ci: Bump version to 0.9.48 [skip ci]

fix the dang integration tests
ci: Bump version to 0.9.47 [skip ci]
2026-01-07 01:35:26 +05:00 · 2026-01-06 12:34:18 -08:00 · 2026-01-06 23:34:29 +05:00 · 2026-01-06 10:33:51 -08:00 · 2026-01-06 22:39:47 +05:00 · 2026-01-06 09:38:14 -08:00
93 changed files with 1948 additions and 384 deletions
--- a/.gitea/workflows/deploy-to-test.yml
+++ b/.gitea/workflows/deploy-to-test.yml
@@ -113,7 +113,7 @@ jobs:
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD_TEST }}

          # --- Integration test specific variables ---
-          FRONTEND_URL: 'http://localhost:3000'
+          FRONTEND_URL: 'https://example.com'
          VITE_API_BASE_URL: 'http://localhost:3001/api'
          GEMINI_API_KEY: ${{ secrets.VITE_GOOGLE_GENAI_API_KEY }}

@@ -389,7 +389,7 @@ jobs:
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD_TEST }}

          # Application Secrets
-          FRONTEND_URL: 'https://flyer-crawler-test.projectium.com'
+          FRONTEND_URL: 'https://example.com'
          JWT_SECRET: ${{ secrets.JWT_SECRET }}
          GEMINI_API_KEY: ${{ secrets.VITE_GOOGLE_GENAI_API_KEY_TEST }}
          GOOGLE_MAPS_API_KEY: ${{ secrets.GOOGLE_MAPS_API_KEY }}
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "flyer-crawler",
-  "version": "0.9.29",
+  "version": "0.9.48",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "flyer-crawler",
-      "version": "0.9.29",
+      "version": "0.9.48",
      "dependencies": {
        "@bull-board/api": "^6.14.2",
        "@bull-board/express": "^6.14.2",
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "flyer-crawler",
  "private": true,
-  "version": "0.9.29",
+  "version": "0.9.48",
  "type": "module",
  "scripts": {
    "dev": "concurrently \"npm:start:dev\" \"vite\"",
--- a/sql/initial_schema.sql
+++ b/sql/initial_schema.sql
@@ -90,10 +90,10 @@ CREATE TABLE IF NOT EXISTS public.profiles (
  created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
  updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
  CONSTRAINT profiles_full_name_check CHECK (full_name IS NULL OR TRIM(full_name) <> ''),
-  CONSTRAINT profiles_avatar_url_check CHECK (avatar_url IS NULL OR avatar_url ~* '^https://?.*'),
  created_by UUID REFERENCES public.users(user_id) ON DELETE SET NULL,
  updated_by UUID REFERENCES public.users(user_id) ON DELETE SET NULL
 );
+  -- CONSTRAINT profiles_avatar_url_check CHECK (avatar_url IS NULL OR avatar_url ~* '^https://?.*'),
 COMMENT ON TABLE public.profiles IS 'Stores public-facing user data, linked to the public.users table.';
 COMMENT ON COLUMN public.profiles.address_id IS 'A foreign key to the user''s primary address in the `addresses` table.';
 -- This index is crucial for the gamification leaderboard feature.
@@ -108,9 +108,9 @@ CREATE TABLE IF NOT EXISTS public.stores (
  created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
  updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
  CONSTRAINT stores_name_check CHECK (TRIM(name) <> ''),
-  CONSTRAINT stores_logo_url_check CHECK (logo_url IS NULL OR logo_url ~* '^https://?.*'),
  created_by UUID REFERENCES public.users(user_id) ON DELETE SET NULL
 );
+  -- CONSTRAINT stores_logo_url_check CHECK (logo_url IS NULL OR logo_url ~* '^https://?.*'),
 COMMENT ON TABLE public.stores IS 'Stores metadata for grocery store chains (e.g., Safeway, Kroger).';

 -- 5. The 'categories' table for normalized category data.
@@ -141,10 +141,10 @@ CREATE TABLE IF NOT EXISTS public.flyers (
  updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
  CONSTRAINT flyers_valid_dates_check CHECK (valid_to >= valid_from),
  CONSTRAINT flyers_file_name_check CHECK (TRIM(file_name) <> ''),
-  CONSTRAINT flyers_image_url_check CHECK (image_url ~* '^https://?.*'),
-  CONSTRAINT flyers_icon_url_check CHECK (icon_url IS NULL OR icon_url ~* '^https://?.*'),
  CONSTRAINT flyers_checksum_check CHECK (checksum IS NULL OR length(checksum) = 64)
 );
+  -- CONSTRAINT flyers_image_url_check CHECK (image_url ~* '^https://?.*'),
+  -- CONSTRAINT flyers_icon_url_check CHECK (icon_url IS NULL OR icon_url ~* '^https://?.*'),
 COMMENT ON TABLE public.flyers IS 'Stores metadata for each processed flyer, linking it to a store and its validity period.';
 CREATE INDEX IF NOT EXISTS idx_flyers_store_id ON public.flyers(store_id);
 COMMENT ON COLUMN public.flyers.file_name IS 'The original name of the uploaded flyer file (e.g., "flyer_week_1.pdf").';
@@ -198,9 +198,9 @@ CREATE TABLE IF NOT EXISTS public.brands (
    store_id BIGINT REFERENCES public.stores(store_id) ON DELETE SET NULL,
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    CONSTRAINT brands_name_check CHECK (TRIM(name) <> ''),
-    CONSTRAINT brands_logo_url_check CHECK (logo_url IS NULL OR logo_url ~* '^https://?.*')
+    CONSTRAINT brands_name_check CHECK (TRIM(name) <> '')
 );
+    -- CONSTRAINT brands_logo_url_check CHECK (logo_url IS NULL OR logo_url ~* '^https://?.*')
 COMMENT ON TABLE public.brands IS 'Stores brand names like "Coca-Cola", "Maple Leaf", or "Kraft".';
 COMMENT ON COLUMN public.brands.store_id IS 'If this is a store-specific brand (e.g., President''s Choice), this links to the parent store.';

@@ -464,9 +464,9 @@ CREATE TABLE IF NOT EXISTS public.user_submitted_prices (
    upvotes INTEGER DEFAULT 0 NOT NULL CHECK (upvotes >= 0),
    downvotes INTEGER DEFAULT 0 NOT NULL CHECK (downvotes >= 0),
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    CONSTRAINT user_submitted_prices_photo_url_check CHECK (photo_url IS NULL OR photo_url ~* '^https://?.*')
+    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL
 );
+-- CONSTRAINT user_submitted_prices_photo_url_check CHECK (photo_url IS NULL OR photo_url ~* '^https://?.*')
 COMMENT ON TABLE public.user_submitted_prices IS 'Stores item prices submitted by users directly from physical stores.';
 COMMENT ON COLUMN public.user_submitted_prices.photo_url IS 'URL to user-submitted photo evidence of the price.';
 COMMENT ON COLUMN public.user_submitted_prices.upvotes IS 'Community validation score indicating accuracy.';
@@ -521,9 +521,9 @@ CREATE TABLE IF NOT EXISTS public.recipes (
    fork_count INTEGER DEFAULT 0 NOT NULL CHECK (fork_count >= 0),
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    CONSTRAINT recipes_name_check CHECK (TRIM(name) <> ''),
-    CONSTRAINT recipes_photo_url_check CHECK (photo_url IS NULL OR photo_url ~* '^https://?.*')
+    CONSTRAINT recipes_name_check CHECK (TRIM(name) <> '')
 );
+-- CONSTRAINT recipes_photo_url_check CHECK (photo_url IS NULL OR photo_url ~* '^https://?.*')
 COMMENT ON TABLE public.recipes IS 'Stores recipes that can be used to generate shopping lists.';
 COMMENT ON COLUMN public.recipes.servings IS 'The number of servings this recipe yields.';
 COMMENT ON COLUMN public.recipes.original_recipe_id IS 'If this recipe is a variation of another, this points to the original.';
@@ -920,9 +920,9 @@ CREATE TABLE IF NOT EXISTS public.receipts (
    raw_text TEXT,
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    processed_at TIMESTAMPTZ,    
-    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    CONSTRAINT receipts_receipt_image_url_check CHECK (receipt_image_url ~* '^https://?.*')
+    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL
 );
+    -- CONSTRAINT receipts_receipt_image_url_check CHECK (receipt_image_url ~* '^https://?.*')
 COMMENT ON TABLE public.receipts IS 'Stores uploaded user receipts for purchase tracking and analysis.';
 CREATE INDEX IF NOT EXISTS idx_receipts_user_id ON public.receipts(user_id);
 CREATE INDEX IF NOT EXISTS idx_receipts_store_id ON public.receipts(store_id);
--- a/sql/master_schema_rollup.sql
+++ b/sql/master_schema_rollup.sql
@@ -106,10 +106,10 @@ CREATE TABLE IF NOT EXISTS public.profiles (
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    CONSTRAINT profiles_full_name_check CHECK (full_name IS NULL OR TRIM(full_name) <> ''),
-    CONSTRAINT profiles_avatar_url_check CHECK (avatar_url IS NULL OR avatar_url ~* '^https?://.*'),
    created_by UUID REFERENCES public.users(user_id) ON DELETE SET NULL,    
    updated_by UUID REFERENCES public.users(user_id) ON DELETE SET NULL
 );
+    -- CONSTRAINT profiles_avatar_url_check CHECK (avatar_url IS NULL OR avatar_url ~* '^https?://.*'),
 COMMENT ON TABLE public.profiles IS 'Stores public-facing user data, linked to the public.users table.';
 COMMENT ON COLUMN public.profiles.address_id IS 'A foreign key to the user''s primary address in the `addresses` table.';
 -- This index is crucial for the gamification leaderboard feature.
@@ -124,9 +124,9 @@ CREATE TABLE IF NOT EXISTS public.stores (
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    CONSTRAINT stores_name_check CHECK (TRIM(name) <> ''),
-    CONSTRAINT stores_logo_url_check CHECK (logo_url IS NULL OR logo_url ~* '^https?://.*'),
    created_by UUID REFERENCES public.users(user_id) ON DELETE SET NULL    
 );
+    -- CONSTRAINT stores_logo_url_check CHECK (logo_url IS NULL OR logo_url ~* '^https?://.*'),
 COMMENT ON TABLE public.stores IS 'Stores metadata for grocery store chains (e.g., Safeway, Kroger).';

 -- 5. The 'categories' table for normalized category data.
@@ -157,10 +157,10 @@ CREATE TABLE IF NOT EXISTS public.flyers (
    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    CONSTRAINT flyers_valid_dates_check CHECK (valid_to >= valid_from),
    CONSTRAINT flyers_file_name_check CHECK (TRIM(file_name) <> ''),
-    CONSTRAINT flyers_image_url_check CHECK (image_url ~* '^https?://.*'),
-    CONSTRAINT flyers_icon_url_check CHECK (icon_url ~* '^https?://.*'),
    CONSTRAINT flyers_checksum_check CHECK (checksum IS NULL OR length(checksum) = 64)
 );
+    -- CONSTRAINT flyers_image_url_check CHECK (image_url ~* '^https?://.*'),
+    -- CONSTRAINT flyers_icon_url_check CHECK (icon_url ~* '^https?://.*'),
 COMMENT ON TABLE public.flyers IS 'Stores metadata for each processed flyer, linking it to a store and its validity period.';
 CREATE INDEX IF NOT EXISTS idx_flyers_store_id ON public.flyers(store_id);
 COMMENT ON COLUMN public.flyers.file_name IS 'The original name of the uploaded flyer file (e.g., "flyer_week_1.pdf").';
@@ -214,9 +214,9 @@ CREATE TABLE IF NOT EXISTS public.brands (
    store_id BIGINT REFERENCES public.stores(store_id) ON DELETE SET NULL,
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    CONSTRAINT brands_name_check CHECK (TRIM(name) <> ''),
-    CONSTRAINT brands_logo_url_check CHECK (logo_url IS NULL OR logo_url ~* '^https?://.*')
+    CONSTRAINT brands_name_check CHECK (TRIM(name) <> '')
 );
+    -- CONSTRAINT brands_logo_url_check CHECK (logo_url IS NULL OR logo_url ~* '^https?://.*')
 COMMENT ON TABLE public.brands IS 'Stores brand names like "Coca-Cola", "Maple Leaf", or "Kraft".';
 COMMENT ON COLUMN public.brands.store_id IS 'If this is a store-specific brand (e.g., President''s Choice), this links to the parent store.';

@@ -481,9 +481,9 @@ CREATE TABLE IF NOT EXISTS public.user_submitted_prices (
    upvotes INTEGER DEFAULT 0 NOT NULL CHECK (upvotes >= 0),
    downvotes INTEGER DEFAULT 0 NOT NULL CHECK (downvotes >= 0),
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    CONSTRAINT user_submitted_prices_photo_url_check CHECK (photo_url IS NULL OR photo_url ~* '^https?://.*')
+    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL
 );
+    -- CONSTRAINT user_submitted_prices_photo_url_check CHECK (photo_url IS NULL OR photo_url ~* '^https?://.*')
 COMMENT ON TABLE public.user_submitted_prices IS 'Stores item prices submitted by users directly from physical stores.';
 COMMENT ON COLUMN public.user_submitted_prices.photo_url IS 'URL to user-submitted photo evidence of the price.';
 COMMENT ON COLUMN public.user_submitted_prices.upvotes IS 'Community validation score indicating accuracy.';
@@ -538,9 +538,9 @@ CREATE TABLE IF NOT EXISTS public.recipes (
    fork_count INTEGER DEFAULT 0 NOT NULL CHECK (fork_count >= 0),
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-    CONSTRAINT recipes_name_check CHECK (TRIM(name) <> ''),
-    CONSTRAINT recipes_photo_url_check CHECK (photo_url IS NULL OR photo_url ~* '^https?://.*')
+    CONSTRAINT recipes_name_check CHECK (TRIM(name) <> '')
 );
+    -- CONSTRAINT recipes_photo_url_check CHECK (photo_url IS NULL OR photo_url ~* '^https?://.*')
 COMMENT ON TABLE public.recipes IS 'Stores recipes that can be used to generate shopping lists.';
 COMMENT ON COLUMN public.recipes.servings IS 'The number of servings this recipe yields.';
 COMMENT ON COLUMN public.recipes.original_recipe_id IS 'If this recipe is a variation of another, this points to the original.';
@@ -940,9 +940,9 @@ CREATE TABLE IF NOT EXISTS public.receipts (
    raw_text TEXT,
    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
    processed_at TIMESTAMPTZ,    
-    CONSTRAINT receipts_receipt_image_url_check CHECK (receipt_image_url ~* '^https?://.*'),
    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL
 );
+    -- CONSTRAINT receipts_receipt_image_url_check CHECK (receipt_image_url ~* '^https?://.*'),
 COMMENT ON TABLE public.receipts IS 'Stores uploaded user receipts for purchase tracking and analysis.';
 CREATE INDEX IF NOT EXISTS idx_receipts_user_id ON public.receipts(user_id);
 CREATE INDEX IF NOT EXISTS idx_receipts_store_id ON public.receipts(store_id);
--- a/src/App.test.tsx
+++ b/src/App.test.tsx
@@ -628,7 +628,7 @@ describe('App Component', () => {
          app: {
            version: '2.0.0',
            commitMessage: 'A new version!',
-            commitUrl: 'http://example.com/commit/2.0.0',
+            commitUrl: 'https://example.com/commit/2.0.0',
          },
        },
      }));
@@ -638,7 +638,7 @@ describe('App Component', () => {
      renderApp();
      const versionLink = screen.getByText(`Version: 2.0.0`);
      expect(versionLink).toBeInTheDocument();
-      expect(versionLink).toHaveAttribute('href', 'http://example.com/commit/2.0.0');
+      expect(versionLink).toHaveAttribute('href', 'https://example.com/commit/2.0.0');
    });

    it('should open the "What\'s New" modal when the question mark icon is clicked', async () => {
--- a/src/components/FlyerCorrectionTool.test.tsx
+++ b/src/components/FlyerCorrectionTool.test.tsx
@@ -19,7 +19,7 @@ const mockedNotifyError = notifyError as Mocked<typeof notifyError>;
 const defaultProps = {
  isOpen: true,
  onClose: vi.fn(),
-  imageUrl: 'http://example.com/flyer.jpg',
+  imageUrl: 'https://example.com/flyer.jpg',
  onDataExtracted: vi.fn(),
 };

--- a/src/components/Leaderboard.test.tsx
+++ b/src/components/Leaderboard.test.tsx
@@ -25,7 +25,7 @@ const mockLeaderboardData: LeaderboardUser[] = [
  createMockLeaderboardUser({
    user_id: 'user-2',
    full_name: 'Bob',
-    avatar_url: 'http://example.com/bob.jpg',
+    avatar_url: 'https://example.com/bob.jpg',
    points: 950,
    rank: '2',
  }),
@@ -95,7 +95,7 @@ describe('Leaderboard', () => {

