test(privacy): cover hidden avatar and last-seen in private chat list

docs/core-checklist-status.md

@@ -37,7 +37,7 @@ Legend:
 28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra)
 29. Archive - `DONE`
 30. Blacklist - `DONE`
-31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; policy behavior covered by integration tests, remaining UX/matrix hardening)
+31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; integration tests cover search + private chat counterpart visibility, remaining UX/matrix hardening)
 32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; revoke-all now force-disconnects active realtime sessions; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added; UX polish ongoing)
 33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates + chat_deleted)
 34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel hot-refreshes on `chat_updated`, delete/leave updates realtime subscriptions, full-chat delete emits `chat_deleted`)

tests/test_chat_message_flow.py

@@ -244,3 +244,41 @@ async def test_avatar_privacy_hidden_from_other_users_search(client, db_session)
     owner_row = next((item for item in rows if item["username"] == "avatar_owner"), None)
     assert owner_row is not None
     assert owner_row["avatar_url"] is None
+
+
+async def test_private_chat_hides_counterpart_presence_and_avatar_by_privacy(client, db_session):
+    owner = await _create_verified_user(client, db_session, "privacy_owner@example.com", "privacy_owner", "strongpass123")
+    viewer = await _create_verified_user(client, db_session, "privacy_viewer@example.com", "privacy_viewer", "strongpass123")
+
+    me_owner = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {owner['access_token']}"})
+    owner_id = me_owner.json()["id"]
+
+    set_privacy = await client.put(
+        "/api/v1/users/profile",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={
+            "avatar_url": "https://cdn.example.com/privacy-owner.png",
+            "privacy_avatar": "nobody",
+            "privacy_last_seen": "nobody",
+        },
+    )
+    assert set_privacy.status_code == 200
+
+    create_chat = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {viewer['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [owner_id]},
+    )
+    assert create_chat.status_code == 200
+    chat_id = create_chat.json()["id"]
+
+    viewer_chats = await client.get(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {viewer['access_token']}"},
+    )
+    assert viewer_chats.status_code == 200
+    row = next((chat for chat in viewer_chats.json() if chat["id"] == chat_id), None)
+    assert row is not None
+    assert row["counterpart_avatar_url"] is None
+    assert row["counterpart_is_online"] is None
+    assert row["counterpart_last_seen_at"] is None