[GPCAPIM-265] Generate X-Request-Id header

[Vox-Ben]

Description

This makes the PdsClient generate a fresh UUID with each request to PDS and send it as the X-Request-Id header

Context

PDS requires a fresh X-Request-Id with every request. Previously we were expecting it to be generated by the consumer and passed in, but that is incorrect - it needs to be generated within the PDS module because it is specific to the PDS request and the consumer has no knowledge of it.

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming
• Exceptions/Exclusions to coding standards (e.g. #noqa or #NOSONAR) are included within this Pull Request.

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

[github-actions]

Deployment Complete

• Preview URL: https://feature-gpcapim-265-x-request-id.dev.endpoints.clinical-data-gateway.national.nhs.uk — Health endpoint
  • Smoke Test: ✅ Passed (HTTP 200)
• Proxy URL: https://internal-dev.api.service.nhs.uk/clinical-data-gateway-api-poc-pr-85
• ECS Cluster: ecs-cluster
• ECS Service: pr-feature-gpcapim-265-x-request-id
• ALB Target: arn:aws:elasticloadbalancing:eu-west-2:900119715266:targetgroup/gpcapim-265-x-request-id/628b340d944d4474

[github-actions]

✅ Trivy gate: no Critical/High issues.

Trivy IaC (Terraform) Summary

Severity	Count
CRITICAL	0
HIGH	0
MEDIUM	0
LOW	0
UNKNOWN	0

Findings (top 50)

Severity	ID	Title	File

[github-actions]

✅ Trivy gate: no Critical/High vulnerabilities.

Trivy Image Scan Summary

Image: 900119715266.dkr.ecr.eu-west-2.amazonaws.com/whoami:feature-gpcapim-265-x-request-id

Severity	Count
CRITICAL	0
HIGH	0
MEDIUM	0
LOW	1
UNKNOWN	0

Findings (top 50)

Severity	ID	Package	Installed	Fixed	Source
LOW	CVE-2026-1703	pip	25.3	26.0	Python

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[davidhamill1-nhs]

Move to import block at the top of the file.

[davidhamill1-nhs]

To produce nicer error messages if/when the test fails:

Suggested change

	UUID(headers["X-Request-ID"]) # Should not raise
	try:
	UUID(headers["X-Request-ID"])
	except:
	pytest.fail("Should not raise an error if this is genuinely a uuid")

[davidhamill1-nhs]

IMO, these are unnecessary. The final assertion, UUID(headers["X-Request-ID"]) will check for these.

[davidhamill1-nhs]

You've stated this twice. I'm not sure it's need once.

[davidhamill1-nhs]

I would parameterise the header test so that only a single assertion is made per test.

You could also patch the uuid module to return a yest value and assert for that.