VIBE-221 Subscription Fulfilment Email

.github/workflows/e2e.yml

@@ -90,9 +90,14 @@ jobs:
 
       # API Authentication Configuration (for blob ingestion endpoint)
       AZURE_TENANT_ID: ${{ secrets.APP_TENANT_ID }}
-      AZURE_CLIENT_ID: ${{ secrets.APP_PIP_DATA_MANAGEMENT_ID }}
+      AZURE_API_CLIENT_ID: ${{ secrets.APP_PIP_DATA_MANAGEMENT_ID }}
+      AZURE_API_CLIENT_SECRET: ${{ secrets.APP_PIP_DATA_MANAGEMENT_PWD }}
       APP_PIP_DATA_MANAGEMENT_SCOPE: ${{ secrets.APP_PIP_DATA_MANAGEMENT_SCOPE }}
 
+      # GOV.UK Notify Configuration (for notification E2E tests)
+      GOVUK_NOTIFY_API_KEY: ${{ secrets.GOVUK_NOTIFY_API_KEY }}
+      GOVUK_NOTIFY_TEMPLATE_ID_SUBSCRIPTION: ${{ secrets.GOVUK_NOTIFY_TEMPLATE_ID_SUBSCRIPTION }}
+
     steps:
       - name: Checkout
         uses: actions/checkout@v6

apps/api/package.json

@@ -21,7 +21,7 @@
     "compression": "1.8.1",
     "config": "4.1.1",
     "cors": "2.8.5",
-    "express": "5.1.0"
+    "express": "5.2.0"
   },
   "devDependencies": {
     "@types/compression": "1.8.1",

apps/postgres/prisma/migrations/20251201095418_add_notification_audit_log/migration.sql

@@ -0,0 +1,55 @@
+-- DropForeignKey (only if exists)
+ALTER TABLE "ingestion_log" DROP CONSTRAINT IF EXISTS "fk_blob_artefact";
+
+-- AlterTable (only if DEFAULT exists)
+DO $$ BEGIN
+  IF EXISTS (
+    SELECT 1 FROM information_schema.columns
+    WHERE table_name = 'ingestion_log'
+    AND column_name = 'id'
+    AND column_default IS NOT NULL
+  ) THEN
+    ALTER TABLE "ingestion_log" ALTER COLUMN "id" DROP DEFAULT;
+  END IF;
+END $$;
+
+-- CreateTable (only if not exists)
+CREATE TABLE IF NOT EXISTS "notification_audit_log" (
+    "notification_id" UUID NOT NULL,
+    "subscription_id" UUID NOT NULL,
+    "user_id" UUID NOT NULL,
+    "publication_id" UUID NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'Pending',
+    "error_message" TEXT,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "sent_at" TIMESTAMP(3),
+
+    CONSTRAINT "notification_audit_log_pkey" PRIMARY KEY ("notification_id")
+);
+
+-- CreateIndex (only if not exists)
+CREATE INDEX IF NOT EXISTS "notification_audit_log_publication_id_idx" ON "notification_audit_log"("publication_id");
+
+-- CreateIndex (only if not exists)
+CREATE INDEX IF NOT EXISTS "notification_audit_log_status_idx" ON "notification_audit_log"("status");
+
+-- CreateIndex (only if not exists)
+CREATE UNIQUE INDEX IF NOT EXISTS "notification_audit_log_user_id_publication_id_key" ON "notification_audit_log"("user_id", "publication_id");
+
+-- AddForeignKey (only if not exists)
+DO $$ BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_constraint WHERE conname = 'ingestion_log_artefact_id_fkey'
+  ) THEN
+    ALTER TABLE "ingestion_log" ADD CONSTRAINT "ingestion_log_artefact_id_fkey" FOREIGN KEY ("artefact_id") REFERENCES "artefact"("artefact_id") ON DELETE SET NULL ON UPDATE CASCADE;
+  END IF;
+END $$;
+
+-- AddForeignKey (only if not exists)
+DO $$ BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_constraint WHERE conname = 'notification_audit_log_subscription_id_fkey'
+  ) THEN
+    ALTER TABLE "notification_audit_log" ADD CONSTRAINT "notification_audit_log_subscription_id_fkey" FOREIGN KEY ("subscription_id") REFERENCES "subscription"("subscription_id") ON DELETE RESTRICT ON UPDATE CASCADE;
+  END IF;
+END $$;

apps/postgres/prisma/migrations/20251201155125_add_gov_notify_id/migration.sql

@@ -0,0 +1,15 @@
+-- Add gov_notify_id column to notification_audit_log (idempotent)
+DO $$ BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM information_schema.columns
+    WHERE table_name = 'notification_audit_log'
+    AND column_name = 'gov_notify_id'
+  ) THEN
+    ALTER TABLE "notification_audit_log"
+    ADD COLUMN "gov_notify_id" TEXT;
+  END IF;
+END $$;
+
+-- Create index for gov_notify_id lookups (idempotent)
+CREATE INDEX IF NOT EXISTS "notification_audit_log_gov_notify_id_idx"
+ON "notification_audit_log"("gov_notify_id");

apps/postgres/prisma/migrations/20251202095746_remove_notification_unique_constraint/migration.sql

