pub fn secure_hex(bytes: usize) -> String
OS-RNG hex, safe for bearer credentials.
Every byte comes from the OS random source (getrandom) on every call —
unpredictable across calls and across process restarts, unlike
uid_hex. Use this whenever the value itself is the secret: the
CapToken nonce (its server-side lookup key and part of the signed
material) and worker/session bearer handles.
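
A sketch of issuing and resolving the kind of bearer handle this function is meant for, added here as an example and not taken from the crate. `secure_hex_standin`, `Sessions` and the worker ids are hypothetical; the stand-in reads `/dev/urandom` (Unix-only) so the block builds with the standard library alone, whereas the documented function uses getrandom.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

/// Stand-in for `secure_hex` (assumption: same signature, but reads
/// /dev/urandom directly). Panics instead of falling back to a weaker source.
fn secure_hex_standin(bytes: usize) -> String {
    let mut buf = vec![0u8; bytes];
    File::open("/dev/urandom")
        .and_then(|mut f| f.read_exact(&mut buf))
        .expect("OS random source unavailable");
    buf.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Hypothetical server-side table: bearer handle -> worker id.
struct Sessions {
    by_handle: HashMap<String, u32>,
}

impl Sessions {
    fn new() -> Self {
        Sessions { by_handle: HashMap::new() }
    }

    /// Issue a fresh 128-bit handle; the handle itself is the secret.
    fn issue(&mut self, worker: u32) -> String {
        let handle = secure_hex_standin(16); // 16 bytes -> 32 hex chars
        self.by_handle.insert(handle.clone(), worker);
        handle
    }

    /// Resolve a presented handle; malformed input is rejected before lookup.
    fn resolve(&self, presented: &str) -> Option<u32> {
        let well_formed = presented.len() == 32
            && presented.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'));
        if !well_formed {
            return None;
        }
        self.by_handle.get(presented).copied()
    }

    /// Revoke on logout or worker exit so a leaked handle stops working.
    fn revoke(&mut self, handle: &str) -> bool {
        self.by_handle.remove(handle).is_some()
    }
}
```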