feat(wallet): wrap secret_key_hex() in SecretString to prevent accidental key leaks

[satyakwok]

Summary

Wallet::secret_key_hex() previously returned a plain String. That type prints freely through Debug, Display, tracing macros, and serde_json::json! — a single misplaced tracing::info!("{:?}", wallet) or a future #[derive(Debug)] on a struct holding Wallet would silently log the raw private key hex.

secret_key_hex() now returns reliakit_secret::SecretString (from the founder's own reliakit crate, MIT, published to crates.io). Debug prints Secret([REDACTED]), Display prints [REDACTED]. The actual hex is only accessible via .expose_str(), which makes every exposure explicit and greppable.

Call site changes

File	Change
keystore.rs:73 (encrypt)	wallet.secret_key_hex() → .expose_str() for hex::decode input
keystore.rs tests	.expose_str() for comparisons and hex::decode inputs
wallet.rs tests	.expose_str() for length/char checks, comparisons, from_private_key input
commands/wallet.rs (x2)	.expose_str() — operator explicitly requested their key via CLI
commands/misc.rs (x2)	.expose_str() — genesis wallet generation, operator-initiated

What this doesn't fix

Memory zeroization of the SecretString heap allocation — reliakit-secret is a log-leak guard, not a zeroize library. The Zeroizing<[u8;32]> on secret_key_bytes already handles the source bytes. The SecretString returned by secret_key_hex() is a transient copy; callers that need to zero it explicitly can call .into_inner() and zeroize().

Test plan

• cargo check --workspace -D warnings clean
• 22 sentrix-wallet tests pass (including all keystore encrypt/decrypt/migrate round-trips)

[coderabbitai]

Warning

Review limit reached

@satyakwok, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 21 minutes and 7 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c55bfbc9-ea3f-4326-998e-b27af487db7a

📥 Commits

Reviewing files that changed from the base of the PR and between 7654cac and 49a16a9.

📒 Files selected for processing (5)

• bin/sentrix/src/commands/misc.rs
• bin/sentrix/src/commands/wallet.rs
• crates/sentrix-wallet/Cargo.toml
• crates/sentrix-wallet/src/keystore.rs
• crates/sentrix-wallet/src/wallet.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/wallet-secret-type

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!