Update main.py

main.py

@@ -1,1563 +1,1027 @@
+"""
+main.py — Pricelyst Shopping Advisor (single-file server)
+
+✅ Flask API
+✅ Firebase Admin persistence (service account JSON via env var)
+✅ Gemini via NEW google-genai SDK (text + multimodal)
+✅ Product intelligence from Pricelyst API (/api/v1/products is open)
+✅ Graceful conversational handling (don’t “force” shopping intent)
+✅ Call briefing + call logging + optional actionable post-call report
+
+ENV VARS YOU NEED
+- GOOGLE_API_KEY=...
+- FIREBASE='{"type":"service_account", ...}'   # full JSON string
+- PRICE_API_BASE=https://api.pricelyst.co.zw   # optional
+- GEMINI_MODEL=gemini-2.0-flash                # optional
+- PORT=5000                                    # optional
+
+REQUEST SHAPES
+1) POST /chat
+{
+  "profile_id": "demo123",
+  "username": "Tinashe",              # optional
+  "message": "Where is cooking oil cheapest?",
+  "images": ["data:image/png;base64,...", "https://..."],   # optional
+  "context": { "budget": 20, "location": "Harare" }         # optional
+}
+
+2) POST /api/call-briefing
+{
+  "profile_id": "demo123",
+  "username": "Tinashe"
+}
+
+3) POST /api/log-call-usage
+{
+  "profile_id": "demo123",
+  "transcript": ".... full transcript ...",
+  "call_id": "optional-client-id",
+  "started_at": "2026-01-23T12:00:00Z",
+  "ended_at": "2026-01-23T12:08:05Z",
+  "stats": { "duration_sec": 485, "agent": "elevenlabs" }
+}
+
+NOTES
+- We DO NOT depend on upstream auth (you said products are open).
+- We keep our own "profile_id" for personalization; when integrated, the host app supplies real profile_id.
+"""
+
 import os
-import io
 import re
 import json
-import uuid
 import time
-import traceback
-from datetime import datetime, timedelta
-
-from flask import Flask, request, jsonify, Response
-from flask_cors import CORS
-
-import firebase_admin
-from firebase_admin import credentials, db, storage, auth
-
-from PIL import Image
-import requests
-
-# Google GenAI (Gemini)
-from google import genai
-from google.genai import types
-
+import math
+import uuid
+import base64
 import logging
-logging.basicConfig(level=logging.INFO)
-logger = logging.getLogger(__name__)
-
-# -----------------------------------------------------------------------------
-# 1. CONFIGURATION & INITIALIZATION
-# -----------------------------------------------------------------------------
-
-app = Flask(__name__)
-CORS(app)
-
-# --- Firebase Initialization ---
-try:
-    credentials_json_string = os.environ.get("FIREBASE")
-    if not credentials_json_string:
-        raise ValueError("The FIREBASE environment variable is not set.")
-
-    credentials_json = json.loads(credentials_json_string)
-    firebase_db_url = os.environ.get("Firebase_DB")
-    firebase_storage_bucket = os.environ.get("Firebase_Storage")
+from datetime import datetime, timezone
+from typing import Any, Dict, List, Optional, Tuple
 
-    if not firebase_db_url or not firebase_storage_bucket:
-        raise ValueError("Firebase_DB and Firebase_Storage environment variables must be set.")
-
-    cred = credentials.Certificate(credentials_json)
-    firebase_admin.initialize_app(cred, {
-        "databaseURL": firebase_db_url,
-        "storageBucket": firebase_storage_bucket
-    })
-
-    logger.info("Firebase Admin SDK initialized successfully.")
-except Exception as e:
-    logger.error(f"FATAL: Error initializing Firebase: {e}")
-    raise
+import requests
+import pandas as pd
+from flask import Flask, request, jsonify
+from flask_cors import CORS
 
-bucket = storage.bucket()
-db_ref = db.reference()
+# ---------- Logging ----------
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s | %(levelname)s | %(message)s"
+)
+logger = logging.getLogger("pricelyst-advisor")
 
-# --- Google GenAI Client Initialization ---
+# ---------- Gemini (NEW SDK) ----------
+# pip install google-genai
 try:
-    api_key = os.environ.get("Gemini")
-    if not api_key:
-        raise ValueError("The 'Gemini' environment variable is not set.")
-    client = genai.Client(api_key=api_key)
-    logger.info("Google GenAI Client initialized successfully.")
+    from google import genai
 except Exception as e:
-    logger.error(f"FATAL: Error initializing GenAI Client: {e}")
-    raise
-
-# --- Model Constants ---
-VISION_MODEL = "gemini-2.5-flash"  # Vision + text
-TEXT_MODEL = "gemini-2.5-flash"    # text-only tasks
-
-# -----------------------------------------------------------------------------
-# 2. HELPER FUNCTIONS
-# -----------------------------------------------------------------------------
+    genai = None
+    logger.error("google-genai not installed. pip install google-genai. Error=%s", e)
 
-def now_iso() -> str:
-    return datetime.utcnow().isoformat() + "Z"
+GOOGLE_API_KEY = os.environ.get("GOOGLE_API_KEY", "")
+GEMINI_MODEL = os.environ.get("GEMINI_MODEL", "gemini-2.0-flash")
 
-def verify_token(auth_header):
-    """Verifies the Firebase ID token from the Authorization header."""
-    if not auth_header or not auth_header.startswith("Bearer "):
-        return None
-    token = auth_header.split("Bearer ")[1]
+_gemini_client = None
+if genai and GOOGLE_API_KEY:
     try:
-        decoded = auth.verify_id_token(token)
-        return decoded.get("uid")
+        _gemini_client = genai.Client(api_key=GOOGLE_API_KEY)
+        logger.info("Gemini client ready (model=%s).", GEMINI_MODEL)
     except Exception as e:
-        logger.warning(f"Token verification failed: {e}")
-        return None
+        logger.error("Failed to init Gemini client: %s", e)
 
-def verify_admin(auth_header):
-    """Verifies if the user is an admin."""
-    uid = verify_token(auth_header)
-    if not uid:
-        raise PermissionError("Invalid or missing user token")
-
-    user = db_ref.child(f"users/{uid}").get() or {}
-    if not user.get("is_admin", False):
-        raise PermissionError("Admin access required")
-    return uid
-
-def upload_to_storage(data_bytes, destination_blob_name, content_type):
-    """Uploads bytes to Firebase Storage and returns its public URL."""
-    blob = bucket.blob(destination_blob_name)
-    blob.upload_from_string(data_bytes, content_type=content_type)
-    blob.make_public()
-    return blob.public_url
-
-def safe_float(x, default=None):
-    try:
-        return float(x)
-    except Exception:
-        return default
+# ---------- Firebase Admin ----------
+# pip install firebase-admin
+import firebase_admin
+from firebase_admin import credentials, firestore
 
-def safe_int(x, default=None):
-    try:
-        return int(x)
-    except Exception:
-        return default
+FIREBASE_ENV = os.environ.get("FIREBASE", "")
 
-def normalize_text(s: str) -> str:
-    return re.sub(r"\s+", " ", str(s or "")).strip().lower()
+def init_firestore_from_env() -> firestore.Client:
+    if firebase_admin._apps:
+        return firestore.client()
 
-def send_text_request(model_name, prompt, image=None):
-    """
-    Helper: if image is provided, send [prompt, image].
-    If no image, send prompt only.
-    Returns response text or None.
-    """
-    try:
-        chat = client.chats.create(model=model_name)
-        if image is None:
-            resp = chat.send_message([prompt])
-        else:
-            resp = chat.send_message([prompt, image])
+    if not FIREBASE_ENV:
+        raise RuntimeError("FIREBASE env var missing. Provide full service account JSON string.")
 
-        text_out = ""
-        for part in resp.candidates[0].content.parts:
-            if hasattr(part, "text") and part.text:
-                text_out += part.text
-        return text_out.strip() if text_out else None
-    except Exception as e:
-        logger.error(f"Error with model {model_name}: {e}")
-        return None
+    sa_info = json.loads(FIREBASE_ENV)
+    cred = credentials.Certificate(sa_info)
+    firebase_admin.initialize_app(cred)
+    return firestore.client()
 
-def extract_json_from_text(text: str):
-    """
-    Robust-ish JSON extraction:
-    - Try direct JSON parse
-    - Else find first {...} block and parse that
-    """
-    if not text:
-        return None
-    text = text.strip()
+db = init_firestore_from_env()
 
-    # direct
-    try:
-        return json.loads(text)
-    except Exception:
-        pass
+# ---------- External API (Pricelyst) ----------
+PRICE_API_BASE = os.environ.get("PRICE_API_BASE", "https://api.pricelyst.co.zw").rstrip("/")
+HTTP_TIMEOUT = 20
 
-    # find first JSON object
-    m = re.search(r"\{.*\}", text, re.DOTALL)
-    if not m:
-        return None
+# ---------- Flask ----------
+app = Flask(__name__)
+CORS(app)
+
+# ---------- In-memory product cache ----------
+PRODUCT_CACHE_TTL_SEC = 60 * 10  # 10 minutes
+_product_cache: Dict[str, Any] = {
+    "ts": 0,
+    "df_offers": pd.DataFrame(),
+    "raw_count": 0,
+}
+
+# =========================
+# Helpers: time / strings
+# =========================
+def now_utc_iso() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+def _coerce_float(v: Any) -> Optional[float]:
     try:
-        return json.loads(m.group(0))
+        if v is None:
+            return None
+        if isinstance(v, (int, float)):
+            return float(v)
+        s = str(v).strip()
+        if not s:
+            return None
+        return float(s)
     except Exception:
         return None
 
