Update main.py

main.py

@@ -4,6 +4,7 @@ import re
 import json
 import uuid
 import time
+import math  # Added for Location Math
 import traceback
 from datetime import datetime, timedelta
 
@@ -31,6 +32,12 @@ logger = logging.getLogger(__name__)
 app = Flask(__name__)
 CORS(app)
 
+# --- HARDCODED ADMINS (MVP STRATEGY) ---
+HARDCODED_ADMIN_EMAILS = [
+    "rairorr@gmail.com",
+    "carolrue7@gmail.com"
+]
+
 # --- Firebase Initialization ---
 try:
     credentials_json_string = os.environ.get("FIREBASE")
@@ -112,6 +119,8 @@ def upload_to_storage(data_bytes, destination_blob_name, content_type):
 
 def safe_float(x, default=None):
     try:
+        if x is None or x == "":
+            return default
         return float(x)
     except Exception:
         return default
@@ -125,6 +134,28 @@ def safe_int(x, default=None):
 def normalize_text(s: str) -> str:
     return re.sub(r"\s+", " ", str(s or "")).strip().lower()
 
+def haversine_distance(lat1, lon1, lat2, lon2):
+    """
+    Calculate the great circle distance in kilometers between two points 
+    on the earth (specified in decimal degrees).
+    """
+    if lat1 is None or lon1 is None or lat2 is None or lon2 is None:
+        return None
+
+    try:
+        # Convert decimal degrees to radians
+        lat1, lon1, lat2, lon2 = map(math.radians, [float(lat1), float(lon1), float(lat2), float(lon2)])
+
+        # Haversine formula
+        dlon = lon2 - lon1
+        dlat = lat2 - lat1
+        a = math.sin(dlat/2)**2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon/2)**2
+        c = 2 * math.asin(math.sqrt(a))
+        r = 6371  # Radius of earth in kilometers
+        return r * c
+    except Exception:
+        return None
+
 def send_text_request(model_name, prompt, image=None):
     """
     Helper: if image is provided, send [prompt, image].
@@ -183,6 +214,10 @@ def require_role(uid: str, allowed_roles: list[str]) -> dict:
             f"User profile missing in RTDB at /users/{uid}. "
             f"Call /api/auth/social-signin (or /api/auth/signup) once after login to bootstrap the profile."
         )
+    
+    # Bypass role check if user is admin
+    if user_data.get("is_admin"):
+        return user_data
 
     role = (user_data.get("role") or "").lower().strip()
     if role not in allowed_roles:
@@ -194,21 +229,45 @@ def require_role(uid: str, allowed_roles: list[str]) -> dict:
 def get_or_create_profile(uid: str) -> dict:
     """
     Ensures /users/{uid} exists in RTDB for any authenticated user.
-    - If missing, bootstraps from Firebase Auth and defaults role to 'customer'.
+    **UPDATED**: Checks hardcoded admin emails to force role=admin.
     """
     ref = db_ref.child(f"users/{uid}")
     user_data = ref.get()
+
+    fb_user = auth.get_user(uid)
+    email = fb_user.email or ""
+    
+    # Check Admin Injection
+    is_hardcoded_admin = email in HARDCODED_ADMIN_EMAILS
+
+    # If user exists, update Admin status if needed
     if user_data:
+        patch = {}
+        # If they are on the list but not marked admin yet
+        if is_hardcoded_admin and not user_data.get("is_admin"):
+            patch["is_admin"] = True
+            patch["role"] = "admin" # Force role update
+        
+        # Social signin patch for display name
+        if not user_data.get("displayName") and fb_user.display_name:
+            patch["displayName"] = fb_user.display_name
+
+        if patch:
+            ref.update(patch)
+            user_data = ref.get()
         return user_data
 
-    fb_user = auth.get_user(uid)
+    # Create new profile
+    role = "admin" if is_hardcoded_admin else "customer" # Default to customer unless on list
+    
     new_user_data = {
-        "email": fb_user.email or "",
+        "email": email,
         "displayName": fb_user.display_name or "",
         "phone": "",
         "city": "",
-        "role": "customer",   # safe default so task posting works out-of-the-box
-        "is_admin": False,
+        "role": role,
+        "is_admin": is_hardcoded_admin,
+        "verificationStatus": "unverified", # unverified | pending | verified | rejected
         "createdAt": now_iso()
     }
     ref.set(new_user_data)
@@ -271,7 +330,7 @@ def health():
     return jsonify({"ok": True, "service": "oneplus-server", "time": now_iso()}), 200
 
 # -----------------------------------------------------------------------------
-# 4. AUTH & USER PROFILES (MVP)
+# 4. AUTH & USER PROFILES
 # -----------------------------------------------------------------------------
 
 @app.route("/api/auth/signup", methods=["POST"])
@@ -297,13 +356,20 @@ def signup():
 
         user = auth.create_user(email=email, password=password, display_name=display_name)
 
