chore: improve document preference form's default settings and reset functionality

feat: add DocumentPreferencesResetDialog component
fix: resolve permission issues (#3029 )
2026-06-27 06:40:53 +10:00 · 2026-06-26 14:25:26 +03:00 · 2026-06-26 14:21:44 +03:00 · 2026-06-26 14:46:30 +10:00 · 2026-06-26 00:01:55 +10:00 · 2026-06-25 23:59:25 +10:00
325 changed files with 17461 additions and 3159 deletions
@@ -48,7 +48,7 @@ NEXT_PRIVATE_DATABASE_URL="postgres://documenso:password@127.0.0.1:54320/documen
 NEXT_PRIVATE_DIRECT_DATABASE_URL="postgres://documenso:password@127.0.0.1:54320/documenso"

 # [[SIGNING]]
-# The transport to use for document signing. Available options: local (default) | gcloud-hsm
+# The transport to use for document signing. Available options: local (default) | gcloud-hsm | csc
 NEXT_PRIVATE_SIGNING_TRANSPORT="local"
 # OPTIONAL: The passphrase to use for the local file-based signing transport.
 NEXT_PRIVATE_SIGNING_PASSPHRASE=
@@ -70,6 +70,14 @@ NEXT_PRIVATE_SIGNING_GCLOUD_HSM_CERT_CHAIN_FILE_PATH=
 NEXT_PRIVATE_SIGNING_GCLOUD_HSM_CERT_CHAIN_CONTENTS=
 # OPTIONAL: The Google Secret Manager path to retrieve the certificate for the gcloud-hsm signing transport.
 NEXT_PRIVATE_SIGNING_GCLOUD_HSM_SECRET_MANAGER_CERT_PATH=
+# OPTIONAL: The base URL of the Cloud Signature Consortium (CSC) provider for the csc signing transport.
+NEXT_PRIVATE_SIGNING_CSC_PROVIDER_BASE_URL=
+# OPTIONAL: The OAuth client ID registered with the CSC provider for the csc signing transport.
+NEXT_PRIVATE_SIGNING_CSC_OAUTH_CLIENT_ID=
+# OPTIONAL: The OAuth client secret registered with the CSC provider for the csc signing transport.
+NEXT_PRIVATE_SIGNING_CSC_OAUTH_CLIENT_SECRET=
+# OPTIONAL: Default signature level for envelopes created on a CSC instance when the caller doesn't specify one. Available options: AES (default) | QES. Explicit AES/QES requests always pass through unchanged.
+NEXT_PRIVATE_SIGNING_CSC_SIGNATURE_LEVEL=
 # OPTIONAL: Comma-separated list of timestamp authority URLs for PDF signing (enables LTV and archival timestamps).
 NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY=
 # OPTIONAL: Contact info to embed in PDF signatures. Defaults to the webapp URL.
@@ -95,7 +103,7 @@ NEXT_PRIVATE_UPLOAD_ACCESS_KEY_ID="documenso"
 NEXT_PRIVATE_UPLOAD_SECRET_ACCESS_KEY="password"

 # [[SMTP]]
-# OPTIONAL: Defines the transport to use for sending emails. Available options: smtp-auth (default) | smtp-api | mailchannels
+# OPTIONAL: Defines the transport to use for sending emails. Available options: smtp-auth (default) | smtp-api | resend | mailchannels
 NEXT_PRIVATE_SMTP_TRANSPORT="smtp-auth"
 # OPTIONAL: Defines the host to use for sending emails.
 NEXT_PRIVATE_SMTP_HOST="127.0.0.1"
@@ -34,7 +34,7 @@ body:
      label: Browser [e.g., Chrome, Firefox]
  - type: input
    attributes:
-      label: Version [e.g., 2.0.1]
+      label: Version [e.g., 2.13.0]
  - type: checkboxes
    attributes:
      label: Please check the boxes that apply to this issue report.
@@ -44,4 +44,3 @@ body:
        - label: I have included relevant environment information.
        - label: I have included any relevant screenshots.
        - label: I understand that this is a voluntary contribution and that there is no guarantee of resolution.
-        - label: I want to work on creating a PR for this issue if approved
@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/documenso/documenso/security/advisories/new
+    about: Please report security vulnerabilities privately via GitHub Security Advisories. Do not open a public issue.
+  - name: Questions & Discussions
+    url: https://github.com/documenso/documenso/discussions
+    about: Ask questions, share ideas, and discuss Documenso with the community.
+  - name: Discord
+    url: https://documen.so/discord
+    about: Chat with the community and the team.
@@ -33,4 +33,3 @@ body:
        - label: I have explained the use case or scenario for this feature.
        - label: I have included any relevant technical details or design suggestions.
        - label: I understand that this is a suggestion and that there is no guarantee of implementation.
-        - label: I want to work on creating a PR for this issue if approved
@@ -15,17 +15,6 @@ body:
      description: 'Are there any additional context or information that might be relevant to the improvement suggestion.'
    validations:
      required: false
-  - type: dropdown
-    id: assignee
-    attributes:
-      label: 'Do you want to work on this improvement?'
-      multiple: false
-      options:
-        - 'No'
-        - 'Yes'
-      default: 0
-    validations:
-      required: true
  - type: checkboxes
    attributes:
      label: 'Please check the boxes that apply to this improvement suggestion.'
@@ -1,3 +1,14 @@
+<!--
+  We are no longer accepting external pull requests.
+
+  Aside from a small group of trusted contributors we reach out to directly,
+  new external PRs will usually be closed with a request to open an issue instead.
+  This is a security decision. See https://documenso.com/blog/why-we-re-pausing-external-pull-requests
+
+  If you're a trusted contributor or maintainer, continue below.
+  Otherwise, please open a detailed issue: https://github.com/documenso/documenso/issues/new/choose
+-->
+
 ## Description

 <!--- Describe the changes introduced by this pull request. -->
@@ -1,40 +0,0 @@
---
-name: Test Addition
-about: Submit a new test, either unit or end-to-end (E2E), for review and inclusion
---
-
-## Description
-
-<!--- Provide a clear and concise description of the new test you are adding. -->
-<!--- Explain the purpose of the test and what it aims to validate. -->
-
-## Related Issue
-
-<!--- If this test addition is related to a specific issue, reference it here using #issue_number. -->
-<!--- For example, "Fixes #123" or "Addresses #456". -->
-
-## Test Details
-
-<!--- Describe the details of the test you're adding. -->
-<!--- Include information about inputs, expected outputs, and any specific scenarios. -->
-
- Test Name: Name of the test
- Type: [Unit / E2E]
- Description: Brief description of what the test checks
- Inputs: What inputs the test uses (if applicable)
- Expected Output: What output or behavior the test expects
-
-## Checklist
-
-<!--- Please check the boxes that apply to this pull request. -->
-<!--- You can add or remove items as needed. -->
-
- [ ] I have written the new test and ensured it works as intended.
- [ ] I have added necessary documentation to explain the purpose of the test.
- [ ] I have followed the project's testing guidelines and coding style.
- [ ] I have addressed any review feedback from previous submissions, if applicable.
-
-## Additional Notes
-
-<!--- Provide any additional context or notes for the reviewers. -->
-<!--- This might include explanations about the testing approach or any potential concerns. -->
@@ -1,13 +1,10 @@
 name: 'Welcome New Contributors'

 on:
-  pull_request:
-    types: ['opened']
  issues:
    types: ['opened']

 permissions:
-  pull-requests: write
  issues: write

 jobs:
@@ -20,10 +17,7 @@ jobs:
      - uses: actions/first-interaction@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          pr-message: |
-            Thank you for creating your first Pull Request and for being a part of the open signing revolution! 💚🚀
-            <br /> Feel free to hop into our community in [Discord](https://documen.so/discord)
          issue-message: |
            Thank you for opening your first issue and for being a part of the open signing revolution!
-            <br /> One of our team members will review it and get back to you as soon as it possible 💚
+            <br /> One of our team members will review it and get back to you as soon as possible 💚
            <br /> Meanwhile, please feel free to hop into our community in [Discord](https://documen.so/discord)
@@ -1,62 +0,0 @@
-name: 'Issue Assignee Check'
-
-on:
-  issues:
-    types: ['assigned']
-
-permissions:
-  issues: write
-
-jobs:
-  countIssues:
-    if: ${{ github.event.issue.assignee }} && github.event.action == 'assigned' && github.event.sender.type == 'User'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '18'
-
-      - name: Install Octokit
-        run: npm install @octokit/rest@18
-
-      - name: Check Assigned User's Issue Count
-        id: parse-comment
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const { Octokit } = require("@octokit/rest");
-            const octokit = new Octokit({ auth: process.env.GITHUB_TOKEN });
-
-            const username = context.payload.issue.assignee.login;
-            console.log(`Username Extracted: ${username}`);
-
-            const { data: issues } = await octokit.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              assignee: username,
-              state: 'open'
-            });
-
-            const issueCount = issues.length;
-            console.log(`Issue Count For ${username}: ${issueCount}`);
-
-            if (issueCount > 3) {
-              let issueCountMessage = `### 🚨 Documenso Police 🚨`;
-              issueCountMessage += `\n@${username} has ${issueCount} open issues assigned already. Consider whether this issue should be assigned to them or left open for another contributor.`;
-
-              await octokit.request('POST /repos/{owner}/{repo}/issues/{issue_number}/comments', {
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                body: issueCountMessage,
-                headers: {
-                  'Authorization': `token ${{ secrets.GITHUB_TOKEN }}`,
-                }
-              });
-            }
@@ -1,63 +0,0 @@
-name: 'PR Review Reminder'
-
-on:
-  pull_request:
-    types: ['opened', 'ready_for_review']
-
-permissions:
-  pull-requests: write
-
-jobs:
-  checkPRs:
-    if: ${{ github.event.pull_request.user.login }} && github.event.action == ('opened' || 'ready_for_review')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '18'
-
-      - name: Install Octokit
-        run: npm install @octokit/rest@18
-
-      - name: Check user's PRs awaiting review
-        id: parse-prs
-        uses: actions/github-script@v5
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const { Octokit } = require("@octokit/rest");
-            const octokit = new Octokit({ auth: process.env.GITHUB_TOKEN });
-
-            const username = context.payload.pull_request.user.login;
-            console.log(`Username Extracted: ${username}`);
-
-            const { data: pullRequests } = await octokit.pulls.list({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              sort: 'created',
-              direction: 'asc',
-            });
-
-            const userPullRequests = pullRequests.filter(pr => pr.user.login === username && (pr.state === 'open' || pr.state === 'ready_for_review'));
-            const prCount = userPullRequests.length;
-            console.log(`PR Count for ${username}: ${prCount}`);
-
-            if (prCount > 3) {
-              let prReminderMessage = `🚨 @${username} has ${prCount} pull requests awaiting review. Please consider reviewing them when possible. 🚨`;
-
-              await octokit.request('POST /repos/{owner}/{repo}/issues/{issue_number}/comments', {
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.payload.pull_request.number,
-                body: prReminderMessage,
-                headers: {
-                  'Authorization': `token ${{ secrets.GITHUB_TOKEN }}`,
-                }
-              });
-            }
@@ -16,24 +16,6 @@ jobs:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
-      - name: Check PR creator's previous activity
-        id: check_activity
-        run: |
-          CREATOR=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}" | jq -r '.user.login')
-          ACTIVITY=$(curl -s "https://api.github.com/search/commits?q=author:${CREATOR}+repo:${{ github.repository }}" | jq -r '.total_count')
-          if [ "$ACTIVITY" -eq 0 ]; then
-            echo "::set-output name=is_new::true"
-          else
-            echo "::set-output name=is_new::false"
-          fi
-
-      - name: Count PRs created by user
-        id: count_prs
-        run: |
-          CREATOR=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}" | jq -r '.user.login')
-          PR_COUNT=$(curl -s "https://api.github.com/search/issues?q=type:pr+is:open+author:${CREATOR}+repo:${{ github.repository }}" | jq -r '.total_count')
-          echo "::set-output name=pr_count::$PR_COUNT"
-
      - uses: amannn/action-semantic-pull-request@v5
        id: lint_pr_title
        env:
@@ -44,8 +26,6 @@ jobs:
        with:
          header: pr-title-lint-error
          message: |
-            Hey There! and thank you for opening this pull request! 📝👋🏼
-
            We require pull request titles to follow the [Conventional Commits Spec](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.

            Details:
@@ -53,10 +33,3 @@ jobs:
            ```
            ${{ steps.lint_pr_title.outputs.error_message }}
            ```
-
-      - if: ${{ steps.lint_pr_title.outputs.error_message == null && steps.check_activity.outputs.is_new == 'false' && steps.count_prs.outputs.pr_count < 2}}
-        uses: marocchino/sticky-pull-request-comment@v2
-        with:
-          header: pr-title-lint-error
-          message: |
-            Thank you for following the naming conventions for pull request titles! 💚🚀
@@ -21,4 +21,4 @@ jobs:
          stale-pr-message: 'This PR has not seen activitiy for a while. It will be closed in 30 days unless further activity is detected.'
          close-pr-message: 'This PR has been closed because of inactivity.'
          exempt-pr-labels: 'WIP,on-hold,needs review'
-          exempt-issue-labels: 'WIP,on-hold,needs review,roadmap,assigned,needs triage'
+          exempt-issue-labels: 'WIP,on-hold,needs review,roadmap,status: assigned,status: triage'
@@ -31,8 +31,7 @@ vscode:
  extensions:
    - aaron-bond.better-comments
    - bradlc.vscode-tailwindcss
-    - dbaeumer.vscode-eslint
-    - esbenp.prettier-vscode
+    - biomejs.biome
    - mikestead.dotenv
    - unifiedjs.vscode-mdx
    - GitHub.vscode-pull-request-github
@@ -1,7 +1,14 @@
-# General Issues
+# Report security vulnerabilities privately via GitHub Security Advisories (preferred).
+Contact: https://github.com/documenso/documenso/security/advisories/new
+
+# Alternatively, report critical issues privately by email.
+Contact: mailto:security@documenso.com
+
+# Security policy
+Policy: https://github.com/documenso/documenso/security/policy
+
+# General (non-security) issues
 Contact: https://github.com/documenso/documenso/issues/new?assignees=&labels=bug&projects=&template=bug-report.yml

-# Report critical issues privately to let us take appropriate action before publishing.
-Contact: mailto:security@documenso.com
 Preferred-Languages: en
-Canonical: https://documenso.com/.well-known/security.txt
+Canonical: https://documenso.com/.well-known/security.txt
@@ -1,13 +1,27 @@
 # Contributing to Documenso

-If you plan to contribute to Documenso, please take a moment to feel awesome ✨ People like you are what open source is about ♥. Any contributions, no matter how big or small, are highly appreciated.
+> **We are no longer accepting external pull requests.**
+>
+> Aside from a small group of trusted contributors we reach out to directly, we no longer merge external PRs. New pull requests will usually be closed with a request to open an issue instead. This is a security decision, not a judgement on your work. Read [Why We're Pausing External Pull Requests](https://documenso.com/blog/why-we-re-pausing-external-pull-requests) for the full reasoning.
+>
+> Documenso stays open source. You can still read, audit, run, and fork the code. The best way to contribute is through detailed issues.

-## Before getting started
+## How to contribute now

- Before jumping into a PR be sure to search [existing PRs](https://github.com/documenso/documenso/pulls) or [issues](https://github.com/documenso/documenso/issues) for an open or closed item that relates to your submission.
- Select an issue from [here](https://github.com/documenso/documenso/issues) or create a new one
- Consider the results from the discussion on the issue
- Accept the [Contributor License Agreement](https://documen.so/cla) to ensure we can accept your contributions.
+The most useful contribution is a detailed issue. Treat it like a spec. The more detail, the better:
+
+- The problem you're trying to solve, and who it affects
+- How you expect the feature or change to behave
+- Edge cases, constraints, and anything you've already considered
+- Examples, mockups, or references where they help
+
+Before opening an issue, search [existing issues](https://github.com/documenso/documenso/issues) and [discussions](https://github.com/documenso/documenso/discussions) for related items. If a proposal is detailed and fits where Documenso is heading, we'll pick it up and build against it.
+
+For security vulnerabilities, do not open a public issue. Follow our [Security Policy](./SECURITY.md) instead.
+
+---
+
+The sections below are for trusted contributors working with us directly, and for anyone running Documenso locally or maintaining a fork.

 ## English only PRs and Issues

@@ -51,16 +51,18 @@ Join us in creating the next generation of open trust infrastructure.

 ## Community and Next Steps 🎯

- Check out the first source code release in this repository and test it.
+- Try Documenso by self-hosting it or signing up at [documenso.com](https://documenso.com).
 - Tell us what you think in the [Discussions](https://github.com/documenso/documenso/discussions).
- Join the [Discord server](https://documen.so/discord) for any questions and getting to know to other community members.
+- Join the [Discord server](https://documen.so/discord) for any questions and getting to know other community members.
 - ⭐ the repository to help us raise awareness.
- Spread the word on Twitter that Documenso is working towards a more open signing tool.
- Fix or create [issues](https://github.com/documenso/documenso/issues), that are needed for the first production release.
+- Open detailed [issues](https://github.com/documenso/documenso/issues) to report bugs or propose features.

 ## Contributing

- To contribute, please see our [contribution guide](https://github.com/documenso/documenso/blob/main/CONTRIBUTING.md).
+> **Note**: We no longer accept external pull requests, aside from a small group of trusted contributors we reach out to directly. The best way to contribute is through detailed issues. Read [Why We're Pausing External Pull Requests](https://documenso.com/blog/why-we-re-pausing-external-pull-requests) for the reasoning.
+
+- Documenso stays open source. You can read, audit, run, and fork the code.
+- To report issues or propose changes, see our [contribution guide](https://github.com/documenso/documenso/blob/main/CONTRIBUTING.md).

 ## Contact us

@@ -81,17 +83,21 @@ Contact us if you are interested in our Enterprise plan for large organizations
  <a href=""><img src="" alt=""></a>
 </p>

- [Typescript](https://www.typescriptlang.org/) - Language
- [ReactRouter](https://reactrouter.com/) - Framework
+- [TypeScript](https://www.typescriptlang.org/) - Language
+- [React Router v7](https://reactrouter.com/) - Framework
+- [Hono](https://hono.dev/) - Server
 - [Prisma](https://www.prisma.io/) - ORM
- [Tailwind](https://tailwindcss.com/) - CSS
- [shadcn/ui](https://ui.shadcn.com/) - Component Library
+- [Tailwind CSS](https://tailwindcss.com/) - CSS
+- [shadcn/ui](https://ui.shadcn.com/) + [Radix UI](https://www.radix-ui.com/) - Component Library
 - [react-email](https://react.email/) - Email Templates
+- [Lingui](https://lingui.dev/) - Internationalization
 - [tRPC](https://trpc.io/) - API
- [@documenso/pdf-sign](https://www.npmjs.com/package/@documenso/pdf-sign) - PDF Signatures (launching soon)
- [React-PDF](https://github.com/wojtekmaj/react-pdf) - Viewing PDFs
- [PDF-Lib](https://github.com/Hopding/pdf-lib) - PDF manipulation
+- [@libpdf/core](https://www.npmjs.com/package/@libpdf/core) - PDF Signatures
+- [pdf.js](https://mozilla.github.io/pdf.js/) - Viewing PDFs
+- [@cantoo/pdf-lib](https://github.com/cantoo-scribe/pdf-lib) - PDF manipulation
 - [Stripe](https://stripe.com/) - Payments
+- [Biome](https://biomejs.dev/) - Linting & Formatting
+- [Playwright](https://playwright.dev/) - E2E Testing

 <!-- - Support for [opensignpdf (requires Java on server)](https://github.com/open-pdf-sign) is currently planned. -->

@@ -196,6 +202,10 @@ For full instructions, requirements, and configuration details, see the [Self Ho

 [![Deploy on Elestio](https://elest.io/images/logos/deploy-to-elestio-btn.png)](https://elest.io/open-source/documenso)

+## Security
+
+If you believe you have found a security vulnerability in Documenso, please report it through our [Security Policy](https://github.com/documenso/documenso/security/policy). We prioritize private reports via [GitHub Security Advisories](https://github.com/documenso/documenso/security/advisories/new). See [SECURITY.md](./SECURITY.md) for scope and details.
+
 ## Troubleshooting

 For troubleshooting self-hosted deployments, see the [Troubleshooting guide](https://docs.documenso.com/docs/self-hosting/maintenance/troubleshooting) and [Tips & Common Pitfalls](https://docs.documenso.com/docs/self-hosting/getting-started/tips).
@@ -0,0 +1,38 @@
+# Security Policy
+
+We take the security of Documenso seriously. As a platform trusted with legally binding documents, the safety of the project and the people who rely on it is a priority for us. We're grateful to the security researchers who help keep it that way. If you've found an issue, we'd genuinely like to hear about it.
+
+## Reporting a Vulnerability
+
+Report security vulnerabilities privately. Do not open a public issue, discussion, or pull request for security reports.
+
+We accept reports through two channels, in order of preference:
+
+1. **GitHub Security Advisories (preferred)**. Use the [private vulnerability reporting form](https://github.com/documenso/documenso/security/advisories/new). This is our primary channel and lets us triage and work with you on a fix.
+2. **Email**. If you cannot use GitHub Security Advisories, email [security@documenso.com](mailto:security@documenso.com).
+
+Include the affected version, a clear description, steps to reproduce, and the potential impact.
+
+## Triage and Response
+
+We triage reports as we have availability. We read every report we receive, and we appreciate the time and effort it takes to put one together.
+
+We also run [Codex](https://openai.com/codex/) security analysis across the codebase. If Codex has already reported the issue you're sending us, we may close your report as a duplicate. Please don't take this as a reflection on your work; it just means our automated tooling happened to surface the same thing first.
+
+## Scope
+
+This policy covers vulnerabilities in the Documenso application code in this repository.
+
+The items below are out of scope and will not be accepted. They are deployment, infrastructure, and configuration concerns that belong with the operator's firewall, network, and environment setup, not the application:
+
+- Server-Side Request Forgery (SSRF) and related network-egress concerns
+- DNS rebinding and other DNS-level issues
+- Rate limiting, denial of service, and volumetric attacks
+- TLS and certificate configuration, HTTP security headers, and other reverse-proxy or web-server configuration
+- Findings that depend on insecure self-hosted infrastructure or misconfiguration
+
+If you're unsure whether something is in scope, report it privately anyway and we'll happily take a look.
+
+## Supported Versions
+
+Security fixes are applied to the latest release. Run the most recent version of Documenso.
@@ -1,67 +1,9 @@
-# Creating your own signing certificate
+# Signing Certificate

-For the digital signature of your documents you need a signing certificate in .p12 format (public and private key). You can buy one (not recommended for dev) or use the steps to create a self-signed one:
+Documenso needs a signing certificate to digitally sign documents. For full, up-to-date instructions on generating, converting, and configuring a certificate, see the official documentation:

-1. Generate a private key using the OpenSSL command. You can run the following command to generate a 2048-bit RSA key:
+- [Signing Certificate](https://docs.documenso.com/docs/self-hosting/configuration/signing-certificate): Overview and all certificate options
+- [Local Certificate](https://docs.documenso.com/docs/self-hosting/configuration/signing-certificate/local): Generate a self-signed `.p12` certificate with OpenSSL
+- [Google Cloud HSM](https://docs.documenso.com/docs/self-hosting/configuration/signing-certificate/google-cloud-hsm): Sign using Google Cloud KMS

-   `openssl genrsa -out private.key 2048`
-
-2. Generate a self-signed certificate using the private key. You can run the following command to generate a self-signed certificate:
-
-   `openssl req -new -x509 -key private.key -out certificate.crt -days 365`
-
-   This will prompt you to enter some information, such as the Common Name (CN) for the certificate. Make sure you enter the correct information. The `-days` parameter sets the number of days for which the certificate is valid.
-
-3. Combine the private key and the self-signed certificate to create the p12 certificate. You can run the following commands to do this:
-
-   ```bash
-   # Set certificate password securely (won't appear in command history)
-   read -s -p "Enter certificate password: " CERT_PASS
-   echo
-   
-   # Create the p12 certificate using the environment variable
-   openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.crt \
-       -password env:CERT_PASS \
-       -keypbe PBE-SHA1-3DES \
-       -certpbe PBE-SHA1-3DES \
-       -macalg sha1
-   ```
-
-4. **IMPORTANT**: A certificate password is required to prevent signing failures. Make sure to use a strong password (minimum 4 characters) when prompted. Certificates without passwords will cause "Failed to get private key bags" errors during document signing.
-
-5. Place the certificate `/apps/remix/resources/certificate.p12` (If the path does not exist, it needs to be created)
-
-## Docker
-
-> We are still working on the publishing of docker images, in the meantime you can follow the steps below to create a production ready docker image.
-
-Want to create a production ready docker image? Follow these steps:
-
- cd into `docker` directory
- Make `build.sh` executable by running `chmod +x build.sh`
- Run `./build.sh` to start building the docker image.
- Publish the image to your docker registry of choice (or) If you prefer running the image from local, run the below command
-
-```
-docker run -d --restart=unless-stopped -p 3000:3000 -v documenso:/app/data --name documenso documenso:latest
-```
-
-Command Breakdown:
-
- `-d` - Let's you run the container in background
- `-p` - Passes down which ports to use. First half is the host port, Second half is the app port. You can change the first half anything you want and reverse proxy to that port.
- `-v` - Volume let's you persist the data
- `--name` - Name of the container
- `documenso:latest` - Image you have built
-
-## Deployment
-
-We support a variety of deployment methods, and are actively working on adding more. Stay tuned for updates!
-
-## Railway
-
-[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/DjrRRX?referralCode=EZR3s0&utm_medium=integration&utm_source=template&utm_campaign=generic)
-
-## Render
-
-[![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/documenso/documenso)
+For deploying Documenso with Docker, see the [Docker Deployment](https://docs.documenso.com/docs/self-hosting/deployment/docker) and [Docker Compose](https://docs.documenso.com/docs/self-hosting/deployment/docker-compose) guides.
@@ -1,45 +1,16 @@
-# docs
+# @documenso/docs

-This is a Next.js application generated with
-[Create Fumadocs](https://github.com/fuma-nama/fumadocs).
+The Documenso documentation site, built with [Next.js](https://nextjs.org/) and [Fumadocs](https://fumadocs.dev/). Published at [docs.documenso.com](https://docs.documenso.com).

-Run development server:
+Content lives under `content/docs/` as MDX. See [WRITING_STYLE.md](../../WRITING_STYLE.md) for the documentation writing conventions.

 ```bash
-npm run dev
-# or
-pnpm dev
-# or
-yarn dev
+# From the monorepo root
+npm run dev --filter=@documenso/docs
 ```

-Open http://localhost:3000 with your browser to see the result.
+## Structure

-## Explore
-
-In the project, you can see:
-
- `lib/source.ts`: Code for content source adapter, [`loader()`](https://fumadocs.dev/docs/headless/source-api) provides the interface to access your content.
- `lib/layout.shared.tsx`: Shared options for layouts, optional but preferred to keep.
-
-| Route                     | Description                                            |
-| ------------------------- | ------------------------------------------------------ |
-| `app/(home)`              | The route group for your landing page and other pages. |
-| `app/docs`                | The documentation layout and pages.                    |
-| `app/api/search/route.ts` | The Route Handler for search.                          |
-
-### Fumadocs MDX
-
-A `source.config.ts` config file has been included, you can customise different options like frontmatter schema.
-
-Read the [Introduction](https://fumadocs.dev/docs/mdx) for further details.
-
-## Learn More
-
-To learn more about Next.js and Fumadocs, take a look at the following
-resources:
-
- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js
-  features and API.
- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
- [Fumadocs](https://fumadocs.dev) - learn about Fumadocs
+- `content/docs/`: Documentation pages (MDX).
+- `lib/source.ts`: Content source adapter.
+- `lib/layout.shared.tsx`: Shared layout options.
@@ -15,16 +15,17 @@ Pick the one that fits your needs the best.

 ## Tech Stack

- [Typescript](https://www.typescriptlang.org/) - Language
- [React Router](https://reactrouter.com/) - Framework
+- [TypeScript](https://www.typescriptlang.org/) - Language
+- [React Router v7](https://reactrouter.com/) - Framework
+- [Hono](https://hono.dev/) - Server
 - [Prisma](https://www.prisma.io/) - ORM
- [Tailwind](https://tailwindcss.com/) - CSS
- [shadcn/ui](https://ui.shadcn.com/) - Component Library
+- [Tailwind CSS](https://tailwindcss.com/) - CSS
+- [shadcn/ui](https://ui.shadcn.com/) + [Radix UI](https://www.radix-ui.com/) - Component Library
 - [react-email](https://react.email/) - Email Templates
+- [Lingui](https://lingui.dev/) - Internationalization
 - [tRPC](https://trpc.io/) - API
- [@documenso/pdf-sign](https://www.npmjs.com/package/@documenso/pdf-sign) - PDF Signatures
- [React-PDF](https://github.com/wojtekmaj/react-pdf) - Viewing PDFs
- [PDF-Lib](https://github.com/Hopding/pdf-lib) - PDF manipulation
+- [@libpdf/core](https://www.npmjs.com/package/@libpdf/core) - PDF Signing and Manipulation
+- [pdf.js](https://mozilla.github.io/pdf.js/) - Viewing PDFs
 - [Stripe](https://stripe.com/) - Payments

 <div className="mt-16 flex items-center justify-center gap-4">
@@ -278,7 +278,9 @@ Test your email configuration by creating an account or resetting a password. Th

