pryv 3.4.1 → 3.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pryv",
-  "version": "3.4.1",
+  "version": "3.6.0",
   "description": "Pryv JavaScript library",
   "keywords": [
     "Pryv",

package/src/Auth/AuthController.js

@@ -22,8 +22,15 @@ class AuthController {
     validateSettings.call(this, settings);
 
     this.stateChangeListeners = [];
+    // External `onStateChange` callers only see `{ status, id, key, serviceInfo? }`
+    // on AUTHORIZED — credentials (`username`, `token`, `apiEndpoint`) stay
+    // inside the lib. Internal listeners (e.g. LoginButton, for cookie
+    // autologin) get the full unfiltered state.
     if (this.settings.onStateChange) {
-      this.stateChangeListeners.push(this.settings.onStateChange);
+      const externalListener = this.settings.onStateChange;
+      this.stateChangeListeners.push(function (state) {
+        externalListener(filterForExternalListener(state));
+      });
     }
     this.service = service;
 
@@ -166,6 +173,10 @@ class AuthController {
   async startAuthRequest () {
     // @ts-ignore - postAccess uses .call(this) for context
     this.state = await postAccess.call(this);
+    // Remember the polling key so listeners on the terminal AUTHORIZED
+    // state can be handed `{ key, serviceInfo? }` (the polling response
+    // itself doesn't echo `key` back).
+    this._authFlowKey = this.state?.key;
 
     await doPolling.call(this);
 
@@ -205,6 +216,11 @@ class AuthController {
         // @ts-ignore - this is bound via .call()
         setTimeout(await doPolling.bind(this), this.state?.poll_rate_ms);
       } else {
+        // Carry the key forward — listeners on the narrow public surface
+        // need it, and the server doesn't echo it back on ACCEPTED.
+        if (this._authFlowKey != null && pollResponse.key == null) {
+          pollResponse.key = this._authFlowKey;
+        }
         this.state = pollResponse;
       }
 
@@ -245,6 +261,38 @@ class AuthController {
 
 // ----------- private methods -------------
 
+/**
+ * Narrow the state passed to *external* `onStateChange` callers so the
+ * calling app sees only `{ status, id, key, serviceInfo? }` on the
+ * terminal AUTHORIZED state reached through the auth-flow polling path.
+ * `username` / `token` / `apiEndpoint` are kept inside the lib; the
+ * calling app uses `pryv.connectFromKey(key, serviceInfoUrl)` to obtain
+ * a `Connection`.
+ *
+ * The cookie-autologin path (no fresh `key` available, restored from
+ * `LoginButton.getAuthorizationData()`) passes through unchanged so
+ * existing pages that build a `Connection` directly from the restored
+ * state on page load keep working.
+ *
+ * Non-AUTHORIZED states pass through unchanged so error messages /
+ * loading flags / etc. still reach the listener.
+ *
+ * @param {Object} state - full internal state
+ * @returns {Object} narrowed state
+ */
+function filterForExternalListener (state) {
+  if (state == null || state.status !== AuthStates.AUTHORIZED) {
+    return state;
+  }
+  // No key → cookie-autologin path; preserve existing shape.
+  if (state.key == null) {
+    return state;
+  }
+  const out = { status: state.status, id: state.id, key: state.key };
+  if (state.serviceInfo != null) out.serviceInfo = state.serviceInfo;
+  return out;
+}
+
 async function checkAutoLogin (authController) {
   const loginButton = authController.loginButton;
   if (loginButton == null) {

package/src/Connection.js

@@ -8,6 +8,7 @@ const libGetEventStreamed = require('./lib/getEventStreamed');
 const PryvError = require('./lib/PryvError');
 const StaleAccessIdError = require('./lib/StaleAccessIdError');
 const buildSearchParams = require('./lib/buildSearchParams');
+const resolveDotPath = require('./lib/resolveDotPath');
 
 /**
  * @class Connection
@@ -77,8 +78,8 @@ class Connection {
    * caches the result; subsequent calls return the cached copy in O(1).
    * Pass `forceRefresh: true` to invalidate the cache and fetch a fresh
    * copy from the server — used internally by `connection.socket` to
-   * react to Plan 66 `accessUpdated` server-push events. A failed
-   * server fetch leaves any prior cached value intact.
+   * react to `accessUpdated` server-push events. A failed server
+   * fetch leaves any prior cached value intact.
    *
    * @param {boolean} [forceRefresh=false] - bypass + refresh the cache
    * @returns {Promise<AccessInfo>} Promise resolving to the access info
@@ -350,6 +351,44 @@ class Connection {
     return res.body;
   }
 
