feat(admin): add Danger Zone to delete a Fider site

[mattwoberts]

Summary

Adds a Danger Zone to admin Site Settings with one action: permanently delete the entire site (tenant) and everything in it. Hosted multi-tenant only; owner-only (the original signup user — lowest-id active admin).

• Type-the-subdomain confirmation in a modal; the subdomain is re-validated server-side (defence-in-depth).
• Deletion is scheduled 1 hour out (tenant stays fully active during the grace window). An email with a cancel link goes to the owner immediately; a second "completed" email goes after the irreversible work is done.
• A 5-minute cron processes one tenant per run: Stripe cancel (tolerates resource_missing) → blob storage wipe (S3/fs/sql) → DB hard delete (FK-RESTRICT ordered across 20 tenant-scoped tables + reactions via subquery) → completed email.
• Public keyed cancel route registered before the privacy/auth middleware so the emailed link works on private tenants without login (key is the sole authorisation; it only ever restores access).

Auth model

A request to schedule deletion must pass all of: global CSRF (POST/PUT/DELETE requires JSON Accept/Content-Type, blocking cross-origin forms), IsAuthenticated, IsAuthorized(RoleAdministrator), the env.IsSingleHostMode() check (route isn't even registered in single-host), the owner identity check, and the subdomain match. Only one writer to the schedule column (scheduleTenantDeletion), only one dispatcher (RequestTenantDeletion).

Test plan

• make build succeeds
• make test — all Go + Jest pass (incl. 3 new sqlstore tests + 6 new handler tests)
• make lint — 0 issues
• Hosted dev (make watch): owner schedules deletion → email arrives in MailHog with cancel link → click link → schedule cleared
• Re-schedule, set scheduled_deletion_at to past, wait for cron → tenant + blobs gone, Stripe sub cancelled (test sub), completed email arrives
• Non-owner admin sees an explanatory note instead of the delete control; menu item hidden in single-host

🤖 Generated with Claude Code