Add delete account endpoint and file encryption at rest

Delete Account (Plan #2):
- DELETE /api/auth/account/ with password or "DELETE" confirmation
- Cascade delete across 15+ tables in correct FK order
- Auth provider detection (email/apple/google) for /auth/me/
- File cleanup after account deletion
- Handler + repository tests (12 tests)

Encryption at Rest (Plan #3):
- AES-256-GCM envelope encryption (per-file DEK wrapped by KEK)
- Encrypt on upload, auto-decrypt on serve via StorageService.ReadFile()
- MediaHandler serves decrypted files via c.Blob()
- TaskService email image loading uses ReadFile()
- cmd/migrate-encrypt CLI tool with --dry-run for existing files
- Encryption service + storage service tests (18 tests)
Trey T
2026-03-26 10:41:01 -05:00
parent 72866e935e
commit 4abc57535e
22 changed files with 1675 additions and 82 deletions


@@ -1,4 +1,4 @@
.PHONY: build run test contract-test clean deps lint docker-build docker-up docker-down migrate
.PHONY: build run test contract-test clean deps lint docker-build docker-up docker-down migrate migrate-encrypt migrate-encrypt-dry
# Binary names
API_BINARY=honeydue-api
@@ -99,6 +99,13 @@ migrate-down:
migrate-create:
migrate create -ext sql -dir migrations -seq $(name)
# Encrypt existing uploads at rest (run after setting STORAGE_ENCRYPTION_KEY)
migrate-encrypt:
go run ./cmd/migrate-encrypt
migrate-encrypt-dry:
go run ./cmd/migrate-encrypt --dry-run
# Development helpers
dev: deps run
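Review bot: the migrate-encrypt recipe runs "go run ./cmd/migrate-encrypt" unconditionally, while the comment above it says to run it after setting STORAGE_ENCRYPTION_KEY. Nothing in this hunk enforces that ordering. Unless the CLI itself exits non-zero when the key is empty, add a guard to the recipe that fails fast when the variable is unset, so the requirement is not left to a comment. Please also state in the comment whether migrate-encrypt-dry needs the key.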
@@ -139,5 +146,9 @@ help:
@echo " docker-build-prod - Build production images (api, worker, admin)"
@echo ""
@echo "Database:"
@echo " migrate-up - Run database migrations"
@echo " migrate-down - Rollback database migrations"
@echo " migrate-up - Run database migrations"
@echo " migrate-down - Rollback database migrations"
@echo ""
@echo "Encryption:"
@echo " migrate-encrypt - Encrypt existing uploads at rest"
@echo " migrate-encrypt-dry - Preview encryption migration (dry run)"
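Review bot: the new "Encryption:" help entries leave out the STORAGE_ENCRYPTION_KEY prerequisite that the Makefile comment on migrate-encrypt states, so someone reading only the help output will not see it. Suggest extending the migrate-encrypt line to something like "Encrypt existing uploads at rest (requires STORAGE_ENCRYPTION_KEY)". Listing migrate-encrypt-dry first would also nudge operators to preview before the real run.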