fix: correct zeroize annotation placement and avoid secret cloning in protected.rs (#108)

S3Credentials had #[zeroize(skip)] on secret_access_key instead of
access_key_id. The comment said "access_key_id is not sensitive" but
the annotation was on the adjacent field. In practice ProtectedString
has its own #[zeroize(drop)] so the secret was still zeroed on drop,
but the annotation contradicted its own comment and would silently
break if ProtectedString's drop behavior ever changed.

ProtectedString::into_inner() cloned self.inner instead of moving it
out. Use std::mem::take to swap the value out directly, avoiding the
unnecessary heap allocation of the clone.

// ticktockbent

nora-registry/src/secrets/protected.rs

@@ -33,8 +33,8 @@ impl ProtectedString {
     }
 
     /// Consume and return the inner value
-    pub fn into_inner(self) -> Zeroizing<String> {
-        Zeroizing::new(self.inner.clone())
+    pub fn into_inner(mut self) -> Zeroizing<String> {
+        Zeroizing::new(std::mem::take(&mut self.inner))
     }
 
     /// Check if the secret is empty
@@ -74,8 +74,8 @@ impl From<&str> for ProtectedString {
 #[derive(Clone, Zeroize)]
 #[zeroize(drop)]
 pub struct S3Credentials {
-    pub access_key_id: String,
     #[zeroize(skip)] // access_key_id is not sensitive
+    pub access_key_id: String,
     pub secret_access_key: ProtectedString,
     pub region: Option<String>,
 }