+  /**
+   * Get the latest event per value for a content path — typical form-prefill
+   * lookup ("latest assertion per code"). Queries `events.get` with a
+   * `content` condition `{ path, in: values }` (server must support content
+   * queries — see `Service.supportsContentQueries()`), pages through the
+   * time-descending result and keeps the first (= latest) event per value.
+   * Handles paging internally, so the result is correct regardless of the
+   * default `events.get` page size.
+   * @param {string} path - dot-path into `content` (or `$` for the root value)
+   * @param {Array<string|number|boolean>} values - values to look up (one Map entry max per value)
+   * @param {Object} [baseQuery] - additional `events.get` params (e.g. `streams`, `types`, `fromTime`); passed through
+   * @returns {Promise<Map<string|number|boolean, Object>>} value → latest matching event; values with no match are absent
+   */
+  async getLatestByContent (path, values, baseQuery = {}) {
+    const PAGE_LIMIT = 1000;
+    const lookup = new Set(values);
+    const found = new Map();
+    const condition = { path, in: [...lookup] };
+    const content = (baseQuery.content || []).concat([condition]);
+    let skip = 0;
+    while (found.size < lookup.size) {
+      const params = Object.assign({}, baseQuery, {
+        content,
+        sortAscending: false,
+        skip,
+        limit: PAGE_LIMIT
+      });
+      const events = await this.apiOne('events.get', params, 'events');
+      for (const event of events) {
+        const value = resolveDotPath(event.content, path);
+        if (lookup.has(value) && !found.has(value)) found.set(value, event);
+      }
+      if (events.length < PAGE_LIMIT) break;
+      skip += events.length;
+    }
+    return found;
+  }
+
   /**
    * Create an event with attached file
    * NODE.jS ONLY
@@ -429,10 +468,10 @@ class Connection {
   }
 
   /**
-   * Plan 66 (open-pryv.io ≥ 2.0.0-pre.X): update an access by composite id.
-   * Wraps `accesses.update` and translates the 409 `stale-resource` response
-   * into a typed `StaleAccessIdError` so callers can `instanceof`-test and
-   * refetch + retry without re-parsing the inner error.
+   * Update an access by composite id (Pryv.io ≥ 2.0.0-pre.X). Wraps
+   * `accesses.update` and translates the 409 `stale-resource` response
+   * into a typed `StaleAccessIdError` so callers can `instanceof`-test
+   * and refetch + retry without re-parsing the inner error.
    *
    * Pass `id` as the wire-format reference returned by the server — bare
    * cuid on a never-updated access, composite `<base>:<serial>` otherwise.
@@ -456,8 +495,8 @@ class Connection {
   }
 
   /**
-   * Plan 66: fetch an access by composite id including its full version
-   * history (oldest first). Server: `accesses.getOne ?includeHistory=true`.
+   * Fetch an access by composite id including its full version history
+   * (oldest first). Server: `accesses.getOne ?includeHistory=true`.
    *
    * Useful for audit views. Pass the composite `<base>:<serial>` to
    * inspect a specific past version (the result's `current` field then

package/src/Service.js

@@ -80,6 +80,17 @@ class Service {
     return (infos.features == null || infos.features.noHF !== true);
   }
 
+  /**
+   * Whether the platform supports `events.get` content/clientData query
+   * conditions (`features.contentQueries` in service info). Older platforms
+   * reject the parameters with a 400 — use this to pick a fallback path.
+   * @returns {Promise<boolean>}
+   */
+  async supportsContentQueries () {
+    const infos = await this.info();
+    return infos.features != null && infos.features.contentQueries === true;
+  }
+
   /**
    * Check if a service has username in the hostname or in the path of the API.
    * @returns {Promise<boolean>} Promise resolving to true if the service does not rely on DNS to find a host related to a username
@@ -521,6 +532,40 @@ class Service {
     return body;
   }
 
