feat(11-01): DB migration and API routes for agent signature storage

- Add agentSignatureData TEXT column to users table in schema.ts
- Generate migration 0008_windy_cloak.sql (ALTER TABLE users ADD COLUMN agent_signature_data text)
- Apply migration to local postgres database
- Create GET/PUT /api/agent/signature route with auth guard and input validation

teressa-copeland-homes/src/app/api/agent/signature/route.ts

@@ -0,0 +1,36 @@
+import { auth } from '@/lib/auth';
+import { db } from '@/lib/db';
+import { users } from '@/lib/db/schema';
+import { eq } from 'drizzle-orm';
+
+export async function GET() {
+  const session = await auth();
+  if (!session?.user?.id) return new Response('Unauthorized', { status: 401 });
+
+  const user = await db.query.users.findFirst({
+    where: eq(users.id, session.user.id),
+    columns: { agentSignatureData: true },
+  });
+
+  return Response.json({ agentSignatureData: user?.agentSignatureData ?? null });
+}
+
+export async function PUT(req: Request) {
+  const session = await auth();
+  if (!session?.user?.id) return new Response('Unauthorized', { status: 401 });
+
+  const { dataURL } = await req.json() as { dataURL: string };
+
+  if (!dataURL || !dataURL.startsWith('data:image/png;base64,')) {
+    return Response.json({ error: 'Invalid signature data' }, { status: 422 });
+  }
+  if (dataURL.length > 50_000) {
+    return Response.json({ error: 'Signature data too large' }, { status: 422 });
+  }
+
+  await db.update(users)
+    .set({ agentSignatureData: dataURL })
+    .where(eq(users.id, session.user.id));
+
+  return Response.json({ ok: true });
+}

teressa-copeland-homes/src/lib/db/schema.ts

@@ -42,6 +42,7 @@ export const users = pgTable("users", {
   email: text("email").notNull().unique(),
   passwordHash: text("password_hash").notNull(),
   createdAt: timestamp("created_at").defaultNow().notNull(),
+  agentSignatureData: text("agent_signature_data"),
 });
 
 export const documentStatusEnum = pgEnum("document_status", [