NHSDigital · nhsd-david-wass · Dec 11, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 10, 2025
@@ -27,4 +27,8 @@ dist
 /sandbox/*.log
 /sandbox-staging
 /specification/api/components/examples
+/specification/api/components/x-nhsd-apim/x-nhsd-apim.yml
+/specification/api/components/security-schemes/security-schemes.yml
+/specification/api/components/security/security.yml
+/specification/api/components/parameters/authorization/authorization.yml
 /scripts/JWT/*.pem
@@ -46,32 +46,26 @@ publish-oas:
 	npm run publish-oas
 
 set-authorization: guard-APIM_ENV
-	@ AUTHORIZATION=authorization-$$APIM_ENV.yml \
-	envsubst '$${AUTHORIZATION}' \
-	< specification/api/components/parameters/authorization/authorization-template.yml > specification/api/components/parameters/authorization/authorization.yml
+	SPEC_DIR=./specification/api/components/environments
+	COMPONENT_DIR=./specification/api/components/parameters/authorization
+	./scripts/build/substitute_build_env.sh $$COMPONENT_DIR/authorization-template.yml $$SPEC_DIR/$$APIM_ENV.env $$COMPONENT_DIR/authorization.yml
 
-set-target: guard-APIM_ENV
-	@ TARGET=target-$$APIM_ENV.yml \
-	envsubst '$${TARGET}' \
-	< specification/api/components/x-nhsd-apim/target-template.yml > specification/api/components/x-nhsd-apim/target.yml
-
-set-access: guard-APIM_ENV
-	@ ACCESS=access-$$APIM_ENV.yml \
-	envsubst '$${ACCESS}' \
-	< specification/api/components/x-nhsd-apim/access-template.yml > specification/api/components/x-nhsd-apim/access.yml
+set-nhsd-apim: guard-APIM_ENV
+	SPEC_DIR=./specification/api/components/environments
+	COMPONENT_DIR=./specification/api/components/x-nhsd-apim
+	./scripts/build/substitute_build_env.sh $$COMPONENT_DIR/x-nhsd-apim-template.yml $$SPEC_DIR/$$APIM_ENV.env $$COMPONENT_DIR/x-nhsd-apim.yml
 
 set-security: guard-APIM_ENV
-	@ SECURITY=security-$$APIM_ENV.yml \
-	envsubst '$${SECURITY}' \
-	< specification/api/components/security/security-template.yml > specification/api/components/security/security.yml
-	@ SECURITY_SCHEMES=security-schemes-$$APIM_ENV.yml \
-	envsubst '$${SECURITY_SCHEMES}' \
-	< specification/api/components/security-schemes/security-schemes-template.yml > specification/api/components/security-schemes/security-schemes.yml
+	SPEC_DIR=./specification/api/components/environments
+	COMPONENT_DIR=./specification/api/components/security
+	./scripts/build/substitute_build_env.sh $$COMPONENT_DIR/security-template.yml $$SPEC_DIR/$$APIM_ENV.env $$COMPONENT_DIR/security.yml
+	COMPONENT_DIR=./specification/api/components/security-schemes
+	./scripts/build/substitute_build_env.sh $$COMPONENT_DIR/security-schemes-template.yml $$SPEC_DIR/$$APIM_ENV.env $$COMPONENT_DIR/security-schemes.yml
+
 
 construct-spec: guard-APIM_ENV
+	$(MAKE) set-nhsd-apim APIM_ENV=$$APIM_ENV
 	$(MAKE) set-authorization APIM_ENV=$$APIM_ENV
-	$(MAKE) set-target APIM_ENV=$$APIM_ENV
-	$(MAKE) set-access APIM_ENV=$$APIM_ENV
 	$(MAKE) set-security APIM_ENV=$$APIM_ENV
 
