+++
title = "quotesdb/api: hidden flag for quotes (schema migration + endpoints)"
priority = 5
status = "done"
ticket_type = "feature"
dependencies = []
+++
## Summary
Add a boolean hidden flag to quotes. Hidden quotes are excluded from listing endpoints and require direct URL access. Changing a quote from hidden to public requires the auth code.

## Schema Migration
Add column to quotes table:
```sql
ALTER TABLE quotes ADD COLUMN hidden INTEGER NOT NULL DEFAULT 0;
```

## API Changes
- GET /api/quotes — filter out hidden=1 quotes by default
- GET /api/quotes/random — exclude hidden quotes
- GET /api/quotes/:id — return hidden quotes (direct access allowed)
- PUT /api/quotes — new quotes default to hidden=0 (not hidden)
- POST /api/quotes/:id — allow toggling hidden field; requires X-Auth-Code header
  - Changing hidden=1 → hidden=0 (unhide) requires valid auth code
  - Changing hidden=0 → hidden=1 (hide) also requires valid auth code
- The quote response body should include the hidden field

## Acceptance Criteria
- [ ] Schema migration applied
- [ ] Listing endpoints exclude hidden quotes
- [ ] Direct quote access (/api/quotes/:id) works for hidden quotes
- [ ] Toggle hidden requires valid X-Auth-Code (403 on mismatch)
- [ ] All existing tests pass

## Validation
```sh
cargo fmt && cargo check && cargo clippy && cargo test
```