claude-minimax-m2.7`, and `claude-glm-5.1`
+- `llm` currently exposes `claude`, `claude-gpt`, `claude-gpt-special`, `deepseek-v4-beta`, and `claude-minimax-m2.7`
+- `routerlab` also exposes `claude-gpt`, `claude-kimi-k2.6`, `claude-minimax-m2.7`, and `claude-glm-5.1`
 
 ## Strategies
 
 - `default`: use Claude Code normally without the local proxy
-- `aws`: remap Claude model families to RouterLab AWS-backed Claude variants
-- `claude`: remap Claude model families on `--service llm` to the standard Claude variants `claude-haiku-4-5-20251001`, `claude-sonnet-4-6`, and `claude-opus-4-6`
-- `claude-gpt`: map Claude requests to the `claude-gpt` family
-  `claude-gpt-5.5 ==> claude-opus-4.7`, `claude-gpt-5.4 ==> claude-sonnet-4.6`, `claude-gpt-5.4-mini ==> claude-gpt-5.4-mini`
-- `claude-gpt-special`: on `--service llm`, force all requests to `claude-gpt-5.4-sp`
+- `aws`: remap Claude model families to RouterLab AWS-backed Claude variants
+- `claude`: remap Claude model families on `--service llm` to the standard Claude variants `claude-haiku-4-5-20251001`, `claude-sonnet-4-6`, and `claude-opus-4-6`
+- `claude-gpt`: map Claude requests to the `claude-gpt` family
+  Opus requests map to `claude-gpt-5.5`, Sonnet requests map to `claude-gpt-5.4`, and Haiku requests map to `claude-gpt-5.4-mini`
+- `claude-gpt-special`: on `--service llm`, force all requests to `claude-gpt-5.4-sp`
 - `deepseek-v4-beta`: on `--service llm`, map Claude requests to `claude-deepseek-v4-pro` for opus or sonnet and `claude-deepseek-v4-flash` for haiku
-- `claude-qwen3.6-plus`: force all requests to `claude-qwen3.6-plus`
-- `claude-minimax-m2.7`: force all requests to `claude-minimax-m2.7`
-- `claude-glm-5.1`: force all requests to `claude-glm-5.1`
+- `claude-kimi-k2.6`: force all requests to `claude-kimi-k2.6`
+- `claude-minimax-m2.7`: force all requests to `claude-minimax-m2.7`
+- `claude-glm-5.1`: force all requests to `claude-glm-5.1`
 
 Use `--list-strategies` to see the strategies available for the selected service and their live availability when a token is available.
 

package/index.js

@@ -52,6 +52,23 @@ import { startProxyServer } from './src/proxy.js';
 
 const require = createRequire(import.meta.url);
 const pkg = require('./package.json');
+const SIGNAL_EXIT_CODES = {
+    SIGHUP: 129,
+    SIGINT: 130,
+    SIGQUIT: 131,
+    SIGILL: 132,
+    SIGTRAP: 133,
+    SIGABRT: 134,
+    SIGBUS: 135,
+    SIGFPE: 136,
+    SIGKILL: 137,
+    SIGUSR1: 138,
+    SIGSEGV: 139,
+    SIGUSR2: 140,
+    SIGPIPE: 141,
+    SIGALRM: 142,
+    SIGTERM: 143
+};
 
 function normalizeEntrypointPath(candidate) {
     if (!candidate) {
@@ -68,6 +85,40 @@ function normalizeEntrypointPath(candidate) {
     }
 }
 
+function shouldSpawnWithShell(commandPath) {
+    if (process.platform !== 'win32') {
+        return false;
+    }
+
+    const extension = path.extname(commandPath || '').toLowerCase();
+    return extension === '.cmd' || extension === '.bat';
+}
+
+function resolveProcessExitCode(code, signal) {
+    if (typeof code === 'number') {
+        return code;
+    }
+
+    if (signal) {
+        return SIGNAL_EXIT_CODES[signal] ?? 1;
+    }
+
+    return 1;
+}
+
+function createCleanupOnce(cleanup) {
+    let cleaned = false;
+
+    return () => {
+        if (cleaned) {
+            return;
+        }
+
+        cleaned = true;
+        cleanup();
+    };
+}
+
 // --- UTILS ---
 
 function showBanner() {
@@ -184,6 +235,23 @@ function resolveSelectedService(serviceValue) {
     throw new Error(`Unknown service "${serviceValue}". Supported values: ${supported}.`);
 }
 
