@mmoyer-va mmoyer-va commented Dec 5, 2025

Summary

  • Updating the Medical Records auth policy to match Medications (minus CHAMPVA)
    • Currently MR is using a deprecated flow to check for eligibility
  • This work is behind a feature flag, mhv_medical_records_new_eligibility_check
  • We were previously looking at implementing a different eligibility check, but that work is no longer relevant, and I have removed all the references to it in the specs.
  • I am hoping that this might reduce the number of 403 responses we are seeing, though that may not happen. Either way, this change is a good idea.

Related issue(s)

Testing done

  • New code is covered by unit tests
  • This should have no visible change on the frontend, with the possible exception of reduced 403s.
  • Added tests to cover flag on/flag off scenarios, and updated some existing tests.
  • Dashboard and alerts will be monitored during rollout, and flag will be disabled immediately if any issues are noticed.

Screenshots

N/A

What areas of the site does it impact?

Medical Records authorization (eligibility to use MR APIs)

Acceptance criteria

  • I fixed|updated|added unit tests and integration tests for each feature (if applicable).
  • No error nor warning in the console.
  • Events are being sent to the appropriate logging solution
  • Documentation has been updated (link to documentation)
  • No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
  • Feature/bug has a monitor built into Datadog (if applicable)
  • If app impacted requires authentication, did you login to a local build and verify all authenticated routes work as expected
  • I added a screenshot of the developed feature

@va-vsp-bot

Error: A file (or its parent directories) does not have a CODEOWNERS entry. Please update the .github/CODEOWNERS file and add the entry for the Offending file: spec/policies/mhv_medical_records_policy_spec.rb


Copilot AI left a comment

Pull request overview

This PR modernizes the Medical Records authorization policy to align with the Medications/Prescriptions implementation pattern. The change replaces a deprecated SM user eligibility check with a simpler verification approach that only checks if a user is LOA3-verified and registered as a patient in MHV. The new logic is protected behind the mhv_medical_records_new_eligibility_check feature flag, with CHAMPVA eligibility explicitly excluded (unlike Prescriptions which allows it).

Key Changes:

  • Simplified authorization from external API call to local attribute checks (user.loa3? && mhv_user_account&.patient)
  • Removed error handling and logging for the deprecated eligibility check endpoint
  • Added comprehensive test coverage for both feature flag states

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| app/policies/mhv_medical_records_policy.rb | Simplified access check from SM eligibility API to local LOA3 and patient status verification; removed error handling for deprecated flow |
| spec/policies/mhv_medical_records_policy_spec.rb | New comprehensive policy spec testing both feature flag states, patient/CHAMPVA scenarios, and verification levels |
| spec/support/shared_examples_for_mr.rb | New shared examples testing authorization behavior with new eligibility check across different account types and patient statuses |
| modules/my_health/spec/requests/my_health/v1/medical_records/allergies_spec.rb | Added feature flag stub and included new shared examples; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/clinical_notes_spec.rb | Added feature flag stub and included new shared examples; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/conditions_spec.rb | Added feature flag stub and included new shared examples; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/labs_and_tests_spec.rb | Added feature flag stub and included new shared examples; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/vaccines_spec.rb | Added feature flag stub and included new shared examples; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/vitals_spec.rb | Added feature flag stub and included new shared examples; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/ccd_spec.rb | Added feature flag stub; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/imaging_spec.rb | Added feature flag stub; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/radiology_spec.rb | Added feature flag stub; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/self_entered_spec.rb | Added feature flag stub; removed deprecated VCR cassette references |
| modules/my_health/spec/requests/my_health/v1/medical_records/session_spec.rb | Added feature flag stub; removed deprecated VCR cassette setup/teardown |
| modules/my_health/spec/requests/my_health/v1/medical_records/health_records_spec.rb | Removed deprecated VCR cassette setup/teardown |
| spec/services/users/services_spec.rb | Removed deprecated VCR cassette references; added mhv_user_account stub for Premium user tests |
| spec/requests/v0/user_spec.rb | Removed deprecated VCR cassette references; added mhv_user_account stubs for proper test isolation |
| spec/lib/medical_records/client_spec.rb | Removed deprecated VCR cassette references that are no longer needed with simplified policy |
| config/features.yml | Updated feature flag description to reflect actual policy change rather than endpoint change |
| .github/CODEOWNERS | Added code ownership entries for new test files to appropriate teams |
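
The decision logic the review summary describes (flag on: `user.loa3? && mhv_user_account&.patient`; flag off: the deprecated remote check), as an added Ruby sketch that is not code from this pull request. The structs, the class, the `champva` attribute and the deny-on-error legacy path are assumptions made for illustration; the sample users are constructed.

```ruby
# Added illustration, not vets-api code. Every name here is hypothetical except
# loa3?, mhv_user_account, patient and the flag name, which the page gives.
User = Struct.new(:loa, :mhv_user_account, keyword_init: true) do
  def loa3?
    loa == 3
  end
end
MhvAccount = Struct.new(:patient, :champva, keyword_init: true)

class MedicalRecordsAccessSketch
  FLAG = :mhv_medical_records_new_eligibility_check
  # flags: Hash standing in for the feature-flag service.
  # legacy_check: callable standing in for the deprecated remote eligibility call.
  def initialize(user, flags:, legacy_check:)
    @user, @flags, @legacy_check = user, flags, legacy_check
  end

  def access?
    @flags.fetch(FLAG, false) ? local_check : legacy
  end

  private
  # Flag on: local attributes only. A nil account or nil patient must yield
  # false, not nil, and CHAMPVA status is deliberately never consulted.
  def local_check
    @user.loa3? && @user.mhv_user_account&.patient == true
  end

  # Flag off: this sketch assumes access is denied when the remote call fails.
  def legacy
    @legacy_check.call(@user) == true
  rescue StandardError
    false
  end
end

# Constructed sample users covering the cases the review summary names.
SAMPLE_USERS = {
  loa3_patient: User.new(loa: 3, mhv_user_account: MhvAccount.new(patient: true, champva: false)),
  loa3_champva_only: User.new(loa: 3, mhv_user_account: MhvAccount.new(patient: false, champva: true)),
  loa3_no_account: User.new(loa: 3, mhv_user_account: nil),
  loa1_patient: User.new(loa: 1, mhv_user_account: MhvAccount.new(patient: true, champva: false))
}.freeze

def decision_matrix(flag_on, legacy_check)
  flags = { MedicalRecordsAccessSketch::FLAG => flag_on }
  SAMPLE_USERS.transform_values { |u| MedicalRecordsAccessSketch.new(u, flags: flags, legacy_check: legacy_check).access? }
end
```

With the flag on, only the LOA3 patient is allowed, and the decision no longer depends on whether a remote service is reachable.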


@AMT98 AMT98 left a comment

🚀

@GovNapoleon GovNapoleon self-requested a review December 8, 2025 18:23
@mmoyer-va mmoyer-va marked this pull request as ready for review December 8, 2025 19:50
@mmoyer-va mmoyer-va requested review from a team as code owners December 8, 2025 19:50
@mmoyer-va mmoyer-va merged commit 6cc57b9 into master Dec 9, 2025
43 checks passed
@mmoyer-va mmoyer-va deleted the 116658-update-mr-auth-policy branch December 9, 2025 17:23