+        # Admin Injection logic for Signup
+        is_admin = False
+        if email in HARDCODED_ADMIN_EMAILS:
+            role = "admin"
+            is_admin = True
+
         user_data = {
             "email": email,
             "displayName": display_name,
             "phone": phone,
             "city": city,
             "role": role,
-            "is_admin": False,
+            "is_admin": is_admin,
+            "verificationStatus": "unverified",
             "createdAt": now_iso()
         }
         db_ref.child(f"users/{user.uid}").set(user_data)
@@ -318,43 +384,16 @@ def signup():
 @app.route("/api/auth/social-signin", methods=["POST"])
 def social_signin():
     """
-    Ensures RTDB user record exists. Social login happens on client,
-    we just bootstrap profile.
+    Ensures RTDB user record exists. Social login happens on client.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Invalid or expired token"}), 401
 
-    user_ref = db_ref.child(f"users/{uid}")
-    user_data = user_ref.get()
-
     try:
-        fb_user = auth.get_user(uid)
-
-        # ---- NEW: If user record exists but missing role, default safely
-        if user_data:
-            patch = {}
-            if not user_data.get("displayName") and fb_user.display_name:
-                patch["displayName"] = fb_user.display_name
-            if not (user_data.get("role") or "").strip():
-                patch["role"] = "customer"
-            if patch:
-                user_ref.update(patch)
-                user_data = user_ref.get()
-            return jsonify({"uid": uid, **(user_data or {})}), 200
-
-        # create profile
-        new_user_data = {
-            "email": fb_user.email,
-            "displayName": fb_user.display_name,
-            "phone": "",
-            "city": "",
-            "role": "customer",
-            "is_admin": False,
-            "createdAt": now_iso()
-        }
-        user_ref.set(new_user_data)
-        return jsonify({"success": True, "uid": uid, **new_user_data}), 201
+        # get_or_create_profile handles admin injection
+        user_data = get_or_create_profile(uid)
+        return jsonify({"success": True, "uid": uid, **user_data}), 200
 
     except Exception as e:
         logger.error(f"social_signin failed: {e}")
@@ -363,20 +402,7 @@ def social_signin():
 @app.route("/api/auth/set-role", methods=["POST"])
 def set_role_after_social_signin():
     """
-    Set role after first social sign-in (or first time profile is missing).
-
-    Allowed transitions:
-      - missing profile -> bootstrap -> set role
-      - role missing/empty -> set role (customer|tasker)
-      - customer -> tasker (one-way upgrade ONCE)
-      - tasker -> customer (BLOCK)
-      - same role -> idempotent 200
-
-    Responses:
-      - 401 invalid token
-      - 400 invalid role
-      - 409 blocked role change
-      - 200 success (profile returned)
+    Set role after first social sign-in.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
@@ -390,21 +416,11 @@ def set_role_after_social_signin():
 
     try:
         user_ref = db_ref.child(f"users/{uid}")
-        user_data = user_ref.get()
-
-        # Bootstrap if missing
-        if not user_data:
-            fb_user = auth.get_user(uid)
-            user_data = {
-                "email": fb_user.email or "",
-                "displayName": fb_user.display_name or "",
-                "phone": "",
-                "city": "",
-                "role": "",  # intentionally empty so user must choose
-                "is_admin": False,
-                "createdAt": now_iso(),
-            }
-            user_ref.set(user_data)
+        user_data = get_or_create_profile(uid) # ensure exists
+
+        # IF ADMIN via injection, LOCK role changes
+        if user_data.get("is_admin"):
+            return jsonify({"success": True, "uid": uid, "profile": user_data, "note": "User is Admin, role locked."}), 200
 
         current_role = (user_data.get("role") or "").lower().strip()
 
@@ -426,13 +442,10 @@ def set_role_after_social_signin():
 
         # One-way upgrade: customer -> tasker (allow ONCE)
         if current_role == "customer" and requested_role == "tasker":
-            # If you want to allow this only once, the existence of roleUpgradedAt is enough
             if (user_data.get("roleUpgradedAt") or "").strip():
                 return jsonify({
                     "error": "Role change blocked",
-                    "reason": "Customer -> Tasker upgrade already used. Role flipping is not allowed.",
-                    "currentRole": current_role,
-                    "requestedRole": requested_role
+                    "reason": "Customer -> Tasker upgrade already used.",
                 }), 409
 
             patch = {
@@ -444,17 +457,14 @@ def set_role_after_social_signin():
             updated = user_ref.get() or {}
             return jsonify({"success": True, "uid": uid, "profile": updated, "note": "upgraded customer -> tasker"}), 200
 