+function getRequiredOptionValue(argv, index, optionName) {
+    const value = argv[index + 1];
+    if (!value || value.startsWith('--')) {
+        throw new Error(`${optionName} requires a value.`);
+    }
+
+    return value;
+}
+
+function getRequiredInlineOptionValue(value, optionName) {
+    if (!value) {
+        throw new Error(`${optionName} requires a value.`);
+    }
+
+    return value;
+}
+
 function parseWrapperArgs(argv) {
     const parsed = {
         authAction: 'status',
@@ -201,6 +269,11 @@ function parseWrapperArgs(argv) {
     for (let index = 0; index < argv.length; index += 1) {
         const arg = argv[index];
 
+        if (arg === '--') {
+            parsed.claudeArgs.push(...argv.slice(index + 1));
+            break;
+        }
+
         if ((arg === 'doctor' || arg === 'auth') && parsed.command === null && parsed.claudeArgs.length === 0) {
             parsed.command = arg;
             if (arg === 'auth') {
@@ -224,24 +297,24 @@ function parseWrapperArgs(argv) {
         }
 
         if (arg === '--strategy') {
-            parsed.strategy = normalizeStrategyValue(argv[index + 1]);
+            parsed.strategy = normalizeStrategyValue(getRequiredOptionValue(argv, index, '--strategy'));
             index += 1;
             continue;
         }
 
         if (arg === '--service') {
-            parsed.service = normalizeServiceValue(argv[index + 1]);
+            parsed.service = normalizeServiceValue(getRequiredOptionValue(argv, index, '--service'));
             index += 1;
             continue;
         }
 
         if (arg.startsWith('--strategy=')) {
-            parsed.strategy = normalizeStrategyValue(arg.slice('--strategy='.length));
+            parsed.strategy = normalizeStrategyValue(getRequiredInlineOptionValue(arg.slice('--strategy='.length), '--strategy'));
             continue;
         }
 
         if (arg.startsWith('--service=')) {
-            parsed.service = normalizeServiceValue(arg.slice('--service='.length));
+            parsed.service = normalizeServiceValue(getRequiredInlineOptionValue(arg.slice('--service='.length), '--service'));
             continue;
         }
 
@@ -255,7 +328,7 @@ function parseWrapperArgs(argv) {
             continue;
         }
 
-        if (arg === '--scionos-debug') {
+        if (arg === '--scionos-debug' || arg === '--scionos') {
             parsed.debug = true;
             continue;
         }
@@ -562,15 +635,12 @@ async function runDoctor(serviceConfig) {
     showStatus('Env token', getEnvironmentToken() ? 'ok' : 'warn', getEnvironmentToken() ? 'available' : 'not set');
     console.log('');
 
-    const envToken = getEnvironmentToken();
-    const candidate = envToken
-        ? { token: envToken, source: 'environment' }
-        : { token: null, source: storedStatus.stored ? 'secure-store' : 'none' };
+    const candidate = getAvailableTokenCandidate(serviceConfig.value);
     let validation = null;
 
     if (!candidate.token) {
-        showStatus(`${serviceConfig.tokenPromptLabel} auth`, 'warn', storedStatus.stored
-            ? 'Skipped: stored token available but not validated during doctor on Windows'
+        showStatus(`${serviceConfig.tokenPromptLabel} auth`, 'warn', candidate.source === 'secure-store-error'
+            ? 'Skipped: stored token is present but could not be read'
             : 'Skipped: no environment or stored token available');
     } else {
         validation = await validateToken(candidate.token, {
@@ -714,6 +784,9 @@ async function main() {
         proxyServer = proxyInfo.server;
         finalBaseUrl = proxyInfo.url; // e.g. http://127.0.0.1:54321
         if (interactive && isDebug) console.log(chalk.gray(`✓ Proxy listening on ${finalBaseUrl}`));
+        if (interactive && isDebug && !proxyInfo.authenticated) {
+            console.log(chalk.yellow('WARN Proxy authentication is not enabled because Claude Code header injection is not verified; binding remains limited to 127.0.0.1.'));
+        }
     }
 
     const env = {
@@ -737,19 +810,19 @@ async function main() {
     const child = spawn(claudeStatus.cliPath, parsed.claudeArgs, {
         stdio: 'inherit',
         env: env,
-        shell: process.platform === 'win32'
+        shell: shouldSpawnWithShell(claudeStatus.cliPath)
     });
 
