
fix(data): address medium-severity audit findings #186

@cpcloud

Description


Three medium-severity findings from the code audit (#181) that weren't addressed in the overflow PR (#182):

  1. Negative sign handling in parseCents -- parseCents only strips $ prefix but doesn't handle - signs at all. FormatCents produces -$5.00 but parseCents can't roundtrip it back. Inputs like -$100, $-100, --$100 all fail with a generic "invalid money" error rather than being parsed or getting a clear rejection message.

  2. Vendor restore error clarity -- When restoring a service log whose vendor was hard-deleted (not just soft-deleted), requireParentAlive returns gorm.ErrRecordNotFound which surfaces as a confusing error rather than a clear "vendor no longer exists" message.

  3. SQLite pragma configuration -- No explicit journal_mode, synchronous, or busy_timeout pragmas are set or documented. Defaults work for single-user TUI but should be explicitly configured for robustness.
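One way the first finding could be closed, shown as an added example rather than the project's own code: a cents parser and formatter that round-trip each other and that give a specific rejection for each malformed input listed above. The names ParseCents and FormatCents, the decision to accept both "-$100" and "$-100" while rejecting "--$100", the exact error messages and the wrapped ErrInvalidMoney sentinel are all assumptions for illustration; the example also carries the arithmetic through to the int64 limits, which the issue does not discuss.

```go
// Added example (not the project's code): a cents parser/formatter that
// handles the sign forms listed in finding 1. Function names, accepted
// spellings and error messages are assumptions for illustration.
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// ErrInvalidMoney is the sentinel every parse failure wraps, so callers can
// errors.Is() on it while the message still says what was wrong.
var ErrInvalidMoney = errors.New("invalid money")

// FormatCents renders an int64 cent amount as "-$5.00" style text.
// The magnitude is computed in uint64 so math.MinInt64 does not overflow.
func FormatCents(cents int64) string {
	sign := ""
	mag := uint64(cents)
	if cents < 0 {
		sign = "-"
		mag = uint64(-(cents + 1)) + 1
	}
	return fmt.Sprintf("%s$%d.%02d", sign, mag/100, mag%100)
}

// ParseCents accepts "500", "$5.00", "-$5.00" and "$-5.00" and rejects
// duplicate signs ("--$100", "$$5"), bad digits, more than two fractional
// digits and values outside int64, each with a specific message.
func ParseCents(input string) (int64, error) {
	s := strings.TrimSpace(input)
	if s == "" {
		return 0, fmt.Errorf("%w: empty input", ErrInvalidMoney)
	}
	// Consume a leading sign and currency symbol in either order.
	var minus, dollar int
	for len(s) > 0 && (s[0] == '-' || s[0] == '$') {
		if s[0] == '-' {
			minus++
		} else {
			dollar++
		}
		s = s[1:]
	}
	if minus > 1 {
		return 0, fmt.Errorf("%w: %q has more than one '-' sign", ErrInvalidMoney, input)
	}
	if dollar > 1 {
		return 0, fmt.Errorf("%w: %q has more than one '$'", ErrInvalidMoney, input)
	}
	whole, frac, hasDot := strings.Cut(s, ".")
	if !isDigits(whole) {
		return 0, fmt.Errorf("%w: %q has a non-numeric dollar part", ErrInvalidMoney, input)
	}
	if hasDot && (!isDigits(frac) || len(frac) > 2) {
		return 0, fmt.Errorf("%w: %q must have one or two digits after '.'", ErrInvalidMoney, input)
	}
	wholeU, err := strconv.ParseUint(whole, 10, 64)
	if err != nil || wholeU > (math.MaxUint64-99)/100 {
		return 0, fmt.Errorf("%w: %q is out of range", ErrInvalidMoney, input)
	}
	var fracU uint64
	if hasDot {
		fracU, _ = strconv.ParseUint(frac, 10, 64) // already validated as 1-2 digits
		if len(frac) == 1 {
			fracU *= 10 // "5.5" means 50 cents, not 5
		}
	}
	mag := wholeU*100 + fracU
	switch {
	case minus == 1 && mag == 1<<63:
		return math.MinInt64, nil // the one negative value whose magnitude exceeds MaxInt64
	case minus == 1 && mag > 1<<63, minus == 0 && mag > math.MaxInt64:
		return 0, fmt.Errorf("%w: %q is out of range", ErrInvalidMoney, input)
	case minus == 1:
		return -int64(mag), nil
	default:
		return int64(mag), nil
	}
}

// isDigits reports whether s is a non-empty run of ASCII digits.
func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

func main() {
	for _, in := range []string{"$5.00", "-$5.00", "$-100", "--$100", FormatCents(math.MinInt64)} {
		v, err := ParseCents(in)
		fmt.Printf("%-26q -> %d, %v\n", in, v, err)
	}
}
```

Counting sign and currency characters separately is what turns "--$100" from a generic failure into a message that names the duplicate sign, and doing the magnitude arithmetic in uint64 is what lets FormatCents(math.MinInt64) parse back without a wrap.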

Metadata

    Labels

    bug (Something isn't working), data (Data layer, models, database)