Zeroize HeldTree's cabinet X25519 private key on drop
X25519PrivateKey is a type alias for [u8; 32], no Zeroize, no Drop.
HeldTree held an Option<X25519PrivateKey> as a plain field — when
uninstall_cabinet / uninstall_all dropped the enclosing Option, the
bytes stayed in the heap slot. Both the module docstring and the
new wipeState doc asserted the cabinet key was scrubbed on drop;
neither was actually true.
Derive RedactedDebug on HeldTree and tag the private_key field
`#[redact]`. The field's Option<[u8; 32]> composes through zeroize's
built-in `Zeroize for Option<T: Zeroize>`, so no wrapper is needed
— the derive's generated Drop zeroizes the field when HeldTree is
dropped. The group_keys ContentKeys already auto-zeroize via their
own impl; this commit closes the last gap in the keeper's crypto
material lifecycle.
Adds an impl Debug for Redacted<'_, Option<[u8; N]>> in crypto/mod.rs
to keep the derive's Debug output honest — matches the existing
Redacted<'_, Option<String>> impl that covers the String-in-Option
case. Without it, RedactedDebug fails to compile on any struct that
has a `#[redact] Option<[u8; N]>` field.