NHSDigital
diff --git a/‎infrastructure/terraform/components/dl/module_lambda_mesh_download.tf‎
Lines changed: 11 additions & 10 deletions b/‎infrastructure/terraform/components/dl/module_lambda_mesh_download.tf‎
Lines changed: 11 additions & 10 deletions
diff --git a/‎lambdas/mesh-download/mesh_download/__tests__/test_document_store.py‎
Lines changed: 47 additions & 6 deletions b/‎lambdas/mesh-download/mesh_download/__tests__/test_document_store.py‎
Lines changed: 47 additions & 6 deletions
diff --git a/‎lambdas/mesh-download/mesh_download/__tests__/test_processor.py‎
Lines changed: 89 additions & 21 deletions b/‎lambdas/mesh-download/mesh_download/__tests__/test_processor.py‎
Lines changed: 89 additions & 21 deletions
diff --git a/‎lambdas/mesh-download/mesh_download/config.py‎
Lines changed: 19 additions & 6 deletions b/‎lambdas/mesh-download/mesh_download/config.py‎
Lines changed: 19 additions & 6 deletions
@@ -37,16 +37,17 @@ module "mesh_download" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
-    DOWNLOAD_METRIC_NAME           = "mesh-download-successful-downloads"
-    DUPLICATE_DOWNLOAD_METRIC_NAME = "mesh-duplicate-downloads"
-    DOWNLOAD_METRIC_NAMESPACE      = "dl-mesh-download"
-    ENVIRONMENT                    = var.environment
-    EVENT_PUBLISHER_DLQ_URL        = module.sqs_event_publisher_errors.sqs_queue_url
-    EVENT_PUBLISHER_EVENT_BUS_ARN  = aws_cloudwatch_event_bus.main.arn
-    PII_BUCKET                     = module.s3bucket_pii_data.bucket
-    SSM_MESH_PREFIX                = local.ssm_mesh_prefix
-    SSM_SENDERS_PREFIX             = local.ssm_senders_prefix
-    USE_MESH_MOCK                  = var.enable_mock_mesh ? "true" : "false"
+    DOWNLOAD_METRIC_NAME                    = "mesh-download-successful-downloads"
+    INTERNAL_DUPLICATE_DOWNLOAD_METRIC_NAME = "mesh-internal-duplicate-downloads"
+    TRUST_DUPLICATE_DOWNLOAD_METRIC_NAME    = "mesh-trust-duplicate-downloads"
+    DOWNLOAD_METRIC_NAMESPACE               = "dl-mesh-download"
+    ENVIRONMENT                             = var.environment
+    EVENT_PUBLISHER_DLQ_URL                 = module.sqs_event_publisher_errors.sqs_queue_url
+    EVENT_PUBLISHER_EVENT_BUS_ARN           = aws_cloudwatch_event_bus.main.arn
+    PII_BUCKET                              = module.s3bucket_pii_data.bucket
+    SSM_MESH_PREFIX                         = local.ssm_mesh_prefix
+    SSM_SENDERS_PREFIX                      = local.ssm_senders_prefix
+    USE_MESH_MOCK                           = var.enable_mock_mesh ? "true" : "false"
   }
 
 }
 
@@ -2,7 +2,12 @@
 import pytest
 from unittest.mock import Mock
 from botocore.exceptions import ClientError
-from mesh_download.document_store import DocumentStore, IntermediaryBodyStoreError, DocumentAlreadyExistsError
+from mesh_download.document_store import (
+    DocumentStore,
+    IntermediaryBodyStoreError,
+    DocumentAlreadyExistsError,
+    DocumentAlreadyExistsInternalRetryError,
+)
 
 
 def make_client_error(code):
@@ -36,11 +41,12 @@ def test_store_document_success(self):
             content=b'test content'
         )
 