-def require_role(uid: str, allowed_roles: list[str]) -> dict:
-    """
-    Reads user profile and checks role.
-    Returns user_data if ok, else raises PermissionError with a clear message.
-    """
-    user_data = db_ref.child(f"users/{uid}").get()
-    if not user_data:
-        raise PermissionError(
-            f"User profile missing in RTDB at /users/{uid}. "
-            f"Call /api/auth/social-signin (or /api/auth/signup) once after login to bootstrap the profile."
-        )
-
-    role = (user_data.get("role") or "").lower().strip()
-    if role not in allowed_roles:
-        raise PermissionError(f"Role '{role}' not allowed. Allowed roles: {allowed_roles}")
-
-    return user_data
-
-
-def get_or_create_profile(uid: str) -> dict:
-    """
-    Ensures /users/{uid} exists in RTDB for any authenticated user.
-    - If missing, bootstraps from Firebase Auth and defaults role to 'customer'.
-    """
-    ref = db_ref.child(f"users/{uid}")
-    user_data = ref.get()
-    if user_data:
-        return user_data
-
-    fb_user = auth.get_user(uid)
-    new_user_data = {
-        "email": fb_user.email or "",
-        "displayName": fb_user.display_name or "",
-        "phone": "",
-        "city": "",
-        "role": "customer",   # safe default so task posting works out-of-the-box
-        "is_admin": False,
-        "createdAt": now_iso()
-    }
-    ref.set(new_user_data)
-    return new_user_data    
-
-
-def push_notification(to_uid: str, notif_type: str, title: str, body: str, meta: dict | None = None):
-    """
-    In-app notification stored in RTDB:
-      /notifications/{uid}/{notifId}
-    """
-    notif_id = str(uuid.uuid4())
-    payload = {
-        "notifId": notif_id,
-        "type": notif_type,
-        "title": title,
-        "body": body,
-        "meta": meta or {},
-        "createdAt": now_iso(),
-        "read": False
-    }
-    db_ref.child(f"notifications/{to_uid}/{notif_id}").set(payload)
-    return payload
-
-def task_access_check(uid: str, task: dict, user_role: str):
-    """
-    Role-aware access:
-    - customer can access own tasks
-    - tasker can access open tasks + tasks they are assigned to + tasks they bid on
-    - admin can access all
-    """
-    if user_role == "admin":
-        return True
-
-    owner = task.get("createdBy")
-    assigned = task.get("assignedTaskerId")
-    if user_role == "customer":
-        return owner == uid
-
-    if user_role == "tasker":
-        if task.get("status") in ["open", "bidding"] and owner != uid:
-            return True
-        if assigned == uid:
-            return True
-        # bid check
-        bids = db_ref.child(f"bids/{task.get('taskId')}").get() or {}
-        for b in bids.values():
-            if b.get("taskerId") == uid:
-                return True
-        return False
-
-    return False
-
-# -----------------------------------------------------------------------------
-# 3. BASIC HEALTH
-# -----------------------------------------------------------------------------
-
-@app.route("/api/health", methods=["GET"])
-def health():
-    return jsonify({"ok": True, "service": "oneplus-server", "time": now_iso()}), 200
-
-# -----------------------------------------------------------------------------
-# 4. AUTH & USER PROFILES (MVP)
-# -----------------------------------------------------------------------------
-
-@app.route("/api/auth/signup", methods=["POST"])
-def signup():
-    """
-    Email + password signup.
-    Creates Firebase Auth user + RTDB user profile.
-    """
-    try:
-        data = request.get_json() or {}
-        email = data.get("email")
-        password = data.get("password")
-        display_name = data.get("displayName")
-        phone = data.get("phone")
-        city = data.get("city")
-        role = (data.get("role") or "customer").lower().strip()  # customer|tasker|admin(not allowed here)
-
-        if role not in ["customer", "tasker"]:
-            return jsonify({"error": "Invalid role. Use customer or tasker."}), 400
-
-        if not email or not password:
-            return jsonify({"error": "Email and password are required"}), 400
-
-        user = auth.create_user(email=email, password=password, display_name=display_name)
-
-        user_data = {
-            "email": email,
-            "displayName": display_name,
-            "phone": phone,
-            "city": city,
-            "role": role,
-            "is_admin": False,
-            "createdAt": now_iso()
-        }
-        db_ref.child(f"users/{user.uid}").set(user_data)
-        return jsonify({"success": True, "uid": user.uid, **user_data}), 201
-
-    except Exception as e:
-        logger.error(f"Signup failed: {e}")
-        if "EMAIL_EXISTS" in str(e):
-            return jsonify({"error": "An account with this email already exists."}), 409
-        return jsonify({"error": str(e)}), 400
-
-@app.route("/api/auth/social-signin", methods=["POST"])
-def social_signin():
-    """
-    Ensures RTDB user record exists. Social login happens on client,
-    we just bootstrap profile.
-    """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Invalid or expired token"}), 401
-
-    user_ref = db_ref.child(f"users/{uid}")
-    user_data = user_ref.get()
+def _norm_str(s: Any) -> str:
+    s = "" if s is None else str(s)
+    s = s.strip().lower()
+    s = re.sub(r"\s+", " ", s)
+    return s
 
+def _safe_json_loads(s: str, fallback: Any):
     try:
-        fb_user = auth.get_user(uid)
-
-        # ---- NEW: If user record exists but missing role, default safely
-        if user_data:
-            patch = {}
-            if not user_data.get("displayName") and fb_user.display_name:
-                patch["displayName"] = fb_user.display_name
-            if not (user_data.get("role") or "").strip():
-                patch["role"] = "customer"
-            if patch:
-                user_ref.update(patch)
-                user_data = user_ref.get()
-            return jsonify({"uid": uid, **(user_data or {})}), 200
-
-        # create profile
-        new_user_data = {
-            "email": fb_user.email,
-            "displayName": fb_user.display_name,
-            "phone": "",
-            "city": "",
-            "role": "customer",
-            "is_admin": False,
-            "createdAt": now_iso()
+        return json.loads(s)
+    except Exception:
+        return fallback
+
+# =========================
+# Firestore profile storage
+# =========================
+def profile_ref(profile_id: str):
+    return db.collection("pricelyst_profiles").document(profile_id)
+
+def get_profile(profile_id: str) -> Dict[str, Any]:
+    ref = profile_ref(profile_id)
+    doc = ref.get()
+    if doc.exists:
+        return doc.to_dict() or {}
+    # create default
+    data = {
+        "profile_id": profile_id,
+        "created_at": now_utc_iso(),
+        "updated_at": now_utc_iso(),
+        "username": None,
+        "memory_summary": "",
+        "preferences": {},
+        "last_actions": [],
+        "counters": {
+            "chats": 0,
+            "calls": 0,
         }
-        user_ref.set(new_user_data)
-        return jsonify({"success": True, "uid": uid, **new_user_data}), 201
-
-    except Exception as e:
-        logger.error(f"social_signin failed: {e}")
-        return jsonify({"error": f"Failed to create user profile: {str(e)}"}), 500
-
-@app.route("/api/auth/set-role", methods=["POST"])
-def set_role_after_social_signin():
-    """
-    Set role after first social sign-in (or first time profile is missing).
-
-    Allowed transitions:
-      - missing profile -> bootstrap -> set role
-      - role missing/empty -> set role (customer|tasker)
-      - customer -> tasker (one-way upgrade ONCE)
-      - tasker -> customer (BLOCK)
-      - same role -> idempotent 200
-
-    Responses:
-      - 401 invalid token
-      - 400 invalid role
-      - 409 blocked role change
-      - 200 success (profile returned)
-    """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Invalid or expired token"}), 401
-
-    data = request.get_json() or {}
-    requested_role = (data.get("role") or "").lower().strip()
-
-    if requested_role not in ["customer", "tasker"]:
-        return jsonify({"error": "Invalid role. Use customer or tasker."}), 400
-
-    try:
-        user_ref = db_ref.child(f"users/{uid}")
-        user_data = user_ref.get()
-
-        # Bootstrap if missing
-        if not user_data:
-            fb_user = auth.get_user(uid)
-            user_data = {
-                "email": fb_user.email or "",
-                "displayName": fb_user.display_name or "",
-                "phone": "",
-                "city": "",
-                "role": "",  # intentionally empty so user must choose
-                "is_admin": False,
-                "createdAt": now_iso(),
-            }
-            user_ref.set(user_data)
-
-        current_role = (user_data.get("role") or "").lower().strip()
-
-        # Idempotent: already same role
-        if current_role and current_role == requested_role:
-            updated = user_ref.get() or {}
-            return jsonify({"success": True, "uid": uid, "profile": updated, "note": "role unchanged"}), 200
-
-        # If role is empty/missing -> allow setting
-        if not current_role:
-            patch = {
-                "role": requested_role,
-                "roleSetAt": now_iso(),
-                "updatedAt": now_iso(),
-            }
-            user_ref.update(patch)
-            updated = user_ref.get() or {}
-            return jsonify({"success": True, "uid": uid, "profile": updated}), 200
-
-        # One-way upgrade: customer -> tasker (allow ONCE)
-        if current_role == "customer" and requested_role == "tasker":
-            # If you want to allow this only once, the existence of roleUpgradedAt is enough
-            if (user_data.get("roleUpgradedAt") or "").strip():
-                return jsonify({
-                    "error": "Role change blocked",
-                    "reason": "Customer -> Tasker upgrade already used. Role flipping is not allowed.",
-                    "currentRole": current_role,
-                    "requestedRole": requested_role
-                }), 409
-
-            patch = {
-                "role": "tasker",
-                "roleUpgradedAt": now_iso(),
-                "updatedAt": now_iso(),
-            }
-            user_ref.update(patch)
-            updated = user_ref.get() or {}
-            return jsonify({"success": True, "uid": uid, "profile": updated, "note": "upgraded customer -> tasker"}), 200
-
-        # Block any other change (tasker->customer or any flip)
-        return jsonify({
-            "error": "Role change blocked",
-            "reason": "Role flipping is not allowed.",
-            "currentRole": current_role,
-            "requestedRole": requested_role
-        }), 409
-
-    except Exception as e:
-        logger.error(f"[SET ROLE] failed: {e}")
-        logger.error(traceback.format_exc())
-        return jsonify({"error": "Internal server error"}), 500
-
-@app.route("/api/user/profile", methods=["GET"])
-def get_user_profile():
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Invalid or expired token"}), 401
-
-    # ---- NEW: auto-bootstrap profile so profile fetch never mysteriously 404s
-    try:
-        user_data = get_or_create_profile(uid)
-        return jsonify({"uid": uid, **user_data}), 200
-    except Exception as e:
-        logger.error(f"get_user_profile failed: {e}")
-        return jsonify({"error": "Failed to load profile"}), 500
-
-
-@app.route("/api/user/profile", methods=["PUT"])
-def update_user_profile():
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Invalid or expired token"}), 401
-
-    # ---- NEW: ensure profile exists before update
-    try:
-        _ = get_or_create_profile(uid)
-    except Exception as e:
-        logger.error(f"update_user_profile bootstrap failed: {e}")
-        return jsonify({"error": "Failed to bootstrap profile"}), 500
-
-    data = request.get_json() or {}
-    allowed = {}
-
-    # Common fields
-    for key in ["displayName", "phone", "city"]:
-        if key in data:
-            allowed[key] = data.get(key)
-
-    # Role-specific (tasker)
-    for key in ["skills", "categories", "bio", "serviceRadiusKm", "baseRate", "profilePhotoUrl", "availability"]:
-        if key in data:
-            allowed[key] = data.get(key)
-
-    # ---- NEW: allow role updates ONLY if explicitly permitted (optional safeguard)
-    # If you don't want clients to ever change role, leave this out entirely.
-    # if "role" in data:
-    #     return jsonify({"error": "Role cannot be updated from client"}), 400
-
-    if not allowed:
-        return jsonify({"error": "No valid fields provided"}), 400
-
-    try:
-        # If displayName changes, also update Auth profile
-        if "displayName" in allowed and allowed["displayName"]:
-            auth.update_user(uid, display_name=str(allowed["displayName"]))
-
-        db_ref.child(f"users/{uid}").update(allowed)
-        return jsonify({"success": True, "updated": allowed}), 200
-    except Exception as e:
-        logger.error(f"update_user_profile failed: {e}")
-        return jsonify({"error": f"Failed to update profile: {str(e)}"}), 500
-
-# -----------------------------------------------------------------------------
-# 5. AI (CUSTOMER) — SMART CAPTURE (MVP Critical)
-# -----------------------------------------------------------------------------
-
-@app.route("/api/ai/smart-capture", methods=["POST"])
-def smart_capture():
-    """
-    Customer uploads image (or video thumbnail) + optional context text.
-    Server sends to Gemini Vision and returns structured output for prefill:
-      - category
-      - problemSummary
-      - difficulty
-      - timeEstimate
-      - priceBand
-      - suggestedMaterials[]
-      - suggestedTitle
-      - suggestedDescription
-      - suggestedBudgetRange
-    """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        # Accept multipart like SozoFix
-        if "image" not in request.files:
-            return jsonify({"error": "Image file is required (field name: image)"}), 400
-
-        image_file = request.files["image"]
-        context_text = request.form.get("contextText", "") or ""
-
-        image_bytes = image_file.read()
-        pil_image = Image.open(io.BytesIO(image_bytes)).convert("RGB")
-
-        prompt = f"""
-You are One Plus Smart Capture (task diagnosis).
-Analyze the image + optional context and return ONLY valid JSON.
-
-Context (may be empty): "{context_text}"
-
-Return this schema:
-{{
-  "category": "plumbing|electrical|cleaning|moving|handyman|painting|gardening|appliance_repair|other",
-  "problemSummary": "plain language summary (1-2 sentences)",
-  "difficulty": "easy|moderate|complex",
-  "timeEstimate": "e.g. 30-60 minutes, 1-2 hours, 1 day",
-  "priceBand": "low|medium|high",
-  "suggestedBudgetRange": "e.g. $20-$40 (rough)",
-  "suggestedMaterials": ["..."],
-  "suggestedTitle": "short task title",
-  "suggestedDescription": "professional task description, include key constraints + what to check"
-}}
-
-Rules:
-- Be realistic and safe.
-- If unsure, pick "other" category and state uncertainty in problemSummary.
-- Output must be JSON only (no markdown).
-"""
-        raw = send_text_request(VISION_MODEL, prompt, pil_image)
-        result = extract_json_from_text(raw)
-
-        if not result:
-            logger.error(f"[SMART CAPTURE] Could not parse JSON. Raw: {raw}")
-            return jsonify({"error": "AI response format error"}), 500
-
-        # minimal cleanup defaults
-        result["category"] = (result.get("category") or "other").strip()
-        result["difficulty"] = (result.get("difficulty") or "moderate").strip()
-        result["priceBand"] = (result.get("priceBand") or "medium").strip()
-        if not isinstance(result.get("suggestedMaterials"), list):
-            result["suggestedMaterials"] = []
-
-        # Store last smart capture on user (handy for UI)
-        db_ref.child(f"users/{uid}/lastSmartCapture").set({
-            "createdAt": now_iso(),
-            "contextText": context_text,
-            "result": result
-        })
-
-        return jsonify({"success": True, "smartCapture": result}), 200
+    }
+    ref.set(data)
+    return data
+
+def update_profile(profile_id: str, patch: Dict[str, Any]) -> None:
+    patch = dict(patch or {})
+    patch["updated_at"] = now_utc_iso()
+    profile_ref(profile_id).set(patch, merge=True)
+
+def log_chat(profile_id: str, payload: Dict[str, Any]) -> None:
+    db.collection("pricelyst_profiles").document(profile_id).collection("chat_logs").add({
+        **payload,
+        "ts": now_utc_iso()
+    })
 
