Produce a cryptographically-secure, hex-encoded 256-bit session id.
McpException (internalError) when no OS CSPRNG can be read. There is deliberately no non-cryptographic fallback, so this is a fallible path; callers must handle the throw.
Produce a cryptographically-secure, hex-encoded 256-bit session id.