HDPI-5819 Pin pack generation on case issue#1984
Merged
Merged
Conversation
CCD diff summary👉 Full report: https://github.com/hmcts/pcs-api/actions/runs/28606969848?check_suite_focus=true No change |
sadmanrahh
reviewed
Jun 17, 2026
sadmanrahh
reviewed
Jun 17, 2026
sadmanrahh
approved these changes
Jun 17, 2026
scottstewart-sl
approved these changes
Jun 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Jira link
See HDPI-5819
Change description
Generates the defendant access code letter (pin pack) when a case is issued, so each
defendant has a printable letter containing a unique access code they can use to respond
online or by post.
Testing done
Added unit tests for the new code paths and updated tests for the modified ones.
Local build verification:
gradlew build end-to-end on this branch is green:
The test-pin sink was deliberately refactored from a JPA entity + repository to a plain
JdbcTemplate writer + reader. This keeps the table out of Hibernate's schema validation, so
the @DataJpaTest slice and other JPA-validating tests can boot without the runtime-created
table being present.
Manual end-to-end (local stack)
Verified live by issuing real cases through XUI / Make a claim against bootWithCCD,
docmosis-tornado, and the local wiremock stubs for doc-assembly + Location Reference.
Case ref Scenario verified :
1781600966587792 AC01 : 1 v 1 (John Smith) 1× DEFENDANT_ACCESS_CODE doc with category_id NULL; 1 BCrypt row in party_access_code; 1 SUCCESS log row; 1 plaintext row in testing_support_pin; GET /testing-support/pins/{ref} returns one entry; rendered PDF shows the right pin + name + addresses + court block.
1781606860693552 AC02 : 1 v many (John Smith + Jane Doe) 2 docs (category NULL each), 2 distinct BCrypt codes, 2 SUCCESS log rows, 2 distinct plaintext pins (WDAHVW5MS7MV, EYP2MF8REKBP); /pins JSON has two top-level keys; one PDF per defendant.
1781614122802623 AC04 + AC05 : persons unknown + no-address (one of each) DB shape identical to AC02; /pins returns {} for the persons-unknown / no-address defendant and an entry without an address key for the named / no-address defendant : the two response shapes downstream uses to detect each fallback; rendered PDFs show "Persons unknown" and property-address fallback.
All three AC03 : BCrypt at rest party_access_code.code starts with $2a$10$ (BCrypt), distinct per defendant, different from the plaintext value in testing_support_pin.plaintext_code. Plaintext never lives in party_access_code.
All three AC06 : respond-by-post court The court block on each rendered letter shows the venue returned by rd-location-ref-api (court_name, court_address, postcode), verified against the canonical LrdCourtVenueResponse schema in hmcts/rd-location-ref-api.
All three Hidden from Case File document.category_id is NULL for every DEFENDANT_ACCESS_CODE row (the DocumentService.mapDocumentTypeToCategory switch returns Optional.empty() for this type).
All three Failure logging Forced a failure by killing the location-reference stub mid-run: claim_activity_log recorded DOCUMENTS_CREATED / FAILURE in a new transaction (visible despite the outer rollback); db-scheduler retried with backoff; subsequent attempt logged SUCCESS.
Evidence rendered locally (one PDF per defendant per case, via Docmosis Tornado direct :
same engine pcs-api hits via doc-assembly in prod):
Each was field-checked for: plaintext pin, defendant name (or
"Persons unknown"), case reference, property address, court address + postcode, the
"Respond by: The date of the hearing" label, and the /access-your-case URL.
Security Vulnerability Assessment
CVE Suppression: Are there any CVEs present in the codebase (either newly introduced or pre-existing) that are being intentionally suppressed or ignored by this commit?
Checklist