Phase: 7 of 7 (Audit Trail and Download) — COMPLETE (all 4 plans done)
Plan: 07-04 (4 of 4 plans) — LEGAL-03 gap closure — /file route restricted to original PDF, PdfViewer Download anchor hidden for Signed
Status: All plans complete. LEGAL-03 fully satisfied: /file route serves original PDF only, presigned /download?adt=[token] is sole signed PDF download path.
Last activity: 2026-03-21 — Phase 7 Plan 04: LEGAL-03 gap closure complete, all 28 plans done
- [Phase 02-marketing-site]: CSS hover classes in server components — onMouseEnter/onMouseLeave not valid in server component props; use className with style blocks instead
- [Phase 02-marketing-site]: lucide-react installed for marketing site icons (Home, Menu, X, ChevronLeft, ChevronRight)
- [Phase 02-marketing-site 02-02]: nodemailer pinned to ^7.0.7 — v8 conflicts with next-auth@5.0.0-beta.30 peerOptional dep
- [Phase 02-marketing-site 02-02]: useActionState imported from 'react' not 'react-dom' — React 19 canonical API (useFormState removed in React 19)
- [Phase 02-marketing-site 02-02]: Honeypot silent success pattern — bots receive status:success without email sent, preventing bot discovery of rejection
- [Phase 03-agent-portal-shell]: documentStatusEnum exported before documents table in schema.ts — pgEnum must precede referencing table or drizzle-kit may omit CREATE TYPE from migration
- [Phase 03-agent-portal-shell]: Portal route protection: add new prefix to both middleware.ts matcher array AND auth.config.ts authorized callback isPortalRoute check — mirrors existing /agent pattern
- [Phase 03-agent-portal-shell]: Post-login redirect changed from /agent/dashboard to /portal/dashboard — agent portal lives at /portal prefix going forward
- [Phase 03-agent-portal-shell]: Zod v4 uses .issues not .errors for ZodError — updated plan-specified .errors[0].message to .issues[0].message in client server actions
- [Phase 03-agent-portal-shell]: updateClient uses bind pattern (id pre-bound) so useActionState passes prevState + formData as remaining args — caller does updateClient.bind(null, clientId)
- [Phase 03-agent-portal-shell]: PortalNav is a client component (usePathname requires use client); active link state driven by pathname.startsWith(href) with gold border-b-2 underline
- [Phase 03-agent-portal-shell]: DashboardFilters extracted to separate file — use client directive must be at file top in Next.js, cannot be inlined inside server component file
- [Phase 03-agent-portal-shell]: ClientsPageClient extracted to _components/ClientsPageClient.tsx for cleaner server/client split following project convention
- [Phase 03-agent-portal-shell]: Seed script requires DOTENV_CONFIG_PATH=.env.local — dotenv/config reads .env by default but project uses .env.local
- [Phase 03-agent-portal-shell 03-04]: ClientProfileClient extracted to _components/ClientProfileClient.tsx (not inlined) — consistent with project convention for client sub-components
- [Phase 03-agent-portal-shell 03-04]: deleteClient called directly from async event handler in client component — Next.js 15+ supports calling server actions as async functions without form wrappers
- [Phase 03-agent-portal-shell 03-04]: ConfirmDialog message constructed with client name inline — reusable with title + message string props, no JSX message needed
- [Phase 04-pdf-ingest 04-04]: Phase 4 declared complete after human agent verified all 7 browser verification steps pass — forms library, modal, PDF render, file storage, and auth guards confirmed working
- [Phase 05-pdf-fill-and-field-mapping 05-01]: @cantoo/pdf-lib used instead of pdf-lib — packages conflict; @cantoo is the maintained fork with same API
- [Phase 05-pdf-fill-and-field-mapping 05-01]: signatureFields and textFillData stored as JSONB in documents table — flexible schema for field arrays and key/value maps without additional tables
- [Phase 05-pdf-fill-and-field-mapping 05-01]: Atomic write (tmp → rename) for prepared PDFs — prevents corrupting source PDF on partial write failure
- [Phase 05-pdf-fill-and-field-mapping 05-01]: form.flatten() called BEFORE drawing signature rectangles — required order; if reversed, AcroForm overlay obscures drawn rectangles
