fix(security): harden channel token and id generation

Peter Steinberger
2026-02-22 10:09:55 +01:00
parent c3e13175d2
commit ae8d4a8eec
9 changed files with 81 additions and 14 deletions


@@ -1,3 +1,4 @@
import { randomUUID } from "node:crypto";
import type { LookupFn, SsrFPolicy } from "openclaw/plugin-sdk";
import { ensureUrbitChannelOpen, pokeUrbitChannel, scryUrbitPath } from "./channel-ops.js";
import { getUrbitContext, normalizeUrbitCookie } from "./context.js";
@@ -43,7 +44,7 @@ export class UrbitChannelClient {
return;
}
const channelId = `${Math.floor(Date.now() / 1000)}-${Math.random().toString(36).substring(2, 8)}`;
const channelId = `${Math.floor(Date.now() / 1000)}-${randomUUID()}`;
this.channelId = channelId;
try {
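Review bot: The new `const channelId = ...` line has no comment saying why the random part must come from `node:crypto`, and the same template is repeated in the UrbitSSEClient constructor and its reconnect path in the next file, so a later edit to one site could quietly bring `Math.random()` back. A one-line comment would record the intent, for example `// Random part must come from node:crypto; Math.random() output is predictable.` The SSE client places this id in the `/~/channel/<id>` URL, and this client presumably does the same, so the id should be treated as guessable-if-weak and kept out of verbose logs. Unless the files not shown here already provide one, a single helper returning `${Math.floor(Date.now() / 1000)}-${randomUUID()}` would keep all three sites in step. The enclosing method starts and ends outside the hunk.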


@@ -1,3 +1,4 @@
import { randomUUID } from "node:crypto";
import { Readable } from "node:stream";
import type { LookupFn, SsrFPolicy } from "openclaw/plugin-sdk";
import { ensureUrbitChannelOpen, pokeUrbitChannel, scryUrbitPath } from "./channel-ops.js";
@@ -59,7 +60,7 @@ export class UrbitSSEClient {
this.url = ctx.baseUrl;
this.cookie = normalizeUrbitCookie(cookie);
this.ship = ctx.ship;
this.channelId = `${Math.floor(Date.now() / 1000)}-${Math.random().toString(36).substring(2, 8)}`;
this.channelId = `${Math.floor(Date.now() / 1000)}-${randomUUID()}`;
this.channelUrl = new URL(`/~/channel/${this.channelId}`, this.url).toString();
this.onReconnect = options.onReconnect ?? null;
this.autoReconnect = options.autoReconnect !== false;
@@ -343,7 +344,7 @@ export class UrbitSSEClient {
await new Promise((resolve) => setTimeout(resolve, delay));
try {
this.channelId = `${Math.floor(Date.now() / 1000)}-${Math.random().toString(36).substring(2, 8)}`;
this.channelId = `${Math.floor(Date.now() / 1000)}-${randomUUID()}`;
this.channelUrl = new URL(`/~/channel/${this.channelId}`, this.url).toString();
if (this.onReconnect) {