SEC Codebase Flaw: simulate_coinflip Function Still Uses Predictable Mersenne Twister for Secret Bytes
A critical inconsistency in the SEC's codebase leaves a simulation function generating predictable secret data. While a previous fix patched the `simulate_dice` function to use a cryptographically secure random number generator, the `simulate_coinflip` function remains vulnerable, still relying on Python's predictable Mersenne Twister pseudorandom number generator (PRNG) to produce its secret bytes. This creates a hidden flaw in the testing environment that could undermine security analysis.
The issue, documented in a GitHub report, points to line 255 in `backend/rng_module.py`. The `simulate_coinflip` function currently uses `random.getrandbits(64).to_bytes(8, 'big')` to generate its secret bytes, the same insecure method that was corrected in `simulate_dice` via PR #129. The fix for `simulate_dice` replaced that call with the secure `os.urandom(8)`. This inconsistency means the codebase contains two different standards for randomness in simulation functions, despite both being designed for testing secret generation.
Although `simulate_coinflip` is labeled a simulation function and is not part of the live protocol, the flaw still carries significant risk. It produces statistically weak test data that fails to mirror production behavior, potentially misleading any security review that assumes all secret generation uses a cryptographically secure pseudorandom number generator (CSPRNG). The presence of such an outdated pattern in a regulated entity's code raises questions about internal security review processes and the completeness of vulnerability patching. The proposed fix is straightforward: replace the vulnerable line in `simulate_coinflip` with the secure `os.urandom(8)` call.
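The two patterns described above, side by side, plus a small AST-based check that finds the remaining `random.*` calls in a source file so the same inconsistency can be caught before review. This is an added example written for this article; it is not code from the SEC repository or from the GitHub report. The function bodies are reconstructions of the call shapes the report quotes (`random.getrandbits(64).to_bytes(8, 'big')` and `os.urandom(8)`), `SAMPLE_SOURCE` is a constructed stand-in for `backend/rng_module.py`, and `find_insecure_random_calls` and `mt_replay_demo` are names chosen here.

```python
import ast
import os
import random

# Reconstruction of the vulnerable pattern the report quotes (not the SEC's file).
def simulate_coinflip_vulnerable() -> bytes:
    # Mersenne Twister is deterministic: anyone who knows (or recovers) the
    # generator state reproduces these "secret" bytes exactly.
    return random.getrandbits(64).to_bytes(8, "big")

# Reconstruction of the fix already applied to simulate_dice in PR #129.
def simulate_coinflip_fixed() -> bytes:
    # os.urandom reads from the operating system CSPRNG; same 8-byte output,
    # so the change is a one-line swap.
    return os.urandom(8)

def mt_replay_demo(seed: int) -> bool:
    """Show why Mersenne Twister output is not secret: two generators with the
    same state yield the same 'secret' byte sequence."""
    a, b = random.Random(seed), random.Random(seed)
    return [a.getrandbits(64) for _ in range(4)] == [b.getrandbits(64) for _ in range(4)]

class _InsecureRandomFinder(ast.NodeVisitor):
    """Record every `random.<attr>(...)` call (except random.SystemRandom, which
    is CSPRNG-backed) together with the enclosing function name and line."""

    def __init__(self) -> None:
        self.stack: list[str] = []           # enclosing function names
        self.findings: list[tuple[str, int, str]] = []

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.stack.append(node.name)
        self.generic_visit(node)
        self.stack.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "random" and f.attr != "SystemRandom"):
            where = self.stack[-1] if self.stack else "<module>"
            self.findings.append((where, node.lineno, f"random.{f.attr}"))
        self.generic_visit(node)   # keep walking: the call may be nested in another call

def find_insecure_random_calls(source: str) -> list[tuple[str, int, str]]:
    """Parse Python source and return (function, line, call) for each use of
    the stdlib `random` module. Suitable as a pre-commit or CI check on files
    that are expected to generate secrets with os.urandom or secrets."""
    finder = _InsecureRandomFinder()
    finder.visit(ast.parse(source))
    return finder.findings

# Constructed stand-in for the module the report describes: one function
# already fixed, one still on the old pattern.
SAMPLE_SOURCE = '''\
import os
import random

def simulate_dice():
    return os.urandom(8)          # fixed in PR #129

def simulate_coinflip():
    return random.getrandbits(64).to_bytes(8, "big")   # still the old pattern
'''

if __name__ == "__main__":
    for func, line, call in find_insecure_random_calls(SAMPLE_SOURCE):
        print(f"{func}:{line}: uses {call}; replace with os.urandom()")
    print("same seed, same 'secret' bytes:", mt_replay_demo(2024))
```

Run against a real tree, the check reports every function that still draws from `random` rather than `os.urandom` or the `secrets` module, which is exactly the gap between `simulate_dice` and `simulate_coinflip` described above; it deliberately ignores `random.SystemRandom`, which wraps `os.urandom`.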