      // Check for correct avatar URLs
      const bobAvatar = screen.getByAltText('Bob') as HTMLImageElement;
-      expect(bobAvatar.src).toBe('http://example.com/bob.jpg');
+      expect(bobAvatar.src).toBe('https://example.com/bob.jpg');

      const aliceAvatar = screen.getByAltText('Alice') as HTMLImageElement;
      expect(aliceAvatar.src).toContain('api.dicebear.com'); // Check for fallback avatar
--- a/src/config/rateLimiters.ts
+++ b/src/config/rateLimiters.ts
@@ -0,0 +1,147 @@
+// src/config/rateLimiters.ts
+import rateLimit from 'express-rate-limit';
+import { shouldSkipRateLimit } from '../utils/rateLimit';
+
+const standardConfig = {
+  standardHeaders: true,
+  legacyHeaders: false,
+  skip: shouldSkipRateLimit,
+};
+
+// --- AUTHENTICATION ---
+export const loginLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5,
+  message: 'Too many login attempts from this IP, please try again after 15 minutes.',
+});
+
+export const registerLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 5,
+  message: 'Too many accounts created from this IP, please try again after an hour.',
+});
+
+export const forgotPasswordLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5,
+  message: 'Too many password reset requests from this IP, please try again after 15 minutes.',
+});
+
+export const resetPasswordLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 10,
+  message: 'Too many password reset attempts from this IP, please try again after 15 minutes.',
+});
+
+export const refreshTokenLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 20,
+  message: 'Too many token refresh attempts from this IP, please try again after 15 minutes.',
+});
+
+export const logoutLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 10,
+  message: 'Too many logout attempts from this IP, please try again after 15 minutes.',
+});
+
+// --- GENERAL PUBLIC & USER ---
+export const publicReadLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100,
+  message: 'Too many requests from this IP, please try again later.',
+});
+
+export const userReadLimiter = publicReadLimiter; // Alias for consistency
+
+export const userUpdateLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100,
+  message: 'Too many update requests from this IP, please try again after 15 minutes.',
+});
+
+export const reactionToggleLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 150,
+  message: 'Too many reaction requests from this IP, please try again later.',
+});
+
+export const trackingLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 200,
+  message: 'Too many tracking requests from this IP, please try again later.',
+});
+
+// --- SENSITIVE / COSTLY ---
+export const userSensitiveUpdateLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 5,
+  message: 'Too many sensitive requests from this IP, please try again after an hour.',
+});
+
+export const adminTriggerLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 30,
+  message: 'Too many administrative triggers from this IP, please try again later.',
+});
+
+export const aiGenerationLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 20,
+  message: 'Too many AI generation requests from this IP, please try again after 15 minutes.',
+});
+
+export const suggestionLimiter = aiGenerationLimiter; // Alias
+
+export const geocodeLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 100,
+  message: 'Too many geocoding requests from this IP, please try again later.',
+});
+
+export const priceHistoryLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 50,
+  message: 'Too many price history requests from this IP, please try again later.',
+});
+
+// --- UPLOADS / BATCH ---
+export const adminUploadLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 20,
+  message: 'Too many file uploads from this IP, please try again after 15 minutes.',
+});
+
+export const userUploadLimiter = adminUploadLimiter; // Alias
+
+export const aiUploadLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 10,
+  message: 'Too many file uploads from this IP, please try again after 15 minutes.',
+});
+
+export const batchLimiter = rateLimit({
+  ...standardConfig,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 50,
+  message: 'Too many batch requests from this IP, please try again later.',
+});
+
+export const budgetUpdateLimiter = batchLimiter; // Alias
--- a/src/features/flyer/AnalysisPanel.test.tsx
+++ b/src/features/flyer/AnalysisPanel.test.tsx
@@ -160,9 +160,9 @@ describe('AnalysisPanel', () => {
      results: { WEB_SEARCH: 'Search results text.' },
      sources: {
        WEB_SEARCH: [
-          { title: 'Valid Source', uri: 'http://example.com/source1' },
+          { title: 'Valid Source', uri: 'https://example.com/source1' },
          { title: 'Source without URI', uri: null },
-          { title: 'Another Valid Source', uri: 'http://example.com/source2' },
+          { title: 'Another Valid Source', uri: 'https://example.com/source2' },
        ],
      },
      loadingAnalysis: null,
@@ -178,7 +178,7 @@ describe('AnalysisPanel', () => {
    expect(screen.getByText('Sources:')).toBeInTheDocument();
    const source1 = screen.getByText('Valid Source');
    expect(source1).toBeInTheDocument();
-    expect(source1.closest('a')).toHaveAttribute('href', 'http://example.com/source1');
+    expect(source1.closest('a')).toHaveAttribute('href', 'https://example.com/source1');
    expect(screen.queryByText('Source without URI')).not.toBeInTheDocument();
    expect(screen.getByText('Another Valid Source')).toBeInTheDocument();
  });
@@ -278,13 +278,13 @@ describe('AnalysisPanel', () => {
      loadingAnalysis: null,
      error: null,
      runAnalysis: mockRunAnalysis,
-      generatedImageUrl: 'http://example.com/meal.jpg',
+      generatedImageUrl: 'https://example.com/meal.jpg',
      generateImage: mockGenerateImage,
    });
    rerender(<AnalysisPanel selectedFlyer={mockFlyer} />);
    const image = screen.getByAltText('AI generated meal plan');
    expect(image).toBeInTheDocument();
-    expect(image).toHaveAttribute('src', 'http://example.com/meal.jpg');
+    expect(image).toHaveAttribute('src', 'https://example.com/meal.jpg');
  });

  it('should not show sources for non-search analysis types', () => {
--- a/src/features/flyer/FlyerDisplay.test.tsx
+++ b/src/features/flyer/FlyerDisplay.test.tsx
@@ -8,13 +8,13 @@ import { createMockStore } from '../../tests/utils/mockFactories';
 const mockStore = createMockStore({
  store_id: 1,
  name: 'SuperMart',
-  logo_url: 'http://example.com/logo.png',
+  logo_url: 'https://example.com/logo.png',
 });

 const mockOnOpenCorrectionTool = vi.fn();

 const defaultProps = {
-  imageUrl: 'http://example.com/flyer.jpg',
+  imageUrl: 'https://example.com/flyer.jpg',
  store: mockStore,
  validFrom: '2023-10-26',
  validTo: '2023-11-01',
--- a/src/features/flyer/FlyerList.test.tsx
+++ b/src/features/flyer/FlyerList.test.tsx
@@ -19,7 +19,7 @@ const mockFlyers: Flyer[] = [
    flyer_id: 1,
    file_name: 'metro_flyer_oct_1.pdf',
    item_count: 50,
-    image_url: 'http://example.com/flyer1.jpg',
+    image_url: 'https://example.com/flyer1.jpg',
    store: { store_id: 101, name: 'Metro' },
    valid_from: '2023-10-05',
    valid_to: '2023-10-11',
@@ -29,7 +29,7 @@ const mockFlyers: Flyer[] = [
    flyer_id: 2,
    file_name: 'walmart_flyer.pdf',
    item_count: 75,
-    image_url: 'http://example.com/flyer2.jpg',
+    image_url: 'https://example.com/flyer2.jpg',
    store: { store_id: 102, name: 'Walmart' },
    valid_from: '2023-10-06',
    valid_to: '2023-10-06', // Same day
@@ -40,8 +40,8 @@ const mockFlyers: Flyer[] = [
      flyer_id: 3,
      file_name: 'no-store-flyer.pdf',
      item_count: 10,
-      image_url: 'http://example.com/flyer3.jpg',
-      icon_url: 'http://example.com/icon3.png',
+      image_url: 'https://example.com/flyer3.jpg',
+      icon_url: 'https://example.com/icon3.png',
      valid_from: '2023-10-07',
      valid_to: '2023-10-08',
      store_address: '456 Side St, Ottawa',
@@ -53,7 +53,7 @@ const mockFlyers: Flyer[] = [
    flyer_id: 4,
    file_name: 'bad-date-flyer.pdf',
    item_count: 5,
-    image_url: 'http://example.com/flyer4.jpg',
+    image_url: 'https://example.com/flyer4.jpg',
    store: { store_id: 103, name: 'Date Store' },
    created_at: 'invalid-date',
    valid_from: 'invalid-from',
@@ -163,7 +163,7 @@ describe('FlyerList', () => {
      const flyerWithIcon = screen.getByText('Unknown Store').closest('li'); // Flyer ID 3
      const iconImage = flyerWithIcon?.querySelector('img');
      expect(iconImage).toBeInTheDocument();
-      expect(iconImage).toHaveAttribute('src', 'http://example.com/icon3.png');
+      expect(iconImage).toHaveAttribute('src', 'https://example.com/icon3.png');
    });

    it('should render a document icon when icon_url is not present', () => {
--- a/src/hooks/useFlyerItems.test.ts
+++ b/src/hooks/useFlyerItems.test.ts
@@ -15,8 +15,8 @@ describe('useFlyerItems Hook', () => {
  const mockFlyer = createMockFlyer({
    flyer_id: 123,
    file_name: 'test-flyer.jpg',
-    image_url: 'http://example.com/test.jpg',
-    icon_url: 'http://example.com/icon.jpg',
+    image_url: 'https://example.com/test.jpg',
+    icon_url: 'https://example.com/icon.jpg',
    checksum: 'abc',
    valid_from: '2024-01-01',
    valid_to: '2024-01-07',
--- a/src/hooks/useFlyers.test.tsx
+++ b/src/hooks/useFlyers.test.tsx
@@ -72,7 +72,7 @@ describe('useFlyers Hook and FlyersProvider', () => {
      createMockFlyer({
        flyer_id: 1,
        file_name: 'flyer1.jpg',
-        image_url: 'http://example.com/flyer1.jpg',
+        image_url: 'https://example.com/flyer1.jpg',
        item_count: 5,
        created_at: '2024-01-01',
      }),
--- a/src/pages/HomePage.test.tsx
+++ b/src/pages/HomePage.test.tsx
@@ -79,7 +79,7 @@ describe('HomePage Component', () => {
  describe('when a flyer is selected', () => {
    const mockFlyer: Flyer = createMockFlyer({
      flyer_id: 1,
-      image_url: 'http://example.com/flyer.jpg',
+      image_url: 'https://example.com/flyer.jpg',
    });

    it('should render FlyerDisplay but not data tables if there are no flyer items', () => {
--- a/src/pages/UserProfilePage.test.tsx
+++ b/src/pages/UserProfilePage.test.tsx
@@ -26,7 +26,7 @@ const mockedApiClient = vi.mocked(apiClient);
 const mockProfile: UserProfile = createMockUserProfile({
  user: createMockUser({ user_id: 'user-123', email: 'test@example.com' }),
  full_name: 'Test User',
-  avatar_url: 'http://example.com/avatar.jpg',
+  avatar_url: 'https://example.com/avatar.jpg',
  points: 150,
  role: 'user',
 });
@@ -359,7 +359,7 @@ describe('UserProfilePage', () => {
    });

    it('should upload a new avatar and update the image source', async () => {
-      const updatedProfile = { ...mockProfile, avatar_url: 'http://example.com/new-avatar.png' };
+      const updatedProfile = { ...mockProfile, avatar_url: 'https://example.com/new-avatar.png' };

      // Log when the mock is called
      mockedApiClient.uploadAvatar.mockImplementation((file) => {
--- a/src/pages/admin/ActivityLog.test.tsx
+++ b/src/pages/admin/ActivityLog.test.tsx
@@ -30,7 +30,7 @@ const mockLogs: ActivityLogItem[] = [
    user_id: 'user-123',
    action: 'flyer_processed',
    display_text: 'Processed a new flyer for Walmart.',
-    user_avatar_url: 'http://example.com/avatar.png',
+    user_avatar_url: 'https://example.com/avatar.png',
    user_full_name: 'Test User',
    details: { flyer_id: 1, store_name: 'Walmart' },
  }),
@@ -63,7 +63,7 @@ const mockLogs: ActivityLogItem[] = [
    action: 'recipe_favorited',
    display_text: 'User favorited a recipe',
    user_full_name: 'Pizza Lover',
-    user_avatar_url: 'http://example.com/pizza.png',
+    user_avatar_url: 'https://example.com/pizza.png',
    details: { recipe_name: 'Best Pizza' },
  }),
  createMockActivityLogItem({
@@ -136,7 +136,7 @@ describe('ActivityLog', () => {
      // Check for avatar
      const avatar = screen.getByAltText('Test User');
      expect(avatar).toBeInTheDocument();
-      expect(avatar).toHaveAttribute('src', 'http://example.com/avatar.png');
+      expect(avatar).toHaveAttribute('src', 'https://example.com/avatar.png');

      // Check for fallback avatar (Newbie User has no avatar)
      // The fallback is an SVG inside a span. We can check for the span's class or the SVG.
--- a/src/pages/admin/FlyerReviewPage.test.tsx
+++ b/src/pages/admin/FlyerReviewPage.test.tsx
@@ -59,14 +59,14 @@ describe('FlyerReviewPage', () => {
        file_name: 'flyer1.jpg',
        created_at: '2023-01-01T00:00:00Z',
        store: { name: 'Store A' },
-        icon_url: 'http://example.com/icon1.jpg',
+        icon_url: 'https://example.com/icon1.jpg',
      },
      {
        flyer_id: 2,
        file_name: 'flyer2.jpg',
        created_at: '2023-01-02T00:00:00Z',
        store: { name: 'Store B' },
-        icon_url: 'http://example.com/icon2.jpg',
+        icon_url: 'https://example.com/icon2.jpg',
      },
      {
        flyer_id: 3,
--- a/src/pages/admin/components/AdminBrandManager.test.tsx
+++ b/src/pages/admin/components/AdminBrandManager.test.tsx
@@ -19,7 +19,7 @@ const mockBrands = [
    brand_id: 2,
    name: 'Compliments',
    store_name: 'Sobeys',
-    logo_url: 'http://example.com/compliments.png',
+    logo_url: 'https://example.com/compliments.png',
  }),
 ];

@@ -92,7 +92,7 @@ describe('AdminBrandManager', () => {
    );
    mockedApiClient.uploadBrandLogo.mockImplementation(
      async () =>
-        new Response(JSON.stringify({ logoUrl: 'http://example.com/new-logo.png' }), {
+        new Response(JSON.stringify({ logoUrl: 'https://example.com/new-logo.png' }), {
          status: 200,
        }),
    );
@@ -120,7 +120,7 @@ describe('AdminBrandManager', () => {
      // Check if the UI updates with the new logo
      expect(screen.getByAltText('No Frills logo')).toHaveAttribute(
        'src',
-        'http://example.com/new-logo.png',
+        'https://example.com/new-logo.png',
      );
      console.log('TEST SUCCESS: All assertions for successful upload passed.');
    });
@@ -350,7 +350,7 @@ describe('AdminBrandManager', () => {
      // Brand 2 should still have original logo
      expect(screen.getByAltText('Compliments logo')).toHaveAttribute(
        'src',
-        'http://example.com/compliments.png',
+        'https://example.com/compliments.png',
      );
    });
  });
--- a/src/pages/admin/components/ProfileManager.test.tsx
+++ b/src/pages/admin/components/ProfileManager.test.tsx
@@ -35,7 +35,7 @@ const authenticatedUser = createMockUser({ user_id: 'auth-user-123', email: 'tes
 const mockAddressId = 123;
 const authenticatedProfile = createMockUserProfile({
  full_name: 'Test User',
-  avatar_url: 'http://example.com/avatar.png',
+  avatar_url: 'https://example.com/avatar.png',
  role: 'user',
  points: 100,
  preferences: {
--- a/src/routes/admin.routes.test.ts
+++ b/src/routes/admin.routes.test.ts
@@ -0,0 +1,113 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import supertest from 'supertest';
+import { createTestApp } from '../tests/utils/createTestApp';
+import { createMockUserProfile } from '../tests/utils/mockFactories';
+
+// Mock dependencies required by admin.routes.ts
+vi.mock('../services/db/index.db', () => ({
+  adminRepo: {},
+  flyerRepo: {},
+  recipeRepo: {},
+  userRepo: {},
+  personalizationRepo: {},
+  notificationRepo: {},
+}));
+
+vi.mock('../services/backgroundJobService', () => ({
+  backgroundJobService: {
+    runDailyDealCheck: vi.fn(),
+    triggerAnalyticsReport: vi.fn(),
+    triggerWeeklyAnalyticsReport: vi.fn(),
+  },
+}));
+
+vi.mock('../services/queueService.server', () => ({
+  flyerQueue: { add: vi.fn(), getJob: vi.fn() },
+  emailQueue: { add: vi.fn(), getJob: vi.fn() },
+  analyticsQueue: { add: vi.fn(), getJob: vi.fn() },
+  cleanupQueue: { add: vi.fn(), getJob: vi.fn() },
+  weeklyAnalyticsQueue: { add: vi.fn(), getJob: vi.fn() },
+}));
+
+vi.mock('../services/geocodingService.server', () => ({
+  geocodingService: { clearGeocodeCache: vi.fn() },
+}));
+
+vi.mock('../services/logger.server', async () => ({
+  logger: (await import('../tests/utils/mockLogger')).mockLogger,
+}));
+
+vi.mock('@bull-board/api');
+vi.mock('@bull-board/api/bullMQAdapter');
+vi.mock('@bull-board/express', () => ({
+  ExpressAdapter: class {
+    setBasePath() {}
+    getRouter() { return (req: any, res: any, next: any) => next(); }
+  },
+}));
+
+vi.mock('node:fs/promises');
+
+// Mock Passport to allow admin access
+vi.mock('./passport.routes', () => ({
+  default: {
+    authenticate: vi.fn(() => (req: any, res: any, next: any) => {
+      req.user = createMockUserProfile({ role: 'admin' });
+      next();
+    }),
+  },
+  isAdmin: (req: any, res: any, next: any) => next(),
+}));
+
+import adminRouter from './admin.routes';
+
+describe('Admin Routes Rate Limiting', () => {
+  const app = createTestApp({ router: adminRouter, basePath: '/api/admin' });
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('Trigger Rate Limiting', () => {
+    it('should block requests to /trigger/daily-deal-check after exceeding limit', async () => {
+      const limit = 30; // Matches adminTriggerLimiter config
+      
+      // Make requests up to the limit
+      for (let i = 0; i < limit; i++) {
+        await supertest(app)
+          .post('/api/admin/trigger/daily-deal-check')
+          .set('X-Test-Rate-Limit-Enable', 'true');
+      }
+
+      // The next request should be blocked
+      const response = await supertest(app)
+        .post('/api/admin/trigger/daily-deal-check')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+      
+      expect(response.status).toBe(429);
+      expect(response.text).toContain('Too many administrative triggers');
+    });
+  });
+
+  describe('Upload Rate Limiting', () => {
+    it('should block requests to /brands/:id/logo after exceeding limit', async () => {
+      const limit = 20; // Matches adminUploadLimiter config
+      const brandId = 1;
+
+      // Make requests up to the limit
+      // Note: We don't need to attach a file to test the rate limiter, as it runs before multer
+      for (let i = 0; i < limit; i++) {
+        await supertest(app)
+          .post(`/api/admin/brands/${brandId}/logo`)
+          .set('X-Test-Rate-Limit-Enable', 'true');
+      }
+
+      const response = await supertest(app)
+        .post(`/api/admin/brands/${brandId}/logo`)
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      expect(response.status).toBe(429);
+      expect(response.text).toContain('Too many file uploads');
+    });
+  });
+});
--- a/src/routes/admin.routes.ts
+++ b/src/routes/admin.routes.ts
@@ -35,6 +35,7 @@ import { monitoringService } from '../services/monitoringService.server';
 import { userService } from '../services/userService';
 import { cleanupUploadedFile } from '../utils/fileUtils';
 import { brandService } from '../services/brandService';
+import { adminTriggerLimiter, adminUploadLimiter } from '../config/rateLimiters';

