Add message retention and hide emails by default

- db: cleanup_old_messages(days) purges messages older than N days in
  batches; recipients/reads/deliveries/reactions follow via ON DELETE
  CASCADE. Returns attachment file_ids no longer referenced by any
  surviving message (forwarded copies keep their files) and removes
  their image_uploads rows
- server: MESSAGE_RETENTION_DAYS env var (default 0 = keep forever);
  hourly cleanup deletes expired messages and securely removes orphaned
  attachment blobs from the upload dir
- schema: email_visible now defaults to 0 — previously any logged-in
  user who knew a UUID could read another user's email via get_profile
- migrations: SQL script to apply the new default and reset the flag on
  existing databases (run manually, see file header)
- docker-compose: document MESSAGE_RETENTION_DAYS

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

migrations/2026-06-12_email_visible_default_off.sql

@@ -0,0 +1,17 @@
+-- Privacy hardening: hide email addresses by default.
+--
+-- Previously email_visible defaulted to 1, so any logged-in user who knew
+-- (or guessed) a UUID could read another user's email via get_profile.
+-- New installs get DEFAULT 0 from schema.sql; this migration fixes
+-- EXISTING databases.
+--
+-- Run manually against the encrypted_chat database:
+--   mysql -u chat -p encrypted_chat < migrations/2026-06-12_email_visible_default_off.sql
+--
+-- NOTE: the UPDATE resets the flag for ALL users, including any who
+-- explicitly opted in to a visible email. Users who want their email
+-- visible must re-enable it in their profile settings.
+
+ALTER TABLE user_profiles ALTER COLUMN email_visible SET DEFAULT 0;
+
+UPDATE user_profiles SET email_visible = 0 WHERE email_visible = 1;