rename privacy "private" → "unlisted"; enable GPS for unlisted

- "unlisted" = not shown in the public feed, but GPS track, timeseries
  and detail JSON are all accessible by direct URL (security by obscurity)
- "private" accepted as legacy alias everywhere (backward compat with
  existing data on disk)
- New writes from Strava sync / ZIP upload / sidecar use "unlisted"
- Only "no_gps" now suppresses the GPS track
- isUnlisted() helper in format.ts used by all Svelte/Astro components
- SCHEMA.md and CLAUDE.md document the privacy model and the distinction
  between "unlisted" and "no_gps"

bincio/edit/server.py

@@ -183,7 +183,7 @@ textarea { resize: vertical; min-height: 140px; }
             <input type="checkbox" id="highlight" name="highlight"> Highlight in feed
           </label>
           <label class="toggle" id="toggle-private">
-            <input type="checkbox" id="private" name="private"> Private (hide from feed)
+            <input type="checkbox" id="private" name="private"> Unlisted (hide from feed)
           </label>
         </div>
       </div>

bincio/extract/strava_api.py

@@ -201,7 +201,7 @@ def strava_to_parsed(meta: dict, streams: dict) -> ParsedActivity:
     source = f"strava:{meta['id']}"
     source_hash = "sha256:" + hashlib.sha256(source.encode()).hexdigest()
 
-    # Map Strava visibility to BAS privacy: only_me → private, everything else → public
+    # Map Strava visibility to BAS privacy: only_me → unlisted, everything else → public
     visibility = meta.get("visibility") or ""
     is_private = meta.get("private", False) or visibility == "only_me"
 
@@ -214,5 +214,5 @@ def strava_to_parsed(meta: dict, streams: dict) -> ParsedActivity:
         title=meta.get("name") or None,
         description=meta.get("description") or None,
         strava_id=str(meta["id"]),
-        privacy="private" if is_private else "public",
+        privacy="unlisted" if is_private else "public",
     )

bincio/extract/timeseries.py

@@ -14,13 +14,14 @@ def build_timeseries(
 ) -> dict:
     """Return the BAS `timeseries` object.
 
-    privacy='no_gps' or 'private' → lat/lon set to null.
+    privacy='no_gps' → lat/lon set to null. All other privacy levels
+    (including 'unlisted') retain GPS in the timeseries.
     Downsamples so at most one point per second is emitted.
     """
     if not points:
         return {"t": []}
 
-    include_gps = privacy not in ("no_gps", "private")
+    include_gps = privacy not in ("no_gps", "private")  # "private" = legacy alias for "unlisted"
 
     # Downsample: keep at most one point per second
     sampled: list[DataPoint] = []

bincio/extract/writer.py

@@ -48,7 +48,10 @@ def write_activity(
     acts_dir.mkdir(parents=True, exist_ok=True)
 
     source = _infer_source(activity)
-    has_gps = metrics.bbox is not None and privacy not in ("no_gps", "private")
+    # "unlisted" activities keep their GPS track (not in the public feed, but the
+    # URL is not secret — same model as the detail JSON). Only "no_gps" suppresses
+    # the track. "private" is the legacy alias for "unlisted".
+    has_gps = metrics.bbox is not None and privacy not in ("no_gps",)
 
     # Build timeseries once — written to a separate file to keep detail JSON small.
     # Treat an empty timeseries (no points) as None so no file is created.
@@ -220,7 +223,7 @@ def build_summary(
     privacy: str = "public",
 ) -> dict:
     """Build the Activity Summary object for index.json."""
-    has_gps = metrics.bbox is not None and privacy not in ("no_gps", "private")
+    has_gps = metrics.bbox is not None and privacy not in ("no_gps",)
     return {
         "id": activity_id,
         "title": activity.title or _auto_title(activity),

bincio/render/merge.py

@@ -49,7 +49,7 @@ def apply_sidecar(detail: dict, fm: dict, body: str) -> dict:
     if "highlight" in fm:
         d["custom"]["highlight"] = bool(fm["highlight"])
     if "private" in fm:
-        d["privacy"] = "private" if fm["private"] else detail.get("privacy", "public")
+        d["privacy"] = "unlisted" if fm["private"] else detail.get("privacy", "public")
     if "hide_stats" in fm:
         d["custom"]["hide_stats"] = [str(s) for s in (fm["hide_stats"] or [])]
 
@@ -69,7 +69,7 @@ def _apply_sidecar_summary(summary: dict, fm: dict) -> dict:
     if "highlight" in fm:
         s["custom"]["highlight"] = bool(fm["highlight"])
     if "private" in fm:
-        s["privacy"] = "private" if fm["private"] else summary.get("privacy", "public")
+        s["privacy"] = "unlisted" if fm["private"] else summary.get("privacy", "public")
 
     return s
 
@@ -260,10 +260,10 @@ def merge_all(data_dir: Path) -> int:
                 s = _apply_sidecar_summary(s, fm)
             activities.append(s)
 
-        # Drop private activities from the published feed
-        # Sort: newest first, then bring highlighted activities to the top
-        # Private activities are kept in the index so the owner can see them;
-        # the feed UI filters them out for non-owners client-side.
+        # "unlisted" (and legacy "private") activities are kept in the index so
+        # the owner can reach them by direct URL; the feed UI filters them out
+        # for non-owners client-side.
+        # Sort: newest first, then bring highlighted activities to the top.
         activities.sort(key=lambda a: a.get("started_at", ""), reverse=True)
         activities.sort(key=lambda a: 0 if a.get("custom", {}).get("highlight") else 1)
 

bincio/serve/server.py

@@ -879,7 +879,7 @@ async def upload_strava_zip(
     if not file.filename or not file.filename.lower().endswith(".zip"):
         raise HTTPException(400, "Please upload a .zip file")
 
-    privacy = "private" if private.lower() in ("true", "1", "yes") else "public"
+    privacy = "unlisted" if private.lower() in ("true", "1", "yes") else "public"
 
     dd = _get_data_dir() / user.handle
     import tempfile