
Update: [AEA-4652] - signature validation on prescription creation #4426

Open
bencegadanyi1-nhs wants to merge 21 commits into master from AEA-4652-add-prescription-order-endpoint-signature-validation

bencegadanyi1-nhs commented Mar 11, 2026

Summary

Remove items from this list if they are not relevant. Remove this line once this has been done

  • Routine Change
  • ✨ New Feature

Details

  • added ENABLE_PRESCRIBING_SIGNATURE_VALIDATION flag -> lets us turn on signature checks at creation without blowing anything up
  • hooked signature verification into $process-message for prescription-order creation
  • introduced verifyAndFormatPrescriptionSignature() -> single place for logging + OperationOutcome mapping (no more scattered logic)
  • aligned error handling + mapping with release flow (and updated translation/tests to match)
  • wired the flag through CDK, ECS env, and CI/release workflows
  • updated e2e expectations + trivy ignore list accordingly

@github-actions

This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket:

AEA-4652

Copilot AI review requested due to automatic review settings March 18, 2026 09:43

Copilot AI left a comment


Pull request overview

Adds signature validation for prescription creation (behind a feature flag) and aligns signature-verification error handling/mapping across creation + release flows, with supporting infra/workflow wiring.

Changes:

  • Introduces ENABLE_PRESCRIBING_SIGNATURE_VALIDATION feature flag and performs signature verification in the $process-message route for prescription-order creation.
  • Adds verifyAndFormatPrescriptionSignature() to centralize logging + OperationOutcome issue mapping; updates release-response translation/tests accordingly.
  • Wires the flag through CDK contexts/ECS env and CI/release workflows; updates e2e expectations and security ignore list.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| packages/e2e-tests/specs/live/process.failures.spec.ts | Updates failure test setup + expected OperationOutcome for signature validation. |
| packages/coordinator/tests/utils/feature-flags.spec.ts | Adds unit tests for the new feature flag helper. |
| packages/coordinator/tests/services/translation/response/release/release-response.spec.ts | Updates tests to mock/expect the new signature verification function and diagnostics. |
| packages/coordinator/tests/services/translation/request/index.spec.ts | Adds tests for creation-time signature verification mapping. |
| packages/coordinator/src/utils/feature-flags.ts | Adds isSignatureValidationEnabled(). |
| packages/coordinator/src/services/verification/signature-verification.ts | Adds verifyAndFormatPrescriptionSignature() mapping errors to FHIR issues + logging. |
| packages/coordinator/src/services/translation/response/release/release-response.ts | Uses formatted signature issues when building invalid-signature outcomes. |
| packages/coordinator/src/services/translation/request/index.ts | Exposes verifySignatureForPrescriptionCreation() used by the route. |
| packages/coordinator/src/routes/process.ts | Performs signature validation on prescription creation when the flag is enabled. |
| packages/cdk/stacks/PrescribeDispenseStack.ts | Adds context plumbing + CFN output for the flag. |
| packages/cdk/resources/ECSTasks.ts | Injects ENABLE_PRESCRIBING_SIGNATURE_VALIDATION into ECS task env. |
| cdk.json | Adds enablePrescribingSignatureValidation context default. |
| .trivyignore.yaml | Adds a time-bounded ignore entry for CVE-2026-33036. |
| .github/workflows/run_regression_tests.yml | Changes regression test tags to a feature-branch tag. |
| .github/workflows/release_ref.yml | Adds ENABLE_PRESCRIBING_SIGNATURE_VALIDATION to ref release env. |
| .github/workflows/release.yml | Adds ENABLE_PRESCRIBING_SIGNATURE_VALIDATION to multiple environments. |
| .github/workflows/pull_request.yml | Enables ENABLE_PRESCRIBING_SIGNATURE_VALIDATION for PR deploys (with TODO). |
| .github/workflows/ci.yml | Adds ENABLE_PRESCRIBING_SIGNATURE_VALIDATION to CI deploy jobs. |
| .github/workflows/cdk_release_code.yml | Adds required boolean input for ENABLE_PRESCRIBING_SIGNATURE_VALIDATION. |
| .github/scripts/fix_cdk_json.sh | Ensures CDK context is populated from ENABLE_PRESCRIBING_SIGNATURE_VALIDATION. |


bencegadanyi1-nhs and others added 3 commits March 18, 2026 10:02
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Adds feature-flagged digital signature validation during prescription creation ($process-message for prescription-order) and aligns the resulting error mapping/logging with the existing release flow.

Changes:

  • Introduces ENABLE_PRESCRIBING_SIGNATURE_VALIDATION and wires it through coordinator runtime, CDK/ECS config, and CI/release workflows.
  • Centralizes signature verification logging + OperationOutcome.issue mapping via verifyAndFormatPrescriptionSignature(), and reuses it in release translation.
  • Updates unit/e2e expectations to reflect the new Spine error coding and issue structure.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| packages/e2e-tests/specs/live/process.failures.spec.ts | Updates expected translated OperationOutcome.issue fields for signature failures. |
| packages/coordinator/tests/utils/feature-flags.spec.ts | Adds unit tests for isSignatureValidationEnabled(). |
| packages/coordinator/tests/services/translation/response/release/release-response.spec.ts | Updates mocking/expectations for signature verification mapping/logging in release translation. |
| packages/coordinator/tests/services/translation/request/index.spec.ts | Adds tests for verifySignatureForPrescriptionCreation() behavior. |
| packages/coordinator/src/utils/feature-flags.ts | Adds isSignatureValidationEnabled() backed by env var. |
| packages/coordinator/src/services/verification/signature-verification.ts | Adds verifyAndFormatPrescriptionSignature() to map verification errors into OperationOutcomeIssue[]. |
| packages/coordinator/src/services/translation/response/release/release-response.ts | Switches release flow to use verifyAndFormatPrescriptionSignature() and pass through returned issues. |
| packages/coordinator/src/services/translation/request/index.ts | Adds verifySignatureForPrescriptionCreation() helper for process route. |
| packages/coordinator/src/routes/process.ts | Gates signature validation on the feature flag for prescription creation requests. |
| packages/cdk/stacks/PrescribeDispenseStack.ts | Adds CDK context plumb-through + output for signature validation flag. |
| packages/cdk/resources/ECSTasks.ts | Exposes ENABLE_PRESCRIBING_SIGNATURE_VALIDATION to coordinator container env. |
| cdk.json | Adds enablePrescribingSignatureValidation context default. |
| .trivyignore.yaml | Adds an ignore entry for a fast-xml-parser CVE with expiry. |
| .github/workflows/run_regression_tests.yml | Points regression workflow/test tags to the PR-specific ref. |
| .github/workflows/release_ref.yml | Enables signature validation for ref release workflow environment. |
| .github/workflows/release.yml | Sets signature validation env across release jobs (mix of true/false per environment). |
| .github/workflows/pull_request.yml | Enables signature validation in PR deploy workflow (currently with TODO + formatting issue). |
| .github/workflows/ci.yml | Adds signature validation env to CI deploy matrices. |
| .github/workflows/cdk_release_code.yml | Adds typed workflow-call input for signature validation flag and passes it into deployment env. |
| .github/scripts/fix_cdk_json.sh | Writes enablePrescribingSignatureValidation context value from env into built cdk.json. |
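
The flag-gated check and the single logging/mapping function described in the review above, as an added JavaScript sketch that is not part of the pull request. The flag semantics, the ECDSA P-256 verifier, the 400 status, and every name other than ENABLE_PRESCRIBING_SIGNATURE_VALIDATION and isSignatureValidationEnabled are assumptions.

```javascript
// Added illustration, not code from this pull request. Only the flag name and
// the function name isSignatureValidationEnabled appear on the page; their
// behaviour here, and every other name, is an assumption.
const crypto = require("node:crypto");

// Assumed semantics: only the exact string "true" switches validation on.
function isSignatureValidationEnabled(env = process.env) {
  return env.ENABLE_PRESCRIBING_SIGNATURE_VALIDATION === "true";
}

// Hypothetical verifier: returns a list of error strings, empty when valid.
function verifySignature(payload, signatureB64, publicKey) {
  if (!signatureB64) return ["Signature is missing"];
  const signature = Buffer.from(signatureB64, "base64");
  try {
    const ok = crypto.verify("sha256", Buffer.from(payload), publicKey, signature);
    return ok ? [] : ["Signature does not match the signed payload"];
  } catch {
    return ["Signature could not be processed"]; // malformed input fails closed
  }
}

// Single place that logs and maps errors to FHIR OperationOutcome issues.
function verifyAndFormat(payload, signatureB64, publicKey, log) {
  const errors = verifySignature(payload, signatureB64, publicKey);
  if (errors.length) log.push({ level: "error", msg: "signature invalid", errors });
  return errors.map((diagnostics) => ({ severity: "error", code: "invalid", diagnostics }));
}

// Creation route: the check runs only when the flag is on.
function handlePrescriptionOrder(req, publicKey, env, log = []) {
  if (!isSignatureValidationEnabled(env)) return { status: 200, checked: false };
  const issue = verifyAndFormat(req.payload, req.signature, publicKey, log);
  if (issue.length === 0) return { status: 200, checked: true };
  return { status: 400, checked: true, body: { resourceType: "OperationOutcome", issue } };
}

// Constructed sample data: a throwaway P-256 key and a signed payload.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const payload = "constructed-prescription-order";
const signed = { payload, signature: crypto.sign("sha256", Buffer.from(payload), privateKey).toString("base64") };
const tampered = { ...signed, payload: payload + "-modified" };

const on = { ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: "true" };
const off = { ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: "false" };
console.log(handlePrescriptionOrder(signed, publicKey, on).status);
console.log(handlePrescriptionOrder(tampered, publicKey, on).status);
console.log(handlePrescriptionOrder(tampered, publicKey, off).status);
```

With the flag off, the tampered request is accepted unchecked, which is the behaviour the flag preserves for environments where validation is not yet enabled.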

