Add delete account endpoint and file encryption at rest

Delete Account (Plan #2):
- DELETE /api/auth/account/ with password or "DELETE" confirmation
- Cascade delete across 15+ tables in correct FK order
- Auth provider detection (email/apple/google) for /auth/me/
- File cleanup after account deletion
- Handler + repository tests (12 tests)

Encryption at Rest (Plan #3):
- AES-256-GCM envelope encryption (per-file DEK wrapped by KEK)
- Encrypt on upload, auto-decrypt on serve via StorageService.ReadFile()
- MediaHandler serves decrypted files via c.Blob()
- TaskService email image loading uses ReadFile()
- cmd/migrate-encrypt CLI tool with --dry-run for existing files
- Encryption service + storage service tests (18 tests)

internal/testutil/testutil.go

@@ -60,6 +60,9 @@ func SetupTestDB(t *testing.T) *gorm.DB {
 		&models.NotificationPreference{},
 		&models.APNSDevice{},
 		&models.GCMDevice{},
+		&models.AppleSocialAuth{},
+		&models.GoogleSocialAuth{},
+		&models.TaskReminderLog{},
 		&models.UserSubscription{},
 		&models.SubscriptionSettings{},
 		&models.TierLimits{},