From a84dacd2baf7da5a50450717eeb4752613d95902 Mon Sep 17 00:00:00 2001
From: Hunter Miller <hunter@hmiller.dev>
Date: Mon, 23 Feb 2026 09:43:31 -0600
Subject: [PATCH] fix(tlon): use crypto.randomUUID instead of Math.random for
 channel ID

Fixes security test failure - Math.random is flagged as weak randomness.
---
 extensions/tlon/src/channel.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/extensions/tlon/src/channel.ts b/extensions/tlon/src/channel.ts
index 6b7dd5cc4cb..9791c3ac675 100644
--- a/extensions/tlon/src/channel.ts
+++ b/extensions/tlon/src/channel.ts
@@ -1,3 +1,4 @@
+import crypto from "node:crypto";
 import { configureClient } from "@tloncorp/api";
 import type {
   ChannelOutboundAdapter,
@@ -37,7 +38,7 @@ async function createHttpPokeApi(params: {
 }) {
   const ssrfPolicy = ssrfPolicyFromAllowPrivateNetwork(params.allowPrivateNetwork);
   const cookie = await authenticate(params.url, params.code, { ssrfPolicy });
-  const channelId = `${Math.floor(Date.now() / 1000)}-${Math.random().toString(36).substring(2, 8)}`;
+  const channelId = `${Math.floor(Date.now() / 1000)}-${crypto.randomUUID()}`;
   const channelUrl = `${params.url}/~/channel/${channelId}`;
   const shipName = params.ship.replace(/^~/, "");