tryEncryptWithinAuthWindow
Attempts to obtain a Cipher initialized for encryption with the master key WITHOUT showing a BiometricPrompt. Returns a fresh, unused Cipher when the auth-validity window is open; null when expired or anything else goes wrong, in which case the caller should fall back to authenticateForEncrypt.
Implementation: probes the window with a throwaway cipher (a 1-byte doFinal that forces Keystore's auth check), then on success returns a separate cipher for the caller's actual encrypt. The throwaway is necessary because GCM ciphers commit to a fixed IV at init() time — reusing the probe cipher would be a nonce-reuse vulnerability.
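A sketch of the probe-then-fresh-cipher pattern described above, added here as an illustration and not the project's own implementation. It assumes an AES/GCM master key with a time-bound authentication requirement stored in AndroidKeyStore; the alias `master_key` and the helper `newEncryptCipher` are hypothetical names.

```kotlin
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.UserNotAuthenticatedException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.SecretKey

private const val KEY_ALIAS = "master_key"   // hypothetical alias, not from the page
private const val TRANSFORMATION = "AES/GCM/NoPadding"

// Hypothetical helper. No IV is passed in, so the provider generates a
// fresh random IV on every init() call.
private fun newEncryptCipher(key: SecretKey): Cipher =
    Cipher.getInstance(TRANSFORMATION).apply { init(Cipher.ENCRYPT_MODE, key) }

fun tryEncryptWithinAuthWindow(): Cipher? {
    return try {
        val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        val key = keyStore.getKey(KEY_ALIAS, null) as? SecretKey ?: return null

        // Probe: init() or the 1-byte doFinal() fails if the auth-validity
        // window has expired. The output is discarded, and this cipher
        // (with its IV) is never touched again.
        newEncryptCipher(key).doFinal(ByteArray(1))

        // Window is open: return a separate, unused cipher with its own IV.
        newEncryptCipher(key)
    } catch (e: UserNotAuthenticatedException) {
        null   // window expired: caller falls back to authenticateForEncrypt
    } catch (e: KeyPermanentlyInvalidatedException) {
        null   // key can no longer be used at all
    } catch (e: Exception) {
        null   // "anything else goes wrong", including auth failures that
               // surface wrapped in another exception from doFinal()
    }
}
```

The caller should persist `cipher.iv` alongside the ciphertext, since the IV is chosen by the provider. The window can still close between this call and the caller's own `doFinal`, so that call needs the same fallback handling.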