 const updateCorrectionSchema = numericIdParam('id').extend({
  body: z.object({
@@ -242,6 +243,7 @@ router.put(

 router.post(
  '/brands/:id/logo',
+  adminUploadLimiter,
  validateRequest(numericIdParam('id')),
  brandLogoUpload.single('logoImage'),
  requireFileUpload('logoImage'),
@@ -421,6 +423,7 @@ router.delete(
 */
 router.post(
  '/trigger/daily-deal-check',
+  adminTriggerLimiter,
  validateRequest(emptySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    const userProfile = req.user as UserProfile;
@@ -449,6 +452,7 @@ router.post(
 */
 router.post(
  '/trigger/analytics-report',
+  adminTriggerLimiter,
  validateRequest(emptySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    const userProfile = req.user as UserProfile;
@@ -474,6 +478,7 @@ router.post(
 */
 router.post(
  '/flyers/:flyerId/cleanup',
+  adminTriggerLimiter,
  validateRequest(numericIdParam('flyerId')),
  async (req: Request, res: Response, next: NextFunction) => {
    const userProfile = req.user as UserProfile;
@@ -502,6 +507,7 @@ router.post(
 */
 router.post(
  '/trigger/failing-job',
+  adminTriggerLimiter,
  validateRequest(emptySchema),
  async (req: Request, res: Response, next: NextFunction) => {
  const userProfile = req.user as UserProfile;
@@ -528,6 +534,7 @@ router.post(
 */
 router.post(
  '/system/clear-geocode-cache',
+  adminTriggerLimiter,
  validateRequest(emptySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    const userProfile = req.user as UserProfile;
@@ -580,6 +587,7 @@ router.get('/queues/status', validateRequest(emptySchema), async (req: Request,
 */
 router.post(
  '/jobs/:queueName/:jobId/retry',
+  adminTriggerLimiter,
  validateRequest(jobRetrySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    const userProfile = req.user as UserProfile;
@@ -606,6 +614,7 @@ router.post(
 */
 router.post(
  '/trigger/weekly-analytics',
+  adminTriggerLimiter,
  validateRequest(emptySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    const userProfile = req.user as UserProfile; // This was a duplicate, fixed.
--- a/src/routes/ai.routes.ts
+++ b/src/routes/ai.routes.ts
@@ -14,6 +14,7 @@ import { validateRequest } from '../middleware/validation.middleware';
 import { requiredString } from '../utils/zodUtils';
 import { cleanupUploadedFile, cleanupUploadedFiles } from '../utils/fileUtils';
 import { monitoringService } from '../services/monitoringService.server';
+import { aiUploadLimiter, aiGenerationLimiter } from '../config/rateLimiters';

 const router = Router();

@@ -27,6 +28,7 @@ const uploadAndProcessSchema = z.object({
        .length(64, 'Checksum must be 64 characters long.')
        .regex(/^[a-f0-9]+$/, 'Checksum must be a valid hexadecimal string.'),
    ),
+    baseUrl: z.string().url().optional(),
  }),
 });

@@ -165,6 +167,7 @@ router.use((req: Request, res: Response, next: NextFunction) => {
 */
 router.post(
  '/upload-and-process',
+  aiUploadLimiter,
  optionalAuth,
  uploadToDisk.single('flyerFile'),
  // Validation is now handled inside the route to ensure file cleanup on failure.
@@ -196,6 +199,7 @@ router.post(
        userProfile,
        req.ip ?? 'unknown',
        req.log,
+        body.baseUrl,
      );

      // Respond immediately to the client with 202 Accepted
@@ -221,6 +225,7 @@ router.post(
 */
 router.post(
  '/upload-legacy',
+  aiUploadLimiter,
  passport.authenticate('jwt', { session: false }),
  uploadToDisk.single('flyerFile'),
  async (req: Request, res: Response, next: NextFunction) => {
@@ -271,6 +276,7 @@ router.get(
 */
 router.post(
  '/flyers/process',
+  aiUploadLimiter,
  optionalAuth,
  uploadToDisk.single('flyerImage'),
  async (req, res, next: NextFunction) => {
@@ -306,6 +312,7 @@ router.post(
 */
 router.post(
  '/check-flyer',
+  aiUploadLimiter,
  optionalAuth,
  uploadToDisk.single('image'),
  async (req, res, next: NextFunction) => {
@@ -325,6 +332,7 @@ router.post(

 router.post(
  '/extract-address',
+  aiUploadLimiter,
  optionalAuth,
  uploadToDisk.single('image'),
  async (req, res, next: NextFunction) => {
@@ -344,6 +352,7 @@ router.post(

 router.post(
  '/extract-logo',
+  aiUploadLimiter,
  optionalAuth,
  uploadToDisk.array('images'),
  async (req, res, next: NextFunction) => {
@@ -363,6 +372,7 @@ router.post(

 router.post(
  '/quick-insights',
+  aiGenerationLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(insightsSchema),
  async (req, res, next: NextFunction) => {
@@ -379,6 +389,7 @@ router.post(

 router.post(
  '/deep-dive',
+  aiGenerationLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(insightsSchema),
  async (req, res, next: NextFunction) => {
@@ -395,6 +406,7 @@ router.post(

 router.post(
  '/search-web',
+  aiGenerationLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(searchWebSchema),
  async (req, res, next: NextFunction) => {
@@ -409,6 +421,7 @@ router.post(

 router.post(
  '/compare-prices',
+  aiGenerationLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(comparePricesSchema),
  async (req, res, next: NextFunction) => {
@@ -427,6 +440,7 @@ router.post(

 router.post(
  '/plan-trip',
+  aiGenerationLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(planTripSchema),
  async (req, res, next: NextFunction) => {
@@ -446,6 +460,7 @@ router.post(

 router.post(
  '/generate-image',
+  aiGenerationLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(generateImageSchema),
  (req: Request, res: Response) => {
@@ -458,6 +473,7 @@ router.post(

 router.post(
  '/generate-speech',
+  aiGenerationLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(generateSpeechSchema),
  (req: Request, res: Response) => {
@@ -474,6 +490,7 @@ router.post(
 */
 router.post(
  '/rescan-area',
+  aiUploadLimiter,
  passport.authenticate('jwt', { session: false }),
  uploadToDisk.single('image'),
  validateRequest(rescanAreaSchema),
--- a/src/routes/auth.routes.test.ts
+++ b/src/routes/auth.routes.test.ts
@@ -708,5 +708,203 @@ describe('Rate Limiting on /forgot-password', () => {
      expect(blockedResponse.status).toBe(429);
      expect(blockedResponse.text).toContain('Too many password reset attempts');
    });
+
+    it('should NOT block requests when the opt-in header is not sent (default test behavior)', async () => {
+      // Arrange
+      const maxRequests = 12; // Limit is 10
+      const newPassword = 'a-Very-Strong-Password-123!';
+      const token = 'some-token-for-skip-limit-test';
+
+      mockedAuthService.updatePassword.mockResolvedValue(null);
+
+      // Act: Make more calls than the limit.
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app)
+          .post('/api/auth/reset-password')
+          .send({ token, newPassword });
+        expect(response.status).toBe(400);
+      }
+    });
+  });
+
+  describe('Rate Limiting on /register', () => {
+    it('should block requests after exceeding the limit when the opt-in header is sent', async () => {
+      // Arrange
+      const maxRequests = 5; // Limit is 5 per hour
+      const newUser = {
+        email: 'rate-limit-reg@test.com',
+        password: 'StrongPassword123!',
+        full_name: 'Rate Limit User',
+      };
+
+      // Mock success to ensure we are hitting the limiter and not failing early
+      mockedAuthService.registerAndLoginUser.mockResolvedValue({
+        newUserProfile: createMockUserProfile({ user: { email: newUser.email } }),
+        accessToken: 'token',
+        refreshToken: 'refresh',
+      });
+
+      // Act: Make maxRequests calls
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app)
+          .post('/api/auth/register')
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .send(newUser);
+        expect(response.status).not.toBe(429);
+      }
+
+      // Act: Make one more call
+      const blockedResponse = await supertest(app)
+        .post('/api/auth/register')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send(newUser);
+
+      // Assert
+      expect(blockedResponse.status).toBe(429);
+      expect(blockedResponse.text).toContain('Too many accounts created');
+    });
+
+    it('should NOT block requests when the opt-in header is not sent', async () => {
+      const maxRequests = 7;
+      const newUser = {
+        email: 'no-limit-reg@test.com',
+        password: 'StrongPassword123!',
+        full_name: 'No Limit User',
+      };
+
+      mockedAuthService.registerAndLoginUser.mockResolvedValue({
+        newUserProfile: createMockUserProfile({ user: { email: newUser.email } }),
+        accessToken: 'token',
+        refreshToken: 'refresh',
+      });
+
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app).post('/api/auth/register').send(newUser);
+        expect(response.status).not.toBe(429);
+      }
+    });
+  });
+
+  describe('Rate Limiting on /login', () => {
+    it('should block requests after exceeding the limit when the opt-in header is sent', async () => {
+      // Arrange
+      const maxRequests = 5; // Limit is 5 per 15 mins
+      const credentials = { email: 'rate-limit-login@test.com', password: 'password123' };
+
+      mockedAuthService.handleSuccessfulLogin.mockResolvedValue({
+        accessToken: 'token',
+        refreshToken: 'refresh',
+      });
+
+      // Act
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app)
+          .post('/api/auth/login')
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .send(credentials);
+        expect(response.status).not.toBe(429);
+      }
+
+      const blockedResponse = await supertest(app)
+        .post('/api/auth/login')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send(credentials);
+
+      // Assert
+      expect(blockedResponse.status).toBe(429);
+      expect(blockedResponse.text).toContain('Too many login attempts');
+    });
+
+    it('should NOT block requests when the opt-in header is not sent', async () => {
+      const maxRequests = 7;
+      const credentials = { email: 'no-limit-login@test.com', password: 'password123' };
+
+      mockedAuthService.handleSuccessfulLogin.mockResolvedValue({
+        accessToken: 'token',
+        refreshToken: 'refresh',
+      });
+
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app).post('/api/auth/login').send(credentials);
+        expect(response.status).not.toBe(429);
+      }
+    });
+  });
+
+  describe('Rate Limiting on /refresh-token', () => {
+    it('should block requests after exceeding the limit when the opt-in header is sent', async () => {
+      // Arrange
+      const maxRequests = 20; // Limit is 20 per 15 mins
+      mockedAuthService.refreshAccessToken.mockResolvedValue({ accessToken: 'new-token' });
+
+      // Act: Make maxRequests calls
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app)
+          .post('/api/auth/refresh-token')
+          .set('Cookie', 'refreshToken=valid-token')
+          .set('X-Test-Rate-Limit-Enable', 'true');
+        expect(response.status).not.toBe(429);
+      }
+
+      // Act: Make one more call
+      const blockedResponse = await supertest(app)
+        .post('/api/auth/refresh-token')
+        .set('Cookie', 'refreshToken=valid-token')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      // Assert
+      expect(blockedResponse.status).toBe(429);
+      expect(blockedResponse.text).toContain('Too many token refresh attempts');
+    });
+
+    it('should NOT block requests when the opt-in header is not sent', async () => {
+      const maxRequests = 22;
+      mockedAuthService.refreshAccessToken.mockResolvedValue({ accessToken: 'new-token' });
+
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app)
+          .post('/api/auth/refresh-token')
+          .set('Cookie', 'refreshToken=valid-token');
+        expect(response.status).not.toBe(429);
+      }
+    });
+  });
+
+  describe('Rate Limiting on /logout', () => {
+    it('should block requests after exceeding the limit when the opt-in header is sent', async () => {
+      // Arrange
+      const maxRequests = 10; // Limit is 10 per 15 mins
+      mockedAuthService.logout.mockResolvedValue(undefined);
+
+      // Act
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app)
+          .post('/api/auth/logout')
+          .set('Cookie', 'refreshToken=valid-token')
+          .set('X-Test-Rate-Limit-Enable', 'true');
+        expect(response.status).not.toBe(429);
+      }
+
+      const blockedResponse = await supertest(app)
+        .post('/api/auth/logout')
+        .set('Cookie', 'refreshToken=valid-token')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      // Assert
+      expect(blockedResponse.status).toBe(429);
+      expect(blockedResponse.text).toContain('Too many logout attempts');
+    });
+
+    it('should NOT block requests when the opt-in header is not sent', async () => {
+      const maxRequests = 12;
+      mockedAuthService.logout.mockResolvedValue(undefined);
+
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(app)
+          .post('/api/auth/logout')
+          .set('Cookie', 'refreshToken=valid-token');
+        expect(response.status).not.toBe(429);
+      }
+    });
  });
 });
--- a/src/routes/auth.routes.ts
+++ b/src/routes/auth.routes.ts
@@ -1,7 +1,6 @@
 // src/routes/auth.routes.ts
 import { Router, Request, Response, NextFunction } from 'express';
 import { z } from 'zod';
-import rateLimit from 'express-rate-limit';
 import passport from './passport.routes';
 import { UniqueConstraintError } from '../services/db/errors.db'; // Import actual class for instanceof checks
 import { logger } from '../services/logger.server';
@@ -9,39 +8,18 @@ import { validateRequest } from '../middleware/validation.middleware';
 import type { UserProfile } from '../types';
 import { validatePasswordStrength } from '../utils/authUtils';
 import { requiredString } from '../utils/zodUtils';
+import {
+  loginLimiter,
+  registerLimiter,
+  forgotPasswordLimiter,
+  resetPasswordLimiter,
+  refreshTokenLimiter,
+  logoutLimiter,
+} from '../config/rateLimiters';

 import { authService } from '../services/authService';
 const router = Router();

-// Conditionally disable rate limiting for the test environment
-const isTestEnv = process.env.NODE_ENV === 'test';
-
-// --- Rate Limiting Configuration ---
-const forgotPasswordLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 5,
-  message: 'Too many password reset requests from this IP, please try again after 15 minutes.',
-  standardHeaders: true,
-  legacyHeaders: false,
-  // Skip in test env unless a specific header is present.
-  // This allows E2E tests to run unblocked, while specific integration
-  // tests for the limiter can opt-in by sending the header.
-  skip: (req) => {
-    if (!isTestEnv) return false; // Never skip in non-test environments.
-    // In test env, skip UNLESS the opt-in header is present.
-    return req.headers['x-test-rate-limit-enable'] !== 'true';
-  },
-});
-
-const resetPasswordLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 10,
-  message: 'Too many password reset attempts from this IP, please try again after 15 minutes.',
-  standardHeaders: true,
-  legacyHeaders: false,
-  skip: () => isTestEnv, // Skip this middleware if in test environment
-});
-
 // --- Reusable Schemas ---

 const passwordSchema = z
@@ -95,6 +73,7 @@ const resetPasswordSchema = z.object({
 // Registration Route
 router.post(
  '/register',
+  registerLimiter,
  validateRequest(registerSchema),
  async (req: Request, res: Response, next: NextFunction) => {
    type RegisterRequest = z.infer<typeof registerSchema>;
@@ -134,6 +113,7 @@ router.post(
 // Login Route
 router.post(
  '/login',
+  loginLimiter,
  validateRequest(loginSchema),
  (req: Request, res: Response, next: NextFunction) => {
    passport.authenticate(
@@ -238,7 +218,7 @@ router.post(
 );

 // New Route to refresh the access token
-router.post('/refresh-token', async (req: Request, res: Response, next: NextFunction) => {
+router.post('/refresh-token', refreshTokenLimiter, async (req: Request, res: Response, next: NextFunction) => {
  const { refreshToken } = req.cookies;
  if (!refreshToken) {
    return res.status(401).json({ message: 'Refresh token not found.' });
@@ -261,7 +241,7 @@ router.post('/refresh-token', async (req: Request, res: Response, next: NextFunc
 * It clears the refresh token from the database and instructs the client to
 * expire the `refreshToken` cookie.
 */
-router.post('/logout', async (req: Request, res: Response) => {
+router.post('/logout', logoutLimiter, async (req: Request, res: Response) => {
  const { refreshToken } = req.cookies;
  if (refreshToken) {
    // Invalidate the token in the database so it cannot be used again.
--- a/src/routes/budget.routes.ts
+++ b/src/routes/budget.routes.ts
@@ -6,6 +6,7 @@ import { budgetRepo } from '../services/db/index.db';
 import type { UserProfile } from '../types';
 import { validateRequest } from '../middleware/validation.middleware';
 import { requiredString, numericIdParam } from '../utils/zodUtils';
+import { budgetUpdateLimiter } from '../config/rateLimiters';

 const router = express.Router();