 ### Using a Test SMTP Server

-For development or testing, use a local SMTP server like [Mailhog](https://github.com/mailhog/MailHog) or [Mailpit](https://github.com/axllent/mailpit):
+For development or testing, use a local SMTP server like [Inbucket](https://www.inbucket.org/), [Mailpit](https://github.com/axllent/mailpit), or [Mailhog](https://github.com/mailhog/MailHog). The default development setup (`docker/development/compose.yml`) already runs Inbucket, with its web UI on port 9000 and SMTP on port 2500.
+
+To run one standalone instead:

 ```bash
 # Using Docker
@@ -86,6 +86,21 @@ Callback URL: `https://<your-domain>/api/auth/callback/microsoft`
 | `NEXT_PRIVATE_OIDC_SKIP_VERIFY`    | `false` | Skip email verification for OIDC accounts          |
 | `NEXT_PRIVATE_OIDC_PROMPT`         | `login` | OIDC prompt parameter. Set to empty string to omit |

+### Webhooks
+
+| Variable                                | Default | Description                                                              |
+| --------------------------------------- | ------- | ------------------------------------------------------------------------ |
+| `NEXT_PRIVATE_WEBHOOK_SSRF_BYPASS_HOSTS` | -       | Comma-separated hostnames or IPs allowed to resolve to private addresses |
+
+Before delivering a webhook, Documenso checks whether the target resolves to a
+private or loopback address and blocks it if so. This check is best-effort and
+fails open. Use `NEXT_PRIVATE_WEBHOOK_SSRF_BYPASS_HOSTS` to allow specific
+internal hosts, for example when delivering to a service on your own network:
+
+```bash
+NEXT_PRIVATE_WEBHOOK_SSRF_BYPASS_HOSTS="hooks.internal.example,10.0.0.5"
+```
+
 ---

 ## Email Configuration
@@ -186,9 +201,9 @@ Documenso requires a certificate to digitally sign documents.

 ### Transport Selection

-| Variable                         | Description                              | Default |
-| -------------------------------- | ---------------------------------------- | ------- |
-| `NEXT_PRIVATE_SIGNING_TRANSPORT` | Signing backend: `local` or `gcloud-hsm` | `local` |
+| Variable                         | Description                                       | Default |
+| -------------------------------- | ------------------------------------------------- | ------- |
+| `NEXT_PRIVATE_SIGNING_TRANSPORT` | Signing backend: `local`, `gcloud-hsm`, or `csc`  | `local` |

 ### Local Signing

@@ -210,11 +225,36 @@ Documenso requires a certificate to digitally sign documents.
 | `NEXT_PRIVATE_SIGNING_GCLOUD_HSM_CERT_CHAIN_CONTENTS`          | Base64-encoded certificate chain                     |
 | `NEXT_PRIVATE_SIGNING_GCLOUD_HSM_SECRET_MANAGER_CERT_PATH`     | Google Secret Manager path for certificate retrieval |

+### Cloud Signature Consortium (CSC)
+
+Routes signing through a third-party Trust Service Provider for Advanced and Qualified Electronic Signatures (AES/QES). Instance-wide; set `NEXT_PRIVATE_SIGNING_TRANSPORT=csc` to enable. See [CSC (AES / QES)](/docs/self-hosting/configuration/signing-certificate/csc-qes) for the full setup walkthrough.
+
+CSC mode requires an active [Enterprise Edition](/docs/policies/enterprise-edition) license. Without a valid license, the instance will refuse to start in `csc` mode.
+
+| Variable                                       | Description                                                                                                                | Default |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `NEXT_PRIVATE_SIGNING_CSC_PROVIDER_BASE_URL`   | Base URL of the CSC provider's API                                                                                         |         |
+| `NEXT_PRIVATE_SIGNING_CSC_OAUTH_CLIENT_ID`     | OAuth client ID registered with the CSC provider                                                                           |         |
+| `NEXT_PRIVATE_SIGNING_CSC_OAUTH_CLIENT_SECRET` | OAuth client secret registered with the CSC provider                                                                       |         |
+| `NEXT_PRIVATE_SIGNING_CSC_SIGNATURE_LEVEL`     | Default legal tier for new envelopes when the caller doesn't specify one. `AES` or `QES`. Explicit requests pass through.  | `AES`   |
+
+The OAuth callback URL registered with the CSC provider is fixed at `${NEXT_PUBLIC_WEBAPP_URL}/api/csc/oauth/callback` — register this exact URL with the TSP.
+
+#### Derived Public Variables
+
+The following client-visible variable is **derived automatically** from the private transport at server startup. Do not set it manually — any value set in the environment is overwritten on boot.
+
+| Variable                              | Derived from                                       | Value                                             |
+| ------------------------------------- | -------------------------------------------------- | ------------------------------------------------- |
+| `NEXT_PUBLIC_SIGNING_TRANSPORT_IS_CSC` | `NEXT_PRIVATE_SIGNING_TRANSPORT === 'csc'`        | `'true'` when CSC mode is active, else `'false'` |
+
+The authoring UI uses this flag to gate features that AES/QES envelopes cannot support (parallel signing, assistant role, dictate next signer). Deriving it from the private transport prevents the client-side flag from drifting from the real server-side configuration.
+
 ### Signature Options

 | Variable                                    | Description                                                 | Default    |
 | ------------------------------------------- | ----------------------------------------------------------- | ---------- |
-| `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY`  | Comma-separated timestamp authority URLs for LTV signatures |            |
+| `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY`  | Comma-separated timestamp authority URLs for LTV signatures. Optional for `local` / `gcloud-hsm` (signatures omit the timestamp when unset). **Required** when `NEXT_PRIVATE_SIGNING_TRANSPORT=csc` — the instance refuses to start without it. See [CSC (AES / QES)](/docs/self-hosting/configuration/signing-certificate/csc-qes#timestamp-authority-resolution). |            |
 | `NEXT_PUBLIC_SIGNING_CONTACT_INFO`          | Contact info embedded in PDF signatures                     | Webapp URL |
 | `NEXT_PRIVATE_USE_LEGACY_SIGNING_SUBFILTER` | Use `adbe.pkcs7.detached` instead of `ETSI.CAdES.detached`  | `false`    |

@@ -0,0 +1,213 @@
+---
+title: CSC (AES / QES)
+description: Configure Cloud Signature Consortium signing for Advanced and Qualified Electronic Signatures via a third-party Trust Service Provider.
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Step, Steps } from 'fumadocs-ui/components/steps';
+
+The `csc` signing transport routes signatures through a third-party Trust Service Provider (TSP) using the [Cloud Signature Consortium API v1.0.4.0](https://cloudsignatureconsortium.org/). Each recipient authenticates directly with the TSP (Strong Customer Authentication) and the TSP returns a per-recipient signature bound to the document hash. Documenso assembles the resulting PAdES signature inside the PDF.
+
+This transport enables **Advanced Electronic Signatures (AES)** and **Qualified Electronic Signatures (QES)** under eIDAS. See [Signature Levels](/docs/compliance/signature-levels) for the legal framework.
+
+<Callout type="warn">
+  CSC mode is **instance-wide**: one CSC provider per Documenso install. All envelopes created
+  while the instance runs in `csc` mode use AES or QES. Switching `NEXT_PRIVATE_SIGNING_TRANSPORT`
+  is a one-way operational migration — see [Switching Transports](#switching-transports).
+</Callout>
+
+<Callout type="warn">
+  CSC mode requires an active [Enterprise Edition](/docs/policies/enterprise-edition) license. The
+  instance refuses to start in `csc` mode without it.
+</Callout>
+
+## Prerequisites
+
+{/* prettier-ignore */}
+<Steps>
+<Step>
+
+### A TSP account
+
+Establish a relationship with a CSC-compatible Trust Service Provider. The TSP issues qualified or advanced certificates to your signers, holds the private keys in its HSM, and exposes a CSC v1.0.4.0-compliant API.
+
+</Step>
+<Step>
+
+### OAuth client credentials
+
+Register Documenso as an OAuth client with the TSP. You will receive a client ID and client secret, and must supply Documenso's callback URL when registering:
+
+```
+${NEXT_PUBLIC_WEBAPP_URL}/api/csc/oauth/callback
+```
+
+The callback URL is fixed — Documenso derives it from `NEXT_PUBLIC_WEBAPP_URL` and the route mount path. There is no env var to override it; ensuring the registered URL matches your instance's webapp URL exactly is the operator's responsibility.
+
+</Step>
+<Step>
+
+### Enterprise Edition license
+
+CSC mode is gated by the `instanceCscSigning` license flag. Without a valid Enterprise license, the transport refuses to start (`CSC_UNLICENSED`).
+
+</Step>
+<Step>
+
+### S3 storage (strongly recommended)
+
+CSC produces multiple `DocumentData` rows per envelope item (one per recipient signature, plus the materialised and source rows). Database-backed storage base64-inflates each row by ~33% and is impractical at meaningful PDF sizes. Configure [S3 storage](/docs/self-hosting/configuration/storage) before enabling CSC.
+
+</Step>
+</Steps>
+
+## Environment Variables
+
+| Variable                                       | Description                                                                                                                       | Default |
+| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `NEXT_PRIVATE_SIGNING_TRANSPORT`               | Set to `csc`                                                                                                                      |         |
+| `NEXT_PRIVATE_SIGNING_CSC_PROVIDER_BASE_URL`   | Base URL of the CSC provider's API                                                                                                |         |
+| `NEXT_PRIVATE_SIGNING_CSC_OAUTH_CLIENT_ID`     | OAuth client ID registered with the CSC provider                                                                                  |         |
+| `NEXT_PRIVATE_SIGNING_CSC_OAUTH_CLIENT_SECRET` | OAuth client secret registered with the CSC provider                                                                              |         |
+| `NEXT_PRIVATE_SIGNING_CSC_SIGNATURE_LEVEL`     | Default legal tier for new envelopes when the caller does not specify one. `AES` or `QES`. Explicit requests always pass through. | `AES`   |
+| `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY`     | **Required.** Comma-separated RFC 3161 TSA URLs. Always used for B-LTA archival timestamps at seal time, and also serves as the B-T sign-time fallback when the TSP does not expose `signatures/timestamp`. The instance refuses to start in CSC mode without it. See [Timestamp Authority Resolution](#timestamp-authority-resolution). |         |
+
+<Callout type="info">
+  `NEXT_PUBLIC_SIGNING_TRANSPORT_IS_CSC` is set automatically from
+  `NEXT_PRIVATE_SIGNING_TRANSPORT` at server startup. Do not set it manually — see
+  [Environment Variables](/docs/self-hosting/configuration/environment#derived-public-variables).
+</Callout>
+
+## Configuration Example
+
+```bash
+NEXT_PRIVATE_SIGNING_TRANSPORT=csc
+NEXT_PRIVATE_SIGNING_CSC_PROVIDER_BASE_URL=https://api.example-tsp.com/csc/v1
+NEXT_PRIVATE_SIGNING_CSC_OAUTH_CLIENT_ID=documenso-prod
+NEXT_PRIVATE_SIGNING_CSC_OAUTH_CLIENT_SECRET=...
+NEXT_PRIVATE_SIGNING_CSC_SIGNATURE_LEVEL=QES
+NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY=http://timestamp.example.com
+```
+
+Register `${NEXT_PUBLIC_WEBAPP_URL}/api/csc/oauth/callback` (e.g. `https://sign.example.com/api/csc/oauth/callback`) as the OAuth callback URL with the TSP.
+
+## Default Signature Level
+
+`NEXT_PRIVATE_SIGNING_CSC_SIGNATURE_LEVEL` selects the legal tier applied to envelopes that do not specify one explicitly. It is a default, not a capability gate: callers may still create AES or QES envelopes explicitly regardless of this setting.
+
+| Configured value | Caller passes nothing | Caller passes `AES` | Caller passes `QES` |
+| ---------------- | --------------------- | ------------------- | ------------------- |
+| `AES` (default)  | Envelope is `AES`     | Envelope is `AES`   | Envelope is `QES`   |
+| `QES`            | Envelope is `QES`     | Envelope is `AES`   | Envelope is `QES`   |
+
+Any value other than `AES` or `QES` causes the instance to refuse to start. This prevents silent qualified-to-advanced downgrades from a typo.
+
+## Timestamp Authority Resolution
+
+AES/QES envelopes use TSA-attested timestamps in two distinct phases. Resolution differs per phase.
+
+### Sign time — PAdES B-T per recipient
+
+Each recipient's CMS embeds a signature timestamp (CMS unsigned attribute) so proven time is bound to the recipient's signature itself. Resolution order:
+
+1. If the TSP advertises `signatures/timestamp` in its `info` response (CSC §11.10), the TSP endpoint is used. The call is authorised with **this recipient's** service-scope bearer token — the same one authorising the `signatures/signHash` call alongside it.
+2. Otherwise, the first URL from `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY` is used (RFC 3161 over HTTP).
+
+Selection is made at boot from the discovered transport, not at runtime; there is no try-then-fall-through. If the chosen source fails, the recipient's sign attempt fails.
+
+### Seal time — PAdES B-LTA archival
+
+The seal-document job emits a single archival `/DocTimeStamp` over the fully-signed envelope (plus DSS for the existing signatures and the timestamp's own chain). This phase is **env-only**: the first URL from `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY` is always used.
+
+The archival anchor is the operator's long-term trust anchor and SHOULD point at a dedicated qualified archival TSA (e.g. DigiCert) independent of the per-recipient TSP. We deliberately do not fall back to the TSP at seal time: archive longevity should not be coupled to a TSP that may rotate or revoke, and the seal-document job has no recipient context to carry a service-scope bearer.
+
+### Boot-time guard
+
+The instance refuses to start in CSC mode unless `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY` is set (`CSC_PROVIDER_NO_TSA` at transport construction). The env var is required unconditionally — even when the TSP advertises its own `signatures/timestamp`, seal-time B-LTA archival uses the env TSA. Catching this at boot prevents the failure mode where an envelope signs successfully at B-T and then hangs in `WAITING_FOR_SIGNATURE_COMPLETION` when the seal job throws.
+
+## Switching Transports
+
+`NEXT_PRIVATE_SIGNING_TRANSPORT` is a one-way operational migration. Existing envelopes route per the `signatureLevel` column they were created with — the runtime branching looks at the envelope, not the env var. After a switch:
+
+- Envelopes already at `SES` continue to use the new transport for sealing, but the new transport's signer must produce SES-compatible signatures (only `local` and `gcloud-hsm` qualify).
+- Envelopes already at `AES` / `QES` will fail at sign or seal time if the new transport is not `csc`.
+
+Plan migrations during a quiet window with no in-flight envelopes.
+
+## Behavioural Notes
+
+CSC mode changes a number of envelope-authoring behaviours that operators should communicate to users.
+
+### Mutation lock at distribution
+
+For AES/QES envelopes, all authoring routes refuse mutations once the envelope leaves DRAFT. This locks the PDF before any recipient begins Strong Customer Authentication, closing the PDF-swap window that would otherwise allow an owner to replace the PDF between view and sign and break the legal "what you see is what you sign" guarantee.
+
+In practice: edit envelope, recipients, fields, and items freely while DRAFT; once sent, no changes are accepted (including from the API).
+
+### Sequential signing only
+
+Parallel signing produces conflicting incremental updates over the same base PDF, breaking the per-recipient `/ByteRange` invariant. The signing order is forced to `SEQUENTIAL` on AES/QES envelopes — at the schema layer, at send time, and in the UI (the parallel-signing toggle is hidden).
+
+### Assistant role and Dictate Next Signer disabled
+
+Both features modify the recipient set after the envelope is sent, which is incompatible with the AES/QES mutation lock. They are hidden in the UI and rejected at the server schema layer.
+
+### Sidecar PDFs at download
+
+The signed PDF must remain byte-identical to what each recipient's TSP signature authorised — Documenso cannot decorate it after signing. Audit logs and the Certificate of Completion are generated on demand and delivered as separate PDFs:
+
+- `GET /sign/{token}/download` returns the signed PDF only (or a ZIP for multi-item envelopes).
+- `GET /sign/{token}/download?version=bundle` returns a ZIP containing the signed PDFs, audit log PDF, and Certificate of Completion.
+- The completion email attaches all three.
+
+## Recipient Flow
+
+For context when supporting end users, here is what a recipient experiences on an AES/QES envelope:
+
+1. Opens the email link, lands on the signing page.
+2. Documenso redirects to the TSP for Strong Customer Authentication (first visit only; cached for the session lifetime).
+3. Fills fields as normal.
+4. Clicks Sign → redirected to the TSP for a second authentication round (issues a per-document Signature Activation Data token).
+5. Returns to Documenso; the signing call completes within ~15 seconds.
+6. Sees the standard completion screen.
+
+If the TSP returns no eligible credentials for the recipient (e.g. they have not enrolled), they see a blocking page directing them to enrol with the TSP and retry.
+
+## Error Codes
+
+CSC-specific error codes surfaced through the standard error channels:
+
+| Code                       | Meaning                                          | Recovery                                                                |
+| -------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------- |
+| `CSC_UNLICENSED`           | License flag absent at transport-create          | Operator: enable Enterprise Edition, restart                            |
+| `CSC_PROVIDER_INFO_FAILED` | `info` discovery failed at startup               | Operator: check TSP availability and `NEXT_PRIVATE_SIGNING_CSC_PROVIDER_BASE_URL` |
+| `CSC_PROVIDER_NO_TSA`      | `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY` is unset | Operator: configure `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY`        |
+| `CSC_CREDENTIAL_LIST_EMPTY`| TSP returned no credentials for the user         | Recipient: enrol with the TSP                                           |
+| `CSC_CERT_INVALID`         | Certificate refused at credential validation     | Recipient: contact the TSP                                              |
+| `CSC_ALGORITHM_REFUSED`    | Signature algorithm fails policy                 | Operator/recipient: TSP does not meet policy (see below)                |
+| `CSC_SAD_EXPIRED_PRE_SIGN` | Signature Activation Data expired before signing | Recipient: retry from Sign                                              |
+| `CSC_TSP_TIMEOUT`          | 15-second synchronous timeout reached            | Recipient: retry (idempotent — the TSP enforces single-use SAD binding) |
+| `CSC_EMBED_FAILED`         | Sign-time digest diverged from prep capture      | Recipient: retry from Sign                                              |
+| `CSC_BASE_DOCUMENT_MUTATED`| Document data changed between prep and sign      | Operator: investigate (structural guard violation)                      |
+| `CSC_INSTANCE_MODE_MISMATCH`| Envelope created with wrong level for transport | Caller: use a level matching the instance transport                     |
+| `CSC_REQUEST_FAILED`       | TSP HTTP transport failure — network error, non-2xx, or malformed response | Operator: check TSP availability; carries the TSP HTTP status and error in the message |
+
+## Algorithm Policy
+
+Documenso refuses TSP credentials that do not meet the following minimums, at the OAuth callback boundary and again at sign time:
+
+| Class | Allowed                            | Refused                                                |
+| ----- | ---------------------------------- | ------------------------------------------------------ |
+| RSA   | `key.len >= 2048`                  | Missing `key.len`, `key.len < 2048`                    |
+| ECDSA | P-256, P-384, P-521                | Missing `key.curve`, P-192, P-224, other curves        |
+| Hash  | SHA-256, SHA-384, SHA-512          | SHA-1, MD5                                             |
+| Other | —                                  | DSA                                                    |
+
+This is the union of CSC v1.0.4.0 §11.5 requirements and current cryptographic guidance.
+
+## Related
+
+- [Signature Levels](/docs/compliance/signature-levels) — AES / QES legal framework
+- [Signing Certificate](/docs/self-hosting/configuration/signing-certificate) — overview of all signing transports
+- [Environment Variables](/docs/self-hosting/configuration/environment) — full env reference
+- [Enterprise Edition](/docs/policies/enterprise-edition) — license requirements
@@ -24,6 +24,11 @@ Self-hosted Documenso instances require a signing certificate. You can generate
    description="Hardware-based key protection with Google Cloud KMS."
    href="/docs/self-hosting/configuration/signing-certificate/google-cloud-hsm"
  />
+  <Card
+    title="CSC (AES / QES)"
+    description="Route signing through a third-party Trust Service Provider for Advanced and Qualified Electronic Signatures."
+    href="/docs/self-hosting/configuration/signing-certificate/csc-qes"
+  />
  <Card
    title="Timestamp Server"
    description="Add trusted timestamps and customise signature appearance."
@@ -38,7 +43,7 @@ Self-hosted Documenso instances require a signing certificate. You can generate

 ## Certificate Options

-<Tabs items={['Self-Signed', 'CA-Issued', 'Google Cloud HSM']}>
+<Tabs items={['Self-Signed', 'CA-Issued', 'Google Cloud HSM', 'CSC (AES / QES)']}>
 <Tab value="Self-Signed">

 A self-signed certificate is sufficient for most use cases where your industry has no special signing regulations.
@@ -79,6 +84,18 @@ For organisations requiring hardware-based key protection, Documenso supports Go

 See [Google Cloud HSM](/docs/self-hosting/configuration/signing-certificate/google-cloud-hsm) for setup instructions.

+</Tab>
+<Tab value="CSC (AES / QES)">
+
+For Advanced and Qualified Electronic Signatures under eIDAS, Documenso integrates with third-party Trust Service Providers via the Cloud Signature Consortium API. Each recipient authenticates directly with the TSP, which holds the private key and issues the signature.
+
+- Per-recipient identity verification by an accredited TSP
+- Legally equivalent to a handwritten signature within the EU (QES)
+- Requires an [Enterprise Edition](/docs/policies/enterprise-edition) license
+- Instance-wide setting; one CSC provider per Documenso install
+
+See [CSC (AES / QES)](/docs/self-hosting/configuration/signing-certificate/csc-qes) for setup instructions.
+
 </Tab>
 </Tabs>

@@ -1,4 +1,4 @@
 {
  "title": "Signing Certificate",
-  "pages": ["...index", "local", "google-cloud-hsm", "timestamp-server", "troubleshooting"]
+  "pages": ["...index", "local", "google-cloud-hsm", "csc-qes", "timestamp-server", "troubleshooting"]
 }
@@ -235,7 +235,7 @@ spec:
 ```

 <Callout type="info">
-  Pin to a specific image tag (e.g., `documenso/documenso:1.5.0`) in production instead of `latest`
+  Pin to a specific image tag (e.g., `documenso/documenso:<version>`) in production instead of `latest`
  to ensure predictable deployments.
 </Callout>

@@ -14,8 +14,8 @@ import { Step, Steps } from 'fumadocs-ui/components/steps';

 ## Prerequisites

- Node.js 20 or later
- npm
+- Node.js 22 or later
+- npm 11 or later
 - PostgreSQL 14 or later
 - A Linux server (for systemd service setup)

@@ -124,12 +124,16 @@ docker compose -f docker/development/compose.yml exec database \

 The quick start setup runs the following containers:

-| Container   | Purpose                          | Port  |
-| ----------- | -------------------------------- | ----- |
-| `documenso` | Main application                 | 3000  |
-| `database`  | PostgreSQL database              | 54320 |
-| `maildev`   | Local email testing server       | 2500  |
-| `minio`     | S3-compatible storage (optional) | 9000  |
+| Container   | Purpose                              | Port                          |
+| ----------- | ------------------------------------ | ----------------------------- |
+| `documenso` | Main application                     | 3000                          |
+| `database`  | PostgreSQL database                  | 54320                         |
+| `inbucket`  | Local email testing server           | 9000 (web UI), 2500 (SMTP)    |
+| `redis`     | Cache and background job queue       | 63790                         |
+| `minio`     | S3-compatible storage                | 9002 (API), 9001 (console)    |
+| `gotenberg` | Document conversion (optional)       | 3005                          |
+
+The local email server is [Inbucket](https://www.inbucket.org/). Open its web UI at [http://localhost:9000](http://localhost:9000) to view emails Documenso sends during development. For your own deployment you can use any SMTP-compatible mailserver, such as Inbucket, [Mailpit](https://github.com/axllent/mailpit), or [Mailhog](https://github.com/mailhog/MailHog).

 ## Useful Commands

@@ -141,8 +141,8 @@ If building from source (not using Docker images):

 | Requirement | Version |
 | ----------- | ------- |
-| Node.js     | 18+     |
-| npm         | 8+      |
+| Node.js     | 22+     |
+| npm         | 11+     |

 ---

@@ -169,7 +169,7 @@ Documenso runs on:
 | MySQL/MariaDB  | PostgreSQL-specific features required |
 | SQLite         | Not suitable for production workloads |
 | MongoDB        | Relational database required          |
-| Node.js < 18   | Modern JavaScript features required   |
+| Node.js < 22   | Modern JavaScript features required   |

 ---

@@ -92,7 +92,7 @@ Use a specific version tag in production:

 ```bash
 # Good — predictable, reproducible
-docker pull documenso/documenso:1.8.0
+docker pull documenso/documenso:<version>

 # Risky — may pull breaking changes
 docker pull documenso/documenso:latest
@@ -27,6 +27,14 @@ import { Callout } from 'fumadocs-ui/components/callout';
  Please see all the [requirements](/docs/self-hosting/getting-started/requirements) before proceeding.
 </Callout>

+<Callout type="warn">
+  **You are responsible for your own network security.** Documenso applies best-effort, non-exhaustive
+  checks to outbound requests such as webhooks, but these are not a complete SSRF mitigation and they
+  fail open. A self-hosted instance can reach internal addresses on your network. Restricting outbound
+  traffic, egress filtering, and blocking access to internal services and cloud metadata endpoints is
+  your responsibility through your firewall and network configuration.
+</Callout>
+
 ---

 ## Deployment Options
@@ -165,10 +165,10 @@ See [Backups](/docs/self-hosting/maintenance/backups) for automated backup strat
 ### Pull the new image

 ```bash
-docker pull documenso/documenso:1.6.0
+docker pull documenso/documenso:<version>
 ```

-Replace `1.6.0` with your target version.
+Replace `<version>` with your target version.

 </Step>
 <Step>
@@ -189,7 +189,7 @@ docker run -d \
  -p 3000:3000 \
  --env-file .env \
  -v /path/to/cert.p12:/opt/documenso/cert.p12:ro \
-  documenso/documenso:1.6.0
+  documenso/documenso:<version>
 ```

 </Step>
@@ -223,14 +223,14 @@ Edit `compose.yml` or your `.env` file to specify the new version:
 ```yaml
 services:
  documenso:
-    image: documenso/documenso:1.6.0
+    image: documenso/documenso:<version>
 ```

 Or if using environment variable substitution:

 ```bash
 # In .env
-DOCUMENSO_VERSION=1.6.0
+DOCUMENSO_VERSION=<version>
 ```

 ```yaml
@@ -283,7 +283,7 @@ Edit the deployment directly:

 ```bash
 kubectl set image deployment/documenso \
-  documenso=documenso/documenso:1.6.0 \
+  documenso=documenso/documenso:<version> \
  -n documenso
 ```

@@ -295,7 +295,7 @@ spec:
    spec:
      containers:
        - name: documenso
-          image: documenso/documenso:1.6.0
+          image: documenso/documenso:<version>
 ```

 Then apply:
@@ -421,12 +421,12 @@ To run migrations manually before upgrading:

 ```bash
 # Pull the new image
-docker pull documenso/documenso:1.6.0
+docker pull documenso/documenso:<version>

 # Run migrations only
 docker run --rm \
  -e NEXT_PRIVATE_DATABASE_URL="postgresql://user:password@host:5432/documenso" \
-  documenso/documenso:1.6.0 \
+  documenso/documenso:<version> \
  npx prisma migrate deploy
 ```

@@ -516,7 +516,7 @@ docker run -d \
  -p 3000:3000 \
  --env-file .env \
  -v /path/to/cert.p12:/opt/documenso/cert.p12:ro \
-  documenso/documenso:1.5.0
+  documenso/documenso:<previous-version>
 ```

 </Tab>
@@ -1,22 +0,0 @@
-FROM node:20-alpine AS development-dependencies-env
-COPY . /app
-WORKDIR /app
-RUN npm ci
-
-FROM node:20-alpine AS production-dependencies-env
-COPY ./package.json package-lock.json /app/
-WORKDIR /app
-RUN npm ci --omit=dev
-
-FROM node:20-alpine AS build-env
-COPY . /app/
-COPY --from=development-dependencies-env /app/node_modules /app/node_modules
-WORKDIR /app
-RUN npm run build
-
-FROM node:20-alpine
-COPY ./package.json package-lock.json /app/
-COPY --from=production-dependencies-env /app/node_modules /app/node_modules
-COPY --from=build-env /app/build /app/build
-WORKDIR /app
-CMD ["npm", "run", "start"]
@@ -1,100 +1,14 @@
-# Welcome to React Router!
+# @documenso/remix

-A modern, production-ready template for building full-stack React applications using React Router.
+The main Documenso web application. Built with [React Router v7](https://reactrouter.com/) and served by a [Hono](https://hono.dev/) server.

-[![Open in StackBlitz](https://developer.stackblitz.com/img/open_in_stackblitz.svg)](https://stackblitz.com/github/remix-run/react-router-templates/tree/main/default)
+This package is part of the Documenso monorepo and is not meant to be run standalone. Use the root scripts instead.

-## Features
-
- 🚀 Server-side rendering
- ⚡️ Hot Module Replacement (HMR)
- 📦 Asset bundling and optimization
- 🔄 Data loading and mutations
- 🔒 TypeScript by default
- 🎉 TailwindCSS for styling
- 📖 [React Router docs](https://reactrouter.com/)
-
-## Getting Started
-
-### Installation
-
-Install the dependencies:
-
-```bash
-npm install
-```
-
-### Development
-
-Start the development server with HMR:
+- Local development: see the [root README](../../README.md) and the [Local Development docs](https://docs.documenso.com/docs/developers/local-development).
+- Self-hosting and deployment: see the [Self-Hosting docs](https://docs.documenso.com/docs/self-hosting).
+- Architecture overview: see [ARCHITECTURE.md](../../ARCHITECTURE.md).