-        # Block any other change (tasker->customer or any flip)
+        # Block any other change
         return jsonify({
             "error": "Role change blocked",
             "reason": "Role flipping is not allowed.",
-            "currentRole": current_role,
-            "requestedRole": requested_role
         }), 409
 
     except Exception as e:
         logger.error(f"[SET ROLE] failed: {e}")
-        logger.error(traceback.format_exc())
         return jsonify({"error": "Internal server error"}), 500
 
 @app.route("/api/user/profile", methods=["GET"])
@@ -463,7 +473,6 @@ def get_user_profile():
     if not uid:
         return jsonify({"error": "Invalid or expired token"}), 401
 
-    # ---- NEW: auto-bootstrap profile so profile fetch never mysteriously 404s
     try:
         user_data = get_or_create_profile(uid)
         return jsonify({"uid": uid, **user_data}), 200
@@ -474,15 +483,17 @@ def get_user_profile():
 
 @app.route("/api/user/profile", methods=["PUT"])
 def update_user_profile():
+    """
+    Updates user profile. 
+    **UPDATED**: Accepts 'lat', 'lng', 'serviceRadiusKm' for Location Matching.
+    """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Invalid or expired token"}), 401
 
-    # ---- NEW: ensure profile exists before update
     try:
         _ = get_or_create_profile(uid)
     except Exception as e:
-        logger.error(f"update_user_profile bootstrap failed: {e}")
         return jsonify({"error": "Failed to bootstrap profile"}), 500
 
     data = request.get_json() or {}
@@ -493,15 +504,14 @@ def update_user_profile():
         if key in data:
             allowed[key] = data.get(key)
 
-    # Role-specific (tasker)
-    for key in ["skills", "categories", "bio", "serviceRadiusKm", "baseRate", "profilePhotoUrl", "availability"]:
+    # Role-specific (tasker) + Location fields
+    for key in ["skills", "categories", "bio", "serviceRadiusKm", "baseRate", "profilePhotoUrl", "availability", "lat", "lng"]:
         if key in data:
-            allowed[key] = data.get(key)
-
-    # ---- NEW: allow role updates ONLY if explicitly permitted (optional safeguard)
-    # If you don't want clients to ever change role, leave this out entirely.
-    # if "role" in data:
-    #     return jsonify({"error": "Role cannot be updated from client"}), 400
+            # Type safety for numeric
+            if key in ["lat", "lng", "baseRate", "serviceRadiusKm"]:
+                allowed[key] = safe_float(data.get(key))
+            else:
+                allowed[key] = data.get(key)
 
     if not allowed:
         return jsonify({"error": "No valid fields provided"}), 400
@@ -518,30 +528,19 @@ def update_user_profile():
         return jsonify({"error": f"Failed to update profile: {str(e)}"}), 500
 
 # -----------------------------------------------------------------------------
-# 5. AI (CUSTOMER) — SMART CAPTURE (MVP Critical)
+# 5. AI & SMART CAPTURE
 # -----------------------------------------------------------------------------
 
 @app.route("/api/ai/smart-capture", methods=["POST"])
 def smart_capture():
     """
-    Customer uploads image (or video thumbnail) + optional context text.
-    Server sends to Gemini Vision and returns structured output for prefill:
-      - category
-      - problemSummary
-      - difficulty
-      - timeEstimate
-      - priceBand
-      - suggestedMaterials[]
-      - suggestedTitle
-      - suggestedDescription
-      - suggestedBudgetRange
+    Customer uploads image -> Gemini Vision -> Structured Task Data.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Unauthorized"}), 401
 
     try:
-        # Accept multipart like SozoFix
         if "image" not in request.files:
             return jsonify({"error": "Image file is required (field name: image)"}), 400
 
@@ -600,14 +599,12 @@ Rules:
 
     except Exception as e:
         logger.error(f"[SMART CAPTURE] Error: {e}")
-        logger.error(traceback.format_exc())
         return jsonify({"error": "Internal server error"}), 500
 
 @app.route("/api/ai/improve-description", methods=["POST"])
 def improve_description():
     """
-    MVP nice-to-have:
-    User provides a short/vague description; AI rewrites professionally and adds questions.
+    (RESTORED) User provides a short/vague description; AI rewrites professionally.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
@@ -644,38 +641,84 @@ JSON only, no markdown.
     return jsonify({"success": True, "result": result}), 200
 
