fix: 避免绑定令牌重复

[he0119]

变更内容

• 将绑定令牌生成从 random.randint 切换为 secrets.randbelow。
• 生成绑定令牌时跳过仍在有效期内的已有 token，避免碰撞时覆盖旧绑定上下文。
• 为重复 token 场景补充测试，并在测试夹具中清理全局 token 缓存，避免用例之间互相影响。
• 在 CHANGELOG.md 的 Unreleased 中记录本次修复。

影响范围

• 用户侧 /bind 流程和 6 位数字令牌格式不变。
• 令牌碰撞时会重新生成，避免旧 token 被新绑定流程覆盖。
• 极端情况下连续生成重复 token 会抛出明确错误，避免无限循环。

验证

• uv run ruff check
• uv run ruff format --check
• uv run pytest tests/test_bind_private.py tests/test_bind_group.py

备注：AGENTS.md 编码指南已经在当前分支基线中，包含 nb orm CLI 迁移约定。

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (79cf94f) to head (7105daf).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #191   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            7         7           
  Lines          238       242    +4     
=========================================
+ Hits           238       242    +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.