Implementation of the OTP request action.
Looks up the user via the configured lookup_action_name, generates an OTP
code, stores an internal JWT keyed by a deterministic JTI, and dispatches the
code via the configured sender. Always returns :ok so user enumeration is
not possible from the response. The audit-log status override is set so that
failed lookups (and senders) are recorded as :failure.