-    except Exception as e:
-        logger.error(f"[SMART CAPTURE] Error: {e}")
-        logger.error(traceback.format_exc())
-        return jsonify({"error": "Internal server error"}), 500
+def log_call(profile_id: str, payload: Dict[str, Any]) -> str:
+    doc_ref = db.collection("pricelyst_profiles").document(profile_id).collection("call_logs").document()
+    doc_ref.set({
+        **payload,
+        "ts": now_utc_iso()
+    })
+    return doc_ref.id
 
-@app.route("/api/ai/improve-description", methods=["POST"])
-def improve_description():
+# =========================
+# Multimodal image handling
+# =========================
+def parse_images(images: List[str]) -> List[Dict[str, Any]]:
     """
-    MVP nice-to-have:
-    User provides a short/vague description; AI rewrites professionally and adds questions.
+    Accepts:
+      - data URLs: data:image/png;base64,....
+      - raw base64 strings
+      - http(s) URLs
+    Returns: list of { "mime": "...", "bytes": b"..." } or { "url": "..." }
     """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    data = request.get_json() or {}
-    short_desc = (data.get("text") or "").strip()
-    category = (data.get("category") or "other").strip()
-
-    if len(short_desc) < 3:
-        return jsonify({"error": "text is required"}), 400
-
-    prompt = f"""
-Rewrite this task description professionally for a services marketplace.
-Category: {category}
-
-User text:
-"{short_desc}"
-
-Return ONLY JSON:
-{{
-  "suggestedTitle": "...",
-  "suggestedDescription": "...",
-  "questionsForTasker": ["...", "...", "..."]
-}}
-JSON only, no markdown.
-"""
-    raw = send_text_request(TEXT_MODEL, prompt, None)
-    result = extract_json_from_text(raw)
-    if not result:
-        return jsonify({"error": "AI response format error"}), 500
-    if not isinstance(result.get("questionsForTasker"), list):
-        result["questionsForTasker"] = []
-    return jsonify({"success": True, "result": result}), 200
-
-# -----------------------------------------------------------------------------
-# 6. TASKS (CUSTOMER POSTS, TASKER BROWSES) + MEDIA UPLOAD (MVP)
-# -----------------------------------------------------------------------------
-
-@app.route("/api/tasks", methods=["POST"])
-def create_task():
-    """
-    Customer creates a task.
-    Upload media like SozoFix:
-      - multipart/form-data
-      - fields: category, title, description, city, address(optional), budget, scheduleAt(optional ISO), contextText(optional)
-      - file fields: media (can send multiple) OR image (single)
-    """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        # ---- NEW: Always ensure RTDB profile exists (prevents 403 due to missing /users/{uid})
-        profile = get_or_create_profile(uid)
-
-        # ---- NEW: role gate with explicit, debuggable response
-        role = (profile.get("role") or "").lower().strip()
-        if role not in ["customer", "admin"]:
-            return jsonify({
-                "error": "Forbidden",
-                "reason": f"Role '{role}' not allowed to create tasks. Must be customer (or admin).",
-                "uid": uid
-            }), 403
-
-        # ---- NEW: helpful logs for production debugging
-        logger.info(f"[CREATE TASK] uid={uid} role={role} email={profile.get('email')}")
-
-        # multipart
-        category = request.form.get("category", "").strip()
-        title = request.form.get("title", "").strip()
-        description = request.form.get("description", "").strip()
-        city = request.form.get("city", "").strip()
-        address = request.form.get("address", "").strip()
-        budget = request.form.get("budget", "").strip()
-        schedule_at = request.form.get("scheduleAt", "").strip()  # ISO string from UI
-        smart_capture_json = request.form.get("smartCapture", "").strip()  # optional JSON string from UI
-
-        if not category or not city or not description:
-            return jsonify({"error": "category, city, and description are required"}), 400
-
-        task_id = str(uuid.uuid4())
-        created_at = now_iso()
-
-        # Upload media (media[] or image)
-        media_urls = []
-        files = []
-
-        if "media" in request.files:
-            files = request.files.getlist("media")
-        elif "image" in request.files:
-            files = [request.files["image"]]
-
-        for i, f in enumerate(files):
-            data_bytes = f.read()
-            if not data_bytes:
-                continue
-            ext = (f.mimetype or "application/octet-stream").split("/")[-1]
-            path = f"tasks/{task_id}/media/{i+1}_{int(time.time())}.{ext}"
-            url = upload_to_storage(data_bytes, path, f.mimetype or "application/octet-stream")
-            media_urls.append(url)
-
-        # optional smartCapture object
-        smart_capture = None
-        if smart_capture_json:
+    out = []
+    for item in images or []:
+        if not item:
+            continue
+        item = item.strip()
+
+        # URL
+        if item.startswith("http://") or item.startswith("https://"):
+            out.append({"url": item})
+            continue
+
+        # data URL
+        m = re.match(r"^data:(image\/[a-zA-Z0-9.+-]+);base64,(.+)$", item)
+        if m:
+            mime = m.group(1)
+            b64 = m.group(2)
             try:
-                smart_capture = json.loads(smart_capture_json)
+                out.append({"mime": mime, "bytes": base64.b64decode(b64)})
             except Exception:
-                smart_capture = None
-
-        task_payload = {
-            "taskId": task_id,
-            "createdBy": uid,
-            "createdByName": profile.get("displayName") or "",
-            "createdAt": created_at,
-
-            "category": category,
-            "title": title or (smart_capture or {}).get("suggestedTitle") or "Task Request",
-            "description": description or (smart_capture or {}).get("suggestedDescription") or "",
-            "city": city,
-            "address": address,
-
-            "budget": budget,            # keep as string to avoid currency assumptions
-            "scheduleAt": schedule_at,   # ISO string
-            "mediaUrls": media_urls,
-
-            "smartCapture": smart_capture or {},
-            "status": "open",
-
-            "assignedTaskerId": "",
-            "selectedBidId": "",
-            "completedAt": "",
-            "cancelledAt": ""
-        }
-
-        db_ref.child(f"tasks/{task_id}").set(task_payload)
-
-        # Notify taskers (basic broadcast by category + city)
-        notify_taskers_for_new_task(task_payload)
-
-        return jsonify({"success": True, "task": task_payload}), 201
-
-    except PermissionError as e:
-        # Keep PermissionError mapping, but now it will be far more informative when it happens
-        return jsonify({"error": "Forbidden", "reason": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[CREATE TASK] Error: {e}")
-        logger.error(traceback.format_exc())
-        return jsonify({"error": "Internal server error"}), 500
-
-def notify_taskers_for_new_task(task: dict):
+                continue
+            continue
+
+        # raw base64
+        try:
+            out.append({"mime": "image/png", "bytes": base64.b64decode(item)})
+        except Exception:
+            continue
+
+    return out
+
+# =========================
+# Product fetching + offers DF
+# =========================
+def fetch_products_page(page: int, per_page: int = 50) -> Dict[str, Any]:
+    url = f"{PRICE_API_BASE}/api/v1/products"
+    params = {"page": page, "perPage": per_page}
+    r = requests.get(url, params=params, timeout=HTTP_TIMEOUT)
+    r.raise_for_status()
+    return r.json()
+
+def fetch_products(max_pages: int = 6, per_page: int = 50) -> List[Dict[str, Any]]:
     """
-    MVP matching:
-    - loop through users with role=tasker
-    - match category overlap + city match (or empty city)
-    - push in-app notification
+    Pull a reasonable slice (you can increase pages later).
+    API shape (common): {status, message, data, totalItemCount, currentPage, totalPages}
     """
-    try:
-        users = db_ref.child("users").get() or {}
-        tcat = normalize_text(task.get("category"))
-        tcity = normalize_text(task.get("city"))
-
-        for tasker_id, u in users.items():
-            if (u.get("role") or "").lower().strip() != "tasker":
-                continue
-
-            # City match: if tasker has city set, match it; else allow.
-            ucity = normalize_text(u.get("city"))
-            if ucity and tcity and ucity != tcity:
-                continue
-
-            # Category match: if tasker categories list exists, try overlap; else allow.
-            cats = u.get("categories") or []
-            if isinstance(cats, str):
-                cats = [c.strip() for c in cats.split(",") if c.strip()]
-
-            if cats:
-                ok = any(normalize_text(c) == tcat for c in cats)
-                if not ok:
-                    continue
-
-            push_notification(
-                to_uid=tasker_id,
-                notif_type="new_task",
-                title="New task in your area",
-                body=f"{task.get('category')} • {task.get('city')}",
-                meta={"taskId": task.get("taskId")}
-            )
-    except Exception as e:
-        logger.warning(f"[NOTIFY TASKERS] Failed: {e}")
-
-@app.route("/api/tasks", methods=["GET"])
-def list_tasks():
+    products: List[Dict[str, Any]] = []
+    for p in range(1, max_pages + 1):
+        payload = fetch_products_page(p, per_page=per_page)
+        data = payload.get("data") or []
+        if isinstance(data, list):
+            products.extend(data)
+        total_pages = payload.get("totalPages")
+        if isinstance(total_pages, int) and p >= total_pages:
+            break
+        if not data:
+            break
+    return products
+
+def products_to_offers_df(products: List[Dict[str, Any]]) -> pd.DataFrame:
     """
-    Role-aware list:
-    - customer: list my tasks
-    - tasker: list open/bidding tasks (with filters)
-    - admin: list all tasks (optional filters)
-    Query params:
-      status, category, city, mine=true
+    Each row = one product + one retailer offer.
+    Your product object can include `prices[]` with nested `retailer`.
     """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        user = db_ref.child(f"users/{uid}").get() or {}
-        role = (user.get("role") or "customer").lower().strip()
-
-        status_f = (request.args.get("status") or "").strip()
-        category_f = (request.args.get("category") or "").strip()
-        city_f = (request.args.get("city") or "").strip()
-        mine = (request.args.get("mine") or "").lower().strip() == "true"
-
-        tasks = db_ref.child("tasks").get() or {}
-        out = []
-
-        for t in tasks.values():
-            if not t:
+    rows = []
+    for p in products or []:
+        try:
+            product_id = p.get("id")
+            name = p.get("name") or ""
+            clean_name = _norm_str(name)
+
+            brand_name = ((p.get("brand") or {}).get("brand_name")) if isinstance(p.get("brand"), dict) else None
+            categories = p.get("categories") or []
+            cat_names = []
+            for c in categories:
+                if isinstance(c, dict) and c.get("name"):
+                    cat_names.append(c.get("name"))
+            primary_category = cat_names[0] if cat_names else None
+
+            stock_status = p.get("stock_status")
+            on_promo = bool(p.get("on_promotion"))
+            promo_badge = p.get("promo_badge")
+            promo_name = p.get("promo_name")
+            promo_price = _coerce_float(p.get("promo_price"))
+            original_price = _coerce_float(p.get("original_price"))
+
+            recommended_price = _coerce_float(p.get("recommended_price"))
+            base_price = _coerce_float(p.get("price"))
+            bulk_price = _coerce_float(p.get("bulk_price"))
+            bulk_unit = p.get("bulk_unit")
+
+            image = p.get("image")
+            thumb = p.get("thumbnail")
+
+            offers = p.get("prices") or []
+            if not offers:
+                rows.append({
+                    "product_id": product_id,
+                    "product_name": name,
+                    "clean_name": clean_name,
+                    "brand_name": brand_name,
+                    "primary_category": primary_category,
+                    "categories": cat_names,
+                    "stock_status": stock_status,
+                    "on_promotion": on_promo,
+                    "promo_badge": promo_badge,
+                    "promo_name": promo_name,
+                    "promo_price": promo_price,
+                    "original_price": original_price,
+                    "recommended_price": recommended_price,
+                    "base_price": base_price,
+                    "bulk_price": bulk_price,
+                    "bulk_unit": bulk_unit,
+                    "image": image,
+                    "thumbnail": thumb,
+                    "retailer_id": None,
+                    "retailer_name": None,
+                    "retailer_type": None,
+                    "retailer_logo": None,
+                    "offer_price": None,
+                })
                 continue
 
