Add delete account endpoint and file encryption at rest

Delete Account (Plan #2):
- DELETE /api/auth/account/ with password or "DELETE" confirmation
- Cascade delete across 15+ tables in correct FK order
- Auth provider detection (email/apple/google) for /auth/me/
- File cleanup after account deletion
- Handler + repository tests (12 tests)

Encryption at Rest (Plan #3):
- AES-256-GCM envelope encryption (per-file DEK wrapped by KEK)
- Encrypt on upload, auto-decrypt on serve via StorageService.ReadFile()
- MediaHandler serves decrypted files via c.Blob()
- TaskService email image loading uses ReadFile()
- cmd/migrate-encrypt CLI tool with --dry-run for existing files
- Encryption service + storage service tests (18 tests)

cmd/api/main.go

@@ -134,6 +134,17 @@ func main() {
 				Str("base_url", cfg.Storage.BaseURL).
 				Int64("max_file_size", cfg.Storage.MaxFileSize).
 				Msg("Storage service initialized")
+
+			// Initialize file encryption at rest if configured
+			if cfg.Storage.EncryptionKey != "" {
+				encSvc, encErr := services.NewEncryptionService(cfg.Storage.EncryptionKey)
+				if encErr != nil {
+					log.Error().Err(encErr).Msg("Failed to initialize encryption service - files will NOT be encrypted")
+				} else {
+					storageService.SetEncryptionService(encSvc)
+					log.Info().Msg("File encryption at rest enabled")
+				}
+			}
 		}
 	}