Merge branch 'main' into dependabot/github_actions/nhs-england-tools/notify-msteams-action-1.0.5

Author: neil-sproston

.github/README.md

@@ -0,0 +1,40 @@
+---
+name: Documentation Writer Agent
+description: Expert technical writer for this project
+---
+
+# Documentation Writer Agent
+
+You are an expert technical writer for this project.
+
+## Your role
+
+- You are fluent in Markdown and can read and understand Python code, the Flask framework, OpenAPI, pytest, Pact, and Schemathesis,
+- You write for a software developer audience, focusing on clarity and practical examples
+- Your task: read all files, and generate or update documentation in `**/README.md` where you feel appropriate and necessary.
+
+## Project knowledge
+
+- **Tech Stack:** Flask, Python, OpenAPI, pytest, Pact, Schemathesis
+- **File Structure:**
+  - Files and folders that require documentation (you READ from here)
+    - `gateway-api` - Code relating to the project
+    - `gateway-api/src/` – All source code
+    - `gateway-api/stubs` – API stubs and mock definitions used for testing or examples
+    - `gateway-api/tests` – Automated tests for the gateway API
+    - `infrastructure/` – All infrastructure code (e.g. Terraform, Dockerfiles, CI/CD pipelines)
+    - `proxygen` - Code relating to the deployment of the API proxy
+  - `**/README.md` – All documentation (you WRITE to here)
+
+## Documentation practices
+
+Be concise and specific.
+Write so that a new developer to this codebase can understand your writing, don’t assume your audience are experts in the topic/area you are writing about.
+Use mermaid to create diagrams where helpful to explain complex concepts or workflows.
+Provide examples where helpful to clarify concepts or usage.
+
+## Boundaries
+
+- ✅ **Always do:** Amend or create `**/README.md` only
+- ⚠️ **Ask first:** Before modifying existing documents in a major way, or before creating new README files.
+- 🚫 **Never do:** Delete a file, nor create or modify any files other than `**/README.md`

.github/agents/docs.agent.md

@@ -0,0 +1,37 @@
+---
+name: Unit Test Writer Agent
+description: Expert unit test writer for this project
+---
+
+# Unit Test Writer Agent
+
+You are an expert unit test writer for this project.
+
+## Your role
+
+- You are fluent in Python, and can understand the Flask framework and pytest
+- You write unit tests to improve the stability and reliability of the codebase by ensuring that all code is exercised by unit tests
+- Your task: read all files in `gateway-api/` and generate or update unit tests in `gateway-api/src/**/test_*.py`
+
+## Project knowledge
+
+- **Tech Stack:** Flask, Python,  pytest
+- **File Structure:**
+  - `gateway-api/src/**/*.py` – Files and folders that require unit tests (you READ from here)
+  - `gateway-api/src/**/test_*.py` – All unit tests (you WRITE to here)
+
+## Unit test practices
+
+Where possible, write unit tests that
+
+- Are independent and can be run in isolation
+- Cover edge cases and error handling, not just the happy path
+- Are well-named to clearly indicate what they are testing and the expected outcome
+- Use `pytest` fixtures to set up any necessary test data or state, and to clean up after tests if needed
+- Pass a message to the assertion to provide additional context when a test fails, making it easier to diagnose issues
+
+## Boundaries
+
+- ✅ **Always do:** Create or amend `gateway-api/src/**/test_*.py` only
+- ⚠️ **Ask first:** Before modifying more than one test file in a single PR; and before deleting a file.
+- 🚫 **Never do:** Modify any files other than `gateway-api/src/**/test_*.py`

.github/agents/unit_test.agent.md

@@ -0,0 +1,39 @@
+# NHSE Clinical Data Gateway API
+
+Our core programming language is Python.
+
+Our docs are in README.md files next to or in the parent directories of the files they are documenting.
+
+This repository is for handling HTTP requests from "Consumer systems" and forwarding them on to "Provider systems", while performing a number of checks on and additions to the request. The response from the "Provider system", which is sent straight back to the "Consumer system" unchanged, will contain a patient's medical details.
+
+We use other NHSE services to assist in the validation and processing of the requests including PDS FHIR API for obtaining GP practice codes for the patient, SDS FHIR API for obtaining the "Provider system" details of that GP practice and Healthcare Worker FHIR API for obtaining details of the requesting practitioner using the "Consumer System" that will then be added to the forwarded request.
+
+`make deploy` will build and start a container running Gateway API at `localhost:5000`.
+
+After deploying the container locally, `make test` will run all tests and capture their coverage. Note: env variables control the use of stubs for the PDS FHIR API, SDS FHIR API, Healthcare Worker FHIR API and Provider system services.
+
+Individual test suites can be run with:
+
+- Unit tests: `make unit`
+- Acceptance tests: `make acceptance`
+- Integration tests: `make integration`
+- Schema tests: `make schema`
+- Contract tests: `make contract`
+
+The container must be running in order to successfully run any of the test suites other than the unit tests.
+
+The schema for this API can be found in `gateway-api/openapi.yaml`.
+
+## Docstrings and comments
+
+- Use precise variable and function names to reduce the need for comments
+- Use docstrings on high-level functions and classes to explain their purpose, inputs, outputs, and any side effects
+- Avoid comments that state the obvious or repeat what the code does; instead, focus on explaining the intent behind the code, the reasons for non-obvious decisions, and any important trade-offs or constraints
+
+## Commits
+
+Prepend `[AI-generated]` to the commit message when committing changes made by an AI agent.
+
+## Security
+
+This repository is public. Do not commit any secrets, tokens or credentials.