 ```bash
+# From the monorepo root
 npm run dev
 ```
-
-Your application will be available at `http://localhost:5173`.
-
-## Building for Production
-
-Create a production build:
-
-```bash
-npm run build
-```
-
-## Deployment
-
-### Docker Deployment
-
-This template includes three Dockerfiles optimized for different package managers:
-
- `Dockerfile` - for npm
- `Dockerfile.pnpm` - for pnpm
- `Dockerfile.bun` - for bun
-
-To build and run using Docker:
-
-```bash
-# For npm
-docker build -t my-app .
-
-# For pnpm
-docker build -f Dockerfile.pnpm -t my-app .
-
-# For bun
-docker build -f Dockerfile.bun -t my-app .
-
-# Run the container
-docker run -p 3000:3000 my-app
-```
-
-The containerized application can be deployed to any platform that supports Docker, including:
-
- AWS ECS
- Google Cloud Run
- Azure Container Apps
- Digital Ocean App Platform
- Fly.io
- Railway
-
-### DIY Deployment
-
-If you're familiar with deploying Node applications, the built-in app server is production-ready.
-
-Make sure to deploy the output of `npm run build`
-
-```
-├── package.json
-├── package-lock.json (or pnpm-lock.yaml, or bun.lockb)
-├── build/
-│   ├── client/    # Static assets
-│   └── server/    # Server-side code
-```
-
-## Styling
-
-This template comes with [Tailwind CSS](https://tailwindcss.com/) already configured for a simple default starting experience. You can use whatever CSS framework you prefer.
-
---
-
-Built with ❤️ using React Router.
@@ -1,243 +0,0 @@
-import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
-import { FolderType } from '@documenso/lib/types/folder-type';
-import { formatDocumentsPath } from '@documenso/lib/utils/teams';
-import { trpc } from '@documenso/trpc/react';
-import { Button } from '@documenso/ui/primitives/button';
-import {
-  Dialog,
-  DialogContent,
-  DialogDescription,
-  DialogFooter,
-  DialogHeader,
-  DialogTitle,
-} from '@documenso/ui/primitives/dialog';
-import { Form, FormControl, FormField, FormItem, FormLabel, FormMessage } from '@documenso/ui/primitives/form/form';
-import { Input } from '@documenso/ui/primitives/input';
-import { useToast } from '@documenso/ui/primitives/use-toast';
-import { zodResolver } from '@hookform/resolvers/zod';
-import { msg } from '@lingui/core/macro';
-import { useLingui } from '@lingui/react';
-import { Trans } from '@lingui/react/macro';
-import type * as DialogPrimitive from '@radix-ui/react-dialog';
-import { FolderIcon, HomeIcon, Loader2, Search } from 'lucide-react';
-import { useEffect, useState } from 'react';
-import { useForm } from 'react-hook-form';
-import { useNavigate } from 'react-router';
-import { z } from 'zod';
-
-import { useCurrentTeam } from '~/providers/team';
-
-export type DocumentMoveToFolderDialogProps = {
-  documentId: number;
-  open: boolean;
-  onOpenChange: (open: boolean) => void;
-  currentFolderId?: string;
-} & Omit<DialogPrimitive.DialogProps, 'children'>;
-
-const ZMoveDocumentFormSchema = z.object({
-  folderId: z.string().nullable().optional(),
-});
-
-type TMoveDocumentFormSchema = z.infer<typeof ZMoveDocumentFormSchema>;
-
-export const DocumentMoveToFolderDialog = ({
-  documentId,
-  open,
-  onOpenChange,
-  currentFolderId,
-  ...props
-}: DocumentMoveToFolderDialogProps) => {
-  const { _ } = useLingui();
-  const { toast } = useToast();
-
-  const navigate = useNavigate();
-  const team = useCurrentTeam();
-
-  const [searchTerm, setSearchTerm] = useState('');
-
-  const form = useForm<TMoveDocumentFormSchema>({
-    resolver: zodResolver(ZMoveDocumentFormSchema),
-    defaultValues: {
-      folderId: currentFolderId,
-    },
-  });
-
-  const { data: folders, isLoading: isFoldersLoading } = trpc.folder.findFoldersInternal.useQuery(
-    {
-      parentId: currentFolderId,
-      type: FolderType.DOCUMENT,
-    },
-    {
-      enabled: open,
-    },
-  );
-
-  const { mutateAsync: updateDocument } = trpc.document.update.useMutation();
-
-  useEffect(() => {
-    if (!open) {
-      form.reset();
-      setSearchTerm('');
-    } else {
-      form.reset({ folderId: currentFolderId });
-    }
-  }, [open, currentFolderId, form]);
-
-  const onSubmit = async (data: TMoveDocumentFormSchema) => {
-    try {
-      await updateDocument({
-        documentId,
-        data: {
-          folderId: data.folderId ?? null,
-        },
-      });
-
-      const documentsPath = formatDocumentsPath(team.url);
-
-      if (data.folderId) {
-        await navigate(`${documentsPath}/f/${data.folderId}`);
-      } else {
-        await navigate(documentsPath);
-      }
-
-      toast({
-        title: _(msg`Document moved`),
-        description: _(msg`The document has been moved successfully.`),
-        variant: 'default',
-      });
-
-      onOpenChange(false);
-    } catch (err) {
-      const error = AppError.parseError(err);
-
-      if (error.code === AppErrorCode.NOT_FOUND) {
-        toast({
-          title: _(msg`Error`),
-          description: _(msg`The folder you are trying to move the document to does not exist.`),
-          variant: 'destructive',
-        });
-
-        return;
-      }
-
-      if (error.code === AppErrorCode.UNAUTHORIZED) {
-        toast({
-          title: _(msg`Error`),
-          description: _(msg`You are not allowed to move this document.`),
-          variant: 'destructive',
-        });
-
-        return;
-      }
-
-      toast({
-        title: _(msg`Error`),
-        description: _(msg`An error occurred while moving the document.`),
-        variant: 'destructive',
-      });
-    }
-  };
-
-  const filteredFolders = folders?.data.filter((folder) =>
-    folder.name.toLowerCase().includes(searchTerm.toLowerCase()),
-  );
-
-  return (
-    <Dialog {...props} open={open} onOpenChange={onOpenChange}>
-      <DialogContent>
-        <DialogHeader>
-          <DialogTitle>
-            <Trans>Move Document to Folder</Trans>
-          </DialogTitle>
-
-          <DialogDescription>
-            <Trans>Select a folder to move this document to.</Trans>
-          </DialogDescription>
-        </DialogHeader>
-
-        <div className="relative">
-          <Search className="absolute top-3 left-2 h-4 w-4 text-muted-foreground" />
-          <Input
-            placeholder={_(msg`Search folders...`)}
-            value={searchTerm}
-            onChange={(e) => setSearchTerm(e.target.value)}
-            className="pl-8"
-          />
-        </div>
-
-        <Form {...form}>
-          <form onSubmit={form.handleSubmit(onSubmit)} className="flex flex-col gap-y-4">
-            <FormField
-              control={form.control}
-              name="folderId"
-              render={({ field }) => (
-                <FormItem>
-                  <FormLabel>
-                    <Trans>Folder</Trans>
-                  </FormLabel>
-
-                  <FormControl>
-                    <div className="max-h-96 space-y-2 overflow-y-auto">
-                      {isFoldersLoading ? (
-                        <div className="flex h-10 items-center justify-center">
-                          <Loader2 className="h-4 w-4 animate-spin" />
-                        </div>
-                      ) : (
-                        <>
-                          <Button
-                            type="button"
-                            variant={field.value === null ? 'default' : 'outline'}
-                            className="w-full justify-start"
-                            onClick={() => field.onChange(null)}
-                            disabled={currentFolderId === null}
-                          >
-                            <HomeIcon className="mr-2 h-4 w-4" />
-                            <Trans>Home (No Folder)</Trans>
-                          </Button>
-
-                          {filteredFolders?.map((folder) => (
-                            <Button
-                              key={folder.id}
-                              type="button"
-                              variant={field.value === folder.id ? 'default' : 'outline'}
-                              className="w-full justify-start"
-                              onClick={() => field.onChange(folder.id)}
-                              disabled={currentFolderId === folder.id}
-                            >
-                              <FolderIcon className="mr-2 h-4 w-4" />
-                              {folder.name}
-                            </Button>
-                          ))}
-
-                          {searchTerm && filteredFolders?.length === 0 && (
-                            <div className="px-2 py-2 text-center text-muted-foreground text-sm">
-                              <Trans>No folders found</Trans>
-                            </div>
-                          )}
-                        </>
-                      )}
-                    </div>
-                  </FormControl>
-                  <FormMessage />
-                </FormItem>
-              )}
-            />
-
-            <DialogFooter>
-              <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-                <Trans>Cancel</Trans>
-              </Button>
-
-              <Button
-                type="submit"
-                disabled={isFoldersLoading || form.formState.isSubmitting || currentFolderId === null}
-              >
-                <Trans>Move</Trans>
-              </Button>
-            </DialogFooter>
-          </form>
-        </Form>
-      </DialogContent>
-    </Dialog>
-  );
-};
@@ -0,0 +1,144 @@
+import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import {
+  Dialog,
+  DialogClose,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from '@documenso/ui/primitives/dialog';
+import { Trans } from '@lingui/react/macro';
+import { useState } from 'react';
+
+export type DocumentPreferencesResetDialogProps = {
+  disabled?: boolean;
+  isSubmitting: boolean;
+  onReset: () => Promise<void>;
+  showAiFeatures?: boolean;
+  showDocumentVisibility?: boolean;
+  showIncludeSenderDetails?: boolean;
+  trigger?: React.ReactNode;
+};
+
+export const DocumentPreferencesResetDialog = ({
+  disabled = false,
+  isSubmitting,
+  onReset,
+  showAiFeatures = false,
+  showDocumentVisibility = false,
+  showIncludeSenderDetails = false,
+  trigger,
+}: DocumentPreferencesResetDialogProps) => {
+  const [open, setOpen] = useState(false);
+  const [isResetting, setIsResetting] = useState(false);
+
+  const isLoading = isSubmitting || isResetting;
+
+  const handleResetToDefaults = async () => {
+    setIsResetting(true);
+
+    try {
+      await onReset();
+      setOpen(false);
+    } finally {
+      setIsResetting(false);
+    }
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={(value) => !isLoading && setOpen(value)}>
+      <DialogTrigger asChild>
+        {trigger ?? (
+          <Button variant="destructive" type="button" disabled={disabled || isLoading}>
+            <Trans>Reset</Trans>
+          </Button>
+        )}
+      </DialogTrigger>
+
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>
+            <Trans>Reset document preferences</Trans>
+          </DialogTitle>
+
+          <DialogDescription>
+            <Trans>
+              This will reset all document preferences to their default values and save the changes immediately.
+            </Trans>
+          </DialogDescription>
+        </DialogHeader>
+
+        <Alert variant="warning">
+          <AlertDescription>
+            <p>
+              <Trans>Once confirmed, the following will be reset:</Trans>
+            </p>
+
+            <ul className="mt-0.5 list-inside list-disc">
+              {showDocumentVisibility && (
+                <li>
+                  <Trans>Default document visibility</Trans>
+                </li>
+              )}
+              <li>
+                <Trans>Default document language</Trans>
+              </li>
+              <li>
+                <Trans>Default date format</Trans>
+              </li>
+              <li>
+                <Trans>Default time zone</Trans>
+              </li>
+              <li>
+                <Trans>Default signature settings</Trans>
+              </li>
+              {showIncludeSenderDetails && (
+                <li>
+                  <Trans>Send on behalf of team</Trans>
+                </li>
+              )}
+              <li>
+                <Trans>Include the signing certificate in the document</Trans>
+              </li>
+              <li>
+                <Trans>Include the audit logs in the document</Trans>
+              </li>
+              <li>
+                <Trans>Default recipients</Trans>
+              </li>
+              <li>
+                <Trans>Delegate document ownership</Trans>
+              </li>
+              <li>
+                <Trans>Default envelope expiration</Trans>
+              </li>
+              <li>
+                <Trans>Default signing reminders</Trans>
+              </li>
+              {showAiFeatures && (
+                <li>
+                  <Trans>AI features</Trans>
+                </li>
+              )}
+            </ul>
+          </AlertDescription>
+        </Alert>
+
+        <DialogFooter>
+          <DialogClose asChild>
+            <Button type="button" variant="secondary" disabled={isLoading}>
+              <Trans>Cancel</Trans>
+            </Button>
+          </DialogClose>
+
+          <Button type="button" variant="destructive" loading={isLoading} onClick={() => void handleResetToDefaults()}>
+            <Trans>Reset to defaults</Trans>
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+};
@@ -1,203 +0,0 @@
-import { useSession } from '@documenso/lib/client-only/providers/session';
-import { getRecipientType } from '@documenso/lib/client-only/recipient-type';
-import { AppError } from '@documenso/lib/errors/app-error';
-import type { TRecipientLite } from '@documenso/lib/types/recipient';
-import { recipientAbbreviation } from '@documenso/lib/utils/recipient-formatter';
-import type { Document } from '@documenso/prisma/types/document-legacy-schema';
-import { trpc as trpcReact } from '@documenso/trpc/react';
-import { cn } from '@documenso/ui/lib/utils';
-import { Button } from '@documenso/ui/primitives/button';
-import { Checkbox } from '@documenso/ui/primitives/checkbox';
-import {
-  Dialog,
-  DialogClose,
-  DialogContent,
-  DialogFooter,
-  DialogHeader,
-  DialogTitle,
-  DialogTrigger,
-} from '@documenso/ui/primitives/dialog';
-import { DropdownMenuItem } from '@documenso/ui/primitives/dropdown-menu';
-import { Form, FormControl, FormField, FormItem, FormLabel } from '@documenso/ui/primitives/form/form';
-import { useToast } from '@documenso/ui/primitives/use-toast';
-import { zodResolver } from '@hookform/resolvers/zod';
-import { msg } from '@lingui/core/macro';
-import { useLingui } from '@lingui/react';
-import { Trans } from '@lingui/react/macro';
-import { SigningStatus, type Team, type User } from '@prisma/client';
-import { History } from 'lucide-react';
-import { useState } from 'react';
-import { useForm, useWatch } from 'react-hook-form';
-import * as z from 'zod';
-
-import { useCurrentTeam } from '~/providers/team';
-import { getDistributeErrorMessage } from '~/utils/toast-error-messages';
-
-import { StackAvatar } from '../general/stack-avatar';
-
-const FORM_ID = 'resend-email';
-
-export type DocumentResendDialogProps = {
-  document: Pick<Document, 'id' | 'userId' | 'teamId' | 'status'> & {
-    user: Pick<User, 'id' | 'name' | 'email'>;
-    recipients: TRecipientLite[];
-    team: Pick<Team, 'id' | 'url'> | null;
-  };
-  recipients: TRecipientLite[];
-};
-
-export const ZResendDocumentFormSchema = z.object({
-  recipients: z.array(z.number()).min(1, {
-    message: 'You must select at least one item.',
-  }),
-});
-
-export type TResendDocumentFormSchema = z.infer<typeof ZResendDocumentFormSchema>;
-
-export const DocumentResendDialog = ({ document, recipients }: DocumentResendDialogProps) => {
-  const { user } = useSession();
-  const team = useCurrentTeam();
-
-  const { toast } = useToast();
-  const { _ } = useLingui();
-
-  const [isOpen, setIsOpen] = useState(false);
-  const isOwner = document.userId === user.id;
-  const isCurrentTeamDocument = team && document.team?.url === team.url;
-
-  const isDisabled =
-    (!isOwner && !isCurrentTeamDocument) ||
-    document.status !== 'PENDING' ||
-    !recipients.some((r) => r.signingStatus === SigningStatus.NOT_SIGNED);
-
-  const { mutateAsync: resendDocument } = trpcReact.document.redistribute.useMutation();
-
-  const form = useForm<TResendDocumentFormSchema>({
-    resolver: zodResolver(ZResendDocumentFormSchema),
-    defaultValues: {
-      recipients: [],
-    },
-  });
-
-  const {
-    handleSubmit,
-    formState: { isSubmitting },
-  } = form;
-
-  const selectedRecipients = useWatch({
-    control: form.control,
-    name: 'recipients',
-  });
-
-  const onFormSubmit = async ({ recipients }: TResendDocumentFormSchema) => {
-    try {
-      await resendDocument({ documentId: document.id, recipients });
-
-      toast({
-        title: _(msg`Document re-sent`),
-        description: _(msg`Your document has been re-sent successfully.`),
-        duration: 5000,
-      });
-
-      setIsOpen(false);
-    } catch (err) {
-      const error = AppError.parseError(err);
-      const errorMessage = getDistributeErrorMessage(error.code);
-
-      toast({
-        title: _(errorMessage.title),
-        description: _(errorMessage.description),
-        variant: 'destructive',
-        duration: 7500,
-      });
-    }
-  };
-
-  return (
-    <Dialog open={isOpen} onOpenChange={setIsOpen}>
-      <DialogTrigger asChild>
-        <DropdownMenuItem disabled={isDisabled} onSelect={(e) => e.preventDefault()}>
-          <History className="mr-2 h-4 w-4" />
-          <Trans>Resend</Trans>
-        </DropdownMenuItem>
-      </DialogTrigger>
-
-      <DialogContent className="sm:max-w-sm" hideClose>
-        <DialogHeader>
-          <DialogTitle asChild>
-            <h1 className="text-center text-xl">
-              <Trans>Who do you want to remind?</Trans>
-            </h1>
-          </DialogTitle>
-        </DialogHeader>
-
-        <Form {...form}>
-          <form id={FORM_ID} onSubmit={handleSubmit(onFormSubmit)} className="px-3">
-            <FormField
-              control={form.control}
-              name="recipients"
-              render={({ field: { value, onChange } }) => (
-                <>
-                  {recipients.map((recipient) => (
-                    <FormItem key={recipient.id} className="flex flex-row items-center justify-between gap-x-3">
-                      <FormLabel
-                        className={cn('my-2 flex items-center gap-2 font-normal', {
-                          'opacity-50': !value.includes(recipient.id),
-                        })}
-                      >
-                        <StackAvatar
-                          key={recipient.id}
-                          type={getRecipientType(recipient)}
-                          fallbackText={recipientAbbreviation(recipient)}
-                        />
-                        {recipient.email}
-                      </FormLabel>
-
-                      <FormControl>
-                        <Checkbox
-                          className="h-5 w-5 rounded-full border border-neutral-400"
-                          value={recipient.id}
-                          checked={value.includes(recipient.id)}
-                          onCheckedChange={(checked: boolean) =>
-                            checked
-                              ? onChange([...value, recipient.id])
-                              : onChange(value.filter((v) => v !== recipient.id))
-                          }
-                        />
-                      </FormControl>
-                    </FormItem>
-                  ))}
-                </>
-              )}
-            />
-          </form>
-        </Form>
-
-        <DialogFooter>
-          <div className="flex w-full flex-1 flex-nowrap gap-4">
-            <DialogClose asChild>
-              <Button
-                type="button"
-                className="flex-1 bg-black/5 hover:bg-black/10 dark:bg-muted dark:hover:bg-muted/80"
-                variant="secondary"
-                disabled={isSubmitting}
-              >
-                <Trans>Cancel</Trans>
-              </Button>
-            </DialogClose>
-
-            <Button
-              className="flex-1"
-              loading={isSubmitting}
-              type="submit"
-              form={FORM_ID}
-              disabled={isSubmitting || selectedRecipients.length === 0}
-            >
-              <Trans>Send reminder</Trans>
-            </Button>
-          </div>
-        </DialogFooter>
-      </DialogContent>
-    </Dialog>
-  );
-};
@@ -0,0 +1,134 @@
+import { trpc as trpcReact } from '@documenso/trpc/react';
+import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import {
+  Dialog,
+  DialogClose,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from '@documenso/ui/primitives/dialog';
+import { Label } from '@documenso/ui/primitives/label';
+import { Textarea } from '@documenso/ui/primitives/textarea';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+import { Trans, useLingui } from '@lingui/react/macro';
+import { useEffect, useState } from 'react';
+
+export type EnvelopeCancelDialogProps = {
+  id: string;
+  title: string;
+  trigger?: React.ReactNode;
+  onCancel?: () => Promise<void> | void;
+};
+
+export const EnvelopeCancelDialog = ({ id, title, trigger, onCancel }: EnvelopeCancelDialogProps) => {
+  const { toast } = useToast();
+  const { t } = useLingui();
+  const trpcUtils = trpcReact.useUtils();
+
+  const [open, setOpen] = useState(false);
+  const [reason, setReason] = useState('');
+
+  const { mutateAsync: cancelEnvelope, isPending } = trpcReact.envelope.cancel.useMutation({
+    onSuccess: async () => {
+      toast({
+        title: t`Document cancelled`,
+        description: t`"${title}" has been successfully cancelled`,
+        duration: 5000,
+      });
+
+      await trpcUtils.document.findDocumentsInternal.invalidate();
+
+      await onCancel?.();
+
+      setOpen(false);
+    },
+    onError: () => {
+      toast({
+        title: t`Something went wrong`,
+        description: t`This document could not be cancelled at this time. Please try again.`,
+        variant: 'destructive',
+        duration: 7500,
+      });
+    },
+  });
+
+  useEffect(() => {
+    if (open) {
+      setReason('');
+    }
+  }, [open]);
+
+  return (
+    <Dialog open={open} onOpenChange={(value) => !isPending && setOpen(value)}>
+      <DialogTrigger asChild>{trigger}</DialogTrigger>
+
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>
+            <Trans>Are you sure?</Trans>
+          </DialogTitle>
+
+          <DialogDescription>
+            <Trans>
+              You are about to cancel <strong>"{title}"</strong>
+            </Trans>
+          </DialogDescription>
+        </DialogHeader>
+
+        <Alert variant="warning" className="-mt-1">
+          <AlertDescription>
+            <p>
+              <Trans>Once confirmed, the following will occur:</Trans>
+            </p>
+
+            <ul className="mt-0.5 list-inside list-disc">
+              <li>
+                <Trans>The document signing process will be stopped</Trans>
+              </li>
+              <li>
+                <Trans>Recipients will be notified that the document was cancelled</Trans>
+              </li>
+              <li>
+                <Trans>The document will remain in your dashboard marked as Cancelled</Trans>
+              </li>
+            </ul>
+          </AlertDescription>
+        </Alert>
+
+        <div className="flex flex-col gap-2">
+          <Label htmlFor="cancel-reason">
+            <Trans>Reason (optional)</Trans>
+          </Label>
+
+          <Textarea
+            id="cancel-reason"
+            value={reason}
+            onChange={(event) => setReason(event.target.value)}
+            placeholder={t`Add an optional reason for cancelling this document`}
+          />
+        </div>
+
+        <DialogFooter>
+          <DialogClose asChild>
+            <Button type="button" variant="secondary" disabled={isPending}>
+              <Trans>Cancel</Trans>
+            </Button>
+          </DialogClose>
+
+          <Button
+            type="button"
+            loading={isPending}
+            onClick={() => void cancelEnvelope({ envelopeId: id, reason: reason || undefined })}
+            variant="destructive"
+          >
+            <Trans>Cancel document</Trans>
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+};
@@ -166,7 +166,7 @@ export const EnvelopeDeleteDialog = ({
                  </ul>
                </AlertDescription>
              ))
-              .with(P.union(DocumentStatus.COMPLETED, DocumentStatus.REJECTED), () => (
+              .with(P.union(DocumentStatus.COMPLETED, DocumentStatus.REJECTED, DocumentStatus.CANCELLED), () => (
                <AlertDescription>
                  <p>
                    <Trans>By deleting this document, the following will occur:</Trans>
@@ -3,12 +3,13 @@ import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/org
 import { DO_NOT_INVALIDATE_QUERY_ON_MUTATION } from '@documenso/lib/constants/trpc';
 import { AppError } from '@documenso/lib/errors/app-error';
 import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
+import { hasOverlappingFields } from '@documenso/lib/utils/fields-overlap';
 import { getRecipientsWithMissingFields } from '@documenso/lib/utils/recipients';
 import { zEmail } from '@documenso/lib/utils/zod';
 import { trpc, trpc as trpcReact } from '@documenso/trpc/react';
 import { DocumentSendEmailMessageHelper } from '@documenso/ui/components/document/document-send-email-message-helper';
 import { cn } from '@documenso/ui/lib/utils';
-import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
+import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
 import { Button } from '@documenso/ui/primitives/button';
 import {
  Dialog,
@@ -32,7 +33,7 @@ import { zodResolver } from '@hookform/resolvers/zod';
 import { Trans, useLingui } from '@lingui/react/macro';
 import { DocumentDistributionMethod, DocumentStatus, EnvelopeType } from '@prisma/client';
 import { AnimatePresence, motion } from 'framer-motion';
-import { InfoIcon } from 'lucide-react';
+import { AlertTriangleIcon, InfoIcon } from 'lucide-react';
 import { useEffect, useMemo, useState } from 'react';
 import { useForm } from 'react-hook-form';
 import { useNavigate } from 'react-router';
@@ -138,6 +139,27 @@ export const EnvelopeDistributeDialog = ({
    });
  }, [recipientsWithIndex, envelope.authOptions]);

+  /**
+   * Whether any fields significantly overlap each other. This is surfaced as a
+   * non-blocking warning since overlapping fields still allow sending, but can
+   * complicate the signing process or cause fields to behave unexpectedly.
+   */
+  const hasOverlappingEnvelopeFields = useMemo(
+    () =>
+      hasOverlappingFields(
+        envelope.fields.map((field) => ({
+          id: field.id,
+          envelopeItemId: field.envelopeItemId,
+          page: field.page,
+          positionX: Number(field.positionX),
+          positionY: Number(field.positionY),
+          width: Number(field.width),
+          height: Number(field.height),
+        })),
+      ),
+    [envelope.fields],
+  );
+
  const invalidEnvelopeCode = useMemo(() => {
    if (recipientsMissingSignatureFields.length > 0) {
      return 'MISSING_SIGNATURES';
@@ -206,6 +228,11 @@ export const EnvelopeDistributeDialog = ({
  };

  useEffect(() => {
+    // Default the distribution method tab to the envelope's configured setting.
+    if (isOpen && envelope.documentMeta) {
+      setValue('meta.distributionMethod', envelope.documentMeta.distributionMethod);
+    }
+
    // Resync the whole envelope if the envelope is mid saving.
    if (isOpen && (isAutosaving || autosaveError)) {
      void handleSync();
@@ -235,6 +262,24 @@ export const EnvelopeDistributeDialog = ({
          <Form {...form}>
            <form onSubmit={handleSubmit(onFormSubmit)}>
              <fieldset disabled={isSubmitting}>
+                {hasOverlappingEnvelopeFields && (
+                  <Alert variant="warning" className="mb-4 flex flex-row items-start gap-3">
+                    <AlertTriangleIcon className="mt-0.5 h-5 w-5 flex-shrink-0" />
+
+                    <div className="flex flex-col gap-1">
+                      <AlertTitle>
+                        <Trans>Overlapping fields detected</Trans>
+                      </AlertTitle>
+                      <AlertDescription>
+                        <Trans>
+                          Some fields are placed on top of each other. This may complicate the signing process or cause
+                          fields to not work as expected.
+                        </Trans>
+                      </AlertDescription>
+                    </div>
+                  </Alert>
+                )}
+
                <Tabs
                  onValueChange={(value) =>
                    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
@@ -1,6 +1,7 @@
 import { formatDocumentsPath, formatTemplatesPath } from '@documenso/lib/utils/teams';
 import { trpc } from '@documenso/trpc/react';
 import { Button } from '@documenso/ui/primitives/button';
+import { Checkbox } from '@documenso/ui/primitives/checkbox';
 import {
  Dialog,
  DialogClose,
@@ -11,10 +12,12 @@ import {
  DialogTitle,
  DialogTrigger,
 } from '@documenso/ui/primitives/dialog';
+import { Label } from '@documenso/ui/primitives/label';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 import { Trans, useLingui } from '@lingui/react/macro';
 import { EnvelopeType } from '@prisma/client';
 import { useState } from 'react';
+import { Controller, useForm } from 'react-hook-form';
 import { useNavigate } from 'react-router';

 import { useCurrentTeam } from '~/providers/team';
@@ -37,6 +40,15 @@ export const EnvelopeDuplicateDialog = ({ envelopeId, envelopeType, trigger }: E

  const isDocument = envelopeType === EnvelopeType.DOCUMENT;

+  const form = useForm({
+    defaultValues: {
+      includeRecipients: true,
+      includeFields: true,
+    },
+  });
+
+  const includeRecipients = form.watch('includeRecipients');
+
  const { mutateAsync: duplicateEnvelope, isPending: isDuplicating } = trpc.envelope.duplicate.useMutation({
    onSuccess: async ({ id }) => {
      toast({
@@ -55,8 +67,14 @@ export const EnvelopeDuplicateDialog = ({ envelopeId, envelopeType, trigger }: E
  });

  const onDuplicate = async () => {
+    const { includeRecipients, includeFields } = form.getValues();
+
    try {
-      await duplicateEnvelope({ envelopeId });
+      await duplicateEnvelope({
+        envelopeId,
+        includeRecipients,
+        includeFields: includeRecipients && includeFields,
+      });
    } catch {
      toast({
        title: t`Something went wrong`,
@@ -70,7 +88,20 @@ export const EnvelopeDuplicateDialog = ({ envelopeId, envelopeType, trigger }: E
  };

  return (
-    <Dialog open={open} onOpenChange={(value) => !isDuplicating && setOpen(value)}>
+    <Dialog
+      open={open}
+      onOpenChange={(value) => {
+        if (isDuplicating) {
+          return;
+        }
+
+        setOpen(value);
+
+        if (!value) {
+          form.reset();
+        }
+      }}
+    >
      {trigger && <DialogTrigger asChild>{trigger}</DialogTrigger>}

      <DialogContent>
@@ -87,6 +118,49 @@ export const EnvelopeDuplicateDialog = ({ envelopeId, envelopeType, trigger }: E
          </DialogDescription>
        </DialogHeader>

+        <div className="space-y-4">
+          <Controller
+            control={form.control}
+            name="includeRecipients"
+            render={({ field }) => (
+              <div className="flex items-center space-x-2">
+                <Checkbox
+                  id="envelopeDuplicateIncludeRecipients"
+                  checked={field.value}
+                  onCheckedChange={(checked) => {
+                    field.onChange(checked === true);
+
+                    if (!checked) {
+                      form.setValue('includeFields', false);
+                    }
+                  }}
+                />
+                <Label htmlFor="envelopeDuplicateIncludeRecipients">
+                  <Trans>Include Recipients</Trans>
+                </Label>
+              </div>
+            )}
+          />
+
+          <Controller
+            control={form.control}
+            name="includeFields"
+            render={({ field }) => (
+              <div className="flex items-center space-x-2">
+                <Checkbox
+                  id="envelopeDuplicateIncludeFields"
+                  checked={field.value}
+                  disabled={!includeRecipients}
+                  onCheckedChange={(checked) => field.onChange(checked === true)}
+                />
+                <Label htmlFor="envelopeDuplicateIncludeFields" className={!includeRecipients ? 'opacity-50' : ''}>
+                  <Trans>Include Fields</Trans>
+                </Label>
+              </div>
+            )}
+          />
+        </div>
+
        <DialogFooter>
          <DialogClose asChild>
            <Button type="button" variant="secondary" disabled={isDuplicating}>
@@ -25,14 +25,16 @@ import { Trans, useLingui } from '@lingui/react/macro';
 import { DocumentStatus, EnvelopeType, SigningStatus } from '@prisma/client';
 import { useEffect, useState } from 'react';
 import { useForm } from 'react-hook-form';
+import { match } from 'ts-pattern';
 import * as z from 'zod';
 import { getDistributeErrorMessage } from '~/utils/toast-error-messages';
 import { StackAvatar } from '../general/stack-avatar';

 export type EnvelopeRedistributeDialogProps = {
-  envelope: Pick<TEnvelope, 'id' | 'userId' | 'teamId' | 'status' | 'type' | 'documentMeta'> & {
+  envelope: Pick<TEnvelope, 'id' | 'status' | 'type'> & {
    recipients: TEnvelopeRecipientLite[];
  };
+  envelopeType?: EnvelopeType;
  trigger?: React.ReactNode;
 };

@@ -44,7 +46,7 @@ export const ZEnvelopeRedistributeFormSchema = z.object({

 export type TEnvelopeRedistributeFormSchema = z.infer<typeof ZEnvelopeRedistributeFormSchema>;

-export const EnvelopeRedistributeDialog = ({ envelope, trigger }: EnvelopeRedistributeDialogProps) => {
+export const EnvelopeRedistributeDialog = ({ envelope, envelopeType, trigger }: EnvelopeRedistributeDialogProps) => {
  const recipients = envelope.recipients;

  const { toast } = useToast();
@@ -70,9 +72,23 @@ export const EnvelopeRedistributeDialog = ({ envelope, trigger }: EnvelopeRedist
    try {
      await redistributeEnvelope({ envelopeId: envelope.id, recipients });

+      const successMessage = match(envelopeType)
+        .with(EnvelopeType.DOCUMENT, () => ({
+          title: t`Document resent`,
+          description: t`Your document has been resent successfully.`,
+        }))
+        .with(EnvelopeType.TEMPLATE, () => ({
+          title: t`Template resent`,
+          description: t`Your template has been resent successfully.`,
+        }))
+        .otherwise(() => ({
+          title: t`Envelope resent`,
+          description: t`Your envelope has been resent successfully.`,
+        }));
+
      toast({
-        title: t`Envelope resent`,
-        description: t`Your envelope has been resent successfully.`,
+        title: successMessage.title,
+        description: successMessage.description,
        duration: 5000,
      });

@@ -0,0 +1,159 @@
+import { trpc } from '@documenso/trpc/react';
+import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from '@documenso/ui/primitives/dialog';
+import { Label } from '@documenso/ui/primitives/label';
+import { Textarea } from '@documenso/ui/primitives/textarea';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+import { plural } from '@lingui/core/macro';
+import { Plural, Trans, useLingui } from '@lingui/react/macro';
+import type * as DialogPrimitive from '@radix-ui/react-dialog';
+import { useEffect, useState } from 'react';
+
+export type EnvelopesBulkCancelDialogProps = {
+  envelopeIds: string[];
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  onSuccess?: () => void;
+} & Omit<DialogPrimitive.DialogProps, 'children'>;
+
+export const EnvelopesBulkCancelDialog = ({
+  envelopeIds,
+  open,
+  onOpenChange,
+  onSuccess,
+  ...props
+}: EnvelopesBulkCancelDialogProps) => {
+  const { t } = useLingui();
+  const { toast } = useToast();
+
+  const trpcUtils = trpc.useUtils();
+
+  const [reason, setReason] = useState('');
+
+  useEffect(() => {
+    if (open) {
+      setReason('');
+    }
+  }, [open]);
+
+  const { mutateAsync: bulkCancelEnvelopes, isPending } = trpc.envelope.bulk.cancel.useMutation({
