feat(plan-59 Phase 5a): Contact.aggregateCmc + CMC types

Phase 5a keystone — patient-side Contact built from CMC primitives,
no legacy CollectorClient dependency.

- New types: CmcCounterpartyAccess, CmcAcceptedRelationship, CmcRelationship.
- New fields on Contact: counterparty, kind ('person'|'service'|'unknown'),
  cmcRelationships[].
- New getters: cmcIsActive, cmcHasChat, cmcChatStreams, cmcAllPermissions.
- New static aggregator: Contact.aggregateCmc(accesses, accepts, scope) — groups
  patient-side counterparty accesses by (username, host) into Contacts.
- Q-C1 lock applied: cmcDetectKind uses 'hds-bridge-' prefix on appCode.
- Q-C2 lock applied: accept events without a matching access are dropped
  (ghosts from doctor-side revoke); access is source of truth.
- Q-C4 lock applied: aggregator pulls counterparty apiEndpoint + remote
  stream ids from access.clientData.cmc.counterparty (not accept events).

Tests: 12 new specs (CTM1-CTMC) cover detection, grouping, ghost filtering,
dedup, chat filtering. 501/501 pass; tsc clean.

Design briefs:
- _plans/59-pryv-cmc-integration-atwork/design-briefs/contact-cmc.md (Q-C1..C5
  resolved + design-only Q-C3 proposed).
- _plans/59-pryv-cmc-integration-atwork/design-briefs/formspec.md (Q-F1..F3
  resolved + design-only Q-F4..F7 proposed).

Legacy CollectorClient path untouched — Phase 10 deletion.