-    const cleanup = () => {
+    const cleanup = createCleanupOnce(() => {
         if (proxyServer) {
             if (interactive && isDebug) console.log(chalk.gray('\nStopping proxy server...'));
             proxyServer.close();
         }
-    };
+    });
 
-    child.on('exit', (code) => {
+    child.on('exit', (code, signal) => {
         cleanup();
-        process.exit(code ?? 0);
+        process.exit(resolveProcessExitCode(code, signal));
     });
 
     child.on('error', (err) => {
@@ -772,7 +845,7 @@ async function main() {
     process.on('SIGTERM', () => {
         if (child) child.kill('SIGTERM');
         cleanup();
-        process.exit(0);
+        process.exit(resolveProcessExitCode(null, 'SIGTERM'));
     });
 }
 
@@ -787,9 +860,13 @@ if (isEntrypoint) {
 
 export {
     canProceedWithValidation,
+    createCleanupOnce,
     installClaudeCode,
     main,
     normalizeEntrypointPath,
+    parseWrapperArgs,
+    resolveProcessExitCode,
     resolveLaunchToken,
+    shouldSpawnWithShell,
     validateToken
 };

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "claude-scionos",
-    "version": "4.4.0",
+    "version": "4.5.0",
     "description": "RouterLab launcher, strategy proxy and secure token wrapper for Claude Code CLI",
     "type": "module",
     "main": "index.js",
@@ -47,8 +47,8 @@
     },
     "devDependencies": {
         "@eslint/js": "^10.0.1",
-        "eslint": "^10.2.1",
-        "globals": "^17.5.0",
+        "eslint": "^10.3.0",
+        "globals": "^17.6.0",
         "vitest": "^4.1.5"
     }
 }

package/src/proxy.js

@@ -17,6 +17,8 @@ const HOP_BY_HOP_HEADERS = new Set([
 ]);
 const PROXY_AUTH_HEADER = 'x-scionos-proxy-secret';
 const MESSAGES_PATH = '/v1/messages';
+const COUNT_TOKENS_PATH = '/v1/messages/count_tokens';
+const MODELS_PATH = '/v1/models';
 const REASONING_CONTENT_BLOCK_TYPES = new Set(['thinking', 'redacted_thinking']);
 const REASONING_DELTA_TYPES = new Set(['thinking_delta', 'signature_delta']);
 
@@ -231,14 +233,18 @@ function resolveMappedModel(targetModel, requestedModel = '', availableModels =
   return 'aws-claude-sonnet-4-6';
 }
 
-function writeJsonError(res, statusCode, payload) {
-  if (res.headersSent) {
-    return;
-  }
-
-  res.writeHead(statusCode);
-  res.end(JSON.stringify(payload));
-}
+function writeJsonError(res, statusCode, payload) {
+  if (res.headersSent) {
+    return;
+  }
+
+  const body = JSON.stringify(payload);
+  res.writeHead(statusCode, {
+    'content-type': 'application/json; charset=utf-8',
+    'content-length': String(Buffer.byteLength(body)),
+  });
+  res.end(body);
+}
 
 function getRequestPath(req) {
   return new URL(req.url, 'http://127.0.0.1').pathname;
@@ -252,9 +258,13 @@ function isAuthorizedProxyRequest(req, proxySecret) {
   return req.headers[PROXY_AUTH_HEADER] === proxySecret;
 }
 
