refactor(key-wallet): derive Zeroize on WalletType and wipe on drop

[ZocoLini]

Summary by CodeRabbit

• Improvements
  • Enhanced secure handling of sensitive wallet data to ensure proper memory protection when wallet objects are destroyed
  • Strengthened cleanup mechanisms for cryptographic keys during wallet lifecycle operations

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds explicit zeroization support to two sensitive cryptographic types in the wallet module. Wallet now derives Zeroize and delegates memory cleanup to the trait, while RootExtendedPrivKey explicitly imports and implements Zeroize with a corresponding Drop implementation to ensure private keys and chain codes are properly scrubbed from memory.

Changes

Sensitive Data Zeroization Pattern

Layer / File(s)	Summary
Wallet zeroization key-wallet/src/wallet/mod.rs	Wallet struct derives Zeroize, implements the Zeroize trait to zero wallet_type, and simplifies Drop to delegate cleanup via self.zeroize().
RootExtendedPrivKey zeroization key-wallet/src/wallet/root_extended_keys.rs	RootExtendedPrivKey imports the Zeroize trait, implements Zeroize for private key and chain code memory scrubbing, and adds an explicit Drop implementation to invoke zeroization on destruction.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 In vaults where secrets dare not linger long,
We scrub the keys with zeroize so strong,
When wallets fade and keys are dropped with care,
No trace of cryptic treasure lingers in the air!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions 'WalletType' and 'drop', but the actual changes involve deriving Zeroize on 'Wallet' struct and implementing Drop/Zeroize for both Wallet and RootExtendedPrivKey—the title is partially related but incomplete.	Update the title to accurately reflect all main changes, such as: 'refactor(key-wallet): derive Zeroize and implement Drop for Wallet and RootExtendedPrivKey'

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/zeroize-secrets

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

key-wallet/src/wallet/root_extended_keys.rs (1)

25-30: ⚡ Quick win

Enable secp256k1/zeroize feature for stronger memory zeroing guarantees.

The non_secure_erase() method lacks guarantees against compiler optimizations. The secp256k1 crate's zeroize feature implements the Zeroize trait with proper memory barriers. Add "zeroize" to the features list in key-wallet/Cargo.toml (line 37), then use self.root_private_key.zeroize() instead.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@key-wallet/src/wallet/root_extended_keys.rs` around lines 25 - 30, Enable the
secp256k1 crate's "zeroize" feature in Cargo.toml and replace the insecure
erasure call in RootExtendedPrivKey::zeroize with the proper Zeroize method: add
"zeroize" to the features list for the secp256k1 dependency so the crate
implements Zeroize, then change the implementation on RootExtendedPrivKey to
call self.root_private_key.zeroize() (and keep self.root_chain_code.zeroize())
to ensure secure memory zeroing; update any imports if needed to satisfy the
Zeroize trait usage.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@key-wallet/src/wallet/root_extended_keys.rs`:
- Around line 25-30: Enable the secp256k1 crate's "zeroize" feature in
Cargo.toml and replace the insecure erasure call in RootExtendedPrivKey::zeroize
with the proper Zeroize method: add "zeroize" to the features list for the
secp256k1 dependency so the crate implements Zeroize, then change the
implementation on RootExtendedPrivKey to call self.root_private_key.zeroize()
(and keep self.root_chain_code.zeroize()) to ensure secure memory zeroing;
update any imports if needed to satisfy the Zeroize trait usage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 121f37fc-2a0f-46b7-b424-7443ea89d0e4

📥 Commits

Reviewing files that changed from the base of the PR and between 34e50b6 and 6eeacf0.

📒 Files selected for processing (2)

• key-wallet/src/wallet/mod.rs
• key-wallet/src/wallet/root_extended_keys.rs

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.21%. Comparing base (34e50b6) to head (6eeacf0).
⚠️ Report is 2 commits behind head on dev.

Additional details and impacted files

@@            Coverage Diff             @@
##              dev     #780      +/-   ##
==========================================
- Coverage   72.45%   72.21%   -0.25%     
==========================================
  Files         321      321              
  Lines       70350    70329      -21     
==========================================
- Hits        50974    50787     -187     
- Misses      19376    19542     +166     

Flag	Coverage Δ
core	76.30% <ø> (ø)
ffi	45.60% <ø> (-1.79%)	⬇️
rpc	20.00% <ø> (ø)
spv	89.96% <ø> (+0.03%)	⬆️
wallet	71.22% <100.00%> (-0.05%)	⬇️

Files with missing lines	Coverage Δ
key-wallet/src/wallet/mod.rs	95.00% <100.00%> (+5.21%)	⬆️
key-wallet/src/wallet/root_extended_keys.rs	52.54% <100.00%> (+0.61%)	⬆️

... and 19 files with indirect coverage changes