docs(06-02): complete email delivery layer plan

- Add 06-02-SUMMARY.md: SigningRequestEmail, signing-mailer, send route, prepare audit log
- Update STATE.md: Plan 2 complete, decisions logged, session updated
- Update ROADMAP.md: Phase 6 plan progress (2 of 5 summaries)
- Mark SIGN-01 complete in REQUIREMENTS.md

.planning/REQUIREMENTS.md

@@ -42,7 +42,7 @@
 
 ### Signing Flow
 
-- [ ] **SIGN-01**: Client receives an email with a unique link to sign the document (no account required)
+- [x] **SIGN-01**: Client receives an email with a unique link to sign the document (no account required)
 - [x] **SIGN-02**: Signing link expires after 72 hours and can only be used once
 - [ ] **SIGN-03**: Client opens the link in any browser and sees the prepared PDF with signature fields highlighted
 - [ ] **SIGN-04**: Client can draw a freehand signature on a canvas (works on mobile and desktop)
@@ -125,7 +125,7 @@ Which phases cover which requirements. Updated during roadmap creation.
 | DOC-04 | Phase 5 | Complete |
 | DOC-05 | Phase 5 | Complete |
 | DOC-06 | Phase 5 | Complete |
-| SIGN-01 | Phase 6 | Pending |
+| SIGN-01 | Phase 6 | Complete |
 | SIGN-02 | Phase 6 | Complete |
 | SIGN-03 | Phase 6 | Pending |
 | SIGN-04 | Phase 6 | Pending |

.planning/ROADMAP.md

@@ -153,5 +153,5 @@ Phases execute in numeric order: 1 → 2 → 3 → 4 → 5 → 6 → 7
 | 3. Agent Portal Shell | 4/4 | Complete   | 2026-03-19 |
 | 4. PDF Ingest | 4/4 | Complete   | 2026-03-20 |
 | 5. PDF Fill and Field Mapping | 3/4 | In Progress|  |
-| 6. Signing Flow | 1/6 | In Progress | - |
+| 6. Signing Flow | 2/6 | In Progress|  |
 | 7. Audit Trail and Download | 0/? | Not started | - |

.planning/STATE.md

@@ -3,12 +3,12 @@ gsd_state_version: 1.0
 milestone: v1.0
 milestone_name: milestone
 status: unknown
-last_updated: "2026-03-20T17:25:09Z"
+last_updated: "2026-03-20T17:30:55.130Z"
 progress:
-  total_phases: 7
+  total_phases: 6
   completed_phases: 5
-  total_plans: 23
-  completed_plans: 19
+  total_plans: 24
+  completed_plans: 20
 ---
 
 # Project State
@@ -22,12 +22,12 @@ See: .planning/PROJECT.md (updated 2026-03-19)
 
 ## Current Position
 
-Phase: 6 of 7 (Signing Flow) — Plan 1 complete
-Plan: 06-01 (1 of 5 plans) — cryptographic foundation, DB tables, utility library
-Status: signingTokens + auditEvents tables in PostgreSQL, documents extended with signedFilePath/pdfHash/signedAt, createSigningToken/verifySigningToken/logAuditEvent/embedSignatureInPdf utilities compiled and committed, npm run build passes cleanly.
-Last activity: 2026-03-20 — Phase 6 Plan 01: signing foundation (DB + JWT + audit + PDF embed utilities)
+Phase: 6 of 7 (Signing Flow) — Plan 2 complete
+Plan: 06-02 (2 of 5 plans) — email delivery layer, signing request email, send API route
+Status: SigningRequestEmail.tsx + signing-mailer.tsx created, POST /api/documents/[id]/send live, document_prepared audit log wired in prepare route, npm run build passes cleanly.
+Last activity: 2026-03-20 — Phase 6 Plan 02: email delivery layer (React Email + nodemailer + send route)
 
-Progress: [████████░░] 83%
+Progress: [████████░░] 87%
 
 ## Performance Metrics
 
@@ -59,6 +59,7 @@ Progress: [████████░░] 83%
 | Phase 05-pdf-fill-and-field-mapping P02 | 1 | 2 tasks | 2 files |
 | Phase 05-pdf-fill-and-field-mapping P03 | 3 | 2 tasks | 4 files |
 | Phase 06-signing-flow P01 | 2 | 2 tasks | 8 files |
+| Phase 06-signing-flow P02 | 2 | 2 tasks | 4 files |
 
 ## Accumulated Context
 
@@ -121,6 +122,9 @@ Recent decisions affecting current work:
 - [Phase 06-signing-flow 06-01]: Signing utilities live in src/lib/signing/ — server-only, never import from client components
 - [Phase 06-signing-flow 06-01]: JWT jti stored in signingTokens table on createSigningToken — enables one-time-use enforcement in later plans
 - [Phase 06-signing-flow 06-01]: SHA-256 hash computed from disk after atomic rename — never from in-memory bytes (LEGAL-02)
+- [Phase 06-signing-flow]: Sender address hardcoded as teressa@teressacopelandhomes.com — matches brand identity requirement in CONTEXT.md
+- [Phase 06-signing-flow]: sendMail failure triggers 502 without DB status update — document stays in current state if email delivery fails
+- [Phase 06-signing-flow]: Status update in send/route.ts guarded by status=Draft — prevents downgrading Sent/Signed documents
 
 ### Pending Todos
 
@@ -137,5 +141,5 @@ None yet.
 ## Session Continuity
 
 Last session: 2026-03-20
-Stopped at: Completed 06-01-PLAN.md — signing foundation DB tables, JWT utilities, audit log, PDF embed with SHA-256
+Stopped at: Completed 06-02-PLAN.md — branded email component, signing mailer, send API route, document_prepared audit logging
 Resume file: None