+    onSuccess: async (result) => {
+      await trpcUtils.document.findDocumentsInternal.invalidate();
+
+      if (result.failedIds.length > 0) {
+        toast({
+          title: t`Documents partially cancelled`,
+          description: t`${plural(result.cancelledCount, {
+            one: '# document cancelled.',
+            other: '# documents cancelled.',
+          })} ${plural(result.failedIds.length, {
+            one: '# document could not be cancelled.',
+            other: '# documents could not be cancelled.',
+          })}`,
+          variant: 'destructive',
+        });
+      } else {
+        toast({
+          title: t`Documents cancelled`,
+          description: plural(result.cancelledCount, {
+            one: '# document has been cancelled.',
+            other: '# documents have been cancelled.',
+          }),
+          variant: 'default',
+        });
+      }
+
+      onSuccess?.();
+      onOpenChange(false);
+    },
+    onError: () => {
+      toast({
+        title: t`Error`,
+        description: t`An error occurred while cancelling the documents.`,
+        variant: 'destructive',
+      });
+    },
+  });
+
+  return (
+    <Dialog {...props} open={open} onOpenChange={onOpenChange}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>
+            <Trans>Cancel Documents</Trans>
+          </DialogTitle>
+
+          <DialogDescription>
+            <Plural
+              value={envelopeIds.length}
+              one="You are about to cancel the selected document."
+              other="You are about to cancel # documents."
+            />
+          </DialogDescription>
+        </DialogHeader>
+
+        <Alert variant="warning">
+          <AlertDescription>
+            <p>
+              <Trans>Only pending documents you have permission to manage will be cancelled.</Trans>
+            </p>
+
+            <p className="mt-1">
+              <Trans>Once confirmed, the following will occur:</Trans>
+            </p>
+
+            <ul className="mt-0.5 list-inside list-disc">
+              <li>
+                <Trans>The document signing process will be stopped</Trans>
+              </li>
+              <li>
+                <Trans>Recipients will be notified that the document was cancelled</Trans>
+              </li>
+              <li>
+                <Trans>The documents will remain in your dashboard marked as Cancelled</Trans>
+              </li>
+            </ul>
+          </AlertDescription>
+        </Alert>
+
+        <div className="flex flex-col gap-2">
+          <Label htmlFor="bulk-cancel-reason">
+            <Trans>Reason (optional)</Trans>
+          </Label>
+
+          <Textarea
+            id="bulk-cancel-reason"
+            value={reason}
+            onChange={(event) => setReason(event.target.value)}
+            placeholder={t`Add an optional reason for cancelling these documents`}
+          />
+        </div>
+
+        <DialogFooter>
+          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)} disabled={isPending}>
+            <Trans>Cancel</Trans>
+          </Button>
+
+          <Button
+            onClick={(e) => {
+              e.preventDefault();
+              void bulkCancelEnvelopes({ envelopeIds, reason: reason || undefined });
+            }}
+            loading={isPending}
+            variant="destructive"
+          >
+            <Trans>Cancel documents</Trans>
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+};
@@ -28,7 +28,7 @@ export type EnvelopesBulkMoveDialogProps = {
  open: boolean;
  onOpenChange: (open: boolean) => void;
  currentFolderId?: string;
-  onSuccess?: () => void;
+  onSuccess?: (folderId: string | null) => Promise<void> | void;
 } & Omit<DialogPrimitive.DialogProps, 'children'>;

 const ZBulkMoveFormSchema = z.object({
@@ -99,11 +99,12 @@ export const EnvelopesBulkMoveDialog = ({
        await trpcUtils.template.findTemplates.invalidate();
      }

+      await onSuccess?.(data.folderId);
+
      toast({
        description: t`Selected items have been moved.`,
      });

-      onSuccess?.();
      onOpenChange(false);
    } catch (err) {
      const error = AppError.parseError(err);
@@ -16,6 +16,17 @@ import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
 import { Trans } from '@lingui/react/macro';
 import { useState } from 'react';
+import { match } from 'ts-pattern';
+
+/**
+ * The reason a team member cannot be removed from the team. When set, the delete
+ * dialog explains the reason instead of offering a confirm button.
+ */
+export type TeamMemberDeleteDisableReason =
+  | 'TEAM_OWNER'
+  | 'HIGHER_ROLE'
+  | 'INHERIT_MEMBER_ENABLED'
+  | 'INHERITED_MEMBER';

 export type TeamMemberDeleteDialogProps = {
  teamId: number;
@@ -23,7 +34,7 @@ export type TeamMemberDeleteDialogProps = {
  memberId: string;
  memberName: string;
  memberEmail: string;
-  isInheritMemberEnabled: boolean | null;
+  disableReason?: TeamMemberDeleteDisableReason | null;
  trigger?: React.ReactNode;
 };

@@ -34,7 +45,7 @@ export const TeamMemberDeleteDialog = ({
  memberId,
  memberName,
  memberEmail,
-  isInheritMemberEnabled,
+  disableReason,
 }: TeamMemberDeleteDialogProps) => {
  const [open, setOpen] = useState(false);

@@ -86,10 +97,19 @@ export const TeamMemberDeleteDialog = ({
          </DialogDescription>
        </DialogHeader>

-        {isInheritMemberEnabled ? (
+        {disableReason ? (
          <Alert variant="neutral">
            <AlertDescription>
-              <Trans>You cannot remove members from this team if the inherit member feature is enabled.</Trans>
+              {match(disableReason)
+                .with('TEAM_OWNER', () => <Trans>You cannot remove the organisation owner from the team.</Trans>)
+                .with('HIGHER_ROLE', () => <Trans>You cannot remove a member with a role higher than your own.</Trans>)
+                .with('INHERIT_MEMBER_ENABLED', () => (
+                  <Trans>You cannot remove members from this team while the inherit member feature is enabled.</Trans>
+                ))
+                .with('INHERITED_MEMBER', () => (
+                  <Trans>This member is inherited from a group and cannot be removed from the team directly.</Trans>
+                ))
+                .exhaustive()}
            </AlertDescription>
          </Alert>
        ) : (
@@ -109,11 +129,10 @@ export const TeamMemberDeleteDialog = ({
              <Trans>Close</Trans>
            </Button>

-            {!isInheritMemberEnabled && (
+            {!disableReason && (
              <Button
                type="submit"
                variant="destructive"
-                disabled={Boolean(isInheritMemberEnabled)}
                loading={isDeletingTeamMember}
                onClick={async () => deleteTeamMember({ teamId, memberId })}
              >
@@ -1,232 +0,0 @@
-import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
-import { FolderType } from '@documenso/lib/types/folder-type';
-import { formatTemplatesPath } from '@documenso/lib/utils/teams';
-import { trpc } from '@documenso/trpc/react';
-import { Button } from '@documenso/ui/primitives/button';
-import {
-  Dialog,
-  DialogContent,
-  DialogDescription,
-  DialogFooter,
-  DialogHeader,
-  DialogTitle,
-} from '@documenso/ui/primitives/dialog';
-import { Form, FormControl, FormField, FormItem, FormLabel, FormMessage } from '@documenso/ui/primitives/form/form';
-import { Input } from '@documenso/ui/primitives/input';
-import { useToast } from '@documenso/ui/primitives/use-toast';
-import { zodResolver } from '@hookform/resolvers/zod';
-import { msg } from '@lingui/core/macro';
-import { useLingui } from '@lingui/react';
-import { Trans } from '@lingui/react/macro';
-import type * as DialogPrimitive from '@radix-ui/react-dialog';
-import { FolderIcon, HomeIcon, Loader2, Search } from 'lucide-react';
-import { useEffect, useState } from 'react';
-import { useForm } from 'react-hook-form';
-import { useNavigate } from 'react-router';
-import { z } from 'zod';
-
-import { useCurrentTeam } from '~/providers/team';
-
-export type TemplateMoveToFolderDialogProps = {
-  templateId: number;
-  templateTitle: string;
-  isOpen: boolean;
-  onOpenChange: (open: boolean) => void;
-  currentFolderId?: string | null;
-} & Omit<DialogPrimitive.DialogProps, 'children'>;
-
-const ZMoveTemplateFormSchema = z.object({
-  folderId: z.string().nullable().optional(),
-});
-
-type TMoveTemplateFormSchema = z.infer<typeof ZMoveTemplateFormSchema>;
-
-export function TemplateMoveToFolderDialog({
-  templateId,
-  templateTitle,
-  isOpen,
-  onOpenChange,
-  currentFolderId,
-  ...props
-}: TemplateMoveToFolderDialogProps) {
-  const { _ } = useLingui();
-  const { toast } = useToast();
-
-  const navigate = useNavigate();
-  const team = useCurrentTeam();
-
-  const [searchTerm, setSearchTerm] = useState('');
-
-  const form = useForm<TMoveTemplateFormSchema>({
-    resolver: zodResolver(ZMoveTemplateFormSchema),
-    defaultValues: {
-      folderId: currentFolderId ?? null,
-    },
-  });
-
-  const { data: folders, isLoading: isFoldersLoading } = trpc.folder.findFoldersInternal.useQuery(
-    {
-      parentId: currentFolderId ?? null,
-      type: FolderType.TEMPLATE,
-    },
-    {
-      enabled: isOpen,
-    },
-  );
-
-  const { mutateAsync: updateTemplate } = trpc.template.updateTemplate.useMutation();
-
-  useEffect(() => {
-    if (!isOpen) {
-      form.reset();
-      setSearchTerm('');
-    } else {
-      form.reset({ folderId: currentFolderId ?? null });
-    }
-  }, [isOpen, currentFolderId, form]);
-
-  const onSubmit = async (data: TMoveTemplateFormSchema) => {
-    try {
-      await updateTemplate({
-        templateId,
-        data: {
-          folderId: data.folderId ?? null,
-        },
-      });
-
-      toast({
-        title: _(msg`Template moved`),
-        description: _(msg`The template has been moved successfully.`),
-        variant: 'default',
-      });
-
-      onOpenChange(false);
-
-      const templatesPath = formatTemplatesPath(team.url);
-
-      if (data.folderId) {
-        void navigate(`${templatesPath}/f/${data.folderId}`);
-      } else {
-        void navigate(templatesPath);
-      }
-    } catch (err) {
-      const error = AppError.parseError(err);
-
-      if (error.code === AppErrorCode.NOT_FOUND) {
-        toast({
-          title: _(msg`Error`),
-          description: _(msg`The folder you are trying to move the template to does not exist.`),
-          variant: 'destructive',
-        });
-
-        return;
-      }
-
-      toast({
-        title: _(msg`Error`),
-        description: _(msg`An error occurred while moving the template.`),
-        variant: 'destructive',
-      });
-    }
-  };
-
-  const filteredFolders = folders?.data?.filter((folder) =>
-    folder.name.toLowerCase().includes(searchTerm.toLowerCase()),
-  );
-
-  return (
-    <Dialog {...props} open={isOpen} onOpenChange={onOpenChange}>
-      <DialogContent>
-        <DialogHeader>
-          <DialogTitle>
-            <Trans>Move Template to Folder</Trans>
-          </DialogTitle>
-
-          <DialogDescription>
-            <Trans>Move &quot;{templateTitle}&quot; to a folder</Trans>
-          </DialogDescription>
-        </DialogHeader>
-
-        <div className="relative">
-          <Search className="absolute top-3 left-2 h-4 w-4 text-muted-foreground" />
-          <Input
-            placeholder={_(msg`Search folders...`)}
-            value={searchTerm}
-            onChange={(e) => setSearchTerm(e.target.value)}
-            className="pl-8"
-          />
-        </div>
-
-        <Form {...form}>
-          <form onSubmit={form.handleSubmit(onSubmit)} className="mt-4 flex flex-col gap-y-4">
-            <FormField
-              control={form.control}
-              name="folderId"
-              render={({ field }) => (
-                <FormItem>
-                  <FormLabel>
-                    <Trans>Folder</Trans>
-                  </FormLabel>
-
-                  <FormControl>
-                    <div className="max-h-96 space-y-2 overflow-y-auto">
-                      {isFoldersLoading ? (
-                        <div className="flex h-10 items-center justify-center">
-                          <Loader2 className="h-4 w-4 animate-spin" />
-                        </div>
-                      ) : (
-                        <>
-                          <Button
-                            type="button"
-                            variant={field.value === null ? 'default' : 'outline'}
-                            className="w-full justify-start"
-                            onClick={() => field.onChange(null)}
-                            disabled={currentFolderId === null}
-                          >
-                            <HomeIcon className="mr-2 h-4 w-4" />
-                            <Trans>Home (No Folder)</Trans>
-                          </Button>
-
-                          {filteredFolders?.map((folder) => (
-                            <Button
-                              key={folder.id}
-                              type="button"
-                              variant={field.value === folder.id ? 'default' : 'outline'}
-                              className="w-full justify-start"
-                              onClick={() => field.onChange(folder.id)}
-                              disabled={currentFolderId === folder.id}
-                            >
-                              <FolderIcon className="mr-2 h-4 w-4" />
-                              {folder.name}
-                            </Button>
-                          ))}
-
-                          {searchTerm && filteredFolders?.length === 0 && (
-                            <div className="px-2 py-2 text-center text-muted-foreground text-sm">
-                              <Trans>No folders found</Trans>
-                            </div>
-                          )}
-                        </>
-                      )}
-                    </div>
-                  </FormControl>
-                  <FormMessage />
-                </FormItem>
-              )}
-            />
-
-            <DialogFooter>
-              <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-                <Trans>Cancel</Trans>
-              </Button>
-
-              <Button type="submit" disabled={isFoldersLoading || form.formState.isSubmitting}>
-                <Trans>Move</Trans>
-              </Button>
-            </DialogFooter>
-          </form>
-        </Form>
-      </DialogContent>
-    </Dialog>
-  );
-}
@@ -11,10 +11,10 @@ import { isValidLanguageCode, SUPPORTED_LANGUAGE_CODES, SUPPORTED_LANGUAGES } fr
 import { TIME_ZONES } from '@documenso/lib/constants/time-zones';
 import type { TDefaultRecipients } from '@documenso/lib/types/default-recipients';
 import { ZDefaultRecipientsSchema } from '@documenso/lib/types/default-recipients';
-import { type TDocumentMetaDateFormat, ZDocumentMetaTimezoneSchema } from '@documenso/lib/types/document-meta';
-import { isPersonalLayout } from '@documenso/lib/utils/organisations';
+import { type TDocumentMetaDateFormat, ZDocumentMetaDateFormatSchema } from '@documenso/lib/types/document-meta';
+import { generateDefaultOrganisationSettings, isPersonalLayout } from '@documenso/lib/utils/organisations';
 import { recipientAbbreviation } from '@documenso/lib/utils/recipient-formatter';
-import { extractTeamSignatureSettings } from '@documenso/lib/utils/teams';
+import { extractTeamSignatureSettings, generateDefaultTeamSettings } from '@documenso/lib/utils/teams';
 import { DocumentSignatureSettingsTooltip } from '@documenso/ui/components/document/document-signature-settings-tooltip';
 import { ExpirationPeriodPicker } from '@documenso/ui/components/document/expiration-period-picker';
 import { ReminderSettingsPicker } from '@documenso/ui/components/document/reminder-settings-picker';
@@ -38,11 +38,11 @@ import { zodResolver } from '@hookform/resolvers/zod';
 import { msg, t } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
 import { Trans } from '@lingui/react/macro';
-import type { TeamGlobalSettings } from '@prisma/client';
-import { DocumentVisibility, OrganisationType, type RecipientRole } from '@prisma/client';
+import { DocumentVisibility, OrganisationType, type RecipientRole, type TeamGlobalSettings } from '@prisma/client';
 import { useForm } from 'react-hook-form';
 import { z } from 'zod';

+import { DocumentPreferencesResetDialog } from '~/components/dialogs/document-preferences-reset-dialog';
 import { useOptionalCurrentTeam } from '~/providers/team';

 import { DefaultRecipientsMultiSelectCombobox } from '../general/default-recipients-multiselect-combobox';
@@ -93,6 +93,26 @@ export type DocumentPreferencesFormProps = {
  onFormSubmit: (data: TDocumentPreferencesFormSchema) => Promise<void>;
 };

+const getDocumentPreferencesFormValues = (settings: SettingsSubset): TDocumentPreferencesFormSchema => {
+  const parsedDocumentDateFormat = ZDocumentMetaDateFormatSchema.safeParse(settings.documentDateFormat);
+
+  return {
+    documentVisibility: settings.documentVisibility,
+    documentLanguage: isValidLanguageCode(settings.documentLanguage) ? settings.documentLanguage : null,
+    documentTimezone: settings.documentTimezone,
+    documentDateFormat: parsedDocumentDateFormat.success ? parsedDocumentDateFormat.data : null,
+    includeSenderDetails: settings.includeSenderDetails,
+    includeSigningCertificate: settings.includeSigningCertificate,
+    includeAuditLog: settings.includeAuditLog,
+    signatureTypes: extractTeamSignatureSettings({ ...settings }),
+    defaultRecipients: settings.defaultRecipients ? ZDefaultRecipientsSchema.parse(settings.defaultRecipients) : null,
+    delegateDocumentOwnership: settings.delegateDocumentOwnership,
+    aiFeaturesEnabled: settings.aiFeaturesEnabled,
+    envelopeExpirationPeriod: settings.envelopeExpirationPeriod ?? null,
+    reminderSettings: settings.reminderSettings ?? null,
+  };
+};
+
 export const DocumentPreferencesForm = ({
  settings,
  onFormSubmit,
@@ -113,7 +133,7 @@ export const DocumentPreferencesForm = ({
    documentVisibility: z.nativeEnum(DocumentVisibility).nullable(),
    documentLanguage: z.enum(SUPPORTED_LANGUAGE_CODES).nullable(),
    documentTimezone: z.string().nullable(),
-    documentDateFormat: ZDocumentMetaTimezoneSchema.nullable(),
+    documentDateFormat: ZDocumentMetaDateFormatSchema.nullable(),
    includeSenderDetails: z.boolean().nullable(),
    includeSigningCertificate: z.boolean().nullable(),
    includeAuditLog: z.boolean().nullable(),
@@ -127,26 +147,27 @@ export const DocumentPreferencesForm = ({
    reminderSettings: ZEnvelopeReminderSettings.nullable(),
  });

+  const defaultValues = getDocumentPreferencesFormValues(settings);
+  const defaultSettings = canInherit ? generateDefaultTeamSettings() : generateDefaultOrganisationSettings();
+  const baseResetValues = getDocumentPreferencesFormValues(defaultSettings);
+  const resetValues = {
+    ...baseResetValues,
+    aiFeaturesEnabled: isAiFeaturesConfigured ? baseResetValues.aiFeaturesEnabled : defaultValues.aiFeaturesEnabled,
+  };
+
  const form = useForm<TDocumentPreferencesFormSchema>({
-    defaultValues: {
-      documentVisibility: settings.documentVisibility,
-      documentLanguage: isValidLanguageCode(settings.documentLanguage) ? settings.documentLanguage : null,
-      documentTimezone: settings.documentTimezone,
-      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-      documentDateFormat: settings.documentDateFormat as TDocumentMetaDateFormat | null,
-      includeSenderDetails: settings.includeSenderDetails,
-      includeSigningCertificate: settings.includeSigningCertificate,
-      includeAuditLog: settings.includeAuditLog,
-      signatureTypes: extractTeamSignatureSettings({ ...settings }),
-      defaultRecipients: settings.defaultRecipients ? ZDefaultRecipientsSchema.parse(settings.defaultRecipients) : null,
-      delegateDocumentOwnership: settings.delegateDocumentOwnership,
-      aiFeaturesEnabled: settings.aiFeaturesEnabled,
-      envelopeExpirationPeriod: settings.envelopeExpirationPeriod ?? null,
-      reminderSettings: settings.reminderSettings ?? null,
-    },
+    defaultValues,
    resolver: zodResolver(ZDocumentPreferencesFormSchema),
  });

+  const currentValues = form.watch();
+  const isResetDisabled = !form.formState.isDirty && JSON.stringify(currentValues) === JSON.stringify(resetValues);
+
+  const handleResetToDefaults = async () => {
+    await onFormSubmit(resetValues);
+    form.reset(resetValues);
+  };
+
  return (
    <Form {...form}>
      <form onSubmit={form.handleSubmit(onFormSubmit)}>
@@ -760,6 +781,14 @@ export const DocumentPreferencesForm = ({
            <Button type="submit" loading={form.formState.isSubmitting}>
              <Trans>Update</Trans>
            </Button>
+            <DocumentPreferencesResetDialog
+              disabled={isResetDisabled}
+              isSubmitting={form.formState.isSubmitting}
+              onReset={handleResetToDefaults}
+              showAiFeatures={isAiFeaturesConfigured}
+              showDocumentVisibility={!isPersonalLayoutMode}
+              showIncludeSenderDetails={!isPersonalLayoutMode && !isPersonalOrganisation}
+            />
          </div>
        </fieldset>
      </form>
@@ -13,7 +13,7 @@ import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
 import type { Field, Recipient } from '@prisma/client';
 import { useState } from 'react';
-import { useNavigate, useSearchParams } from 'react-router';
+import { useSearchParams } from 'react-router';

 import { useRequiredDocumentSigningAuthContext } from '~/components/general/document-signing/document-signing-auth-provider';
 import { useRequiredDocumentSigningContext } from '~/components/general/document-signing/document-signing-provider';
@@ -37,7 +37,6 @@ export const DirectTemplatePageView = ({
  directTemplateRecipient,
  directTemplateToken,
 }: DirectTemplatePageViewProps) => {
-  const navigate = useNavigate();
  const [searchParams] = useSearchParams();

  const { _ } = useLingui();
@@ -119,7 +118,7 @@ export const DirectTemplatePageView = ({
      if (redirectUrl) {
        window.location.href = redirectUrl;
      } else {
-        await navigate(`/sign/${token}/complete`);
+        window.location.href = `/sign/${token}/complete`;
      }
    } catch (err) {
      const error = AppError.parseError(err);
@@ -0,0 +1,68 @@
+import { AppErrorCode } from '@documenso/lib/errors/app-error';
+import { Button } from '@documenso/ui/primitives/button';
+import { Trans } from '@lingui/react/macro';
+import { AlertTriangleIcon } from 'lucide-react';
+
+export type CscRecipientBlockedPageProps = {
+  code: string;
+  recipientToken: string;
+};
+
+/**
+ * Terminal page rendered when the service-scope CSC OAuth callback surfaces a
+ * hard error the recipient can't resolve themselves (empty credential list,
+ * invalid cert, refused algorithm). The blocking-error cookie is read +
+ * cleared by the loader; this page only renders the message + retry CTA.
+ *
+ * The retry link kicks a fresh service-scope OAuth round-trip — useful when
+ * the TSP-side issue is transient (e.g. the recipient's admin has since
+ * provisioned a credential).
+ */
+export const CscRecipientBlockedPage = ({ code, recipientToken }: CscRecipientBlockedPageProps) => {
+  const retryUrl = `/api/csc/oauth/authorize?scope=service&token=${encodeURIComponent(recipientToken)}`;
+
+  return (
+    <div className="-mx-4 flex max-w-[100vw] flex-col items-center overflow-x-hidden px-4 pt-16 md:-mx-8 md:px-8 lg:pt-16 xl:pt-24">
+      <AlertTriangleIcon className="h-12 w-12 text-destructive" />
+
+      <h2 className="mt-6 max-w-[35ch] text-center font-semibold text-2xl leading-normal md:text-3xl lg:text-4xl">
+        {code === AppErrorCode.CSC_CREDENTIAL_LIST_EMPTY ? (
+          <Trans>No signing credentials available</Trans>
+        ) : code === AppErrorCode.CSC_CERT_INVALID ? (
+          <Trans>Signing certificate is invalid</Trans>
+        ) : code === AppErrorCode.CSC_ALGORITHM_REFUSED ? (
+          <Trans>Signing algorithm is not supported</Trans>
+        ) : (
+          <Trans>Unable to start the signing flow</Trans>
+        )}
+      </h2>
+
+      <p className="mt-2.5 max-w-[60ch] text-center font-medium text-muted-foreground/60 text-sm md:text-base">
+        {code === AppErrorCode.CSC_CREDENTIAL_LIST_EMPTY ? (
+          <Trans>
+            Your signing provider returned no usable credentials for this account. Contact your administrator or signing
+            provider for assistance.
+          </Trans>
+        ) : code === AppErrorCode.CSC_CERT_INVALID ? (
+          <Trans>
+            Your signing certificate is invalid, expired, or missing a required key. Contact your administrator or
+            signing provider for assistance.
+          </Trans>
+        ) : code === AppErrorCode.CSC_ALGORITHM_REFUSED ? (
+          <Trans>
+            Your signing provider does not advertise a signing algorithm this document accepts. Contact your
+            administrator or signing provider for assistance.
+          </Trans>
+        ) : (
+          <Trans>Something went wrong while preparing the remote signature. Please try again.</Trans>
+        )}
+      </p>
+
+      <Button asChild className="mt-8">
+        <a href={retryUrl}>
+          <Trans>Try again</Trans>
+        </a>
+      </Button>
+    </div>
+  );
+};
@@ -0,0 +1,105 @@
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { trpc } from '@documenso/trpc/react';
+import { Button } from '@documenso/ui/primitives/button';
+import { Trans } from '@lingui/react/macro';
+import { AlertTriangleIcon, Loader2Icon } from 'lucide-react';
+import { useEffect, useRef, useState } from 'react';
+
+export type CscRecipientSigningInProgressPageProps = {
+  sessionId: string;
+  recipientToken: string;
+};
+
+/**
+ * Rendered when the credential-scope OAuth callback has attached a SAD to the
+ * server-side `CscSession` and set the `csc_sad_session` cookie. The page
+ * auto-fires `enterprise.csc.signEnvelope` on mount and navigates to the
+ * completion page on success. On failure, it surfaces an error message and
+ * a retry CTA pointing at a fresh credential-scope OAuth round-trip.
+ */
+export const CscRecipientSigningInProgressPage = ({
+  sessionId,
+  recipientToken,
+}: CscRecipientSigningInProgressPageProps) => {
+  const { mutateAsync: signEnvelope } = trpc.enterprise.csc.signEnvelope.useMutation();
+
+  const [error, setError] = useState<string | null>(null);
+
+  // Ref rather than state for the fire-once guard. Refs mutate synchronously,
+  // so React StrictMode's double-invoke of the effect sees the updated value
+  // on the second pass and short-circuits. A useState guard would still let
+  // the second effect fire because the queued setState from the first run
+  // hasn't been committed yet when the second one reads it — that double-fire
+  // races two signEnvelope calls; whichever loses sees the SAD already
+  // consumed and flashes "Signing failed" before the winning call's
+  // navigation kicks in.
+  const hasFiredRef = useRef(false);
+
+  useEffect(() => {
+    if (hasFiredRef.current) {
+      return;
+    }
+
+    hasFiredRef.current = true;
+
+    const run = async () => {
+      try {
+        await signEnvelope({ sessionId, recipientToken });
+
+        window.location.href = `/sign/${recipientToken}/complete`;
+      } catch (err) {
+        const parsed = AppError.parseError(err);
+        setError(parsed.code || AppErrorCode.UNKNOWN_ERROR);
+      }
+    };
+
+    void run();
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, []);
+
+  const retryUrl = `/api/csc/oauth/authorize?scope=credential&session=${encodeURIComponent(sessionId)}`;
+
+  return (
+    <div className="-mx-4 flex max-w-[100vw] flex-col items-center overflow-x-hidden px-4 pt-16 md:-mx-8 md:px-8 lg:pt-16 xl:pt-24">
+      {error ? (
+        <>
+          <AlertTriangleIcon className="h-12 w-12 text-destructive" />
+
+          <h2 className="mt-6 max-w-[35ch] text-center font-semibold text-2xl leading-normal md:text-3xl lg:text-4xl">
+            <Trans>Signing failed</Trans>
+          </h2>
+
+          <p className="mt-2.5 max-w-[60ch] text-center font-medium text-muted-foreground/60 text-sm md:text-base">
+            {error === AppErrorCode.CSC_TSP_TIMEOUT ? (
+              <Trans>The signing provider did not respond in time. Please retry.</Trans>
+            ) : error === AppErrorCode.CSC_SAD_EXPIRED_PRE_SIGN ? (
+              <Trans>
+                Your signing authorisation expired before the signature could be applied. Please reauthorise to retry.
+              </Trans>
+            ) : (
+              <Trans>Something went wrong while applying your signature. Please retry.</Trans>
+            )}
+          </p>
+
+          <Button asChild className="mt-8">
+            <a href={retryUrl}>
+              <Trans>Reauthorise and retry</Trans>
+            </a>
+          </Button>
+        </>
+      ) : (
+        <>
+          <Loader2Icon className="h-12 w-12 animate-spin text-primary" />
+
+          <h2 className="mt-6 max-w-[35ch] text-center font-semibold text-2xl leading-normal md:text-3xl lg:text-4xl">
+            <Trans>Applying your signature</Trans>
+          </h2>
+
+          <p className="mt-2.5 max-w-[60ch] text-center font-medium text-muted-foreground/60 text-sm md:text-base">
+            <Trans>Please don't close this tab. The signing provider is finalising your signature.</Trans>
+          </p>
+        </>
+      )}
+    </div>
+  );
+};
@@ -27,7 +27,6 @@ import type { Field } from '@prisma/client';
 import { FieldType, RecipientRole } from '@prisma/client';
 import { LucideChevronDown, LucideChevronUp } from 'lucide-react';
 import { useMemo, useState } from 'react';
-import { useNavigate } from 'react-router';
 import { match, P } from 'ts-pattern';

 import { DocumentSigningAttachmentsPopover } from '~/components/general/document-signing/document-signing-attachments-popover';
@@ -84,7 +83,6 @@ export const DocumentSigningPageViewV1 = ({
    ? authUser.twoFactorEnabled && authUser.email === recipient.email
    : false;

-  const navigate = useNavigate();
  const analytics = useAnalytics();

  const [selectedSignerId, setSelectedSignerId] = useState<number | null>(allRecipients?.[0]?.id);
@@ -129,7 +127,7 @@ export const DocumentSigningPageViewV1 = ({
    if (documentMeta?.redirectUrl) {
      window.location.href = documentMeta.redirectUrl;
    } else {
-      await navigate(`/sign/${recipient.token}/complete`);
+      window.location.href = `/sign/${recipient.token}/complete`;
    }
  };

@@ -17,7 +17,7 @@ import { msg } from '@lingui/core/macro';
 import { Trans, useLingui } from '@lingui/react/macro';
 import { useEffect, useState } from 'react';
 import { useForm } from 'react-hook-form';
-import { useNavigate, useSearchParams } from 'react-router';
+import { useSearchParams } from 'react-router';
 import { z } from 'zod';

 const ZRejectDocumentFormSchema = z.object({
@@ -41,7 +41,6 @@ export function DocumentSigningRejectDialog({
 }: DocumentSigningRejectDialogProps) {
  const { t } = useLingui();
  const { toast } = useToast();
-  const navigate = useNavigate();
  const [searchParams] = useSearchParams();

  const [isOpen, setIsOpen] = useState(false);
@@ -74,7 +73,7 @@ export function DocumentSigningRejectDialog({
      if (onRejected) {
        await onRejected(reason);
      } else {
-        await navigate(`/sign/${token}/rejected`);
+        window.location.href = `/sign/${token}/rejected`;
      }
    } catch (err) {
      toast({
@@ -11,10 +11,10 @@ import { DownloadIcon } from 'lucide-react';

 export type DocumentAuditLogDownloadButtonProps = {
  className?: string;
-  documentId: number;
+  envelopeId: string;
 };

-export const DocumentAuditLogDownloadButton = ({ className, documentId }: DocumentAuditLogDownloadButtonProps) => {
+export const DocumentAuditLogDownloadButton = ({ className, envelopeId }: DocumentAuditLogDownloadButtonProps) => {
  const { toast } = useToast();
  const { _ } = useLingui();

@@ -22,7 +22,7 @@ export const DocumentAuditLogDownloadButton = ({ className, documentId }: Docume

  const onDownloadAuditLogsClick = async () => {
    try {
-      const { data, envelopeTitle } = await downloadAuditLogs({ documentId });
+      const { data, envelopeTitle } = await downloadAuditLogs({ envelopeId });

      const buffer = new Uint8Array(base64.decode(data));
      const blob = new Blob([buffer], { type: 'application/pdf' });
@@ -13,13 +13,13 @@ import { DownloadIcon } from 'lucide-react';

 export type DocumentCertificateDownloadButtonProps = {
  className?: string;
-  documentId: number;
+  envelopeId: string;
  documentStatus: DocumentStatus;
 };

 export const DocumentCertificateDownloadButton = ({
  className,
-  documentId,
+  envelopeId,
  documentStatus,
 }: DocumentCertificateDownloadButtonProps) => {
  const { toast } = useToast();
@@ -29,7 +29,7 @@ export const DocumentCertificateDownloadButton = ({

  const onDownloadCertificatesClick = async () => {
    try {
-      const { data, envelopeTitle } = await downloadCertificate({ documentId });
+      const { data, envelopeTitle } = await downloadCertificate({ envelopeId });

      const buffer = new Uint8Array(base64.decode(data));
      const blob = new Blob([buffer], { type: 'application/pdf' });
@@ -38,7 +38,7 @@ export const DocumentPageViewButton = ({ envelope }: DocumentPageViewButtonProps
  })
    .with({ isRecipient: true, isPending: true, isSigned: false }, () => (
      <Button className="w-full" asChild>
-        <Link to={`/sign/${recipient?.token}`}>
+        <a href={`/sign/${recipient?.token}`}>
          {match(role)
            .with(RecipientRole.SIGNER, () => (
              <>
@@ -58,7 +58,7 @@ export const DocumentPageViewButton = ({ envelope }: DocumentPageViewButtonProps
                <Trans>View</Trans>
              </>
            ))}
-        </Link>
+        </a>
      </Button>
    ))
    .with({ isComplete: false }, () => (
@@ -19,6 +19,7 @@ import {
  Download,
  Edit,
  FileOutputIcon,
+  History,
  Loader,
  MoreHorizontal,
  Pencil,
@@ -29,10 +30,10 @@ import {
 import { useState } from 'react';
 import { Link, useNavigate } from 'react-router';

-import { DocumentResendDialog } from '~/components/dialogs/document-resend-dialog';
 import { EnvelopeDeleteDialog } from '~/components/dialogs/envelope-delete-dialog';
 import { EnvelopeDownloadDialog } from '~/components/dialogs/envelope-download-dialog';
 import { EnvelopeDuplicateDialog } from '~/components/dialogs/envelope-duplicate-dialog';
+import { EnvelopeRedistributeDialog } from '~/components/dialogs/envelope-redistribute-dialog';
 import { EnvelopeRenameDialog } from '~/components/dialogs/envelope-rename-dialog';
 import { EnvelopeSaveAsTemplateDialog } from '~/components/dialogs/envelope-save-as-template-dialog';
 import { DocumentRecipientLinkCopyDialog } from '~/components/general/document/document-recipient-link-copy-dialog';
@@ -67,8 +68,6 @@ export const DocumentPageViewDropdown = ({ envelope }: DocumentPageViewDropdownP

  const documentsPath = formatDocumentsPath(team.url);

-  const nonSignedRecipients = envelope.recipients.filter((item) => item.signingStatus !== 'SIGNED');
-
  return (
    <DropdownMenu>
      <DropdownMenuTrigger data-testid="document-page-view-action-btn">
@@ -172,13 +171,20 @@ export const DocumentPageViewDropdown = ({ envelope }: DocumentPageViewDropdownP
          />
        )}

-        <DocumentResendDialog
-          document={{
-            ...envelope,
-            id: mapSecondaryIdToDocumentId(envelope.secondaryId),
-          }}
-          recipients={nonSignedRecipients}
-        />
+        {canManageDocument && (
+          <EnvelopeRedistributeDialog
+            envelope={envelope}
+            envelopeType={EnvelopeType.DOCUMENT}
+            trigger={
+              <DropdownMenuItem asChild onSelect={(e) => e.preventDefault()}>
+                <div>
+                  <History className="mr-2 h-4 w-4" />
+                  <Trans>Resend</Trans>
+                </div>
+              </DropdownMenuItem>
+            }
+          />
+        )}

        <DocumentShareButton
          documentId={mapSecondaryIdToDocumentId(envelope.secondaryId)}
@@ -40,6 +40,12 @@ export const FRIENDLY_STATUS_MAP: Record<ExtendedDocumentStatus, FriendlyStatus>
    icon: XCircle,
    color: 'text-red-500 dark:text-red-300',
  },
+  CANCELLED: {
+    label: msg`Cancelled`,
+    labelExtended: msg`Document cancelled`,
+    icon: XCircle,
+    color: 'text-red-500 dark:text-red-300',
+  },
  INBOX: {
    label: msg`Inbox`,
    labelExtended: msg`Document inbox`,
@@ -1,3 +1,4 @@
