From 6775cc76ebb258be8b058cacb6410d6a0baf899e Mon Sep 17 00:00:00 2001
From: Chandler Copeland <ccopeland@motivhealth.com>
Date: Sat, 21 Mar 2026 10:53:56 -0600
Subject: [PATCH] fix(07-04): restrict /file route to original PDF only
 (LEGAL-03)

- Remove signedFilePath fallback from /file route
- Route now always serves doc.filePath (unsigned original)
- Signed PDF exclusively available via presigned /download?adt=[token]
---
 .../src/app/api/documents/[id]/file/route.ts                  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/teressa-copeland-homes/src/app/api/documents/[id]/file/route.ts b/teressa-copeland-homes/src/app/api/documents/[id]/file/route.ts
index c33b1ce..b591e77 100644
--- a/teressa-copeland-homes/src/app/api/documents/[id]/file/route.ts
+++ b/teressa-copeland-homes/src/app/api/documents/[id]/file/route.ts
@@ -21,8 +21,8 @@ export async function GET(
   });
   if (!doc || !doc.filePath) return new Response('Not found', { status: 404 });
 
-  // Serve signed PDF for completed documents, original otherwise
-  const relativePath = doc.signedFilePath ?? doc.filePath;
+  // Serve the original unsigned PDF only — see LEGAL-03
+  const relativePath = doc.filePath;
   const filePath = path.join(UPLOADS_BASE, relativePath);
 
   // Path traversal guard — critical security check