feat(alknet-secret): make DerivedKey zeroize-on-drop, non-Clone, with redacted serialization

Per ADR-038, DerivedKey.private_key now derives Zeroize with #[zeroize(drop)]
ensuring sensitive key material is zeroized before deallocation. DerivedKey
is now move-only (no Clone), and JSON/debug output redacts private_key as
"[REDACTED]". Deserialization still works for postcard/irpc wire format.

Also fixes clippy needless_borrows_for_generic_args in encryption.rs and
applies cargo fmt to existing code.

crates/alknet-secret/Cargo.toml

@@ -30,4 +30,5 @@ irpc-derive = { workspace = true }
 secp256k1 = { version = "0.29", optional = true }
 
 [dev-dependencies]
-hex = "0.4"
+hex = "0.4"
+postcard = { version = "1", features = ["alloc"] }