feat(p0): complete account security privacy and sync hardening

tests/test_auth_flow.py

@@ -371,3 +371,100 @@ async def test_password_reset_flow_replaces_password_and_invalidates_old_passwor
         json={"email": payload["email"], "password": new_password},
     )
     assert new_login.status_code == 200
+
+
+async def test_check_email_status_reflects_verification_and_twofa_state(client, db_session):
+    payload = {
+        "email": "status_flow@example.com",
+        "name": "Status Flow",
+        "username": "status_flow",
+        "password": "strongpass123",
+    }
+    register_response = await client.post("/api/v1/auth/register", json=payload)
+    assert register_response.status_code == 201
+
+    status_before_verify = await client.get("/api/v1/auth/check-email", params={"email": payload["email"]})
+    assert status_before_verify.status_code == 200
+    body_before = status_before_verify.json()
+    assert body_before["registered"] is True
+    assert body_before["email_verified"] is False
+    assert body_before["twofa_enabled"] is False
+
+    token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    verify_token = token_row.scalar_one().token
+    verify_response = await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
+    assert verify_response.status_code == 200
+
+    login_response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"]},
+    )
+    assert login_response.status_code == 200
+    access_token = login_response.json()["access_token"]
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    setup_response = await client.post("/api/v1/auth/2fa/setup", headers=headers)
+    assert setup_response.status_code == 200
+    secret = setup_response.json()["secret"]
+    enable_response = await client.post("/api/v1/auth/2fa/enable", headers=headers, json={"code": _totp_code(secret)})
+    assert enable_response.status_code == 200
+
+    status_after_enable = await client.get("/api/v1/auth/check-email", params={"email": payload["email"]})
+    assert status_after_enable.status_code == 200
+    body_after = status_after_enable.json()
+    assert body_after["registered"] is True
+    assert body_after["email_verified"] is True
+    assert body_after["twofa_enabled"] is True
+
+
+async def test_disable_twofa_clears_recovery_codes_and_allows_password_login_without_otp(client, db_session):
+    payload = {
+        "email": "disable_twofa@example.com",
+        "name": "Disable Twofa",
+        "username": "disable_twofa",
+        "password": "strongpass123",
+    }
+    await client.post("/api/v1/auth/register", json=payload)
+    token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    verify_token = token_row.scalar_one().token
+    await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
+
+    login_response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"]},
+    )
+    assert login_response.status_code == 200
+    access_token = login_response.json()["access_token"]
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    setup_response = await client.post("/api/v1/auth/2fa/setup", headers=headers)
+    assert setup_response.status_code == 200
+    secret = setup_response.json()["secret"]
+
+    enable_response = await client.post("/api/v1/auth/2fa/enable", headers=headers, json={"code": _totp_code(secret)})
+    assert enable_response.status_code == 200
+
+    regen_response = await client.post(
+        "/api/v1/auth/2fa/recovery-codes/regenerate",
+        headers=headers,
+        json={"code": _totp_code(secret)},
+    )
+    assert regen_response.status_code == 200
+    assert len(regen_response.json()["codes"]) >= 1
+
+    disable_response = await client.post(
+        "/api/v1/auth/2fa/disable",
+        headers=headers,
+        json={"code": _totp_code(secret)},
+    )
+    assert disable_response.status_code == 200
+
+    status_after_disable = await client.get("/api/v1/auth/2fa/recovery-codes/status", headers=headers)
+    assert status_after_disable.status_code == 200
+    assert status_after_disable.json()["remaining_codes"] == 0
+
+    plain_login_after_disable = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"]},
+    )
+    assert plain_login_after_disable.status_code == 200

tests/test_chat_message_flow.py

@@ -301,6 +301,73 @@ async def test_archive_and_pin_chat_are_user_scoped(client, db_session):
     assert u2_row_after_u1_archive["archived"] is False
 
 
+async def test_create_private_chat_is_visible_to_other_member_in_chat_list(client, db_session):
+    u1 = await _create_verified_user(client, db_session, "sync_create_u1@example.com", "sync_create_u1", "strongpass123")
+    u2 = await _create_verified_user(client, db_session, "sync_create_u2@example.com", "sync_create_u2", "strongpass123")
+
+    me_u2 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u2['access_token']}"})
+    u2_id = me_u2.json()["id"]
+
+    create_chat_response = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_response.status_code == 200
+    chat_id = create_chat_response.json()["id"]
+
+    u2_chats = await client.get(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+    )
+    assert u2_chats.status_code == 200
+    assert any(item["id"] == chat_id for item in u2_chats.json())
+
+
+async def test_clear_chat_hides_messages_only_for_requesting_user(client, db_session):
+    u1 = await _create_verified_user(client, db_session, "sync_clear_u1@example.com", "sync_clear_u1", "strongpass123")
+    u2 = await _create_verified_user(client, db_session, "sync_clear_u2@example.com", "sync_clear_u2", "strongpass123")
+
+    me_u2 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u2['access_token']}"})
+    u2_id = me_u2.json()["id"]
+
+    create_chat_response = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_response.status_code == 200
+    chat_id = create_chat_response.json()["id"]
+
+    send_message_response = await client.post(
+        "/api/v1/messages",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"chat_id": chat_id, "type": "text", "text": "sync clear message"},
+    )
+    assert send_message_response.status_code == 201
+
+    clear_response = await client.post(
+        f"/api/v1/chats/{chat_id}/clear",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+    )
+    assert clear_response.status_code == 204
+
+    u1_messages = await client.get(
+        f"/api/v1/messages/{chat_id}",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+    )
+    assert u1_messages.status_code == 200
+    assert u1_messages.json() == []
+
+    u2_messages = await client.get(
+        f"/api/v1/messages/{chat_id}",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+    )
+    assert u2_messages.status_code == 200
+    assert len(u2_messages.json()) == 1
+    assert u2_messages.json()[0]["text"] == "sync clear message"
+
+
 async def test_private_chat_respects_contacts_only_policy(client, db_session):
     u1 = await _create_verified_user(client, db_session, "pm_u1@example.com", "pm_user_one", "strongpass123")
     u2 = await _create_verified_user(client, db_session, "pm_u2@example.com", "pm_user_two", "strongpass123")