+import { useDebouncedValue } from '@documenso/lib/client-only/hooks/use-debounced-value';
 import type { TLocalField } from '@documenso/lib/client-only/hooks/use-editor-fields';
 import { usePageRenderer } from '@documenso/lib/client-only/hooks/use-page-renderer';
 import { useCurrentEnvelopeEditor } from '@documenso/lib/client-only/providers/envelope-editor-provider';
@@ -13,6 +14,7 @@ import {
 } from '@documenso/lib/universal/field-renderer/field-renderer';
 import { renderField } from '@documenso/lib/universal/field-renderer/render-field';
 import { getClientSideFieldTranslations } from '@documenso/lib/utils/fields';
+import { getOverlappingFieldPairs } from '@documenso/lib/utils/fields-overlap';
 import { canRecipientFieldsBeModified } from '@documenso/lib/utils/recipients';
 import {
  Command,
@@ -62,6 +64,36 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
    [editorFields.localFields, pageNumber, currentEnvelopeItem?.id],
  );

+  /**
+   * Debounce the fields used for overlap highlighting so we don't recompute on every
+   * small drag/resize tick. Overlaps only occur within the same page and envelope
+   * item, so computing from this page's fields alone is sufficient.
+   */
+  const debouncedPageFields = useDebouncedValue(localPageFields, 300);
+
+  const overlappingFieldFormIds = useMemo(() => {
+    const formIds = new Set<string>();
+
+    const pairs = getOverlappingFieldPairs(
+      debouncedPageFields.map((field) => ({
+        id: field.formId,
+        envelopeItemId: field.envelopeItemId,
+        page: field.page,
+        positionX: field.positionX,
+        positionY: field.positionY,
+        width: field.width,
+        height: field.height,
+      })),
+    );
+
+    for (const pair of pairs) {
+      formIds.add(pair.fieldA.id);
+      formIds.add(pair.fieldB.id);
+    }
+
+    return formIds;
+  }, [debouncedPageFields]);
+
  const handleResizeOrMove = (event: KonvaEventObject<Event>) => {
    const isDragEvent = event.type === 'dragend';

@@ -113,6 +145,62 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
    pageLayer.current?.batchDraw();
  };

+  /**
+   * Draws (or removes) a dashed warning outline over a field that significantly
+   * overlaps another field. The highlight is a child of the field group so it moves
+   * and resizes with the field, and sits on top of the field's own rect (which is
+   * re-styled on every render and would otherwise clobber a direct stroke change).
+   */
+  const syncOverlapHighlight = (fieldGroup: Konva.Group, isOverlapping: boolean) => {
+    const existingHighlight = fieldGroup.findOne('.field-overlap-highlight');
+
+    // Skip while a field is actively being dragged/resized. The highlight is driven
+    // by debounced field data, so it would lag behind and distort during the gesture.
+    // It is repainted once the gesture settles (the effect re-runs on isFieldChanging).
+    if (isFieldChanging) {
+      existingHighlight?.destroy();
+      return;
+    }
+
+    if (!isOverlapping) {
+      existingHighlight?.destroy();
+      return;
+    }
+
+    const fieldRect = fieldGroup.findOne('.field-rect');
+
+    if (!fieldRect) {
+      return;
+    }
+
+    const highlightAttrs = {
+      x: 0,
+      y: 0,
+      width: fieldRect.width(),
+      height: fieldRect.height(),
+      stroke: '#f59e0b',
+      strokeWidth: 2,
+      dash: [6, 4],
+      cornerRadius: 2,
+      strokeScaleEnabled: false,
+      listening: false,
+    } satisfies Partial<Konva.RectConfig>;
+
+    if (existingHighlight instanceof Konva.Rect) {
+      existingHighlight.setAttrs(highlightAttrs);
+      existingHighlight.moveToTop();
+      return;
+    }
+
+    const highlight = new Konva.Rect({
+      name: 'field-overlap-highlight',
+      ...highlightAttrs,
+    });
+
+    fieldGroup.add(highlight);
+    highlight.moveToTop();
+  };
+
  const unsafeRenderFieldOnLayer = (field: TLocalField) => {
    if (!pageLayer.current) {
      return;
@@ -139,6 +227,8 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
      mode: 'edit',
    });

+    syncOverlapHighlight(fieldGroup, overlappingFieldFormIds.has(field.formId));
+
    if (!isFieldEditable) {
      return;
    }
@@ -435,7 +525,7 @@ export const EnvelopeEditorFieldsPageRenderer = ({ pageData }: { pageData: PageR
    interactiveTransformer.current?.forceUpdate();

    pageLayer.current.batchDraw();
-  }, [localPageFields, selectedKonvaFieldGroups]);
+  }, [localPageFields, selectedKonvaFieldGroups, overlappingFieldFormIds, isFieldChanging]);

  const setSelectedFields = (nodes: Konva.Node[]) => {
    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
@@ -1,3 +1,4 @@
+import { useDebouncedValue } from '@documenso/lib/client-only/hooks/use-debounced-value';
 import { useCurrentEnvelopeEditor } from '@documenso/lib/client-only/providers/envelope-editor-provider';
 import { useCurrentEnvelopeRender } from '@documenso/lib/client-only/providers/envelope-render-provider';
 import { PDF_VIEWER_ERROR_MESSAGES } from '@documenso/lib/constants/pdf-viewer-i18n';
@@ -17,6 +18,7 @@ import {
  type TTextFieldMeta,
 } from '@documenso/lib/types/field-meta';
 import { getEnvelopeItemPermissions } from '@documenso/lib/utils/envelope';
+import { getOverlappingFieldPairs } from '@documenso/lib/utils/fields-overlap';
 import { canRecipientFieldsBeModified } from '@documenso/lib/utils/recipients';
 import { AnimateGenericFadeInOut } from '@documenso/ui/components/animate/animate-generic-fade-in-out';
 import { cn } from '@documenso/ui/lib/utils';
@@ -28,7 +30,7 @@ import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
 import { Trans } from '@lingui/react/macro';
 import { DocumentStatus, FieldType, RecipientRole } from '@prisma/client';
-import { FileTextIcon, PencilIcon, SparklesIcon } from 'lucide-react';
+import { AlertTriangleIcon, FileTextIcon, PencilIcon, SparklesIcon } from 'lucide-react';
 import { useEffect, useMemo, useRef, useState } from 'react';
 import { useRevalidator, useSearchParams } from 'react-router';
 import { isDeepEqual } from 'remeda';
@@ -78,7 +80,7 @@ export const EnvelopeEditorFieldsPage = () => {

  const { envelope, editorFields, navigateToStep, editorConfig } = useCurrentEnvelopeEditor();

-  const { currentEnvelopeItem } = useCurrentEnvelopeRender();
+  const { currentEnvelopeItem, setCurrentEnvelopeItem } = useCurrentEnvelopeRender();

  const { _ } = useLingui();

@@ -93,6 +95,53 @@ export const EnvelopeEditorFieldsPage = () => {

  const selectedField = useMemo(() => structuredClone(editorFields.selectedField), [editorFields.selectedField]);

+  /**
+   * Debounce the fields used for overlap detection so we don't recompute on every
+   * small drag/resize movement, which is expensive on large field counts and can
+   * bog down lower-end devices.
+   */
+  const debouncedLocalFields = useDebouncedValue(editorFields.localFields, 300);
+
+  /**
+   * Fields that significantly overlap each other. Overlapping fields render poorly in
+   * the editor and can behave unexpectedly during signing, so we warn the author here.
+   */
+  const overlappingFieldPairs = useMemo(
+    () =>
+      getOverlappingFieldPairs(
+        debouncedLocalFields.map((field) => ({
+          id: field.formId,
+          envelopeItemId: field.envelopeItemId,
+          page: field.page,
+          positionX: field.positionX,
+          positionY: field.positionY,
+          width: field.width,
+          height: field.height,
+        })),
+      ),
+    [debouncedLocalFields],
+  );
+
+  const handleReviewOverlappingField = () => {
+    const firstPair = overlappingFieldPairs[0];
+
+    if (!firstPair) {
+      return;
+    }
+
+    const targetField = editorFields.localFields.find((field) => field.formId === firstPair.fieldA.id);
+
+    if (!targetField) {
+      return;
+    }
+
+    if (targetField.envelopeItemId !== currentEnvelopeItem?.id) {
+      setCurrentEnvelopeItem(targetField.envelopeItemId);
+    }
+
+    editorFields.setSelectedField(targetField.formId);
+  };
+
  const updateSelectedFieldMeta = (fieldMeta: TFieldMetaSchema) => {
    if (!selectedField) {
      return;
@@ -211,6 +260,29 @@ export const EnvelopeEditorFieldsPage = () => {
            </Alert>
          )}

+          {overlappingFieldPairs.length > 0 && (
+            <Alert
+              variant="warning"
+              className="mt-20 mb-4 flex w-full max-w-[800px] flex-row items-center justify-between space-y-0 rounded-sm"
+            >
+              <div className="flex flex-row items-start gap-3">
+                <AlertTriangleIcon className="mt-0.5 h-5 w-5 flex-shrink-0" />
+
+                <div className="flex flex-col gap-1">
+                  <AlertTitle>
+                    <Trans>Overlapping fields detected</Trans>
+                  </AlertTitle>
+                  <AlertDescription>
+                    <Trans>
+                      Some fields are placed on top of each other. This may complicate the signing process or cause
+                      fields to not work as expected.
+                    </Trans>
+                  </AlertDescription>
+                </div>
+              </div>
+            </Alert>
+          )}
+
          {currentEnvelopeItem !== null ? (
            <EnvelopePdfViewer
              customPageRenderer={EnvelopeEditorFieldsPageRenderer}
@@ -148,6 +148,11 @@ export default function EnvelopeEditorHeader() {
                    <Trans>Rejected</Trans>
                  </Badge>
                ))
+                .with(DocumentStatus.CANCELLED, () => (
+                  <Badge variant="destructive" className="shrink-0">
+                    <Trans>Cancelled</Trans>
+                  </Badge>
+                ))
                .exhaustive()}

            {autosaveError && (
@@ -89,7 +89,7 @@ export const EnvelopeSignerCompleteDialog = () => {
    recipientDetails?: { name: string; email: string },
  ) => {
    try {
-      await completeDocument({
+      const result = await completeDocument({
        token: recipient.token,
        documentId: mapSecondaryIdToDocumentId(envelope.secondaryId),
        accessAuthOptions,
@@ -97,6 +97,15 @@ export const EnvelopeSignerCompleteDialog = () => {
        ...(nextSigner?.email && nextSigner?.name ? { nextSigner } : {}),
      });

+      // TSP envelopes can't be completed via the SES path; the mutation returns
+      // a credential-scope OAuth URL the recipient must follow to acquire a SAD
+      // before the sync sign mutation can run. Short-circuit here so the
+      // analytics / completion handlers don't run with a still-unsigned doc.
+      if (result.status === 'REDIRECT') {
+        window.location.href = result.redirectUrl;
+        return;
+      }
+
      analytics.capture('App: Recipient has completed signing', {
        signerId: recipient.id,
        documentId: envelope.id,
@@ -119,7 +128,7 @@ export const EnvelopeSignerCompleteDialog = () => {
      if (envelope.documentMeta.redirectUrl) {
        window.location.href = envelope.documentMeta.redirectUrl;
      } else {
-        await navigate(`/sign/${recipient.token}/complete`);
+        window.location.href = `/sign/${recipient.token}/complete`;
      }
    } catch (err) {
      const error = AppError.parseError(err);
@@ -197,7 +206,7 @@ export const EnvelopeSignerCompleteDialog = () => {
      if (redirectUrl) {
        window.location.href = redirectUrl;
      } else {
-        await navigate(`/sign/${token}/complete`);
+        window.location.href = `/sign/${token}/complete`;
      }
    } catch (err) {
      console.log('err', err);
@@ -66,7 +66,7 @@ export const DocumentsTableActionButton = ({ row }: DocumentsTableActionButtonPr
    ))
    .with({ isRecipient: true, isPending: true, isSigned: false }, () => (
      <Button className="w-32" asChild>
-        <Link to={`/sign/${recipient?.token}`}>
+        <a href={`/sign/${recipient?.token}`}>
          {match(role)
            .with(RecipientRole.SIGNER, () => (
              <>
@@ -86,7 +86,7 @@ export const DocumentsTableActionButton = ({ row }: DocumentsTableActionButtonPr
                <Trans>View</Trans>
              </>
            ))}
-        </Link>
+        </a>
      </Button>
    ))
    .with({ isPending: true, isSigned: true }, () => (
@@ -3,7 +3,7 @@ import type { TDocumentMany as TDocumentRow } from '@documenso/lib/types/documen
 import { isDocumentCompleted } from '@documenso/lib/utils/document';
 import { getEnvelopeItemPermissions } from '@documenso/lib/utils/envelope';
 import { findRecipientByEmail } from '@documenso/lib/utils/recipients';
-import { formatDocumentsPath } from '@documenso/lib/utils/teams';
+import { formatDocumentsPath, isMemberManagerOrAbove } from '@documenso/lib/utils/teams';
 import { trpc as trpcReact } from '@documenso/trpc/react';
 import { DocumentShareButton } from '@documenso/ui/components/document/document-share-button';
 import {
@@ -25,18 +25,21 @@ import {
  EyeIcon,
  FileOutputIcon,
  FolderInput,
+  History,
  Loader,
  MoreHorizontal,
  Pencil,
  Share,
  Trash2,
+  XCircle,
 } from 'lucide-react';
 import { useState } from 'react';
 import { Link } from 'react-router';

-import { DocumentResendDialog } from '~/components/dialogs/document-resend-dialog';
+import { EnvelopeCancelDialog } from '~/components/dialogs/envelope-cancel-dialog';
 import { EnvelopeDeleteDialog } from '~/components/dialogs/envelope-delete-dialog';
 import { EnvelopeDuplicateDialog } from '~/components/dialogs/envelope-duplicate-dialog';
+import { EnvelopeRedistributeDialog } from '~/components/dialogs/envelope-redistribute-dialog';
 import { EnvelopeSaveAsTemplateDialog } from '~/components/dialogs/envelope-save-as-template-dialog';
 import { DocumentRecipientLinkCopyDialog } from '~/components/general/document/document-recipient-link-copy-dialog';
 import { useCurrentTeam } from '~/providers/team';
@@ -74,6 +77,12 @@ export const DocumentsTableActionDropdown = ({ row, onMoveDocument }: DocumentsT
  const isCurrentTeamDocument = team && row.team?.url === team.url;
  const canManageDocument = Boolean(isOwner || isCurrentTeamDocument);

+  // Cancelling a document is restricted server-side to the document owner or a
+  // privileged team member (ADMIN/MANAGER). Mirror that here so plain MEMBERs
+  // don't see a Cancel action that would fail on the server.
+  const isPrivilegedTeamMember = isMemberManagerOrAbove(team.currentTeamRole);
+  const canCancelDocument = isOwner || isPrivilegedTeamMember;
+
  const { canTitleBeChanged } = getEnvelopeItemPermissions(
    {
      completedAt: row.completedAt,
@@ -87,8 +96,6 @@ export const DocumentsTableActionDropdown = ({ row, onMoveDocument }: DocumentsT
  const documentsPath = formatDocumentsPath(team.url);
  const formatPath = `${documentsPath}/${row.envelopeId}/edit`;

-  const nonSignedRecipients = row.recipients.filter((item) => item.signingStatus !== 'SIGNED');
-
  return (
    <DropdownMenu>
      <DropdownMenuTrigger data-testid="document-table-action-btn">
@@ -105,7 +112,7 @@ export const DocumentsTableActionDropdown = ({ row, onMoveDocument }: DocumentsT
          recipient?.role !== RecipientRole.CC &&
          recipient?.role !== RecipientRole.ASSISTANT && (
            <DropdownMenuItem disabled={!recipient || isComplete} asChild>
-              <Link to={`/sign/${recipient?.token}`}>
+              <a href={`/sign/${recipient?.token}`}>
                {recipient?.role === RecipientRole.VIEWER && (
                  <>
                    <EyeIcon className="mr-2 h-4 w-4" />
@@ -126,7 +133,7 @@ export const DocumentsTableActionDropdown = ({ row, onMoveDocument }: DocumentsT
                    <Trans>Approve</Trans>
                  </>
                )}
-              </Link>
+              </a>
            </DropdownMenuItem>
          )}

@@ -184,11 +191,23 @@ export const DocumentsTableActionDropdown = ({ row, onMoveDocument }: DocumentsT
          </DropdownMenuItem>
        )}

-        {/* No point displaying this if there's no functionality. */}
-        {/* <DropdownMenuItem disabled>
-          <XCircle className="mr-2 h-4 w-4" />
-          Void
-        </DropdownMenuItem> */}
+        {canCancelDocument && isPending && (
+          <EnvelopeCancelDialog
+            id={row.envelopeId}
+            title={row.title}
+            onCancel={async () => {
+              await trpcUtils.document.findDocumentsInternal.invalidate();
+            }}
+            trigger={
+              <DropdownMenuItem asChild onSelect={(e) => e.preventDefault()}>
+                <div>
+                  <XCircle className="mr-2 h-4 w-4" />
+                  <Trans>Cancel</Trans>
+                </div>
+              </DropdownMenuItem>
+            }
+          />
+        )}

        <EnvelopeDeleteDialog
          id={row.envelopeId}
@@ -224,7 +243,25 @@ export const DocumentsTableActionDropdown = ({ row, onMoveDocument }: DocumentsT
          />
        )}

-        <DocumentResendDialog document={row} recipients={nonSignedRecipients} />
+        {canManageDocument && (
+          <EnvelopeRedistributeDialog
+            envelope={{
+              id: row.envelopeId,
+              status: row.status,
+              type: EnvelopeType.DOCUMENT,
+              recipients: row.recipients,
+            }}
+            envelopeType={EnvelopeType.DOCUMENT}
+            trigger={
+              <DropdownMenuItem asChild onSelect={(e) => e.preventDefault()}>
+                <div>
+                  <History className="mr-2 h-4 w-4" />
+                  <Trans>Resend</Trans>
+                </div>
+              </DropdownMenuItem>
+            }
+          />
+        )}

        <DocumentShareButton
          documentId={row.id}
@@ -1,7 +1,7 @@
 import { ExtendedDocumentStatus } from '@documenso/prisma/types/extended-document-status';
 import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
-import { Bird, CheckCircle2 } from 'lucide-react';
+import { Bird, CheckCircle2, XCircle } from 'lucide-react';
 import { match } from 'ts-pattern';

 export type DocumentsTableEmptyStateProps = { status: ExtendedDocumentStatus };
@@ -24,6 +24,11 @@ export const DocumentsTableEmptyState = ({ status }: DocumentsTableEmptyStatePro
      message: msg`There are no active drafts at the current moment. You can upload a document to start drafting.`,
      icon: CheckCircle2,
    }))
+    .with(ExtendedDocumentStatus.CANCELLED, () => ({
+      title: msg`Nothing cancelled`,
+      message: msg`There are no cancelled documents. Documents you cancel will remain here as a record that they were distributed.`,
+      icon: XCircle,
+    }))
    .with(ExtendedDocumentStatus.ALL, () => ({
      title: msg`We're all empty`,
      message: msg`You have not yet created or received any documents. To create a document please upload one.`,
@@ -29,7 +29,7 @@ export type DocumentsTableProps = {
  data?: TFindDocumentsResponse;
  isLoading?: boolean;
  isLoadingError?: boolean;
-  onMoveDocument?: (documentId: number) => void;
+  onMoveDocument?: (envelopeId: string) => void;
  enableSelection?: boolean;
  rowSelection?: RowSelectionState;
  onRowSelectionChange?: (selection: RowSelectionState) => void;
@@ -117,7 +117,7 @@ export const DocumentsTable = ({
              <DocumentsTableActionButton row={row.original} />
              <DocumentsTableActionDropdown
                row={row.original}
-                onMoveDocument={onMoveDocument ? () => onMoveDocument(row.original.id) : undefined}
+                onMoveDocument={onMoveDocument ? () => onMoveDocument(row.original.envelopeId) : undefined}
              />
            </div>
          ),
@@ -1,11 +1,12 @@
 import { Button } from '@documenso/ui/primitives/button';
 import { Trans, useLingui } from '@lingui/react/macro';
-import { FolderInputIcon, Trash2Icon, XIcon } from 'lucide-react';
+import { FolderInputIcon, Trash2Icon, XCircleIcon, XIcon } from 'lucide-react';

 export type EnvelopesTableBulkActionBarProps = {
  selectedCount: number;
  onMoveClick: () => void;
  onDeleteClick: () => void;
+  onCancelClick?: () => void;
  onClearSelection: () => void;
 };

@@ -13,6 +14,7 @@ export const EnvelopesTableBulkActionBar = ({
  selectedCount,
  onMoveClick,
  onDeleteClick,
+  onCancelClick,
  onClearSelection,
 }: EnvelopesTableBulkActionBarProps) => {
  const { t } = useLingui();
@@ -34,6 +36,13 @@ export const EnvelopesTableBulkActionBar = ({
        <Trans>Move to Folder</Trans>
      </Button>

+      {onCancelClick && (
+        <Button type="button" variant="outline" size="sm" onClick={onCancelClick}>
+          <XCircleIcon className="mr-2 h-4 w-4" />
+          <Trans>Cancel</Trans>
+        </Button>
+      )}
+
      <Button type="button" variant="destructive" size="sm" onClick={onDeleteClick}>
        <Trash2Icon className="mr-2 h-4 w-4" />
        <Trans>Delete</Trans>
@@ -17,7 +17,7 @@ import { DocumentStatus as DocumentStatusEnum, RecipientRole, SigningStatus } fr
 import { CheckCircleIcon, DownloadIcon, EyeIcon, Loader, PencilIcon } from 'lucide-react';
 import { DateTime } from 'luxon';
 import { useMemo, useTransition } from 'react';
-import { Link, useSearchParams } from 'react-router';
+import { useSearchParams } from 'react-router';
 import { match } from 'ts-pattern';

 import { DocumentStatus } from '~/components/general/document/document-status';
@@ -200,7 +200,7 @@ export const InboxTableActionButton = ({ row }: InboxTableActionButtonProps) =>
  })
    .with({ isPending: true, isSigned: false }, () => (
      <Button className="w-32" asChild>
-        <Link to={`/sign/${recipient?.token}`}>
+        <a href={`/sign/${recipient?.token}`}>
          {match(role)
            .with(RecipientRole.SIGNER, () => (
              <>
@@ -220,7 +220,7 @@ export const InboxTableActionButton = ({ row }: InboxTableActionButtonProps) =>
                <Trans>View</Trans>
              </>
            ))}
-        </Link>
+        </a>
      </Button>
    ))
    .with({ isPending: true, isSigned: true }, () => (
@@ -29,7 +29,7 @@ import { useSearchParams } from 'react-router';

 import { useCurrentTeam } from '~/providers/team';

-import { TeamMemberDeleteDialog } from '../dialogs/team-member-delete-dialog';
+import { TeamMemberDeleteDialog, type TeamMemberDeleteDisableReason } from '../dialogs/team-member-delete-dialog';
 import { TeamMemberUpdateDialog } from '../dialogs/team-member-update-dialog';
 import { TeamInheritMemberAlert } from '../general/teams/team-inherit-member-alert';

@@ -86,6 +86,39 @@ export const TeamMembersTable = () => {
  );

  const columns = useMemo(() => {
+    // A member is a direct team member when they belong to one of the team's
+    // INTERNAL_TEAM groups. Otherwise they are inherited from an organisation or
+    // custom group and cannot be managed directly from this team.
+    const isMemberPartOfInternalTeamGroup = (memberId: string) =>
+      groups.some(
+        (group) =>
+          group.organisationGroupType === OrganisationGroupType.INTERNAL_TEAM &&
+          group.members.some((member) => member.id === memberId),
+      );
+
+    // Determine why a member can't be removed from the team (if at all). The delete
+    // dialog uses this to explain the reason instead of attempting a removal that
+    // would fail.
+    const getDeleteDisableReason = (member: (typeof results)['data'][number]): TeamMemberDeleteDisableReason | null => {
+      if (organisation.ownerUserId === member.userId) {
+        return 'TEAM_OWNER';
+      }
+
+      if (!isTeamRoleWithinUserHierarchy(team.currentTeamRole, member.teamRole)) {
+        return 'HIGHER_ROLE';
+      }
+
+      if (memberAccessTeamGroup !== undefined) {
+        return 'INHERIT_MEMBER_ENABLED';
+      }
+
+      if (!isMemberPartOfInternalTeamGroup(member.id)) {
+        return 'INHERITED_MEMBER';
+      }
+
+      return null;
+    };
+
    return [
      {
        header: _(msg`Team Member`),
@@ -111,15 +144,7 @@ export const TeamMembersTable = () => {
      },
      {
        header: _(msg`Source`),
-        cell: ({ row }) => {
-          const internalTeamGroupFound = groups.find(
-            (group) =>
-              group.organisationGroupType === OrganisationGroupType.INTERNAL_TEAM &&
-              group.members.some((member) => member.id === row.original.id),
-          );
-
-          return internalTeamGroupFound ? _(msg`Member`) : _(msg`Group`);
-        },
+        cell: ({ row }) => (isMemberPartOfInternalTeamGroup(row.original.id) ? _(msg`Member`) : _(msg`Group`)),
      },
      {
        header: _(msg`Actions`),
@@ -161,16 +186,9 @@ export const TeamMembersTable = () => {
                memberId={row.original.id}
                memberName={row.original.name ?? ''}
                memberEmail={row.original.email}
-                isInheritMemberEnabled={memberAccessTeamGroup !== undefined}
+                disableReason={getDeleteDisableReason(row.original)}
                trigger={
-                  <DropdownMenuItem
-                    onSelect={(e) => e.preventDefault()}
-                    disabled={
-                      organisation.ownerUserId === row.original.userId ||
-                      !isTeamRoleWithinUserHierarchy(team.currentTeamRole, row.original.teamRole)
-                    }
-                    title={_(msg`Remove team member`)}
-                  >
+                  <DropdownMenuItem onSelect={(e) => e.preventDefault()} title={_(msg`Remove team member`)}>
                    <Trash2Icon className="mr-2 h-4 w-4" />
                    <Trans>Remove</Trans>
                  </DropdownMenuItem>
@@ -11,15 +11,15 @@ import { Trans } from '@lingui/react/macro';
 import { DocumentStatus, EnvelopeType, type TemplateDirectLink } from '@prisma/client';
 import { Copy, Download, Edit, FolderIcon, MoreHorizontal, Pencil, Share2Icon, Trash2, Upload } from 'lucide-react';
 import { useState } from 'react';
-import { Link } from 'react-router';
+import { Link, useNavigate } from 'react-router';

 import { EnvelopeDeleteDialog } from '../dialogs/envelope-delete-dialog';
 import { EnvelopeDownloadDialog } from '../dialogs/envelope-download-dialog';
 import { EnvelopeDuplicateDialog } from '../dialogs/envelope-duplicate-dialog';
 import { EnvelopeRenameDialog } from '../dialogs/envelope-rename-dialog';
+import { EnvelopesBulkMoveDialog } from '../dialogs/envelopes-bulk-move-dialog';
 import { TemplateBulkSendDialog } from '../dialogs/template-bulk-send-dialog';
 import { TemplateDirectLinkDialog } from '../dialogs/template-direct-link-dialog';
-import { TemplateMoveToFolderDialog } from '../dialogs/template-move-to-folder-dialog';

 export type TemplatesTableActionDropdownProps = {
  row: {
@@ -44,6 +44,7 @@ export const TemplatesTableActionDropdown = ({
  onDelete,
 }: TemplatesTableActionDropdownProps) => {
  const trpcUtils = trpcReact.useUtils();
+  const navigate = useNavigate();

  const [isRenameDialogOpen, setRenameDialogOpen] = useState(false);
  const [isMoveToFolderDialogOpen, setMoveToFolderDialogOpen] = useState(false);
@@ -153,12 +154,13 @@ export const TemplatesTableActionDropdown = ({
        )}
      </DropdownMenuContent>

-      <TemplateMoveToFolderDialog
-        templateId={row.id}
-        templateTitle={row.title}
-        isOpen={isMoveToFolderDialogOpen}
+      <EnvelopesBulkMoveDialog
+        envelopeIds={[row.envelopeId]}
+        envelopeType={EnvelopeType.TEMPLATE}
+        open={isMoveToFolderDialogOpen}
        onOpenChange={setMoveToFolderDialogOpen}
-        currentFolderId={row.folderId}
+        currentFolderId={row.folderId ?? undefined}
+        onSuccess={(folderId) => navigate(folderId ? `${templateRootPath}/f/${folderId}` : templateRootPath)}
      />

      <EnvelopeRenameDialog
@@ -224,6 +224,7 @@ export default function DocumentPage({ params }: Route.ComponentProps) {
                {match(envelope.status)
                  .with(DocumentStatus.COMPLETED, () => <Trans>This document has been signed by all recipients</Trans>)
                  .with(DocumentStatus.REJECTED, () => <Trans>This document has been rejected by a recipient</Trans>)
+                  .with(DocumentStatus.CANCELLED, () => <Trans>This document has been cancelled</Trans>)
                  .with(DocumentStatus.DRAFT, () => (
                    <Trans>This document is currently a draft and has not been sent</Trans>
                  ))
@@ -153,11 +153,11 @@ export default function DocumentsLogsPage({ loaderData }: Route.ComponentProps)
          <div className="mt-4 flex w-full flex-row sm:mt-0 sm:w-auto sm:self-end">
            <DocumentCertificateDownloadButton
              className="mr-2"
-              documentId={document.id}
+              envelopeId={document.envelopeId}
              documentStatus={document.status}
            />

-            <DocumentAuditLogDownloadButton documentId={document.id} />
+            <DocumentAuditLogDownloadButton envelopeId={document.envelopeId} />
          </div>
        </div>
      </div>
@@ -16,10 +16,10 @@ import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
 import { EnvelopeType, FolderType, OrganisationType } from '@prisma/client';
 import { useEffect, useMemo, useState } from 'react';
-import { Link, useParams, useSearchParams } from 'react-router';
+import { Link, useNavigate, useParams, useSearchParams } from 'react-router';
 import { z } from 'zod';

-import { DocumentMoveToFolderDialog } from '~/components/dialogs/document-move-to-folder-dialog';
+import { EnvelopesBulkCancelDialog } from '~/components/dialogs/envelopes-bulk-cancel-dialog';
 import { EnvelopesBulkDeleteDialog } from '~/components/dialogs/envelopes-bulk-delete-dialog';
 import { EnvelopesBulkMoveDialog } from '~/components/dialogs/envelopes-bulk-move-dialog';
 import { DocumentSearch } from '~/components/general/document/document-search';
@@ -54,13 +54,17 @@ export default function DocumentsPage() {

  const { folderId } = useParams();
  const [searchParams] = useSearchParams();
+  const navigate = useNavigate();
+
+  const documentsPath = formatDocumentsPath(team.url);

  const [isMovingDocument, setIsMovingDocument] = useState(false);
-  const [documentToMove, setDocumentToMove] = useState<number | null>(null);
+  const [documentToMove, setDocumentToMove] = useState<string | null>(null);

  const [rowSelection, setRowSelection] = useSessionStorage<RowSelectionState>('documents-bulk-selection', {});
  const [isBulkMoveDialogOpen, setIsBulkMoveDialogOpen] = useState(false);
  const [isBulkDeleteDialogOpen, setIsBulkDeleteDialogOpen] = useState(false);
+  const [isBulkCancelDialogOpen, setIsBulkCancelDialogOpen] = useState(false);

  const selectedEnvelopeIds = useMemo(() => {
    return Object.keys(rowSelection).filter((id) => rowSelection[id]);
@@ -71,6 +75,7 @@ export default function DocumentsPage() {
    [ExtendedDocumentStatus.PENDING]: 0,
    [ExtendedDocumentStatus.COMPLETED]: 0,
    [ExtendedDocumentStatus.REJECTED]: 0,
+    [ExtendedDocumentStatus.CANCELLED]: 0,
    [ExtendedDocumentStatus.INBOX]: 0,
    [ExtendedDocumentStatus.ALL]: 0,
  });
@@ -150,6 +155,7 @@ export default function DocumentsPage() {
                  ExtendedDocumentStatus.INBOX,
                  ExtendedDocumentStatus.PENDING,
                  ExtendedDocumentStatus.COMPLETED,
+                  ExtendedDocumentStatus.CANCELLED,
                  ExtendedDocumentStatus.DRAFT,
                  ExtendedDocumentStatus.ALL,
                ]
@@ -196,8 +202,8 @@ export default function DocumentsPage() {
                data={data}
                isLoading={isLoading}
                isLoadingError={isLoadingError}
-                onMoveDocument={(documentId) => {
-                  setDocumentToMove(documentId);
+                onMoveDocument={(envelopeId) => {
+                  setDocumentToMove(envelopeId);
                  setIsMovingDocument(true);
                }}
                enableSelection
@@ -209,8 +215,9 @@ export default function DocumentsPage() {
        </div>

        {documentToMove && (
-          <DocumentMoveToFolderDialog
-            documentId={documentToMove}
+          <EnvelopesBulkMoveDialog
+            envelopeIds={[documentToMove]}
+            envelopeType={EnvelopeType.DOCUMENT}
            open={isMovingDocument}
            currentFolderId={folderId}
            onOpenChange={(open) => {
@@ -220,6 +227,9 @@ export default function DocumentsPage() {
                setDocumentToMove(null);
              }
            }}
+            onSuccess={(destinationFolderId) =>
+              navigate(destinationFolderId ? `${documentsPath}/f/${destinationFolderId}` : documentsPath)
+            }
          />
        )}

@@ -227,6 +237,7 @@ export default function DocumentsPage() {
          selectedCount={selectedEnvelopeIds.length}
          onMoveClick={() => setIsBulkMoveDialogOpen(true)}
          onDeleteClick={() => setIsBulkDeleteDialogOpen(true)}
+          onCancelClick={() => setIsBulkCancelDialogOpen(true)}
          onClearSelection={() => setRowSelection({})}
        />

@@ -246,6 +257,13 @@ export default function DocumentsPage() {
          onOpenChange={setIsBulkDeleteDialogOpen}
          onSuccess={() => setRowSelection({})}
        />
+
+        <EnvelopesBulkCancelDialog
+          envelopeIds={selectedEnvelopeIds}
+          open={isBulkCancelDialogOpen}
+          onOpenChange={setIsBulkCancelDialogOpen}
+          onSuccess={() => setRowSelection({})}
+        />
      </div>
    </EnvelopeDropZoneWrapper>
  );
@@ -1,7 +1,14 @@
 import signingCelebration from '@documenso/assets/images/signing-celebration.png';
 import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
+import {
+  buildClearCscBlockingErrorCookieHeader,
+  readCscBlockingErrorFromRequest,
+} from '@documenso/ee/server-only/signing/csc/cookies/blocking-error-cookie';
+import { readCscSadSessionFromRequest } from '@documenso/ee/server-only/signing/csc/cookies/sad-session-cookie';
+import { readCscServiceSessionFromRequest } from '@documenso/ee/server-only/signing/csc/cookies/service-session-cookie';
 import { EnvelopeRenderProvider } from '@documenso/lib/client-only/providers/envelope-render-provider';
 import { useOptionalSession } from '@documenso/lib/client-only/providers/session';
+import { IS_INSTANCE_CSC_MODE } from '@documenso/lib/constants/app';
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { loadRecipientBrandingByTeamId } from '@documenso/lib/server-only/branding/load-recipient-branding';
 import { getDocumentAndSenderByToken } from '@documenso/lib/server-only/document/get-document-by-token';
@@ -18,6 +25,7 @@ import { getRecipientsForAssistant } from '@documenso/lib/server-only/recipient/
 import { getTeamSettings } from '@documenso/lib/server-only/team/get-team-settings';
 import { getUserByEmail } from '@documenso/lib/server-only/user/get-user-by-email';
 import { DocumentAccessAuth } from '@documenso/lib/types/document-auth';
+import { isTspEnvelope } from '@documenso/lib/types/signature-level';
 import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
 import { isRecipientExpired } from '@documenso/lib/utils/recipients';
 import { prisma } from '@documenso/prisma';
@@ -30,6 +38,8 @@ import { getOptionalLoaderContext } from 'server/utils/get-loader-session';
 import { match } from 'ts-pattern';

 import { Header as AuthenticatedHeader } from '~/components/general/app-header';
+import { CscRecipientBlockedPage } from '~/components/general/document-signing/csc-recipient-blocked-page';
+import { CscRecipientSigningInProgressPage } from '~/components/general/document-signing/csc-recipient-signing-in-progress-page';
 import { DocumentSigningAuthPageView } from '~/components/general/document-signing/document-signing-auth-page';
 import { DocumentSigningAuthProvider } from '~/components/general/document-signing/document-signing-auth-provider';
 import { DocumentSigningPageViewV1 } from '~/components/general/document-signing/document-signing-page-view-v1';
@@ -257,6 +267,58 @@ const handleV2Loader = async ({ params, request }: Route.LoaderArgs) => {
    recipientAccessAuth: derivedRecipientAccessAuth,
  }).catch(() => null);

+  // CSC / TSP routing. TSP envelopes have three terminal recipient-page
+  // states beyond the normal signing UI:
+  //   1. `blocked` — service-scope OAuth returned a hard error (set by the
+  //      callback as a one-shot `csc_blocking_error` cookie).
+  //   2. `signing-in-progress` — credential-scope OAuth completed, SAD is
+  //      attached server-side, page auto-fires the sync sign mutation.
+  //   3. pre-auth — no service token yet, kick the recipient into
+  //      service-scope OAuth.
+  // The fourth state (service session valid, no SAD, no blocking error) falls
+  // through to the normal signing UI.
+  if (IS_INSTANCE_CSC_MODE() && isTspEnvelope(envelope)) {
+    const blockingError = await readCscBlockingErrorFromRequest(request);
+
+    if (blockingError && blockingError.recipientToken === token) {
