feat(alknet-secret): make DerivedKey zeroize-on-drop, non-Clone, with redacted serialization

Per ADR-038, DerivedKey.private_key now derives Zeroize with #[zeroize(drop)]
ensuring sensitive key material is zeroized before deallocation. DerivedKey
is now move-only (no Clone), and JSON/debug output redacts private_key as
"[REDACTED]". Deserialization still works for postcard/irpc wire format.

Also fixes clippy needless_borrows_for_generic_args in encryption.rs and
applies cargo fmt to existing code.

crates/alknet-secret/tests/derivation_tests.rs

@@ -22,13 +22,8 @@ fn test_encryption_key_derivation() {
     let service = SecretServiceHandle::new();
     service.unlock_new(24).unwrap();
 
-    let key = service
-        .derive_encryption_key(PATHS::ENCRYPTION)
-        .unwrap();
-    assert_eq!(
-        key.key_type,
-        alknet_secret::protocol::KeyType::Aes256Gcm
-    );
+    let key = service.derive_encryption_key(PATHS::ENCRYPTION).unwrap();
+    assert_eq!(key.key_type, alknet_secret::protocol::KeyType::Aes256Gcm);
 }
 
 #[test]
@@ -59,4 +54,4 @@ fn test_different_paths_different_keys() {
 
     assert_ne!(identity_key.private_key, ssh_key.private_key);
     assert_ne!(identity_key.public_key, ssh_key.public_key);
-}
+}