@@ -37,6 +38,9 @@ const spendingAnalysisSchema = z.object({
 // Middleware to ensure user is authenticated for all budget routes
 router.use(passport.authenticate('jwt', { session: false }));

+// Apply rate limiting to all subsequent budget routes
+router.use(budgetUpdateLimiter);
+
 /**
 * GET /api/budgets - Get all budgets for the authenticated user.
 */
--- a/src/routes/deals.routes.test.ts
+++ b/src/routes/deals.routes.test.ts
@@ -103,4 +103,18 @@ describe('Deals Routes (/api/users/deals)', () => {
      );
    });
  });
+
+  describe('Rate Limiting', () => {
+    it('should apply userReadLimiter to GET /best-watched-prices', async () => {
+      vi.mocked(dealsRepo.findBestPricesForWatchedItems).mockResolvedValue([]);
+
+      const response = await supertest(authenticatedApp)
+        .get('/api/users/deals/best-watched-prices')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(100);
+    });
+  });
 });
--- a/src/routes/deals.routes.ts
+++ b/src/routes/deals.routes.ts
@@ -5,6 +5,7 @@ import passport from './passport.routes';
 import { dealsRepo } from '../services/db/deals.db';
 import type { UserProfile } from '../types';
 import { validateRequest } from '../middleware/validation.middleware';
+import { userReadLimiter } from '../config/rateLimiters';

 const router = express.Router();

@@ -27,6 +28,7 @@ router.use(passport.authenticate('jwt', { session: false }));
 */
 router.get(
  '/best-watched-prices',
+  userReadLimiter,
  validateRequest(bestWatchedPricesSchema),
  async (req: Request, res: Response, next: NextFunction) => {
    const userProfile = req.user as UserProfile;
--- a/src/routes/flyer.routes.test.ts
+++ b/src/routes/flyer.routes.test.ts
@@ -310,4 +310,55 @@ describe('Flyer Routes (/api/flyers)', () => {
      );
    });
  });
+
+  describe('Rate Limiting', () => {
+    it('should apply publicReadLimiter to GET /', async () => {
+      vi.mocked(db.flyerRepo.getFlyers).mockResolvedValue([]);
+      const response = await supertest(app)
+        .get('/api/flyers')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+      
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(100);
+    });
+
+    it('should apply batchLimiter to POST /items/batch-fetch', async () => {
+      vi.mocked(db.flyerRepo.getFlyerItemsForFlyers).mockResolvedValue([]);
+      const response = await supertest(app)
+        .post('/api/flyers/items/batch-fetch')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ flyerIds: [1] });
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(50);
+    });
+
+    it('should apply batchLimiter to POST /items/batch-count', async () => {
+      vi.mocked(db.flyerRepo.countFlyerItemsForFlyers).mockResolvedValue(0);
+      const response = await supertest(app)
+        .post('/api/flyers/items/batch-count')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ flyerIds: [1] });
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(50);
+    });
+
+    it('should apply trackingLimiter to POST /items/:itemId/track', async () => {
+      // Mock fire-and-forget promise
+      vi.mocked(db.flyerRepo.trackFlyerItemInteraction).mockResolvedValue(undefined);
+      
+      const response = await supertest(app)
+        .post('/api/flyers/items/1/track')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ type: 'view' });
+
+      expect(response.status).toBe(202);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(200);
+    });
+  });
 });
--- a/src/routes/flyer.routes.ts
+++ b/src/routes/flyer.routes.ts
@@ -4,6 +4,11 @@ import * as db from '../services/db/index.db';
 import { z } from 'zod';
 import { validateRequest } from '../middleware/validation.middleware';
 import { optionalNumeric } from '../utils/zodUtils';
+import {
+  publicReadLimiter,
+  batchLimiter,
+  trackingLimiter,
+} from '../config/rateLimiters';

 const router = Router();

@@ -48,7 +53,7 @@ const trackItemSchema = z.object({
 /**
 * GET /api/flyers - Get a paginated list of all flyers.
 */
-router.get('/', validateRequest(getFlyersSchema), async (req, res, next): Promise<void> => {
+router.get('/', publicReadLimiter, validateRequest(getFlyersSchema), async (req, res, next): Promise<void> => {
  try {
    // The `validateRequest` middleware ensures `req.query` is valid.
    // We parse it here to apply Zod's coercions (string to number) and defaults.
@@ -65,7 +70,7 @@ router.get('/', validateRequest(getFlyersSchema), async (req, res, next): Promis
 /**
 * GET /api/flyers/:id - Get a single flyer by its ID.
 */
-router.get('/:id', validateRequest(flyerIdParamSchema), async (req, res, next): Promise<void> => {
+router.get('/:id', publicReadLimiter, validateRequest(flyerIdParamSchema), async (req, res, next): Promise<void> => {
  try {
    // Explicitly parse to get the coerced number type for `id`.
    const { id } = flyerIdParamSchema.shape.params.parse(req.params);
@@ -82,6 +87,7 @@ router.get('/:id', validateRequest(flyerIdParamSchema), async (req, res, next):
 */
 router.get(
  '/:id/items',
+  publicReadLimiter,
  validateRequest(flyerIdParamSchema),
  async (req, res, next): Promise<void> => {
    type GetFlyerByIdRequest = z.infer<typeof flyerIdParamSchema>;
@@ -103,6 +109,7 @@ router.get(
 type BatchFetchRequest = z.infer<typeof batchFetchSchema>;
 router.post(
  '/items/batch-fetch',
+  batchLimiter,
  validateRequest(batchFetchSchema),
  async (req, res, next): Promise<void> => {
    const { body } = req as unknown as BatchFetchRequest;
@@ -124,6 +131,7 @@ router.post(
 type BatchCountRequest = z.infer<typeof batchCountSchema>;
 router.post(
  '/items/batch-count',
+  batchLimiter,
  validateRequest(batchCountSchema),
  async (req, res, next): Promise<void> => {
    const { body } = req as unknown as BatchCountRequest;
@@ -142,7 +150,7 @@ router.post(
 /**
 * POST /api/flyers/items/:itemId/track - Tracks a user interaction with a flyer item.
 */
-router.post('/items/:itemId/track', validateRequest(trackItemSchema), (req, res, next): void => {
+router.post('/items/:itemId/track', trackingLimiter, validateRequest(trackItemSchema), (req, res, next): void => {
  try {
    // Explicitly parse to get coerced types.
    const { params, body } = trackItemSchema.parse({ params: req.params, body: req.body });
--- a/src/routes/gamification.routes.test.ts
+++ b/src/routes/gamification.routes.test.ts
@@ -336,4 +336,50 @@ describe('Gamification Routes (/api/achievements)', () => {
      expect(response.body.errors[0].message).toMatch(/less than or equal to 50|Too big/i);
    });
  });
+
+  describe('Rate Limiting', () => {
+    it('should apply publicReadLimiter to GET /', async () => {
+      vi.mocked(db.gamificationRepo.getAllAchievements).mockResolvedValue([]);
+      const response = await supertest(unauthenticatedApp)
+        .get('/api/achievements')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(100);
+    });
+
+    it('should apply userReadLimiter to GET /me', async () => {
+      mockedAuthMiddleware.mockImplementation((req: Request, res: Response, next: NextFunction) => {
+        req.user = mockUserProfile;
+        next();
+      });
+      vi.mocked(db.gamificationRepo.getUserAchievements).mockResolvedValue([]);
+      const response = await supertest(authenticatedApp)
+        .get('/api/achievements/me')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(100);
+    });
+
+    it('should apply adminTriggerLimiter to POST /award', async () => {
+      mockedAuthMiddleware.mockImplementation((req: Request, res: Response, next: NextFunction) => {
+        req.user = mockAdminProfile;
+        next();
+      });
+      mockedIsAdmin.mockImplementation((req: Request, res: Response, next: NextFunction) => next());
+      vi.mocked(db.gamificationRepo.awardAchievement).mockResolvedValue(undefined);
+
+      const response = await supertest(adminApp)
+        .post('/api/achievements/award')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ userId: 'some-user', achievementName: 'some-achievement' });
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(30);
+    });
+  });
 });
--- a/src/routes/gamification.routes.ts
+++ b/src/routes/gamification.routes.ts
@@ -7,6 +7,11 @@ import { logger } from '../services/logger.server';
 import { UserProfile } from '../types';
 import { validateRequest } from '../middleware/validation.middleware';
 import { requiredString, optionalNumeric } from '../utils/zodUtils';
+import {
+  publicReadLimiter,
+  userReadLimiter,
+  adminTriggerLimiter,
+} from '../config/rateLimiters';

 const router = express.Router();
 const adminGamificationRouter = express.Router(); // Create a new router for admin-only routes.
@@ -34,7 +39,7 @@ const awardAchievementSchema = z.object({
 * GET /api/achievements - Get the master list of all available achievements.
 * This is a public endpoint.
 */
-router.get('/', async (req, res, next: NextFunction) => {
+router.get('/', publicReadLimiter, async (req, res, next: NextFunction) => {
  try {
    const achievements = await gamificationService.getAllAchievements(req.log);
    res.json(achievements);
@@ -50,6 +55,7 @@ router.get('/', async (req, res, next: NextFunction) => {
 */
 router.get(
  '/leaderboard',
+  publicReadLimiter,
  validateRequest(leaderboardSchema),
  async (req, res, next: NextFunction): Promise<void> => {
    try {
@@ -74,6 +80,7 @@ router.get(
 router.get(
  '/me',
  passport.authenticate('jwt', { session: false }),
+  userReadLimiter,
  async (req, res, next: NextFunction): Promise<void> => {
    const userProfile = req.user as UserProfile;
    try {
@@ -103,6 +110,7 @@ adminGamificationRouter.use(passport.authenticate('jwt', { session: false }), is
 */
 adminGamificationRouter.post(
  '/award',
+  adminTriggerLimiter,
  validateRequest(awardAchievementSchema),
  async (req, res, next: NextFunction): Promise<void> => {
    // Infer type and cast request object as per ADR-003
--- a/src/routes/personalization.routes.test.ts
+++ b/src/routes/personalization.routes.test.ts
@@ -40,7 +40,7 @@ describe('Personalization Routes (/api/personalization)', () => {
      const mockItems = [createMockMasterGroceryItem({ master_grocery_item_id: 1, name: 'Milk' })];
      vi.mocked(db.personalizationRepo.getAllMasterItems).mockResolvedValue(mockItems);

-      const response = await supertest(app).get('/api/personalization/master-items');
+      const response = await supertest(app).get('/api/personalization/master-items').set('x-test-rate-limit-enable', 'true');

      expect(response.status).toBe(200);
      expect(response.body).toEqual(mockItems);
@@ -49,7 +49,7 @@ describe('Personalization Routes (/api/personalization)', () => {
    it('should return 500 if the database call fails', async () => {
      const dbError = new Error('DB Error');
      vi.mocked(db.personalizationRepo.getAllMasterItems).mockRejectedValue(dbError);
-      const response = await supertest(app).get('/api/personalization/master-items');
+      const response = await supertest(app).get('/api/personalization/master-items').set('x-test-rate-limit-enable', 'true');
      expect(response.status).toBe(500);
      expect(response.body.message).toBe('DB Error');
      expect(mockLogger.error).toHaveBeenCalledWith(
@@ -106,4 +106,16 @@ describe('Personalization Routes (/api/personalization)', () => {
      );
    });
  });
+
+  describe('Rate Limiting', () => {
+    it('should apply publicReadLimiter to GET /master-items', async () => {
+      vi.mocked(db.personalizationRepo.getAllMasterItems).mockResolvedValue([]);
+      const response = await supertest(app)
+        .get('/api/personalization/master-items')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+    });
+  });
 });
--- a/src/routes/personalization.routes.ts
+++ b/src/routes/personalization.routes.ts
@@ -3,6 +3,7 @@ import { Router, Request, Response, NextFunction } from 'express';
 import { z } from 'zod';
 import * as db from '../services/db/index.db';
 import { validateRequest } from '../middleware/validation.middleware';
+import { publicReadLimiter } from '../config/rateLimiters';

 const router = Router();

@@ -16,6 +17,7 @@ const emptySchema = z.object({});
 */
 router.get(
  '/master-items',
+  publicReadLimiter,
  validateRequest(emptySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    try {
@@ -39,6 +41,7 @@ router.get(
 */
 router.get(
  '/dietary-restrictions',
+  publicReadLimiter,
  validateRequest(emptySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    try {
@@ -59,6 +62,7 @@ router.get(
 */
 router.get(
  '/appliances',
+  publicReadLimiter,
  validateRequest(emptySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    try {
--- a/src/routes/price.routes.test.ts
+++ b/src/routes/price.routes.test.ts
@@ -1,8 +1,10 @@
 // src/routes/price.routes.test.ts
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import supertest from 'supertest';
+import type { Request, Response, NextFunction } from 'express';
 import { createTestApp } from '../tests/utils/createTestApp';
 import { mockLogger } from '../tests/utils/mockLogger';
+import { createMockUserProfile } from '../tests/utils/mockFactories';

 // Mock the price repository
 vi.mock('../services/db/price.db', () => ({
@@ -17,12 +19,29 @@ vi.mock('../services/logger.server', async () => ({
  logger: (await import('../tests/utils/mockLogger')).mockLogger,
 }));

+// Mock the passport middleware
+vi.mock('./passport.routes', () => ({
+  default: {
+    authenticate: vi.fn(
+      (_strategy, _options) => (req: Request, res: Response, next: NextFunction) => {
+        // If req.user is not set by the test setup, simulate unauthenticated access.
+        if (!req.user) {
+          return res.status(401).json({ message: 'Unauthorized' });
+        }
+        // If req.user is set, proceed as an authenticated user.
+        next();
+      },
+    ),
+  },
+}));
+
 // Import the router AFTER other setup.
 import priceRouter from './price.routes';
 import { priceRepo } from '../services/db/price.db';

 describe('Price Routes (/api/price-history)', () => {
-  const app = createTestApp({ router: priceRouter, basePath: '/api/price-history' });
+  const mockUser = createMockUserProfile({ user: { user_id: 'price-user-123' } });
+  const app = createTestApp({ router: priceRouter, basePath: '/api/price-history', authenticatedUser: mockUser });
  beforeEach(() => {
    vi.clearAllMocks();
  });
@@ -130,4 +149,18 @@ describe('Price Routes (/api/price-history)', () => {
      expect(response.body.errors[1].message).toBe('Invalid input: expected number, received NaN');
    });
  });
+
+  describe('Rate Limiting', () => {
+    it('should apply priceHistoryLimiter to POST /', async () => {
+      vi.mocked(priceRepo.getPriceHistory).mockResolvedValue([]);
+      const response = await supertest(app)
+        .post('/api/price-history')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ masterItemIds: [1, 2] });
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(50);
+    });
+  });
 });
--- a/src/routes/price.routes.ts
+++ b/src/routes/price.routes.ts
@@ -1,9 +1,11 @@
 // src/routes/price.routes.ts
 import { Router, Request, Response, NextFunction } from 'express';
 import { z } from 'zod';
+import passport from './passport.routes';
 import { validateRequest } from '../middleware/validation.middleware';
 import { priceRepo } from '../services/db/price.db';
 import { optionalNumeric } from '../utils/zodUtils';
+import { priceHistoryLimiter } from '../config/rateLimiters';

 const router = Router();

@@ -26,21 +28,27 @@ type PriceHistoryRequest = z.infer<typeof priceHistorySchema>;
 * POST /api/price-history - Fetches historical price data for a given list of master item IDs.
 * This endpoint retrieves price points over time for specified master grocery items.
 */
-router.post('/', validateRequest(priceHistorySchema), async (req: Request, res: Response, next: NextFunction) => {
-  // Cast 'req' to the inferred type for full type safety.
-  const {
-    body: { masterItemIds, limit, offset },
-  } = req as unknown as PriceHistoryRequest;
-  req.log.info(
-    { itemCount: masterItemIds.length, limit, offset },
-    '[API /price-history] Received request for historical price data.',
-  );
-  try {
-    const priceHistory = await priceRepo.getPriceHistory(masterItemIds, req.log, limit, offset);
-    res.status(200).json(priceHistory);
-  } catch (error) {
-    next(error);
-  }
-});
+router.post(
+  '/',
+  passport.authenticate('jwt', { session: false }),
+  priceHistoryLimiter,
+  validateRequest(priceHistorySchema),
+  async (req: Request, res: Response, next: NextFunction) => {
+    // Cast 'req' to the inferred type for full type safety.
+    const {
+      body: { masterItemIds, limit, offset },
+    } = req as unknown as PriceHistoryRequest;
+    req.log.info(
+      { itemCount: masterItemIds.length, limit, offset },
+      '[API /price-history] Received request for historical price data.',
+    );
+    try {
+      const priceHistory = await priceRepo.getPriceHistory(masterItemIds, req.log, limit, offset);
+      res.status(200).json(priceHistory);
+    } catch (error) {
+      next(error);
+    }
+  },
+);

 export default router;
--- a/src/routes/reactions.routes.test.ts
+++ b/src/routes/reactions.routes.test.ts
@@ -208,4 +208,36 @@ describe('Reaction Routes (/api/reactions)', () => {
      );
    });
  });
+
+  describe('Rate Limiting', () => {
+    it('should apply publicReadLimiter to GET /', async () => {
+      const app = createTestApp({ router: reactionsRouter, basePath: '/api/reactions' });
+      vi.mocked(reactionRepo.getReactions).mockResolvedValue([]);
+      const response = await supertest(app)
+        .get('/api/reactions')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+    });
+
+    it('should apply userUpdateLimiter to POST /toggle', async () => {
+      const mockUser = createMockUserProfile({ user: { user_id: 'user-123' } });
+      const app = createTestApp({
+        router: reactionsRouter,
+        basePath: '/api/reactions',
+        authenticatedUser: mockUser,
+      });
+      vi.mocked(reactionRepo.toggleReaction).mockResolvedValue(null);
+
+      const response = await supertest(app)
+        .post('/api/reactions/toggle')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ entity_type: 'recipe', entity_id: '1', reaction_type: 'like' });
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(150);
+    });
+  });
 });
--- a/src/routes/reactions.routes.ts
+++ b/src/routes/reactions.routes.ts
@@ -5,6 +5,7 @@ import { validateRequest } from '../middleware/validation.middleware';
 import passport from './passport.routes';
 import { requiredString } from '../utils/zodUtils';
 import { UserProfile } from '../types';
+import { publicReadLimiter, reactionToggleLimiter } from '../config/rateLimiters';

 const router = Router();