-        assert result == 'document-reference/SENDER-001/ref-123_mesh-456'
+        assert result == 'document-reference/SENDER-001/ref-123'
         mock_s3_client.put_object.assert_called_once_with(
             Bucket='test-pii-bucket',
-            Key='document-reference/SENDER-001/ref-123_mesh-456',
+            Key='document-reference/SENDER-001/ref-123',
             Body=b'test content',
+            Metadata={'mesh_message_id': 'mesh-456'},
             IfNoneMatch='*'
         )
 
@@ -84,21 +90,56 @@ def test_store_document_raises_error_on_non_200_response(self):
                 content=b'test content'
             )
 
-    def test_store_document_precondition_failed_raises_document_already_exists(self):
-        """Raises DocumentAlreadyExistsError when S3 returns PreconditionFailed (object already exists)"""
+    def test_store_document_precondition_failed_same_mesh_message_id_raises_internal_retry(self):
+        """Raises DocumentAlreadyExistsInternalRetryError when stored meshMessageId matches incoming (internal retry)"""
         mock_s3_client = Mock()
         mock_s3_client.put_object.side_effect = make_client_error('PreconditionFailed')
+        mock_s3_client.head_object.return_value = {
+            'Metadata': {'mesh_message_id': 'mesh-456'}
+        }
 
         config = Mock()
         config.s3_client = mock_s3_client
         config.transactional_data_bucket = 'test-pii-bucket'
 
         store = DocumentStore(config)
 
-        with pytest.raises(DocumentAlreadyExistsError, match='document-reference/SENDER-001/ref-123_mesh-456'):
+        with pytest.raises(DocumentAlreadyExistsInternalRetryError, match='document-reference/SENDER-001/ref-123'):
             store.store_document(
                 sender_id='SENDER-001',
                 message_reference='ref-123',
                 mesh_message_id='mesh-456',
                 content=b'test content'
             )
+
+        mock_s3_client.head_object.assert_called_once_with(
+            Bucket='test-pii-bucket',
+            Key='document-reference/SENDER-001/ref-123'
+        )
+
+    def test_store_document_precondition_failed_different_mesh_message_id_raises_trust_duplicate(self):
+        """Raises DocumentAlreadyExistsError when stored meshMessageId differs from incoming (trust duplicate)"""
+        mock_s3_client = Mock()
+        mock_s3_client.put_object.side_effect = make_client_error('PreconditionFailed')
+        mock_s3_client.head_object.return_value = {
+            'Metadata': {'mesh_message_id': 'original-mesh-id'}
+        }
+
+        config = Mock()
+        config.s3_client = mock_s3_client
+        config.transactional_data_bucket = 'test-pii-bucket'
+
+        store = DocumentStore(config)
+
+        with pytest.raises(DocumentAlreadyExistsError, match='document-reference/SENDER-001/ref-123'):
+            store.store_document(
+                sender_id='SENDER-001',
+                message_reference='ref-123',
+                mesh_message_id='new-mesh-id',
+                content=b'test content'
+            )
+
+        mock_s3_client.head_object.assert_called_once_with(
+            Bucket='test-pii-bucket',
+            Key='document-reference/SENDER-001/ref-123'
+        )
@@ -9,7 +9,7 @@
 from datetime import datetime, timezone
 from pydantic import ValidationError
 from mesh_download.errors import MeshMessageNotFound
-from mesh_download.document_store import DocumentAlreadyExistsError
+from mesh_download.document_store import DocumentAlreadyExistsError, DocumentAlreadyExistsInternalRetryError
 