+      return {
+        isDocumentAccessValid: true,
+        envelopeForSigning,
+        csc: { state: 'blocked', code: blockingError.code } as const,
+        responseHeaders: { 'Set-Cookie': buildClearCscBlockingErrorCookieHeader() },
+      } as const;
+    }
+
+    const sadSessionId = await readCscSadSessionFromRequest(request);
+
+    if (sadSessionId) {
+      const cscSession = await prisma.cscSession.findUnique({
+        where: { id: sadSessionId },
+      });
+
+      const isSadSessionValid =
+        cscSession !== null &&
+        cscSession.recipientId === recipient.id &&
+        cscSession.encryptedSad !== null &&
+        cscSession.sadExpiresAt !== null &&
+        cscSession.sadExpiresAt > new Date();
+
+      if (isSadSessionValid) {
+        return {
+          isDocumentAccessValid: true,
+          envelopeForSigning,
+          csc: { state: 'signing-in-progress', sessionId: sadSessionId } as const,
+        } as const;
+      }
+    }
+
+    const serviceSessionToken = await readCscServiceSessionFromRequest(request);
+
+    if (serviceSessionToken !== token) {
+      throw redirect(`/api/csc/oauth/authorize?scope=service&token=${encodeURIComponent(token)}`);
+    }
+  }
+
  return {
    isDocumentAccessValid: true,
    envelopeForSigning,
@@ -296,11 +358,22 @@ export async function loader(loaderArgs: Route.LoaderArgs) {
  if (foundRecipient.envelope.internalVersion === 2) {
    const payloadV2 = await handleV2Loader(loaderArgs);

-    return superLoaderJson({
-      version: 2,
-      payload: payloadV2,
-      branding,
-    } as const);
+    // V2 payload may carry a one-shot `Set-Cookie` header (used to clear the
+    // CSC blocking-error cookie after the loader reads it). Forward it via
+    // the `superLoaderJson` response init so the browser actually applies the
+    // header. The field stays on the payload — it's just a `Max-Age=0` clear
+    // directive, not sensitive — and isn't read by any consumer.
+    const responseHeaders =
+      'responseHeaders' in payloadV2 && payloadV2.responseHeaders ? payloadV2.responseHeaders : undefined;
+
+    return superLoaderJson(
+      {
+        version: 2,
+        payload: payloadV2,
+        branding,
+      } as const,
+      responseHeaders ? { headers: responseHeaders } : undefined,
+    );
  }

  const payloadV1 = await handleV1Loader(loaderArgs);
@@ -430,6 +503,19 @@ const SigningPageV2 = ({ data }: { data: Awaited<ReturnType<typeof handleV2Loade
    return <DocumentSigningAuthPageView email={data.recipientEmail} emailHasAccount={!!data.recipientHasAccount} />;
  }

+  if ('csc' in data && data.csc?.state === 'blocked') {
+    return <CscRecipientBlockedPage code={data.csc.code} recipientToken={data.envelopeForSigning.recipient.token} />;
+  }
+
+  if ('csc' in data && data.csc?.state === 'signing-in-progress') {
+    return (
+      <CscRecipientSigningInProgressPage
+        sessionId={data.csc.sessionId}
+        recipientToken={data.envelopeForSigning.recipient.token}
+      />
+    );
+  }
+
  const { envelope, recipientSignature, recipient } = data.envelopeForSigning;

  if (envelope.deletedAt || envelope.status === DocumentStatus.REJECTED) {
@@ -9,7 +9,7 @@ import { Stepper } from '@documenso/ui/primitives/stepper';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 import { useLingui } from '@lingui/react';
 import { useLayoutEffect, useState } from 'react';
-import { useNavigate } from 'react-router';
+import { useNavigate, useSearchParams } from 'react-router';

 import { ConfigureDocumentProvider } from '~/components/embed/authoring/configure-document-context';
 import { ConfigureDocumentView } from '~/components/embed/authoring/configure-document-view';
@@ -22,6 +22,9 @@ export default function EmbeddingAuthoringDocumentCreatePage() {

  const { toast } = useToast();
  const navigate = useNavigate();
+  const [searchParams] = useSearchParams();
+
+  const presignToken = searchParams.get('token') ?? undefined;

  const [configuration, setConfiguration] = useState<TConfigureEmbedFormSchema | null>(null);
  const [fields, setFields] = useState<TConfigureFieldsFormSchema | null>(null);
@@ -57,11 +60,14 @@ export default function EmbeddingAuthoringDocumentCreatePage() {

      const fields = data.fields;

-      const documentData = await putPdfFile({
-        arrayBuffer: async () => Promise.resolve(configuration.documentData!.data.buffer),
-        name: configuration.documentData.name,
-        type: configuration.documentData.type,
-      });
+      const documentData = await putPdfFile(
+        {
+          arrayBuffer: async () => Promise.resolve(configuration.documentData!.data.buffer),
+          name: configuration.documentData.name,
+          type: configuration.documentData.type,
+        },
+        { presignToken },
+      );

      // Use the externalId from the URL fragment if available
      const documentExternalId = externalId || configuration.meta.externalId;
@@ -8,7 +8,7 @@ import { Stepper } from '@documenso/ui/primitives/stepper';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 import { useLingui } from '@lingui/react';
 import { useLayoutEffect, useState } from 'react';
-import { useNavigate } from 'react-router';
+import { useNavigate, useSearchParams } from 'react-router';

 import { ConfigureDocumentProvider } from '~/components/embed/authoring/configure-document-context';
 import { ConfigureDocumentView } from '~/components/embed/authoring/configure-document-view';
@@ -20,6 +20,9 @@ export default function EmbeddingAuthoringTemplateCreatePage() {
  const { _ } = useLingui();
  const { toast } = useToast();
  const navigate = useNavigate();
+  const [searchParams] = useSearchParams();
+
+  const presignToken = searchParams.get('token') ?? undefined;

  const [configuration, setConfiguration] = useState<TConfigureEmbedFormSchema | null>(null);
  const [fields, setFields] = useState<TConfigureFieldsFormSchema | null>(null);
@@ -55,11 +58,14 @@ export default function EmbeddingAuthoringTemplateCreatePage() {

      const fields = data.fields;

-      const documentData = await putPdfFile({
-        arrayBuffer: async () => Promise.resolve(configuration.documentData!.data.buffer),
-        name: configuration.documentData.name,
-        type: configuration.documentData.type,
-      });
+      const documentData = await putPdfFile(
+        {
+          arrayBuffer: async () => Promise.resolve(configuration.documentData!.data.buffer),
+          name: configuration.documentData.name,
+          type: configuration.documentData.type,
+        },
+        { presignToken },
+      );

      // Use the externalId from the URL fragment if available
      const metaWithExternalId = {
@@ -106,5 +106,5 @@
    "vite-plugin-babel-macros": "^1.0.6",
    "vite-tsconfig-paths": "^5.1.4"
  },
-  "version": "2.12.0"
+  "version": "2.13.0"
 }
@@ -1,7 +1,14 @@
-# General Issues
+# Report security vulnerabilities privately via GitHub Security Advisories (preferred).
+Contact: https://github.com/documenso/documenso/security/advisories/new
+
+# Alternatively, report critical issues privately by email.
+Contact: mailto:security@documenso.com
+
+# Security policy
+Policy: https://github.com/documenso/documenso/security/policy
+
+# General (non-security) issues
 Contact: https://github.com/documenso/documenso/issues/new?assignees=&labels=bug&projects=&template=bug-report.yml

-# Report critical issues privately to let us take appropriate action before publishing.
-Contact: mailto:security@documenso.com
 Preferred-Languages: en
-Canonical: https://documenso.com/.well-known/security.txt
+Canonical: https://documenso.com/.well-known/security.txt
@@ -1,20 +1,52 @@
+import { PDF_SIZE_A4_72PPI } from '@documenso/lib/constants/pdf';
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
-import { getEnvelopeById } from '@documenso/lib/server-only/envelope/get-envelope-by-id';
+import { getEnvelopeById, getEnvelopeWhereInput } from '@documenso/lib/server-only/envelope/get-envelope-by-id';
+import { generateAuditLogPdf } from '@documenso/lib/server-only/pdf/generate-audit-log-pdf';
+import { generateCertificatePdf } from '@documenso/lib/server-only/pdf/generate-certificate-pdf';
 import { getApiTokenByToken } from '@documenso/lib/server-only/public-api/get-api-token-by-token';
+import { isDocumentCompleted } from '@documenso/lib/utils/document';
 import { buildTeamWhereQuery } from '@documenso/lib/utils/teams';
 import { prisma } from '@documenso/prisma';
 import { sValidator } from '@hono/standard-validator';
-import { EnvelopeType } from '@prisma/client';
+import { DocumentStatus, EnvelopeType } from '@prisma/client';
+import contentDisposition from 'content-disposition';
 import { Hono } from 'hono';

 import type { HonoEnv } from '../../router';
 import { handleEnvelopeItemFileRequest } from '../files/files.helpers';
 import {
  ZDownloadDocumentRequestParamsSchema,
+  ZDownloadEnvelopeAuditLogPdfRequestParamsSchema,
+  ZDownloadEnvelopeCertificatePdfRequestParamsSchema,
  ZDownloadEnvelopeItemRequestParamsSchema,
  ZDownloadEnvelopeItemRequestQuerySchema,
 } from './download.types';

+/**
+ * Resolve and validate an API token from the Authorization header.
+ *
+ * Supports both "Authorization: Bearer api_xxx" and "Authorization: api_xxx".
+ */
+const resolveApiToken = async (authorizationHeader: string | undefined) => {
+  const [token] = (authorizationHeader || '').split('Bearer ').filter((s) => s.length > 0);
+
+  if (!token) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'API token was not provided',
+    });
+  }
+
+  const apiToken = await getApiTokenByToken({ token });
+
+  if (apiToken.user.disabled) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'User is disabled',
+    });
+  }
+
+  return apiToken;
+};
+
 export const downloadRoute = new Hono<HonoEnv>()
  /**
   * Download an envelope item by its ID.
@@ -30,24 +62,8 @@ export const downloadRoute = new Hono<HonoEnv>()
      try {
        const { envelopeItemId } = c.req.valid('param');
        const { version } = c.req.valid('query');
-        const authorizationHeader = c.req.header('authorization');

-        // Support for both "Authorization: Bearer api_xxx" and "Authorization: api_xxx"
-        const [token] = (authorizationHeader || '').split('Bearer ').filter((s) => s.length > 0);
-
-        if (!token) {
-          throw new AppError(AppErrorCode.UNAUTHORIZED, {
-            message: 'API token was not provided',
-          });
-        }
-
-        const apiToken = await getApiTokenByToken({ token });
-
-        if (apiToken.user.disabled) {
-          throw new AppError(AppErrorCode.UNAUTHORIZED, {
-            message: 'User is disabled',
-          });
-        }
+        const apiToken = await resolveApiToken(c.req.header('authorization'));

        logger.info({
          auth: 'api',
@@ -125,6 +141,180 @@ export const downloadRoute = new Hono<HonoEnv>()
      }
    },
  )
+  /**
+   * Download the audit log for a document as a PDF.
+   * Requires API key authentication via Authorization header.
+   */
+  .get(
+    '/envelope/:envelopeId/audit-log/pdf',
+    sValidator('param', ZDownloadEnvelopeAuditLogPdfRequestParamsSchema),
+    async (c) => {
+      const logger = c.get('logger');
+
+      try {
+        const { envelopeId } = c.req.valid('param');
+
+        const apiToken = await resolveApiToken(c.req.header('authorization'));
+
+        logger.info({
+          auth: 'api',
+          source: 'apiV2',
+          path: c.req.path,
+          userId: apiToken.user.id,
+          apiTokenId: apiToken.id,
+          envelopeId,
+        });
+
+        const envelope = await getEnvelopeById({
+          id: {
+            type: 'envelopeId',
+            id: envelopeId,
+          },
+          type: EnvelopeType.DOCUMENT,
+          userId: apiToken.user.id,
+          teamId: apiToken.teamId,
+        }).catch(() => null);
+
+        if (!envelope) {
+          return c.json({ error: 'Document not found' }, 404);
+        }
+
+        const auditLogPdf = await generateAuditLogPdf({
+          envelope,
+          recipients: envelope.recipients,
+          fields: envelope.fields,
+          language: envelope.documentMeta.language,
+          envelopeOwner: {
+            email: envelope.user.email,
+            name: envelope.user.name || '',
+          },
+          envelopeItems: envelope.envelopeItems.map((item) => item.title),
+          pageWidth: PDF_SIZE_A4_72PPI.width,
+          pageHeight: PDF_SIZE_A4_72PPI.height,
+        });
+
+        const result = await auditLogPdf.save();
+
+        const baseTitle = envelope.title.replace(/\.pdf$/i, '');
+
+        c.header('Content-Type', 'application/pdf');
+        c.header('Content-Disposition', contentDisposition(`${baseTitle}_audit-log.pdf`));
+        c.header('Cache-Control', 'no-cache, no-store, must-revalidate');
+
+        return c.body(result);
+      } catch (error) {
+        logger.error(error);
+
+        if (error instanceof AppError) {
+          const { status, body } = AppError.toRestAPIError(error);
+
+          return c.json({ error: body.message, code: error.code }, status);
+        }
+
+        return c.json({ error: 'Internal server error' }, 500);
+      }
+    },
+  )
+  /**
+   * Download the signing certificate for a completed document as a PDF.
+   * Requires API key authentication via Authorization header.
+   */
+  .get(
+    '/envelope/:envelopeId/certificate/pdf',
+    sValidator('param', ZDownloadEnvelopeCertificatePdfRequestParamsSchema),
+    async (c) => {
+      const logger = c.get('logger');
+
+      try {
+        const { envelopeId } = c.req.valid('param');
+
+        const apiToken = await resolveApiToken(c.req.header('authorization'));
+
+        logger.info({
+          auth: 'api',
+          source: 'apiV2',
+          path: c.req.path,
+          userId: apiToken.user.id,
+          apiTokenId: apiToken.id,
+          envelopeId,
+        });
+
+        const { envelopeWhereInput } = await getEnvelopeWhereInput({
+          id: {
+            type: 'envelopeId',
+            id: envelopeId,
+          },
+          type: EnvelopeType.DOCUMENT,
+          userId: apiToken.user.id,
+          teamId: apiToken.teamId,
+        });
+
+        const envelope = await prisma.envelope.findFirst({
+          where: envelopeWhereInput,
+          include: {
+            recipients: true,
+            fields: {
+              include: {
+                signature: true,
+              },
+            },
+            documentMeta: true,
+            user: {
+              select: {
+                email: true,
+                name: true,
+              },
+            },
+          },
+        });
+
+        if (!envelope) {
+          return c.json({ error: 'Document not found' }, 404);
+        }
+
+        // A cancelled document was never sealed/completed, so a signing certificate
+        // must not be generated for it.
+        if (!isDocumentCompleted(envelope.status) || envelope.status === DocumentStatus.CANCELLED) {
+          throw new AppError('DOCUMENT_NOT_COMPLETE', {
+            message: 'Document is not complete',
+          });
+        }
+
+        const certificatePdf = await generateCertificatePdf({
+          envelope,
+          recipients: envelope.recipients,
+          fields: envelope.fields,
+          language: envelope.documentMeta.language,
+          envelopeOwner: {
+            email: envelope.user.email,
+            name: envelope.user.name || '',
+          },
+          pageWidth: PDF_SIZE_A4_72PPI.width,
+          pageHeight: PDF_SIZE_A4_72PPI.height,
+        });
+
+        const result = await certificatePdf.save();
+
+        const baseTitle = envelope.title.replace(/\.pdf$/i, '');
+
+        c.header('Content-Type', 'application/pdf');
+        c.header('Content-Disposition', contentDisposition(`${baseTitle}_certificate.pdf`));
+        c.header('Cache-Control', 'no-cache, no-store, must-revalidate');
+
+        return c.body(result);
+      } catch (error) {
+        logger.error(error);
+
+        if (error instanceof AppError) {
+          const { status, body } = AppError.toRestAPIError(error);
+
+          return c.json({ error: body.message, code: error.code }, status);
+        }
+
+        return c.json({ error: 'Internal server error' }, 500);
+      }
+    },
+  )
  /**
   * Download a document by its ID.
   * Requires API key authentication via Authorization header.
@@ -134,24 +324,8 @@ export const downloadRoute = new Hono<HonoEnv>()

    try {
      const { documentId, version } = c.req.valid('param');
-      const authorizationHeader = c.req.header('authorization');

-      // Support for both "Authorization: Bearer api_xxx" and "Authorization: api_xxx"
-      const [token] = (authorizationHeader || '').split('Bearer ').filter((s) => s.length > 0);
-
-      if (!token) {
-        throw new AppError(AppErrorCode.UNAUTHORIZED, {
-          message: 'API token was not provided',
-        });
-      }
-
-      const apiToken = await getApiTokenByToken({ token });
-
-      if (apiToken.user.disabled) {
-        throw new AppError(AppErrorCode.UNAUTHORIZED, {
-          message: 'User is disabled',
-        });
-      }
+      const apiToken = await resolveApiToken(c.req.header('authorization'));

      logger.info({
        auth: 'api',
@@ -200,11 +374,9 @@ export const downloadRoute = new Hono<HonoEnv>()
      logger.error(error);

      if (error instanceof AppError) {
-        if (error.code === AppErrorCode.UNAUTHORIZED) {
-          return c.json({ error: error.message }, 401);
-        }
+        const { status, body } = AppError.toRestAPIError(error);

-        return c.json({ error: error.message }, 400);
+        return c.json({ error: body.message, code: error.code }, status);
      }

      return c.json({ error: 'Internal server error' }, 500);
@@ -30,3 +30,17 @@ export const ZDownloadDocumentRequestParamsSchema = z.object({
 });

 export type TDownloadDocumentRequestParams = z.infer<typeof ZDownloadDocumentRequestParamsSchema>;
+
+export const ZDownloadEnvelopeAuditLogPdfRequestParamsSchema = z.object({
+  envelopeId: z.string().describe('The ID of the envelope to download the audit log for.'),
+});
+
+export type TDownloadEnvelopeAuditLogPdfRequestParams = z.infer<typeof ZDownloadEnvelopeAuditLogPdfRequestParamsSchema>;
+
+export const ZDownloadEnvelopeCertificatePdfRequestParamsSchema = z.object({
+  envelopeId: z.string().describe('The ID of the envelope to download the certificate for.'),
+});
+
+export type TDownloadEnvelopeCertificatePdfRequestParams = z.infer<
+  typeof ZDownloadEnvelopeCertificatePdfRequestParamsSchema
+>;
@@ -1,4 +1,6 @@
+import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { verifyEmbeddingPresignToken } from '@documenso/lib/server-only/embedding-presign/verify-embedding-presign-token';
 import { generatePartialSignedPdf } from '@documenso/lib/server-only/pdf/generate-partial-signed-pdf';
 import { getTeamById } from '@documenso/lib/server-only/team/get-team';
 import { sha256 } from '@documenso/lib/universal/crypto';
@@ -26,6 +28,29 @@ type DocumentDataInput = {
  initialData: string;
 };

+export const resolveFileUploadUserId = async (c: Context<HonoEnv>): Promise<number | null> => {
+  const session = await getOptionalSession(c);
+
+  if (session.user?.id) {
+    return session.user.id;
+  }
+
+  const authorizationHeader = c.req.header('authorization');
+
+  const [bearerToken] = (authorizationHeader || '').split('Bearer ').filter((part) => part.length > 0);
+
+  const queryToken = c.req.query('token');
+  const presignToken = bearerToken || queryToken;
+
+  if (!presignToken) {
+    return null;
+  }
+
+  const verifiedToken = await verifyEmbeddingPresignToken({ token: presignToken }).catch(() => undefined);
+
+  return verifiedToken?.userId ?? null;
+};
+
 type EnvelopeForPendingDownload = {
  id: string;
  status: DocumentStatus;
@@ -10,8 +10,9 @@ import type { Prisma } from '@prisma/client';
 import { Hono } from 'hono';

 import type { HonoEnv } from '../../router';
-import { checkEnvelopeFileAccess, handleEnvelopeItemFileRequest } from './files.helpers';
+import { checkEnvelopeFileAccess, handleEnvelopeItemFileRequest, resolveFileUploadUserId } from './files.helpers';
 import {
+  isAllowedUploadContentType,
  type TGetPresignedPostUrlResponse,
  ZGetEnvelopeItemFileDownloadRequestParamsSchema,
  ZGetEnvelopeItemFileRequestParamsSchema,
@@ -31,6 +32,12 @@ export const filesRoute = new Hono<HonoEnv>()
   */
  .post('/upload-pdf', sValidator('form', ZUploadPdfRequestSchema), async (c) => {
    try {
+      const userId = await resolveFileUploadUserId(c);
+
+      if (!userId) {
+        return c.json({ error: 'Unauthorized' }, 401);
+      }
+
      const { file } = c.req.valid('form');

      if (!file) {
@@ -55,10 +62,20 @@ export const filesRoute = new Hono<HonoEnv>()
    }
  })
  .post('/presigned-post-url', sValidator('json', ZGetPresignedPostUrlRequestSchema), async (c) => {
+    const userId = await resolveFileUploadUserId(c);
+
+    if (!userId) {
+      return c.json({ error: 'Unauthorized' }, 401);
+    }
+
    const { fileName, contentType } = c.req.valid('json');

+    if (!isAllowedUploadContentType(contentType)) {
+      return c.json({ error: 'Unsupported content type' }, 400);
+    }
+
    try {
-      const { key, url } = await getPresignPostUrl(fileName, contentType);
+      const { key, url } = await getPresignPostUrl(fileName, contentType, userId);

      return c.json({ key, url } satisfies TGetPresignedPostUrlResponse);
    } catch (err) {
@@ -13,6 +13,14 @@ export const ZUploadPdfResponseSchema = DocumentDataSchema.pick({
 export type TUploadPdfRequest = z.infer<typeof ZUploadPdfRequestSchema>;
 export type TUploadPdfResponse = z.infer<typeof ZUploadPdfResponseSchema>;

+export const ALLOWED_UPLOAD_CONTENT_TYPES = ['application/pdf', 'image/jpeg', 'image/png', 'image/webp'] as const;
+
+export const isAllowedUploadContentType = (contentType: string): boolean => {
+  const normalizedContentType = contentType.split(';').at(0)?.trim().toLowerCase();
+
+  return ALLOWED_UPLOAD_CONTENT_TYPES.some((allowed) => allowed === normalizedContentType);
+};
+
 export const ZGetPresignedPostUrlRequestSchema = z.object({
  fileName: z.string().min(1),
  contentType: z.string().min(1),
@@ -1,5 +1,6 @@
 import { tsRestHonoApp } from '@documenso/api/hono';
 import { auth } from '@documenso/auth/server';
+import { csc } from '@documenso/ee/server-only/signing/csc/hono';
 import { jobsClient } from '@documenso/lib/jobs/client';
 import { LicenseClient } from '@documenso/lib/server-only/license/license-client';
 import { createRateLimitMiddleware } from '@documenso/lib/server-only/rate-limit/rate-limit-middleware';
@@ -111,6 +112,9 @@ app.route('/api/files', filesRoute);
 app.use('/api/ai/*', aiRateLimitMiddleware);
 app.route('/api/ai', aiRoute);

+// CSC OAuth routes (mounted from @documenso/ee).
+app.route('/api/csc', csc);
+
 // API servers.
 app.route('/api/v1', tsRestHonoApp);
 app.use('/api/jobs/*', jobsClient.getApiHandler());
@@ -1,12 +1,12 @@
 {
  "name": "@documenso/root",
-  "version": "2.12.0",
+  "version": "2.13.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@documenso/root",
-      "version": "2.12.0",
+      "version": "2.13.0",
      "hasInstallScript": true,
      "workspaces": [
        "apps/*",
@@ -15,7 +15,7 @@
      "dependencies": {
        "@ai-sdk/google-vertex": "3.0.81",
        "@documenso/prisma": "*",
-        "@libpdf/core": "^0.3.6",
+        "@libpdf/core": "^0.4.0",
        "@lingui/conf": "^5.6.0",
        "@lingui/core": "^5.6.0",
        "@marsidev/react-turnstile": "^1.5.0",
@@ -406,7 +406,7 @@
    },
    "apps/remix": {
      "name": "@documenso/remix",
-      "version": "2.12.0",
+      "version": "2.13.0",
      "dependencies": {
        "@cantoo/pdf-lib": "^2.5.3",
        "@documenso/api": "*",
@@ -4661,16 +4661,16 @@
      "license": "MIT"
    },
    "node_modules/@libpdf/core": {
-      "version": "0.3.6",
-      "resolved": "https://registry.npmjs.org/@libpdf/core/-/core-0.3.6.tgz",
-      "integrity": "sha512-VzRUXaDq+M9qrroKiipCgePK2mwKM3M6DY7B0yfXnxD4aYnUxD/nUtkcsHCBUUnJpkX9rWikdEhYa5vU8ZlReg==",
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/@libpdf/core/-/core-0.4.0.tgz",
+      "integrity": "sha512-G9nZRjf9DGDJaS/C23YWogk8akPM7O/6HfMslxVsKTKRbbbb+0szpQIetcGGUGRu7KtmBDmGDWCgz//DXSmq8A==",
      "license": "MIT",
      "dependencies": {
        "@noble/ciphers": "^2.2.0",
        "@noble/hashes": "^2.2.0",
        "@scure/base": "^2.2.0",
        "asn1js": "^3.0.10",
-        "lru-cache": "^11.4.0",
+        "lru-cache": "^11.5.1",
        "pako": "^2.1.0",
        "pkijs": "^3.4.0"
      },
@@ -4724,9 +4724,9 @@
      }
    },
    "node_modules/@libpdf/core/node_modules/lru-cache": {
-      "version": "11.4.0",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.4.0.tgz",
-      "integrity": "sha512-W+R+kFL4HgVxONq2bhXPi3bGpzGe/yEhVOp233qw9wCRtgncJ15P3bC+e4zZMu4Cq7d+WAJjXGW0uUkifhcatA==",
+      "version": "11.5.1",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.5.1.tgz",
+      "integrity": "sha512-RPimw/7aMdv2oqRrxKwvZXcPfwBrn/JZ2xYcY9Hus/6LaS3VOAKVWKWgNLCFSiOm1ESXinjsDlidVU7JlnCN2A==",
      "license": "BlueOak-1.0.0",
      "engines": {
        "node": "20 || >=22"
@@ -30593,6 +30593,8 @@
        "@aws-sdk/client-sesv2": "^3.998.0",
        "@documenso/lib": "*",
        "@documenso/prisma": "*",
+        "arctic": "^3.7.0",
+        "hono": "^4.12.14",
        "luxon": "^3.7.2",
        "react": "^18",
        "ts-pattern": "^5.9.0",
@@ -5,7 +5,7 @@
    "apps/*",
    "packages/*"
  ],
-  "version": "2.12.0",
+  "version": "2.13.0",
  "scripts": {
    "postinstall": "patch-package",
    "build": "turbo run build",
@@ -35,7 +35,6 @@
    "with:env": "dotenv -e .env -e .env.local --",
    "reset:hard": "npm run clean && npm i && npm run prisma:generate",
    "precommit": "npm install && git add package.json package-lock.json",
-    "trigger:dev": "npm run with:env -- npx trigger-cli dev --handler-path=\"/api/jobs\"",
    "inngest:dev": "inngest dev -u http://localhost:3000/api/jobs",
    "make:version": "npm version --workspace @documenso/remix --include-workspace-root --no-git-tag-version -m \"v%s\"",
    "translate": "npm run translate:extract && npm run translate:compile",
@@ -88,7 +87,7 @@
  "dependencies": {
    "@ai-sdk/google-vertex": "3.0.81",
    "@documenso/prisma": "*",
-    "@libpdf/core": "^0.3.6",
+    "@libpdf/core": "^0.4.0",
    "@lingui/conf": "^5.6.0",
    "@lingui/core": "^5.6.0",
    "@prisma/extension-read-replicas": "^0.4.1",
@@ -1,7 +1,7 @@
 import { getServerLimits } from '@documenso/ee/server-only/limits/server';
 import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
 import { DATE_FORMATS, DEFAULT_DOCUMENT_DATE_FORMAT } from '@documenso/lib/constants/date-formats';
-import { DocumentDataType, EnvelopeType, SigningStatus } from '@prisma/client';
+import { DocumentDataType, DocumentStatus, EnvelopeType, SigningStatus } from '@prisma/client';
 import { tsr } from '@ts-rest/serverless/fetch';
 import { match } from 'ts-pattern';
 import '@documenso/lib/constants/time-zones';
@@ -240,7 +240,12 @@ export const ApiContractV1Implementation = tsr.router(ApiContractV1, {
        };
      }

-      if (!downloadOriginalDocument && !isDocumentCompleted(envelope.status)) {
+      // A cancelled document was never sealed, so its data is the unsigned original.
+      // Treat it as not-completed here so a "signed" version is never served for it.
+      // REJECTED and COMPLETED keep their prior behavior.
+      const hasSignedArtifact = isDocumentCompleted(envelope.status) && envelope.status !== DocumentStatus.CANCELLED;
+
+      if (!downloadOriginalDocument && !hasSignedArtifact) {
        return {
          status: 400,
          body: {
@@ -0,0 +1,64 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { createApiToken } from '@documenso/lib/server-only/public-api/create-api-token';
+import { mapSecondaryIdToDocumentId } from '@documenso/lib/utils/envelope';
+import { prisma } from '@documenso/prisma';
+import { SendStatus, SigningStatus } from '@documenso/prisma/client';
+import { seedPendingDocument } from '@documenso/prisma/seed/documents';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, test } from '@playwright/test';
+import type { Team, User } from '@prisma/client';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+const baseUrl = `${WEBAPP_BASE_URL}/api/v2-beta`;
+
+test.describe.configure({
+  mode: 'parallel',
+});
+
+test.describe('Redistribute updates recipient send status', () => {
+  let user: User, team: Team, token: string;
+
+  test.beforeEach(async () => {
+    ({ user, team } = await seedUser());
+    ({ token } = await createApiToken({
+      userId: user.id,
+      teamId: team.id,
+      tokenName: 'test',
+      expiresIn: null,
+    }));
+  });
+
+  test('marks a NOT_SENT signer as SENT after a successful resend', async ({ request }) => {
+    const document = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
+
+    const [recipient] = document.recipients;
+
+    // Simulate a recipient that is stuck at NOT_SENT on a pending document
+    // (e.g. the initial send did not dispatch an email for them).
+    await prisma.recipient.update({
+      where: { id: recipient.id },
+      data: {
+        sendStatus: SendStatus.NOT_SENT,
+        signingStatus: SigningStatus.NOT_SIGNED,
+        sentAt: null,
+      },
+    });
+
+    const res = await request.post(`${baseUrl}/document/redistribute`, {
+      headers: { Authorization: `Bearer ${token}` },
+      data: {
+        documentId: mapSecondaryIdToDocumentId(document.secondaryId),
+        recipients: [recipient.id],
+      },
+    });
+
+    expect(res.ok(), `redistribute should succeed: ${await res.text()}`).toBeTruthy();
+
+    const updatedRecipient = await prisma.recipient.findFirstOrThrow({
+      where: { id: recipient.id },
+    });
+
+    expect(updatedRecipient.sendStatus).toBe(SendStatus.SENT);
+    expect(updatedRecipient.sentAt).not.toBeNull();
+  });
+});
@@ -0,0 +1,260 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { createApiToken } from '@documenso/lib/server-only/public-api/create-api-token';
+import { prisma } from '@documenso/prisma';
+import { DocumentVisibility, SigningStatus, TeamMemberRole } from '@documenso/prisma/client';
+import { seedPendingDocument } from '@documenso/prisma/seed/documents';
+import { seedTeam, seedTeamMember } from '@documenso/prisma/seed/teams';
+import { seedUser } from '@documenso/prisma/seed/users';
+import type { TRejectEnvelopeRecipientOnBehalfOfRequest } from '@documenso/trpc/server/envelope-router/envelope-recipients/reject-envelope-recipient-on-behalf-of.types';
+import { type APIRequestContext, expect, test } from '@playwright/test';
+import type { Team, User } from '@prisma/client';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+const baseUrl = `${WEBAPP_BASE_URL}/api/v2-beta`;
+
+test.describe.configure({
+  mode: 'parallel',
+});
+
+const rejectRecipient = (
+  request: APIRequestContext,
+  authToken: string,
+  envelopeId: string,
+  recipientId: number,
+  reason: string,
+  actAsEmail?: string,
+) => {
+  return request.post(`${baseUrl}/envelope/recipient/${recipientId}/reject`, {
+    headers: { Authorization: `Bearer ${authToken}`, 'Content-Type': 'application/json' },
+    data: {
+      envelopeId,
+      recipientId,
+      reason,
+      actAsEmail,
+    } satisfies TRejectEnvelopeRecipientOnBehalfOfRequest,
+  });
+};
+
+test.describe('Reject recipient on behalf of', () => {
+  let user: User;
+  let team: Team;
+  let token: string;
+
+  test.beforeEach(async () => {
+    ({ user, team } = await seedUser());
+    ({ token } = await createApiToken({
+      userId: user.id,
+      teamId: team.id,
+      tokenName: 'test-reject-recipient',
+      expiresIn: null,
+    }));
+  });
+
+  test('should reject a recipient and record an external rejection audit log', async ({ request }) => {
+    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
+    const recipient = envelope.recipients[0];
+
+    const res = await rejectRecipient(request, token, envelope.id, recipient.id, 'Declined out of band');
+
+    expect(res.ok()).toBeTruthy();
+    expect(res.status()).toBe(200);
+
+    const updatedRecipient = await prisma.recipient.findUniqueOrThrow({
+      where: { id: recipient.id },
+    });
+
+    expect(updatedRecipient.signingStatus).toBe(SigningStatus.REJECTED);
+    expect(updatedRecipient.rejectionReason).toBe('Declined out of band');
+
+    const auditLog = await prisma.documentAuditLog.findFirst({
+      where: {
+        envelopeId: envelope.id,
+        type: 'DOCUMENT_RECIPIENT_REJECTED',
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    expect(auditLog).not.toBeNull();
+
+    const auditData = auditLog!.data as Record<string, unknown>;
+
+    expect(auditData.recipientId).toBe(recipient.id);
+    expect(auditData.recipientEmail).toBe(recipient.email);
+    expect(auditData.reason).toBe('Declined out of band');
+    expect(auditData.isExternal).toBe(true);
+
+    // No actAsEmail supplied - the rejection defaults to the API user.
+    expect(auditLog!.userId).toBe(user.id);
+    expect(auditLog!.email).toBe(user.email);
+    expect(auditData.onBehalfOfUserEmail).toBeUndefined();
+  });
+
+  test('should attribute the rejection to the elected team member when actAsEmail is supplied', async ({ request }) => {
+    const member = await seedTeamMember({ teamId: team.id });
+
+    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
+    const recipient = envelope.recipients[0];
+
+    const res = await rejectRecipient(request, token, envelope.id, recipient.id, 'Declined out of band', member.email);
+
+    expect(res.ok()).toBeTruthy();
+    expect(res.status()).toBe(200);
+
+    const auditLog = await prisma.documentAuditLog.findFirstOrThrow({
+      where: {
+        envelopeId: envelope.id,
+        type: 'DOCUMENT_RECIPIENT_REJECTED',
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    // The audit log actor must be the elected member, not the API user.
+    expect(auditLog.userId).toBe(member.id);
+    expect(auditLog.email).toBe(member.email);
+
+    const auditData = auditLog.data as Record<string, unknown>;
+
+    expect(auditData.isExternal).toBe(true);
+    expect(auditData.onBehalfOfUserEmail).toBe(member.email);
+  });
+
+  test('should reject when actAsEmail is not a member of the team', async ({ request }) => {
+    // A user that exists but belongs to a different team.
+    const { user: outsider } = await seedUser();
+
+    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
+    const recipient = envelope.recipients[0];
+
+    const res = await rejectRecipient(
+      request,
+      token,
+      envelope.id,
+      recipient.id,
+      'Declined out of band',
+      outsider.email,
+    );
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(401);
+
+    // The recipient must remain untouched.
+    const untouchedRecipient = await prisma.recipient.findUniqueOrThrow({
+      where: { id: recipient.id },
+    });
+
+    expect(untouchedRecipient.signingStatus).toBe(SigningStatus.NOT_SIGNED);
+    expect(untouchedRecipient.rejectionReason).toBeNull();
+  });
+
+  test('should deny rejecting a recipient that has already actioned the document', async ({ request }) => {
+    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
+    const recipient = envelope.recipients[0];
+
+    // Reject once - succeeds.
+    const firstRes = await rejectRecipient(request, token, envelope.id, recipient.id, 'First rejection');
+    expect(firstRes.ok()).toBeTruthy();
+
+    // Reject again - the recipient is no longer NOT_SIGNED.
+    const secondRes = await rejectRecipient(request, token, envelope.id, recipient.id, 'Second rejection');
+
+    expect(secondRes.ok()).toBeFalsy();
+    expect(secondRes.status()).toBe(400);
+
+    // The original rejection reason must remain unchanged.
+    const updatedRecipient = await prisma.recipient.findUniqueOrThrow({
+      where: { id: recipient.id },
+    });
+
+    expect(updatedRecipient.rejectionReason).toBe('First rejection');
+  });
+
+  test('should not allow rejecting a recipient in another team', async ({ request }) => {
+    // Seed a separate team/user that owns the document.
+    const { user: otherUser, team: otherTeam } = await seedUser();
+
+    const envelope = await seedPendingDocument(otherUser, otherTeam.id, ['recipient@test.documenso.com']);
+    const recipient = envelope.recipients[0];
+
+    // Use the original team's token - it must not be able to reject.
+    const res = await rejectRecipient(request, token, envelope.id, recipient.id, 'Should not work');
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(404);
+
+    // The recipient must remain untouched.