@@ -42,6 +43,7 @@ const getReactionSummarySchema = z.object({
 */
 router.get(
  '/',
+  publicReadLimiter,
  validateRequest(getReactionsSchema),
  async (req: Request, res: Response, next: NextFunction) => {
    try {
@@ -62,6 +64,7 @@ router.get(
 */
 router.get(
  '/summary',
+  publicReadLimiter,
  validateRequest(getReactionSummarySchema),
  async (req: Request, res: Response, next: NextFunction) => {
    try {
@@ -81,6 +84,7 @@ router.get(
 */
 router.post(
  '/toggle',
+  reactionToggleLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(toggleReactionSchema),
  async (req: Request, res: Response, next: NextFunction) => {
--- a/src/routes/recipe.routes.test.ts
+++ b/src/routes/recipe.routes.test.ts
@@ -318,4 +318,65 @@ describe('Recipe Routes (/api/recipes)', () => {
      );
    });
  });
+
+  describe('Rate Limiting on /suggest', () => {
+    const mockUser = createMockUserProfile({ user: { user_id: 'rate-limit-user' } });
+    const authApp = createTestApp({
+      router: recipeRouter,
+      basePath: '/api/recipes',
+      authenticatedUser: mockUser,
+    });
+
+    it('should block requests after exceeding the limit when the opt-in header is sent', async () => {
+      // Arrange
+      const maxRequests = 20; // Limit is 20 per 15 mins
+      const ingredients = ['chicken', 'rice'];
+      vi.mocked(aiService.generateRecipeSuggestion).mockResolvedValue('A tasty suggestion');
+
+      // Act: Make maxRequests calls
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(authApp)
+          .post('/api/recipes/suggest')
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .send({ ingredients });
+        expect(response.status).not.toBe(429);
+      }
+
+      // Act: Make one more call
+      const blockedResponse = await supertest(authApp)
+        .post('/api/recipes/suggest')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ ingredients });
+
+      // Assert
+      expect(blockedResponse.status).toBe(429);
+      expect(blockedResponse.text).toContain('Too many AI generation requests');
+    });
+
+    it('should NOT block requests when the opt-in header is not sent', async () => {
+      const maxRequests = 22;
+      const ingredients = ['beef', 'potatoes'];
+      vi.mocked(aiService.generateRecipeSuggestion).mockResolvedValue('Another suggestion');
+
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await supertest(authApp)
+          .post('/api/recipes/suggest')
+          .send({ ingredients });
+        expect(response.status).not.toBe(429);
+      }
+    });
+  });
+
+  describe('Rate Limiting on Public Routes', () => {
+    it('should apply publicReadLimiter to GET /:recipeId', async () => {
+      vi.mocked(db.recipeRepo.getRecipeById).mockResolvedValue(createMockRecipe({}));
+      const response = await supertest(app)
+        .get('/api/recipes/1')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(100);
+    });
+  });
 });
--- a/src/routes/recipe.routes.ts
+++ b/src/routes/recipe.routes.ts
@@ -6,6 +6,7 @@ import { aiService } from '../services/aiService.server';
 import passport from './passport.routes';
 import { validateRequest } from '../middleware/validation.middleware';
 import { requiredString, numericIdParam, optionalNumeric } from '../utils/zodUtils';
+import { publicReadLimiter, suggestionLimiter } from '../config/rateLimiters';

 const router = Router();

@@ -41,6 +42,7 @@ const suggestRecipeSchema = z.object({
 */
 router.get(
  '/by-sale-percentage',
+  publicReadLimiter,
  validateRequest(bySalePercentageSchema),
  async (req, res, next) => {
    try {
@@ -60,6 +62,7 @@ router.get(
 */
 router.get(
  '/by-sale-ingredients',
+  publicReadLimiter,
  validateRequest(bySaleIngredientsSchema),
  async (req, res, next) => {
    try {
@@ -82,6 +85,7 @@ router.get(
 */
 router.get(
  '/by-ingredient-and-tag',
+  publicReadLimiter,
  validateRequest(byIngredientAndTagSchema),
  async (req, res, next) => {
    try {
@@ -102,7 +106,7 @@ router.get(
 /**
 * GET /api/recipes/:recipeId/comments - Get all comments for a specific recipe.
 */
-router.get('/:recipeId/comments', validateRequest(recipeIdParamsSchema), async (req, res, next) => {
+router.get('/:recipeId/comments', publicReadLimiter, validateRequest(recipeIdParamsSchema), async (req, res, next) => {
  try {
    // Explicitly parse req.params to coerce recipeId to a number
    const { params } = recipeIdParamsSchema.parse({ params: req.params });
@@ -117,7 +121,7 @@ router.get('/:recipeId/comments', validateRequest(recipeIdParamsSchema), async (
 /**
 * GET /api/recipes/:recipeId - Get a single recipe by its ID, including ingredients and tags.
 */
-router.get('/:recipeId', validateRequest(recipeIdParamsSchema), async (req, res, next) => {
+router.get('/:recipeId', publicReadLimiter, validateRequest(recipeIdParamsSchema), async (req, res, next) => {
  try {
    // Explicitly parse req.params to coerce recipeId to a number
    const { params } = recipeIdParamsSchema.parse({ params: req.params });
@@ -135,6 +139,7 @@ router.get('/:recipeId', validateRequest(recipeIdParamsSchema), async (req, res,
 */
 router.post(
  '/suggest',
+  suggestionLimiter,
  passport.authenticate('jwt', { session: false }),
  validateRequest(suggestRecipeSchema),
  async (req, res, next) => {
--- a/src/routes/stats.routes.test.ts
+++ b/src/routes/stats.routes.test.ts
@@ -66,4 +66,16 @@ describe('Stats Routes (/api/stats)', () => {
      expect(response.body.errors.length).toBe(2);
    });
  });
+
+  describe('Rate Limiting', () => {
+    it('should apply publicReadLimiter to GET /most-frequent-sales', async () => {
+      vi.mocked(db.adminRepo.getMostFrequentSaleItems).mockResolvedValue([]);
+      const response = await supertest(app)
+        .get('/api/stats/most-frequent-sales')
+        .set('X-Test-Rate-Limit-Enable', 'true');
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+    });
+  });
 });
--- a/src/routes/stats.routes.ts
+++ b/src/routes/stats.routes.ts
@@ -4,6 +4,7 @@ import { z } from 'zod';
 import * as db from '../services/db/index.db';
 import { validateRequest } from '../middleware/validation.middleware';
 import { optionalNumeric } from '../utils/zodUtils';
+import { publicReadLimiter } from '../config/rateLimiters';

 const router = Router();

@@ -25,6 +26,7 @@ const mostFrequentSalesSchema = z.object({
 */
 router.get(
  '/most-frequent-sales',
+  publicReadLimiter,
  validateRequest(mostFrequentSalesSchema),
  async (req: Request, res: Response, next: NextFunction) => {
    try {
--- a/src/routes/system.routes.test.ts
+++ b/src/routes/system.routes.test.ts
@@ -156,4 +156,25 @@ describe('System Routes (/api/system)', () => {
      expect(response.body.errors[0].message).toMatch(/An address string is required|Required/i);
    });
  });
+
+  describe('Rate Limiting on /geocode', () => {
+    it('should block requests after exceeding the limit when the opt-in header is sent', async () => {
+      const limit = 100; // Matches geocodeLimiter config
+      const address = '123 Test St';
+      vi.mocked(geocodingService.geocodeAddress).mockResolvedValue({ lat: 0, lng: 0 });
+
+      // We only need to verify it blocks eventually.
+      // Instead of running 100 requests, we check for the headers which confirm the middleware is active.
+      const response = await supertest(app)
+        .post('/api/system/geocode')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ address });
+
+      expect(response.status).toBe(200);
+      expect(response.headers).toHaveProperty('ratelimit-limit');
+      expect(response.headers).toHaveProperty('ratelimit-remaining');
+      expect(parseInt(response.headers['ratelimit-limit'])).toBe(limit);
+      expect(parseInt(response.headers['ratelimit-remaining'])).toBeLessThan(limit);
+    });
+  });
 });
--- a/src/routes/system.routes.ts
+++ b/src/routes/system.routes.ts
@@ -6,6 +6,7 @@ import { validateRequest } from '../middleware/validation.middleware';
 import { z } from 'zod';
 import { requiredString } from '../utils/zodUtils';
 import { systemService } from '../services/systemService';
+import { geocodeLimiter } from '../config/rateLimiters';

 const router = Router();

@@ -41,6 +42,7 @@ router.get(
 */
 router.post(
  '/geocode',
+  geocodeLimiter,
  validateRequest(geocodeSchema),
  async (req: Request, res: Response, next: NextFunction) => {
    // Infer type and cast request object as per ADR-003
--- a/src/routes/user.routes.test.ts
+++ b/src/routes/user.routes.test.ts
@@ -1030,7 +1030,7 @@ describe('User Routes (/api/users)', () => {
      it('should upload an avatar and update the user profile', async () => {
        const mockUpdatedProfile = createMockUserProfile({
          ...mockUserProfile,
-          avatar_url: 'http://localhost:3001/uploads/avatars/new-avatar.png',
+          avatar_url: 'https://example.com/uploads/avatars/new-avatar.png',
        });
        vi.mocked(userService.updateUserAvatar).mockResolvedValue(mockUpdatedProfile);

@@ -1042,7 +1042,7 @@ describe('User Routes (/api/users)', () => {
          .attach('avatar', Buffer.from('dummy-image-content'), dummyImagePath);

        expect(response.status).toBe(200);
-        expect(response.body.avatar_url).toContain('http://localhost:3001/uploads/avatars/');
+        expect(response.body.avatar_url).toContain('https://example.com/uploads/avatars/');
        expect(userService.updateUserAvatar).toHaveBeenCalledWith(
          mockUserProfile.user.user_id,
          expect.any(Object),
@@ -1235,5 +1235,96 @@ describe('User Routes (/api/users)', () => {
        expect(logger.error).toHaveBeenCalled();
      });
    }); // End of Recipe Routes
+
+    describe('Rate Limiting', () => {
+      beforeAll(() => {
+        vi.useFakeTimers();
+      });
+
+      beforeEach(() => {
+        // Advance time to ensure rate limits are reset between tests
+        vi.advanceTimersByTime(2 * 60 * 60 * 1000);
+      });
+
+      afterAll(() => {
+        vi.useRealTimers();
+      });
+
+      it('should apply userUpdateLimiter to PUT /profile', async () => {
+        vi.mocked(db.userRepo.updateUserProfile).mockResolvedValue(mockUserProfile);
+
+        const response = await supertest(app)
+          .put('/api/users/profile')
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .send({ full_name: 'Rate Limit Test' });
+
+        expect(response.status).toBe(200);
+        expect(response.headers).toHaveProperty('ratelimit-limit');
+        expect(parseInt(response.headers['ratelimit-limit'])).toBe(100);
+      });
+
+      it('should apply userSensitiveUpdateLimiter to PUT /profile/password and block after limit', async () => {
+        const limit = 5;
+        vi.mocked(userService.updateUserPassword).mockResolvedValue(undefined);
+
+        // Consume the limit
+        for (let i = 0; i < limit; i++) {
+          const response = await supertest(app)
+            .put('/api/users/profile/password')
+            .set('X-Test-Rate-Limit-Enable', 'true')
+            .send({ newPassword: 'StrongPassword123!' });
+          expect(response.status).toBe(200);
+        }
+
+        // Next request should be blocked
+        const response = await supertest(app)
+          .put('/api/users/profile/password')
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .send({ newPassword: 'StrongPassword123!' });
+
+        expect(response.status).toBe(429);
+        expect(response.text).toContain('Too many sensitive requests');
+      });
+
+      it('should apply userUploadLimiter to POST /profile/avatar', async () => {
+        vi.mocked(userService.updateUserAvatar).mockResolvedValue(mockUserProfile);
+        const dummyImagePath = 'test-avatar.png';
+
+        const response = await supertest(app)
+          .post('/api/users/profile/avatar')
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .attach('avatar', Buffer.from('dummy-image-content'), dummyImagePath);
+
+        expect(response.status).toBe(200);
+        expect(response.headers).toHaveProperty('ratelimit-limit');
+        expect(parseInt(response.headers['ratelimit-limit'])).toBe(20);
+      });
+
+      it('should apply userSensitiveUpdateLimiter to DELETE /account and block after limit', async () => {
+        // Explicitly advance time to ensure the rate limiter window has reset from previous tests
+        vi.advanceTimersByTime(60 * 60 * 1000 + 5000);
+
+        const limit = 5;
+        vi.mocked(userService.deleteUserAccount).mockResolvedValue(undefined);
+
+        // Consume the limit
+        for (let i = 0; i < limit; i++) {
+          const response = await supertest(app)
+            .delete('/api/users/account')
+            .set('X-Test-Rate-Limit-Enable', 'true')
+            .send({ password: 'correct-password' });
+          expect(response.status).toBe(200);
+        }
+
+        // Next request should be blocked
+        const response = await supertest(app)
+          .delete('/api/users/account')
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .send({ password: 'correct-password' });
+
+        expect(response.status).toBe(429);
+        expect(response.text).toContain('Too many sensitive requests');
+      });
+    });
  });
 });
--- a/src/routes/user.routes.ts
+++ b/src/routes/user.routes.ts
@@ -21,6 +21,11 @@ import {
 } from '../utils/zodUtils';
 import * as db from '../services/db/index.db';
 import { cleanupUploadedFile } from '../utils/fileUtils';
+import {
+  userUpdateLimiter,
+  userSensitiveUpdateLimiter,
+  userUploadLimiter,
+} from '../config/rateLimiters';

 const router = express.Router();

