feat: send email notification on account hard-delete

Notify users via email when their account is permanently deleted after
the 15-day soft-delete grace period. Query now returns email alongside
user ID so the notification can be sent after deletion.

Email failure is logged as a warning but does not block cleanup.

db/queries/users.sql

@@ -92,7 +92,7 @@ WHERE ut.user_id = $1
   );
 
 -- name: ListExpiredSoftDeletedUsers :many
-SELECT id FROM users WHERE deleted_at IS NOT NULL AND deleted_at < NOW() - INTERVAL '15 days';
+SELECT id, email FROM users WHERE deleted_at IS NOT NULL AND deleted_at < NOW() - INTERVAL '15 days';
 
 -- name: HardDeleteUser :exec
 DELETE FROM users WHERE id = $1;

pkg/cpserver/run.go

@@ -193,6 +193,7 @@ func Run(opts ...Option) {
 
 	// Hard-delete accounts that have been soft-deleted for more than 15 days (runs every 24h).
 	// Audit logs referencing deleted users are anonymized before the user row is removed.
+	// A notification email is sent to the user before their data is permanently removed.
 	go func() {
 		ticker := time.NewTicker(24 * time.Hour)
 		defer ticker.Stop()
@@ -207,16 +208,24 @@ func Run(opts ...Option) {
 					continue
 				}
 				var deleted int
-				for _, userID := range expired {
+				for _, row := range expired {
-					prefixedID := id.FormatUserID(userID)
+					prefixedID := id.FormatUserID(row.ID)
 					if err := queries.AnonymizeAuditLogsByUserID(ctx, pgtype.Text{String: prefixedID, Valid: true}); err != nil {
 						slog.Error("account cleanup: failed to anonymize audit logs, skipping delete", "user_id", prefixedID, "error", err)
 						continue
 					}
-					if err := queries.HardDeleteUser(ctx, userID); err != nil {
+					if err := queries.HardDeleteUser(ctx, row.ID); err != nil {
 						slog.Error("account cleanup: failed to hard-delete user", "user_id", prefixedID, "error", err)
 						continue
 					}
+					if err := mailer.Send(ctx, row.Email, "Your Wrenn account has been deleted", email.EmailData{
+						Message: "Your Wrenn account and all associated data have been permanently deleted. " +
+							"This action was taken automatically because your account was scheduled for deletion more than 15 days ago.\n\n" +
+							"If you believe this was done in error, please contact support.",
+						Closing: "Thank you for using Wrenn.",
+					}); err != nil {
+						slog.Warn("account cleanup: failed to send deletion notification", "email", row.Email, "error", err)
+					}
 					deleted++
 				}
 				if len(expired) > 0 {

pkg/db/users.sql.go

@@ -326,22 +326,27 @@ func (q *Queries) InsertUserOAuth(ctx context.Context, arg InsertUserOAuthParams
 }
 
 const listExpiredSoftDeletedUsers = `-- name: ListExpiredSoftDeletedUsers :many
-SELECT id FROM users WHERE deleted_at IS NOT NULL AND deleted_at < NOW() - INTERVAL '15 days'
+SELECT id, email FROM users WHERE deleted_at IS NOT NULL AND deleted_at < NOW() - INTERVAL '15 days'
 `
 
-func (q *Queries) ListExpiredSoftDeletedUsers(ctx context.Context) ([]pgtype.UUID, error) {
+type ListExpiredSoftDeletedUsersRow struct {
+	ID    pgtype.UUID `json:"id"`
+	Email string      `json:"email"`
+}
+
+func (q *Queries) ListExpiredSoftDeletedUsers(ctx context.Context) ([]ListExpiredSoftDeletedUsersRow, error) {
 	rows, err := q.db.Query(ctx, listExpiredSoftDeletedUsers)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []pgtype.UUID
+	var items []ListExpiredSoftDeletedUsersRow
 	for rows.Next() {
-		var id pgtype.UUID
+		var i ListExpiredSoftDeletedUsersRow
-		if err := rows.Scan(&id); err != nil {
+		if err := rows.Scan(&i.ID, &i.Email); err != nil {
 			return nil, err
 		}
-		items = append(items, id)
+		items = append(items, i)
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err