-            # role gating
-            if role == "customer":
-                if t.get("createdBy") != uid:
+            for offer in offers:
+                if not isinstance(offer, dict):
                     continue
-
-            elif role == "tasker":
-                # default: show open/bidding, or mine jobs if mine=true
-                if mine:
-                    if t.get("assignedTaskerId") != uid:
-                        continue
-                else:
-                    if t.get("status") not in ["open", "bidding"]:
-                        continue
-
-            # admin sees all
-
-            # filters
-            if status_f and t.get("status") != status_f:
-                continue
-            if category_f and normalize_text(t.get("category")) != normalize_text(category_f):
-                continue
-            if city_f and normalize_text(t.get("city")) != normalize_text(city_f):
-                continue
-
-            out.append(t)
-
-        # sort newest first
-        out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
-        return jsonify(out), 200
-
-    except Exception as e:
-        logger.error(f"[LIST TASKS] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
-
-@app.route("/api/tasks/<string:task_id>", methods=["GET"])
-def get_task(task_id):
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
+                retailer = offer.get("retailer") or {}
+                rows.append({
+                    "product_id": product_id,
+                    "product_name": name,
+                    "clean_name": clean_name,
+                    "brand_name": brand_name,
+                    "primary_category": primary_category,
+                    "categories": cat_names,
+                    "stock_status": stock_status,
+                    "on_promotion": on_promo,
+                    "promo_badge": promo_badge,
+                    "promo_name": promo_name,
+                    "promo_price": promo_price,
+                    "original_price": original_price,
+                    "recommended_price": recommended_price,
+                    "base_price": base_price,
+                    "bulk_price": bulk_price,
+                    "bulk_unit": bulk_unit,
+                    "image": image,
+                    "thumbnail": thumb,
+                    "retailer_id": offer.get("retailer_id") or retailer.get("id"),
+                    "retailer_name": (retailer.get("name") if isinstance(retailer, dict) else None),
+                    "retailer_type": (retailer.get("type") if isinstance(retailer, dict) else None),
+                    "retailer_logo": (retailer.get("logo") if isinstance(retailer, dict) else None),
+                    "offer_price": _coerce_float(offer.get("price")),
+                })
+        except Exception:
+            continue
+
+    df = pd.DataFrame(rows)
+    if df.empty:
+        return df
+
+    df["offer_price"] = df["offer_price"].apply(_coerce_float)
+    df["clean_name"] = df["clean_name"].fillna("").astype(str)
+    df["product_name"] = df["product_name"].fillna("").astype(str)
+    df["retailer_name"] = df["retailer_name"].fillna("").astype(str)
+    return df
+
+def get_offers_df(force_refresh: bool = False) -> pd.DataFrame:
+    ts = _product_cache["ts"]
+    if (not force_refresh) and (time.time() - ts < PRODUCT_CACHE_TTL_SEC) and isinstance(_product_cache["df_offers"], pd.DataFrame) and not _product_cache["df_offers"].empty:
+        return _product_cache["df_offers"]
 
