fix(battle-node): clarify NodeCrypto.GenerateKey contract + add fixed-vector regression test

Replace inaccurate GenerateKey docstring (it claimed to port Cryptographer.generateKeyString
directly but the input shape differs: server uses one hex digit per call, client uses
Random.Next(0,65535) per call). New doc is honest about the difference and explains why
it's safe. Add EncryptForNode_FixedVector_ProducesStableOutput: a pinned AES-CBC vector
that catches encoding/IV/padding regressions that would slip past the roundtrip test.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

SVSim.BattleNode/Wire/NodeCrypto.cs

@@ -11,9 +11,19 @@ namespace SVSim.BattleNode.Wire;
 public static class NodeCrypto
 {
     /// <summary>
-    /// Generate a fresh 32-char key. 32 random hex digits, base64-encoded, truncated to 32 chars.
-    /// Port of Cryptographer.generateKeyString.
+    /// Generate a fresh 32-char key for server-initiated encryption.
+    /// Calls <paramref name="randHexDigit"/> 32 times expecting a value in [0,15],
+    /// formats each as a single hex char, then base64-encodes the resulting 32-char ASCII
+    /// string and truncates to 32 chars.
     /// </summary>
+    /// <remarks>
+    /// Differs from the client's <c>Cryptographer.generateKeyString</c> in input shape:
+    /// the client uses <c>Random.Next(0, 65535).ToString("x")</c> per iteration (1–4 hex
+    /// chars each). The output distribution is therefore different, but both produce a
+    /// valid 32-char UTF-8 AES-256 key — and the client never validates the server's key
+    /// since the server is decrypt-only in practice. Server-initiated encryption (e.g.
+    /// for <c>synchronize</c> pushes) uses this method.
+    /// </remarks>
     public static string GenerateKey(Func<int> randHexDigit)
     {
         var sb = new StringBuilder(32);