+    const untouchedRecipient = await prisma.recipient.findUniqueOrThrow({
+      where: { id: recipient.id },
+    });
+
+    expect(untouchedRecipient.signingStatus).toBe(SigningStatus.NOT_SIGNED);
+    expect(untouchedRecipient.rejectionReason).toBeNull();
+  });
+
+  test('should return 404 for a non-existent recipient', async ({ request }) => {
+    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
+
+    const res = await rejectRecipient(request, token, envelope.id, 999999999, 'No such recipient');
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(404);
+  });
+
+  test('should return 404 when the recipient does not belong to the supplied envelope', async ({ request }) => {
+    const targetEnvelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
+    const otherEnvelope = await seedPendingDocument(user, team.id, ['other-recipient@test.documenso.com']);
+
+    const recipient = targetEnvelope.recipients[0];
+
+    // Valid recipient ID, but paired with the wrong envelope ID.
+    const res = await rejectRecipient(request, token, otherEnvelope.id, recipient.id, 'Mismatched envelope');
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(404);
+
+    // The recipient must remain untouched.
+    const untouchedRecipient = await prisma.recipient.findUniqueOrThrow({
+      where: { id: recipient.id },
+    });
+
+    expect(untouchedRecipient.signingStatus).toBe(SigningStatus.NOT_SIGNED);
+    expect(untouchedRecipient.rejectionReason).toBeNull();
+  });
+
+  test('should enforce document visibility: manager cannot reject on an ADMIN-only document', async ({ request }) => {
+    // The API token belongs to a MANAGER, who cannot see ADMIN-visibility docs.
+    const { team: visTeam, owner } = await seedTeam();
+    const manager = await seedTeamMember({ teamId: visTeam.id, role: TeamMemberRole.MANAGER });
+
+    const { token: managerToken } = await createApiToken({
+      userId: manager.id,
+      teamId: visTeam.id,
+      tokenName: 'manager-reject-token',
+      expiresIn: null,
+    });
+
+    // ADMIN-visibility document owned by the team owner.
+    const envelope = await seedPendingDocument(owner, visTeam.id, ['recipient@test.documenso.com'], {
+      createDocumentOptions: { visibility: DocumentVisibility.ADMIN },
+    });
+    const recipient = envelope.recipients[0];
+
+    const res = await rejectRecipient(
+      request,
+      managerToken,
+      envelope.id,
+      recipient.id,
+      'Should be hidden by visibility',
+    );
+
+    // Visibility failure surfaces as not-found, matching the canonical checks.
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(404);
+
+    const untouchedRecipient = await prisma.recipient.findUniqueOrThrow({
+      where: { id: recipient.id },
+    });
+
+    expect(untouchedRecipient.signingStatus).toBe(SigningStatus.NOT_SIGNED);
+    expect(untouchedRecipient.rejectionReason).toBeNull();
+  });
+});
@@ -0,0 +1,242 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { createApiToken } from '@documenso/lib/server-only/public-api/create-api-token';
+import { prisma } from '@documenso/prisma';
+import { seedCompletedDocument, seedDraftDocument, seedPendingDocument } from '@documenso/prisma/seed/documents';
+import { seedTeam, seedTeamMember } from '@documenso/prisma/seed/teams';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, test } from '@playwright/test';
+import { DocumentStatus, TeamMemberRole } from '@prisma/client';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+const baseUrl = `${WEBAPP_BASE_URL}/api/v2-beta`;
+
+test.describe.configure({
+  mode: 'parallel',
+});
+
+const createTokenForUser = async (userId: number, teamId: number, tokenName: string) => {
+  const { token } = await createApiToken({
+    userId,
+    teamId,
+    tokenName,
+    expiresIn: null,
+  });
+
+  return token;
+};
+
+test.describe('Envelope cancel endpoint authorization', () => {
+  test('hides the document from an outsider attempting to cancel it', async ({ request }) => {
+    const { user: owner, team } = await seedUser();
+    const { user: recipient } = await seedUser();
+    const document = await seedPendingDocument(owner, team.id, [recipient]);
+
+    const { user: outsider, team: outsiderTeam } = await seedUser();
+    const outsiderToken = await createTokenForUser(outsider.id, outsiderTeam.id, 'outsider');
+
+    const res = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${outsiderToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    // Outsiders must not be able to determine whether the envelope exists.
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(404);
+
+    // The document must be untouched.
+    const documentInDb = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true },
+    });
+
+    expect(documentInDb.status).toBe(DocumentStatus.PENDING);
+  });
+
+  test('hides the document from a recipient attempting to cancel it', async ({ request }) => {
+    const { user: owner, team } = await seedUser();
+    const { user: recipient, team: recipientTeam } = await seedUser();
+    const document = await seedPendingDocument(owner, team.id, [recipient]);
+
+    const recipientToken = await createTokenForUser(recipient.id, recipientTeam.id, 'recipient');
+
+    const res = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${recipientToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    // A recipient is not a member of the document's team, so they must not be
+    // able to determine whether it exists via this endpoint.
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(404);
+
+    const documentInDb = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true },
+    });
+
+    expect(documentInDb.status).toBe(DocumentStatus.PENDING);
+  });
+
+  // Note: a non-privileged MEMBER cannot obtain an API token at all (token
+  // creation requires the MANAGE_TEAM permission), so the MEMBER cancellation
+  // restriction is covered through the UI tests in cancel-documents.spec.ts
+  // rather than at the API layer.
+
+  test('allows the document owner to cancel a pending document', async ({ request }) => {
+    const { user: owner, team } = await seedUser();
+    const { user: recipient } = await seedUser();
+    const document = await seedPendingDocument(owner, team.id, [recipient]);
+
+    const ownerToken = await createTokenForUser(owner.id, team.id, 'owner');
+
+    const res = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${ownerToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    expect(res.ok()).toBeTruthy();
+    expect(res.status()).toBe(200);
+
+    const documentInDb = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true, completedAt: true, deletedAt: true },
+    });
+
+    expect(documentInDb.status).toBe(DocumentStatus.CANCELLED);
+    expect(documentInDb.completedAt).not.toBeNull();
+    expect(documentInDb.deletedAt).toBeNull();
+  });
+
+  test('allows a team ADMIN to cancel a pending document they do not own', async ({ request }) => {
+    const { team, owner } = await seedTeam();
+
+    const adminUser = await seedTeamMember({
+      teamId: team.id,
+      role: TeamMemberRole.ADMIN,
+    });
+
+    const { user: recipient } = await seedUser();
+    const document = await seedPendingDocument(owner, team.id, [recipient]);
+
+    const adminToken = await createTokenForUser(adminUser.id, team.id, 'admin');
+
+    const res = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${adminToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    expect(res.ok()).toBeTruthy();
+    expect(res.status()).toBe(200);
+
+    const documentInDb = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true },
+    });
+
+    expect(documentInDb.status).toBe(DocumentStatus.CANCELLED);
+  });
+
+  test('allows a team MANAGER to cancel a pending document they do not own', async ({ request }) => {
+    const { team, owner } = await seedTeam();
+
+    const managerUser = await seedTeamMember({
+      teamId: team.id,
+      role: TeamMemberRole.MANAGER,
+    });
+
+    const { user: recipient } = await seedUser();
+    const document = await seedPendingDocument(owner, team.id, [recipient]);
+
+    const managerToken = await createTokenForUser(managerUser.id, team.id, 'manager');
+
+    const res = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${managerToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    expect(res.ok()).toBeTruthy();
+    expect(res.status()).toBe(200);
+
+    const documentInDb = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true },
+    });
+
+    expect(documentInDb.status).toBe(DocumentStatus.CANCELLED);
+  });
+
+  test('rejects cancelling a draft document', async ({ request }) => {
+    const { user: owner, team } = await seedUser();
+    const document = await seedDraftDocument(owner, team.id, []);
+
+    const ownerToken = await createTokenForUser(owner.id, team.id, 'owner-draft');
+
+    const res = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${ownerToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(400);
+
+    const documentInDb = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true },
+    });
+
+    expect(documentInDb.status).toBe(DocumentStatus.DRAFT);
+  });
+
+  test('rejects cancelling a completed document', async ({ request }) => {
+    const { user: owner, team } = await seedUser();
+    const { user: recipient } = await seedUser();
+    const document = await seedCompletedDocument(owner, team.id, [recipient]);
+
+    const ownerToken = await createTokenForUser(owner.id, team.id, 'owner-completed');
+
+    const res = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${ownerToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(400);
+
+    const documentInDb = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true },
+    });
+
+    expect(documentInDb.status).toBe(DocumentStatus.COMPLETED);
+  });
+
+  test('rejects double cancellation of an already cancelled document', async ({ request }) => {
+    const { user: owner, team } = await seedUser();
+    const { user: recipient } = await seedUser();
+    const document = await seedPendingDocument(owner, team.id, [recipient]);
+
+    const ownerToken = await createTokenForUser(owner.id, team.id, 'owner-double');
+
+    const firstRes = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${ownerToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    expect(firstRes.status()).toBe(200);
+
+    const secondRes = await request.post(`${baseUrl}/envelope/cancel`, {
+      headers: { Authorization: `Bearer ${ownerToken}` },
+      data: { envelopeId: document.id },
+    });
+
+    expect(secondRes.ok()).toBeFalsy();
+    expect(secondRes.status()).toBe(400);
+
+    const documentInDb = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true },
+    });
+
+    expect(documentInDb.status).toBe(DocumentStatus.CANCELLED);
+  });
+});
@@ -0,0 +1,102 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { createEmbeddingPresignToken } from '@documenso/lib/server-only/embedding-presign/create-embedding-presign-token';
+import { createApiToken } from '@documenso/lib/server-only/public-api/create-api-token';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, test } from '@playwright/test';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+
+const examplePdf = fs.readFileSync(path.join(__dirname, '../../../../../../assets/example.pdf'));
+
+test.describe.configure({
+  mode: 'parallel',
+});
+
+const createPresignTokenForUser = async (userId: number, teamId: number) => {
+  const { token: apiToken } = await createApiToken({
+    userId,
+    teamId,
+    tokenName: 'file-upload-test',
+    expiresIn: null,
+  });
+
+  const { token: presignToken } = await createEmbeddingPresignToken({ apiToken });
+
+  return presignToken;
+};
+
+const buildPdfFormData = () => {
+  const formData = new FormData();
+  formData.append('file', new File([examplePdf], 'test.pdf', { type: 'application/pdf' }));
+
+  return formData;
+};
+
+test.describe('File upload endpoint authorization', () => {
+  test('rejects an unauthenticated upload-pdf request', async ({ request }) => {
+    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/upload-pdf`, {
+      multipart: buildPdfFormData(),
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(401);
+  });
+
+  test('rejects an unauthenticated presigned-post-url request', async ({ request }) => {
+    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
+      headers: { 'Content-Type': 'application/json' },
+      data: { fileName: 'test.pdf', contentType: 'application/pdf' },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(401);
+  });
+
+  test('rejects a presigned-post-url request with an invalid presign token', async ({ request }) => {
+    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: 'Bearer not-a-real-token',
+      },
+      data: { fileName: 'test.pdf', contentType: 'application/pdf' },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(401);
+  });
+
+  test('rejects a presigned-post-url request with a disallowed content type', async ({ request }) => {
+    const { user, team } = await seedUser();
+    const presignToken = await createPresignTokenForUser(user.id, team.id);
+
+    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${presignToken}`,
+      },
+      data: { fileName: 'malware.exe', contentType: 'application/x-msdownload' },
+    });
+
+    // Authenticated, but the content type is not on the allow-list.
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(400);
+  });
+
+  test('allows an upload-pdf request authorized by a valid presign token', async ({ request }) => {
+    const { user, team } = await seedUser();
+    const presignToken = await createPresignTokenForUser(user.id, team.id);
+
+    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/upload-pdf`, {
+      headers: { Authorization: `Bearer ${presignToken}` },
+      multipart: buildPdfFormData(),
+    });
+
+    expect(res.ok()).toBeTruthy();
+    expect(res.status()).toBe(200);
+
+    const body = await res.json();
+    expect(body.id).toBeDefined();
+  });
+});
@@ -1,9 +1,12 @@
-import { seedDraftDocument } from '@documenso/prisma/seed/documents';
+import { prisma } from '@documenso/prisma';
+import { seedCompletedDocument, seedDraftDocument, seedPendingDocument } from '@documenso/prisma/seed/documents';
 import { seedBlankFolder } from '@documenso/prisma/seed/folders';
+import { seedTeam, seedTeamMember } from '@documenso/prisma/seed/teams';
 import { seedUser } from '@documenso/prisma/seed/users';
 import { expect, test } from '@playwright/test';
+import { DocumentStatus, TeamMemberRole } from '@prisma/client';

-import { apiSignin } from '../fixtures/authentication';
+import { apiSignin, apiSignout } from '../fixtures/authentication';
 import { expectToastTextToBeVisible } from '../fixtures/generic';

 test.describe.configure({ mode: 'parallel' });
@@ -250,3 +253,147 @@ test('[BULK_ACTIONS]: can move documents from folder to home (root)', async ({ p
  await page.goto(`/t/${sender.team.url}/documents/f/${folder.id}`);
  await expect(page.getByRole('link', { name: 'Bulk Test Doc 1' })).not.toBeVisible();
 });
+
+// ─── Bulk cancel ─────────────────────────────────────────────────────────────
+
+test('[BULK_ACTIONS]: can cancel multiple pending documents', async ({ page }) => {
+  const sender = await seedUser({ setTeamEmailAsOwner: true });
+  const { user: recipient } = await seedUser();
+
+  const [pending1, pending2] = await Promise.all([
+    seedPendingDocument(sender.user, sender.team.id, [recipient], {
+      createDocumentOptions: { title: 'Bulk Cancel Pending 1' },
+    }),
+    seedPendingDocument(sender.user, sender.team.id, [recipient], {
+      createDocumentOptions: { title: 'Bulk Cancel Pending 2' },
+    }),
+  ]);
+
+  await apiSignin({
+    page,
+    email: sender.user.email,
+    redirectPath: `/t/${sender.team.url}/documents`,
+  });
+
+  await page.locator('tr', { hasText: 'Bulk Cancel Pending 1' }).getByRole('checkbox').click();
+  await page.locator('tr', { hasText: 'Bulk Cancel Pending 2' }).getByRole('checkbox').click();
+  await expect(page.getByText('2 selected')).toBeVisible();
+
+  // The bulk action bar Cancel button (distinct from the dialog's confirm button).
+  await page.getByRole('button', { name: 'Cancel', exact: true }).click();
+
+  const dialog = page.getByRole('dialog');
+  await expect(dialog).toBeVisible();
+  await expect(dialog.getByRole('heading', { name: 'Cancel Documents' })).toBeVisible();
+  await expect(dialog.getByText('You are about to cancel 2 documents')).toBeVisible();
+
+  await dialog.getByRole('button', { name: 'Cancel documents' }).click();
+
+  await expectToastTextToBeVisible(page, 'Documents cancelled');
+
+  // Selection clears after a successful cancel.
+  await expect(page.getByText(/\d+ selected/)).not.toBeVisible();
+
+  // Both documents are now cancelled in the database.
+  for (const document of [pending1, pending2]) {
+    const envelope = await prisma.envelope.findFirstOrThrow({
+      where: { id: document.id },
+      select: { status: true, deletedAt: true },
+    });
+
+    expect(envelope.status).toBe(DocumentStatus.CANCELLED);
+    expect(envelope.deletedAt).toBeNull();
+  }
+});
+
+test('[BULK_ACTIONS]: bulk cancel only affects pending documents', async ({ page }) => {
+  const sender = await seedUser({ setTeamEmailAsOwner: true });
+  const { user: recipient } = await seedUser();
+
+  const pending = await seedPendingDocument(sender.user, sender.team.id, [recipient], {
+    createDocumentOptions: { title: 'Mixed Cancel Pending' },
+  });
+  const draft = await seedDraftDocument(sender.user, sender.team.id, [], {
+    createDocumentOptions: { title: 'Mixed Cancel Draft' },
+  });
+  const completed = await seedCompletedDocument(sender.user, sender.team.id, [recipient], {
+    createDocumentOptions: { title: 'Mixed Cancel Completed' },
+  });
+
+  await apiSignin({
+    page,
+    email: sender.user.email,
+    redirectPath: `/t/${sender.team.url}/documents`,
+  });
+
+  await page.locator('thead').getByRole('checkbox').click();
+  await expect(page.getByText('3 selected')).toBeVisible();
+
+  await page.getByRole('button', { name: 'Cancel', exact: true }).click();
+
+  const dialog = page.getByRole('dialog');
+  await expect(dialog).toBeVisible();
+  await dialog.getByRole('button', { name: 'Cancel documents' }).click();
+
+  // Only one of the three was pending, so this is a partial result.
+  await expectToastTextToBeVisible(page, 'Documents partially cancelled');
+
+  const pendingEnvelope = await prisma.envelope.findFirstOrThrow({
+    where: { id: pending.id },
+    select: { status: true },
+  });
+  expect(pendingEnvelope.status).toBe(DocumentStatus.CANCELLED);
+
+  // The draft and completed documents are untouched.
+  const draftEnvelope = await prisma.envelope.findFirstOrThrow({
+    where: { id: draft.id },
+    select: { status: true },
+  });
+  expect(draftEnvelope.status).toBe(DocumentStatus.DRAFT);
+
+  const completedEnvelope = await prisma.envelope.findFirstOrThrow({
+    where: { id: completed.id },
+    select: { status: true },
+  });
+  expect(completedEnvelope.status).toBe(DocumentStatus.COMPLETED);
+});
+
+test('[BULK_ACTIONS]: a MEMBER cannot bulk cancel documents they do not own', async ({ page }) => {
+  const { team, owner } = await seedTeam();
+
+  const memberUser = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  const { user: recipient } = await seedUser();
+
+  const ownerDocument = await seedPendingDocument(owner, team.id, [recipient], {
+    createDocumentOptions: { title: 'Member Cannot Cancel This', visibility: 'EVERYONE' },
+  });
+
+  await apiSignin({
+    page,
+    email: memberUser.email,
+    redirectPath: `/t/${team.url}/documents?status=PENDING`,
+  });
+
+  await page.locator('tr', { hasText: 'Member Cannot Cancel This' }).getByRole('checkbox').click();
+  await expect(page.getByText('1 selected')).toBeVisible();
+
+  await page.getByRole('button', { name: 'Cancel', exact: true }).click();
+
+  const dialog = page.getByRole('dialog');
+  await expect(dialog).toBeVisible();
+  await dialog.getByRole('button', { name: 'Cancel documents' }).click();
+
+  // The server rejects the cancellation for a document the MEMBER does not own,
+  // so it reports zero cancelled (a partial result with the document in failedIds).
+  await expectToastTextToBeVisible(page, 'Documents partially cancelled');
+
+  // The document remains pending.
+  const envelope = await prisma.envelope.findFirstOrThrow({
+    where: { id: ownerDocument.id },
+    select: { status: true },
+  });
+  expect(envelope.status).toBe(DocumentStatus.PENDING);
+
+  await apiSignout({ page });
+});
@@ -0,0 +1,342 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { prisma } from '@documenso/prisma';
+import { seedCancelledDocument, seedPendingDocument } from '@documenso/prisma/seed/documents';
+import { seedTeam, seedTeamMember } from '@documenso/prisma/seed/teams';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, type Page, test } from '@playwright/test';
+import { DocumentStatus, TeamMemberRole } from '@prisma/client';
+
+import { apiSignin, apiSignout } from '../fixtures/authentication';
+import { checkDocumentTabCount } from '../fixtures/documents';
+import { expectToastTextToBeVisible, openDropdownMenu } from '../fixtures/generic';
+
+test.describe.configure({ mode: 'serial' });
+
+const seedCancelDocumentsTestRequirements = async () => {
+  const [sender, recipientA, recipientB] = await Promise.all([
+    seedUser({ setTeamEmailAsOwner: true }),
+    seedUser({ setTeamEmailAsOwner: true }),
+    seedUser({ setTeamEmailAsOwner: true }),
+  ]);
+
+  const pendingDocument = await seedPendingDocument(sender.user, sender.team.id, [recipientA.user, recipientB.user], {
+    createDocumentOptions: { title: 'Document 1 - Pending' },
+  });
+
+  return {
+    sender,
+    recipients: [recipientA, recipientB],
+    pendingDocument,
+  };
+};
+
+const cancelDocumentViaUi = async (page: Page, documentTitle: string, reason?: string) => {
+  const documentActionBtn = page.locator('tr', { hasText: documentTitle }).getByTestId('document-table-action-btn');
+
+  await openDropdownMenu(page, documentActionBtn);
+
+  await expect(page.getByRole('menuitem', { name: 'Cancel' })).toBeVisible();
+  await page.getByRole('menuitem', { name: 'Cancel' }).click();
+
+  await expect(page.getByRole('heading', { name: 'Are you sure?' })).toBeVisible();
+
+  if (reason) {
+    await page.getByPlaceholder('Add an optional reason for cancelling this document').fill(reason);
+  }
+
+  await page.getByRole('button', { name: 'Cancel document' }).click();
+};
+
+test('[DOCUMENTS]: cancelling a pending document keeps it in the owner dashboard as cancelled', async ({ page }) => {
+  const { sender, pendingDocument } = await seedCancelDocumentsTestRequirements();
+
+  await apiSignin({
+    page,
+    email: sender.user.email,
+    redirectPath: `/t/${sender.team.url}/documents`,
+  });
+
+  await cancelDocumentViaUi(page, 'Document 1 - Pending', 'No longer required');
+
+  await expectToastTextToBeVisible(page, 'Document cancelled');
+
+  // The document must remain in the dashboard, unlike deleting a pending document.
+  await checkDocumentTabCount(page, 'Inbox', 0);
+  await checkDocumentTabCount(page, 'Pending', 0);
+  await checkDocumentTabCount(page, 'Cancelled', 1);
+  await checkDocumentTabCount(page, 'All', 1);
+
+  // The cancelled document is still listed.
+  await page.getByRole('tab', { name: 'Cancelled' }).click();
+  await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).toBeVisible();
+
+  // The envelope status is persisted as CANCELLED.
+  const envelope = await prisma.envelope.findFirstOrThrow({
+    where: {
+      id: pendingDocument.id,
+    },
+    select: {
+      status: true,
+      completedAt: true,
+      deletedAt: true,
+    },
+  });
+
+  expect(envelope.status).toBe(DocumentStatus.CANCELLED);
+  expect(envelope.completedAt).not.toBeNull();
+  expect(envelope.deletedAt).toBeNull();
+});
+
+test('[DOCUMENTS]: cancelling a pending document retains it for recipients', async ({ page }) => {
+  const { sender, recipients } = await seedCancelDocumentsTestRequirements();
+
+  await apiSignin({
+    page,
+    email: sender.user.email,
+    redirectPath: `/t/${sender.team.url}/documents`,
+  });
+
+  await cancelDocumentViaUi(page, 'Document 1 - Pending');
+
+  await expectToastTextToBeVisible(page, 'Document cancelled');
+
+  await apiSignout({ page });
+
+  // Recipients should still be able to see the document as a record of distribution.
+  for (const recipient of recipients) {
+    await apiSignin({
+      page,
+      email: recipient.user.email,
+      redirectPath: `/t/${recipient.team.url}/documents`,
+    });
+
+    await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).toBeVisible();
+
+    await apiSignout({ page });
+  }
+});
+
+test('[DOCUMENTS]: a cancelled document can be deleted, hiding it from the owner without removing it', async ({
+  page,
+}) => {
+  const { sender, recipients, pendingDocument } = await seedCancelDocumentsTestRequirements();
+
+  await apiSignin({
+    page,
+    email: sender.user.email,
+    redirectPath: `/t/${sender.team.url}/documents`,
+  });
+
+  await cancelDocumentViaUi(page, 'Document 1 - Pending');
+  await expectToastTextToBeVisible(page, 'Document cancelled');
+
+  // Delete the now-cancelled document. Being terminal, it should soft delete (hide).
+  await page.getByRole('tab', { name: 'Cancelled' }).click();
+
+  const documentActionBtn = page
+    .locator('tr', { hasText: 'Document 1 - Pending' })
+    .getByTestId('document-table-action-btn');
+  await openDropdownMenu(page, documentActionBtn);
+
+  await expect(page.getByRole('menuitem', { name: 'Delete' })).toBeVisible();
+  await page.getByRole('menuitem', { name: 'Delete' }).click();
+  await page.getByPlaceholder("Type 'delete' to confirm").fill('delete');
+  await page.getByRole('button', { name: 'Delete' }).click();
+
+  await page.waitForTimeout(2500);
+
+  await expect(page.getByRole('row', { name: /Document 1 - Pending/ })).not.toBeVisible();
+
+  // The envelope is soft deleted, not hard deleted.
+  const envelope = await prisma.envelope.findFirstOrThrow({
+    where: {
+      id: pendingDocument.id,
+    },
+    select: {
+      status: true,
+      deletedAt: true,
+    },
+  });
+
+  expect(envelope.status).toBe(DocumentStatus.CANCELLED);
+  expect(envelope.deletedAt).not.toBeNull();
+
+  await apiSignout({ page });
+
+  // Recipients should still retain the document after the owner deletes it.
+  await apiSignin({
+    page,
+    email: recipients[0].user.email,
+    redirectPath: `/t/${recipients[0].team.url}/documents`,
+  });
+
+  await expect(page.getByRole('link', { name: 'Document 1 - Pending' })).toBeVisible();
+});
+
+// ─── Visibility: a cancelled document must respect team document visibility ───
+
+test('[DOCUMENTS]: cancelled document with ADMIN visibility is hidden from a MEMBER', async ({ page }) => {
+  const { team, owner } = await seedTeam();
+
+  const adminUser = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.ADMIN });
+  const managerUser = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MANAGER });
+  const memberUser = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  await seedCancelledDocument(owner, team.id, [], {
+    createDocumentOptions: {
+      visibility: 'ADMIN',
+      title: 'Cancelled Admin Only Document',
+    },
+  });
+
+  // The MEMBER must NOT see the ADMIN-visibility cancelled document on any tab.
+  await apiSignin({
+    page,
+    email: memberUser.email,
+    redirectPath: `/t/${team.url}/documents?status=CANCELLED`,
+  });
+
+  await expect(page.getByRole('link', { name: 'Cancelled Admin Only Document', exact: true })).not.toBeVisible();
+
+  // Also confirm it doesn't leak via the ALL tab.
+  await page.goto(`${NEXT_PUBLIC_WEBAPP_URL()}/t/${team.url}/documents`);
+  await expect(page.getByRole('link', { name: 'Cancelled Admin Only Document', exact: true })).not.toBeVisible();
+
+  await apiSignout({ page });
+
+  // The MANAGER must NOT see an ADMIN-visibility document either.
+  await apiSignin({
+    page,
+    email: managerUser.email,
+    redirectPath: `/t/${team.url}/documents?status=CANCELLED`,
+  });
+
+  await expect(page.getByRole('link', { name: 'Cancelled Admin Only Document', exact: true })).not.toBeVisible();
+
+  await apiSignout({ page });
+
+  // The ADMIN must see it.
+  await apiSignin({
+    page,
+    email: adminUser.email,
+    redirectPath: `/t/${team.url}/documents?status=CANCELLED`,
+  });
+
+  await expect(page.getByRole('link', { name: 'Cancelled Admin Only Document', exact: true })).toBeVisible();
+});
+
+test('[DOCUMENTS]: cancelled document with MANAGER_AND_ABOVE visibility is hidden from a MEMBER', async ({ page }) => {
+  const { team, owner } = await seedTeam();
+
+  const managerUser = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MANAGER });
+  const memberUser = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  await seedCancelledDocument(owner, team.id, [], {
+    createDocumentOptions: {
+      visibility: 'MANAGER_AND_ABOVE',
+      title: 'Cancelled Manager Document',
+    },
+  });
+
+  // The MEMBER must NOT see it.
+  await apiSignin({
+    page,
+    email: memberUser.email,
+    redirectPath: `/t/${team.url}/documents?status=CANCELLED`,
+  });
+
+  await expect(page.getByRole('link', { name: 'Cancelled Manager Document', exact: true })).not.toBeVisible();
+
+  await apiSignout({ page });
+
+  // The MANAGER must see it.
+  await apiSignin({
+    page,
+    email: managerUser.email,
+    redirectPath: `/t/${team.url}/documents?status=CANCELLED`,
+  });
+
+  await expect(page.getByRole('link', { name: 'Cancelled Manager Document', exact: true })).toBeVisible();
+});
+
+test('[DOCUMENTS]: a recipient sees a cancelled document regardless of restricted visibility', async ({ page }) => {
+  const { team, owner } = await seedTeam();
+
+  // A MEMBER who is also a recipient on an ADMIN-visibility document.
+  const memberRecipient = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  await seedCancelledDocument(owner, team.id, [memberRecipient], {
+    createDocumentOptions: {
+      visibility: 'ADMIN',
+      title: 'Cancelled Admin Doc With Recipient',
+    },
+  });
+
+  // Even though the document is ADMIN-only, the MEMBER is a recipient, so they
+  // must still see it (proof of distribution), matching completed-document behaviour.
+  await apiSignin({
+    page,
+    email: memberRecipient.email,
+    redirectPath: `/t/${team.url}/documents?status=CANCELLED`,
+  });
+
+  await expect(page.getByRole('link', { name: 'Cancelled Admin Doc With Recipient', exact: true })).toBeVisible();
+});
+
+// ─── UI gating: only privileged members see the Cancel action ────────────────
+
+test('[DOCUMENTS]: a MEMBER does not see the Cancel action on a pending document', async ({ page }) => {
+  const { team, owner } = await seedTeam();
+
+  const memberUser = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  const { user: recipient } = await seedUser();
+
+  await seedPendingDocument(owner, team.id, [recipient], {
+    createDocumentOptions: { title: 'Member Gating Pending Document', visibility: 'EVERYONE' },
+  });
+
+  await apiSignin({
+    page,
+    email: memberUser.email,
+    redirectPath: `/t/${team.url}/documents?status=PENDING`,
+  });
+
+  const documentActionBtn = page
+    .locator('tr', { hasText: 'Member Gating Pending Document' })
+    .getByTestId('document-table-action-btn');
+  await openDropdownMenu(page, documentActionBtn);
+
+  // The dropdown must render (Edit is always there) but Cancel must be absent.
+  await expect(page.getByRole('menuitem', { name: 'Edit' })).toBeVisible();
+  await expect(page.getByRole('menuitem', { name: 'Cancel' })).not.toBeVisible();
+});
+
+test('[DOCUMENTS]: a team ADMIN sees and can use the Cancel action on a document they do not own', async ({ page }) => {
+  const { team, owner } = await seedTeam();
+
+  const adminUser = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.ADMIN });
+
+  const { user: recipient } = await seedUser();
+
+  const document = await seedPendingDocument(owner, team.id, [recipient], {
+    createDocumentOptions: { title: 'Admin Cancellable Document', visibility: 'EVERYONE' },
+  });
+
+  await apiSignin({
+    page,
+    email: adminUser.email,
+    redirectPath: `/t/${team.url}/documents?status=PENDING`,
+  });
+
+  await cancelDocumentViaUi(page, 'Admin Cancellable Document');
+
+  await expectToastTextToBeVisible(page, 'Document cancelled');
+
+  const envelope = await prisma.envelope.findFirstOrThrow({
+    where: { id: document.id },
+    select: { status: true },
+  });
+
+  expect(envelope.status).toBe(DocumentStatus.CANCELLED);
+});
@@ -3,6 +3,7 @@ import path from 'node:path';
 import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
 import { createApiToken } from '@documenso/lib/server-only/public-api/create-api-token';
 import { prisma } from '@documenso/prisma';
+import { seedDraftDocument } from '@documenso/prisma/seed/documents';
 import { seedTemplate } from '@documenso/prisma/seed/templates';
 import { seedUser } from '@documenso/prisma/seed/users';
 import type {
@@ -302,6 +303,95 @@ test.describe('document editor', () => {
    expect(envelopes.length).toBeGreaterThanOrEqual(2);
  });

+  test('duplicate document without recipients excludes recipients and fields', async ({ page }) => {
+    const { user, team } = await seedUser();
+
+    // Seed a draft document that has a recipient with a field.
+    const document = await seedDraftDocument(user, team.id, ['signer@test.documenso.com'], {
+      key: `dup-exclude-recipients-${Date.now()}`,
+      internalVersion: 2,
+    });
+
+    await apiSignin({
+      page,
+      email: user.email,
+      redirectPath: `/t/${team.url}/documents/${document.id}/edit`,
+    });
+
+    await expect(page.getByRole('heading', { name: 'Documents' })).toBeVisible();
+
+    // Open the duplicate dialog.
+    await page.locator('button[title="Duplicate Envelope"]').click();
+    await expect(page.getByRole('heading', { name: 'Duplicate Document' })).toBeVisible();
+
+    // Uncheck "Include Recipients" — this also disables and unchecks "Include Fields".
+    await page.getByLabel('Include Recipients').click();
+    await expect(page.getByLabel('Include Fields')).toBeDisabled();
+
+    // Duplicate.
+    await page.getByRole('button', { name: 'Duplicate' }).click();
+    await expectToastTextToBeVisible(page, 'Document Duplicated');
+    await expect(page).toHaveURL(/\/documents\/.*\/edit/);
+
+    // The duplicate should have neither recipients nor fields.
+    const duplicate = await prisma.envelope.findFirstOrThrow({
+      where: {
+        teamId: team.id,
+        type: EnvelopeType.DOCUMENT,
+        id: { not: document.id },
+      },
+      include: { recipients: true, fields: true },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    expect(duplicate.recipients).toHaveLength(0);
+    expect(duplicate.fields).toHaveLength(0);
+  });
+
+  test('duplicate document without fields keeps recipients but excludes fields', async ({ page }) => {
+    const { user, team } = await seedUser();
+
+    // Seed a draft document that has a recipient with a field.
+    const document = await seedDraftDocument(user, team.id, ['signer@test.documenso.com'], {
+      key: `dup-exclude-fields-${Date.now()}`,
+      internalVersion: 2,
+    });
+
+    await apiSignin({
+      page,
+      email: user.email,
+      redirectPath: `/t/${team.url}/documents/${document.id}/edit`,
+    });
+
+    await expect(page.getByRole('heading', { name: 'Documents' })).toBeVisible();
+
+    // Open the duplicate dialog.
+    await page.locator('button[title="Duplicate Envelope"]').click();
+    await expect(page.getByRole('heading', { name: 'Duplicate Document' })).toBeVisible();
+
+    // Uncheck only "Include Fields" (recipients stay included).
+    await page.getByLabel('Include Fields').click();
+
+    // Duplicate.
+    await page.getByRole('button', { name: 'Duplicate' }).click();
+    await expectToastTextToBeVisible(page, 'Document Duplicated');
+    await expect(page).toHaveURL(/\/documents\/.*\/edit/);
+
+    // The duplicate should keep the recipient but have no fields.
+    const duplicate = await prisma.envelope.findFirstOrThrow({
+      where: {
+        teamId: team.id,
+        type: EnvelopeType.DOCUMENT,
+        id: { not: document.id },
+      },
+      include: { recipients: true, fields: true },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    expect(duplicate.recipients).toHaveLength(1);
+    expect(duplicate.fields).toHaveLength(0);
+  });
+
  test('download PDF dialog shows envelope items', async ({ page }) => {
    await openDocumentEnvelopeEditor(page);

@@ -270,7 +270,7 @@ test('[ENVELOPE_EXPIRATION]: resending refreshes expiresAt', async ({ page }) =>