 
 def setup_mocks():
@@ -20,7 +20,8 @@ def setup_mocks():
     # Set up default config attributes
     config.mesh_client = Mock()
     config.download_metric = Mock()
-    config.duplicate_download_metric = Mock()
+    config.internal_duplicate_download_metric = Mock()
+    config.trust_duplicate_download_metric = Mock()
     config.s3_client = Mock()
     config.environment = 'development'
     config.transactional_data_bucket = 'test-pii-bucket'
@@ -157,7 +158,8 @@ def test_processor_initialization_calls_mesh_handshake(self):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -183,7 +185,8 @@ def test_process_sqs_message_success(self, mock_datetime):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -260,7 +263,8 @@ def test_process_sqs_message_invalid_fhir_content(self, mock_datetime):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -326,7 +330,8 @@ def test_process_sqs_message_validation_failure(self):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -351,7 +356,8 @@ def test_process_sqs_message_missing_mesh_message_id(self):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -379,7 +385,8 @@ def test_download_and_store_message_not_found(self):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -410,7 +417,8 @@ def test_document_store_failure_prevents_ack_and_raises(self):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -446,7 +454,8 @@ def test_bucket_selection_with_mesh_mock_enabled(self, mock_datetime):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -486,7 +495,8 @@ def test_bucket_selection_with_mesh_mock_disabled(self, mock_datetime):
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -505,23 +515,27 @@ def test_bucket_selection_with_mesh_mock_disabled(self, mock_datetime):
         assert message_uri.startswith('s3://test-pii-bucket/')
 
     def test_duplicate_delivery_skips_publish_and_acknowledge(self):
-        """When S3 signals the object already exists, processor logs a warning, skips publishing and metric, but still acknowledges"""
+        """
+        Internal retry: the object already exists with the same meshMessageId.
+        Skip publish, record internal metric, acknowledge
+        """
         from mesh_download.processor import MeshDownloadProcessor
 
         config, log, event_publisher, document_store = setup_mocks()
         bound_logger = Mock()
         log.bind.return_value = bound_logger
 
-        document_store.store_document.side_effect = DocumentAlreadyExistsError(
-            "Document already exists for key: document-reference/TEST-SENDER/ref-001_mesh-123"
+        document_store.store_document.side_effect = DocumentAlreadyExistsInternalRetryError(
+            "Internal retry for key: document-reference/TEST-SENDER/ref-001"
         )
 
         processor = MeshDownloadProcessor(
             config=config,
             log=log,
             mesh_client=config.mesh_client,
             download_metric=config.download_metric,
-            duplicate_download_metric=config.duplicate_download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
             document_store=document_store,
             event_publisher=event_publisher
         )
@@ -530,17 +544,71 @@ def test_duplicate_delivery_skips_publish_and_acknowledge(self):
         config.mesh_client.retrieve_message.return_value = mesh_message
         sqs_record = create_sqs_record()
 
-        # Should complete without raising
         outcome = processor.process_sqs_message(sqs_record)
 
