docs(07-audit-trail-and-download): create phase 7 plan

3 plans in 3 sequential waves: agent download token + API route (01),
UI wiring for download button + signedAt column (02), human verification
checkpoint (03). Covers SIGN-07 and LEGAL-03.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.planning/ROADMAP.md

@@ -137,9 +137,12 @@ Plans:
   1. Agent can download the signed PDF from the dashboard via an authenticated presigned URL (5-minute TTL)
   2. Signed PDFs are stored in a private local directory (not publicly accessible) — a direct or guessable URL returns an access error, not the file
   3. Document status in the dashboard updates correctly to "Signed" after a signing ceremony completes
-**Plans**: TBD
+**Plans**: 3 plans
 
-Plans: none yet
+Plans:
+- [ ] 07-01-PLAN.md — Agent download token utilities (createAgentDownloadToken/verifyAgentDownloadToken in token.ts) + GET /api/documents/[id]/download route with 5-min presigned JWT and path traversal guard
+- [ ] 07-02-PLAN.md — PreparePanel Signed-state panel with Download button, document detail page server-side token generation, DocumentsTable Date Signed column, dashboard signedAt select
+- [ ] 07-03-PLAN.md — Full Phase 7 human verification checkpoint (SIGN-07 + LEGAL-03)
 
 ## Progress
 
@@ -154,4 +157,4 @@ Phases execute in numeric order: 1 → 2 → 3 → 4 → 5 → 6 → 7
 | 4. PDF Ingest | 4/4 | Complete   | 2026-03-20 |
 | 5. PDF Fill and Field Mapping | 3/4 | In Progress|  |
 | 6. Signing Flow | 6/6 | Complete   | 2026-03-21 |
-| 7. Audit Trail and Download | 0/? | Not started | - |
+| 7. Audit Trail and Download | 0/3 | Not started | - |