 # -----------------------------------------------------------------------------
-# 6. TASKS (CUSTOMER POSTS, TASKER BROWSES) + MEDIA UPLOAD (MVP)
+# 6. TASKER VERIFICATION (NEW)
+# -----------------------------------------------------------------------------
+
+@app.route("/api/tasker/verify-docs", methods=["POST"])
+def upload_verification_docs():
+    """
+    Tasker uploads ID (required) and Certificate (optional).
+    Status becomes 'pending'.
+    """
+    uid = verify_token(request.headers.get("Authorization"))
+    if not uid:
+        return jsonify({"error": "Unauthorized"}), 401
+
+    try:
+        # Only Tasker or Admin
+        user = require_role(uid, ["tasker", "admin"])
+        
+        # Files
+        id_file = request.files.get("idDocument")
+        cert_file = request.files.get("certificate") # optional
+
+        if not id_file:
+            return jsonify({"error": "ID Document is required"}), 400
+
+        verification_data = {
+            "status": "pending",
+            "submittedAt": now_iso()
+        }
+
+        # Upload ID
+        ext = (id_file.mimetype or "").split("/")[-1] or "jpg"
+        path = f"users/{uid}/verification/id_{int(time.time())}.{ext}"
+        verification_data["idDocUrl"] = upload_to_storage(id_file.read(), path, id_file.mimetype)
+
+        # Upload Cert if exists
+        if cert_file:
+            ext = (cert_file.mimetype or "").split("/")[-1] or "jpg"
+            path = f"users/{uid}/verification/cert_{int(time.time())}.{ext}"
+            verification_data["certDocUrl"] = upload_to_storage(cert_file.read(), path, cert_file.mimetype)
+
+        # Update user profile
+        db_ref.child(f"users/{uid}").update({
+            "verificationStatus": "pending",
+            "verificationDocs": verification_data
+        })
+
+        return jsonify({"success": True, "status": "pending", "docs": verification_data}), 200
+
+    except PermissionError as e:
+        return jsonify({"error": str(e)}), 403
+    except Exception as e:
+        logger.error(f"[VERIFICATION UPLOAD] Error: {e}")
+        return jsonify({"error": "Internal server error"}), 500
+
+# -----------------------------------------------------------------------------
+# 7. TASKS (UPDATED WITH LOCATION)
 # -----------------------------------------------------------------------------
 
 @app.route("/api/tasks", methods=["POST"])
 def create_task():
     """
     Customer creates a task.
-    Upload media like SozoFix:
-      - multipart/form-data
-      - fields: category, title, description, city, address(optional), budget, scheduleAt(optional ISO), contextText(optional)
-      - file fields: media (can send multiple) OR image (single)
+    **UPDATED**: Accepts 'lat' and 'lng' from form data for location matching.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Unauthorized"}), 401
 
     try:
-        # ---- NEW: Always ensure RTDB profile exists (prevents 403 due to missing /users/{uid})
         profile = get_or_create_profile(uid)
 
-        # ---- NEW: role gate with explicit, debuggable response
         role = (profile.get("role") or "").lower().strip()
         if role not in ["customer", "admin"]:
             return jsonify({
                 "error": "Forbidden",
-                "reason": f"Role '{role}' not allowed to create tasks. Must be customer (or admin).",
-                "uid": uid
+                "reason": f"Role '{role}' not allowed to create tasks.",
             }), 403
 
-        # ---- NEW: helpful logs for production debugging
-        logger.info(f"[CREATE TASK] uid={uid} role={role} email={profile.get('email')}")
-
         # multipart
         category = request.form.get("category", "").strip()
         title = request.form.get("title", "").strip()
@@ -683,8 +726,12 @@ def create_task():
         city = request.form.get("city", "").strip()
         address = request.form.get("address", "").strip()
         budget = request.form.get("budget", "").strip()
-        schedule_at = request.form.get("scheduleAt", "").strip()  # ISO string from UI
-        smart_capture_json = request.form.get("smartCapture", "").strip()  # optional JSON string from UI
+        schedule_at = request.form.get("scheduleAt", "").strip() 
+        smart_capture_json = request.form.get("smartCapture", "").strip()
+
+        # Location Data
+        lat = safe_float(request.form.get("lat"))
+        lng = safe_float(request.form.get("lng"))
 
         if not category or not city or not description:
             return jsonify({"error": "category, city, and description are required"}), 400
@@ -710,7 +757,6 @@ def create_task():
             url = upload_to_storage(data_bytes, path, f.mimetype or "application/octet-stream")
             media_urls.append(url)
 
-        # optional smartCapture object
         smart_capture = None
         if smart_capture_json:
             try:
@@ -729,9 +775,13 @@ def create_task():
             "description": description or (smart_capture or {}).get("suggestedDescription") or "",
             "city": city,
             "address": address,
+            
+            # Geo-location
+            "lat": lat,
+            "lng": lng,
 
-            "budget": budget,            # keep as string to avoid currency assumptions
-            "scheduleAt": schedule_at,   # ISO string
+            "budget": budget,            
+            "scheduleAt": schedule_at,   
             "mediaUrls": media_urls,
 
             "smartCapture": smart_capture or {},
@@ -745,47 +795,61 @@ def create_task():
 
         db_ref.child(f"tasks/{task_id}").set(task_payload)
 
