feat(alknet-secret): make DerivedKey zeroize-on-drop, non-Clone, with redacted serialization

Per ADR-038, DerivedKey.private_key now derives Zeroize with #[zeroize(drop)]
ensuring sensitive key material is zeroized before deallocation. DerivedKey
is now move-only (no Clone), and JSON/debug output redacts private_key as
"[REDACTED]". Deserialization still works for postcard/irpc wire format.

Also fixes clippy needless_borrows_for_generic_args in encryption.rs and
applies cargo fmt to existing code.

crates/alknet-secret/tests/encryption_tests.rs

@@ -55,4 +55,4 @@ fn test_encrypted_data_serialization() {
     let deserialized: alknet_secret::encryption::EncryptedData =
         serde_json::from_str(&json).unwrap();
     assert_eq!(deserialized, encrypted);
-}
+}