+  /**
+   * Resolve a completed auth-flow polling key into a `Connection`.
+   *
+   * Pairs with `Service.startAccessRequest` / `Service.pollAccessRequest`
+   * and the headless polling pattern: the calling app holds only the
+   * `key` returned by the auth-flow (not the underlying token /
+   * apiEndpoint), and uses this method to build a working `Connection`.
+   *
+   * The implementation polls `<access>/<key>` once; the call MUST be
+   * made while the access is still in the ACCEPTED state (which
+   * persists until expiry — see `expireAfter` on the access request).
+   *
+   * @param {string} key - polling key from `startAccessRequest`
+   * @returns {Promise<Connection>}
+   * @throws {PryvError} if the key is not ACCEPTED (NEED_SIGNIN, REFUSED, ERROR)
+   */
+  async connectFromKey (key) {
+    if (!key) {
+      throw new PryvError('connectFromKey requires a key');
+    }
+    const body = await this.pollAccessRequest(key);
+    if (body.status !== 'ACCEPTED') {
+      throw new PryvError(
+        'connectFromKey: access is not ACCEPTED (status=' + body.status + ')'
+      );
+    }
+    if (!body.apiEndpoint) {
+      throw new PryvError(
+        'connectFromKey: ACCEPTED response missing apiEndpoint'
+      );
+    }
+    return new Connection(body.apiEndpoint, this);
+  }
+
   /**
    * Set a new password using a reset token (from the reset email).
    * Pre-auth — no login token required.
@@ -588,4 +633,5 @@ const Connection = require('./Connection');
  * @property {string} [assets.definitions] URL to json object with assets definitions
  * @property {Object} [features] Platform feature flags
  * @property {boolean} [features.noHF] True if HF data is not supported
+ * @property {boolean} [features.contentQueries] True if events.get content/clientData query conditions are supported
  */

package/src/index.d.ts

@@ -267,6 +267,22 @@ declare module 'pryv' {
     not?: Identifier[];
   };
 
+  /**
+   * Condition on a JSON path of events' `content` or `clientData`.
+   * `path` is a dot-path (segments: [a-zA-Z0-9_:-]) or `$` for the root
+   * value; exactly one operator per condition. Conditions AND together.
+   * Server support is advertised by `features.contentQueries` (see
+   * `Service.supportsContentQueries()`).
+   */
+  export type ContentQueryCondition = { path: string } & (
+    | { eq: string | number | boolean }
+    | { neq: string | number | boolean }
+    | { in: Array<string | number | boolean> }
+    | { exists: boolean }
+    | { gt: number } | { gte: number } | { lt: number } | { lte: number }
+    | { prefix: string }
+  );
+
   export type EventQueryParams = {
     fromTime: Timestamp;
     toTime: Timestamp;
@@ -280,6 +296,8 @@ declare module 'pryv' {
     state: 'default' | 'trashed' | 'all';
     modifiedSince: Timestamp;
     includeDeletion: boolean;
+    content: ContentQueryCondition[];
+    clientData: ContentQueryCondition[];
   };
 
   export type EventQueryParamsStreamQuery = Omit<EventQueryParams, 'streams'> & {
@@ -705,6 +723,15 @@ declare module 'pryv' {
       queryParams: Partial<EventQueryParamsStreamQuery>,
       forEachEvent: StreamedEventsHandler,
     ): Promise<StreamedEventsResult>;
+    /**
+     * Latest event per value for a content path (form-prefill lookup).
+     * Pages internally; requires server content-query support.
+     */
+    getLatestByContent(
+      path: string,
+      values: Array<string | number | boolean>,
+      baseQuery?: Partial<EventQueryParamsStreamQuery>,
+    ): Promise<Map<string | number | boolean, Event>>;
     createEventWithFile(
       params: EventFileCreationParams,
       filePath: string | Buffer | Blob,
@@ -725,9 +752,9 @@ declare module 'pryv' {
     ): Promise<HFSeriesAddResult>;
     /** Memoized; pass `forceRefresh: true` to bypass + refresh the cache. */
     accessInfo(forceRefresh?: boolean): Promise<AccessInfo>;
-    /** Plan 66: update an access by composite id. */
+    /** Update an access by composite id. */
     updateAccess(id: string, changes: object): Promise<object>;
-    /** Plan 66: fetch an access including its full version history. */
+    /** Fetch an access including its full version history. */
     getAccessWithHistory(id: string): Promise<{ access: object, current?: string, history?: object[] }>;
     revoke(throwOnFail?: boolean, usingConnection?: Connection): Promise<any>;
     readonly deltaTime: number;
@@ -826,6 +853,8 @@ declare module 'pryv' {
     ): Promise<Connection>;
 
