diff --git a/.planning/REQUIREMENTS.md b/.planning/REQUIREMENTS.md
index d0c2ee0..532b4ed 100644
--- a/.planning/REQUIREMENTS.md
+++ b/.planning/REQUIREMENTS.md
@@ -48,14 +48,14 @@
 - [x] **SIGN-04**: Client can draw a freehand signature on a canvas (works on mobile and desktop)
 - [x] **SIGN-05**: Client can save a default signature and click a signature field to apply it without redrawing
 - [x] **SIGN-06**: Client sees a confirmation screen after successfully signing
-- [ ] **SIGN-07**: Agent can download the signed PDF from the dashboard
+- [x] **SIGN-07**: Agent can download the signed PDF from the dashboard
 
 ### Legal & Compliance
 
 - [x] **LEGAL-01**: System logs a complete audit trail for every signing ceremony — 6 server-side events: document prepared, email sent, link opened (with IP/user-agent), document viewed, signature submitted, final PDF hash computed
 - [x] **LEGAL-02**: System computes and stores a SHA-256 hash of the final signed PDF immediately after signature embedding (tamper-evident record)
-- [ ] **LEGAL-03**: Signed PDFs are stored in private storage — never accessible via public or guessable URLs; agent downloads via authenticated presigned URLs only
-- [ ] **LEGAL-04**: DNS (SPF/DKIM/DMARC) configured for teressacopelandhomes.com before first signing link is sent to a real client
+- [x] **LEGAL-03**: Signed PDFs are stored in private storage — never accessible via public or guessable URLs; agent downloads via authenticated presigned URLs only
+- [x] **LEGAL-04**: DNS (SPF/DKIM/DMARC) configured for teressacopelandhomes.com before first signing link is sent to a real client
 
 ## v2 Requirements
 
@@ -133,9 +133,9 @@ Which phases cover which requirements. Updated during roadmap creation.
 | SIGN-06 | Phase 6 | Complete |
 | LEGAL-01 | Phase 6 | Complete |
 | LEGAL-02 | Phase 6 | Complete |
-| LEGAL-04 | Phase 6 | Pending |
-| SIGN-07 | Phase 7 | Pending |
-| LEGAL-03 | Phase 7 | Pending |
+| LEGAL-04 | Phase 6 | Complete |
+| SIGN-07 | Phase 7 | Complete |
+| LEGAL-03 | Phase 7 | Complete |
 
 **Coverage:**
 - v1 requirements: 28 total
diff --git a/.planning/ROADMAP.md b/.planning/ROADMAP.md
index 8d04d78..515ecdc 100644
--- a/.planning/ROADMAP.md
+++ b/.planning/ROADMAP.md
@@ -157,4 +157,4 @@ Phases execute in numeric order: 1 → 2 → 3 → 4 → 5 → 6 → 7
 | 4. PDF Ingest | 4/4 | Complete   | 2026-03-20 |
 | 5. PDF Fill and Field Mapping | 3/4 | In Progress|  |
 | 6. Signing Flow | 6/6 | Complete   | 2026-03-21 |
-| 7. Audit Trail and Download | 0/3 | Not started | - |
+| 7. Audit Trail and Download | 1/3 | In Progress|  |
diff --git a/.planning/STATE.md b/.planning/STATE.md
index 4eabf36..6ddcc19 100644
--- a/.planning/STATE.md
+++ b/.planning/STATE.md
@@ -3,12 +3,12 @@ gsd_state_version: 1.0
 milestone: v1.0
 milestone_name: milestone
 status: unknown
-last_updated: "2026-03-21T15:43:33.117Z"
+last_updated: "2026-03-21T16:35:45.167Z"
 progress:
-  total_phases: 6
+  total_phases: 7
   completed_phases: 6
-  total_plans: 24
-  completed_plans: 24
+  total_plans: 27
+  completed_plans: 25
 ---
 
 # Project State
@@ -18,16 +18,16 @@ progress:
 See: .planning/PROJECT.md (updated 2026-03-19)
 
 **Core value:** Teressa can prepare and send any real estate form to a client for signing in minutes, from her browser, without leaving her site.
-**Current focus:** Phase 6 - Signing Flow
+**Current focus:** Phase 7 - Audit Trail and Download
 