@@ -95,6 +100,7 @@ const avatarUpload = createUploadMiddleware({
 */
 router.post(
  '/profile/avatar',
+  userUploadLimiter,
  avatarUpload.single('avatar'),
  async (req: Request, res: Response, next: NextFunction) => {
    // The try-catch block was already correct here.
@@ -215,6 +221,7 @@ router.get('/profile', validateRequest(emptySchema), async (req, res, next: Next
 type UpdateProfileRequest = z.infer<typeof updateProfileSchema>;
 router.put(
  '/profile',
+  userUpdateLimiter,
  validateRequest(updateProfileSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] PUT /api/users/profile - ENTER`);
@@ -241,6 +248,7 @@ router.put(
 type UpdatePasswordRequest = z.infer<typeof updatePasswordSchema>;
 router.put(
  '/profile/password',
+  userSensitiveUpdateLimiter,
  validateRequest(updatePasswordSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] PUT /api/users/profile/password - ENTER`);
@@ -264,6 +272,7 @@ router.put(
 type DeleteAccountRequest = z.infer<typeof deleteAccountSchema>;
 router.delete(
  '/account',
+  userSensitiveUpdateLimiter,
  validateRequest(deleteAccountSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] DELETE /api/users/account - ENTER`);
@@ -302,6 +311,7 @@ router.get('/watched-items', validateRequest(emptySchema), async (req, res, next
 type AddWatchedItemRequest = z.infer<typeof addWatchedItemSchema>;
 router.post(
  '/watched-items',
+  userUpdateLimiter,
  validateRequest(addWatchedItemSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] POST /api/users/watched-items - ENTER`);
@@ -333,6 +343,7 @@ const watchedItemIdSchema = numericIdParam('masterItemId');
 type DeleteWatchedItemRequest = z.infer<typeof watchedItemIdSchema>;
 router.delete(
  '/watched-items/:masterItemId',
+  userUpdateLimiter,
  validateRequest(watchedItemIdSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] DELETE /api/users/watched-items/:masterItemId - ENTER`);
@@ -407,6 +418,7 @@ router.get(
 type CreateShoppingListRequest = z.infer<typeof createShoppingListSchema>;
 router.post(
  '/shopping-lists',
+  userUpdateLimiter,
  validateRequest(createShoppingListSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] POST /api/users/shopping-lists - ENTER`);
@@ -435,6 +447,7 @@ router.post(
 */
 router.delete(
  '/shopping-lists/:listId',
+  userUpdateLimiter,
  validateRequest(shoppingListIdSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] DELETE /api/users/shopping-lists/:listId - ENTER`);
@@ -475,6 +488,7 @@ const addShoppingListItemSchema = shoppingListIdSchema.extend({
 type AddShoppingListItemRequest = z.infer<typeof addShoppingListItemSchema>;
 router.post(
  '/shopping-lists/:listId/items',
+  userUpdateLimiter,
  validateRequest(addShoppingListItemSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] POST /api/users/shopping-lists/:listId/items - ENTER`);
@@ -515,6 +529,7 @@ const updateShoppingListItemSchema = numericIdParam('itemId').extend({
 type UpdateShoppingListItemRequest = z.infer<typeof updateShoppingListItemSchema>;
 router.put(
  '/shopping-lists/items/:itemId',
+  userUpdateLimiter,
  validateRequest(updateShoppingListItemSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] PUT /api/users/shopping-lists/items/:itemId - ENTER`);
@@ -546,6 +561,7 @@ const shoppingListItemIdSchema = numericIdParam('itemId');
 type DeleteShoppingListItemRequest = z.infer<typeof shoppingListItemIdSchema>;
 router.delete(
  '/shopping-lists/items/:itemId',
+  userUpdateLimiter,
  validateRequest(shoppingListItemIdSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] DELETE /api/users/shopping-lists/items/:itemId - ENTER`);
@@ -574,6 +590,7 @@ const updatePreferencesSchema = z.object({
 type UpdatePreferencesRequest = z.infer<typeof updatePreferencesSchema>;
 router.put(
  '/profile/preferences',
+  userUpdateLimiter,
  validateRequest(updatePreferencesSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] PUT /api/users/profile/preferences - ENTER`);
@@ -619,6 +636,7 @@ const setUserRestrictionsSchema = z.object({
 type SetUserRestrictionsRequest = z.infer<typeof setUserRestrictionsSchema>;
 router.put(
  '/me/dietary-restrictions',
+  userUpdateLimiter,
  validateRequest(setUserRestrictionsSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] PUT /api/users/me/dietary-restrictions - ENTER`);
@@ -663,6 +681,7 @@ const setUserAppliancesSchema = z.object({
 type SetUserAppliancesRequest = z.infer<typeof setUserAppliancesSchema>;
 router.put(
  '/me/appliances',
+  userUpdateLimiter,
  validateRequest(setUserAppliancesSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] PUT /api/users/me/appliances - ENTER`);
@@ -730,6 +749,7 @@ const updateUserAddressSchema = z.object({
 type UpdateUserAddressRequest = z.infer<typeof updateUserAddressSchema>;
 router.put(
  '/profile/address',
+  userUpdateLimiter,
  validateRequest(updateUserAddressSchema),
  async (req, res, next: NextFunction) => {
    const userProfile = req.user as UserProfile;
@@ -756,6 +776,7 @@ const recipeIdSchema = numericIdParam('recipeId');
 type DeleteRecipeRequest = z.infer<typeof recipeIdSchema>;
 router.delete(
  '/recipes/:recipeId',
+  userUpdateLimiter,
  validateRequest(recipeIdSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] DELETE /api/users/recipes/:recipeId - ENTER`);
@@ -794,6 +815,7 @@ const updateRecipeSchema = recipeIdSchema.extend({
 type UpdateRecipeRequest = z.infer<typeof updateRecipeSchema>;
 router.put(
  '/recipes/:recipeId',
+  userUpdateLimiter,
  validateRequest(updateRecipeSchema),
  async (req, res, next: NextFunction) => {
    logger.debug(`[ROUTE] PUT /api/users/recipes/:recipeId - ENTER`);
--- a/src/services/aiService.server.test.ts
+++ b/src/services/aiService.server.test.ts
@@ -116,7 +116,7 @@ interface MockFlyer {
  updated_at: string;
 }

-const baseUrl = 'http://localhost:3001';
+const baseUrl = 'https://example.com';

 describe('AI Service (Server)', () => {
  // Create mock dependencies that will be injected into the service
@@ -197,15 +197,17 @@ describe('AI Service (Server)', () => {
      const service = new AIService(mockLoggerInstance);

      // Assert: Check that the warning was logged and the mock client is in use
-      expect(mockLoggerInstance.warn).toHaveBeenCalledWith(
-        '[AIService] GoogleGenAI client could not be initialized (likely missing API key in test environment). Using mock placeholder.',
+      expect(mockLoggerInstance.info).toHaveBeenCalledWith(
+        '[AIService Constructor] Test environment detected. Using internal mock for AI client to prevent real API calls in INTEGRATION TESTS.',
      );
      await expect(
-        (service as any).aiClient.generateContent({ contents: [] }),
+        (service as any).aiClient.generateContent({ contents: [], useLiteModels: false }),
      ).resolves.toBeDefined();
    });

    it('should use the adapter to call generateContent when using real GoogleGenAI client', async () => {
+      vi.stubEnv('NODE_ENV', 'production');
+      vi.stubEnv('VITEST_POOL_ID', '');
      vi.stubEnv('GEMINI_API_KEY', 'test-key');
      // We need to force the constructor to use the real client logic, not the injected mock.
      // So we instantiate AIService without passing aiClient.
@@ -229,6 +231,8 @@ describe('AI Service (Server)', () => {
    });

    it('should throw error if adapter is called without content', async () => {
+      vi.stubEnv('NODE_ENV', 'production');
+      vi.stubEnv('VITEST_POOL_ID', '');
      vi.stubEnv('GEMINI_API_KEY', 'test-key');
      vi.resetModules();
      const { AIService } = await import('./aiService.server');
@@ -244,6 +248,8 @@ describe('AI Service (Server)', () => {
  describe('Model Fallback Logic', () => {
    beforeEach(() => {
      vi.unstubAllEnvs();
+      vi.stubEnv('NODE_ENV', 'production');
+      vi.stubEnv('VITEST_POOL_ID', '');
      vi.stubEnv('GEMINI_API_KEY', 'test-key');
      vi.resetModules(); // Re-import to use the new env var and re-instantiate the service
      mockGenerateContent.mockReset();
@@ -1015,7 +1021,7 @@ describe('AI Service (Server)', () => {
        userId: 'user123',
        submitterIp: '127.0.0.1',
        userProfileAddress: '123 St, City, Country', // Partial address match based on filter(Boolean)
-        baseUrl: 'http://localhost:3000',
+        baseUrl: 'https://example.com',
      });
      expect(result.id).toBe('job123');
    });
@@ -1037,7 +1043,7 @@ describe('AI Service (Server)', () => {
        expect.objectContaining({
          userId: undefined,
          userProfileAddress: undefined,
-          baseUrl: 'http://localhost:3000',
+          baseUrl: 'https://example.com',
        }),
      );
    });
--- a/src/services/aiService.server.ts
+++ b/src/services/aiService.server.ts
@@ -136,85 +136,81 @@ export class AIService {
    "gemma-3n-e2b-it"             // Corrected name from JSON
  ];

+  // Helper to return valid mock data for tests
+  private getMockFlyerData() {
+    return {
+      store_name: 'Mock Store from AIService',
+      valid_from: '2025-01-01',
+      valid_to: '2025-01-07',
+      store_address: '123 Mock St',
+      items: [
+        {
+          item: 'Mocked Integration Item',
+          price_display: '$1.99',
+          price_in_cents: 199,
+          quantity: 'each',
+          category_name: 'Mock Category',
+          master_item_id: null,
+        },
+      ],
+    };
+  }
+
  constructor(logger: Logger, aiClient?: IAiClient, fs?: IFileSystem) {
    this.logger = logger;
    this.logger.info('---------------- [AIService] Constructor Start ----------------');
+
+    const isTestEnvironment = process.env.NODE_ENV === 'test' || !!process.env.VITEST_POOL_ID;
+
    if (aiClient) {
      this.logger.info(
-        '[AIService Constructor] Using provided mock AI client. This indicates a TEST environment.',
+        '[AIService Constructor] Using provided mock AI client. This indicates a UNIT TEST environment.',
      );
      this.aiClient = aiClient;
+    } else if (isTestEnvironment) {
+      this.logger.info(
+        '[AIService Constructor] Test environment detected. Using internal mock for AI client to prevent real API calls in INTEGRATION TESTS.',
+      );
+      this.aiClient = {
+        generateContent: async (request) => {
+          this.logger.info(
+            { useLiteModels: request.useLiteModels },
+            '[AIService] Mock generateContent called in test environment.',
+          );
+          const mockData = this.getMockFlyerData();
+          return {
+            text: JSON.stringify(mockData),
+          } as unknown as GenerateContentResponse;
+        },
+      };
    } else {
      this.logger.info(
-        '[AIService Constructor] No mock client provided. Initializing Google GenAI client for PRODUCTION-LIKE environment.',
+        '[AIService Constructor] No mock client provided and not a test environment. Initializing Google GenAI client for PRODUCTION.',
      );
-      // Determine if we are in any kind of test environment.
-      // VITEST_POOL_ID is reliably set by Vitest during test runs.
-      const isTestEnvironment = process.env.NODE_ENV === 'test' || !!process.env.VITEST_POOL_ID;
-      this.logger.info(
-        {
-          isTestEnvironment,
-          nodeEnv: process.env.NODE_ENV,
-          vitestPoolId: process.env.VITEST_POOL_ID,
-          hasApiKey: !!process.env.GEMINI_API_KEY,
-        },
-        '[AIService Constructor] Environment check',
-      );
-
      const apiKey = process.env.GEMINI_API_KEY;
      if (!apiKey) {
-        this.logger.warn('[AIService] GEMINI_API_KEY is not set.');
-        // Allow initialization without key in test/build environments if strictly needed
-        if (!isTestEnvironment) {
-          this.logger.error('[AIService] GEMINI_API_KEY is required in non-test environments.');
-          throw new Error('GEMINI_API_KEY environment variable not set for server-side AI calls.');
-        } else {
-          this.logger.warn(
-            '[AIService Constructor] GEMINI_API_KEY is missing, but this is a test environment, so proceeding.',
-          );
-        }
-      }
-      // In test mode without injected client, we might not have a key.
-      // The stubs below protect against calling the undefined client.
-      // This is the correct modern SDK pattern. We instantiate the main client.
-      const genAI = apiKey ? new GoogleGenAI({ apiKey }) : null;
-      if (!genAI) {
-        this.logger.warn(
-          '[AIService] GoogleGenAI client could not be initialized (likely missing API key in test environment). Using mock placeholder.',
-        );
+        this.logger.error('[AIService] GEMINI_API_KEY is required in non-test environments.');
+        throw new Error('GEMINI_API_KEY environment variable not set for server-side AI calls.');
      }
+      const genAI = new GoogleGenAI({ apiKey });

      // We create a shim/adapter that matches the old structure but uses the new SDK call pattern.
      // This preserves the dependency injection pattern used throughout the class.
-      this.aiClient = genAI
-        ? {
-            generateContent: async (request) => {
-              if (!request.contents || request.contents.length === 0) {
-                this.logger.error(
-                  { request },
-                  '[AIService Adapter] generateContent called with no content, which is invalid.',
-                );
-                throw new Error('AIService.generateContent requires at least one content element.');
-              }
-
-              const { useLiteModels, ...apiReq } = request;
-              const models = useLiteModels ? this.models_lite : this.models;
-              return this._generateWithFallback(genAI, apiReq, models);
-            },
+      this.aiClient = {
+        generateContent: async (request) => {
+          if (!request.contents || request.contents.length === 0) {
+            this.logger.error(
+              { request },
+              '[AIService Adapter] generateContent called with no content, which is invalid.',
+            );
+            throw new Error('AIService.generateContent requires at least one content element.');
          }
-        : {
-            // This is the updated mock for testing, matching the new response shape.
-            generateContent: async () => {
-              this.logger.warn(
-                '[AIService] Mock generateContent called. This should only happen in tests when no API key is available.',
-              );
-              // Return a minimal valid JSON object structure to prevent downstream parsing errors.
-              const mockResponse = { store_name: 'Mock Store', items: [] };
-              return {
-                text: JSON.stringify(mockResponse),
-              } as unknown as GenerateContentResponse;
-            },
-          };
+
+          const { useLiteModels, ...apiReq } = request;
+          const models = useLiteModels ? this.models_lite : this.models;
+          return this._generateWithFallback(genAI, apiReq, models);
+        },
+      };
    }

    this.fs = fs || fsPromises;
@@ -254,19 +250,37 @@ export class AIService {
        // If the call succeeds, return the result immediately.
        return result;
      } catch (error: unknown) {
-        lastError = error instanceof Error ? error : new Error(String(error));
-        const errorMessage = (lastError.message || '').toLowerCase(); // Make case-insensitive
+        // Robust error message extraction to handle various error shapes (Error objects, JSON responses, etc.)
+        let errorMsg = '';
+        if (error instanceof Error) {
+          lastError = error;
+          errorMsg = error.message;
+        } else {
+          try {
+            if (typeof error === 'object' && error !== null && 'message' in error) {
+              errorMsg = String((error as any).message);
+            } else {
+              errorMsg = JSON.stringify(error);
+            }
+          } catch {
+            errorMsg = String(error);
+          }
+          lastError = new Error(errorMsg);
+        }
+        const lowerErrorMsg = errorMsg.toLowerCase();

        // Check for specific error messages indicating quota issues or model unavailability.
        if (
-          errorMessage.includes('quota') ||
-          errorMessage.includes('429') || // HTTP 429 Too Many Requests
-          errorMessage.includes('resource_exhausted') || // Make case-insensitive
-          errorMessage.includes('model is overloaded') ||
-          errorMessage.includes('not found') // Also retry if model is not found (e.g., regional availability or API version issue)
+          lowerErrorMsg.includes('quota') ||
+          lowerErrorMsg.includes('429') || // HTTP 429 Too Many Requests
+          lowerErrorMsg.includes('503') || // HTTP 503 Service Unavailable
+          lowerErrorMsg.includes('resource_exhausted') ||
+          lowerErrorMsg.includes('overloaded') || // Covers "model is overloaded"
+          lowerErrorMsg.includes('unavailable') || // Covers "Service Unavailable"
+          lowerErrorMsg.includes('not found') // Also retry if model is not found (e.g., regional availability or API version issue)
        ) {
          this.logger.warn(
-            `[AIService Adapter] Model '${modelName}' failed due to quota/rate limit. Trying next model. Error: ${errorMessage}`,
+            `[AIService Adapter] Model '${modelName}' failed due to quota/rate limit/overload. Trying next model. Error: ${errorMsg}`,
          );
          continue; // Try the next model in the list.
        } else {
@@ -753,6 +767,7 @@ async enqueueFlyerProcessing(
    userProfile: UserProfile | undefined,
    submitterIp: string,
    logger: Logger,
+    baseUrlOverride?: string,
  ): Promise<Job> {
    // 1. Check for duplicate flyer
    const existingFlyer = await db.flyerRepo.findFlyerByChecksum(checksum, logger);
@@ -779,7 +794,7 @@ async enqueueFlyerProcessing(
        .join(', ');
    }

-    const baseUrl = getBaseUrl(logger);
+    const baseUrl = baseUrlOverride || getBaseUrl(logger);
    // --- START DEBUGGING ---
    // Add a fail-fast check to ensure the baseUrl is a valid URL before enqueuing.
    // This will make the test fail at the upload step if the URL is the problem,
@@ -886,8 +901,8 @@ async enqueueFlyerProcessing(
    const itemsArray = Array.isArray(rawItems) ? rawItems : typeof rawItems === 'string' ? JSON.parse(rawItems) : [];
    const itemsForDb = itemsArray.map((item: Partial<ExtractedFlyerItem>) => ({
      ...item,
-      // Ensure price_display is never null to satisfy database constraints.
-      price_display: item.price_display ?? '',
+      // Ensure empty or nullish price_display is stored as NULL to satisfy database constraints.
+      price_display: item.price_display || null,
      master_item_id: item.master_item_id === null ? undefined : item.master_item_id,
      quantity: item.quantity ?? 1,
      view_count: 0,
--- a/src/services/analyticsService.server.test.ts
+++ b/src/services/analyticsService.server.test.ts
@@ -86,6 +86,30 @@ describe('AnalyticsService', () => {
        'Daily analytics job failed.',
      );
    });
+
+    it('should handle non-Error objects thrown during processing', async () => {
+      const job = createMockJob<AnalyticsJobData>({ reportDate: '2023-10-27' } as AnalyticsJobData);
+
+      mockLoggerInstance.info
+        .mockImplementationOnce(() => {}) // "Picked up..."
+        .mockImplementationOnce(() => {
+          throw 'A string error';
+        });
+
+      const promise = service.processDailyReportJob(job);
+
+      await vi.advanceTimersByTimeAsync(10000);
+
+      await expect(promise).rejects.toThrow('A string error');
+
+      expect(mockLoggerInstance.error).toHaveBeenCalledWith(
+        expect.objectContaining({
+          err: expect.objectContaining({ message: 'A string error' }),
+          attemptsMade: 1,
+        }),
+        'Daily analytics job failed.',
+      );
+    });
  });

  describe('processWeeklyReportJob', () => {
@@ -149,5 +173,32 @@ describe('AnalyticsService', () => {
        'Weekly analytics job failed.',
      );
    });
+
+    it('should handle non-Error objects thrown during processing', async () => {
+      const job = createMockJob<WeeklyAnalyticsJobData>({
+        reportYear: 2023,
+        reportWeek: 43,
+      } as WeeklyAnalyticsJobData);
+
+      mockLoggerInstance.info
+        .mockImplementationOnce(() => {}) // "Picked up..."
+        .mockImplementationOnce(() => {
+          throw 'A string error';
+        });
+
+      const promise = service.processWeeklyReportJob(job);
+
+      await vi.advanceTimersByTimeAsync(30000);
+
+      await expect(promise).rejects.toThrow('A string error');
+
+      expect(mockLoggerInstance.error).toHaveBeenCalledWith(
+        expect.objectContaining({
+          err: expect.objectContaining({ message: 'A string error' }),
+          attemptsMade: 1,
+        }),
+        'Weekly analytics job failed.',
+      );
+    });
  });
 });
--- a/src/services/apiClient.test.ts
+++ b/src/services/apiClient.test.ts
@@ -947,7 +947,10 @@ describe('API Client', () => {

    it('trackFlyerItemInteraction should log a warning on failure', async () => {
      const apiError = new Error('Network failed');
-      vi.mocked(global.fetch).mockRejectedValue(apiError);
+      // Mock global.fetch to throw an error directly to ensure the catch block is hit.
+      vi.spyOn(global, 'fetch').mockImplementationOnce(() => {
+        throw apiError;
+      });
      const { logger } = await import('./logger.client');

