Move encrypt_output from ConfidentialHTTPRequest to HTTPRequest (#291)

* Move encrypt_output from ConfidentialHTTPRequest to HTTPRequest

encrypt_output is an HTTP request property, not a framework/secrets
concern. Moving it into HTTPRequest (field 9) keeps encryption as a
per-request setting alongside URL, method, headers, etc.

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>

Author: nadahalli

cre/capabilities/networking/confidentialhttp/v1alpha/client.proto

@@ -37,6 +37,11 @@ message HTTPRequest {
   bytes custom_root_ca_cert_pem = 6;
   // timeout is the request timeout duration.
   google.protobuf.Duration timeout = 7;
+  // encrypt_output controls whether the enclave response should be encrypted.
+  // If true, the response will be AES-GCM encrypted using the
+  // "san_marino_aes_gcm_encryption_key" secret.
+  // Default is false (response returned unencrypted).
+  bool encrypt_output = 9;
 }
 
 // HTTPResponse contains the HTTP response from the enclave.
@@ -55,13 +60,6 @@ message HTTPResponse {
 message ConfidentialHTTPRequest {
   repeated SecretIdentifier vault_don_secrets = 1;
   HTTPRequest request = 2;
-  // encrypt_output controls whether the enclave response should be encrypted.
-  // If true and a secret named "san_marino_aes_gcm_encryption_key" is provided,
-  // the response will be AES-GCM encrypted using that key.
-  // If true and no such key is provided, the response will be TDH2 encrypted
-  // using the VaultDON master public key.
-  // Default is false (response returned unencrypted).
-  bool encrypt_output = 3;
 }
 
 service Client {