---
phase: 07-audit-trail-and-download
plan: "03"
type: execute
wave: 3
depends_on:
  - "07-02"
files_modified: []
autonomous: false
requirements:
  - SIGN-07
  - LEGAL-03
must_haves:
  truths:
    - "Agent downloads the signed PDF from the document detail page and receives the actual file"
    - "Dashboard shows Signed status badge for the signed document"
    - "Dashboard shows a non-empty Date Signed value for the signed document"
    - "Accessing uploads/ directory or file directly via guessable URL returns an error, not the file"
  artifacts: []
  key_links: []
---

Human verification checkpoint: confirm that the agent-facing download, Signed status badge, private storage guard, and download-only-for-Signed rule all pass the Phase 7 success criteria.

Purpose: Satisfy the observable success criteria for SIGN-07 and LEGAL-03 through direct browser verification.

Output: Human confirmation that all Phase 7 success criteria are met (or issue report for gap closure).

@/Users/ccopeland/.claude/get-shit-done/workflows/execute-plan.md
@/Users/ccopeland/.claude/get-shit-done/templates/summary.md

@.planning/ROADMAP.md
@.planning/phases/07-audit-trail-and-download/07-02-SUMMARY.md

Task 1: Full Phase 7 browser verification

Start the dev server and walk through the Phase 7 verification checklist below. No code changes needed — this task is observation only.

none

Human approval of all 4 verification criteria below.

Agent confirms: download button works, Signed badge shows, Date Signed populates, guessable URLs return 404.

Plan 01: Agent-authenticated download API at GET /api/documents/[id]/download — 5-min presigned JWT (adt query param), path traversal guard, streams signedFilePath PDF.

Plan 02:
- Document detail page: generates agentDownloadUrl server-side for Signed docs, passes to PreparePanel
- PreparePanel: green "Document Signed" panel with signed timestamp + "Download Signed PDF" anchor for Signed status; unchanged prepare form for Draft; read-only message for Sent/Viewed
- DocumentsTable: Date Signed column added to table
- Dashboard page: signedAt included in DB select

Start the dev server: `cd teressa-copeland-homes && npm run dev`

Prerequisite: You need a document with status "Signed" and signedFilePath populated in the DB. Use an existing signed document from Phase 6 testing, or run through a quick signing ceremony now.

**Criterion 1 — Agent download (SIGN-07):**
1. Log in to the portal at http://localhost:3000/portal/dashboard
2. Find a document with status "Signed" — confirm the "Date Signed" column shows a formatted date (not "—")
3. Click the document name to navigate to the document detail page (/portal/documents/[id])
4. Confirm the right sidebar shows a green panel labeled "Document Signed" with the signed date/time and a "Download Signed PDF" button
5. Click "Download Signed PDF" — confirm browser PDF download dialog appears and the file saves successfully
6. Open the downloaded file — confirm it is a PDF containing the drawn signature

**Criterion 2 — Status badge (SIGN-07 success criterion 3):**
7. Return to http://localhost:3000/portal/dashboard
8. Confirm the signed document's Status column shows "Signed" badge (green/teal styling)

**Criterion 3 — Private storage (LEGAL-03):**
9. In the browser address bar, visit: http://localhost:3000/uploads/
10. Confirm it returns 404 — NOT a directory listing or file contents
11. Also try: http://localhost:3000/uploads/clients/ — confirm 404

**Criterion 4 — Download button absent for non-Signed documents:**
12. Navigate to any document with status "Draft", "Sent", or "Viewed"
13. Confirm the right sidebar does NOT show a "Download Signed PDF" button (Draft shows prepare form; Sent/Viewed shows read-only status message)

Type "approved" if all 4 criteria pass.
Or describe which criterion failed and what you observed — Claude will diagnose and create a gap closure plan.

All three Phase 7 roadmap success criteria verified by human:
1. Agent can download the signed PDF from the document detail page via authenticated presigned URL (5-minute TTL)
2. Signed PDFs are stored in a private local directory — a direct or guessable URL returns 404, not the file
3. Document status in the dashboard updates correctly to "Signed" after a signing ceremony completes

- Human types "approved" after verifying all 4 browser checks
- Phase 7 is marked complete in ROADMAP.md and STATE.md
- REQUIREMENTS.md checkboxes for SIGN-07 and LEGAL-03 updated to [x]

After completion, create `.planning/phases/07-audit-trail-and-download/07-03-SUMMARY.md`
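
Added example (not the project's code and not part of the original plan): a sketch of the two server-side checks Plan 01 describes for GET /api/documents/[id]/download, a 5-minute HS256 token carried in the `adt` query parameter and a path traversal guard on signedFilePath. The secret, uploads root, claim names and function names are assumptions made for illustration.

```javascript
// Added example, not the project's code; all names and values are hypothetical.
const crypto = require('node:crypto');
const path = require('node:path');

const SECRET = 'constructed-demo-secret';             // constructed; load from env in real use
const UPLOADS_DIR = path.resolve('/srv/app/uploads'); // assumed private storage root
const TTL_SECONDS = 5 * 60;                           // 5-minute TTL stated in the plan

const b64u = (v) => Buffer.from(v).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Issue the token that would travel in the `adt` query param, bound to one document id.
function issueDownloadToken(documentId, nowSec) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64u(JSON.stringify({ sub: documentId, purpose: 'agent-download', exp: nowSec + TTL_SECONDS }));
  return `${header}.${payload}.${sign(`${header}.${payload}`)}`;
}

// True only if signature, algorithm, purpose, document binding and expiry all hold.
function verifyDownloadToken(token, documentId, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return false;
  const [header, payload, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`));
  const given = Buffer.from(sig);
  // Check the signature before parsing anything the caller controls.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  try {
    const h = JSON.parse(Buffer.from(header, 'base64url').toString());
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
    return h.alg === 'HS256' && claims.purpose === 'agent-download'
      && claims.sub === documentId && Number.isInteger(claims.exp) && nowSec < claims.exp;
  } catch { return false; }
}

// Path traversal guard: the resolved signedFilePath must stay strictly under UPLOADS_DIR.
function resolveSignedFile(signedFilePath) {
  const resolved = path.resolve(UPLOADS_DIR, signedFilePath);
  return resolved.startsWith(UPLOADS_DIR + path.sep) ? resolved : null;
}
```

Binding the token to the document id means a URL issued for one signed PDF cannot be replayed against another id within the 5-minute window.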