.planning/phases/06-signing-flow/06-02-SUMMARY.md

@@ -0,0 +1,113 @@
+---
+phase: 06-signing-flow
+plan: "02"
+subsystem: email-delivery
+tags: [react-email, nodemailer, smtp, signing, audit, email]
+
+# Dependency graph
+requires:
+  - phase: 06-signing-flow
+    plan: "01"
+    provides: createSigningToken(), logAuditEvent(), signingTokens + auditEvents tables
+
+provides:
+  - SigningRequestEmail React Email component (navy/gold brand, CTA button, expiry notice)
+  - sendSigningRequestEmail() — renders HTML email and delivers via SMTP
+  - sendAgentNotificationEmail() — plain-text notification to agent on signing completion
+  - POST /api/documents/[id]/send — token creation, email delivery, email_sent audit, status update
+  - document_prepared audit event logged in POST /api/documents/[id]/prepare
+
+affects: [06-03, 06-04, 06-05]
+
+# Tech tracking
+tech-stack:
+  added: []
+  patterns:
+    - React Email render() + nodemailer sendMail() for HTML email delivery
+    - sendMail wrapped in try/catch — 502 returned without DB update on email failure
+    - Reuse CONTACT_SMTP_* env vars for signing emails (same SMTP provider)
+
+key-files:
+  created:
+    - teressa-copeland-homes/src/emails/SigningRequestEmail.tsx
+    - teressa-copeland-homes/src/lib/signing/signing-mailer.tsx
+    - teressa-copeland-homes/src/app/api/documents/[id]/send/route.ts
+  modified:
+    - teressa-copeland-homes/src/app/api/documents/[id]/prepare/route.ts
+
+key-decisions:
+  - "Sender address hardcoded as teressa@teressacopelandhomes.com — matches brand identity requirement in CONTEXT.md"
+  - "sendMail error triggers 502 without DB status update — document stays in Draft if email fails, preventing silent failures"
+  - "Status update in send/route.ts only when status=Draft — avoids downgrading Sent back to Sent (no-op) and never touches Signed documents"
+  - "logAuditEvent(document_prepared) placed after db.update .returning() in prepare route — ensures it only fires on success"
+
+requirements-completed: [SIGN-01, LEGAL-01]
+
+# Metrics
+duration: 2min
+completed: 2026-03-20
+---
+
+# Phase 6 Plan 02: Email Delivery Layer Summary
+
+**Branded React Email signing request template, nodemailer SMTP mailer utilities, and POST /api/documents/[id]/send endpoint that creates a JWT signing token, sends the email, logs email_sent audit event, and updates document status**
+
+## Performance
+
+- **Duration:** 2 min
+- **Started:** 2026-03-20T17:28:17Z
+- **Completed:** 2026-03-20T17:30:01Z
+- **Tasks:** 2
+- **Files modified:** 4
+
+## Accomplishments
+
+- SigningRequestEmail.tsx created with navy/gold brand colors, document name, expiry date, and "Review & Sign" CTA button
+- signing-mailer.tsx exports sendSigningRequestEmail() and sendAgentNotificationEmail()
+- POST /api/documents/[id]/send creates signing token, sends branded email, logs email_sent, updates status to Sent
+- prepare/route.ts now logs document_prepared audit event after successful PDF preparation
+- npm run build passes cleanly
+
+## Task Commits
+
+Each task was committed atomically:
+
+1. **Task 1: Branded signing request email + mailer** - `f41db49` (feat)
+2. **Task 2: Send API route + document_prepared audit logging** - `877ad66` (feat)
+
+**Plan metadata:** (docs commit — see below)
+
+## Files Created/Modified
+
+- `teressa-copeland-homes/src/emails/SigningRequestEmail.tsx` - React Email component: navy header, gold CTA button, document name, expiry date, "No account needed" instruction
+- `teressa-copeland-homes/src/lib/signing/signing-mailer.tsx` - sendSigningRequestEmail() renders HTML via @react-email/render and sends via nodemailer; sendAgentNotificationEmail() sends plain-text notification to agent
+- `teressa-copeland-homes/src/app/api/documents/[id]/send/route.ts` - POST handler: auth guard, token creation, email delivery, email_sent audit log, status update to Sent
+- `teressa-copeland-homes/src/app/api/documents/[id]/prepare/route.ts` - Added logAuditEvent import and document_prepared event log after db.update success
+
+## Decisions Made
+
+- Sender address hardcoded as `teressa@teressacopelandhomes.com` — matches brand identity requirement locked in CONTEXT.md
+- sendMail failure triggers 502 response without updating DB status — document stays in current state if email delivery fails, preventing silent failures where the client never receives a link but the status shows Sent
+- Status update guarded by `if (doc.status === 'Draft')` — prevents no-op double-Sent writes and never downgrades Signed documents
+- `logAuditEvent(document_prepared)` placed after `.returning()` in prepare route — ensures the audit event only fires when the DB update succeeds
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Issues Encountered
+
+None.
+
+## Next Phase Readiness
+
+Email delivery layer complete:
+- sendSigningRequestEmail() and sendAgentNotificationEmail() exported from signing-mailer.tsx
+- POST /api/documents/[id]/send live and returning 401 for unauthenticated requests
+- document_prepared audit logging wired in prepare route
+- Plan 06-03 (sign page) can import sendAgentNotificationEmail from signing-mailer.tsx
+- Plan 06-04 (sign API) can call sendAgentNotificationEmail after signature submission
+
+---
+*Phase: 06-signing-flow*
+*Completed: 2026-03-20*