Add encryption key CLI commands for confidential-http

[nadahalli]

Summary

• Adds cre secrets store-encryption-key --passphrase command that derives an AES-256 key via HKDF-SHA256 and stores it in VaultDON
• Adds cre secrets decrypt-output --passphrase --input command for local decryption of encrypted response bodies
• Shared HKDF + AES-GCM decrypt helpers in cmd/secrets/common/encryption.go

[github-actions]

⚠️ Abigen Fork Check - Update Available

The forked abigen package is outdated and may be missing important updates.

Version	Value
Current Fork	v1.16.0
Latest Upstream	v1.17.0

Action Required

1. Review abigen changes in upstream (only the accounts/abi/bind directory matters)
2. Compare with our fork in cmd/generate-bindings/bindings/abigen/
3. If relevant changes exist, sync them and update FORK_METADATA.md
4. If no abigen changes, just update the version in FORK_METADATA.md to v1.17.0

Files to Review

• cmd/generate-bindings/bindings/abigen/bind.go
• cmd/generate-bindings/bindings/abigen/bindv2.go
• cmd/generate-bindings/bindings/abigen/template.go

---

⚠️ Note to PR author: This is not something you need to fix. The Platform Expansion team is responsible for maintaining the abigen fork.

cc @smartcontractkit/bix-framework