.github/instructions/copilot-instructions.md

@@ -6,13 +6,14 @@ authors = [
     {name = "Your Name", email = "you@example.com"}
 ]
 readme = "README.md"
-requires-python = ">3.13,<4.0.0"
+requires-python = ">=3.14,<4.0.0"
 
 [tool.poetry.dependencies]
 clinical-data-common = { git = "https://github.com/NHSDigital/clinical-data-common.git", tag = "v0.1.0" }
-flask = "^3.1.2"
+flask = "^3.1.3"
 types-flask = "^1.1.6"
 requests = "^2.32.5"
+pyjwt = "^2.11.0"
 
 [tool.poetry]
 packages = [{include = "gateway_api", from = "src"},

gateway-api/poetry.lock

@@ -0,0 +1,5 @@
+from .device import Device
+from .jwt import JWT
+from .practitioner import Practitioner
+
+__all__ = ["JWT", "Device", "Practitioner"]

gateway-api/pyproject.toml

@@ -0,0 +1,29 @@
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True, kw_only=True)
+class Device:
+    system: str
+    value: str
+    model: str
+    version: str
+
+    @property
+    def json(self) -> str:
+        outstr = f"""
+        {{
+        "resourceType": "Device",
+        "identifier": [
+            {{
+                "system": "{self.system}",
+                "value": "{self.value}"
+            }}
+        ],
+        "model": "{self.model}",
+        "version": "{self.version}"
+        }}
+        """
+        return outstr.strip()
+
+    def __str__(self) -> str:
+        return self.json

gateway-api/src/gateway_api/clinical_jwt/__init__.py

@@ -0,0 +1,77 @@
+from dataclasses import dataclass, field
+from datetime import UTC, datetime
+from time import time
+from typing import Any
+
+import jwt as pyjwt
+
+
+@dataclass(frozen=True, kw_only=True)
+class JWT:
+    issuer: str
+    subject: str
+    audience: str
+    requesting_device: str
+    requesting_organization: str
+    requesting_practitioner: str
+
+    # Time fields
+    issued_at: int = field(default_factory=lambda: int(time()))
+    expiration: int = field(default_factory=lambda: int(time()) + 300)
+
+    # These are here for future proofing but are not expected ever to be changed
+    algorithm: str | None = None
+    type: str = "JWT"
+    reason_for_request: str = "directcare"
+    requested_scope: str = "patient/*.read"
+
+    @property
+    def issue_time(self) -> str:
+        return datetime.fromtimestamp(self.issued_at, tz=UTC).isoformat()
+
+    @property
+    def exp_time(self) -> str:
+        return datetime.fromtimestamp(self.expiration, tz=UTC).isoformat()
+
+    def encode(self) -> str:
+        return pyjwt.encode(
+            self.payload(),
+            key=None,
+            algorithm=self.algorithm,
+            headers={"typ": self.type},
+        )
+
+    @staticmethod
+    def decode(token: str) -> "JWT":
+        token_dict = pyjwt.decode(
+            token,
+            options={"verify_signature": False},  # NOSONAR S5659 (not signed)
+        )
+
+        return JWT(
+            issuer=token_dict["iss"],
+            subject=token_dict["sub"],
+            audience=token_dict["aud"],
+            expiration=token_dict["exp"],
+            issued_at=token_dict["iat"],
+            requesting_device=token_dict["requesting_device"],
+            requesting_organization=token_dict["requesting_organization"],
+            requesting_practitioner=token_dict["requesting_practitioner"],
+        )
+
+    def payload(self) -> dict[str, Any]:
+        return {
+            "iss": self.issuer,
+            "sub": self.subject,
+            "aud": self.audience,
+            "exp": self.expiration,
+            "iat": self.issued_at,
+            "requesting_device": self.requesting_device,
+            "requesting_organization": self.requesting_organization,
+            "requesting_practitioner": self.requesting_practitioner,
+            "reason_for_request": self.reason_for_request,
+            "requested_scope": self.requested_scope,
+        }
+
+    def __str__(self) -> str:
+        return self.encode()

gateway-api/src/gateway_api/clinical_jwt/device.py

@@ -0,0 +1,49 @@
+from dataclasses import dataclass
+
+
+@dataclass(kw_only=True)
+class Practitioner:
+    id: str
+    sds_userid: str
+    role_profile_id: str
+    userid_url: str
+    userid_value: str
+    family_name: str
+    given_name: str | None = None
+    prefix: str | None = None
+
+    def __post_init__(self) -> None:
+        given = "" if self.given_name is None else f',"given":["{self.given_name}"]'
+        prefix = "" if self.prefix is None else f',"prefix":["{self.prefix}"]'
+        self._name_str = f'[{{"family": "{self.family_name}"{given}{prefix}}}]'
+
+    @property
+    def json(self) -> str:
+        user_id_system = "https://fhir.nhs.uk/Id/sds-user-id"
+        role_id_system = "https://fhir.nhs.uk/Id/sds-role-profile-id"
+
+        outstr = f"""
+        {{
+        "resourceType": "Practitioner",
+        "id": "{self.id}",
+        "identifier": [
+        {{
+            "system": "{user_id_system}",
+            "value": "{self.sds_userid}"
+        }},
+        {{
+            "system": "{role_id_system}",
+            "value": "{self.role_profile_id}"
+        }},
+        {{
+            "system": "{self.userid_url}",
+            "value": "{self.userid_value}"
+        }}
+        ],
+        "name": {self._name_str}
+        }}
+        """
+        return outstr.strip()
+
+    def __str__(self) -> str:
+        return self.json