Add delete account endpoint and file encryption at rest

Delete Account (Plan #2):
- DELETE /api/auth/account/ with password or "DELETE" confirmation
- Cascade delete across 15+ tables in correct FK order
- Auth provider detection (email/apple/google) for /auth/me/
- File cleanup after account deletion
- Handler + repository tests (12 tests)

Encryption at Rest (Plan #3):
- AES-256-GCM envelope encryption (per-file DEK wrapped by KEK)
- Encrypt on upload, auto-decrypt on serve via StorageService.ReadFile()
- MediaHandler serves decrypted files via c.Blob()
- TaskService email image loading uses ReadFile()
- cmd/migrate-encrypt CLI tool with --dry-run for existing files
- Encryption service + storage service tests (18 tests)

internal/dto/requests/auth.go

@@ -63,3 +63,9 @@ type AppleSignInRequest struct {
 type GoogleSignInRequest struct {
 	IDToken string `json:"id_token" validate:"required"` // Google ID token from Credential Manager
 }
+
+// DeleteAccountRequest represents the delete account request body
+type DeleteAccountRequest struct {
+	Password     *string `json:"password"`
+	Confirmation *string `json:"confirmation"`
+}