diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 00cb69ed5..f1531b3a8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -138,7 +138,7 @@ jobs:
STACK_NAME: pfp
TARGET_ENVIRONMENT: ref
APIGEE_ENVIRONMENT: ref
- ENABLE_MUTUAL_TLS: true
+ ENABLE_MUTUAL_TLS: false
MTLS_KEY: prescriptions-for-patients-mtls-1
BUILD_ARTIFACT: packaged_code
TRUSTSTORE_FILE: pfp-truststore.pem
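Review bot: The `ENABLE_MUTUAL_TLS: false` line for the `ref` target turns off mutual TLS in the release workflow with no comment or visible justification, while `MTLS_KEY` and `TRUSTSTORE_FILE` stay set directly below it, so the job now carries mTLS configuration that is presumably ignored. If the flag does what its name suggests, the ref deployment would stop requiring a client certificate and rely only on whatever other authentication sits in front of it. The rest of this diff only adds diagrams under `docs/`, so this looks like an unrelated or accidental change. If it is intentional, add a comment on the line such as `# mTLS disabled in ref temporarily: <reason / ticket placeholder>` and confirm that the other environments in this workflow still set `true`; otherwise restore `ENABLE_MUTUAL_TLS: true`. The job definition starts and ends outside the hunk, so those other environments are not visible here.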
diff --git a/docs/pfp-bundle-path.md b/docs/pfp-bundle-path.md
new file mode 100644
index 000000000..8fff7e084
--- /dev/null
+++ b/docs/pfp-bundle-path.md
@@ -0,0 +1,60 @@
+# Bundle endpoint behaviour
+
+```mermaid
+flowchart TB
+ subgraph API["API Gateway / Step Function"]
+ A[GET /Bundle
headers + JWT] --> S1["State: Get My Prescriptions"]
+ S1 -->|Lambda result| S2{statusCode == 200?}
+ S2 -- no --> F1["Return OperationOutcome
(Failed Get My Prescriptions)"]
+ S2 -- yes --> P1[Parse body JSON]
+ P1 --> T1{getStatusUpdates flag?}
+ T1 -- false --> S3["State: Enrich Prescriptions"]
+ T1 -- true --> S2a["State: Get Status Updates
(invoke external Lambda)"]
+ S2a --> S3
+ S3 --> R[200 FHIR Bundle response]
+ end
+
+ subgraph L1["GetMyPrescriptions Lambda"]
+ S1 --> L10["Middy wraps handler
(logging, header normaliser, error handler)"]
+ L10 --> L11["jobWithTimeout(10s)
stateMachineEventHandler"]
+ L11 --> L12{Spine cert configured?}
+ L12 -- no --> OC1[500 OperationOutcome
SPINE_CERT_NOT_CONFIGURED]
+ L12 -- yes --> L13["Override testing headers
+ adapt subject/delegated IDs"]
+ L13 --> L14{"TC008 test NHS?
(pfpConfig.isTC008)"}
+ L14 -- yes --> OC2[500 OperationOutcome
TC008]
+ L14 -- no --> L15["Spine call (9s timeout)
getPrescriptions"]
+ L15 -->|timeout| OC3[408 OperationOutcome
TIMEOUT_RESPONSE]
+ L15 -->|Bundle| L16["Tag bundle id + log
OperationOutcomes
extract ODS codes"]
+ L16 --> L17{shouldGetStatusUpdates?}
+ L17 -- true --> L18["buildStatusUpdateData
skip fully approved/cancelled
Skips prescriptions without performer/ODS code"]
+ L17 -- false --> L19[No status update payload]
+ L18 --> L20
+ L19 --> L20["Clone bundle → DistanceSelling.search
(5s timeout)"]
+ L20 -->|timeout| L21["Fallback to Spine bundle"]
+ L20 -->|success| L22["Use enriched bundle"]
+ L21 --> L23
+ L22 --> L23["stateMachineLambdaResponse
wrap fhir, traceIDs,
statusUpdateData,
TC009 exclusions"]
+ end
+
+ subgraph L2["Get Status Updates Lambda"]
+ S2a --> L30["Receives statusUpdateData array
fetches latest tracking data
(result stored as StatusUpdates)"]
+ end
+
+ subgraph L3["Enrich Prescriptions Lambda"]
+ S3 --> L40["extractNHSNumber + getUpdatesScenario
(expectStatusUpdates, TC007, etc.)"]
+ L40 --> L41{Scenario?}
+ L41 -- Present --> L42["applyStatusUpdates
per MedicationRequest"]
+ L41 -- ExpectedButAbsent --> L43["applyTemporaryStatusUpdates
set 'Tracking Temporarily Unavailable'"]
+ L41 -- NotExpected --> L44[Pass-through bundle]
+ L42 --> L45["lambdaResponse → headers + Bundle JSON"]
+ L43 --> L45
+ L44 --> L45
+ end
+
+ OC1 --> R
+ OC2 --> R
+ OC3 --> R
+ L23 --> P1
+ L30 --> S3
+ L45 --> R
+```
diff --git a/docs/pfp-path.md b/docs/pfp-path.md
new file mode 100644
index 000000000..1a55d6213
--- /dev/null
+++ b/docs/pfp-path.md
@@ -0,0 +1,31 @@
+# Broad API path
+
+```mermaid
+flowchart LR
+ subgraph Client
+ U[Patient-facing app]
+ A[NHS login P9
OAuth2 token exchange]
+ H[Required headers
Authorization: Bearer
X-Request-ID
X-Correlation-ID]
+ end
+
+ subgraph API["Prescriptions for Patients API"]
+ E[GET /Bundle]
+ end
+
+ subgraph Success["200 OK"]
+ B[Bundle
<=25 prescription collections]
+ C[Collection Bundle entries
MedicationRequest
Dispensing Organisation
Practitioner
PractitionerRole]
+ O[OperationOutcome entry
per excluded prescription]
+ end
+
+ subgraph Errors
+ X[4XX OperationOutcome
401 ACCESS_DENIED
408 timeout
429 throttled]
+ Y[500 OperationOutcome
SERVER_ERROR]
+ end
+
+ U --> A --> H --> E
+ E --> B --> C
+ B --> O
+ E --> X
+ E --> Y
+```