v1.5.0 - built-in attacker replay (option 9)
Option 9 - Attacker replay: paste a stolen token and the exe calls Key Vault with it as a plain bearer (no binding cert). Decodes the token to show whether it is bound (cnf claim), then: 200 = EXFILTRATED (bearer accepted), 401 = BLOCKED (bound token rejected), 403 = RBAC. No separate tool needed - run the same exe on the attacker VM.