     try:
-        user = db_ref.child(f"users/{uid}").get() or {}
-        role = (user.get("role") or "customer").lower().strip()
-
-        task = db_ref.child(f"tasks/{task_id}").get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        if not task_access_check(uid, task, role):
-            return jsonify({"error": "Access denied"}), 403
-
-        # attach bids count (cheap)
-        bids = db_ref.child(f"bids/{task_id}").get() or {}
-        task["bidsCount"] = len(bids)
-
-        return jsonify(task), 200
-
-    except Exception as e:
-        logger.error(f"[GET TASK] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
-
-@app.route("/api/tasks/<string:task_id>", methods=["PUT"])
-def update_task(task_id):
-    """
-    Customer can edit task only if not assigned/in_progress/completed.
-    """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        user = require_role(uid, ["customer", "admin"])
-        task_ref = db_ref.child(f"tasks/{task_id}")
-        task = task_ref.get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        if user.get("role") != "admin" and task.get("createdBy") != uid:
-            return jsonify({"error": "Access denied"}), 403
-
-        if task.get("status") not in ["open", "bidding"]:
-            return jsonify({"error": "Task cannot be edited at this stage"}), 400
-
-        data = request.get_json() or {}
-        allowed = {}
-        for key in ["category", "title", "description", "city", "address", "budget", "scheduleAt"]:
-            if key in data:
-                allowed[key] = data.get(key)
-
-        if not allowed:
-            return jsonify({"error": "No valid fields provided"}), 400
-
-        allowed["updatedAt"] = now_iso()
-        task_ref.update(allowed)
-
-        return jsonify({"success": True, "updated": allowed, "task": task_ref.get()}), 200
-
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
+        products = fetch_products(max_pages=8, per_page=50)
+        df = products_to_offers_df(products)
+        _product_cache["ts"] = time.time()
+        _product_cache["df_offers"] = df
+        _product_cache["raw_count"] = len(products)
+        logger.info("Loaded offers DF: products=%s offers_rows=%s", len(products), len(df))
+        return df
     except Exception as e:
-        logger.error(f"[UPDATE TASK] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
-
-@app.route("/api/tasks/<string:task_id>/status", methods=["PUT"])
-def update_task_status(task_id):
-    """
-    Status transitions (MVP):
-      customer: cancel, mark_completed
-      tasker: on_the_way, in_progress, mark_completed (if assigned)
-      admin: any
-    """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
+        logger.error("Failed to refresh product cache: %s", e)
+        # fallback: return old cache (even if stale)
+        if isinstance(_product_cache["df_offers"], pd.DataFrame):
+            return _product_cache["df_offers"]
+        return pd.DataFrame()
+
+# =========================
+# Gemini wrappers
+# =========================
+def gemini_generate_text(system: str, user: str, temperature: float = 0.4) -> str:
+    if not _gemini_client:
+        return ""
     try:
-        user = db_ref.child(f"users/{uid}").get() or {}
-        role = (user.get("role") or "customer").lower().strip()
-
-        task_ref = db_ref.child(f"tasks/{task_id}")
-        task = task_ref.get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        data = request.get_json() or {}
-        new_status = (data.get("status") or "").strip()
-
-        if not new_status:
-            return jsonify({"error": "status is required"}), 400
-
-        # Admin override
-        if role == "admin":
-            task_ref.update({"status": new_status, "updatedAt": now_iso()})
-            return jsonify({"success": True, "task": task_ref.get()}), 200
-
-        # Customer rules
-        if role == "customer":
-            if task.get("createdBy") != uid:
-                return jsonify({"error": "Access denied"}), 403
-
-            if new_status == "cancelled":
-                if task.get("status") in ["completed", "cancelled"]:
-                    return jsonify({"error": "Task already closed"}), 400
-                task_ref.update({"status": "cancelled", "cancelledAt": now_iso()})
-                # notify assigned tasker (if any)
-                if task.get("assignedTaskerId"):
-                    push_notification(task["assignedTaskerId"], "task_cancelled", "Task cancelled", "Customer cancelled the task.", {"taskId": task_id})
-                return jsonify({"success": True, "task": task_ref.get()}), 200
-
-            if new_status == "completed":
-                # allow completion only if was assigned/in_progress
-                if task.get("status") not in ["assigned", "in_progress"]:
-                    return jsonify({"error": "Task not in a completable state"}), 400
-                task_ref.update({"status": "completed", "completedAt": now_iso()})
-                if task.get("assignedTaskerId"):
-                    push_notification(task["assignedTaskerId"], "task_completed", "Task marked complete", "Customer marked the task completed.", {"taskId": task_id})
-                return jsonify({"success": True, "task": task_ref.get()}), 200
-
-            return jsonify({"error": "Invalid customer status update"}), 400
-
-        # Tasker rules
-        if role == "tasker":
-            if task.get("assignedTaskerId") != uid:
-                return jsonify({"error": "Only assigned tasker can update status"}), 403
-
-            if new_status not in ["on_the_way", "in_progress", "completed"]:
-                return jsonify({"error": "Invalid tasker status update"}), 400
-
-            # map on_the_way as in_progress-ish, but keep it if you want
-            task_ref.update({"status": new_status, "updatedAt": now_iso()})
-
-            # notify customer
-            push_notification(task["createdBy"], "task_update", "Task update", f"Task status: {new_status}", {"taskId": task_id})
-            return jsonify({"success": True, "task": task_ref.get()}), 200
-
-        return jsonify({"error": "Role not supported"}), 400
-
+        resp = _gemini_client.models.generate_content(
+            model=GEMINI_MODEL,
+            contents=[
+                {"role": "user", "parts": [{"text": system.strip() + "\n\n" + user.strip()}]}
+            ],
+            config={
+                "temperature": temperature,
+                "max_output_tokens": 900,
+            }
+        )
+        return (resp.text or "").strip()
     except Exception as e:
-        logger.error(f"[TASK STATUS] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+        logger.error("Gemini text error: %s", e)
+        return ""
 
-@app.route("/api/tasks/<string:task_id>", methods=["DELETE"])
-def delete_task(task_id):
+def gemini_generate_multimodal(system: str, user: str, images: List[Dict[str, Any]]) -> str:
     """
-    Customer can delete only if open/bidding and no assignment.
-    Also removes task media folder.
+    Uses Gemini multimodal:
+      - if we have bytes -> inline_data
+      - if we have url -> just paste the URL (server-side fetch is unreliable w/o whitelisting),
+        so we prefer bytes from the client.
     """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
+    if not _gemini_client:
+        return ""
+
+    parts: List[Dict[str, Any]] = [{"text": system.strip() + "\n\n" + user.strip()}]
+
+    for img in images or []:
+        if "bytes" in img and img.get("mime"):
+            b64 = base64.b64encode(img["bytes"]).decode("utf-8")
+            parts.append({
+                "inline_data": {
+                    "mime_type": img["mime"],
+                    "data": b64
+                }
+            })
+        elif img.get("url"):
+            # last resort
+            parts.append({"text": f"[IMAGE_URL]\n{img['url']}"})
 
     try:
-        user = require_role(uid, ["customer", "admin"])
-        role = (user.get("role") or "customer").lower().strip()
-
-        task_ref = db_ref.child(f"tasks/{task_id}")
-        task = task_ref.get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        if role != "admin" and task.get("createdBy") != uid:
-            return jsonify({"error": "Access denied"}), 403
-
-        if role != "admin" and task.get("status") not in ["open", "bidding"]:
-            return jsonify({"error": "Task cannot be deleted at this stage"}), 400
-
-        # delete RTDB nodes
-        task_ref.delete()
-        db_ref.child(f"bids/{task_id}").delete()
-        db_ref.child(f"chats/{task_id}").delete()
-        db_ref.child(f"reviews/{task_id}").delete()
-
-        # delete storage media
-        for blob in bucket.list_blobs(prefix=f"tasks/{task_id}/"):
-            try:
-                blob.delete()
-            except Exception:
-                pass
-
-        return jsonify({"success": True, "message": f"Task {task_id} deleted"}), 200
-
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
+        resp = _gemini_client.models.generate_content(
+            model=GEMINI_MODEL,
+            contents=[{"role": "user", "parts": parts}],
+            config={
+                "temperature": 0.2,
+                "max_output_tokens": 900,
+            }
+        )
+        return (resp.text or "").strip()
     except Exception as e:
-        logger.error(f"[DELETE TASK] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+        logger.error("Gemini multimodal error: %s", e)
+        return ""
+
+# =========================
+# Intent + actionability
+# =========================
+INTENT_SYSTEM = """
+You are Pricelyst AI. Your job: understand whether the user is asking for actionable shopping help.
+Return STRICT JSON only.
+
+Output schema:
+{
+  "actionable": true|false,
+  "intent": one of [
+    "store_recommendation",
+    "price_lookup",
+    "price_compare",
+    "basket_optimize",
+    "basket_build",
+    "product_discovery",
+    "trust_check",
+    "chit_chat",
+    "other"
+  ],
+  "items": [{"name": "...", "quantity": 1}],
+  "constraints": {"budget": number|null, "location": "... "|null, "time_context": "mid-month|month-end|weekend|today|unknown"},
+  "notes": "short reasoning"
+}
 
-# -----------------------------------------------------------------------------
-# 7. BIDDING (TASKERS SUBMIT OFFERS) (MVP)
-# -----------------------------------------------------------------------------
+Rules:
+- If user is chatting/social (hi, jokes, thanks, how are you, etc) => actionable=false, intent="chit_chat".
+- If user asks about prices/stores/basket/what to buy => actionable=true.
+- If user provided a list, extract items + quantities if obvious.
+- Keep it conservative: if unclear, actionable=false.
+"""
 
