feat: improve data export security #1676

Merged
Priyanshu-byte-coder merged 1 commit into Priyanshu-byte-coder:main from sakshiwankhade026-coder:fix-data-export-security
May 31, 2026

Conversation

@sakshiwankhade026-coder
Contributor

Summary

Improves security for the user data export endpoint by adding audit logging, export rate limiting, and sensitive data redaction.

Closes #1612


Type of Change

  • Bug fix
  • Security improvement
  • Documentation update
  • Refactor / code cleanup

Changes Made

  • Added export rate limiting (1 export per hour per user)
  • Added audit logging for export and account deletion actions
  • Added database migration for data_export_audit
  • Added recursive sensitive-field redaction for exported data
  • Restricted exported fields to explicit column selections
  • Added audit trail metadata (IP address and user agent)
  • Preserved existing authorization flow and user scoping

How to Test

  1. Sign in with a valid GitHub account
  2. Call GET /api/user/data-export
  3. Verify exported data is returned successfully
  4. Trigger a second export within one hour
  5. Verify the endpoint returns 429 Too Many Requests
  6. Verify sensitive values are redacted from exported payloads
  7. Call account deletion flow with confirmation text DELETE
  8. Verify user data is removed successfully

Database Changes

  • Added new migration:

    • create_data_export_audit

Screenshots (if UI change)

N/A


Checklist

  • Linked issue in summary
  • npm run lint passes locally
  • npm run build passes locally
  • Self-reviewed the diff
  • Added/updated tests if applicable

Additional Notes

The implementation introduces a dedicated audit table used for both export tracking and rate limiting. Existing authentication and authorization behavior remains unchanged.
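
Added example, not code from this pull request: a sketch of the two controls the description lists, recursive redaction of sensitive keys and a one-export-per-hour check driven by audit rows. The key pattern, the row shape (`userId`, `action`, `createdAt`), the action names and the function names are assumptions; the PR text does not show them.

```javascript
// Added illustration, not DevTrack's code. Key pattern, row shape and names are assumed.
const SENSITIVE_KEY = /(token|secret|password|api[_-]?key|authorization)/i;
const EXPORT_WINDOW_MS = 60 * 60 * 1000; // 1 export per hour per user (from the PR)

// Return a redacted deep copy; the input object is never mutated.
function redact(value, ancestors = new Set()) {
  if (value === null || typeof value !== "object") return value;
  if (value instanceof Date) return value.toISOString();
  if (ancestors.has(value)) return "[Circular]"; // guard against self-references
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((item) => redact(item, ancestors));
  } else {
    out = {};
    for (const [key, inner] of Object.entries(value)) {
      // Redact by key name at every depth, whatever the value's type.
      out[key] = SENSITIVE_KEY.test(key) ? "[REDACTED]" : redact(inner, ancestors);
    }
  }
  ancestors.delete(value); // siblings may legitimately share a reference
  return out;
}

// Decide from audit rows whether userId may export at time `now` (ms since epoch).
// The audit table also holds deletion events, so filter on action as well as user.
function checkExportAllowed(auditRows, userId, now = Date.now()) {
  const lastExport = auditRows
    .filter((row) => row.userId === userId && row.action === "export")
    .reduce((latest, row) => Math.max(latest, Date.parse(row.createdAt)), -Infinity);
  const retryAfterMs = lastExport + EXPORT_WINDOW_MS - now;
  return retryAfterMs > 0
    ? { allowed: false, status: 429, retryAfterSec: Math.ceil(retryAfterMs / 1000) }
    : { allowed: true, status: 200, retryAfterSec: 0 };
}

// Constructed sample data.
const sampleAudit = [
  { userId: "u1", action: "export", createdAt: "2026-05-30T10:00:00Z" },
  { userId: "u1", action: "account_delete", createdAt: "2026-05-30T10:50:00Z" },
  { userId: "u2", action: "export", createdAt: "2026-05-30T08:00:00Z" },
];
const sampleExport = {
  login: "octocat",
  accounts: [{ provider: "github", access_token: "gho_constructed", scopes: ["read:user"] }],
  settings: { webhookSecret: "constructed-secret", theme: "dark" },
};

console.log(JSON.stringify(redact(sampleExport)));
console.log(checkExportAllowed(sampleAudit, "u1", Date.parse("2026-05-30T10:30:00Z")));
```

In a real handler the rate-limit check and the audit insert need to happen as one atomic database operation; otherwise two concurrent requests can both pass the check.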

vercel Bot commented May 30, 2026

@sakshiwankhade026-coder is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:feature GSSoC type bonus: new feature type:security GSSoC type bonus: security (+20 pts) labels May 30, 2026
@github-actions

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@github-actions github-actions Bot left a comment

Thanks for your first PR on DevTrack! 🎉

A maintainer will review it within 48 hours. While you wait:

  • Make sure CI is passing (type-check + lint)
  • Double-check the PR description is filled out and the issue is linked
  • Feel free to ask questions in Discussions if you need help

If you find DevTrack useful, a ⭐ star on the repo is always appreciated — it helps the project grow and attract more contributors!

@Priyanshu-byte-coder Priyanshu-byte-coder added gssoc:approved GSSoC: PR approved for scoring level2 GSSoC Level 2 - Medium complexity (25 points) labels May 31, 2026
@Priyanshu-byte-coder Priyanshu-byte-coder merged commit 3c19df5 into Priyanshu-byte-coder:main May 31, 2026
4 checks passed
@github-actions

🎉 Merged! Thanks for contributing to DevTrack.

If the project has been useful to you, a ⭐ star on the repo is the easiest way to support it — it helps DevTrack get discovered by more developers.

Keep an eye on open issues for your next contribution!

Development

Successfully merging this pull request may close these issues.

[Security] Data export endpoint may expose sensitive user data without proper authorization

2 participants