-- Privacy hardening: hide email addresses by default.
--
-- Previously email_visible defaulted to 1, so any logged-in user who knew
-- (or guessed) a UUID could read another user's email via get_profile.
-- New installs get DEFAULT 0 from schema.sql; this migration fixes
-- EXISTING databases.
--
-- Run manually against the encrypted_chat database:
--   mysql -u chat -p encrypted_chat < migrations/2026-06-12_email_visible_default_off.sql
--
-- NOTE: the UPDATE resets the flag for ALL users, including any who
-- explicitly opted in to a visible email. Users who want their email
-- visible must re-enable it in their profile settings.

ALTER TABLE user_profiles ALTER COLUMN email_visible SET DEFAULT 0;

UPDATE user_profiles SET email_visible = 0 WHERE email_visible = 1;