NHSDigital · sandyforresternhs · Mar 10, 2026 · Feb 26, 2026 · Mar 3, 2026 · Mar 5, 2026
@@ -49,6 +49,44 @@ def add_test_files(folder, file_name, local_path):
         json.dump(PointerTypes.list(), f)
 
 
+def _write_permission_file(folder_path, ods_code, pointer_types):
+    folder_path.mkdir(parents=True, exist_ok=True)
+    with open(folder_path / f"{ods_code}.json", "w") as f:
+        json.dump({"types": pointer_types}, f)
+
+
+def add_feature_test_files(local_path):
+    """Bake in v2 permissions for the feature test application so that the
+    v2 permissions model can be proven via feature tests without
+    requiring a dynamic layer rebuild between test setup and test execution.
+    """
+
+    print("Adding feature test v2 permissions to temporary directory...")
+    permissions = {
+        "consumer": [
+            (
+                "z00z-y11y-x22x",
+                "RX898",
+                [PointerTypes.MENTAL_HEALTH_PLAN.value],
+            ),  # http://snomed.info/sct|736253002
+        ],
+        "producer": [
+            (
+                "z00z-y11y-x22x",
+                "RX898",
+                [PointerTypes.EOL_CARE_PLAN.value],
+            ),  # http://snomed.info/sct|736373009
+        ],
+    }
+    [
+        _write_permission_file(
+            Path.joinpath(local_path, actor_type, app_id), ods_code, pointer_types
+        )
+        for actor_type, entries in permissions.items()
+        for app_id, ods_code, pointer_types in entries
+    ]
+
+
 def download_files(s3_client, bucket_name, local_path, file_names, folders):
     print(f"Downloading {len(file_names)} S3 files to temporary directory...")
     local_path = Path(local_path)
@@ -65,6 +103,7 @@ def download_files(s3_client, bucket_name, local_path, file_names, folders):
         s3_client.download_file(bucket_name, file_name, str(file_path))
 
     add_test_files("K6PerformanceTest", "Y05868.json", local_path)
+    add_feature_test_files(local_path)
 
 
 def main(use_shared_resources: str, env: str, workspace: str, path_to_store: str):

@@ -60,3 +60,13 @@ resource "aws_s3_bucket_versioning" "authorization-store" {
     status = "Enabled"
   }
 }
+# Need to pull these into state if they already exist
+resource "aws_s3_object" "consumer-object" {
+  bucket = aws_s3_bucket.authorization-store.id
+  key    = "consumer/"
+}
+
+resource "aws_s3_object" "producer-object" {
+  bucket = aws_s3_bucket.authorization-store.id
+  key    = "producer/"
+}
@@ -6,7 +6,7 @@ Feature: Consumer - readDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
+    When consumer v1 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
     Then the response status code is 404
     And the response is an OperationOutcome with 1 issue
     And the OperationOutcome contains the issue:
@@ -33,7 +33,7 @@ Feature: Consumer - readDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' reads a DocumentReference with ID 'X26`DROP TABLE 'pointers';--Something-000000000-000000000'
+    When consumer v1 'RX898' reads a DocumentReference with ID 'X26`DROP TABLE 'pointers';--Something-000000000-000000000'
     Then the response status code is 404
     And the response is an OperationOutcome with 1 issue
     And the OperationOutcome contains the issue:
@@ -58,7 +58,7 @@ Feature: Consumer - readDocumentReference - Failure Scenarios
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
     And the organisation 'RX898' is authorised to access pointer types:
       | system | value |
-    When consumer 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
+    When consumer v1 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
     Then the response status code is 403
     And the response is an OperationOutcome with 1 issue
     And the OperationOutcome contains the issue:
@@ -95,7 +95,7 @@ Feature: Consumer - readDocumentReference - Failure Scenarios
       | url         | https://example.org/my-doc.pdf         |
       | custodian   | 02V                                    |
       | author      | 02V                                    |
-    When consumer 'RX898' reads a DocumentReference with ID '02V-1111111111-ReadDocRefNoAuthForType'
+    When consumer v1 'RX898' reads a DocumentReference with ID '02V-1111111111-ReadDocRefNoAuthForType'
     Then the response status code is 403
     And the response is an OperationOutcome with 1 issue
     And the OperationOutcome contains the issue:
@@ -120,7 +120,7 @@ Feature: Consumer - readDocumentReference - Failure Scenarios
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
     And the organisation 'RX898' is authorised to access pointer types:
       | system | value |
-    When consumer 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
+    When consumer v1 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
     Then the response status code is 403
     And the response is an OperationOutcome with 1 issue
     And the OperationOutcome contains the issue:
@@ -157,7 +157,7 @@ Feature: Consumer - readDocumentReference - Failure Scenarios
       | url         | https://example.org/my-doc.pdf           |
       | custodian   | 02V                                      |
       | author      | 02V                                      |
-    When consumer 'RX898' reads a DocumentReference with ID '02V-1111111111-ReadDocRefNoAuthForTypeS3'
+    When consumer v1 'RX898' reads a DocumentReference with ID '02V-1111111111-ReadDocRefNoAuthForTypeS3'
     Then the response status code is 403
     And the response is an OperationOutcome with 1 issue
     And the OperationOutcome contains the issue:

@@ -16,7 +16,7 @@ Feature: Consumer - readDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc.pdf           |
       | custodian   | RX898                                    |
       | author      | RX898                                    |
-    When consumer 'RX898' reads a DocumentReference with ID 'RX898-9999999999-ReadDocRefSameCustodian'
+    When consumer v1 'RX898' reads a DocumentReference with ID 'RX898-9999999999-ReadDocRefSameCustodian'
     Then the response status code is 200
     And the response is a DocumentReference with JSON value:
       """
@@ -133,7 +133,7 @@ Feature: Consumer - readDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc.pdf         |
       | custodian   | X26                                    |
       | author      | RX898                                  |
-    When consumer 'RX898' reads a DocumentReference with ID 'X26-9999999999-ReadDocRefDiffCustodian'
+    When consumer v1 'RX898' reads a DocumentReference with ID 'X26-9999999999-ReadDocRefDiffCustodian'
     Then the response status code is 200
     And the response is a DocumentReference with JSON value:
       """
@@ -250,5 +250,5 @@ Feature: Consumer - readDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc.pdf             |
       | custodian   | RX898\|001                                 |
       | author      | RX898                                      |
-    When consumer 'RX898' reads a DocumentReference with ID 'RX898%7C001-1234567890-ReadDocRefUrlEncoded'
+    When consumer v1 'RX898' reads a DocumentReference with ID 'RX898%7C001-1234567890-ReadDocRefUrlEncoded'
     Then the response status code is 200
@@ -5,7 +5,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
       | extra     | parameter  |
@@ -33,7 +33,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value |
     Then the response status code is 400
     And the response is an OperationOutcome with 1 issue
@@ -59,7 +59,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                                |
       | subject   | 9278693472                           |
       | type      | http://incorrect.info/sct\|736253002 |
@@ -87,7 +87,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                                   |
       | subject   | 9278693472                              |
       | type      | http://snomed.info/sct\|887701000000100 |
@@ -115,7 +115,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value |
       | subject   | 123   |
     Then the response status code is 400
@@ -141,7 +141,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
     And the organisation 'RX898' is authorised to access pointer types:
       | system | value |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
     Then the response status code is 403
@@ -166,7 +166,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
     And the organisation 'RX898' is authorised to access pointer types:
       | system | value |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                             |
       | subject   | 9278693472                        |
       | category  | http://snomed.info/sct\|734163000 |
@@ -204,7 +204,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
       | url         | https://example.org/my-doc.pdf   |
       | custodian   | 8FW23                            |
       | author      | 8FW23                            |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                                    |
       | subject   | 9278693472                               |
       | category  | http://snomed.info/sct\|1102421000000108 |
@@ -227,7 +227,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
       | url         | https://example.org/my-doc.pdf    |
       | custodian   | 8FW23                             |
       | author      | 8FW23                             |
-    When consumer 'Z26' searches for DocumentReferences with parameters:
+    When consumer v1 'Z26' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
       | type      | 736253002  |
@@ -254,7 +254,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                                |
       | subject   | 9278693472                           |
       | category  | http://incorrect.info/sct\|736253002 |
@@ -282,7 +282,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
     And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                                                             |
       | subject   | 9278693472                                                        |
       | category  | http://snomed.info/sct\|734163000,http://snomed.info/sct\|invalid |

@@ -16,7 +16,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc.pdf  |
       | custodian   | 02V                             |
       | author      | 02V                             |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
     Then the response status code is 200
@@ -53,7 +53,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | custodian   | 02V                             |
       | author      | 02V                             |
       | identifier  | 02V.123456789                   |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
     Then the response status code is 200
@@ -90,7 +90,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc.pdf  |
       | custodian   | 02V                             |
       | author      | 02V                             |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
       | custodian | 02V        |
@@ -138,7 +138,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc.pdf   |
       | custodian   | DK94                             |
       | author      | DK94                             |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
       | custodian | 02V        |
@@ -186,7 +186,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc.pdf  |
       | custodian   | 02V                             |
       | author      | 02V                             |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
       | custodian | 02V        |
@@ -245,7 +245,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc-3.pdf      |
       | custodian   | 02V                                   |
       | author      | 02V                                   |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
     Then the response status code is 200
@@ -298,8 +298,8 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc.pdf |
       | custodian   | DK94                           |
       | author      | N64                            |
-    When producer 'DK94' requests to delete DocumentReference with id 'DK94-111-DeleteDocRefTest1'
-    And consumer 'RX898' searches for DocumentReferences with parameters:
+    When producer v1 'DK94' requests to delete DocumentReference with id 'DK94-111-DeleteDocRefTest1'
+    And consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
       | custodian | RX898      |
@@ -348,7 +348,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc-3.pdf      |
       | custodian   | 02V                                   |
       | author      | 02V                                   |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                             |
       | subject   | 9278693472                        |
       | category  | http://snomed.info/sct\|734163000 |
@@ -409,7 +409,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc-3.pdf      |
       | custodian   | 02V                                   |
       | author      | 02V                                   |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                                    |
       | subject   | 9278693472                               |
       | category  | http://snomed.info/sct\|1102421000000108 |
@@ -450,7 +450,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc-3.pdf      |
       | custodian   | 02V                                   |
       | author      | 02V                                   |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
       | _summary  | count      |
@@ -510,7 +510,7 @@ Feature: Consumer - searchDocumentReference - Success Scenarios
       | url         | https://example.org/my-doc-4.pdf      |
       | custodian   | 02V                                   |
       | author      | 02V                                   |
-    When consumer 'RX898' searches for DocumentReferences with parameters:
+    When consumer v1 'RX898' searches for DocumentReferences with parameters:
       | parameter | value                                                                     |
       | subject   | 9278693472                                                                |
       | category  | http://snomed.info/sct\|734163000,http://snomed.info/sct\|823651000000106 |