Author: perki

tests/contact.test.js

@@ -428,4 +428,169 @@ describe('[CTCT] Contact class', function () {
       assert.equal(c.collectorClients.length, 1);
     });
   });
+
+  // ---- Plan 59 Phase 5a — CMC aggregator ---- //
+
+  describe('[CTCM] CMC Contact aggregator', function () {
+    const SCOPE = ':_cmc:apps:hds-patient';
+
+    function counterpartyAccess (overrides = {}) {
+      const cp = {
+        username: 'drandy',
+        host: 'demo.datasafe.dev',
+        apiEndpoint: 'https://abctoken@drandy.demo.datasafe.dev/',
+        remoteChatStreamId: ':_cmc:apps:hds-collector:foo:chats:pthdstest--demo-datasafe-dev',
+        remoteCollectorStreamId: ':_cmc:apps:hds-collector:foo:collectors:pthdstest--demo-datasafe-dev',
+        ...(overrides.counterpartyOverrides || {})
+      };
+      const cmc = {
+        role: 'counterparty',
+        appCode: 'hds-collector',
+        features: { chat: true, systemMessaging: true },
+        counterparty: cp,
+        ...(overrides.cmcOverrides || {})
+      };
+      return {
+        id: overrides.id || 'acc-cp-1',
+        apiEndpoint: 'irrelevant',
+        permissions: overrides.permissions ?? [{ streamId: 'health', level: 'read' }],
+        deleted: overrides.deleted ?? null,
+        clientData: { cmc }
+      };
+    }
+
+    function acceptEvent (overrides = {}) {
+      return {
+        acceptEventId: overrides.acceptEventId || 'evt-accept-1',
+        counterparty: overrides.counterparty || { username: 'drandy', host: 'demo.datasafe.dev' },
+        appCode: overrides.appCode || 'hds-collector',
+        scopeStreamId: SCOPE,
+        acceptedAt: overrides.acceptedAt ?? 1716000000,
+        features: overrides.features || { chat: true, systemMessaging: true },
+        backChannelAccessId: overrides.backChannelAccessId || 'acc-cp-1'
+      };
+    }
+
+    it('[CTM1] cmcDetectKind splits person vs service by hds-bridge- prefix', () => {
+      assert.equal(Contact.cmcDetectKind('hds-collector'), 'person');
+      assert.equal(Contact.cmcDetectKind('hds-patient'), 'person');
+      assert.equal(Contact.cmcDetectKind('hds-bridge-mira'), 'service');
+      assert.equal(Contact.cmcDetectKind('hds-bridge-athenahealth'), 'service');
+      assert.equal(Contact.cmcDetectKind(null), 'unknown');
+      assert.equal(Contact.cmcDetectKind(undefined), 'unknown');
+      assert.equal(Contact.cmcDetectKind(''), 'unknown');
+    });
+
+    it('[CTM2] aggregateCmc returns empty when no counterparty accesses', () => {
+      const out = Contact.aggregateCmc([], [], SCOPE);
+      assert.deepEqual(out, []);
+    });
+
+    it('[CTM3] aggregateCmc skips deleted accesses', () => {
+      const a = counterpartyAccess({ deleted: { reason: 'revoked' } });
+      const out = Contact.aggregateCmc([a], [acceptEvent()], SCOPE);
+      assert.deepEqual(out, []);
+    });
+
+    it('[CTM4] aggregateCmc skips accesses without cmc.role === counterparty', () => {
+      const a = counterpartyAccess({ cmcOverrides: { role: 'requester' } });
+      const out = Contact.aggregateCmc([a], [], SCOPE);
+      assert.deepEqual(out, []);
+    });
+
+    it('[CTM5] aggregateCmc builds one Contact + one relationship from one access', () => {
+      const a = counterpartyAccess();
+      const out = Contact.aggregateCmc([a], [acceptEvent()], SCOPE);
+      assert.equal(out.length, 1);
+      const c = out[0];
+      assert.equal(c.counterparty.username, 'drandy');
+      assert.equal(c.counterparty.host, 'demo.datasafe.dev');
+      assert.equal(c.kind, 'person');
+      assert.equal(c.cmcRelationships.length, 1);
+      const rel = c.cmcRelationships[0];
+      assert.equal(rel.accessId, 'acc-cp-1');
+      assert.equal(rel.acceptEventId, 'evt-accept-1');
+      assert.equal(rel.counterpartyApiEndpoint, 'https://abctoken@drandy.demo.datasafe.dev/');
+      assert.equal(rel.appCode, 'hds-collector');
+      assert.deepEqual(rel.features, { chat: true, systemMessaging: true });
+      assert.equal(rel.acceptedAt, 1716000000);
+      // Local chat stream uses cmc.counterpartySlug (lowercase + host dots → hyphens, port stripped)
+      assert.equal(rel.localChatStreamId, ':_cmc:apps:hds-patient:chats:drandy--demo-datasafe-dev');
+    });
+
+    it('[CTM6] aggregateCmc groups multiple accesses from the same counterparty into one Contact', () => {
+      const a1 = counterpartyAccess({ id: 'acc-cp-1' });
+      const a2 = counterpartyAccess({ id: 'acc-cp-2', permissions: [{ streamId: 'sleep', level: 'read' }] });
+      const out = Contact.aggregateCmc([a1, a2], [acceptEvent()], SCOPE);
+      assert.equal(out.length, 1);
+      assert.equal(out[0].cmcRelationships.length, 2);
+    });
+
+    it('[CTM7] aggregateCmc puts different counterparties into different Contacts', () => {
+      const a1 = counterpartyAccess({ id: 'acc-cp-1' });
+      const a2 = counterpartyAccess({
+        id: 'acc-cp-2',
+        counterpartyOverrides: { username: 'drother', host: 'demo.datasafe.dev' }
+      });
+      const out = Contact.aggregateCmc([a1, a2], [], SCOPE);
+      assert.equal(out.length, 2);
+    });
+
+    it('[CTM8] aggregateCmc marks bridge contacts as kind=service', () => {
+      const a = counterpartyAccess({
+        cmcOverrides: { appCode: 'hds-bridge-mira', features: { chat: false } },
+        counterpartyOverrides: { username: 'bridgemiratest', host: 'demo.datasafe.dev' }
+      });
+      const out = Contact.aggregateCmc([a], [], SCOPE);
+      assert.equal(out.length, 1);
+      assert.equal(out[0].kind, 'service');
+      assert.equal(out[0].counterparty.username, 'bridgemiratest');
+    });
+
+    it('[CTM9] aggregateCmc tolerates missing accept events (acceptedAt: null)', () => {
+      const a = counterpartyAccess();
+      const out = Contact.aggregateCmc([a], [], SCOPE);
+      assert.equal(out.length, 1);
+      assert.equal(out[0].cmcRelationships[0].acceptedAt, null);
+      assert.equal(out[0].cmcRelationships[0].acceptEventId, null);
+    });
+
+    it('[CTMA] aggregateCmc drops ghost accept events (Q-C2): accepts without matching access', () => {
+      // Doctor revoked → patient access deleted, but the accept event still exists.
+      // aggregator must not create a Contact from the ghost accept event.
+      const out = Contact.aggregateCmc([], [acceptEvent()], SCOPE);
+      assert.deepEqual(out, []);
+    });
+
+    it('[CTMB] cmcAllPermissions dedupes across relationships', () => {
+      const a1 = counterpartyAccess({
+        id: 'a1',
+        permissions: [{ streamId: 'health', level: 'read' }, { streamId: 'sleep', level: 'read' }]
+      });
+      const a2 = counterpartyAccess({
+        id: 'a2',
+        permissions: [{ streamId: 'sleep', level: 'read' }, { streamId: 'mood', level: 'contribute' }]
+      });
+      const out = Contact.aggregateCmc([a1, a2], [], SCOPE);
+      const perms = out[0].cmcAllPermissions;
+      assert.equal(perms.length, 3);
+      assert.deepEqual(perms.map(p => p.streamId).sort(), ['health', 'mood', 'sleep']);
+    });
+
+    it('[CTMC] cmcChatStreams only includes chat-enabled relationships', () => {
+      const a1 = counterpartyAccess({
+        id: 'a1',
+        cmcOverrides: { role: 'counterparty', appCode: 'hds-collector', features: { chat: true, systemMessaging: false }, counterparty: { username: 'drandy', host: 'demo.datasafe.dev', apiEndpoint: 'https://t@drandy.x/', remoteChatStreamId: 'r1', remoteCollectorStreamId: 'c1' } }
+      });
+      const a2 = counterpartyAccess({
+        id: 'a2',
+        cmcOverrides: { role: 'counterparty', appCode: 'hds-collector', features: { chat: false }, counterparty: { username: 'drandy', host: 'demo.datasafe.dev', apiEndpoint: 'https://t@drandy.x/', remoteChatStreamId: null, remoteCollectorStreamId: null } }
+      });
+      const out = Contact.aggregateCmc([a1, a2], [], SCOPE);
+      const streams = out[0].cmcChatStreams;
+      assert.equal(streams.length, 1);
+      assert.equal(streams[0].read, 'r1');
+      assert.equal(streams[0].accessId, 'a1');
+    });
+  });
 });