zeroize decrypted secrets in memory #157

Merged
iicky merged 2 commits into main from feat/zeroize-secret-buffers
Apr 23, 2026

@iicky iicky commented Apr 23, 2026

  • add zeroize crate; wrap crypto::decrypt / lib::decrypt_value return types in Zeroizing<Vec<u8>>
  • change types::Murk.values and types::Murk.scoped to hold Zeroizing<String> so decrypted plaintext is cleared from memory when dropped
  • thread Zeroizing<String> through export::resolve_secrets, export_secrets, decrypt_vault_values, parse_and_decrypt_values, diff_secrets, DiffEntry, and scan::scan_for_leaks
  • wrap recovery phrase + generated key returns from recovery::generate/recover/phrase_from_key in Zeroizing<String>
  • add plaintext_bytes_to_zeroizing_string helper so utf-8 validation does not escape zeroization
  • python SDK: explicitly copy to plain String at the FFI boundary where Python owns the memory
  • add testutil::secret helper for test inserts
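
The UTF-8 validation concern from the list above, as an added example that is not part of this pull request or the project's code: when `String::from_utf8` rejects decrypted bytes, the returned `FromUtf8Error` still owns the plaintext, and dropping it frees the buffer unwiped. The sketch is std-only, so `SecretString` stands in for `Zeroizing<String>`; `wipe`, `SecretString`, `InvalidUtf8` and `plaintext_to_secret` are hypothetical names.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite the whole allocation (spare capacity included) with zeros.
/// Volatile writes plus a fence keep the compiler from eliding the stores.
pub fn wipe(buf: &mut Vec<u8>) {
    let p = buf.as_mut_ptr();
    for i in 0..buf.capacity() {
        unsafe { ptr::write_volatile(p.add(i), 0) };
    }
    compiler_fence(Ordering::SeqCst);
    buf.clear();
}

/// Std-only stand-in for zeroize's Zeroizing<String>: wiped when dropped.
pub struct SecretString(String);

impl SecretString {
    pub fn expose(&self) -> &str { &self.0 }
}

impl Drop for SecretString {
    fn drop(&mut self) {
        // Zero bytes are valid UTF-8, so the String invariant still holds.
        wipe(unsafe { self.0.as_mut_vec() });
    }
}

#[derive(Debug, PartialEq)]
pub struct InvalidUtf8;

/// Hypothetical helper: turn decrypted bytes into a wiped-on-drop string.
pub fn plaintext_to_secret(bytes: Vec<u8>) -> Result<SecretString, InvalidUtf8> {
    match String::from_utf8(bytes) {
        // Success moves the allocation into the String: no second copy exists.
        Ok(s) => Ok(SecretString(s)),
        // FromUtf8Error still owns the plaintext; wipe it before it is freed.
        Err(e) => {
            let mut rejected = e.into_bytes();
            wipe(&mut rejected);
            Err(InvalidUtf8)
        }
    }
}

fn main() {
    let secret = plaintext_to_secret(b"hunter2".to_vec()).unwrap(); // constructed sample
    println!("{} bytes held", secret.expose().len());
    assert!(plaintext_to_secret(vec![0xff, 0xfe]).is_err());
}
```

Conversions that copy, such as `String::from_utf8_lossy` or `to_vec()`, leave a second plaintext buffer that no wrapper tracks, which is why the success path above moves the allocation instead.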

codecov Bot commented Apr 23, 2026

Codecov Report

❌ Patch coverage is 90.12876% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.89%. Comparing base (02da47b) to head (8facc2a).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/main.rs | 63.41% | 13 Missing and 2 partials ⚠️ |
| src/export.rs | 95.18% | 3 Missing and 1 partial ⚠️ |
| src/lib.rs | 95.55% | 0 Missing and 2 partials ⚠️ |
| src/recovery.rs | 85.71% | 0 Missing and 2 partials ⚠️ |

@iicky iicky merged commit b6d5e7a into main Apr 23, 2026
27 checks passed
@iicky iicky deleted the feat/zeroize-secret-buffers branch April 23, 2026 12:42