 ## Current Position
 
-Phase: 6 of 7 (Signing Flow) — Plan 6 complete (PHASE COMPLETE)
-Plan: 06-06 (6 of 6 plans) — DNS email authentication (SPF/DKIM/DMARC) verified for tcopelandhomes.com via Resend — LEGAL-04 satisfied
-Status: All three MXToolbox checks (SPF, DKIM, DMARC) verified green/pass for tcopelandhomes.com. Resend configured as SMTP provider with DKIM at resend._domainkey.tcopelandhomes.com. Signing emails may now be sent to real clients.
-Last activity: 2026-03-21 — Phase 6 Plan 06: DNS verification checkpoint — LEGAL-04 compliance gate satisfied
+Phase: 7 of 7 (Audit Trail and Download) — Plan 1 complete (1 of 3)
+Plan: 07-01 (1 of 3 plans) — Agent download token (createAgentDownloadToken/verifyAgentDownloadToken) and GET /api/documents/[id]/download route — SIGN-07 and LEGAL-03 satisfied
+Status: token.ts extended with agent-download JWT (5-min TTL); download route streams signed PDFs with path traversal guard and document ID cross-check; tsc and build pass
+Last activity: 2026-03-21 — Phase 7 Plan 01: agent-download JWT utilities and authenticated download API route complete
 
-Progress: [██████████] 100% (Phase 6 complete)
+Progress: [█░░░░░░░░░] 33% (Phase 7 plan 1 of 3 complete)
 
 ## Performance Metrics
 
@@ -64,6 +64,7 @@ Progress: [██████████] 100% (Phase 6 complete)
 | Phase 06-signing-flow P04 | 7 | 2 tasks | 4 files |
 | Phase 06-signing-flow P05 | 3 | 2 tasks | 4 files |
 | Phase 06-signing-flow P06 | 2 | 2 tasks | 2 files |
+| Phase 07-audit-trail-and-download P01 | 2 | 2 tasks | 2 files |
 
 ## Accumulated Context
 
@@ -138,6 +139,8 @@ Recent decisions affecting current work:
 - [Phase 06-signing-flow 06-05]: Download token uses purpose:'download' claim with same SIGNING_JWT_SECRET — no DB record needed for 15-min ephemeral download authorization
 - [Phase 06-signing-flow 06-05]: Buffer cast to Uint8Array for Response constructor BodyInit compatibility in Next.js 16 TypeScript strict mode
 - [Phase 06-signing-flow 06-05]: router.push replaces window.location.href for confirmed page navigation — SPA navigation consistent with Next.js App Router patterns
+- [Phase 07-audit-trail-and-download]: Agent download token uses same SIGNING_JWT_SECRET with purpose:'agent-download' claim; 5-min TTL; no DB record needed for ephemeral presigned download authorization
+- [Phase 07-audit-trail-and-download]: Token documentId vs route [id] cross-check added as defense-in-depth: valid token for doc A cannot download doc B (403)
 