-@app.route("/api/tasks/<string:task_id>/bids", methods=["POST"])
-def submit_bid(task_id):
+def detect_intent(message: str, images_present: bool, context: Dict[str, Any]) -> Dict[str, Any]:
+    ctx_str = json.dumps(context or {}, ensure_ascii=False)
+    user = f"Message: {message}\nImagesPresent: {images_present}\nContext: {ctx_str}"
+    out = gemini_generate_text(INTENT_SYSTEM, user, temperature=0.1)
+    data = _safe_json_loads(out, fallback={})
+    if not isinstance(data, dict):
+        return {"actionable": False, "intent": "other", "items": [], "constraints": {}, "notes": "bad_json"}
+    # normalize
+    data.setdefault("actionable", False)
+    data.setdefault("intent", "other")
+    data.setdefault("items", [])
+    data.setdefault("constraints", {})
+    return data
+
+# =========================
+# Matching + analytics
+# =========================
+def search_products(df: pd.DataFrame, query: str, limit: int = 10) -> pd.DataFrame:
     """
-    Tasker submits bid: price + timeline + message.
-    Stored under /bids/{taskId}/{bidId}
+    Simple search: contains on clean_name + fallback token overlap scoring.
     """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        require_role(uid, ["tasker", "admin"])
-
-        task = db_ref.child(f"tasks/{task_id}").get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        if task.get("status") not in ["open", "bidding"]:
-            return jsonify({"error": "Task not open for bids"}), 400
-
-        data = request.get_json() or {}
-        price = (data.get("price") or "").strip()
-        timeline = (data.get("timeline") or "").strip()
-        message = (data.get("message") or "").strip()
-
-        if not price or not timeline:
-            return jsonify({"error": "price and timeline are required"}), 400
-
-        bid_id = str(uuid.uuid4())
-        bid = {
-            "bidId": bid_id,
-            "taskId": task_id,
-            "taskerId": uid,
-            "price": price,
-            "timeline": timeline,
-            "message": message,
-            "status": "submitted",
-            "createdAt": now_iso()
-        }
-        db_ref.child(f"bids/{task_id}/{bid_id}").set(bid)
-
-        # flip task to bidding
-        if task.get("status") == "open":
-            db_ref.child(f"tasks/{task_id}").update({"status": "bidding", "updatedAt": now_iso()})
-
-        # notify customer
-        push_notification(
-            to_uid=task["createdBy"],
-            notif_type="new_bid",
-            title="New bid received",
-            body=f"A tasker submitted a bid for {task.get('category')}",
-            meta={"taskId": task_id, "bidId": bid_id}
-        )
-
-        return jsonify({"success": True, "bid": bid}), 201
-
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[SUBMIT BID] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
-
-@app.route("/api/tasks/<string:task_id>/bids", methods=["GET"])
-def list_bids(task_id):
+    if df.empty:
+        return df
+
+    q = _norm_str(query)
+    if not q:
+        return df.head(0)
+
+    # direct contains
+    hit = df[df["clean_name"].str.contains(re.escape(q), na=False)]
+    if len(hit) >= limit:
+        return hit.head(limit)
+
+    # token overlap (cheap scoring)
+    q_tokens = set(q.split())
+    if not q_tokens:
+        return hit.head(limit)
+
+    tmp = df.copy()
+    tmp["score"] = tmp["clean_name"].apply(lambda s: len(q_tokens.intersection(set(str(s).split()))))
+    tmp = tmp[tmp["score"] > 0].sort_values(["score"], ascending=False)
+    combined = pd.concat([hit, tmp], axis=0).drop_duplicates(subset=["product_id", "retailer_id"])
+    return combined.head(limit)
+
+def summarize_offers(df_hits: pd.DataFrame) -> Dict[str, Any]:
     """
-    Customer: can see bids for own task
-    Tasker: can see bids if they bid
-    Admin: all
+    For one product name, there can be multiple retailers (offers).
+    We return:
+      - cheapest offer
+      - price range
+      - top offers
     """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        user = db_ref.child(f"users/{uid}").get() or {}
-        role = (user.get("role") or "customer").lower().strip()
-
-        task = db_ref.child(f"tasks/{task_id}").get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        bids = db_ref.child(f"bids/{task_id}").get() or {}
-        out = list(bids.values())
-
-        if role == "admin":
-            out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
-            return jsonify(out), 200
-
-        if role == "customer":
-            if task.get("createdBy") != uid:
-                return jsonify({"error": "Access denied"}), 403
-            out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
-            return jsonify(out), 200
-
-        if role == "tasker":
-            # only show their own bids unless task assigned to them
-            if task.get("assignedTaskerId") == uid:
-                out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
-                return jsonify(out), 200
-            mine = [b for b in out if b.get("taskerId") == uid]
-            mine.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
-            return jsonify(mine), 200
+    if df_hits.empty:
+        return {}
+
+    # group by product_id (best is highest offer coverage)
+    grp = df_hits.groupby("product_id").size().sort_values(ascending=False)
+    best_pid = int(grp.index[0])
+    prod_rows = df_hits[df_hits["product_id"] == best_pid].copy()
+
+    prod_name = prod_rows["product_name"].iloc[0]
+    brand = prod_rows["brand_name"].iloc[0]
+    category = prod_rows["primary_category"].iloc[0]
+    stock = prod_rows["stock_status"].iloc[0]
+    on_promo = bool(prod_rows["on_promotion"].iloc[0])
+    promo_badge = prod_rows["promo_badge"].iloc[0]
+    image = prod_rows["thumbnail"].iloc[0] or prod_rows["image"].iloc[0]
+
+    offers = prod_rows[prod_rows["offer_price"].notna()].copy()
+    offers = offers.sort_values("offer_price", ascending=True)
+
+    if offers.empty:
+        return {
+            "product_id": best_pid,
+            "name": prod_name,
+            "brand": brand,
+            "category": category,
+            "stock_status": stock,
+            "on_promotion": on_promo,
+            "promo_badge": promo_badge,
+            "image": image,
+            "offers": [],
+            "cheapest": None,
+            "price_range": None,
+        }
 
-        return jsonify({"error": "Role not supported"}), 400
+    cheapest = {
+        "retailer": offers.iloc[0]["retailer_name"],
+        "price": float(offers.iloc[0]["offer_price"] or 0),
+        "retailer_logo": offers.iloc[0]["retailer_logo"],
+    }
+    lo = float(offers["offer_price"].min())
+    hi = float(offers["offer_price"].max())
+
+    top_offers = []
+    for _, r in offers.head(5).iterrows():
+        top_offers.append({
+            "retailer": r["retailer_name"],
+            "price": float(r["offer_price"]),
+            "retailer_logo": r["retailer_logo"],
+        })
 
-    except Exception as e:
-        logger.error(f"[LIST BIDS] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+    return {
+        "product_id": best_pid,
+        "name": prod_name,
+        "brand": brand,
+        "category": category,
+        "stock_status": stock,
+        "on_promotion": on_promo,
+        "promo_badge": promo_badge,
+        "image": image,
+        "offers": top_offers,
+        "cheapest": cheapest,
+        "price_range": {"min": lo, "max": hi, "spread": (hi - lo)},
+    }
 
-@app.route("/api/tasks/<string:task_id>/select-bid", methods=["PUT"])
-def select_bid(task_id):
+def basket_store_choice(df: pd.DataFrame, items: List[Dict[str, Any]]) -> Dict[str, Any]:
     """
-    Customer selects a bid:
-      - set task.assignedTaskerId
-      - set task.selectedBidId
-      - set task.status = assigned
-      - notify tasker + customer
+    Given items, pick:
+      - best single store to cover most items and minimize total
+    Very pragmatic MVP: for each item, match the best product and take cheapest offer.
     """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        require_role(uid, ["customer", "admin"])
-
-        task_ref = db_ref.child(f"tasks/{task_id}")
-        task = task_ref.get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        if task.get("createdBy") != uid and not (db_ref.child(f"users/{uid}").get() or {}).get("is_admin"):
-            return jsonify({"error": "Access denied"}), 403
-
-        data = request.get_json() or {}
-        bid_id = (data.get("bidId") or "").strip()
-        if not bid_id:
-            return jsonify({"error": "bidId is required"}), 400
-
-        bid = db_ref.child(f"bids/{task_id}/{bid_id}").get()
-        if not bid:
-            return jsonify({"error": "Bid not found"}), 404
-
-        tasker_id = bid.get("taskerId")
-        task_ref.update({
-            "assignedTaskerId": tasker_id,
-            "selectedBidId": bid_id,
-            "status": "assigned",
-            "updatedAt": now_iso()
+    if df.empty or not items:
+        return {"items": [], "best_store": None, "missing": []}
+
+    results = []
+    missing = []
+
+    for it in items:
+        name = it.get("name") or ""
+        qty = int(it.get("quantity") or 1)
+        hits = search_products(df, name, limit=50)
+        summary = summarize_offers(hits)
+        if not summary or not summary.get("cheapest"):
+            missing.append(name)
+            continue
+        cheapest = summary["cheapest"]
+        results.append({
+            "requested": name,
+            "matched_product": summary["name"],
+            "brand": summary.get("brand"),
+            "qty": qty,
+            "cheapest_retailer": cheapest["retailer"],
+            "unit_price": cheapest["price"],
+            "line_total": cheapest["price"] * qty,
+            "offers": summary.get("offers", []),
+            "image": summary.get("image"),
         })
 
-        # mark bid as accepted, others as rejected (MVP)
-        bids = db_ref.child(f"bids/{task_id}").get() or {}
-        for bkey, b in bids.items():
-            st = "accepted" if bkey == bid_id else "rejected"
-            db_ref.child(f"bids/{task_id}/{bkey}").update({"status": st})
-
-        # notify tasker
-        push_notification(
-            to_uid=tasker_id,
-            notif_type="bid_accepted",
-            title="Bid accepted 🎉",
-            body="Your bid was accepted. You’ve been assigned the job.",
-            meta={"taskId": task_id, "bidId": bid_id}
-        )
-
-        # notify customer
-        push_notification(
-            to_uid=task["createdBy"],
-            notif_type="task_assigned",
-            title="Task assigned",
-            body="You assigned the task to a tasker. You can now chat.",
-            meta={"taskId": task_id, "assignedTaskerId": tasker_id}
-        )
-
-        return jsonify({"success": True, "task": task_ref.get()}), 200
-
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[SELECT BID] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
-
-# -----------------------------------------------------------------------------
-# 8. CHAT (REAL-TIME DB STORED) (MVP)
-# -----------------------------------------------------------------------------
-
-@app.route("/api/chats/<string:task_id>/messages", methods=["GET"])
-def list_messages(task_id):
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        user = db_ref.child(f"users/{uid}").get() or {}
-        role = (user.get("role") or "customer").lower().strip()
-
-        task = db_ref.child(f"tasks/{task_id}").get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        if not task_access_check(uid, task, role):
-            return jsonify({"error": "Access denied"}), 403
-
-        msgs = db_ref.child(f"chats/{task_id}").get() or {}
-        out = list(msgs.values())
-        out.sort(key=lambda x: x.get("createdAt") or "", reverse=False)
-        return jsonify(out), 200
-
-    except Exception as e:
-        logger.error(f"[LIST MSGS] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+    if not results:
+        return {"items": [], "best_store": None, "missing": missing}
+
+    # compute totals by retailer for "all cheapest per item"
+    retailer_totals: Dict[str, float] = {}
+    retailer_counts: Dict[str, int] = {}
+    for r in results:
+        k = r["cheapest_retailer"]
+        retailer_totals[k] = retailer_totals.get(k, 0.0) + float(r["line_total"])
+        retailer_counts[k] = retailer_counts.get(k, 0) + 1
+
+    # Score: cover_count desc, then total asc
+    best = sorted(retailer_totals.keys(), key=lambda k: (-retailer_counts.get(k, 0), retailer_totals.get(k, 0.0)))[0]
+    return {
+        "items": results,
+        "best_store": {
+            "name": best,
+            "covered_items": retailer_counts.get(best, 0),
+            "total_for_covered_items": round(retailer_totals.get(best, 0.0), 2),
+            "total_items_requested": len(items),
+        },
+        "missing": missing
+    }
 
