feat(aztec-nr)!: introduce SenderForTags, remove set_sender_for_tags oracle (F-564) #22728

Closed
nchamo wants to merge 1 commit into merge-train/fairies from feat/per-log-sender-for-tags


nchamo (Contributor) commented Apr 22, 2026

Problem

Private log discovery relies on a sender-recipient shared secret: the sender tags a log so the recipient can find it by scanning for known tags. The sender identity used for this came from set_sender_for_tags, TX-wide mutable state that any contract in the call stack could overwrite — silently redirecting all subsequent tag derivation to an arbitrary address.

#22672 addressed this by scoping set_sender_for_tags overrides to the calling contract only, so they no longer leak to subcalls. The wallet also gained a sendMessagesAs option to seed the sender before execution begins. This fixed the trust issue, but set_sender_for_tags remained as ambient global state. The sender used for any given log was determined by a side-effecting call somewhere else in the call stack, rather than at the emission site — making transaction flows hard to reason about.

Our fix

This PR takes a different approach: instead of scoping ambient state, we eliminate it. set_sender_for_tags is removed entirely. Sender selection moves to the log emission site via a new SenderForTags struct passed directly to MessageDelivery:

  • SenderForTags::explicit(address) — for call sites that know their sender (e.g. account contracts tagging their own notes)
  • SenderForTags::tx_default() — for application contracts that delegate sender selection to the wallet; reads from the oracle the wallet seeds via sendMessagesAs

MessageDelivery is refactored from a global constant struct with u8 fields to a proper struct type with named constructors (MessageDelivery::offchain(), MessageDelivery::onchain_constrained(), etc.). On-chain variants accept an optional SenderForTags override via _with_sender constructors, giving call sites explicit per-log control over which sender is used for tag derivation. This also gives us more flexibility for future features — for example, using a different sender identity per message type, or integrating handshake-based tagging when constrained tagging lands (#14565).

The wallet-side sendMessagesAs option from #22672 is preserved. DeployAccountMethod injects the to-be-deployed address as sendMessagesAs for NO_FROM self-paid deploys, so fee-payment calls have a sender even without an account entrypoint.

Breaking changes

  • MessageDelivery.OFFCHAIN → MessageDelivery::offchain(), same for ONCHAIN_UNCONSTRAINED and ONCHAIN_CONSTRAINED
  • NoteMessage::deliver(u8) / deliver_to(addr, u8) → takes MessageDelivery instead of u8
  • EventMessage::deliver_to(addr, u8) → same
  • set_sender_for_tags oracle removed; account contracts use SenderForTags::explicit(self.address) at the emission site instead

This is not ready to merge as-is — posting for early feedback on the approach before we go further.

Fixes F-564

@nchamo nchamo added the ci-draft Run CI on draft PRs. label Apr 22, 2026
@nchamo nchamo self-assigned this Apr 22, 2026
nchamo (Contributor, Author) commented Apr 24, 2026

We are going with #22672 for now, since it's less breaking than this PR

@nchamo nchamo closed this Apr 24, 2026
@nventuro nventuro deleted the feat/per-log-sender-for-tags branch April 24, 2026 18:57
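
A simplified model of the three sender-selection designs discussed in this thread (TX-wide ambient state, the per-contract scoping from #22672, and the per-log sender proposed here), showing which logs a recipient still discovers when another contract in the call stack sets the sender. This is an added example, not code from the PR or from aztec-nr. Assumptions: the hash in `derive_tag` stands in for the real shared-secret tag derivation, the design names, addresses and call trace are constructed, and scoping is modeled as one override per contract.

```python
import hashlib

ALICE, BOB, OTHER = "0xa11ce", "0xb0b", "0x07he4"  # constructed sample addresses

def derive_tag(sender, recipient):
    # Stand-in for the sender-recipient shared-secret tag (assumption: a plain hash).
    return hashlib.sha256(f"{sender}:{recipient}".encode()).hexdigest()[:16]

# Constructed call trace. ("set", contract, addr) models a set_sender_for_tags call;
# ("emit", contract, recipient, sender) models a log emission, where sender is an
# explicit address or None for the wallet-seeded default (SenderForTags::tx_default()).
TRACE = [
    ("set", "account", ALICE),         # account contract tags as itself
    ("set", "helper", OTHER),          # some other contract in the call stack
    ("emit", "token", BOB, None),
    ("emit", "account", BOB, ALICE),
]

def emitted_tags(design, wallet_default=ALICE):
    ambient = wallet_default   # "ambient": one TX-wide mutable slot
    scoped = {}                # "scoped": override visible to the setting contract only
    tags = []
    for step in TRACE:
        if step[0] == "set":
            _, contract, addr = step
            ambient = addr
            scoped[contract] = addr
            continue
        _, contract, recipient, explicit = step
        if design == "ambient":
            sender = ambient
        elif design == "scoped":
            sender = scoped.get(contract, wallet_default)
        else:  # "per_log": set calls have no effect, the emission site decides
            sender = explicit if explicit is not None else wallet_default
        tags.append(derive_tag(sender, recipient))
    return tags

def discovered(design):
    # Bob scans for the tag he expects from Alice and counts matching logs.
    expected = derive_tag(ALICE, BOB)
    return sum(t == expected for t in emitted_tags(design))
```
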