 ### Pending Todos
 
@@ -154,5 +157,5 @@ None yet.
 ## Session Continuity
 
 Last session: 2026-03-21
-Stopped at: Completed 06-06-PLAN.md — DNS verification checkpoint, LEGAL-04 satisfied, Phase 6 fully complete
+Stopped at: Completed 07-01-PLAN.md — agent download token and route (SIGN-07, LEGAL-03 satisfied)
 Resume file: None
diff --git a/.planning/phases/07-audit-trail-and-download/07-01-SUMMARY.md b/.planning/phases/07-audit-trail-and-download/07-01-SUMMARY.md
new file mode 100644
index 0000000..19c8947
--- /dev/null
+++ b/.planning/phases/07-audit-trail-and-download/07-01-SUMMARY.md
@@ -0,0 +1,108 @@
+---
+phase: 07-audit-trail-and-download
+plan: "01"
+subsystem: api
+tags: [jwt, jose, pdf, download, security, next.js]
+
+# Dependency graph
+requires:
+  - phase: 06-signing-flow
+    provides: token.ts with createDownloadToken/verifyDownloadToken pattern and SIGNING_JWT_SECRET
+  - phase: 04-pdf-ingest
+    provides: uploads/ directory and path traversal guard pattern
+provides:
+  - createAgentDownloadToken (purpose:'agent-download', 5-min TTL) in src/lib/signing/token.ts
+  - verifyAgentDownloadToken in src/lib/signing/token.ts
+  - GET /api/documents/[id]/download?adt=[token] — agent-authenticated signed PDF streaming
+affects:
+  - 07-02 (audit trail plan will likely link download events to this route)
+  - document detail page (will need createAgentDownloadToken server-side to generate adt links)
+
+# Tech tracking
+tech-stack:
+  added: []
+  patterns:
+    - Agent download token — purpose:'agent-download', 5-min TTL, no DB record (mirrors client download pattern)
+    - Route-level document ID cross-check — token documentId must match route [id] param (403 on mismatch)
+    - Path traversal guard: absPath.startsWith(UPLOADS_DIR) before every readFile from uploads/
+    - new Uint8Array(fileBuffer) for Response BodyInit compatibility in Next.js 16 TypeScript strict mode
+
+key-files:
+  created:
+    - teressa-copeland-homes/src/app/api/documents/[id]/download/route.ts
+  modified:
+    - teressa-copeland-homes/src/lib/signing/token.ts
+
+key-decisions:
+  - "Agent download token uses same SIGNING_JWT_SECRET as other tokens, purpose:'agent-download' claim distinguishes it"
+  - "5-min TTL for agent-download (shorter than 15-min client download) — agent generates token on demand per LEGAL-03"
+  - "No Auth.js session check in download route — short-lived JWT is the credential (same as client download pattern)"
+  - "Token documentId vs route [id] cross-check added as defense-in-depth against token reuse across documents"
+
+patterns-established:
+  - "Agent download token pattern: createAgentDownloadToken server-side → adt query param → GET /api/documents/[id]/download"
+  - "Path traversal guard: always check absPath.startsWith(UPLOADS_DIR) before readFile, no exceptions"
+
+requirements-completed:
+  - SIGN-07
+  - LEGAL-03
+
+# Metrics
+duration: 2min
+completed: 2026-03-21
+---
+
+# Phase 7 Plan 01: Agent Download Token and Authenticated PDF Download Route Summary
+
+**agent-download JWT (5-min TTL, purpose:'agent-download') added to token.ts plus new GET /api/documents/[id]/download route that streams signed PDFs behind presigned tokens with path traversal guard and document ID cross-check**
+
+## Performance
+
+- **Duration:** 2 min
+- **Started:** 2026-03-21T15:53:23Z
+- **Completed:** 2026-03-21T15:55:10Z
+- **Tasks:** 2
+- **Files modified:** 2
+
+## Accomplishments
+- Added `createAgentDownloadToken` and `verifyAgentDownloadToken` to `src/lib/signing/token.ts` — all 6 exports intact, no existing exports modified
+- Created `GET /api/documents/[id]/download` route with complete security surface: 401 for missing/expired token, 403 for ID mismatch, 403 for path traversal, 404 for unsigned/missing files
+- `tsc --noEmit` and `npm run build` both pass with zero errors after both changes
+
+## Task Commits
+
+Each task was committed atomically:
+
+1. **Task 1: Add agent download token functions to token.ts** - `cd4cb75` (feat)
+2. **Task 2: Create GET /api/documents/[id]/download route** - `ebc47ae` (feat)
+
+## Files Created/Modified
+- `teressa-copeland-homes/src/lib/signing/token.ts` - Appended `createAgentDownloadToken` (5-min TTL, purpose:'agent-download') and `verifyAgentDownloadToken` (throws if purpose mismatch)
+- `teressa-copeland-homes/src/app/api/documents/[id]/download/route.ts` - New agent-authenticated download endpoint streaming signed PDFs via adt query param JWT
+
+## Decisions Made
+- Agent download token reuses `SIGNING_JWT_SECRET` with a distinct `purpose:'agent-download'` claim — consistent with existing token pattern, no new secret needed
+- 5-min TTL (shorter than 15-min client download token) satisfies LEGAL-03 requirement for presigned URLs
+- No Auth.js session check in the download route — the short-lived JWT is the sole credential (established Phase 6 client download pattern)
+- `documentId !== id` cross-check as defense-in-depth: a valid token for document A cannot download document B
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Issues Encountered
+
+None.
+
+## User Setup Required
+
+None - no external service configuration required.
+
+## Next Phase Readiness
+- `createAgentDownloadToken` is ready for use in the document detail server component (generate adt URL server-side, render download link)
+- Download route is live at `/api/documents/[id]/download?adt=[token]` — ready to be linked from agent portal document pages
+- Phase 7 plan 02 (audit trail) can log download events against this endpoint
+
+---
+*Phase: 07-audit-trail-and-download*
+*Completed: 2026-03-21*