-        # Notify taskers (basic broadcast by category + city)
+        # Notify taskers (Updated logic)
         notify_taskers_for_new_task(task_payload)
 
         return jsonify({"success": True, "task": task_payload}), 201
 
     except PermissionError as e:
-        # Keep PermissionError mapping, but now it will be far more informative when it happens
         return jsonify({"error": "Forbidden", "reason": str(e)}), 403
     except Exception as e:
         logger.error(f"[CREATE TASK] Error: {e}")
-        logger.error(traceback.format_exc())
         return jsonify({"error": "Internal server error"}), 500
 
 def notify_taskers_for_new_task(task: dict):
     """
-    MVP matching:
-    - loop through users with role=tasker
-    - match category overlap + city match (or empty city)
-    - push in-app notification
+    **UPDATED** matching:
+    - Distance check (Haversine) vs Service Radius
+    - Category check
     """
     try:
         users = db_ref.child("users").get() or {}
-        tcat = normalize_text(task.get("category"))
-        tcity = normalize_text(task.get("city"))
+        t_lat = task.get("lat")
+        t_lng = task.get("lng")
+        t_cat = normalize_text(task.get("category"))
+        t_city = normalize_text(task.get("city"))
 
         for tasker_id, u in users.items():
             if (u.get("role") or "").lower().strip() != "tasker":
                 continue
-
-            # City match: if tasker has city set, match it; else allow.
-            ucity = normalize_text(u.get("city"))
-            if ucity and tcity and ucity != tcity:
+            
+            # 1. Location Logic (Precision or City fallback)
+            u_lat = u.get("lat")
+            u_lng = u.get("lng")
+            radius = safe_float(u.get("serviceRadiusKm"), 50.0)
+
+            # If precise location available for both, use math
+            match_location = False
+            if t_lat and t_lng and u_lat and u_lng:
+                dist = haversine_distance(t_lat, t_lng, u_lat, u_lng)
+                if dist is not None and dist <= radius:
+                    match_location = True
+            else:
+                # Fallback to City string match
+                ucity = normalize_text(u.get("city"))
+                if not ucity or (t_city and ucity == t_city):
+                    match_location = True
+            
+            if not match_location:
                 continue
 
-            # Category match: if tasker categories list exists, try overlap; else allow.
+            # 2. Category Match
             cats = u.get("categories") or []
             if isinstance(cats, str):
                 cats = [c.strip() for c in cats.split(",") if c.strip()]
 
             if cats:
-                ok = any(normalize_text(c) == tcat for c in cats)
+                ok = any(normalize_text(c) == t_cat for c in cats)
                 if not ok:
                     continue
 
@@ -802,12 +866,7 @@ def notify_taskers_for_new_task(task: dict):
 @app.route("/api/tasks", methods=["GET"])
 def list_tasks():
     """
-    Role-aware list:
-    - customer: list my tasks
-    - tasker: list open/bidding tasks (with filters)
-    - admin: list all tasks (optional filters)
-    Query params:
-      status, category, city, mine=true
+    Role-aware list.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
@@ -835,7 +894,6 @@ def list_tasks():
                     continue
 
             elif role == "tasker":
-                # default: show open/bidding, or mine jobs if mine=true
                 if mine:
                     if t.get("assignedTaskerId") != uid:
                         continue
@@ -855,7 +913,6 @@ def list_tasks():
 
             out.append(t)
 
-        # sort newest first
         out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
         return jsonify(out), 200
 
@@ -863,6 +920,69 @@ def list_tasks():
         logger.error(f"[LIST TASKS] Error: {e}")
         return jsonify({"error": "Internal server error"}), 500
 
+@app.route("/api/tasker/recommended", methods=["GET"])
+def recommended_tasks():
+    """
+    **NEW**: Smart Recommender for Taskers.
+    Ranks open tasks based on:
+    1. Distance (Haversine)
+    2. Category Match
+    """
+    uid = verify_token(request.headers.get("Authorization"))
+    if not uid: return jsonify({"error": "Unauthorized"}), 401
+
+    try:
+        user = db_ref.child(f"users/{uid}").get() or {}
+        if user.get("role") != "tasker":
+            return jsonify({"error": "Only taskers can view recommended feed"}), 403
+
+        u_lat = safe_float(user.get("lat"))
+        u_lng = safe_float(user.get("lng"))
+        u_cats = user.get("categories") or []
+        if isinstance(u_cats, str): 
+            u_cats = [x.strip().lower() for x in u_cats.split(",")]
+        else:
+            u_cats = [str(x).lower() for x in u_cats]
+
+        all_tasks = db_ref.child("tasks").get() or {}
+        scored_tasks = []
+
+        for t in all_tasks.values():
+            if t.get("status") not in ["open", "bidding"]:
+                continue
+            
+            score = 100
+            
+            # Distance Logic
+            t_lat = safe_float(t.get("lat"))
+            t_lng = safe_float(t.get("lng"))
+            dist_km = None
+            
+            if u_lat and u_lng and t_lat and t_lng:
+                dist_km = haversine_distance(u_lat, u_lng, t_lat, t_lng)
+                if dist_km is not None:
+                    # Deduct 1 point per km
+                    score -= dist_km
+            
+            # Category Match
+            t_cat = normalize_text(t.get("category"))
+            if any(c in t_cat for c in u_cats):
+                score += 50 # Big bonus for matching skill
+
+            # Add verified bonus?
+            
+            t["_debug_score"] = score
+            t["_distance_km"] = dist_km
+            scored_tasks.append(t)
+
+        # Sort: Higher score first
+        scored_tasks.sort(key=lambda x: x["_debug_score"], reverse=True)
+        return jsonify(scored_tasks), 200
+
+    except Exception as e:
+        logger.error(f"[RECOMMENDER] {e}")
+        return jsonify({"error": "Internal server error"}), 500
+
 @app.route("/api/tasks/<string:task_id>", methods=["GET"])
 def get_task(task_id):
     uid = verify_token(request.headers.get("Authorization"))
@@ -893,7 +1013,7 @@ def get_task(task_id):
 @app.route("/api/tasks/<string:task_id>", methods=["PUT"])
 def update_task(task_id):
     """
-    Customer can edit task only if not assigned/in_progress/completed.
+    Customer edit task.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
@@ -914,7 +1034,8 @@ def update_task(task_id):
 