         assert outcome == 'skipped'
         bound_logger.warning.assert_called_once()
-        warning_msg = bound_logger.warning.call_args[0][0]
-        assert "already stored" in warning_msg
-        config.duplicate_download_metric.record.assert_called_once()
-
+        assert "Internal retry" in bound_logger.warning.call_args[0][0]
+        config.internal_duplicate_download_metric.record.assert_called_once_with(1)
+        config.trust_duplicate_download_metric.record.assert_not_called()
         event_publisher.send_events.assert_not_called()
         config.download_metric.record.assert_not_called()
-
         # Acknowledge should still be called to remove message from MESH inbox
         mesh_message.acknowledge.assert_called_once()
+
+    @patch('mesh_download.processor.datetime')
+    def test_trust_duplicate_publishes_invalid_event_and_acknowledges(self, mock_datetime):
+        """
+        Trust duplicate: the object already exists with a different meshMessageId.
+        Publish invalid event with DL_CLIV_004, record trust metric, acknowledge
+        """
+        from mesh_download.processor import MeshDownloadProcessor
+
+        config, log, event_publisher, document_store = setup_mocks()
+        bound_logger = Mock()
+        log.bind.return_value = bound_logger
+
+        fixed_time = datetime(2025, 11, 19, 15, 30, 45, tzinfo=timezone.utc)
+        mock_datetime.now.return_value = fixed_time
+
+        document_store.store_document.side_effect = DocumentAlreadyExistsError(
+            "Trust duplicate for key: document-reference/TEST-SENDER/ref-001"
+        )
+        event_publisher.send_events.return_value = []
+
+        processor = MeshDownloadProcessor(
+            config=config,
+            log=log,
+            mesh_client=config.mesh_client,
+            download_metric=config.download_metric,
+            internal_duplicate_download_metric=config.internal_duplicate_download_metric,
+            trust_duplicate_download_metric=config.trust_duplicate_download_metric,
+            document_store=document_store,
+            event_publisher=event_publisher
+        )
+
+        mesh_message = create_mesh_message()
+        config.mesh_client.retrieve_message.return_value = mesh_message
+        sqs_record = create_sqs_record()
+
+        outcome = processor.process_sqs_message(sqs_record)
+
+        assert outcome == 'duplicate'
+        bound_logger.warning.assert_called_once()
+        assert "Trust duplicate" in bound_logger.warning.call_args[0][0]
+        config.trust_duplicate_download_metric.record.assert_called_once_with(1)
+        config.internal_duplicate_download_metric.record.assert_not_called()
+        config.download_metric.record.assert_not_called()
+
+        event_publisher.send_events.assert_called_once()
+        published_event = event_publisher.send_events.call_args[0][0][0]
+        assert published_event['type'] == 'uk.nhs.notify.digital.letters.mesh.inbox.message.invalid.v1'
+        assert published_event['time'] == '2025-11-19T15:30:45+00:00'
+
+        event_data = published_event['data']
+        assert event_data['senderId'] == 'TEST-SENDER'
+        assert event_data['meshMessageId'] == 'test-message-123'
+        assert event_data['messageReference'] == 'ref-001'
+        assert event_data['failureCode'] == 'DL_CLIV_004'
+
+        mesh_message.acknowledge.assert_called_once()
@@ -9,7 +9,8 @@
     "ssm_mesh_prefix": "SSM_MESH_PREFIX",
     "environment": "ENVIRONMENT",
     "download_metric_name": "DOWNLOAD_METRIC_NAME",
-    "duplicate_download_metric_name": "DUPLICATE_DOWNLOAD_METRIC_NAME",
+    "internal_duplicate_download_metric_name": "INTERNAL_DUPLICATE_DOWNLOAD_METRIC_NAME",
+    "trust_duplicate_download_metric_name": "TRUST_DUPLICATE_DOWNLOAD_METRIC_NAME",
     "download_metric_namespace": "DOWNLOAD_METRIC_NAMESPACE",
     "event_publisher_event_bus_arn": "EVENT_PUBLISHER_EVENT_BUS_ARN",
     "event_publisher_dlq_url": "EVENT_PUBLISHER_DLQ_URL",
@@ -29,14 +30,16 @@ def __init__(self, ssm=None, s3_client=None):
         super().__init__(ssm=ssm, s3_client=s3_client)
 
         self.download_metric = None
-        self.duplicate_download_metric = None
+        self.internal_duplicate_download_metric = None
+        self.trust_duplicate_download_metric = None
 
     def __enter__(self):
         super().__enter__()
 
         # Build download metric
         self.download_metric = self.build_download_metric()
-        self.duplicate_download_metric = self.build_duplicate_download_metric()
+        self.internal_duplicate_download_metric = self.build_internal_duplicate_download_metric()
+        self.trust_duplicate_download_metric = self.build_trust_duplicate_download_metric()
 
         return self
 
@@ -50,12 +53,22 @@ def build_download_metric(self):
             dimensions={"Environment": self.environment}
         )
 
-    def build_duplicate_download_metric(self):
+    def build_internal_duplicate_download_metric(self):
         """
-        Returns a custom metric to record messages that were attempted to be downloaded more than once
+        Custom metric for messages retried internally
         """
         return Metric(
-            name=self.duplicate_download_metric_name,
+            name=self.internal_duplicate_download_metric_name,
+            namespace=self.download_metric_namespace,
+            dimensions={"Environment": self.environment}
+        )
+
+    def build_trust_duplicate_download_metric(self):
+        """
+        Custom metric for duplicate messages received from a Trust
+        """
+        return Metric(
+            name=self.trust_duplicate_download_metric_name,
             namespace=self.download_metric_namespace,
             dimensions={"Environment": self.environment}
         )