@@ -0,0 +1,2 @@
+-- DropIndex
+DROP INDEX "notification_audit_log_user_id_publication_id_key";

apps/postgres/src/schema-discovery.test.ts

@@ -12,11 +12,12 @@ describe("Schema Discovery", () => {
       expect(Array.isArray(result)).toBe(true);
     });
 
-    it("should return array with subscriptions and location schemas", () => {
+    it("should return array with subscriptions, location, and notifications schemas", () => {
       const result = getPrismaSchemas();
-      expect(result.length).toBe(2);
-      expect(result[0]).toContain("subscriptions");
-      expect(result[1]).toContain("location");
+      expect(result.length).toBe(3);
+      expect(result.some((path) => path.includes("subscriptions"))).toBe(true);
+      expect(result.some((path) => path.includes("location"))).toBe(true);
+      expect(result.some((path) => path.includes("notifications"))).toBe(true);
     });
 
     it("should return a new array on each call", () => {

apps/postgres/src/schema-discovery.ts

@@ -1,7 +1,8 @@
 // Schema discovery functionality for module integration
 import { prismaSchemas as locationSchemas } from "@hmcts/location/config";
+import { prismaSchemas as notificationsSchemas } from "@hmcts/notifications/config";
 import { prismaSchemas as subscriptionsSchemas } from "@hmcts/subscriptions/config";
 
 export function getPrismaSchemas(): string[] {
-  return [subscriptionsSchemas, locationSchemas];
+  return [subscriptionsSchemas, locationSchemas, notificationsSchemas];
 }

apps/web/package.json

@@ -35,7 +35,7 @@
     "connect-redis": "9.0.0",
     "cookie-parser": "1.4.7",
     "dotenv": "17.2.3",
-    "express": "5.1.0",
+    "express": "5.2.0",
     "express-session": "1.18.2",
     "glob": "13.0.0",
     "govuk-frontend": "5.13.0",