         data = request.get_json() or {}
         allowed = {}
-        for key in ["category", "title", "description", "city", "address", "budget", "scheduleAt"]:
+        # Added lat/lng here too
+        for key in ["category", "title", "description", "city", "address", "budget", "scheduleAt", "lat", "lng"]:
             if key in data:
                 allowed[key] = data.get(key)
 
@@ -934,12 +1055,6 @@ def update_task(task_id):
 
 @app.route("/api/tasks/<string:task_id>/status", methods=["PUT"])
 def update_task_status(task_id):
-    """
-    Status transitions (MVP):
-      customer: cancel, mark_completed
-      tasker: on_the_way, in_progress, mark_completed (if assigned)
-      admin: any
-    """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Unauthorized"}), 401
@@ -973,13 +1088,11 @@ def update_task_status(task_id):
                 if task.get("status") in ["completed", "cancelled"]:
                     return jsonify({"error": "Task already closed"}), 400
                 task_ref.update({"status": "cancelled", "cancelledAt": now_iso()})
-                # notify assigned tasker (if any)
                 if task.get("assignedTaskerId"):
                     push_notification(task["assignedTaskerId"], "task_cancelled", "Task cancelled", "Customer cancelled the task.", {"taskId": task_id})
                 return jsonify({"success": True, "task": task_ref.get()}), 200
 
             if new_status == "completed":
-                # allow completion only if was assigned/in_progress
                 if task.get("status") not in ["assigned", "in_progress"]:
                     return jsonify({"error": "Task not in a completable state"}), 400
                 task_ref.update({"status": "completed", "completedAt": now_iso()})
@@ -997,10 +1110,7 @@ def update_task_status(task_id):
             if new_status not in ["on_the_way", "in_progress", "completed"]:
                 return jsonify({"error": "Invalid tasker status update"}), 400
 
-            # map on_the_way as in_progress-ish, but keep it if you want
             task_ref.update({"status": new_status, "updatedAt": now_iso()})
-
-            # notify customer
             push_notification(task["createdBy"], "task_update", "Task update", f"Task status: {new_status}", {"taskId": task_id})
             return jsonify({"success": True, "task": task_ref.get()}), 200
 
@@ -1013,8 +1123,7 @@ def update_task_status(task_id):
 @app.route("/api/tasks/<string:task_id>", methods=["DELETE"])
 def delete_task(task_id):
     """
-    Customer can delete only if open/bidding and no assignment.
-    Also removes task media folder.
+    (RESTORED) Customer can delete only if open/bidding and no assignment.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
@@ -1057,21 +1166,21 @@ def delete_task(task_id):
         return jsonify({"error": "Internal server error"}), 500
 
 # -----------------------------------------------------------------------------
-# 7. BIDDING (TASKERS SUBMIT OFFERS) (MVP)
+# 8. BIDDING
 # -----------------------------------------------------------------------------
 
 @app.route("/api/tasks/<string:task_id>/bids", methods=["POST"])
 def submit_bid(task_id):
     """
-    Tasker submits bid: price + timeline + message.
-    Stored under /bids/{taskId}/{bidId}
+    Tasker submits bid.
+    **UPDATED**: Snapshots 'taskerVerified' status into the bid for the badge UI.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Unauthorized"}), 401
 
     try:
-        require_role(uid, ["tasker", "admin"])
+        user = require_role(uid, ["tasker", "admin"])
 
         task = db_ref.child(f"tasks/{task_id}").get()
         if not task:
@@ -1093,6 +1202,10 @@ def submit_bid(task_id):
             "bidId": bid_id,
             "taskId": task_id,
             "taskerId": uid,
+            "taskerName": user.get("displayName"),
+            "taskerPhoto": user.get("profilePhotoUrl"),
+            "taskerVerified": (user.get("verificationStatus") == "verified"), # THE BADGE
+
             "price": price,
             "timeline": timeline,
             "message": message,
@@ -1101,11 +1214,9 @@ def submit_bid(task_id):
         }
         db_ref.child(f"bids/{task_id}/{bid_id}").set(bid)
 
