Wet-Click Terms-of-Service Attestation

How AeroCopilot's TosAttestationGate captures wet-click consent, versions Terms of Service, and retains affirmative-consent records for state AG audits.

A click that affirmatively records who agreed, what they agreed to, and exactly when is the difference between a Terms of Service that holds up under a state Attorney General audit and one that does not. AeroCopilot enforces a wet-click attestation pattern across the product, versions every change to the agreement, and retains the consent record for seven years.

How the gate works

Every authenticated entry passes through TosAttestationGate, which is anchored to a single string constant: CURRENT_TOS_VERSION in apps/web/lib/legal/tos-acceptance.ts. When that constant changes, the next entry by every authenticated user re-prompts for affirmative consent. There is no silent migration. There is no implied consent. The current value is 2026-05-01-v2-rosca-draft, and until counsel sign-off the /terms-of-service page carries a clearly marked DRAFT banner at the top of the page and at the head of §10.

After counsel approval the version flips to 2026-05-01-v2-rosca-final (single string change), the DRAFT banners come off in two locations, and the Bible note flips from "draft" to "final."

Why §10 was rewritten

Section 10 — "Subscription, Billing & Auto-Renewal" — was rewritten on 2026-05-01 to align with the federal and state consumer-protection regimes that govern auto-renewing subscriptions:

  • FTC ROSCA — Restore Online Shoppers' Confidence Act §8403
  • FTC Click-to-Cancel rule — §425.4 through §425.6
  • California ARL — Business & Professions Code §17600 et seq.
  • New York GBL — §527-a
  • Vermont — 9 V.S.A. §2454a
  • State ARL updates — Connecticut, Oregon, Colorado, Minnesota, Washington, DC

Section 10 carries the eight ROSCA-required auto-renewal disclosures plus an Affirmative-Consent Record clause that pairs with the seven-year retention window described below.

What gets recorded

When a user wet-clicks accept, a SubscriptionConsentLog row is written. The row carries the CURRENT_TOS_VERSION value, the user identifier, the timestamp, and the clause set the user assented to. Rows are retained for seven years for state AG audit, with a CCPA anonymization carve-out so deletion requests can satisfy the access right without destroying the audit chain.
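
The version check from "How the gate works" and the consent row described above, as an added TypeScript example that is not AeroCopilot's code. Only CURRENT_TOS_VERSION and its value come from this page; the ConsentRow shape, the in-memory log, the function names and the pseudonym-based handling of deletion requests are assumptions.

```typescript
// Added illustration, not AeroCopilot source. Only CURRENT_TOS_VERSION and its
// value come from the page; every other name here is hypothetical.
const CURRENT_TOS_VERSION = "2026-05-01-v2-rosca-draft";
const RETENTION_YEARS = 7;

interface ConsentRow {
  subject: string;             // user id, or an opaque pseudonym after anonymization
  tosVersion: string;
  clauses: readonly string[];  // clause set the user assented to
  acceptedAt: Date;            // stamped server-side, never read from the request body
}

const consentLog: ConsentRow[] = []; // stands in for an append-only table

// Gate decision: only a row for the exact current version string counts.
function needsAttestation(userId: string, version: string = CURRENT_TOS_VERSION): boolean {
  return !consentLog.some(r => r.subject === userId && r.tosVersion === version);
}

// Accept handler: userId comes from the authenticated session.
function recordWetClick(userId: string, clauses: string[], now: Date = new Date()): ConsentRow {
  if (clauses.length === 0) throw new Error("refusing to log consent to an empty clause set");
  const row: ConsentRow = Object.freeze({
    subject: userId,
    tosVersion: CURRENT_TOS_VERSION,
    clauses: Object.freeze([...clauses]),
    acceptedAt: now,
  });
  consentLog.push(row);
  return row;
}

// Deletion request (assumed handling): replace the identifier, keep the rest of the row.
function anonymize(userId: string, pseudonym: string): number {
  let changed = 0;
  consentLog.forEach((r, i) => {
    if (r.subject !== userId) return;
    consentLog[i] = Object.freeze({ ...r, subject: pseudonym });
    changed++;
  });
  return changed;
}

// Earliest date a row may leave the store under the seven-year window.
function retainUntil(row: ConsentRow): Date {
  const d = new Date(row.acceptedAt.getTime());
  d.setUTCFullYear(d.getUTCFullYear() + RETENTION_YEARS);
  return d;
}
```

Because the gate matches on the exact version string, acceptance of the draft version does not carry over once the constant changes, which is the re-prompt behavior the page describes.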

CancelIntent follows the same capture-first pattern: the cancel intent is recorded before any UI confirmation step, so even an abandoned cancel attempt is preserved. The cancel UI itself is ROSCA-safe — no double-confirm dark pattern, cancel rendered as a text-link rather than a destructive button.

Wet-click is the same pattern used everywhere safety attaches

The wet-click pattern is not a billing concept; it is the audit-grade signature primitive for any act with regulatory significance:

  • Logbook signing — §61.59 falsification defense. Auto-detected entries stay draft until a wet-click sign stamps signedAt and signedByUserId. Only signed entries advance §61.57 currency. Edits after signing create amendment records rather than overwriting.
  • Drone PIC attestation — §107.41. The LAANC Submit Wizard at /drone/laanc/new requires a §107.41 PIC attestation alongside the Zod-validated form and a UUID v4 idempotency key.
  • Drone medical fitness — §107.17. The planned → briefed transition requires a structured medicalAttestationDetails JSON capture (last alcohol, rest hours, medications, fitness notes) — a boolean alone is unfalsifiable.
  • Part 175 dangerous goods. "PIC Sign" records picSignedAt and picSignedUserId against each declared item with an entity="dangerous_goods_item" action="pic_signed" audit log entry.
  • Part 135.77 release attestation. The release email artifact is logged to OpsAuditLog under entity="foreflight_packet" with the attestation captured.

In every case the click is paired with two server-side facts (*At and *ByUserId) and an audit log entry. The screen text and the recorded fact are always the same.

Counsel handoff

When the working draft is ready for counsel, the handoff is the /terms-of-service URL plus the §10 narrative plus two reference specs: SPEC-COMPLIANCE-RISK.md and COUNCIL-FTC-COMPLIANCE.md. After approval, the version-string flip is the only code change required.