docs/GITHUB_SECRETS_SETUP.md

@@ -0,0 +1,119 @@
+# GitHub Secrets Configuration
+
+This document describes the GitHub Secrets required for running E2E tests in CI/CD pipelines.
+
+## Required Secrets
+
+The following secrets must be configured in your GitHub repository settings (`Settings` > `Secrets and variables` > `Actions`):
+
+### API Authentication (Blob Ingestion & Notifications)
+
+| Secret Name | Description | Used By |
+|------------|-------------|---------|
+| `APP_TENANT_ID` | Azure AD Tenant ID | API authentication |
+| `APP_PIP_DATA_MANAGEMENT_ID` | Azure AD Application Client ID | API authentication |
+| `APP_PIP_DATA_MANAGEMENT_PWD` | Azure AD Application Client Secret | API authentication |
+| `APP_PIP_DATA_MANAGEMENT_SCOPE` | Azure AD Application Scope | API authentication |
+
+### GOV.UK Notify (Email Notifications)
+
+| Secret Name | Description | Used By |
+|------------|-------------|---------|
+| `GOVUK_NOTIFY_API_KEY` | GOV.UK Notify API Key | Notification E2E tests |
+| `GOVUK_NOTIFY_TEMPLATE_ID_SUBSCRIPTION` | GOV.UK Notify Template ID for subscription notifications | Notification E2E tests |
+
+### SSO Authentication
+
+| Secret Name | Description |
+|------------|-------------|
+| `SESSION_SECRET` | Session encryption secret |
+| `SSO_CLIENT_ID` | SSO Client ID |
+| `SSO_CLIENT_SECRET` | SSO Client Secret |
+| `SSO_CONFIG_ENDPOINT` | SSO configuration endpoint |
+| `SSO_SG_SYSTEM_ADMIN` | SSO System Admin Group ID |
+| `SSO_SG_ADMIN_CTSC` | SSO CTSC Admin Group ID |
+| `SSO_SG_ADMIN_LOCAL` | SSO Local Admin Group ID |
+
+### Test User Credentials (SSO)
+
+| Secret Name | Description |
+|------------|-------------|
+| `SSO_TEST_SYSTEM_ADMIN_ACCOUNT_USER` | System Admin test user email |
+| `SSO_TEST_SYSTEM_ADMIN_ACCOUNT_PWD` | System Admin test user password |
+| `SSO_TEST_ADMIN_LOCAL_ACCOUNT_USER` | Local Admin test user email |
+| `SSO_TEST_ADMIN_LOCAL_ACCOUNT_PWD` | Local Admin test user password |
+| `SSO_TEST_ADMIN_ACCOUNT_CTSC_USER` | CTSC Admin test user email |
+| `SSO_TEST_ADMIN_ACCOUNT_CTSC_PWD` | CTSC Admin test user password |
+| `SSO_TEST_NO_ROLES_ACCOUNT_USER` | No roles test user email |
+| `SSO_TEST_NO_ROLES_ACCOUNT_PWD` | No roles test user password |
+
+### Test User Credentials (CFT IDAM)
+
+| Secret Name | Description |
+|------------|-------------|
+| `CFT_IDAM_CLIENT_SECRET` | CFT IDAM Client Secret |
+| `CFT_VALID_TEST_ACCOUNT` | CFT IDAM valid test account email |
+| `CFT_VALID_TEST_ACCOUNT_PASSWORD` | CFT IDAM valid test account password |
+| `CFT_INVALID_TEST_ACCOUNT` | CFT IDAM invalid test account email |
+| `CFT_INVALID_TEST_ACCOUNT_PASSWORD` | CFT IDAM invalid test account password |
+
+## Workflow Configuration
+
+The E2E tests workflow (`.github/workflows/e2e.yml`) automatically uses these secrets when running tests on:
+- Pull requests to `master` or `main` branches
+- Direct pushes to `master` or `main` branches
+
+## Local Development
+
+For local E2E test execution, the `run-with-credentials.js` script loads secrets from Azure Key Vault using Azure CLI authentication:
+
+```bash
+# Authenticate with Azure
+az login
+
+# Run E2E tests with Azure Key Vault credentials
+cd e2e-tests
+node run-with-credentials.js blob-ingestion-notifications
+```
+
+The script automatically detects if running in CI (via `CI=true` environment variable) and uses GitHub Secrets instead of Azure Key Vault.
+
+## Environment Variables Mapping
+
+The secrets are mapped to the following environment variables in the GitHub Actions workflow:
+
+```yaml
+# API Authentication
+AZURE_TENANT_ID: ${{ secrets.APP_TENANT_ID }}
+AZURE_API_CLIENT_ID: ${{ secrets.APP_PIP_DATA_MANAGEMENT_ID }}
+AZURE_API_CLIENT_SECRET: ${{ secrets.APP_PIP_DATA_MANAGEMENT_PWD }}
+APP_PIP_DATA_MANAGEMENT_SCOPE: ${{ secrets.APP_PIP_DATA_MANAGEMENT_SCOPE }}
+
+# GOV.UK Notify
+GOVUK_NOTIFY_API_KEY: ${{ secrets.GOVUK_NOTIFY_API_KEY }}
+GOVUK_NOTIFY_TEMPLATE_ID_SUBSCRIPTION: ${{ secrets.GOVUK_NOTIFY_TEMPLATE_ID_SUBSCRIPTION }}
+```
+
+## Notification E2E Tests
+
+The notification E2E tests (`blob-ingestion-notifications.spec.ts`) will:
+- **Skip** the "verify GOV.UK Notify email content" test if `GOVUK_NOTIFY_API_KEY` is not set
+- **Run** all other notification tests (email validation, skipped notifications, etc.)
+
+To enable the full test suite in CI, ensure both `GOVUK_NOTIFY_API_KEY` and `GOVUK_NOTIFY_TEMPLATE_ID_SUBSCRIPTION` secrets are configured.
+
+## Troubleshooting
+
+### Tests are skipped in CI
+- Verify all required secrets are configured in GitHub repository settings
+- Check the GitHub Actions workflow logs for missing environment variables
+
+### Local tests fail to authenticate
+- Ensure you're logged in to Azure CLI: `az login`
+- Verify you have access to the `pip-bootstrap-stg-kv` Key Vault
+- Check your Azure subscription is set correctly: `az account show`
+
+### API authentication errors
+- Verify the Azure AD application credentials are correct
+- Ensure the application has the required permissions/scopes
+- Check the tenant ID matches your Azure AD tenant