Activity

Closes #40.

The existing DeleteUserData tests exercise a bare user, so they never hit the foreign-key situation the issue flags: the gdpr:cleanup command hard-deleting a fully populated user whose children were soft-deleted (rows still physically present) more than 30 days ago.

What's covered

• Full-data cleaner (cleaner profile, certificates, portfolio, verification, a quote, a message thread, an export request, a notification, an activity log) soft-deleted 31 days ago → gdpr:cleanup hard-deletes them with no FK errors; the user and its cascade-deleted children are gone.
• 30-day boundary — a user soft-deleted 29 days ago is left alone.
• --dry-run deletes nothing.
• Activity logs older than a year and old sessions are purged.

Finding

Confirms the implementation is sound: cleaner_profiles.user_id and quotes.cleaner_id are cascadeOnDelete(), so the soft-deleted-children → forceDelete(user) path cascades cleanly. No code change needed — this just adds the regression protection #40 asked for.

4 tests, green. Existing AccountDeletionTest still green (26 passed).