      // We can now await this properly because we added 'return' in apiClient.ts
@@ -959,7 +962,10 @@ describe('API Client', () => {

    it('logSearchQuery should log a warning on failure', async () => {
      const apiError = new Error('Network failed');
-      vi.mocked(global.fetch).mockRejectedValue(apiError);
+      // Mock global.fetch to throw an error directly to ensure the catch block is hit.
+      vi.spyOn(global, 'fetch').mockImplementationOnce(() => {
+        throw apiError;
+      });
      const { logger } = await import('./logger.client');

      const queryData = createMockSearchQueryPayload({
--- a/src/services/authService.test.ts
+++ b/src/services/authService.test.ts
@@ -35,6 +35,7 @@ describe('AuthService', () => {
  let DatabaseError: typeof import('./processingErrors').DatabaseError;
  let UniqueConstraintError: typeof import('./db/errors.db').UniqueConstraintError;
  let RepositoryError: typeof import('./db/errors.db').RepositoryError;
+  let ValidationError: typeof import('./db/errors.db').ValidationError;
  let withTransaction: typeof import('./db/index.db').withTransaction;

  const reqLog = {}; // Mock request logger object
@@ -59,7 +60,7 @@ describe('AuthService', () => {

    // Set environment variables before any modules are imported
    vi.stubEnv('JWT_SECRET', 'test-secret');
-    vi.stubEnv('FRONTEND_URL', 'http://localhost:3000');
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');

    // Mock all dependencies before dynamically importing the service
    // Core modules like bcrypt, jsonwebtoken, and crypto are now mocked globally in tests-setup-unit.ts
@@ -109,6 +110,7 @@ describe('AuthService', () => {
    DatabaseError = (await import('./processingErrors')).DatabaseError;
    UniqueConstraintError = (await import('./db/errors.db')).UniqueConstraintError;
    RepositoryError = (await import('./db/errors.db')).RepositoryError;
+    ValidationError = (await import('./db/errors.db')).ValidationError;
  });

  afterEach(() => {
@@ -168,6 +170,15 @@ describe('AuthService', () => {

      expect(logger.error).toHaveBeenCalledWith({ error, email: 'test@example.com' }, `User registration failed with an unexpected error.`);
    });
+
+    it('should throw ValidationError if password is weak', async () => {
+      const { validatePasswordStrength } = await import('../utils/authUtils');
+      vi.mocked(validatePasswordStrength).mockReturnValue({ isValid: false, feedback: 'Password too weak' });
+
+      await expect(
+        authService.registerUser('test@example.com', 'weak', 'Test User', undefined, reqLog),
+      ).rejects.toThrow(ValidationError);
+    });
  });

  describe('registerAndLoginUser', () => {
@@ -285,6 +296,25 @@ describe('AuthService', () => {
      );
      expect(logger.error).toHaveBeenCalled();
    });
+
+    it('should log error if sending email fails but still return token', async () => {
+      vi.mocked(userRepo.findUserByEmail).mockResolvedValue(mockUser);
+      vi.mocked(bcrypt.hash).mockImplementation(async () => 'hashed-token');
+      const emailError = new Error('Email failed');
+      vi.mocked(sendPasswordResetEmail).mockRejectedValue(emailError);
+
+      const result = await authService.resetPassword('test@example.com', reqLog);
+
+      expect(logger.error).toHaveBeenCalledWith({ emailError }, `Email send failure during password reset for user`);
+      expect(result).toBe('mocked_random_id');
+    });
+
+    it('should re-throw RepositoryError', async () => {
+      const repoError = new RepositoryError('Repo error', 500);
+      vi.mocked(userRepo.findUserByEmail).mockRejectedValue(repoError);
+
+      await expect(authService.resetPassword('test@example.com', reqLog)).rejects.toThrow(repoError);
+    });
  });

  describe('updatePassword', () => {
@@ -334,6 +364,22 @@ describe('AuthService', () => {
      expect(transactionalUserRepoMocks.updateUserPassword).not.toHaveBeenCalled();
      expect(result).toBeNull();
    });
+
+    it('should throw ValidationError if new password is weak', async () => {
+      const { validatePasswordStrength } = await import('../utils/authUtils');
+      vi.mocked(validatePasswordStrength).mockReturnValue({ isValid: false, feedback: 'Password too weak' });
+
+      await expect(
+        authService.updatePassword('token', 'weak', reqLog),
+      ).rejects.toThrow(ValidationError);
+    });
+
+    it('should re-throw RepositoryError from transaction', async () => {
+      const repoError = new RepositoryError('Repo error', 500);
+      vi.mocked(withTransaction).mockRejectedValue(repoError);
+
+      await expect(authService.updatePassword('token', 'newPass', reqLog)).rejects.toThrow(repoError);
+    });
  });

  describe('getUserByRefreshToken', () => {
--- a/src/services/backgroundJobService.test.ts
+++ b/src/services/backgroundJobService.test.ts
@@ -161,6 +161,13 @@ describe('Background Job Service', () => {
          { jobId: expect.stringContaining('manual-weekly-report-') },
        );
      });
+
+      it('should throw if job ID is not returned from the queue', async () => {
+        // Mock the queue to return a job object without an 'id' property
+        vi.mocked(weeklyAnalyticsQueue.add).mockResolvedValue({ name: 'test-job' } as any);
+
+        await expect(service.triggerWeeklyAnalyticsReport()).rejects.toThrow();
+      });
    });

    it('should do nothing if no deals are found for any user', async () => {
@@ -177,6 +184,35 @@ describe('Background Job Service', () => {
      expect(mockNotificationRepo.createBulkNotifications).not.toHaveBeenCalled();
    });

+    it('should process a single user successfully and log notification creation', async () => {
+      const singleUserDeal = [
+        {
+          ...createMockWatchedItemDeal({
+            master_item_id: 1,
+            item_name: 'Apples',
+            best_price_in_cents: 199,
+          }),
+          user_id: 'user-1',
+          email: 'user1@test.com',
+          full_name: 'User One',
+        },
+      ];
+      mockPersonalizationRepo.getBestSalePricesForAllUsers.mockResolvedValue(singleUserDeal);
+      mockEmailQueue.add.mockResolvedValue({ id: 'job-1' });
+
+      await service.runDailyDealCheck();
+
+      expect(mockEmailQueue.add).toHaveBeenCalledTimes(1);
+      expect(mockNotificationRepo.createBulkNotifications).toHaveBeenCalledTimes(1);
+      const notificationPayload = mockNotificationRepo.createBulkNotifications.mock.calls[0][0];
+      expect(notificationPayload).toHaveLength(1);
+
+      // This assertion specifically targets line 180
+      expect(mockServiceLogger.info).toHaveBeenCalledWith(
+        `[BackgroundJob] Successfully created 1 in-app notifications.`,
+      );
+    });
+
    it('should create notifications and enqueue emails when deals are found', async () => {
      mockPersonalizationRepo.getBestSalePricesForAllUsers.mockResolvedValue(mockDealsForAllUsers);

--- a/src/services/db/flyer.db.test.ts
+++ b/src/services/db/flyer.db.test.ts
@@ -132,8 +132,8 @@ describe('Flyer DB Service', () => {
    it('should execute an INSERT query and return the new flyer', async () => {
      const flyerData: FlyerDbInsert = {
        file_name: 'test.jpg',
-        image_url: 'http://localhost:3001/images/test.jpg',
-        icon_url: 'http://localhost:3001/images/icons/test.jpg',
+        image_url: 'https://example.com/images/test.jpg',
+        icon_url: 'https://example.com/images/icons/test.jpg',
        checksum: 'checksum123',
        store_id: 1,
        valid_from: '2024-01-01',
@@ -155,8 +155,8 @@ describe('Flyer DB Service', () => {
        expect.stringContaining('INSERT INTO flyers'),
        [
          'test.jpg',
-          'http://localhost:3001/images/test.jpg',
-          'http://localhost:3001/images/icons/test.jpg',
+          'https://example.com/images/test.jpg',
+          'https://example.com/images/icons/test.jpg',
          'checksum123',
          1,
          '2024-01-01',
@@ -360,6 +360,58 @@ describe('Flyer DB Service', () => {
        'Database error in insertFlyerItems',
      );
    });
+
+    it('should sanitize empty or whitespace-only price_display to "N/A"', async () => {
+      const itemsData: FlyerItemInsert[] = [
+        {
+          item: 'Free Item',
+          price_display: '', // Empty string
+          price_in_cents: 0,
+          quantity: '1',
+          category_name: 'Promo',
+          view_count: 0,
+          click_count: 0,
+        },
+        {
+          item: 'Whitespace Item',
+          price_display: '   ', // Whitespace only
+          price_in_cents: null,
+          quantity: '1',
+          category_name: 'Promo',
+          view_count: 0,
+          click_count: 0,
+        },
+      ];
+      const mockItems = itemsData.map((item, i) =>
+        createMockFlyerItem({ ...item, flyer_item_id: i + 1, flyer_id: 1 }),
+      );
+      mockPoolInstance.query.mockResolvedValue({ rows: mockItems });
+
+      await flyerRepo.insertFlyerItems(1, itemsData, mockLogger);
+
+      expect(mockPoolInstance.query).toHaveBeenCalledTimes(1);
+
+      // Check that the values array passed to the query has null for price_display
+      const queryValues = mockPoolInstance.query.mock.calls[0][1];
+      expect(queryValues).toEqual([
+        1, // flyerId for item 1
+        'Free Item',
+        "N/A", // Sanitized price_display for item 1
+        0,
+        '1',
+        'Promo',
+        0,
+        0,
+        1, // flyerId for item 2
+        'Whitespace Item',
+        "N/A", // Sanitized price_display for item 2
+        null,
+        '1',
+        'Promo',
+        0,
+        0,
+      ]);
+    });
  });

  describe('createFlyerAndItems', () => {
@@ -433,6 +485,34 @@ describe('Flyer DB Service', () => {
      );
    });

+    it('should create a flyer with no items if items array is empty', async () => {
+      const flyerData: FlyerInsert = {
+        file_name: 'empty.jpg',
+        store_name: 'Empty Store',
+      } as FlyerInsert;
+      const itemsData: FlyerItemInsert[] = [];
+      const mockFlyer = createMockFlyer({ ...flyerData, flyer_id: 100, store_id: 2 });
+
+      const mockClient = { query: vi.fn() };
+      mockClient.query
+        .mockResolvedValueOnce({ rows: [], rowCount: 0 }) // findOrCreateStore (insert)
+        .mockResolvedValueOnce({ rows: [{ store_id: 2 }] }) // findOrCreateStore (select)
+        .mockResolvedValueOnce({ rows: [mockFlyer] }); // insertFlyer
+
+      const result = await createFlyerAndItems(
+        flyerData,
+        itemsData,
+        mockLogger,
+        mockClient as unknown as PoolClient,
+      );
+
+      expect(result).toEqual({
+        flyer: mockFlyer,
+        items: [],
+      });
+      expect(mockClient.query).toHaveBeenCalledTimes(3);
+    });
+
    it('should propagate an error if any step fails', async () => {
      const flyerData: FlyerInsert = {
        file_name: 'fail.jpg',
--- a/src/services/db/flyer.db.ts
+++ b/src/services/db/flyer.db.ts
@@ -63,6 +63,7 @@ export class FlyerRepository {
   * @returns The newly created flyer record with its ID.
   */
  async insertFlyer(flyerData: FlyerDbInsert, logger: Logger): Promise<Flyer> {
+    console.error('[DEBUG] FlyerRepository.insertFlyer called with:', JSON.stringify(flyerData, null, 2));
    try {
      const query = `
        INSERT INTO flyers (
@@ -139,10 +140,18 @@ export class FlyerRepository {
        valueStrings.push(
          `($${paramIndex++}, $${paramIndex++}, $${paramIndex++}, $${paramIndex++}, $${paramIndex++}, $${paramIndex++}, $${paramIndex++}, $${paramIndex++})`,
        );
+
+        // Sanitize price_display. The database requires a non-empty string.
+        // We provide a default value if the input is null, undefined, or an empty string.
+        const priceDisplay =
+          item.price_display && item.price_display.trim() !== ''
+            ? item.price_display
+            : 'N/A';
+
        values.push(
          flyerId,
          item.item,
-          item.price_display,
+          priceDisplay,
          item.price_in_cents ?? null,
          item.quantity ?? '',
          item.category_name ?? null,
--- a/src/services/db/shopping.db.test.ts
+++ b/src/services/db/shopping.db.test.ts
@@ -596,7 +596,7 @@ describe('Shopping DB Service', () => {
      const mockReceipt = {
        receipt_id: 1,
        user_id: 'user-1',
-        receipt_image_url: 'http://example.com/receipt.jpg',
+        receipt_image_url: 'https://example.com/receipt.jpg',
        status: 'pending',
      };
      mockPoolInstance.query.mockResolvedValue({ rows: [mockReceipt] });
--- a/src/services/emailService.server.test.ts
+++ b/src/services/emailService.server.test.ts
@@ -50,6 +50,7 @@ describe('Email Service (Server)', () => {
  beforeEach(async () => {
    console.log('[TEST SETUP] Setting up Email Service mocks');
    vi.clearAllMocks();
+    vi.stubEnv('FRONTEND_URL', 'https://test.flyer.com');
    // Reset to default successful implementation
    mocks.sendMail.mockImplementation((mailOptions: { to: string }) => {
      console.log('[TEST DEBUG] mockSendMail (default) called with:', mailOptions?.to);
@@ -60,12 +61,17 @@ describe('Email Service (Server)', () => {
    });
  });

-  describe('sendPasswordResetEmail', () => {
-    it('should call sendMail with the correct recipient, subject, and link', async () => {
-      const to = 'test@example.com';
-      const resetLink = 'http://localhost:3000/reset/mock-token-123';
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });

-      await sendPasswordResetEmail(to, resetLink, logger);
+  describe('sendPasswordResetEmail', () => {
+    it('should call sendMail with the correct recipient, subject, and constructed link', async () => {
+      const to = 'test@example.com';
+      const token = 'mock-token-123';
+      const expectedResetUrl = `https://test.flyer.com/reset-password?token=${token}`;
+
+      await sendPasswordResetEmail(to, token, logger);

      expect(mocks.sendMail).toHaveBeenCalledTimes(1);
      const mailOptions = mocks.sendMail.mock.calls[0][0] as {
@@ -77,9 +83,8 @@ describe('Email Service (Server)', () => {

      expect(mailOptions.to).toBe(to);
      expect(mailOptions.subject).toBe('Your Password Reset Request');
-      expect(mailOptions.text).toContain(resetLink);
-      // The implementation constructs the link, so we check that our mock link is present inside the href
-      expect(mailOptions.html).toContain(resetLink);
+      expect(mailOptions.text).toContain(expectedResetUrl);
+      expect(mailOptions.html).toContain(`href="${expectedResetUrl}"`);
    });
  });

@@ -269,5 +274,22 @@ describe('Email Service (Server)', () => {
        'Email job failed.',
      );
    });
+
+    it('should handle non-Error objects thrown during processing', async () => {
+      const job = createMockJob(mockJobData);
+      const emailErrorString = 'SMTP Connection Failed as a string';
+      mocks.sendMail.mockRejectedValue(emailErrorString);
+
+      await expect(processEmailJob(job)).rejects.toThrow(emailErrorString);
+
+      expect(logger.error).toHaveBeenCalledWith(
+        {
+          err: expect.objectContaining({ message: emailErrorString }),
+          jobData: mockJobData,
+          attemptsMade: 1,
+        },
+        'Email job failed.',
+      );
+    });
  });
 });
--- a/src/services/flyerAiProcessor.server.test.ts
+++ b/src/services/flyerAiProcessor.server.test.ts
@@ -21,7 +21,7 @@ const createMockJobData = (data: Partial<FlyerJobData>): FlyerJobData => ({
  filePath: '/tmp/flyer.jpg',
  originalFileName: 'flyer.jpg',
  checksum: 'checksum-123',
-  baseUrl: 'http://localhost:3000',
+  baseUrl: 'https://example.com',
  ...data,
 });

--- a/src/services/flyerDataTransformer.test.ts
+++ b/src/services/flyerDataTransformer.test.ts
@@ -5,6 +5,7 @@ import { logger as mockLogger } from './logger.server';
 import { generateFlyerIcon } from '../utils/imageProcessor';
 import type { AiProcessorResult } from './flyerAiProcessor.server';
 import type { FlyerItemInsert } from '../types';
+import { getBaseUrl } from '../utils/serverUtils';

 // Mock the dependencies
 vi.mock('../utils/imageProcessor', () => ({
@@ -15,6 +16,10 @@ vi.mock('./logger.server', () => ({
  logger: { info: vi.fn(), error: vi.fn(), warn: vi.fn(), debug: vi.fn() },
 }));

+vi.mock('../utils/serverUtils', () => ({
+  getBaseUrl: vi.fn(),
+}));
+
 describe('FlyerDataTransformer', () => {
  let transformer: FlyerDataTransformer;