-        # flip task to bidding
         if task.get("status") == "open":
             db_ref.child(f"tasks/{task_id}").update({"status": "bidding", "updatedAt": now_iso()})
 
-        # notify customer
         push_notification(
             to_uid=task["createdBy"],
             notif_type="new_bid",
@@ -1124,11 +1235,6 @@ def submit_bid(task_id):
 
 @app.route("/api/tasks/<string:task_id>/bids", methods=["GET"])
 def list_bids(task_id):
-    """
-    Customer: can see bids for own task
-    Tasker: can see bids if they bid
-    Admin: all
-    """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Unauthorized"}), 401
@@ -1155,7 +1261,6 @@ def list_bids(task_id):
             return jsonify(out), 200
 
         if role == "tasker":
-            # only show their own bids unless task assigned to them
             if task.get("assignedTaskerId") == uid:
                 out.sort(key=lambda x: x.get("createdAt") or "", reverse=True)
                 return jsonify(out), 200
@@ -1171,13 +1276,6 @@ def list_bids(task_id):
 
 @app.route("/api/tasks/<string:task_id>/select-bid", methods=["PUT"])
 def select_bid(task_id):
-    """
-    Customer selects a bid:
-      - set task.assignedTaskerId
-      - set task.selectedBidId
-      - set task.status = assigned
-      - notify tasker + customer
-    """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Unauthorized"}), 401
@@ -1210,13 +1308,12 @@ def select_bid(task_id):
             "updatedAt": now_iso()
         })
 
-        # mark bid as accepted, others as rejected (MVP)
+        # mark bid as accepted, others as rejected
         bids = db_ref.child(f"bids/{task_id}").get() or {}
         for bkey, b in bids.items():
             st = "accepted" if bkey == bid_id else "rejected"
             db_ref.child(f"bids/{task_id}/{bkey}").update({"status": st})
 
-        # notify tasker
         push_notification(
             to_uid=tasker_id,
             notif_type="bid_accepted",
@@ -1225,12 +1322,11 @@ def select_bid(task_id):
             meta={"taskId": task_id, "bidId": bid_id}
         )
 
-        # notify customer
         push_notification(
             to_uid=task["createdBy"],
             notif_type="task_assigned",
             title="Task assigned",
-            body="You assigned the task to a tasker. You can now chat.",
+            body="You assigned the task to a tasker.",
             meta={"taskId": task_id, "assignedTaskerId": tasker_id}
         )
 
@@ -1243,7 +1339,7 @@ def select_bid(task_id):
         return jsonify({"error": "Internal server error"}), 500
 
 # -----------------------------------------------------------------------------
-# 8. CHAT (REAL-TIME DB STORED) (MVP)
+# 9. CHAT
 # -----------------------------------------------------------------------------
 
 @app.route("/api/chats/<string:task_id>/messages", methods=["GET"])
@@ -1275,10 +1371,7 @@ def list_messages(task_id):
 @app.route("/api/chats/<string:task_id>/messages", methods=["POST"])
 def send_message(task_id):
     """
-    Send message. Optional attachment upload (single file) via multipart:
-      - text in form field "text"
-      - file in field "file"
-    Or JSON body: {"text": "..."} for text-only
+    Send message with optional file.
     """
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
@@ -1329,7 +1422,6 @@ def send_message(task_id):
         }
         db_ref.child(f"chats/{task_id}/{msg_id}").set(msg)
 
-        # notify the other party
         other_uid = None
         if uid == task.get("createdBy"):
             other_uid = task.get("assignedTaskerId") or None
@@ -1352,7 +1444,7 @@ def send_message(task_id):
         return jsonify({"error": "Internal server error"}), 500
 
 # -----------------------------------------------------------------------------
-# 9. NOTIFICATIONS (IN-APP) (MVP)
+# 10. NOTIFICATIONS
 # -----------------------------------------------------------------------------
 
 @app.route("/api/notifications", methods=["GET"])
@@ -1372,6 +1464,7 @@ def list_notifications():
 
 @app.route("/api/notifications/<string:notif_id>/read", methods=["PUT"])
 def mark_notification_read(notif_id):
+    """(RESTORED)"""
     uid = verify_token(request.headers.get("Authorization"))
     if not uid:
         return jsonify({"error": "Unauthorized"}), 401
@@ -1388,7 +1481,7 @@ def mark_notification_read(notif_id):
         return jsonify({"error": "Internal server error"}), 500
 