     supportsHF(): Promise<boolean>;
+    /** Whether the platform supports events.get content/clientData query conditions. */
+    supportsContentQueries(): Promise<boolean>;
     isDnsLess(): Promise<boolean>;
 
     userExists(userId: string): Promise<boolean>;

package/src/index.js

@@ -11,11 +11,13 @@
  * @property {pryv.utils} utils - Exposes some utils for HTTP calls and tools to manipulate Pryv's API endpoints
  * @property {pryv.PryvError} PryvError - Custom error class with innerObject + structured API-error fields
  * @property {pryv.MfaRequiredError} MfaRequiredError - Thrown by Service.login when the platform returns an mfaToken instead of a token. Carries `.mfaToken`.
- * @property {pryv.StaleAccessIdError} StaleAccessIdError - Plan 66: thrown when a Pryv.io server rejects an `accesses.update` / `accesses.delete` with a 409 stale-resource. Refetch + retry.
+ * @property {pryv.StaleAccessIdError} StaleAccessIdError - Thrown when a Pryv.io server rejects an `accesses.update` / `accesses.delete` with a 409 stale-resource. Refetch + retry.
  * @property {Object} ERRORS - Catalogue of Pryv API error ids (mirrors open-pryv.io/components/errors)
  */
+const Service = require('./Service');
+
 module.exports = {
-  Service: require('./Service'),
+  Service,
   Connection: require('./Connection'),
   Auth: require('./Auth'),
   Browser: require('./Browser'),
@@ -24,5 +26,25 @@ module.exports = {
   MfaRequiredError: require('./lib/MfaRequiredError'),
   StaleAccessIdError: require('./lib/StaleAccessIdError'),
   ERRORS: require('./lib/errorIds'),
-  version: require('../package.json').version
+  version: require('../package.json').version,
+  connectFromKey
 };
+
+/**
+ * Module-level convenience over `Service#connectFromKey` — builds a
+ * `Service` on the fly, fetches its info, and resolves the given
+ * auth-flow polling key into a working `Connection`.
+ *
+ * Mirrors the `pryv.connectFromKey(key, serviceInfoUrl)` shape the
+ * headless polling pattern documents.
+ *
+ * @param {string} key - polling key from `Service.startAccessRequest`
+ * @param {string} serviceInfoUrl - URL of the platform's `/service/info`
+ * @param {Object} [serviceCustomizations] - same shape as `new Service(url, customizations)`
+ * @returns {Promise<import('./Connection')>}
+ */
+async function connectFromKey (key, serviceInfoUrl, serviceCustomizations) {
+  const service = new Service(serviceInfoUrl, serviceCustomizations);
+  await service.info();
+  return service.connectFromKey(key);
+}

package/src/lib/StaleAccessIdError.js

@@ -6,9 +6,9 @@
 const PryvError = require('./PryvError');
 
 /**
- * Plan 66: typed error surfaced when a Pryv.io server (≥ 2.0.0-pre.X)
- * rejects an `accesses.update` or `accesses.delete` call with a
- * 409 `stale-resource` response.
+ * Typed error surfaced when a Pryv.io server (≥ 2.0.0-pre.X) rejects
+ * an `accesses.update` or `accesses.delete` call with a 409
+ * `stale-resource` response.
  *
  * The composite access id `<base>:<serial>` carries the version the
  * caller last observed. If the access has since been updated, the

package/src/lib/buildSearchParams.js

@@ -4,8 +4,12 @@
  */
 
 /**
- * Build URL search params string from an object, properly handling arrays.
- * Arrays are expanded as repeated keys: { a: ['x', 'y'] } => 'a=x&a=y'
+ * Build URL search params string from an object, properly handling arrays
+ * and structured values.
+ * - Arrays of scalars are expanded as repeated keys: { a: ['x', 'y'] } => 'a=x&a=y'
+ * - Arrays containing objects (e.g. `content` / `clientData` conditions,
+ *   rich `streams` queries) and plain objects are sent as one
+ *   JSON-encoded parameter, which the API parses back.
  * @param {Object} params - Query parameters object
  * @returns {string} - URL encoded query string
  */
@@ -13,9 +17,15 @@ function buildSearchParams (params) {
   const searchParams = new URLSearchParams();
   for (const [key, value] of Object.entries(params)) {
     if (Array.isArray(value)) {
-      for (const item of value) {
-        searchParams.append(key, item);
+      if (value.some((item) => item !== null && typeof item === 'object')) {
+        searchParams.append(key, JSON.stringify(value));
+      } else {
+        for (const item of value) {
+          searchParams.append(key, item);
+        }
       }
+    } else if (value !== null && typeof value === 'object') {
+      searchParams.append(key, JSON.stringify(value));
     } else if (value !== undefined && value !== null) {
       searchParams.append(key, value);
     }