-function isAllowedProxyRoute(req) {
-  return req.method === 'POST' && getRequestPath(req) === MESSAGES_PATH;
-}
+function isAllowedProxyRoute(req) {
+  const path = getRequestPath(req);
+  return (
+    (req.method === 'POST' && (path === MESSAGES_PATH || path === COUNT_TOKENS_PATH))
+    || (req.method === 'GET' && path === MODELS_PATH)
+  );
+}
 
 async function handleMessageRequest(req, res, options) {
   const {availableModels = [], baseUrl, debug, onDebug, onError, targetModel, validToken} = options;
@@ -607,7 +617,7 @@ function startProxyServer(targetModel, validToken, options = {}) {
   } = options;
 
   return new Promise((resolve, reject) => {
-    const server = http.createServer((req, res) => {
+    const server = http.createServer((req, res) => {
       if (!isAuthorizedProxyRequest(req, proxySecret)) {
         writeJsonError(res, 403, {error: {message: 'Forbidden'}});
         return;
@@ -618,21 +628,33 @@ function startProxyServer(targetModel, validToken, options = {}) {
         return;
       }
 
-      handleMessageRequest(req, res, {
-        availableModels,
-        baseUrl,
-        debug,
-        onDebug,
-        onError,
-        targetModel,
-        validToken,
-      });
+      if (req.method === 'GET' && getRequestPath(req) === MODELS_PATH) {
+        forwardRequest(req, res, {
+          baseUrl,
+          debug,
+          onDebug,
+          onError,
+          timeout: 30000,
+          validToken,
+        });
+        return;
+      }
+
+      handleMessageRequest(req, res, {
+        availableModels,
+        baseUrl,
+        debug,
+        onDebug,
+        onError,
+        targetModel,
+        validToken,
+      });
     });
 
-    server.listen(0, '127.0.0.1', () => {
-      const address = server.address();
-      resolve({server, url: `http://127.0.0.1:${address.port}`});
-    });
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      resolve({server, url: `http://127.0.0.1:${address.port}`, authenticated: Boolean(proxySecret)});
+    });
 
     server.on('error', (error) => reject(error));
   });
@@ -640,6 +662,8 @@ function startProxyServer(targetModel, validToken, options = {}) {
 
 export {
   buildProxyRequestOptions,
+  isAuthorizedProxyRequest,
+  isAllowedProxyRoute,
   normalizeProxyHeaders,
   PROXY_AUTH_HEADER,
   resolveMappedModel,

package/src/routerlab.js

@@ -15,7 +15,7 @@ const SERVICES = {
     secureStorageAccount: 'routerlab-token',
     secureStorageLabel: 'RouterLab Token',
     secureStorageFileName: 'routerlab-token.secure.txt',
-    strategyValues: ['default', 'aws', 'claude-gpt', 'claude-minimax-m2.7', 'claude-glm-5.1'],
+    strategyValues: ['default', 'aws', 'claude-gpt', 'claude-kimi-k2.6', 'claude-minimax-m2.7', 'claude-glm-5.1'],
   },
   llm: {
     value: 'llm',
@@ -28,7 +28,7 @@ const SERVICES = {
     secureStorageAccount: 'routerlab-llm-token',
     secureStorageLabel: 'RouterLab LLM Token',
     secureStorageFileName: 'routerlab-llm-token.secure.txt',
-    strategyValues: ['claude', 'claude-gpt', 'claude-gpt-special', 'deepseek-v4-beta'],
+    strategyValues: ['claude', 'claude-gpt', 'claude-gpt-special', 'deepseek-v4-beta', 'claude-minimax-m2.7'],
   },
 };
 const DEFAULT_SERVICE = 'routerlab';
@@ -125,6 +125,13 @@ const STRATEGIES = [
     selectionDescription: 'Forces all requests to claude-qwen3.6-plus.',
     mappedModels: ['claude-qwen3.6-plus'],
   },
+  {
+    value: 'claude-kimi-k2.6',
+    name: 'Kimi K2.6',
+    description: 'Forces all requests to claude-kimi-k2.6.',
+    selectionDescription: 'Forces all requests to claude-kimi-k2.6.',
+    mappedModels: ['claude-kimi-k2.6'],
+  },
   {
     value: 'claude-minimax-m2.7',
     name: 'MiniMax M2.7',
@@ -149,9 +156,10 @@ async function fetchModels(apiKey, options = {}) {
     timeoutMs = 30000,
   } = options;
 
