fix: implement proper cleanup of sensitive cryptographic material in SeedlessOnboardingController
Explanation
Current state: The SeedlessOnboardingController handles sensitive cryptographic material (encryption keys, authentication keypairs, OPRF keys, and seed phrases) but was not properly cleaning up this data from memory after use. This creates an increased security risk where sensitive material could be extracted through memory scraping attacks, XSS exploits, or heap inspection.
Solution: Implemented cleanup of sensitive cryptographic material using try-finally blocks with .fill(0) for Uint8Arrays and nullification of all references. Used a declare-first pattern to minimize the number of references to sensitive objects in memory. This reduces the risk but cannot completely eliminate it due to JavaScript's garbage collection behavior, potential engine optimizations, and the inherent limitations of memory management in JavaScript environments.
Limitations:
- JavaScript garbage collection is non-deterministic
- JavaScript engines may keep internal copies of data
- BigInt and string values cannot be reliably cleared from memory
- Data is still vulnerable during active use
References
This addresses security audit findings related to improper handling of sensitive cryptographic material in memory.
Checklist
- [ ] I've updated the test suite for new or updated code as appropriate
- [ ] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
- [ ] I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
- [x] I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes
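
The cleanup pattern named in the description (declare-first variables, try-finally, `.fill(0)`, then nulling the references), shown as an added example that is not code from this pull request or from SeedlessOnboardingController. `wipe`, `toyEncrypt`, `sealSecret` and `demo` are hypothetical names, and the XOR routine is a constructed stand-in for a real cipher.

```javascript
// Added example: hypothetical names, not code from the controller.
// Overwrite each Uint8Array in place; slots never assigned are skipped.
function wipe(...buffers) {
  for (const buf of buffers) {
    if (buf instanceof Uint8Array) buf.fill(0);
  }
}

// Constructed stand-in for a real cipher (XOR with the key). NOT secure;
// it only gives the example something to do with the key and plaintext.
function toyEncrypt(key, plaintext) {
  if (plaintext.length === 0) throw new Error('empty plaintext');
  return plaintext.map((byte, i) => byte ^ key[i % key.length]);
}

// Declare-first: the sensitive variables exist before `try`, so `finally`
// can reach them on both the return path and the throw path.
function sealSecret(secretBytes, deriveKey) {
  let key;
  let working;
  try {
    key = deriveKey();                       // Uint8Array owned by this call
    working = Uint8Array.from(secretBytes);  // private working copy
    return toyEncrypt(key, working);         // result is a new array
  } finally {
    wipe(key, working);  // zero the bytes first
    key = null;          // then drop the references
    working = null;
  }
}

// Constructed sample run. `issued` keeps a reference to every key handed
// out so the effect of the cleanup can be observed from outside.
function demo() {
  const issued = [];
  const deriveKey = () => {
    const k = new Uint8Array(4).fill(0xa5);
    issued.push(k);
    return k;
  };
  const secret = Uint8Array.from([1, 2, 3, 4]);
  const ciphertext = sealSecret(secret, deriveKey);
  let threw = false;
  try { sealSecret(new Uint8Array(0), deriveKey); } catch { threw = true; }
  const allZero = (buf) => buf.every((b) => b === 0);
  return { ciphertext: Array.from(ciphertext), threw,
    keyWipedOnReturn: allZero(issued[0]), keyWipedOnThrow: allZero(issued[1]),
    callerBufferIntact: !allZero(secret) };
}
```

`callerBufferIntact` is true because `sealSecret` wipes only the buffers it created; the array the caller passed in still holds the secret and needs its own cleanup.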