infra: harden identifier entropy and delay jitter (#57744)

* infra: harden identifier entropy and delay jitter

* test: make randomness hardening deterministic in CI

ui/src/ui/uuid.test.ts

@@ -31,8 +31,7 @@ describe("generateUUID", () => {
   it("still returns a v4 UUID when crypto is missing", () => {
     const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
     try {
-      const id = generateUUID(null);
-      expect(id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/);
+      expect(() => generateUUID(null)).toThrow("Web Crypto is required for UUID generation");
       expect(warnSpy).toHaveBeenCalled();
     } finally {
       warnSpy.mockRestore();

ui/src/ui/uuid.ts

@@ -20,25 +20,12 @@ function uuidFromBytes(bytes: Uint8Array): string {
   )}-${hex.slice(20)}`;
 }
 
-function weakRandomBytes(): Uint8Array {
-  const bytes = new Uint8Array(16);
-  const now = Date.now();
-  for (let i = 0; i < bytes.length; i++) {
-    bytes[i] = Math.floor(Math.random() * 256);
-  }
-  bytes[0] ^= now & 0xff;
-  bytes[1] ^= (now >>> 8) & 0xff;
-  bytes[2] ^= (now >>> 16) & 0xff;
-  bytes[3] ^= (now >>> 24) & 0xff;
-  return bytes;
-}
-
 function warnWeakCryptoOnce() {
   if (warnedWeakCrypto) {
     return;
   }
   warnedWeakCrypto = true;
-  console.warn("[uuid] crypto API missing; falling back to weak randomness");
+  console.warn("[uuid] crypto API missing; refusing insecure UUID generation");
 }
 
 export function generateUUID(cryptoLike: CryptoLike | null = globalThis.crypto): string {
@@ -53,5 +40,5 @@ export function generateUUID(cryptoLike: CryptoLike | null = globalThis.crypto):
   }
 
   warnWeakCryptoOnce();
-  return uuidFromBytes(weakRandomBytes());
+  throw new Error("Web Crypto is required for UUID generation");
 }