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+
   try {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
     const response = await fetch(`${baseUrl}/v1/models`, {
       method: 'GET',
       headers: {
@@ -160,19 +168,33 @@ async function fetchModels(apiKey, options = {}) {
       },
       signal: controller.signal,
     });
-    clearTimeout(timeoutId);
 
     if (response.ok) {
-      let payload = null;
+      let payload;
       try {
         payload = await response.json();
       } catch {
-        payload = null;
+        return {
+          valid: false,
+          reason: 'invalid_response',
+          message: 'Model list response is not valid JSON',
+        };
+      }
+
+      const models = extractModelIds(payload);
+      if (models.length === 0) {
+        return {
+          valid: false,
+          reason: 'models_unavailable',
+          message: 'Model list response did not include any model ids',
+          models,
+        };
       }
 
       return {
         valid: true,
-        models: payload ? extractModelIds(payload) : null,
+        models,
+        modelsVerified: true,
       };
     }
 
@@ -193,6 +215,8 @@ async function fetchModels(apiKey, options = {}) {
     }
 
     return {valid: false, reason: 'network_error', message: error.message};
+  } finally {
+    clearTimeout(timeoutId);
   }
 }
 
@@ -271,10 +295,6 @@ function hasNonEmptyWindowsTokenFile(tokenFile) {
   }
 }
 
-function encodeTokenForPowerShell(token) {
-  return Buffer.from(token, 'utf8').toString('base64');
-}
-
 function getServiceStrategies(serviceValue = DEFAULT_SERVICE) {
   const service = getServiceConfig(serviceValue);
   if (!service?.strategyValues?.length) {
@@ -532,6 +552,21 @@ function runCommand(command, args, options = {}) {
   return result;
 }
 
+function storeMacOSToken(service, token) {
+  // `security add-generic-password` requires `-w` for non-interactive writes.
+  // Keep this branch isolated so a safer native macOS path can replace it later.
+  return runCommand('security', [
+    'add-generic-password',
+    '-U',
+    '-a',
+    service.secureStorageAccount,
+    '-s',
+    SECURE_STORAGE_SERVICE,
+    '-w',
+    token,
+  ]);
+}
+
 function storeToken(token, serviceValue = DEFAULT_SERVICE) {
   const service = getServiceConfig(serviceValue);
   if (!service) {
@@ -545,10 +580,10 @@ function storeToken(token, serviceValue = DEFAULT_SERVICE) {
 
   if (process.platform === 'win32') {
     const tokenFile = getWindowsTokenFile(service.value);
-    const encodedToken = encodeTokenForPowerShell(token);
     fs.mkdirSync(path.dirname(tokenFile), {recursive: true});
     const encrypted = runPowerShell(
-      `$token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('${encodedToken}')); if ([string]::IsNullOrEmpty($token)) { throw "Token input is empty" }; $secure = ConvertTo-SecureString $token -AsPlainText -Force; ConvertFrom-SecureString $secure`,
+      '$token = [Console]::In.ReadToEnd(); if ([string]::IsNullOrEmpty($token)) { throw "Token input is empty" }; $secure = ConvertTo-SecureString $token -AsPlainText -Force; ConvertFrom-SecureString $secure',
+      {input: token},
     );
     fs.writeFileSync(tokenFile, encrypted, 'utf8');
 
@@ -560,16 +595,7 @@ function storeToken(token, serviceValue = DEFAULT_SERVICE) {
   }
 
   if (process.platform === 'darwin') {
-    const result = runCommand('security', [
-      'add-generic-password',
-      '-U',
-      '-a',
-      service.secureStorageAccount,
-      '-s',
-      SECURE_STORAGE_SERVICE,
-      '-w',
-      token,
-    ]);
+    const result = storeMacOSToken(service, token);
 
     if (result.status !== 0) {
       throw new Error((result.stderr || result.stdout || 'Unable to store token in Keychain').trim());
@@ -622,9 +648,9 @@ function getStoredToken(serviceValue = DEFAULT_SERVICE) {
       return null;
     }
 
-    const encodedEncrypted = encodeTokenForPowerShell(encrypted);
     const token = runPowerShell(
-      `$secure = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('${encodedEncrypted}')) | ConvertTo-SecureString; $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure); try { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) } finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }`,
+      '$encrypted = [Console]::In.ReadToEnd(); if ([string]::IsNullOrWhiteSpace($encrypted)) { throw "Encrypted token input is empty" }; $secure = $encrypted | ConvertTo-SecureString; $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure); try { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) } finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }',
+      {input: encrypted},
     );
     return token || null;
   }