package/src/lib/resolveDotPath.js

@@ -0,0 +1,25 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+
+/**
+ * Resolve a content-query dot-path against a JSON value.
+ * `$` addresses the root value itself. Returns `undefined` when the path
+ * does not lead to a value.
+ * @param {*} root - The JSON value (typically an event's `content`)
+ * @param {string} path - Dot-path (e.g. 'drug.codes.atc') or '$'
+ * @returns {*} The value at the path, or undefined
+ */
+function resolveDotPath (root, path) {
+  if (path === '$') return root;
+  let current = root;
+  for (const segment of path.split('.')) {
+    if (current == null || typeof current !== 'object' || Array.isArray(current)) return undefined;
+    if (!Object.prototype.hasOwnProperty.call(current, segment)) return undefined;
+    current = current[segment];
+  }
+  return current;
+}
+
+module.exports = resolveDotPath;

package/src/utils.js

@@ -226,11 +226,11 @@ const utils = module.exports = {
   },
 
   /**
-   * Plan 66 (open-pryv.io ≥ 2.0.0-pre.X): parse a wire-format access
-   * reference into `{ base, serial }`. Accepts both bare cuid
-   * (`"abc123"` → `{ base: 'abc123', serial: null }`) and composite
-   * (`"abc123:3"` → `{ base: 'abc123', serial: 3 }`). Throws on
-   * malformed input. Apply this to `access.id`, `access.createdBy`,
+   * Parse a wire-format access reference into `{ base, serial }`
+   * (Pryv.io ≥ 2.0.0-pre.X). Accepts both bare cuid (`"abc123"` →
+   * `{ base: 'abc123', serial: null }`) and composite (`"abc123:3"` →
+   * `{ base: 'abc123', serial: 3 }`). Throws on malformed input.
+   * Apply this to `access.id`, `access.createdBy`,
    * `access.modifiedBy`, and `streamIds` entries of the form
    * `access-<base>:<serial>` from audit events.
    * @memberof pryv.utils
@@ -256,9 +256,9 @@ const utils = module.exports = {
   },
 
   /**
-   * Plan 66: render an `{ base, serial }` pair back to the wire
-   * format. Bare cuid when serial is null/undefined; `<base>:<serial>`
-   * otherwise. Mostly used to construct the composite id when calling
+   * Render an `{ base, serial }` pair back to the wire format. Bare
+   * cuid when serial is null/undefined; `<base>:<serial>` otherwise.
+   * Mostly used to construct the composite id when calling
    * `connection.api()` for `accesses.update` / `accesses.delete`.
    * @memberof pryv.utils
    * @param {{ base: string, serial?: number | null }} ref