- [Phase 05-pdf-fill-and-field-mapping 05-01]: jest + ts-jest chosen for unit tests — straightforward TypeScript test support without ESM complications for coordinate formula tests
- [Phase 05-pdf-fill-and-field-mapping 05-01]: Y-flip formula pdfY = ((renderedH - screenY) / renderedH) * originalHeight is scale-invariant — verified at 1:1 and 50% zoom in test suite
- [Phase 05-pdf-fill-and-field-mapping 05-02]: DragOverlay used for ghost rendering — avoids transform-based dragging which breaks coordinate math relative to droppable container
- [Phase 05-pdf-fill-and-field-mapping 05-02]: containerRef.getBoundingClientRect() called at drop time (not stale pageInfo.width) — captures current rendered size after zoom changes
- [Phase 05-pdf-fill-and-field-mapping 05-02]: activatorEvent + delta pattern for final drop coordinates — activatorEvent gives client position at drag start, delta gives displacement
- [Phase 05-pdf-fill-and-field-mapping 05-02]: top: top - heightPx on overlay divs — pdfToScreenCoords returns y of bottom-left corner; must shift up by field height for DOM top-left origin
- [Phase 06-signing-flow]: SigningPageClientWrapper uses dynamic import (ssr:false) — react-pdf requires browser APIs that cannot run server-side
- [Phase 06-signing-flow]: PDF served via /api/sign/[token]/pdf (token-authenticated) not /api/documents/[id]/file (agent-authenticated) — signing page is public
- [Phase 06-signing-flow 06-04]: signedFields changed from Set<string> to Map<string,string> (fieldId->dataURL) to support signature preview image in signed overlays
- [Phase 06-signing-flow 06-04]: POST /api/sign/[token] atomic claim via Drizzle UPDATE...WHERE isNull(usedAt).returning() — 0 rows = 409, PDF never written on race condition
- [Phase 06-signing-flow 06-04]: /sign/[token]/confirmed is static server component — token already used at this point, no re-validation needed
- [Phase 06-signing-flow 06-04]: sendAgentNotificationEmail is fire-and-forget via .then().catch() — email failure must never prevent the signing confirmation from reaching the client
- [Phase 06-signing-flow 06-05]: Download token uses purpose:'download' claim with same SIGNING_JWT_SECRET — no DB record needed for 15-min ephemeral download authorization
- [Phase 06-signing-flow 06-05]: Buffer cast to Uint8Array for Response constructor BodyInit compatibility in Next.js 16 TypeScript strict mode
- [Phase 06-signing-flow 06-05]: router.push replaces window.location.href for confirmed page navigation — SPA navigation consistent with Next.js App Router patterns
- [Phase 07-audit-trail-and-download]: Agent download token uses same SIGNING_JWT_SECRET with purpose:'agent-download' claim; 5-min TTL; no DB record needed for ephemeral presigned download authorization
- [Phase 07-audit-trail-and-download]: Token documentId vs route [id] cross-check added as defense-in-depth: valid token for doc A cannot download doc B (403)
- [Phase 07-audit-trail-and-download 07-02]: agentDownloadUrl generated in server component (page.tsx) not in PreparePanel — PreparePanel is 'use client' and cannot call createAgentDownloadToken (server-only)
- [Phase 07-audit-trail-and-download 07-02]: Download button is a plain anchor tag — browser follows href directly, Content-Disposition:attachment header in API route drives save dialog
- [Phase 07-audit-trail-and-download 07-02]: signedAt added to both dashboard and client profile queries — all document tables show consistent Date Signed column
- [Phase 07-audit-trail-and-download 07-03]: Phase 7 declared complete after human confirmation of all 4 browser verification criteria — SIGN-07 and LEGAL-03 verified working end-to-end in live browser
- [Phase 07-audit-trail-and-download]: /file route reads doc.filePath only — signedFilePath fallback removed per LEGAL-03; presigned /download?adt=[token] is sole signed PDF download path
- [Phase 07-audit-trail-and-download]: PdfViewer Download anchor wrapped in {docStatus \!== 'Signed' && ...} — toolbar download hidden for Signed docs, PDF still loads via /file for in-browser display
