feat(alknet-secret): make DerivedKey zeroize-on-drop, non-Clone, with redacted serialization

Per ADR-038, DerivedKey.private_key now derives Zeroize with #[zeroize(drop)]
ensuring sensitive key material is zeroized before deallocation. DerivedKey
is now move-only (no Clone), and JSON/debug output redacts private_key as
"[REDACTED]". Deserialization still works for postcard/irpc wire format.

Also fixes clippy needless_borrows_for_generic_args in encryption.rs and
applies cargo fmt to existing code.

crates/alknet-secret/tests/service_tests.rs

@@ -3,8 +3,8 @@
 //! These tests verify the unlock/lock lifecycle, error conditions,
 //! and that the service correctly manages state transitions.
 
-use alknet_secret::service::{SecretServiceError, SecretServiceHandle};
 use alknet_secret::derivation::PATHS;
+use alknet_secret::service::{SecretServiceError, SecretServiceHandle};
 
 #[test]
 fn test_full_lifecycle() {
@@ -94,7 +94,5 @@ fn test_multiple_derive_paths_succeed() {
     // All standard paths should work
     let _identity = service.derive_ed25519(PATHS::IDENTITY).unwrap();
     let _ssh = service.derive_ed25519(PATHS::SSH_HOST).unwrap();
-    let _enc = service
-        .derive_encryption_key(PATHS::ENCRYPTION)
-        .unwrap();
-}
+    let _enc = service.derive_encryption_key(PATHS::ENCRYPTION).unwrap();
+}