The handler is designed to refresh one session token. It accepts any environment variable.

To be clear: this is not a critical vulnerability. It is defense in depth.

Demo: https://asciinema.org/a/WRG8NjV5MjLcFxbh PoC: `npx claude-code-audited`