From ea3365feb490ad3d2d3052416a1276cb254e434d Mon Sep 17 00:00:00 2001
From: Chandler Copeland <ccopeland@motivhealth.com>
Date: Sat, 21 Mar 2026 11:51:30 -0600
Subject: [PATCH] feat(08-02): add isClientVisibleField server-side filter to
 GET /api/sign/[token]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Import isClientVisibleField from @/lib/db/schema
- Filter signatureFields in GET response to exclude agent-signature fields
- POST handler untouched — reads signatureFields from DB directly
---
 teressa-copeland-homes/src/app/api/sign/[token]/route.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/teressa-copeland-homes/src/app/api/sign/[token]/route.ts b/teressa-copeland-homes/src/app/api/sign/[token]/route.ts
index 61a272c..cb20348 100644
--- a/teressa-copeland-homes/src/app/api/sign/[token]/route.ts
+++ b/teressa-copeland-homes/src/app/api/sign/[token]/route.ts
@@ -3,7 +3,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { verifySigningToken } from '@/lib/signing/token';
 import { logAuditEvent } from '@/lib/signing/audit';
 import { db } from '@/lib/db';
-import { signingTokens, documents, clients } from '@/lib/db/schema';
+import { signingTokens, documents, clients, isClientVisibleField } from '@/lib/db/schema';
 import { eq, isNull, and } from 'drizzle-orm';
 import path from 'node:path';
 import { embedSignatureInPdf } from '@/lib/signing/embed-signature';
@@ -85,7 +85,7 @@ export async function GET(
     document: {
       id: doc.id,
       name: doc.name,
-      signatureFields: doc.signatureFields ?? [],
+      signatureFields: (doc.signatureFields ?? []).filter(isClientVisibleField),
       preparedFilePath: doc.preparedFilePath,
     },
     expiresAt: new Date(payload.exp * 1000).toISOString(),