fix: use module-level #![allow] for Zeroize derive lint

Field-level #[allow(unused_assignments)] doesn't propagate to derive
macro generated code. Module-level #![allow] at top of file works.

Author: 27Bslash6

src/encryption/key_derivation.rs

@@ -8,6 +8,10 @@
 //! to prevent key confusion attacks and ensure cryptographic isolation between different
 //! uses of the same master key.
 
+// Zeroize derive macro generates code that triggers false positive unused_assignments
+// lint in Rust 1.92+ for #[zeroize(skip)] fields. The TenantKeys.tenant_id field IS read.
+#![allow(unused_assignments)]
+
 use hkdf::Hkdf;
 use sha2::Sha256;
 use thiserror::Error;

src/encryption/key_rotation.rs

@@ -5,6 +5,10 @@
 //! - Write only with new key (migration forward)
 //! - Key version bytes in ciphertext header track which key was used
 
+// Zeroize derive macro generates code that triggers false positive unused_assignments
+// lint in Rust 1.92+ for #[zeroize(skip)] fields. The KeyRotationState.rotation_active field IS read.
+#![allow(unused_assignments)]
+
 use std::convert::TryInto;
 use zeroize::{Zeroize, ZeroizeOnDrop};