-@app.route("/api/chats/<string:task_id>/messages", methods=["POST"])
-def send_message(task_id):
+# =========================
+# Response rendering (informative)
+# =========================
+def render_price_answer(summary: Dict[str, Any]) -> Dict[str, Any]:
     """
-    Send message. Optional attachment upload (single file) via multipart:
-      - text in form field "text"
-      - file in field "file"
-    Or JSON body: {"text": "..."} for text-only
+    Returns structured payload for frontend to render nicely.
     """
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        user = db_ref.child(f"users/{uid}").get() or {}
-        role = (user.get("role") or "customer").lower().strip()
-
-        task = db_ref.child(f"tasks/{task_id}").get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
-
-        if not task_access_check(uid, task, role):
-            return jsonify({"error": "Access denied"}), 403
-
-        text = ""
-        attachment_url = ""
-        attachment_type = ""
-
-        if request.content_type and "multipart/form-data" in request.content_type:
-            text = (request.form.get("text") or "").strip()
-            if "file" in request.files:
-                f = request.files["file"]
-                b = f.read()
-                if b:
-                    ext = (f.mimetype or "application/octet-stream").split("/")[-1]
-                    path = f"tasks/{task_id}/chat/{uid}_{int(time.time())}.{ext}"
-                    attachment_url = upload_to_storage(b, path, f.mimetype or "application/octet-stream")
-                    attachment_type = f.mimetype or ""
-        else:
-            data = request.get_json() or {}
-            text = (data.get("text") or "").strip()
-
-        if not text and not attachment_url:
-            return jsonify({"error": "Message text or file is required"}), 400
-
-        msg_id = str(uuid.uuid4())
-        msg = {
-            "messageId": msg_id,
-            "taskId": task_id,
-            "senderId": uid,
-            "senderRole": role,
-            "text": text,
-            "attachmentUrl": attachment_url,
-            "attachmentType": attachment_type,
-            "createdAt": now_iso()
+    if not summary:
+        return {
+            "type": "not_found",
+            "title": "I couldn't find that product.",
+            "message": "Try a different wording (brand + size helps), or upload an image/receipt.",
         }
-        db_ref.child(f"chats/{task_id}/{msg_id}").set(msg)
-
-        # notify the other party
-        other_uid = None
-        if uid == task.get("createdBy"):
-            other_uid = task.get("assignedTaskerId") or None
-        else:
-            other_uid = task.get("createdBy")
-
-        if other_uid:
-            push_notification(
-                to_uid=other_uid,
-                notif_type="chat_message",
-                title="New message",
-                body="You have a new message on a task.",
-                meta={"taskId": task_id}
-            )
-
-        return jsonify({"success": True, "message": msg}), 201
-
-    except Exception as e:
-        logger.error(f"[SEND MSG] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
-
-# -----------------------------------------------------------------------------
-# 9. NOTIFICATIONS (IN-APP) (MVP)
-# -----------------------------------------------------------------------------
-
-@app.route("/api/notifications", methods=["GET"])
-def list_notifications():
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        notifs = db_ref.child(f"notifications/{uid}").get() or {}
-        out = list(notifs.values())
-        out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
-        return jsonify(out), 200
-    except Exception as e:
-        logger.error(f"[LIST NOTIFS] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
-
-@app.route("/api/notifications/<string:notif_id>/read", methods=["PUT"])
-def mark_notification_read(notif_id):
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
-
-    try:
-        ref = db_ref.child(f"notifications/{uid}/{notif_id}")
-        n = ref.get()
-        if not n:
-            return jsonify({"error": "Notification not found"}), 404
-        ref.update({"read": True, "readAt": now_iso()})
-        return jsonify({"success": True}), 200
-    except Exception as e:
-        logger.error(f"[READ NOTIF] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
 
-# -----------------------------------------------------------------------------
-# 10. REVIEWS (CUSTOMER RATES TASKER AFTER COMPLETION) (MVP)
-# -----------------------------------------------------------------------------
+    name = summary.get("name")
+    brand = summary.get("brand")
+    category = summary.get("category")
+    stock = summary.get("stock_status")
+    on_promo = summary.get("on_promotion")
+    promo_badge = summary.get("promo_badge")
+    image = summary.get("image")
+    cheapest = summary.get("cheapest")
+    pr = summary.get("price_range")
+
+    lines = []
+    if cheapest:
+        lines.append(f"Cheapest right now: {cheapest['retailer']} — ${cheapest['price']:.2f}")
+    if pr and pr.get("min") is not None and pr.get("max") is not None and pr["max"] != pr["min"]:
+        lines.append(f"Price range: ${pr['min']:.2f} → ${pr['max']:.2f} (spread ${pr['spread']:.2f})")
+    if on_promo:
+        lines.append(f"Promo: {promo_badge or 'On promotion'}")
+
+    return {
+        "type": "product_price",
+        "title": name,
+        "subtitle": " | ".join([x for x in [brand, category, stock] if x]),
+        "image": image,
+        "highlights": lines,
+        "offers": summary.get("offers", []),
+        "raw": summary,
+    }
 
-@app.route("/api/tasks/<string:task_id>/review", methods=["POST"])
-def leave_review(task_id):
-    uid = verify_token(request.headers.get("Authorization"))
-    if not uid:
-        return jsonify({"error": "Unauthorized"}), 401
+def render_basket_answer(basket: Dict[str, Any]) -> Dict[str, Any]:
+    if not basket.get("items"):
+        return {
+            "type": "basket_empty",
+            "title": "I couldn't build a basket from that.",
+            "message": "Send a clearer list (e.g., '2 bread, 1 cooking oil 2L') or upload a list/receipt photo."
+        }
 
-    try:
-        require_role(uid, ["customer", "admin"])
+    best = basket.get("best_store")
+    missing = basket.get("missing") or []
+    return {
+        "type": "basket_plan",
+        "title": "Basket plan",
+        "best_store": best,
+        "items": basket["items"],
+        "missing": missing,
+        "notes": "If you want, tell me your budget and I’ll suggest cheaper substitutes.",
+    }
 
-        task = db_ref.child(f"tasks/{task_id}").get()
-        if not task:
-            return jsonify({"error": "Task not found"}), 404
+# =========================
+# Multimodal extraction (lists / receipts)
+# =========================
+VISION_SYSTEM = """
+You are an expert shopping assistant. Extract actionable items and quantities from the user's image(s).
+Return STRICT JSON only.
 
-        if task.get("createdBy") != uid and not (db_ref.child(f"users/{uid}").get() or {}).get("is_admin"):
-            return jsonify({"error": "Access denied"}), 403
+Output schema:
+{
+  "actionable": true|false,
+  "items": [{"name":"...", "quantity": 1}],
+  "notes": "short"
+}
 
-        if task.get("status") != "completed":
-            return jsonify({"error": "Task must be completed before review"}), 400
+Rules:
+- If it looks like a handwritten shopping list, extract items.
+- If it looks like a receipt, extract the purchased items (best-effort).
+- If it’s random (selfie, meme, etc), actionable=false and items=[].
+- Keep it conservative: only include items you’re confident about.
+"""
 
-        assigned = task.get("assignedTaskerId")
-        if not assigned:
-            return jsonify({"error": "No assigned tasker to review"}), 400
+def extract_items_from_images(images: List[Dict[str, Any]]) -> Dict[str, Any]:
+    if not images:
+        return {"actionable": False, "items": [], "notes": "no_images"}
+    user = "Extract items from the images."
+    out = gemini_generate_multimodal(VISION_SYSTEM, user, images)
+    data = _safe_json_loads(out, fallback={})
+    if not isinstance(data, dict):
+        return {"actionable": False, "items": [], "notes": "bad_json"}
+    data.setdefault("actionable", False)
+    data.setdefault("items", [])
+    return data
+
+# =========================
+# Post-call report synthesis (only if actionable)
+# =========================
+CALL_REPORT_SYSTEM = """
+You are Pricelyst AI. You will receive a full call transcript.
+Decide whether there is an actionable request (party planning, shopping needs, budgeting, groceries, etc).
+If actionable, produce a concise MARKDOWN report that the client can turn into a PDF.
+If NOT actionable (just chatting), return an empty string.
 
-        data = request.get_json() or {}
-        rating = safe_int(data.get("rating"), None)
-        comment = (data.get("comment") or "").strip()
+Rules:
+- Be practical and Zimbabwe-oriented.
+- If planning an event: include (1) Assumptions, (2) Shopping list with quantities, (3) Budget ranges, (4) Simple menu/recipe ideas, (5) Optional restaurant/catering suggestions (generic; do NOT invent addresses).
+- Only output Markdown or empty string. No code blocks.
+"""
 
-        if rating is None or rating < 1 or rating > 5:
-            return jsonify({"error": "rating must be 1-5"}), 400
+def build_call_report_markdown(transcript: str) -> str:
+    if not transcript or len(transcript.strip()) < 40:
+        return ""
+    md = gemini_generate_text(CALL_REPORT_SYSTEM, transcript, temperature=0.3)
+    md = (md or "").strip()
+    # Guardrail: if model returns JSON or obvious nonsense, drop it.
+    if md.startswith("{") or md.startswith("["):
+        return ""
+    # Conservative: must contain at least one list bullet or heading to be “report-like”
+    if ("#" not in md) and ("- " not in md) and ("* " not in md):
+        return ""
+    return md
+
+# =========================
+# Routes
+# =========================
+@app.get("/health")
+def health():
+    return jsonify({
+        "ok": True,
+        "ts": now_utc_iso(),
+        "gemini": bool(_gemini_client),
+        "products_cached_rows": int(len(_product_cache["df_offers"])) if isinstance(_product_cache["df_offers"], pd.DataFrame) else 0,
+        "products_raw_count": int(_product_cache.get("raw_count", 0)),
+    })
 
