red/.planning/phases/06-signing-flow/.continue-here.md

phase, task, status, last_updated

phase	task	status	last_updated
06-signing-flow	post-execution bug fixes	in_progress	2026-03-21T16:15:33.200Z

<current_state> Phase 6 execution is complete (all 6 plans committed, verification passed 9/9). We are in post-execution bug-fix mode — fixing issues discovered during real end-to-end testing. Three bugs were found and fixed, one more was partially fixed and needs verification. </current_state>

<completed_work>

• Phase 6 fully executed: 6/6 plans complete (schema, email, signing page, modal+submission, confirmation+download, DNS gate)
• DNS configured: Resend.com verified for tcopelandhomes.com, DKIM propagated
• fix: domain updated teressacopelandhomes.com → tcopelandhomes.com in signing-mailer.tsx and .env.local
• fix: PreparePanel was calling /prepare but never /send — signing email was never sent. Now chains /prepare → /send
• fix: agent portal PDF viewer now serves signedFilePath (signed PDF) when available, falling back to filePath
• fix: document_viewed audit event + status→Viewed was added to GET /api/sign/[token] route — but this was WRONG PLACE
• fix (in progress): Viewed status fix moved to correct location: signing page server component (src/app/sign/[token]/page.tsx) — this is the code path that actually runs when a client opens the link. Committed as bf6d361. NOT YET VERIFIED by user.

</completed_work>

<remaining_work>

• Verify that Viewed status fix actually works now (user reported it still wasn't working before last fix — needs re-test)
• The GET /api/sign/[token] route ALSO still has the status update code from the earlier (wrong) fix — that's harmless but could be cleaned up
• Phase 7 (Audit Trail and Download) has not been started yet — it's the final phase

</remaining_work>

<decisions_made>

• Used Resend.com (free tier) for transactional email instead of Google Workspace or raw Gmail
• SMTP config: smtp.resend.com port 465 (SSL), user=resend, pass=API key
• Domain changed to tcopelandhomes.com (Squarespace/Google Domains nameservers)
• Viewed status must be set in the PAGE SERVER COMPONENT (src/app/sign/[token]/page.tsx) not in the API route — the page does direct DB calls and never hits the API route

</decisions_made>

• None hard-blocking. Viewed status fix is committed but not user-verified yet.

Phase 6 is done. We hit real bugs during end-to-end testing: 1. Email not sending → PreparePanel never called /send (only /prepare) 2. Signed PDF not showing in portal → file route always served original filePath 3. Viewed status not updating → audit/status code was in API route but signing page never calls that API route — it validates token and queries DB directly in the server component

The Viewed fix (commit bf6d361) puts the logAuditEvent + db.update(status→Viewed) directly in page.tsx, which is the correct place. This should work — but user needs to re-test.

After confirming Viewed works, the natural next step is Phase 7 (Audit Trail and Download): agent download of signed PDFs via authenticated presigned URL, private storage enforcement, and dashboard status display.

<next_action> Ask user to re-test the signing flow — open a fresh signing link and confirm the document status changes to "Viewed" in the portal. If it works, move to Phase 7 with /gsd:progress then /gsd:plan-phase 7. </next_action>