fix: add min length and even length check for hex detection

Prevents false positives where short hex-like strings (e.g. "face")
would be incorrectly decoded as hex-encoded credentials.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: say8425

src/usage/token.ts

@@ -7,7 +7,12 @@ export function parseCredentialString(raw: string): string | null {
 	if (text.length === 0) return null;
 
 	// macOS security -w outputs hex when password has non-printable chars
-	if (/^[0-9a-fA-F]+$/.test(text) && text.length > 0) {
+	// Require even length and min length to avoid false positives (e.g. "face")
+	if (
+		text.length > 10 &&
+		text.length % 2 === 0 &&
+		/^[0-9a-fA-F]+$/.test(text)
+	) {
 		text = Buffer.from(text, "hex").toString("utf-8");
 	}