-        review = {
-            "taskId": task_id,
-            "customerId": uid,
-            "taskerId": assigned,
-            "rating": rating,
-            "comment": comment,
-            "createdAt": now_iso()
+@app.post("/chat")
+def chat():
+    body = request.get_json(silent=True) or {}
+    profile_id = (body.get("profile_id") or "").strip()
+    if not profile_id:
+        return jsonify({"ok": False, "error": "profile_id is required"}), 400
+
+    message = (body.get("message") or "").strip()
+    username = body.get("username")
+    context = body.get("context") or {}
+    images_raw = body.get("images") or []
+    images = parse_images(images_raw)
+
+    prof = get_profile(profile_id)
+    if username and not prof.get("username"):
+        update_profile(profile_id, {"username": username})
+
+    # 1) If images: try extract items (shopping list / receipt)
+    extracted = {"actionable": False, "items": [], "notes": "skipped"}
+    if images:
+        extracted = extract_items_from_images(images)
+
+    # 2) Detect intent from message (+ image presence)
+    intent = detect_intent(message, images_present=bool(images), context=context)
+
+    # If image extraction got items, treat as actionable unless the message is clearly chit-chat
+    image_items = extracted.get("items") if isinstance(extracted, dict) else []
+    if image_items and isinstance(image_items, list) and intent.get("intent") != "chit_chat":
+        intent["actionable"] = True
+        intent["intent"] = "basket_build" if len(image_items) > 1 else "price_lookup"
+        intent["items"] = image_items
+
+    # 3) Graceful conversational fallback
+    if not intent.get("actionable"):
+        reply = {
+            "type": "chat",
+            "message": (
+                f"Hey{(' ' + (username or prof.get('username') or '')).strip()} 👋\n"
+                "If you want shopping help, ask me something like:\n"
+                "• “Where is cooking oil cheapest?”\n"
+                "• “Which store is best for my basket: rice, chicken, oil?”\n"
+                "• “Build me a budget basket under $20.”"
+            )
         }
-        db_ref.child(f"reviews/{task_id}").set(review)
-
-        push_notification(assigned, "review_received", "New review", "A customer left you a review.", {"taskId": task_id})
-        return jsonify({"success": True, "review": review}), 201
-
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[REVIEW] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
-
-# -----------------------------------------------------------------------------
-# 11. ADMIN (MVP OVERVIEW + MANAGEMENT)
-# -----------------------------------------------------------------------------
-
-@app.route("/api/admin/overview", methods=["GET"])
-def admin_overview():
-    try:
-        admin_uid = verify_admin(request.headers.get("Authorization"))
-
-        users = db_ref.child("users").get() or {}
-        tasks = db_ref.child("tasks").get() or {}
-        # lightweight counts only
-        total_users = len(users)
-        total_taskers = sum(1 for u in users.values() if (u.get("role") or "").lower().strip() == "tasker")
-        total_customers = sum(1 for u in users.values() if (u.get("role") or "").lower().strip() == "customer")
-
-        by_status = {}
-        for t in tasks.values():
-            s = t.get("status") or "unknown"
-            by_status[s] = by_status.get(s, 0) + 1
-
-        # bids count (shallow)
-        bids_root = db_ref.child("bids").get() or {}
-        total_bids = 0
-        for task_bids in bids_root.values():
-            if isinstance(task_bids, dict):
-                total_bids += len(task_bids)
-
-        return jsonify({
-            "uid": admin_uid,
-            "dashboardStats": {
-                "users": {
-                    "total": total_users,
-                    "customers": total_customers,
-                    "taskers": total_taskers
-                },
-                "tasks": {
-                    "total": len(tasks),
-                    "byStatus": by_status
-                },
-                "bids": {
-                    "total": total_bids
-                }
+        # log + counters
+        log_chat(profile_id, {"message": message, "intent": intent, "response_type": "chit_chat"})
+        update_profile(profile_id, {"counters": {"chats": int((prof.get("counters") or {}).get("chats", 0)) + 1}})
+        return jsonify({"ok": True, "intent": intent, "data": reply})
+
+    # 4) Actionable: execute
+    df = get_offers_df(force_refresh=False)
+
+    response_payload: Dict[str, Any] = {"type": "unknown", "message": "No result."}
+
+    if intent["intent"] in ("price_lookup", "trust_check", "product_discovery"):
+        # pick first item or treat message as query
+        query = ""
+        if intent.get("items"):
+            query = intent["items"][0].get("name") or ""
+        if not query:
+            query = message
+        hits = search_products(df, query, limit=80)
+        summary = summarize_offers(hits)
+        response_payload = render_price_answer(summary)
+
+    elif intent["intent"] in ("basket_build", "basket_optimize", "store_recommendation"):
+        items = intent.get("items") or []
+        # if user didn't provide items but asked store choice, we can try to extract nouns—too risky; keep conservative
+        if not items:
+            response_payload = {
+                "type": "need_list",
+                "title": "Send your list",
+                "message": "I can recommend the best store once you send your basket (even 3–5 items)."
+            }
+        else:
+            basket = basket_store_choice(df, items)
+            response_payload = render_basket_answer(basket)
+
+    elif intent["intent"] == "price_compare":
+        items = intent.get("items") or []
+        if len(items) < 2:
+            response_payload = {
+                "type": "need_two_items",
+                "title": "Need two items",
+                "message": "Tell me two items to compare, e.g., “Coke 2L vs Pepsi 2L”."
+            }
+        else:
+            comparisons = []
+            for it in items[:3]:
+                hits = search_products(df, it.get("name") or "", limit=60)
+                summary = summarize_offers(hits)
+                comparisons.append(summary)
+
+            # compute cheapest for each
+            rows = []
+            for s in comparisons:
+                if not s or not s.get("cheapest"):
+                    continue
+                rows.append({
+                    "name": s.get("name"),
+                    "cheapest_retailer": s["cheapest"]["retailer"],
+                    "price": s["cheapest"]["price"]
+                })
+            rows = sorted(rows, key=lambda x: x["price"])
+            response_payload = {
+                "type": "comparison",
+                "title": "Comparison",
+                "items": rows,
+                "winner": rows[0] if rows else None
             }
-        }), 200
 
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[ADMIN OVERVIEW] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+    # 5) Persist + counters + light memory updates
+    log_chat(profile_id, {
+        "message": message,
+        "intent": intent,
+        "response_type": response_payload.get("type"),
+        "images_present": bool(images),
+    })
 
-@app.route("/api/admin/users", methods=["GET"])
-def admin_list_users():
-    try:
-        verify_admin(request.headers.get("Authorization"))
-        users = db_ref.child("users").get() or {}
-        out = [{"uid": uid, **data} for uid, data in users.items()]
-        out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
-        return jsonify(out), 200
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[ADMIN USERS] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+    counters = prof.get("counters") or {}
+    update_profile(profile_id, {"counters": {"chats": int(counters.get("chats", 0)) + 1}})
+
+    # minimal preference inference
+    if response_payload.get("type") == "basket_plan" and response_payload.get("best_store"):
+        update_profile(profile_id, {"preferences": {"last_best_store": response_payload["best_store"]["name"]}})
+
+    return jsonify({"ok": True, "intent": intent, "data": response_payload})
+
+@app.post("/api/call-briefing")
+def call_briefing():
+    body = request.get_json(silent=True) or {}
+    profile_id = (body.get("profile_id") or "").strip()
+    if not profile_id:
+        return jsonify({"ok": False, "error": "profile_id is required"}), 400
+
+    username = body.get("username")
+    prof = get_profile(profile_id)
+
+    if username and not prof.get("username"):
+        update_profile(profile_id, {"username": username})
+        prof["username"] = username
+
+    # Build lightweight "shopping intelligence" variables for ElevenLabs agent
+    prefs = prof.get("preferences") or {}
+    last_store = (prefs.get("last_best_store") or "").strip() or None
+
+    # quick stats from recent chats (last 25)
+    logs = db.collection("pricelyst_profiles").document(profile_id).collection("chat_logs") \
+        .order_by("ts", direction=firestore.Query.DESCENDING).limit(25).stream()
+
+    intents = []
+    for d in logs:
+        dd = d.to_dict() or {}
+        ii = (dd.get("intent") or {}).get("intent")
+        if ii:
+            intents.append(ii)
+
+    intent_counts: Dict[str, int] = {}
+    for ii in intents:
+        intent_counts[ii] = intent_counts.get(ii, 0) + 1
+
+    shopping_intelligence = {
+        "username": prof.get("username") or "there",
+        "last_best_store": last_store,
+        "top_intents_last_25": sorted(intent_counts.items(), key=lambda x: x[1], reverse=True)[:5],
+        "tone": "practical_zimbabwe",
+    }
 
-@app.route("/api/admin/tasks", methods=["GET"])
-def admin_list_tasks():
-    try:
-        verify_admin(request.headers.get("Authorization"))
-        tasks = db_ref.child("tasks").get() or {}
-        out = list(tasks.values())
-        out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
-        return jsonify(out), 200
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[ADMIN TASKS] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+    return jsonify({
+        "ok": True,
+        "profile_id": profile_id,
+        "memory_summary": prof.get("memory_summary", ""),
+        "shopping_intelligence": shopping_intelligence
+    })
 
-@app.route("/api/admin/users/<string:uid>/deactivate", methods=["PUT"])
-def admin_deactivate_user(uid):
-    """
-    MVP deactivate:
-    - sets users/{uid}/disabled=true
-    (Client should enforce; Auth disable is optional for later)
-    """
-    try:
-        verify_admin(request.headers.get("Authorization"))
-        ref = db_ref.child(f"users/{uid}")
-        user = ref.get()
-        if not user:
-            return jsonify({"error": "User not found"}), 404
-        ref.update({"disabled": True, "disabledAt": now_iso()})
-        return jsonify({"success": True}), 200
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[ADMIN DEACTIVATE] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+@app.post("/api/log-call-usage")
+def log_call_usage():
+    body = request.get_json(silent=True) or {}
+    profile_id = (body.get("profile_id") or "").strip()
+    if not profile_id:
+        return jsonify({"ok": False, "error": "profile_id is required"}), 400
+
+    transcript = (body.get("transcript") or "").strip()
+    call_id = body.get("call_id") or None
+    started_at = body.get("started_at") or None
+    ended_at = body.get("ended_at") or None
+    stats = body.get("stats") or {}
+
+    prof = get_profile(profile_id)
+
+    # Conservative “actionable report” generation:
+    # - only generate if transcript has planning keywords
+    # - and Gemini returns report-ish markdown
+    planning_keywords = ["party", "birthday", "wedding", "braai", "grocer", "basket", "shopping", "budget", "ingredients", "recipe", "cook", "drinks", "snacks"]
+    looks_planning = any(k in transcript.lower() for k in planning_keywords)
+
+    report_md = ""
+    if looks_planning and _gemini_client:
+        report_md = build_call_report_markdown(transcript)
+
+    doc_id = log_call(profile_id, {
+        "call_id": call_id,
+        "started_at": started_at,
+        "ended_at": ended_at,
+        "stats": stats,
+        "transcript": transcript,
+        "report_markdown": report_md,
+    })
 
-@app.route("/api/admin/task/<string:task_id>/chat", methods=["GET"])
-def admin_view_chat(task_id):
-    try:
-        verify_admin(request.headers.get("Authorization"))
-        msgs = db_ref.child(f"chats/{task_id}").get() or {}
-        out = list(msgs.values())
-        out.sort(key=lambda x: x.get("createdAt") or "", reverse=False)
-        return jsonify(out), 200
-    except PermissionError as e:
-        return jsonify({"error": str(e)}), 403
-    except Exception as e:
-        logger.error(f"[ADMIN VIEW CHAT] Error: {e}")
-        return jsonify({"error": "Internal server error"}), 500
+    # update counters
+    counters = prof.get("counters") or {}
+    update_profile(profile_id, {"counters": {"calls": int(counters.get("calls", 0)) + 1}})
 
-# -----------------------------------------------------------------------------
-# 12. MAIN EXECUTION (HF Spaces)
-# -----------------------------------------------------------------------------
+    return jsonify({
+        "ok": True,
+        "logged_call_doc_id": doc_id,
+        "report_markdown": report_md  # client turns this into PDF; empty if non-actionable
+    })
 
+# =========================
+# Run
+# =========================
 if __name__ == "__main__":
-    app.run(debug=True, host="0.0.0.0", port=int(os.environ.get("PORT", 7860)))
+    port = int(os.environ.get("PORT", "5000"))
+    app.run(host="0.0.0.0", port=port, debug=True)