--- phase: 07-audit-trail-and-download plan: 04 subsystem: api tags: [pdf, legal-compliance, presigned-url, next-js, react] # Dependency graph requires: - phase: 07-audit-trail-and-download provides: Presigned /download?adt=[token] route (07-01, 07-02) serving signed PDFs with 5-min TTL provides: - /file route restricted to original unsigned PDF only (signedFilePath fallback removed) - PdfViewer Download anchor hidden when docStatus is 'Signed' - LEGAL-03 fully satisfied — sole signed PDF download path is presigned /download?adt=[token] affects: - 07-audit-trail-and-download # Tech tracking tech-stack: added: [] patterns: - "LEGAL-03 enforcement: /file route hardcoded to filePath (no signedFilePath fallback) — signed PDF only downloadable via presigned token" - "Conditional anchor: docStatus !== 'Signed' guard hides toolbar Download link in PdfViewer" key-files: created: [] modified: - teressa-copeland-homes/src/app/api/documents/[id]/file/route.ts - teressa-copeland-homes/src/app/portal/(protected)/documents/[docId]/_components/PdfViewer.tsx key-decisions: - "/file route always reads doc.filePath (original) — signedFilePath fallback removed per Option A lock; LEGAL-03 comment added" - "PdfViewer Download anchor wrapped in {docStatus !== 'Signed' && ...} — still loads PDF via /file for in-browser display, toolbar download hidden for Signed" patterns-established: - "Enforcement via subtraction: removing the fallback (doc.signedFilePath ?? doc.filePath) is simpler and more secure than adding checks" - "Toolbar action gating by docStatus: use conditional rendering rather than disabling to completely eliminate the download path for Signed docs" requirements-completed: [SIGN-07, LEGAL-03] # Metrics duration: 1min completed: 2026-03-21 --- # Phase 7 Plan 04: LEGAL-03 Gap Closure Summary **Removed signedFilePath fallback from /file route and conditionally hidden PdfViewer Download anchor for Signed docs, making presigned /download?adt=[token] the sole signed PDF download path** ## Performance - **Duration:** 1 min - **Started:** 2026-03-21T16:53:33Z - **Completed:** 2026-03-21T16:54:50Z - **Tasks:** 2 - **Files modified:** 2 ## Accomplishments - `/file` route no longer serves signed PDFs — always returns the unsigned original via `doc.filePath` - PdfViewer toolbar Download anchor is absent when `docStatus === 'Signed'` — no second download path for agents - LEGAL-03 requirement fully satisfied: presigned `/download?adt=[token]` is the exclusive route for signed PDF downloads - TypeScript compiles cleanly — `doc.filePath` type matches previous usage, no new errors ## Task Commits Each task was committed atomically: 1. **Task 1: Restrict /file route to original PDF only** - `6775cc7` (fix) 2. **Task 2: Hide Download anchor in PdfViewer for Signed documents** - `cac5d5b` (fix) **Plan metadata:** (final commit — see below) ## Files Created/Modified - `teressa-copeland-homes/src/app/api/documents/[id]/file/route.ts` - Replaced `doc.signedFilePath ?? doc.filePath` with `doc.filePath`; updated comment to reference LEGAL-03 - `teressa-copeland-homes/src/app/portal/(protected)/documents/[docId]/_components/PdfViewer.tsx` - Wrapped Download `` in `{docStatus !== 'Signed' && (...)}` conditional; Document file prop unchanged ## Decisions Made - Used `doc.filePath` directly with no null coalescence — clean and unambiguous. The previous `??` fallback was the entire gap; removing it closes it in 2 characters. - Conditional rendering (`{docStatus !== 'Signed' && ...}`) rather than `disabled` on the anchor — a hidden anchor is a cleaner UX signal that no download is available, not just unavailable. ## Deviations from Plan None - plan executed exactly as written. ## Issues Encountered None. Both changes were minimal and targeted (2-line change in route.ts, wrapping existing anchor in PdfViewer.tsx). TypeScript confirmed clean on first pass. ## User Setup Required None - no external service configuration required. ## Next Phase Readiness LEGAL-03 is fully closed. All 27 plans across all 7 phases are now complete: - Signed PDF downloads are exclusively available via PreparePanel presigned URL (5-min TTL, purpose:'agent-download' JWT claim) - `/file` route is safe to use for in-browser PDF viewing without inadvertently serving signed PDFs - No further Phase 7 work required --- *Phase: 07-audit-trail-and-download* *Completed: 2026-03-21* ## Self-Check: PASSED - route.ts: FOUND - PdfViewer.tsx: FOUND - 07-04-SUMMARY.md: FOUND - Commit 6775cc7: FOUND - Commit cac5d5b: FOUND