privacy/security: add PM privacy levels and improve session visibility

docs/api-reference.md

@@ -109,6 +109,19 @@ For `/health/ready` failure:
 }
 ```
 
+### SessionRead
+
+```json
+{
+  "jti": "uuid",
+  "created_at": "2026-03-08T10:00:00Z",
+  "ip_address": "127.0.0.1",
+  "user_agent": "Mozilla/5.0 ...",
+  "current": false,
+  "token_type": "refresh"
+}
+```
+
 ### AuthUserResponse
 
 ```json
@@ -121,6 +134,11 @@ For `/health/ready` failure:
   "avatar_url": "https://...",
   "email_verified": true,
   "twofa_enabled": false,
+  "allow_private_messages": true,
+  "privacy_private_messages": "everyone",
+  "privacy_last_seen": "everyone",
+  "privacy_avatar": "everyone",
+  "privacy_group_invites": "everyone",
   "created_at": "2026-03-08T10:00:00Z",
   "updated_at": "2026-03-08T10:00:00Z"
 }
@@ -140,6 +158,10 @@ For `/health/ready` failure:
   "bio": "optional",
   "email_verified": true,
   "allow_private_messages": true,
+  "privacy_private_messages": "everyone",
+  "privacy_last_seen": "everyone",
+  "privacy_avatar": "everyone",
+  "privacy_group_invites": "everyone",
   "twofa_enabled": false,
   "created_at": "2026-03-08T10:00:00Z",
   "updated_at": "2026-03-08T10:00:00Z"
@@ -166,11 +188,16 @@ For `/health/ready` failure:
   "username": "new_username",
   "bio": "new bio",
   "avatar_url": "https://...",
-  "allow_private_messages": true
+  "allow_private_messages": true,
+  "privacy_private_messages": "contacts",
+  "privacy_last_seen": "contacts",
+  "privacy_avatar": "everyone",
+  "privacy_group_invites": "contacts"
 }
 ```
 
 All fields are optional.
+`privacy_private_messages`: `everyone | contacts | nobody`.
 
 ## 3.3 Chats
 
@@ -500,7 +527,8 @@ Response: `200` + `AuthUserResponse`
 ### GET `/api/v1/auth/sessions`
 
 Auth required.  
-Response: `200` + `SessionRead[]`
+Response: `200` + `SessionRead[]`  
+Note: list includes refresh sessions and a synthetic current access-token session (`token_type=access`) for stable UI visibility.
 
 ### DELETE `/api/v1/auth/sessions/{jti}`
 

docs/core-checklist-status.md

@@ -37,8 +37,8 @@ Legend:
 28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra)
 29. Archive - `DONE`
 30. Blacklist - `DONE`
-31. Privacy - `PARTIAL` (PM permission + block; full matrix controls still limited)
-32. Security - `PARTIAL` (sessions + revoke + 2FA base; revoke-all now invalidates active access tokens, UX/TOTP flow ongoing)
+31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; remaining edge UX/matrix hardening)
+32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; UX/TOTP recovery flow ongoing)
 33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates)
 34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages)
 35. Additional - `PARTIAL` (drafts/link preview partial/autoload media basic)