 # -----------------------------------------------------------------------------
-# 10. REVIEWS (CUSTOMER RATES TASKER AFTER COMPLETION) (MVP)
+# 11. REVIEWS
 # -----------------------------------------------------------------------------
 
 @app.route("/api/tasks/<string:task_id>/review", methods=["POST"])
@@ -1441,7 +1534,7 @@ def leave_review(task_id):
         return jsonify({"error": "Internal server error"}), 500
 
 # -----------------------------------------------------------------------------
-# 11. ADMIN (MVP OVERVIEW + MANAGEMENT)
+# 12. ADMIN
 # -----------------------------------------------------------------------------
 
 @app.route("/api/admin/overview", methods=["GET"])
@@ -1451,38 +1544,31 @@ def admin_overview():
 
         users = db_ref.child("users").get() or {}
         tasks = db_ref.child("tasks").get() or {}
-        # lightweight counts only
+        
         total_users = len(users)
         total_taskers = sum(1 for u in users.values() if (u.get("role") or "").lower().strip() == "tasker")
         total_customers = sum(1 for u in users.values() if (u.get("role") or "").lower().strip() == "customer")
+        
+        # New: Pending verifications
+        pending_verifications = sum(1 for u in users.values() if u.get("verificationStatus") == "pending")
 
         by_status = {}
         for t in tasks.values():
             s = t.get("status") or "unknown"
             by_status[s] = by_status.get(s, 0) + 1
 
-        # bids count (shallow)
-        bids_root = db_ref.child("bids").get() or {}
-        total_bids = 0
-        for task_bids in bids_root.values():
-            if isinstance(task_bids, dict):
-                total_bids += len(task_bids)
-
         return jsonify({
             "uid": admin_uid,
-            "dashboardStats": {
-                "users": {
-                    "total": total_users,
-                    "customers": total_customers,
-                    "taskers": total_taskers
-                },
-                "tasks": {
-                    "total": len(tasks),
-                    "byStatus": by_status
-                },
-                "bids": {
-                    "total": total_bids
-                }
+            "stats": { # Unified stats block
+                "users": total_users,
+                "customers": total_customers,
+                "taskers": total_taskers,
+                "tasks": len(tasks),
+                "pendingVerifications": pending_verifications
+            },
+            "dashboardStats": { # Legacy/Duplicate block just in case FE uses it
+                "users": {"total": total_users},
+                "tasks": {"total": len(tasks)}
             }
         }), 200
 
@@ -1522,11 +1608,7 @@ def admin_list_tasks():
 
 @app.route("/api/admin/users/<string:uid>/deactivate", methods=["PUT"])
 def admin_deactivate_user(uid):
-    """
-    MVP deactivate:
-    - sets users/{uid}/disabled=true
-    (Client should enforce; Auth disable is optional for later)
-    """
+    """(RESTORED)"""
     try:
         verify_admin(request.headers.get("Authorization"))
         ref = db_ref.child(f"users/{uid}")
@@ -1543,6 +1625,7 @@ def admin_deactivate_user(uid):
 
 @app.route("/api/admin/task/<string:task_id>/chat", methods=["GET"])
 def admin_view_chat(task_id):
+    """(RESTORED)"""
     try:
         verify_admin(request.headers.get("Authorization"))
         msgs = db_ref.child(f"chats/{task_id}").get() or {}
@@ -1555,8 +1638,35 @@ def admin_view_chat(task_id):
         logger.error(f"[ADMIN VIEW CHAT] Error: {e}")
         return jsonify({"error": "Internal server error"}), 500
 
+@app.route("/api/admin/users/<string:target_uid>/verify", methods=["PUT"])
+def admin_verify_user(target_uid):
+    """
+    **NEW**: Admin approves or rejects tasker documents.
+    Payload: { "status": "verified" | "rejected" }
+    """
+    try:
+        verify_admin(request.headers.get("Authorization"))
+        data = request.get_json() or {}
+        status = data.get("status")
+        if status not in ["verified", "rejected"]:
+            return jsonify({"error": "Invalid status"}), 400
+
+        db_ref.child(f"users/{target_uid}").update({
+            "verificationStatus": status,
+            "verifiedAt": now_iso() if status == "verified" else None
+        })
+        
+        push_notification(target_uid, "verification_update", "Account Update", f"Your verification status is now: {status}")
+
+        return jsonify({"success": True}), 200
+    except PermissionError:
+        return jsonify({"error": "Admin required"}), 403
+    except Exception as e:
+        logger.error(f"[ADMIN VERIFY] Error: {e}")
+        return jsonify({"error": "Internal server error"}), 500
+
 # -----------------------------------------------------------------------------
-# 12. MAIN EXECUTION (HF Spaces)
+# 13. MAIN EXECUTION
 # -----------------------------------------------------------------------------
 
 if __name__ == "__main__":