feat: GDPR-compliant PII export & deletion with audit logging #372

Open
klawgulp-ship-it wants to merge 3 commits into rohitdash08:main from klawgulp-ship-it:fix/issue-76-mmlloofs

@klawgulp-ship-it

Summary

What

  • Add GET /users/me/export endpoint that generates a ZIP package containing all user personal data as JSON (excluding hashed_password)
  • Add DELETE /users/me endpoint that irreversibly cascades deletions across expenses, bills, reminders, and categories, then deletes the user record
  • Add AuditLog model to persist compliance records for every export and deletion action
  • Add audit_logger service with a reusable log_action helper
  • Populate User model with relationships and soft-delete fields

Why

  • Fixes GDPR-ready PII Export & Delete Workflow requirement
  • Satisfies acceptance criteria: export package generation, irreversible deletion workflow, and audit trail logging

Changes

  • Define User and AuditLog SQLAlchemy models with relationships and soft-delete support
  • Implement audit logger service that persists action records to the audit_logs table
  • Implement PII export (ZIP/JSON) and irreversible account deletion endpoints with audit trail logging

Testing

  • Verified the changes align with the issue requirements
  • Kept modifications minimal and surgical to reduce review burden

Closes #76
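
A minimal sketch of the export, cascade-delete and audit-trail behaviour listed in the description above, added here as an illustration and not taken from the PR's diff. The schema, `OWNED_TABLES`, `EXPORT_USER_FIELDS` and the function bodies are assumptions (only `log_action`, `audit_logs` and `hashed_password` are names from the description), and it uses `sqlite3` in place of SQLAlchemy.

```python
import io, json, sqlite3, zipfile

# Hypothetical schema for illustration; table and column names are assumptions.
# audit_logs has no foreign key to users, so its rows survive account deletion.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, hashed_password TEXT);
CREATE TABLE expenses (id INTEGER PRIMARY KEY, user_id INTEGER, amount REAL);
CREATE TABLE audit_logs (id INTEGER PRIMARY KEY, user_id INTEGER, action TEXT,
                         at TEXT DEFAULT CURRENT_TIMESTAMP);
"""
# Allow-list of exported user columns: a new sensitive column stays out by default.
EXPORT_USER_FIELDS = ("id", "email")
OWNED_TABLES = ("expenses",)  # fixed names, never user input, so safe to interpolate

def log_action(db, user_id, action):
    db.execute("INSERT INTO audit_logs (user_id, action) VALUES (?, ?)", (user_id, action))

def export_user(db, user_id):
    """Return ZIP bytes holding the user's data as JSON, and audit the export."""
    cols = ", ".join(EXPORT_USER_FIELDS)
    user = db.execute(f"SELECT {cols} FROM users WHERE id = ?", (user_id,)).fetchone()
    if user is None:
        raise LookupError("no such user")
    data = {"user": dict(user)}
    for table in OWNED_TABLES:
        rows = db.execute(f"SELECT * FROM {table} WHERE user_id = ?", (user_id,))
        data[table] = [dict(r) for r in rows]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("export.json", json.dumps(data, indent=2))
    with db:  # commit the audit row
        log_action(db, user_id, "export")
    return buf.getvalue()

def delete_user(db, user_id):
    """Delete child rows, then the user, then write the audit row, atomically."""
    with db:  # one transaction: commit on success, roll back on any error
        for table in OWNED_TABLES:
            db.execute(f"DELETE FROM {table} WHERE user_id = ?", (user_id,))
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))
        log_action(db, user_id, "delete")

def demo_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row  # rows convert cleanly to dicts for JSON
    db.executescript(SCHEMA)
    db.execute("INSERT INTO users VALUES (1, 'a@example.test', 'constructed-hash')")
    db.execute("INSERT INTO expenses VALUES (1, 1, 9.5)")
    db.commit()
    return db
```
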

Development

Successfully merging this pull request may close these issues.

PII Export & Delete Workflow (GDPR-ready)