[ENG] Task Expose cst_letters_content_updates via authorized services

[JoshingYou1]

Feature

benefit-letters

Specify Feature (if "Other")

no response

Team

bmt-team-2 (Bee's Knees)

Specify Team (if "Other")

no response

Discipline

Engineering

Issue Type

Task

Summary

Send the cst_letters_content_updates state to the mobile client through /mobile/v0/user/authorized-services as cstLettersContentUpdates. Flag registration lives in Phase 2 (#140006); this ticket is auth-services exposure only.

Description / Context

This is Phase 3 of the initiative. After it ships, mobile can read authServices.cstLettersContentUpdates — it will return false for everyone until the flag is turned on, but the shape of the response is set, so Phase 7 (mobile FE) can start using it right away.

Scope

Add to Mobile::V0::UserAccessibleServices#service_auth_map (modules/mobile/app/models/mobile/v0/user_accessible_services.rb):

cstLettersContentUpdates: Flipper.enabled?(:cst_letters_content_updates, @user)

The actor must be @user (NOT icn_actor) so the same user always lands in the same bucket across mobile and web.

This follows the same pattern as secureMessagingOracleHealthEnabled on line 52 of the same file — plain Flipper check, @user actor, no ICN check (structured content doesn't need an ICN to show up).

Out of scope

• No changes to Mobile::V0::LettersController or the letters response (Phase 4).
• No description field added to the response yet (Phase 5).
• No vets-website changes — web has no server-side work; the service-level flag check in Phase 2 handles it.
• No frontend code uses the flag yet (Phase 6, Phase 7).

Risks / Dependencies

• No runtime risk. Adding an off-by-default flag's state to the response can't change user-visible behavior until the flag is turned on.
• Blocked by Phase 2 ([ENG] [BE] Task Register cst_letters_content_updates flag and add shared benefit-letter content module #140006) — the flag must be registered in config/features.yml before this references it.
• Lets Phase 7 (mobile FE) start right away using authServices?.cstLettersContentUpdates checks.

Design Details (if applicable)

no response

Accessibility Considerations (if applicable)

no response

Acceptance Criteria / Definition of Done

• Mobile::V0::UserAccessibleServices#service_auth_map includes cstLettersContentUpdates: Flipper.enabled?(:cst_letters_content_updates, @user) using @user (not icn_actor).
• Add/update unit and request tests covering cstLettersContentUpdates in both flag-on and flag-off states (follow the cstMultiClaimProvider pattern as a reference).
• modules/mobile/spec/support/schemas/authorized_services.json includes the new key.

Links & Resources

• Files touched:
  • modules/mobile/app/models/mobile/v0/user_accessible_services.rb
  • modules/mobile/spec/models/user_accessible_services_spec.rb
  • modules/mobile/spec/requests/mobile/v0/user/authorized_services_spec.rb
  • modules/mobile/spec/support/schemas/authorized_services.json
• Pattern to follow: secureMessagingOracleHealthEnabled at user_accessible_services.rb:52.
• Blocked by: Phase 2 — [ENG] [BE] Task Register cst_letters_content_updates flag and add shared benefit-letter content module #140006
• Predecessor in sequence: Phase 1 — [ENG] [Mobile] Task Add cstLettersContentUpdates Remote Config flag to va-mobile-app #140076
• Unblocks: Phase 4 (mobile letters content gating), Phase 7 (mobile FE consumption).
• Parent epic: Content Updates to improve VA Benefits Letters & Documents #137195