vault: spec-conformance fixes from review (task: vault/review-vault-sync)

Review of vault crate against all architecture specs. Fixed 5 deviations:
1. EncryptionKey: removed Clone (now move-only per spec), added redacting Debug
2. EncryptionKey::new made private (cfg(test)), added pub(crate) key_bytes()
3. encrypt/decrypt made pub(crate) per encryption.md, low-level crypto tests
   moved from integration to unit tests
4. CachedKey refactored to wrap DerivedKey with cached_at/last_accessed fields
   per service.md, with key_type()/private_key()/public_key() accessors
5. Mnemonic::to_seed() unwrap() eliminated by storing validated Bip39Mnemonic
   (enabled bip39 zeroize feature for proper zeroization)

All 10 drift items verified resolved. 105 tests pass; clippy clean.

Refs: docs/architecture/crates/vault/README.md (review checklist)
2026-06-23 14:09:36 +00:00
7 changed files with 172 additions and 103 deletions

Cargo.lock generated

@@ -333,6 +333,7 @@ dependencies = [
"rand_core 0.6.4",
"serde",
"unicode-normalization",
"zeroize",
]
[[package]]
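
Review bot: The added "zeroize" entry in this dependency list shows only that the crate is now linked in. It does not show that the stored Bip39Mnemonic from item 5 is actually wiped when the Mnemonic wrapper is dropped. Please confirm in the wrapper that the field is zeroized on drop (relying on the dependency's own drop behaviour under this feature, or an explicit Drop impl) and that to_seed() does not leave an un-zeroized copy of the seed behind. Since Cargo.lock is generated, the feature should also be visible as an explicit features = [...] change in the vault crate's Cargo.toml in this same commit, so the lockfile line is not the only record of it.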