feat: add GET/POST /user/privacy to read and set privacy settings

[ThiagoBauken]

What

Exposes whatsmeow's privacy settings through two endpoints, following the same shape as the existing /user/* handlers:

Method	Route	Purpose
GET	/user/privacy	return the account's current privacy settings
POST	/user/privacy	update a single setting — body {"Name":"...","Value":"..."}

Example

# read
curl -H "token: $TOKEN" http://localhost:8080/user/privacy

# set "last seen" to contacts only
curl -X POST -H "token: $TOKEN" -H "Content-Type: application/json" \
     -d '{"Name":"last","Value":"contacts"}' http://localhost:8080/user/privacy

Validation

Input is checked before it reaches the server. validatePrivacySetting verifies the name is supported and the value is allowed for that name, using the matrix documented in whatsmeow's types (groupadd/last/status/profile → all|contacts|contact_blacklist|none, readreceipts → all|none, online → all|match_last_seen, calladd → all|known).

The exposed set is deliberately the seven settings that whatsmeow's (*Client).SetPrivacySetting round-trips into the returned/cached PrivacySettings. The protocol also defines messages/defense/stickers, but whatsmeow's setter has no switch case for them — a change would be sent to the server yet not reflected back in the response or cache — so they're intentionally rejected. A test locks that boundary (using values that are valid per the matrix, to prove the rejection is by name, not value). Easy to extend if whatsmeow adds those cases upstream.

Testing

• Unit: TestValidatePrivacySetting — 20 cases (valid combos, invalid values, the deliberately-excluded names, unknown/empty).
• Integration: TestPrivacyEndpoints — drives GET and POST through the real router + auth middleware, asserting both routes are wired (not 404) and auth passes (not 401).
• go vet ./..., go test ./..., and a GOOS=linux build/test-binary all green.

Notes

• Purely additive — two new routes, no change to existing behavior.
• Docs added to API.md and static/api/spec.yml.
• +308 / -0.

[gemini-code-assist]

Code Review

This pull request introduces endpoints to get and set user privacy settings (GET /user/privacy and POST /user/privacy). It includes input validation against supported WhatsApp privacy settings, handler implementations, route registration, comprehensive unit tests, and updated API documentation in both API.md and the OpenAPI specification. I have no feedback to provide as there are no review comments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.