test(privacy): enforce nobody private message policy

docs/core-checklist-status.md

@@ -37,7 +37,7 @@ Legend:
 28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra)
 29. Archive - `DONE`
 30. Blacklist - `DONE`
-31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; integration tests cover search + private chat counterpart visibility for `nobody/contacts`, remaining UX/matrix hardening)
+31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; integration tests cover PM policy `contacts/nobody` and private chat counterpart visibility for `nobody/contacts`, remaining UX/matrix hardening)
 32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; revoke-all now force-disconnects active realtime sessions; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added; UX polish ongoing)
 33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates + chat_deleted)
 34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel hot-refreshes on `chat_updated`, delete/leave updates realtime subscriptions, full-chat delete emits `chat_deleted`)

tests/test_chat_message_flow.py

@@ -98,6 +98,43 @@ async def test_private_chat_respects_contacts_only_policy(client, db_session):
     assert create_chat_allowed.status_code == 200
 
 
+async def test_private_chat_respects_nobody_policy(client, db_session):
+    u1 = await _create_verified_user(client, db_session, "pm_nobody_u1@example.com", "pm_nobody_u1", "strongpass123")
+    u2 = await _create_verified_user(client, db_session, "pm_nobody_u2@example.com", "pm_nobody_u2", "strongpass123")
+
+    me_u1 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u1['access_token']}"})
+    u1_id = me_u1.json()["id"]
+
+    set_nobody = await client.put(
+        "/api/v1/users/profile",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+        json={"privacy_private_messages": "nobody"},
+    )
+    assert set_nobody.status_code == 200
+
+    me_u2 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u2['access_token']}"})
+    u2_id = me_u2.json()["id"]
+    create_chat_blocked = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_blocked.status_code == 403
+
+    add_contact = await client.post(
+        f"/api/v1/users/{u1_id}/contacts",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+    )
+    assert add_contact.status_code == 204
+
+    create_chat_still_blocked = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_still_blocked.status_code == 403
+
+
 async def test_group_ban_blocks_rejoin(client, db_session):
     owner = await _create_verified_user(client, db_session, "ban_owner@example.com", "ban_owner", "strongpass123")
     member = await _create_verified_user(client, db_session, "ban_member@example.com", "ban_member", "strongpass123")