fix(security): use crypto/rand for session-ID suffix

Semgrep flagged math/rand for the /tmp artifact-directory session-ID
generation. Modern Go (1.20+) auto-seeds the global math/rand source
so this wasn't exploitable in practice, but crypto/rand is the
idiomatic choice for any security-adjacent identifier and removes the
finding from future security audits.

Drops the mrand alias entirely; reads 8 random bytes once and masks
to 24 bits to preserve the existing %06x suffix format.
2026-05-24 16:22:50 +02:00
parent 001865f069
commit 847cd5fe0c
+8 -3
@@ -2,13 +2,14 @@ package main
import (
"context"
"crypto/rand"
"encoding/binary"
"encoding/json"
"errors"
"flag"
"fmt"
"io"
"log/slog"
mrand "math/rand"
"os"
"os/signal"
"path/filepath"
@@ -656,10 +657,14 @@ func main() {
}
permChecker := permission.NewChecker(permission.Mode(*permMode), permRules, pipePromptFn)
// Generate session-scoped ID for /tmp artifact directory
// Generate session-scoped ID for /tmp artifact directory.
// Use crypto/rand so the suffix isn't predictable even if a future
// caller seeds math/rand deterministically (e.g., in tests).
var randBuf [8]byte
_, _ = rand.Read(randBuf[:])
sessionID := fmt.Sprintf("%s-%06x",
time.Now().Format("20060102-150405"),
mrand.Int63()&0xffffff,
binary.BigEndian.Uint64(randBuf[:])&0xffffff,
)
// Pass the firewall's incognito mode so Save no-ops while incognito
// is active. Mode is consulted on every Save (dynamic), so TUI