🛡️ Sentinel: [CRITICAL] Fix insecure random string generation

[thirdeyenation]

🚨 Severity: CRITICAL
💡 Vulnerability: The application was using Python's standard random.choices() to generate sensitive data, including the root SSH password (prepare.py) and internal system identifiers (agent.py, helpers/guids.py). The random module uses the Mersenne Twister, a non-cryptographic PRNG that is deterministic and predictable.
🎯 Impact: An attacker who observes enough output from the standard random number generator can predict future outputs. This allows for the compromise of system identifiers and, critically, predicting the generated root SSH password if left at its default, leading to full system compromise.
🔧 Fix: Replaced import random with import secrets across the affected files. Updated the generation logic to use the cryptographically secure pseudo-random number generator (CSPRNG) via secrets.choice(), implemented safely within a generator comprehension since secrets lacks the k argument present in random.choices().
✅ Verification: The updated code was verified syntactically via py_compile. Test suites were run to ensure existing functionality remains intact. The secrets module securely pulls entropy from the operating system's PRNG (e.g., /dev/urandom).

---

PR created automatically by Jules for task 2079809029579754820 started by @thirdeyenation

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.