  await page.getByLabel('test.documenso.com').first().click();
  await page.getByRole('button', { name: 'Send reminder' }).click();

-  await expect(page.getByText('Document re-sent', { exact: true })).toBeVisible({
+  await expect(page.getByText('Document resent', { exact: true })).toBeVisible({
    timeout: 10_000,
  });

@@ -0,0 +1,342 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { generateDatabaseId, nanoid } from '@documenso/lib/universal/id';
+import { prisma } from '@documenso/prisma';
+import { seedOrganisationMembers } from '@documenso/prisma/seed/organisations';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, type Page, test } from '@playwright/test';
+import { OrganisationGroupType, type OrganisationMemberRole } from '@prisma/client';
+
+import { apiSignin } from '../fixtures/authentication';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+
+/**
+ * Calls a tRPC mutation directly using the cookies of whoever is currently
+ * signed in on the page context. This deliberately bypasses the UI: the
+ * authorisation checks under test live on the server, and the UI may simply
+ * hide a button rather than reject the request, which would mask a backend gap.
+ */
+const trpcMutation = async (page: Page, procedure: string, input: Record<string, unknown>) => {
+  return await page.request.post(`${WEBAPP_BASE_URL}/api/trpc/${procedure}`, {
+    headers: { 'content-type': 'application/json' },
+    data: JSON.stringify({ json: input }),
+  });
+};
+
+const getOrganisationMember = async (userId: number, organisationId: string) => {
+  return await prisma.organisationMember.findFirstOrThrow({
+    where: {
+      userId,
+      organisationId,
+    },
+  });
+};
+
+const createCustomGroup = async (organisationId: string, organisationRole: OrganisationMemberRole) => {
+  return await prisma.organisationGroup.create({
+    data: {
+      id: generateDatabaseId('org_group'),
+      organisationId,
+      name: `custom-${organisationRole}-${nanoid()}`,
+      type: OrganisationGroupType.CUSTOM,
+      organisationRole,
+    },
+  });
+};
+
+const createPendingInvite = async (organisationId: string, organisationRole: OrganisationMemberRole) => {
+  return await prisma.organisationMemberInvite.create({
+    data: {
+      id: generateDatabaseId('member_invite'),
+      email: `invite-${nanoid()}@test.documenso.com`,
+      token: nanoid(32),
+      organisationId,
+      organisationRole,
+    },
+  });
+};
+
+test.describe('[ORGANISATION_PERMISSION_HIERARCHY]: member deletion', () => {
+  test('a manager cannot delete an admin via member.delete', async ({ page }) => {
+    const { organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [managerUser, adminUser] = await seedOrganisationMembers({
+      members: [
+        { name: 'Manager', organisationRole: 'MANAGER' },
+        { name: 'Admin', organisationRole: 'ADMIN' },
+      ],
+      organisationId: organisation.id,
+    });
+
+    const adminMember = await getOrganisationMember(adminUser.id, organisation.id);
+
+    await apiSignin({ page, email: managerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.member.delete', {
+      organisationId: organisation.id,
+      organisationMemberId: adminMember.id,
+    });
+
+    expect(res.ok()).toBeFalsy();
+
+    // The admin must still be a member of the organisation.
+    const stillExists = await prisma.organisationMember.findFirst({
+      where: { id: adminMember.id },
+    });
+
+    expect(stillExists).not.toBeNull();
+  });
+
+  test('a manager cannot delete an admin via member.deleteMany', async ({ page }) => {
+    const { organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [managerUser, adminUser] = await seedOrganisationMembers({
+      members: [
+        { name: 'Manager', organisationRole: 'MANAGER' },
+        { name: 'Admin', organisationRole: 'ADMIN' },
+      ],
+      organisationId: organisation.id,
+    });
+
+    const adminMember = await getOrganisationMember(adminUser.id, organisation.id);
+
+    await apiSignin({ page, email: managerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.member.deleteMany', {
+      organisationId: organisation.id,
+      organisationMemberIds: [adminMember.id],
+    });
+
+    expect(res.ok()).toBeFalsy();
+
+    const stillExists = await prisma.organisationMember.findFirst({
+      where: { id: adminMember.id },
+    });
+
+    expect(stillExists).not.toBeNull();
+  });
+
+  test('a manager cannot delete the organisation owner', async ({ page }) => {
+    const { user: ownerUser, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [managerUser] = await seedOrganisationMembers({
+      members: [{ name: 'Manager', organisationRole: 'MANAGER' }],
+      organisationId: organisation.id,
+    });
+
+    const ownerMember = await getOrganisationMember(ownerUser.id, organisation.id);
+
+    await apiSignin({ page, email: managerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.member.deleteMany', {
+      organisationId: organisation.id,
+      organisationMemberIds: [ownerMember.id],
+    });
+
+    expect(res.ok()).toBeFalsy();
+
+    const stillExists = await prisma.organisationMember.findFirst({
+      where: { id: ownerMember.id },
+    });
+
+    expect(stillExists).not.toBeNull();
+  });
+
+  test('an admin cannot delete the organisation owner', async ({ page }) => {
+    const { user: ownerUser, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [adminUser] = await seedOrganisationMembers({
+      members: [{ name: 'Admin', organisationRole: 'ADMIN' }],
+      organisationId: organisation.id,
+    });
+
+    const ownerMember = await getOrganisationMember(ownerUser.id, organisation.id);
+
+    await apiSignin({ page, email: adminUser.email });
+
+    const res = await trpcMutation(page, 'organisation.member.deleteMany', {
+      organisationId: organisation.id,
+      organisationMemberIds: [ownerMember.id],
+    });
+
+    expect(res.ok()).toBeFalsy();
+
+    const stillExists = await prisma.organisationMember.findFirst({
+      where: { id: ownerMember.id },
+    });
+
+    expect(stillExists).not.toBeNull();
+  });
+
+  test('a manager can still delete a regular member (positive control)', async ({ page }) => {
+    const { organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [managerUser, memberUser] = await seedOrganisationMembers({
+      members: [
+        { name: 'Manager', organisationRole: 'MANAGER' },
+        { name: 'Member', organisationRole: 'MEMBER' },
+      ],
+      organisationId: organisation.id,
+    });
+
+    const member = await getOrganisationMember(memberUser.id, organisation.id);
+
+    await apiSignin({ page, email: managerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.member.deleteMany', {
+      organisationId: organisation.id,
+      organisationMemberIds: [member.id],
+    });
+
+    expect(res.ok()).toBeTruthy();
+
+    const deleted = await prisma.organisationMember.findFirst({
+      where: { id: member.id },
+    });
+
+    expect(deleted).toBeNull();
+  });
+});
+
+test.describe('[ORGANISATION_PERMISSION_HIERARCHY]: group deletion', () => {
+  test('a manager cannot delete an admin-role group', async ({ page }) => {
+    const { organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [managerUser] = await seedOrganisationMembers({
+      members: [{ name: 'Manager', organisationRole: 'MANAGER' }],
+      organisationId: organisation.id,
+    });
+
+    const adminGroup = await createCustomGroup(organisation.id, 'ADMIN');
+
+    await apiSignin({ page, email: managerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.group.delete', {
+      organisationId: organisation.id,
+      groupId: adminGroup.id,
+    });
+
+    expect(res.ok()).toBeFalsy();
+
+    const stillExists = await prisma.organisationGroup.findFirst({
+      where: { id: adminGroup.id },
+    });
+
+    expect(stillExists).not.toBeNull();
+  });
+
+  test('a manager can delete a member-role group (positive control)', async ({ page }) => {
+    const { organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [managerUser] = await seedOrganisationMembers({
+      members: [{ name: 'Manager', organisationRole: 'MANAGER' }],
+      organisationId: organisation.id,
+    });
+
+    const memberGroup = await createCustomGroup(organisation.id, 'MEMBER');
+
+    await apiSignin({ page, email: managerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.group.delete', {
+      organisationId: organisation.id,
+      groupId: memberGroup.id,
+    });
+
+    expect(res.ok()).toBeTruthy();
+
+    const deleted = await prisma.organisationGroup.findFirst({
+      where: { id: memberGroup.id },
+    });
+
+    expect(deleted).toBeNull();
+  });
+});
+
+test.describe('[ORGANISATION_PERMISSION_HIERARCHY]: invite resend', () => {
+  test('a manager cannot resend an admin-role invite', async ({ page }) => {
+    const { organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [managerUser] = await seedOrganisationMembers({
+      members: [{ name: 'Manager', organisationRole: 'MANAGER' }],
+      organisationId: organisation.id,
+    });
+
+    const adminInvite = await createPendingInvite(organisation.id, 'ADMIN');
+
+    await apiSignin({ page, email: managerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.member.invite.resend', {
+      organisationId: organisation.id,
+      invitationId: adminInvite.id,
+    });
+
+    expect(res.ok()).toBeFalsy();
+  });
+
+  test('a manager can resend a member-role invite (positive control)', async ({ page }) => {
+    const { organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [managerUser] = await seedOrganisationMembers({
+      members: [{ name: 'Manager', organisationRole: 'MANAGER' }],
+      organisationId: organisation.id,
+    });
+
+    const memberInvite = await createPendingInvite(organisation.id, 'MEMBER');
+
+    await apiSignin({ page, email: managerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.member.invite.resend', {
+      organisationId: organisation.id,
+      invitationId: memberInvite.id,
+    });
+
+    expect(res.ok()).toBeTruthy();
+  });
+});
+
+test.describe('[ORGANISATION_PERMISSION_HIERARCHY]: leaving an organisation', () => {
+  test('the owner cannot leave without transferring ownership first', async ({ page }) => {
+    const { user: ownerUser, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const ownerMember = await getOrganisationMember(ownerUser.id, organisation.id);
+
+    await apiSignin({ page, email: ownerUser.email });
+
+    const res = await trpcMutation(page, 'organisation.leave', {
+      organisationId: organisation.id,
+    });
+
+    expect(res.ok()).toBeFalsy();
+
+    const stillExists = await prisma.organisationMember.findFirst({
+      where: { id: ownerMember.id },
+    });
+
+    expect(stillExists).not.toBeNull();
+  });
+
+  test('a non-owner member can still leave (positive control)', async ({ page }) => {
+    const { organisation } = await seedUser({ isPersonalOrganisation: false });
+
+    const [memberUser] = await seedOrganisationMembers({
+      members: [{ name: 'Member', organisationRole: 'MEMBER' }],
+      organisationId: organisation.id,
+    });
+
+    const member = await getOrganisationMember(memberUser.id, organisation.id);
+
+    await apiSignin({ page, email: memberUser.email });
+
+    const res = await trpcMutation(page, 'organisation.leave', {
+      organisationId: organisation.id,
+    });
+
+    expect(res.ok()).toBeTruthy();
+
+    const deleted = await prisma.organisationMember.findFirst({
+      where: { id: member.id },
+    });
+
+    expect(deleted).toBeNull();
+  });
+});
@@ -238,7 +238,7 @@ test('[TEAMS]: resend pending team document', async ({ page }) => {
  await page.getByLabel('test.documenso.com').first().click();
  await page.getByRole('button', { name: 'Send reminder' }).click();

-  await expectToastTextToBeVisible(page, 'Document re-sent');
+  await expectToastTextToBeVisible(page, 'Document resent');
 });

 test('[TEAMS]: delete draft team document', async ({ page }) => {
@@ -0,0 +1,105 @@
+import { seedOrganisationMembers } from '@documenso/prisma/seed/organisations';
+import { seedTeamMember } from '@documenso/prisma/seed/teams';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, test } from '@playwright/test';
+import { OrganisationMemberRole, TeamMemberRole } from '@prisma/client';
+
+import { apiSignin } from '../fixtures/authentication';
+import { openDropdownMenu } from '../fixtures/generic';
+
+/**
+ * Reproduces the "Team has no internal team groups" bug.
+ *
+ * When a team has member inheritance turned OFF, organisation admins/managers are
+ * still inherited into the team as team admins (shown with the "Group" source).
+ * These members are not part of the team's INTERNAL_TEAM group, so they cannot be
+ * removed via the team members page - attempting to do so threw a 500 ("Team has no
+ * internal team groups").
+ *
+ * Instead of crashing, the delete dialog must explain why the inherited member can't
+ * be removed and not offer a confirm button.
+ */
+test('[TEAMS]: explains why an inherited organisation member cannot be removed', async ({ page }) => {
+  // Team created with member inheritance OFF.
+  const { user: owner, organisation, team } = await seedUser({ inheritMembers: false });
+
+  const inheritedAdminEmail = `inherited-admin-${team.url}@test.documenso.com`;
+
+  // A second organisation admin is inherited into the team as a team admin (source "Group").
+  await seedOrganisationMembers({
+    organisationId: organisation.id,
+    members: [
+      {
+        name: 'Inherited Admin',
+        email: inheritedAdminEmail,
+        organisationRole: OrganisationMemberRole.ADMIN,
+      },
+    ],
+  });
+
+  await apiSignin({
+    page,
+    email: owner.email,
+    redirectPath: `/t/${team.url}/settings/members`,
+  });
+
+  const inheritedMemberRow = page.getByRole('row').filter({ hasText: inheritedAdminEmail });
+
+  // Sanity check: the member is inherited from a group, not a direct team member.
+  await expect(inheritedMemberRow).toBeVisible();
+  await expect(inheritedMemberRow).toContainText('Group');
+
+  await openDropdownMenu(page, inheritedMemberRow.getByRole('button').last());
+
+  // The action stays enabled - opening it shows a dialog explaining why the inherited
+  // member can't be removed, rather than triggering the 500.
+  const removeMenuItem = page.getByRole('menuitem', { name: 'Remove' });
+  await expect(removeMenuItem).toBeEnabled();
+  await removeMenuItem.click();
+
+  await expect(page.getByText('inherited from a group').first()).toBeVisible();
+
+  // No confirm button is offered, so the broken removal can never be triggered.
+  await expect(page.getByRole('button', { name: 'Remove' })).toHaveCount(0);
+});
+
+/**
+ * Guards against over-disabling the remove action: a direct team member (one that
+ * belongs to the team's INTERNAL_TEAM group) must still be removable.
+ */
+test('[TEAMS]: can remove a direct team member', async ({ page }) => {
+  const { user: owner, team } = await seedUser({ inheritMembers: false });
+
+  const directMember = await seedTeamMember({
+    teamId: team.id,
+    name: 'Direct Member',
+    role: TeamMemberRole.MEMBER,
+  });
+
+  await apiSignin({
+    page,
+    email: owner.email,
+    redirectPath: `/t/${team.url}/settings/members`,
+  });
+
+  const directMemberRow = page.getByRole('row').filter({ hasText: directMember.email });
+
+  await expect(directMemberRow).toBeVisible();
+
+  await openDropdownMenu(page, directMemberRow.getByRole('button').last());
+
+  const removeMenuItem = page.getByRole('menuitem', { name: 'Remove' });
+
+  // The "Remove" action is enabled for direct members and removing them succeeds.
+  await expect(removeMenuItem).toBeEnabled();
+  await removeMenuItem.click();
+
+  await page.getByRole('button', { name: 'Remove' }).click();
+
+  await expect(page.getByText('You have successfully removed this user from the team.').first()).toBeVisible();
+
+  // The member is actually gone after reloading the members list.
+  await page.reload();
+  await expect(page.getByRole('row').filter({ hasText: owner.email })).toBeVisible();
+  await expect(page.getByRole('row').filter({ hasText: directMember.email })).toHaveCount(0);
+});
@@ -16,6 +16,8 @@
    "@aws-sdk/client-sesv2": "^3.998.0",
    "@documenso/lib": "*",
    "@documenso/prisma": "*",
+    "arctic": "^3.7.0",
+    "hono": "^4.12.14",
    "luxon": "^3.7.2",
    "react": "^18",
    "ts-pattern": "^5.9.0",
@@ -0,0 +1,347 @@
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+
+import type { TCscCredentialsInfoResponse } from './client/types';
+
+/**
+ * CSC QES V1 algorithm policy.
+ *
+ * Single OID-to-algorithm map + single helper that:
+ * - validates cert state (status, validity window) → `CSC_CERT_INVALID`,
+ * - validates the credential's key + algorithm against the spec's policy
+ *   table (RSA ≥2048, ECDSA P-256/384/521, SHA-256/384/512) →
+ *   `CSC_ALGORITHM_REFUSED`,
+ * - resolves a concrete `(signAlgo, hashAlgo)` OID pair for §11.9.
+ *
+ * Called at the service-scope OAuth callback (validation boundary) and
+ * re-called at sign time as a defence-in-depth pre-check. Persisted fields
+ * (`keyType` / `keyLenBits` / `digestAlgorithm` / `signAlgoOid`) round-trip
+ * through `CscCredential`.
+ */
+
+export type CscKeyType = 'RSA' | 'ECDSA';
+
+export type CscDigest = 'SHA-256' | 'SHA-384' | 'SHA-512';
+
+export type CscEcdsaCurve = 'P-256' | 'P-384' | 'P-521';
+
+export type CscAlgorithmPolicy = {
+  keyType: CscKeyType;
+  keyLenBits: number;
+  digestAlgorithm: CscDigest;
+  /** OID for `signatures/signHash.signAlgo` + persisted on `CscCredential`. */
+  signAlgoOid: string;
+  /** OID for `signatures/signHash.hashAlgo`. */
+  hashAlgoOid: string;
+  /** ECDSA named curve (informational; not separately persisted). */
+  ecdsaCurve?: CscEcdsaCurve;
+};
+
+/**
+ * Default RSA digest when the TSP advertises only hash-agnostic RSA OIDs
+ * (plain `rsaEncryption` / RSASSA-PSS). SHA-256 matches the CSC §11.9
+ * sample and is universally TSP-supported.
+ */
+const DEFAULT_RSA_DIGEST: CscDigest = 'SHA-256';
+
+const HASH_OID_FOR_DIGEST: Record<CscDigest, string> = {
+  'SHA-256': '2.16.840.1.101.3.4.2.1',
+  'SHA-384': '2.16.840.1.101.3.4.2.2',
+  'SHA-512': '2.16.840.1.101.3.4.2.3',
+};
+
+/**
+ * Exposed lookup for the `signatures/signHash.hashAlgo` OID corresponding to a
+ * resolved {@link CscDigest}. Useful at sign time when the policy's
+ * `hashAlgoOid` field is not in scope (e.g. when reconstructing a
+ * `LibpdfSignerAlgo` from a persisted `CscCredential` row).
+ */
+export const hashOidForDigest = (digest: CscDigest): string => HASH_OID_FOR_DIGEST[digest];
+
+const DIGEST_STRENGTH: Record<CscDigest, number> = {
+  'SHA-256': 256,
+  'SHA-384': 384,
+  'SHA-512': 512,
+};
+
+const STRONG_DIGEST_SET = new Set<string>(['SHA-256', 'SHA-384', 'SHA-512']);
+
+type AlgoOidInfo = { family: 'RSA' | 'ECDSA'; boundDigest: CscDigest | 'SHA-1' | 'MD5' | null } | { family: 'DSA' };
+
+/**
+ * Source-of-truth registry for `key.algo` entries (§11.5). Anything not
+ * listed is treated as unknown and skipped at policy evaluation.
+ */
+const KEY_ALGO_OID_REGISTRY: Record<string, AlgoOidInfo> = {
+  // Hash-agnostic RSA — caller picks the hash via `hashAlgo`.
+  '1.2.840.113549.1.1.1': { family: 'RSA', boundDigest: null }, // rsaEncryption
+  '1.2.840.113549.1.1.10': { family: 'RSA', boundDigest: null }, // RSASSA-PSS
+
+  // Hash-bound legacy RSA combos.
+  '1.2.840.113549.1.1.4': { family: 'RSA', boundDigest: 'MD5' }, // md5WithRSAEncryption
+  '1.2.840.113549.1.1.5': { family: 'RSA', boundDigest: 'SHA-1' }, // sha1WithRSAEncryption
+  '1.2.840.113549.1.1.11': { family: 'RSA', boundDigest: 'SHA-256' }, // sha256WithRSAEncryption
+  '1.2.840.113549.1.1.12': { family: 'RSA', boundDigest: 'SHA-384' }, // sha384WithRSAEncryption
+  '1.2.840.113549.1.1.13': { family: 'RSA', boundDigest: 'SHA-512' }, // sha512WithRSAEncryption
+
+  // ECDSA with SHA-x (hash is always bound).
+  '1.2.840.10045.4.1': { family: 'ECDSA', boundDigest: 'SHA-1' }, // ecdsa-with-SHA1
+  '1.2.840.10045.4.3.2': { family: 'ECDSA', boundDigest: 'SHA-256' },
+  '1.2.840.10045.4.3.3': { family: 'ECDSA', boundDigest: 'SHA-384' },
+  '1.2.840.10045.4.3.4': { family: 'ECDSA', boundDigest: 'SHA-512' },
+
+  // DSA — refused outright.
+  '1.2.840.10040.4.1': { family: 'DSA' },
+  '1.2.840.10040.4.3': { family: 'DSA' }, // dsa-with-SHA1
+};
+
+/**
+ * ECDSA named-curve OID registry. Policy verdict (allow/refuse) is decided
+ * by the resolver from the resolved curve name, not encoded here.
+ */
+const CURVE_OID_REGISTRY: Record<string, CscEcdsaCurve | 'P-192' | 'P-224'> = {
+  '1.2.840.10045.3.1.7': 'P-256', // secp256r1
+  '1.3.132.0.34': 'P-384', // secp384r1
+  '1.3.132.0.35': 'P-521', // secp521r1
+  '1.2.840.10045.3.1.1': 'P-192', // secp192r1
+  '1.3.132.0.33': 'P-224', // secp224r1
+};
+
+/**
+ * Validate a CSC credential's cert + key/algorithm against V1 policy and
+ * resolve the `(signAlgo, hashAlgo)` OID pair used by `signatures/signHash`.
+ *
+ * Caller MUST fetch the credential with `certInfo: true` so `cert.validFrom`
+ * / `cert.validTo` are present.
+ *
+ * Throws:
+ * - `CSC_CERT_INVALID` for cert-state issues (status not `valid`, missing or
+ *   malformed validity dates, current time outside the validity window).
+ * - `CSC_ALGORITHM_REFUSED` for key/algorithm policy failures (disabled key,
+ *   missing `key.len`, RSA `< 2048`, ECDSA without an allowed curve, DSA, no
+ *   acceptable digest advertised in `key.algo`).
+ */
+export const resolveCscAlgorithmPolicy = (credentialInfo: TCscCredentialsInfoResponse): CscAlgorithmPolicy => {
+  assertCertValid(credentialInfo.cert);
+
+  if (credentialInfo.key.status !== 'enabled') {
+    throw new AppError(AppErrorCode.CSC_ALGORITHM_REFUSED, {
+      message: `CSC credential key status is '${credentialInfo.key.status}'.`,
+    });
+  }
+
+  if (credentialInfo.key.len === undefined) {
+    throw new AppError(AppErrorCode.CSC_ALGORITHM_REFUSED, {
+      message: 'CSC credential omits required key.len (REQUIRED per §11.5).',
+    });
+  }
+
+  const choice = pickAlgorithmChoice(credentialInfo.key.algo);
+
+  if (choice.family === 'RSA') {
+    if (credentialInfo.key.len < 2048) {
+      throw new AppError(AppErrorCode.CSC_ALGORITHM_REFUSED, {
+        message: `CSC RSA credential keyLen ${credentialInfo.key.len} < 2048.`,
+      });
+    }
+
+    return {
+      keyType: 'RSA',
+      keyLenBits: credentialInfo.key.len,
+      digestAlgorithm: choice.digest,
+      signAlgoOid: choice.signAlgoOid,
+      hashAlgoOid: HASH_OID_FOR_DIGEST[choice.digest],
+    };
+  }
+
+  const curve = resolveEcdsaCurve(credentialInfo.key.curve);
+
+  return {
+    keyType: 'ECDSA',
+    keyLenBits: credentialInfo.key.len,
+    digestAlgorithm: choice.digest,
+    signAlgoOid: choice.signAlgoOid,
+    hashAlgoOid: HASH_OID_FOR_DIGEST[choice.digest],
+    ecdsaCurve: curve,
+  };
+};
+
+type AlgorithmChoice = {
+  family: 'RSA' | 'ECDSA';
+  signAlgoOid: string;
+  digest: CscDigest;
+};
+
+/**
+ * Iterate the TSP's advertised `key.algo` OIDs, drop the policy-refused
+ * entries, and pick the strongest survivor.
+ *
+ * Precedence: ECDSA before RSA (smaller signatures, modern); within each
+ * family, strongest advertised digest first. Hash-agnostic RSA OIDs pair
+ * with {@link DEFAULT_RSA_DIGEST}.
+ */
+const pickAlgorithmChoice = (algoOids: readonly string[]): AlgorithmChoice => {
+  const candidates: AlgorithmChoice[] = [];
+
+  for (const oid of algoOids) {
+    const info = KEY_ALGO_OID_REGISTRY[oid];
+
+    if (info === undefined) {
+      // Unknown OID — another entry in `key.algo` may still be acceptable.
+      continue;
+    }
+
+    if (info.family === 'DSA') {
+      continue;
+    }
+
+    if (info.boundDigest === null) {
+      candidates.push({
+        family: info.family,
+        signAlgoOid: oid,
+        digest: DEFAULT_RSA_DIGEST,
+      });
+      continue;
+    }
+
+    if (STRONG_DIGEST_SET.has(info.boundDigest)) {
+      candidates.push({
+        family: info.family,
+        signAlgoOid: oid,
+        digest: info.boundDigest as CscDigest,
+      });
+    }
+  }
+
+  if (candidates.length === 0) {
+    throw new AppError(AppErrorCode.CSC_ALGORITHM_REFUSED, {
+      message: `CSC credential advertises no policy-compliant key.algo OIDs (got: ${algoOids.join(', ') || '<empty>'}).`,
+    });
+  }
+
+  candidates.sort((a, b) => {
+    if (a.family !== b.family) {
+      return a.family === 'ECDSA' ? -1 : 1;
+    }
+
+    return DIGEST_STRENGTH[b.digest] - DIGEST_STRENGTH[a.digest];
+  });
+
+  return candidates[0];
+};
+
+const resolveEcdsaCurve = (curveOid: string | undefined): CscEcdsaCurve => {
+  if (curveOid === undefined || curveOid === '') {
+    throw new AppError(AppErrorCode.CSC_ALGORITHM_REFUSED, {
+      message: 'CSC ECDSA credential omits required key.curve.',
+    });
+  }
+
+  const named = CURVE_OID_REGISTRY[curveOid];
+
+  if (named === 'P-256' || named === 'P-384' || named === 'P-521') {
+    return named;
+  }
+
+  const detail = named ? `, named=${named}` : '';
+
+  throw new AppError(AppErrorCode.CSC_ALGORITHM_REFUSED, {
+    message: `CSC ECDSA credential uses refused curve (oid=${curveOid}${detail}).`,
+  });
+};
+
+const assertCertValid = (cert: TCscCredentialsInfoResponse['cert']): void => {
+  if (cert.status !== undefined && cert.status !== 'valid') {
+    throw new AppError(AppErrorCode.CSC_CERT_INVALID, {
+      message: `CSC credential certificate status is '${cert.status}'.`,
+    });
+  }
+
+  if (!cert.validFrom || !cert.validTo) {
+    throw new AppError(AppErrorCode.CSC_CERT_INVALID, {
+      message: 'CSC credential certificate omits validFrom/validTo (malformed).',
+    });
+  }
+
+  const validFromMs = parseGeneralizedTime(cert.validFrom);
+  const validToMs = parseGeneralizedTime(cert.validTo);
+
+  if (validFromMs === null || validToMs === null) {
+    throw new AppError(AppErrorCode.CSC_CERT_INVALID, {
+      message: `CSC credential certificate validity dates are malformed (validFrom=${cert.validFrom}, validTo=${cert.validTo}).`,
+    });
+  }
+
+  const now = Date.now();
+
+  if (now < validFromMs) {
+    throw new AppError(AppErrorCode.CSC_CERT_INVALID, {
+      message: `CSC credential certificate is not yet valid (validFrom=${cert.validFrom}).`,
+    });
+  }
+
+  if (now > validToMs) {
+    throw new AppError(AppErrorCode.CSC_CERT_INVALID, {
+      message: `CSC credential certificate has expired (validTo=${cert.validTo}).`,
+    });
+  }
+};
+
+/**
+ * Parse an X.509 GeneralizedTime string (`YYYYMMDDHHMMSSZ`) into epoch ms.
+ * Strict — returns null on any deviation from the §11.5 example format.
+ */
+const parseGeneralizedTime = (value: string): number | null => {
+  const matched = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/.exec(value);
+
+  if (matched === null) {
+    return null;
+  }
+
+  const [, y, mo, d, h, mi, s] = matched;
+
+  const ms = Date.UTC(Number(y), Number(mo) - 1, Number(d), Number(h), Number(mi), Number(s));
+
+  return Number.isNaN(ms) ? null : ms;
+};
+
+/**
+ * Subset of libpdf's `Signer` interface fields derived from a `CscAlgorithmPolicy`.
+ * Used by `CscCaptureSigner` / `CscFifoSigner` to satisfy libpdf's signer
+ * contract without re-deriving the mapping at each call site. `keyLenBits`
+ * is carried through so the capture-signer can size its placeholder output
+ * appropriately for the chosen key.
+ */
+export type LibpdfSignerAlgo = {
+  keyType: 'RSA' | 'EC';
+  signatureAlgorithm: 'RSASSA-PKCS1-v1_5' | 'RSA-PSS' | 'ECDSA';
+  digestAlgorithm: CscDigest;
+  keyLenBits: number;
+};
+
+/**
+ * Translate a `CscAlgorithmPolicy` (CSC §11.5 OIDs) into libpdf's `Signer`
+ * algorithm tuple. RSASSA-PSS is detected by the `signAlgoOid`; everything
+ * else maps directly from `keyType` + `digestAlgorithm`.
+ */
+export const policyToLibpdfSignerAlgo = (policy: CscAlgorithmPolicy): LibpdfSignerAlgo => {
+  if (policy.keyType === 'ECDSA') {
+    return {
+      keyType: 'EC',
+      signatureAlgorithm: 'ECDSA',
+      digestAlgorithm: policy.digestAlgorithm,
+      keyLenBits: policy.keyLenBits,
+    };
+  }
+
+  // RSA — distinguish PKCS1-v1.5 from PSS by the resolved sign-algo OID.
+  // RSASSA-PSS OID: '1.2.840.113549.1.1.10'.
+  const signatureAlgorithm: 'RSASSA-PKCS1-v1_5' | 'RSA-PSS' =
+    policy.signAlgoOid === '1.2.840.113549.1.1.10' ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5';
+
+  return {
+    keyType: 'RSA',
+    signatureAlgorithm,
+    digestAlgorithm: policy.digestAlgorithm,
+    keyLenBits: policy.keyLenBits,
+  };
+};
@@ -0,0 +1,122 @@
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+
+/**
+ * Length-prefixed X.509 chain for `CscCredential.certCache`. Schema column is
+ * `Bytes`; this gives a self-describing binary that round-trips without
+ * base64 inflation. Format: u32 BE cert count, then per-cert u32 BE byte
+ * length + raw DER bytes.
+ *
+ * Encoding inputs come from `cscCredentialsInfo.cert.certificates`, which the
+ * CSC §11.5 spec defines as an array of base64-encoded DER X.509 certificates
+ * (leaf-first). The encoder decodes each base64 entry once at persistence
+ * time; the decoder is the symmetric inverse used at sign time.
+ *
+ * Pure functions, no I/O.
+ */
+
+const BASE64_REGEX = /^[A-Za-z0-9+/]+={0,2}$/;
+
+/**
+ * Encode a leaf-first chain of base64-encoded DER certs into the
+ * length-prefixed binary form persisted on `CscCredential.certCache`.
+ *
+ * Throws `INVALID_REQUEST` when the input is empty or any entry is not valid
+ * base64.
+ */
+export const encodeCscCertChain = (certs: string[]): Uint8Array => {
+  if (certs.length === 0) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'CSC certificate chain encoding requires at least one certificate.',
+    });
+  }
+
+  const derBuffers: Uint8Array[] = [];
+  let totalDerBytes = 0;
+
+  for (const entry of certs) {
+    if (entry.length === 0 || !BASE64_REGEX.test(entry)) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'CSC certificate chain entry is not valid base64.',
+      });
+    }
+
+    const der = Buffer.from(entry, 'base64');
+
+    if (der.length === 0) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'CSC certificate chain entry decoded to zero bytes.',
+      });
+    }
+
+    derBuffers.push(der);
+    totalDerBytes += der.length;
+  }
+
+  // 4 bytes for the count + 4 bytes per-cert length prefix + raw DER bytes.
+  const totalLength = 4 + derBuffers.length * 4 + totalDerBytes;
+  const out = new Uint8Array(totalLength);
+  const view = new DataView(out.buffer, out.byteOffset, out.byteLength);
+
+  view.setUint32(0, derBuffers.length, false);
+
+  let offset = 4;
+
+  for (const der of derBuffers) {
+    view.setUint32(offset, der.length, false);
+    offset += 4;
+    out.set(der, offset);
+    offset += der.length;
+  }
+
+  return out;
+};
+
+/**
+ * Decode a length-prefixed cert chain back into an array of DER cert byte
+ * arrays. Inverse of {@link encodeCscCertChain}.
+ *
+ * Throws `INVALID_REQUEST` when the buffer is truncated or any per-cert
+ * length prefix runs off the end of the buffer.
+ */
+export const decodeCscCertChain = (bytes: Uint8Array): Uint8Array[] => {
+  if (bytes.byteLength < 4) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'CSC certificate chain buffer is too short to contain a count prefix.',
+    });
+  }
+
+  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+  const count = view.getUint32(0, false);
+
+  const result: Uint8Array[] = [];
+  let offset = 4;
+
+  for (let i = 0; i < count; i++) {
+    if (offset + 4 > bytes.byteLength) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'CSC certificate chain buffer truncated at length prefix.',
+      });
+    }
+
+    const length = view.getUint32(offset, false);
+    offset += 4;
+
+    if (length === 0 || offset + length > bytes.byteLength) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'CSC certificate chain buffer truncated within certificate body.',
+      });
+    }
+
+    // Slice copies the underlying bytes so callers can't mutate the source.
+    result.push(bytes.slice(offset, offset + length));
+    offset += length;
+  }
+
+  if (offset !== bytes.byteLength) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'CSC certificate chain buffer has trailing bytes after declared chain end.',
+    });
+  }
+
+  return result;
+};
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Catalin Pit	08e5acd0b2	chore: improve document preference form's default settings and reset functionality	2026-06-26 14:25:26 +03:00
Catalin Pit	1b55b3f7ea	feat: add DocumentPreferencesResetDialog component	2026-06-26 14:21:44 +03:00
David Nguyen	96ab78c33f	fix: resolve permission issues (#3029 )	2026-06-26 14:46:30 +10:00
Lucas Smith	241929bb97	feat: add API endpoints for downloading certificate and audit log PDFs (#3025 ) Add V2 API routes to download an envelope's certificate and audit log separately, and align the internal cert/audit log downloads to use envelopeId. Enforces document visibility via getEnvelopeWhereInput and loads field signatures so certificates render correctly.	2026-06-26 00:01:55 +10:00
Lucas Smith	94adea149d	chore: general repo maintenance and docs cleanup (#3030 ) Refresh README/docs for the current stack, add a security policy, note the external-PR pause, and remove dead config and workflows.	2026-06-25 23:59:25 +10:00
David Nguyen	9c5eb43a26	fix: migrate emails to jobs (#3024 )	2026-06-25 13:57:17 +10:00
Konrad	e0ef11e8c3	chore(i18n): update Polish translation (#3020 )	2026-06-25 13:24:40 +10:00
Lucas Smith	187b612568	chore: add translations (#3012 )	2026-06-23 15:12:23 +10:00
Lucas Smith	b37529a1cf	fix: show warning on overlapping fields (#3017 )	2026-06-23 15:11:57 +10:00
Lucas Smith	04f6e76178	feat: cap automated reminders before resend (#3016 ) Stop sending automated reminders after a configurable threshold (default 5) and reset the count on manual resend.	2026-06-23 15:11:52 +10:00
Lucas Smith	f2525ae95b	feat: add API endpoint to reject documents on behalf of recipients (#3007 ) Programmatically record an external rejection on behalf of a recipient who declined outside the platform. Flags the rejection as external in the audit log, optionally attributes it to a specific team member via actAsEmail, and enforces team membership and document visibility.	2026-06-22 21:59:07 +10:00
David Nguyen	2f24a8eab2	fix: set send status on resend (#3011 )	2026-06-22 17:00:24 +10:00
David Nguyen	d9b7722325	fix: correctly use default distribute envelope tab (#3010 )	2026-06-22 16:27:50 +10:00
github-actions[bot]	783123f72b	chore: extract translations (#2987 )	2026-06-22 16:06:57 +10:00
Lucas Smith	e8ed1c3d99	fix: respect branding enabled for recipient routes (#3009 )	2026-06-22 16:06:06 +10:00
David Nguyen	c23d739f76	feat: allow additional envelope duplicate settings (#3008 )	2026-06-22 14:41:38 +10:00
Lucas Smith	0bf58ca66e	feat: add custom brand colours to emails (#3005 )	2026-06-22 14:33:34 +10:00
David Nguyen	dee3259088	fix: remove old dialogs (#3006 )	2026-06-22 14:17:22 +10:00
Nandini Dhanrale	6ad1a2dfaf	fix: signing request email renders blank when organisation/team branding is enabled (#2968 )	2026-06-22 14:15:12 +10:00
Abdelrahman Abdelhamed	306e7fe5ed	fix: render unicode characters in typed signatures (#2728 )	2026-06-22 13:40:56 +10:00
Yash Singh	219db32fdf	fix: only send S3 checksums when required to support S3-compatible storage (#2984 )	2026-06-22 13:35:37 +10:00
David Nguyen	948d1bbf12	fix: improve team member removal ux (#3001 )	2026-06-22 12:16:55 +10:00
Lucas Smith	40d20ad068	v2.13.0	2026-06-18 16:03:26 +10:00
Lucas Smith	a99bdf5e20	fix: include envelopeId in webhook payload (#2998 )	2026-06-18 14:32:15 +10:00
Lucas Smith	4f346d3c2d	feat: add cancellable document status (#2992 ) Adds a CANCELLED envelope status that privileged members (owner or team admin/manager) can move a pending document into. Sending recipient notifications via a background job while retaining the document in the dashboard as proof of distribution. Includes a dedicated Cancelled tab, single and bulk cancel actions, the ENVELOPE_CANCELLED mutability guard, and e2e coverage for permissions and visibility.	2026-06-18 13:52:35 +10:00
Lucas Smith	d5ce222482	feat: add CSC AES/QES signing (v1 instance-wide config) (#2874 ) Adds Cloud Signature Consortium (CSC) integration for AES/QES signing against a configured TSP. v1 ships as instance-wide configuration via environment variables, with per-envelope signature level selection, license gating, and an OAuth-driven signing flow (capture + FIFO signers, SAD session, blocking/in-progress recipient pages). Includes signature level compatibility checks (role, signing order, dictate next signer), envelope mutability assertions, Prisma migration for signature level and CSC tables, and docs for the new signing certificate options.	2026-06-16 23:37:34 +10:00