 build-json-oas-spec: guard-APIM_ENV

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TEMPLATE="$1"
+ENV_FILE="$2"
+OUT="$3"
+
+# Extract variable names from the env file (left side of KEY=VALUE)
+VARS=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$ENV_FILE" | cut -d= -f1)
+
+# Build envsubst variable list ($VAR1 $VAR2 ...)
+VARLIST=""
+for v in $VARS; do
+  VARLIST="$VARLIST \$$v"
+done
+VARLIST="${VARLIST# }"   # remove leading space
+
+# Export values from the env file
+set -a
+source "$ENV_FILE"
+set +a
+
+# Run envsubst only on the selected variables
+envsubst "$VARLIST" < "$TEMPLATE" > "$OUT"
+
+echo "Generated: $OUT"
@@ -0,0 +1,3 @@
+MONITORING_FLAG=true
+TEMPORARY_FLAG=false
+ENV_DIR=../environments/int
@@ -0,0 +1 @@
+$ref: '../common/security-schemes-ptl.yml'
@@ -0,0 +1,3 @@
+MONITORING_FLAG=false
+TEMPORARY_FLAG=true
+ENV_DIR=../environments/internal-dev-pr
@@ -0,0 +1,3 @@
+app-default:
+  limit: 300
+  timeunit: second
@@ -0,0 +1 @@
+$ref: '../common/security-schemes-ptl.yml'
@@ -0,0 +1,3 @@
+- name: NHSD-Supplier-ID
+  header: NHSD-Supplier-ID
+  required: true
@@ -0,0 +1,3 @@
+MONITORING_FLAG=true
+TEMPORARY_FLAG=false
+ENV_DIR=../environments/internal-dev
@@ -0,0 +1,3 @@
+app-default:
+  limit: 300
+  timeunit: second
@@ -0,0 +1 @@
+$ref: '../common/security-schemes-ptl.yml'
@@ -0,0 +1 @@
+app-level3: []
@@ -0,0 +1,3 @@
+- name: NHSD-Supplier-ID
+  header: NHSD-Supplier-ID
+  required: true
@@ -0,0 +1,3 @@
+MONITORING_FLAG=true
+TEMPORARY_FLAG=false
+ENV_DIR=../environments/prod
@@ -0,0 +1,3 @@
+app-default:
+  limit: 300
+  timeunit: second
@@ -0,0 +1 @@
+app-level3: []
@@ -0,0 +1,3 @@
+- name: NHSD-Supplier-ID
+  header: NHSD-Supplier-ID
+  required: true
@@ -0,0 +1,3 @@
+MONITORING_FLAG=true
+TEMPORARY_FLAG=false
+ENV_DIR=../environments/ref
@@ -2,7 +2,7 @@ name: Authorization
 in: header
 description: |-
   An OAuth 2.0 bearer token. Required in integration and production environments.
-required: false
+required: true
 schema:
   type: string
   pattern: ^Bearer [[:ascii:]]+$

@@ -0,0 +1,3 @@
+app-default:
+  limit: 300
+  timeunit: second
@@ -0,0 +1 @@
+$ref: '../common/security-schemes-ptl.yml'
@@ -0,0 +1 @@
+app-level3: []
@@ -0,0 +1,3 @@
+- name: NHSD-Supplier-ID
+  header: NHSD-Supplier-ID
+  required: true
@@ -0,0 +1,3 @@
+MONITORING_FLAG=false
+TEMPORARY_FLAG=false
+ENV_DIR=../environments/sandbox
@@ -0,0 +1,3 @@
+app-default:
+  limit: 300
+  timeunit: second
@@ -0,0 +1 @@
+$ref: '../common/security-schemes-ptl.yml'
@@ -0,0 +1,3 @@
+- name: NHSD-Supplier-ID
+  header: NHSD-Supplier-ID
+  required: false
@@ -1 +1 @@
-$ref: $AUTHORIZATION
+$ref: ../$ENV_DIR/authorization.yml
@@ -1 +1 @@
-$ref: $SECURITY_SCHEMES
+$ref: $ENV_DIR/security-schemes.yml
@@ -1 +1 @@
-$ref: $SECURITY
+$ref: $ENV_DIR/security.yml
@@ -0,0 +1,10 @@
+temporary: $TEMPORARY_FLAG
+monitoring: $MONITORING_FLAG
+access:
+  $ref: $ENV_DIR/access.yml
+target:
+  $ref: $ENV_DIR/target.yml
+target-attributes:
+  $ref: $ENV_DIR/target-attributes.yml
+ratelimiting:
+  $ref: $ENV_DIR/rate-limiting.yml
@@ -68,13 +68,4 @@ servers:
   - url: 'http://127.0.0.1:9000'
     description: Local development server
 x-nhsd-apim:
-  temporary: false
-  monitoring: false
-  access:
-    $ref: ./components/x-nhsd-apim/access.yml
-  target:
-    $ref: ./components/x-nhsd-apim/target.yml
-  target-attributes:
-    $ref: ./components/x-nhsd-apim/target-attributes.yml
-  ratelimiting:
-    $ref: ./components/x-nhsd-apim/rate-limiting.yml
+  $ref: './components/x-nhsd-apim/x-nhsd-apim.yml'
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		$ref: $AUTHORIZATION
		$ref: ../$ENV_DIR/authorization.yml
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		$ref: $SECURITY_SCHEMES
		$ref: $ENV_DIR/security-schemes.yml