pub fn generate_challenge() -> Res<[u8; 32]>
Generates a fresh random challenge nonce (server-side, DESIGN.md §5).
Returns an error if the OS random source cannot be read.