package/test/AuthController.test.js

@@ -190,4 +190,78 @@ describe('[ACNX] AuthController', function () {
       expect(auth.state.id).to.equal(AuthStates.LOADING); // retro-compatibility
     });
   });
+
+  describe('[AFLT] External listener filtering', function () {
+    it('[AFLA] AUTHORIZED state passes only { status, id, key, serviceInfo } to onStateChange', function () {
+      const seen = [];
+      const auth = new AuthController({
+        authRequest: {
+          requestingAppId: 'test-app',
+          requestedPermissions: []
+        },
+        onStateChange: (state) => seen.push(state)
+      }, service);
+
+      auth.state = {
+        status: AuthStates.AUTHORIZED,
+        key: 'abc123',
+        serviceInfo: { name: 'Test' },
+        apiEndpoint: 'https://token@example.com/',
+        username: 'alice',
+        token: 'secret-token'
+      };
+
+      const last = seen[seen.length - 1];
+      expect(last.status).to.equal(AuthStates.AUTHORIZED);
+      expect(last.id).to.equal(AuthStates.AUTHORIZED);
+      expect(last.key).to.equal('abc123');
+      expect(last.serviceInfo).to.deep.equal({ name: 'Test' });
+      // Credentials must not leak to the calling app.
+      expect(last.apiEndpoint).to.equal(undefined);
+      expect(last.username).to.equal(undefined);
+      expect(last.token).to.equal(undefined);
+    });
+
+    it('[AFLC] AUTHORIZED state from cookie-autologin (no key) passes through unchanged', function () {
+      // Mirrors `checkAutoLogin()`'s state shape: it spreads stored
+      // credentials into the AUTHORIZED state without a key, since the
+      // key is not persisted.
+      const seen = [];
+      const auth = new AuthController({
+        authRequest: {
+          requestingAppId: 'test-app',
+          requestedPermissions: []
+        },
+        onStateChange: (state) => seen.push(state)
+      }, service);
+
+      auth.state = {
+        status: AuthStates.AUTHORIZED,
+        apiEndpoint: 'https://token@example.com/',
+        username: 'alice'
+      };
+
+      const last = seen[seen.length - 1];
+      // Backwards-compat: existing pages building Connection directly
+      // from `state.apiEndpoint` on page reload keep working.
+      expect(last.apiEndpoint).to.equal('https://token@example.com/');
+      expect(last.username).to.equal('alice');
+    });
+
+    it('[AFLB] non-AUTHORIZED states pass through unchanged', function () {
+      const seen = [];
+      const auth = new AuthController({
+        authRequest: {
+          requestingAppId: 'test-app',
+          requestedPermissions: []
+        },
+        onStateChange: (state) => seen.push(state)
+      }, service);
+
+      auth.state = { status: AuthStates.ERROR, message: 'boom', error: new Error('e') };
+      const last = seen[seen.length - 1];
+      expect(last.status).to.equal(AuthStates.ERROR);
+      expect(last.message).to.equal('boom');
+    });
+  });
 });

package/test/Connection.test.js

@@ -500,7 +500,7 @@ describe('[CONX] Connection', () => {
       expect(newUser.access.token).to.equal(accessInfoUser.token);
     });
 
-    // Plan 66 — accessInfo caching + forceRefresh.
+    // accessInfo caching + forceRefresh.
 
     it('[CAIC] accessInfo() memoizes — second call returns the same object reference', async () => {
       const regexAPIandToken = /(.+):\/\/(.+)/gm;

package/test/ContentQueries.test.js

@@ -0,0 +1,95 @@
+/**
+ * @license
+ * [BSD-3-Clause](https://github.com/pryv/lib-js/blob/master/LICENSE)
+ */
+/* global describe, it, before, expect, pryv */
+
+const { createId: cuid } = require('@paralleldrive/cuid2');
+const testData = require('../../../test/test-data');
+
+const buildSearchParams = require('../src/lib/buildSearchParams');
+const resolveDotPath = require('../src/lib/resolveDotPath');
+
+describe('[CQLJ] Content queries', () => {
+  describe('[CQLU] buildSearchParams structured values', () => {
+    it('[LU01] keeps scalar arrays as repeated keys', () => {
+      expect(buildSearchParams({ a: ['x', 'y'], b: 1 })).to.equal('a=x&a=y&b=1');
+    });
+
+    it('[LU02] JSON-encodes arrays of objects (conditions) as one parameter', () => {
+      const conditions = [{ path: 'drug.codes.atc', eq: 'G03DA04' }];
+      const out = buildSearchParams({ content: conditions });
+      expect(decodeURIComponent(out)).to.equal('content=' + JSON.stringify(conditions));
+    });
+
+    it('[LU03] JSON-encodes plain object values', () => {
+      const out = buildSearchParams({ streams: { any: ['a'] } });
+      expect(decodeURIComponent(out.replace(/\+/g, ' '))).to.equal('streams=' + JSON.stringify({ any: ['a'] }));
+    });
+  });
+
+  describe('[CQLR] resolveDotPath', () => {
+    it('[LR01] resolves nested paths, root $ and misses', () => {
+      const content = { drug: { codes: { atc: 'G03DA04' } }, taken: true };
+      expect(resolveDotPath(content, 'drug.codes.atc')).to.equal('G03DA04');
+      expect(resolveDotPath(content, 'taken')).to.equal(true);
+      expect(resolveDotPath(content, 'drug.codes.snomed')).to.equal(undefined);
+      expect(resolveDotPath(14.2, '$')).to.equal(14.2);
+      expect(resolveDotPath(undefined, 'a.b')).to.equal(undefined);
+      expect(resolveDotPath({ a: [1] }, 'a.0')).to.equal(undefined); // no array indices
+    });
+  });
+
+  describe('[CQLI] against a live platform (skipped when unsupported)', () => {
+    let conn, supported, streamId;
+    const codes = { progesterone: 'G03DA04', aspirin: 'B01AC06', missing: 'N02BE01' };
+
+    before(async function () {
+      this.timeout(15000);
+      await testData.prepare();
+      conn = new pryv.Connection(testData.apiEndpointWithToken);
+      supported = await conn.service.supportsContentQueries();
+      if (!supported) return;
+
+      streamId = 'cq-' + cuid().substring(0, 8);
+      const calls = [{ method: 'streams.create', params: { id: streamId, name: 'CQ ' + streamId, parentId: 'data' } }];
+      // two assertions per drug — older taken:false, newer taken:true — to verify "latest"
+      let time = 1700000000;
+      for (const code of [codes.progesterone, codes.aspirin]) {
+        calls.push({ method: 'events.create', params: { streamIds: [streamId], type: 'medication/exposure-assertion-v1', time: time++, content: { drug: { codes: { atc: code } }, taken: false } } });
+        calls.push({ method: 'events.create', params: { streamIds: [streamId], type: 'medication/exposure-assertion-v1', time: time++, content: { drug: { codes: { atc: code } }, taken: true } } });
+      }
+      const res = await conn.api(calls);
+      for (const r of res) expect(r.error).to.be.undefined;
+    });
+
+    it('[LI01] supportsContentQueries returns a boolean', async () => {
+      expect(typeof supported).to.equal('boolean');
+    });
+
+    it('[LI02] events.get accepts content conditions via GET (streamed)', async function () {
+      if (!supported) this.skip();
+      const collected = [];
+      await conn.getEventsStreamed(
+        { streams: [streamId], content: [{ path: 'drug.codes.atc', eq: codes.progesterone }, { path: 'taken', eq: true }] },
+        (event) => collected.push(event)
+      );
+      expect(collected.length).to.equal(1);
+      expect(collected[0].content.taken).to.equal(true);
+    });
+
+    it('[LI03] getLatestByContent returns the latest event per value', async function () {
+      if (!supported) this.skip();
+      const byCode = await conn.getLatestByContent(
+        'drug.codes.atc',
+        [codes.progesterone, codes.aspirin, codes.missing],
+        { streams: [streamId] }
+      );
+      expect(byCode.size).to.equal(2);
+      expect(byCode.get(codes.missing)).to.be.undefined;
+      // latest per code is the taken:true one (created later)
+      expect(byCode.get(codes.progesterone).content.taken).to.equal(true);
+      expect(byCode.get(codes.aspirin).content.taken).to.equal(true);
+    });
+  });
+});

package/test/Service.accessRequest.test.js

@@ -38,6 +38,30 @@ describe('[ARQX] Service access-request init', function () {
     });
   });
 
+  describe('[CFKX] Service.connectFromKey', function () {
+    it('[CFKA] rejects when key is missing', async function () {
+      let caught;
+      try { await service.connectFromKey(); } catch (e) { caught = e; }
+      expect(caught).to.be.instanceOf(pryv.PryvError);
+    });
+
+    it('[CFKB] throws when the access is still NEED_SIGNIN', async function () {
+      this.timeout(15000);
+      const env = await service.startAccessRequest({
+        requestingAppId: 'jslib-test',
+        requestedPermissions: [{
+          streamId: 'data',
+          level: 'read',
+          defaultName: 'Test'
+        }]
+      });
+      let caught;
+      try { await service.connectFromKey(env.key); } catch (e) { caught = e; }
+      expect(caught).to.be.instanceOf(pryv.PryvError);
+      expect(caught.message).to.include('NEED_SIGNIN');
+    });
+  });
+
   describe('[APRX] Service.pollAccessRequest', function () {
     it('[APRA] rejects when key is missing', async function () {
       let caught;

package/test/utils.test.js

@@ -60,7 +60,7 @@ describe('[UTLX] utils', function () {
     done();
   });
 
-  // Plan 66 — composite access references.
+  // Composite access references.
 
   it('[UTLF] parseAccessRef on a bare cuid returns { base, serial: null }', function () {
     const ref = pryv.utils.parseAccessRef('abc123def456');