@@ -23,12 +28,13 @@ describe('FlyerDataTransformer', () => {
    transformer = new FlyerDataTransformer();
    // Stub environment variables to ensure consistency and predictability.
    // Prioritize FRONTEND_URL to match the updated service logic.
-    vi.stubEnv('FRONTEND_URL', 'http://localhost:3000');
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
    vi.stubEnv('BASE_URL', ''); // Ensure this is not used to confirm priority logic
    vi.stubEnv('PORT', '');     // Ensure this is not used

    // Provide a default mock implementation for generateFlyerIcon
    vi.mocked(generateFlyerIcon).mockResolvedValue('icon-flyer-page-1.webp');
+    vi.mocked(getBaseUrl).mockReturnValue('https://example.com');
  });

  it('should transform AI data into database-ready format with a user ID', async () => {
@@ -63,7 +69,7 @@ describe('FlyerDataTransformer', () => {
    const originalFileName = 'my-flyer.pdf';
    const checksum = 'checksum-abc-123';
    const userId = 'user-xyz-456';
-    const baseUrl = 'http://test.host';
+    const baseUrl = 'https://example.com';

    // Act
    const { flyerData, itemsForDb } = await transformer.transform(
@@ -244,7 +250,7 @@ describe('FlyerDataTransformer', () => {
    );
  });

-  it('should use fallback baseUrl if none is provided and log a warning', async () => {
+  it('should use fallback baseUrl from getBaseUrl if none is provided', async () => {
    // Arrange
    const aiResult: AiProcessorResult = {
      data: {
@@ -256,11 +262,10 @@ describe('FlyerDataTransformer', () => {
      },
      needsReview: false,
    };
-    const baseUrl = undefined; // Explicitly pass undefined for this test
+    const baseUrl = ''; // Explicitly pass '' for this test

-    // The fallback logic uses process.env.PORT || 3000.
-    // The beforeEach sets PORT to '', so it should fallback to 3000.
-    const expectedFallbackUrl = 'http://localhost:3000';
+    const expectedFallbackUrl = 'http://fallback-url.com';
+    vi.mocked(getBaseUrl).mockReturnValue(expectedFallbackUrl);

    // Act
    const { flyerData } = await transformer.transform(
@@ -275,10 +280,8 @@ describe('FlyerDataTransformer', () => {
    );

    // Assert
-    // 1. Check that a warning was logged
-    expect(mockLogger.warn).toHaveBeenCalledWith(
-      `Base URL not provided in job data. Falling back to default local URL: ${expectedFallbackUrl}`,
-    );
+    // 1. Check that getBaseUrl was called
+    expect(getBaseUrl).toHaveBeenCalledWith(mockLogger);

    // 2. Check that the URLs were constructed with the fallback
    expect(flyerData.image_url).toBe(`${expectedFallbackUrl}/flyer-images/flyer-page-1.jpg`);
--- a/src/services/flyerDataTransformer.ts
+++ b/src/services/flyerDataTransformer.ts
@@ -7,6 +7,7 @@ import type { AiProcessorResult } from './flyerAiProcessor.server'; // Keep this
 import { AiFlyerDataSchema } from '../types/ai'; // Import consolidated schema
 import { TransformationError } from './processingErrors';
 import { parsePriceToCents } from '../utils/priceParser';
+import { getBaseUrl } from '../utils/serverUtils';

 /**
 * This class is responsible for transforming the validated data from the AI service
@@ -58,19 +59,16 @@ export class FlyerDataTransformer {
  private _buildUrls(
    imageFileName: string,
    iconFileName: string,
-    baseUrl: string | undefined,
+    baseUrl: string,
    logger: Logger,
  ): { imageUrl: string; iconUrl: string } {
+    console.log('[DEBUG] FlyerDataTransformer._buildUrls inputs:', { imageFileName, iconFileName, baseUrl });
    logger.debug({ imageFileName, iconFileName, baseUrl }, 'Building URLs');
-    let finalBaseUrl = baseUrl;
-    if (!finalBaseUrl) {
-      const port = process.env.PORT || 3000;
-      finalBaseUrl = `http://localhost:${port}`;
-      logger.warn(`Base URL not provided in job data. Falling back to default local URL: ${finalBaseUrl}`);
-    }
-    finalBaseUrl = finalBaseUrl.endsWith('/') ? finalBaseUrl.slice(0, -1) : finalBaseUrl;
+    const finalBaseUrl = baseUrl || getBaseUrl(logger);
+    console.log('[DEBUG] FlyerDataTransformer._buildUrls finalBaseUrl resolved to:', finalBaseUrl);
    const imageUrl = `${finalBaseUrl}/flyer-images/${imageFileName}`;
    const iconUrl = `${finalBaseUrl}/flyer-images/icons/${iconFileName}`;
+    console.log('[DEBUG] FlyerDataTransformer._buildUrls constructed:', { imageUrl, iconUrl });
    logger.debug({ imageUrl, iconUrl }, 'Constructed URLs');
    return { imageUrl, iconUrl };
  }
@@ -93,8 +91,9 @@ export class FlyerDataTransformer {
    checksum: string,
    userId: string | undefined,
    logger: Logger,
-    baseUrl?: string,
+    baseUrl: string,
  ): Promise<{ flyerData: FlyerInsert; itemsForDb: FlyerItemInsert[] }> {
+    console.log('[DEBUG] FlyerDataTransformer.transform called with baseUrl:', baseUrl);
    logger.info('Starting data transformation from AI output to database format.');

    try {
--- a/src/services/flyerProcessingService.server.test.ts
+++ b/src/services/flyerProcessingService.server.test.ts
@@ -104,8 +104,8 @@ describe('FlyerProcessingService', () => {
    vi.spyOn(FlyerDataTransformer.prototype, 'transform').mockResolvedValue({
      flyerData: {
        file_name: 'test.jpg',
-        image_url: 'http://example.com/test.jpg',
-        icon_url: 'http://example.com/icon.webp',
+        image_url: 'https://example.com/test.jpg',
+        icon_url: 'https://example.com/icon.webp',
        store_name: 'Mock Store',
        // Add required fields for FlyerInsert type
        status: 'processed',
@@ -169,7 +169,7 @@ describe('FlyerProcessingService', () => {
      flyer: createMockFlyer({
        flyer_id: 1,
        file_name: 'test.jpg',
-        image_url: 'http://example.com/test.jpg',
+        image_url: 'https://example.com/test.jpg',
        item_count: 1,
      }),
      items: [],
@@ -189,7 +189,7 @@ describe('FlyerProcessingService', () => {
        filePath: '/tmp/flyer.jpg',
        originalFileName: 'flyer.jpg',
        checksum: 'checksum-123',
-        baseUrl: 'http://localhost:3000',
+        baseUrl: 'https://example.com',
        ...data,
      },
      updateProgress: vi.fn(),
@@ -241,7 +241,7 @@ describe('FlyerProcessingService', () => {
        'checksum-123', // checksum
        undefined, // userId
        expect.any(Object), // logger
-        'http://localhost:3000', // baseUrl
+        'https://example.com', // baseUrl
      );

      // 5. DB transaction was initiated
@@ -695,8 +695,8 @@ describe('FlyerProcessingService', () => {
    it('should derive paths from DB and delete files if job paths are empty', async () => {
      const job = createMockCleanupJob({ flyerId: 1, paths: [] }); // Empty paths
      const mockFlyer = createMockFlyer({
-        image_url: 'http://localhost:3000/flyer-images/flyer-abc.jpg',
-        icon_url: 'http://localhost:3000/flyer-images/icons/icon-flyer-abc.webp',
+        image_url: 'https://example.com/flyer-images/flyer-abc.jpg',
+        icon_url: 'https://example.com/flyer-images/icons/icon-flyer-abc.webp',
      });
      // Mock DB call to return a flyer
      vi.mocked(mockedDb.flyerRepo.getFlyerById).mockResolvedValue(mockFlyer);
--- a/src/services/flyerProcessingService.server.ts
+++ b/src/services/flyerProcessingService.server.ts
@@ -103,6 +103,8 @@ export class FlyerProcessingService {
      // The main processed image path is already in `allFilePaths` via `createdImagePaths`.
      allFilePaths.push(path.join(iconsDir, iconFileName));

+      console.log('[DEBUG] FlyerProcessingService calling transformer with:', { originalFileName: job.data.originalFileName, imageFileName, iconFileName, checksum: job.data.checksum, baseUrl: job.data.baseUrl });
+
      const { flyerData, itemsForDb } = await this.transformer.transform(
        aiResult,
        job.data.originalFileName,
--- a/src/services/processingErrors.test.ts
+++ b/src/services/processingErrors.test.ts
@@ -6,6 +6,9 @@ import {
  AiDataValidationError,
  GeocodingFailedError,
  UnsupportedFileTypeError,
+  TransformationError,
+  DatabaseError,
+  ImageConversionError,
 } from './processingErrors';

 describe('Processing Errors', () => {
@@ -18,6 +21,30 @@ describe('Processing Errors', () => {
      expect(error).toBeInstanceOf(FlyerProcessingError);
      expect(error.message).toBe(message);
      expect(error.name).toBe('FlyerProcessingError');
+      expect(error.errorCode).toBe('UNKNOWN_ERROR');
+      expect(error.userMessage).toBe(message);
+    });
+
+    it('should allow setting a custom errorCode and userMessage', () => {
+      const message = 'Internal error';
+      const errorCode = 'CUSTOM_ERROR';
+      const userMessage = 'Something went wrong for you.';
+      const error = new FlyerProcessingError(message, errorCode, userMessage);
+
+      expect(error.errorCode).toBe(errorCode);
+      expect(error.userMessage).toBe(userMessage);
+    });
+
+    it('should return the correct error payload', () => {
+      const message = 'Internal error';
+      const errorCode = 'CUSTOM_ERROR';
+      const userMessage = 'Something went wrong for you.';
+      const error = new FlyerProcessingError(message, errorCode, userMessage);
+
+      expect(error.toErrorPayload()).toEqual({
+        errorCode,
+        message: userMessage,
+      });
    });
  });

@@ -32,6 +59,7 @@ describe('Processing Errors', () => {
      expect(error.message).toBe(message);
      expect(error.name).toBe('PdfConversionError');
      expect(error.stderr).toBeUndefined();
+      expect(error.errorCode).toBe('PDF_CONVERSION_FAILED');
    });

    it('should store the stderr property if provided', () => {
@@ -42,6 +70,16 @@ describe('Processing Errors', () => {
      expect(error.message).toBe(message);
      expect(error.stderr).toBe(stderr);
    });
+
+    it('should include stderr in the error payload', () => {
+      const message = 'pdftocairo failed.';
+      const stderr = 'pdftocairo: command not found';
+      const error = new PdfConversionError(message, stderr);
+
+      const payload = error.toErrorPayload();
+      expect(payload.errorCode).toBe('PDF_CONVERSION_FAILED');
+      expect(payload.stderr).toBe(stderr);
+    });
  });

  describe('AiDataValidationError', () => {
@@ -58,6 +96,58 @@ describe('Processing Errors', () => {
      expect(error.name).toBe('AiDataValidationError');
      expect(error.validationErrors).toEqual(validationErrors);
      expect(error.rawData).toEqual(rawData);
+      expect(error.errorCode).toBe('AI_VALIDATION_FAILED');
+    });
+
+    it('should include validationErrors and rawData in the error payload', () => {
+      const message = 'AI response validation failed.';
+      const validationErrors = { fieldErrors: { store_name: ['Store name cannot be empty'] } };
+      const rawData = { store_name: '', items: [] };
+      const error = new AiDataValidationError(message, validationErrors, rawData);
+
+      const payload = error.toErrorPayload();
+      expect(payload.errorCode).toBe('AI_VALIDATION_FAILED');
+      expect(payload.validationErrors).toEqual(validationErrors);
+      expect(payload.rawData).toEqual(rawData);
+    });
+  });
+
+  describe('TransformationError', () => {
+    it('should create an error with the correct message and code', () => {
+      const message = 'Transformation failed.';
+      const error = new TransformationError(message);
+
+      expect(error).toBeInstanceOf(FlyerProcessingError);
+      expect(error).toBeInstanceOf(TransformationError);
+      expect(error.message).toBe(message);
+      expect(error.errorCode).toBe('TRANSFORMATION_FAILED');
+      expect(error.userMessage).toBe('There was a problem transforming the flyer data. Please check the input.');
+    });
+  });
+
+  describe('DatabaseError', () => {
+    it('should create an error with the correct message and code', () => {
+      const message = 'DB failed.';
+      const error = new DatabaseError(message);
+
+      expect(error).toBeInstanceOf(FlyerProcessingError);
+      expect(error).toBeInstanceOf(DatabaseError);
+      expect(error.message).toBe(message);
+      expect(error.errorCode).toBe('DATABASE_ERROR');
+      expect(error.userMessage).toBe('A database operation failed. Please try again later.');
+    });
+  });
+
+  describe('ImageConversionError', () => {
+    it('should create an error with the correct message and code', () => {
+      const message = 'Image conversion failed.';
+      const error = new ImageConversionError(message);
+
+      expect(error).toBeInstanceOf(FlyerProcessingError);
+      expect(error).toBeInstanceOf(ImageConversionError);
+      expect(error.message).toBe(message);
+      expect(error.errorCode).toBe('IMAGE_CONVERSION_FAILED');
+      expect(error.userMessage).toBe('The uploaded image could not be processed. It might be corrupt or in an unsupported format.');
    });
  });

@@ -71,6 +161,7 @@ describe('Processing Errors', () => {
      expect(error).toBeInstanceOf(GeocodingFailedError);
      expect(error.message).toBe(message);
      expect(error.name).toBe('GeocodingFailedError');
+      expect(error.errorCode).toBe('GEOCODING_FAILED');
    });
  });

@@ -84,6 +175,7 @@ describe('Processing Errors', () => {
      expect(error).toBeInstanceOf(UnsupportedFileTypeError);
      expect(error.message).toBe(message);
      expect(error.name).toBe('UnsupportedFileTypeError');
+      expect(error.errorCode).toBe('UNSUPPORTED_FILE_TYPE');
    });
  });
 });
--- a/src/services/queueService.server.test.ts
+++ b/src/services/queueService.server.test.ts
@@ -251,6 +251,19 @@ describe('Worker Service Lifecycle', () => {
      expect(processExitSpy).toHaveBeenCalledWith(1);
    });

+    it('should log an error if Redis connection fails to close', async () => {
+      const quitError = new Error('Redis quit failed');
+      mockRedisConnection.quit.mockRejectedValueOnce(quitError);
+
+      await gracefulShutdown('SIGTERM');
+
+      expect(mockLogger.error).toHaveBeenCalledWith(
+        { err: quitError, resource: 'redisConnection' },
+        '[Shutdown] Error closing Redis connection.',
+      );
+      expect(processExitSpy).toHaveBeenCalledWith(1);
+    });
+
    it('should timeout if shutdown takes too long', async () => {
      vi.useFakeTimers();
      // Make one of the close calls hang indefinitely
--- a/src/services/userService.test.ts
+++ b/src/services/userService.test.ts
@@ -7,6 +7,7 @@ import { ValidationError, NotFoundError } from './db/errors.db';
 import { DatabaseError } from './processingErrors';
 import type { Job } from 'bullmq';
 import type { TokenCleanupJobData } from '../types/job-data';
+import { getTestBaseUrl } from '../tests/utils/testHelpers';

 // Un-mock the service under test to ensure we are testing the real implementation,
 // not the global mock from `tests/setup/tests-setup-unit.ts`.
@@ -240,12 +241,12 @@ describe('UserService', () => {
  describe('updateUserAvatar', () => {
    it('should construct avatar URL and update profile', async () => {
      const { logger } = await import('./logger.server');
-      const testBaseUrl = 'http://localhost:3001';
+      const testBaseUrl = getTestBaseUrl();
      vi.stubEnv('FRONTEND_URL', testBaseUrl);

      const userId = 'user-123';
      const file = { filename: 'avatar.jpg' } as Express.Multer.File;
-      const expectedUrl = `${testBaseUrl}/uploads/avatars/avatar.jpg`;
+      const expectedUrl = `${testBaseUrl}/uploads/avatars/${file.filename}`;

      mocks.mockUpdateUserProfile.mockResolvedValue({} as any);

@@ -259,6 +260,33 @@ describe('UserService', () => {

      vi.unstubAllEnvs();
    });
+
+    it('should re-throw NotFoundError if user profile does not exist', async () => {
+      const { logger } = await import('./logger.server');
+      const userId = 'user-not-found';
+      const file = { filename: 'avatar.jpg' } as Express.Multer.File;
+      const notFoundError = new NotFoundError('User not found');
+
+      mocks.mockUpdateUserProfile.mockRejectedValue(notFoundError);
+
+      await expect(userService.updateUserAvatar(userId, file, logger)).rejects.toThrow(
+        NotFoundError,
+      );
+    });
+
+    it('should wrap generic errors in a DatabaseError', async () => {
+      const { logger } = await import('./logger.server');
+      const userId = 'user-123';
+      const file = { filename: 'avatar.jpg' } as Express.Multer.File;
+      const genericError = new Error('DB connection failed');
+
+      mocks.mockUpdateUserProfile.mockRejectedValue(genericError);
+
+      await expect(userService.updateUserAvatar(userId, file, logger)).rejects.toThrow(
+        DatabaseError,
+      );
+      expect(logger.error).toHaveBeenCalledWith(expect.any(Object), `Failed to update user avatar: ${genericError.message}`);
+    });
  });

  describe('updateUserPassword', () => {
@@ -275,6 +303,19 @@ describe('UserService', () => {
      expect(bcrypt.hash).toHaveBeenCalledWith(newPassword, 10);
      expect(mocks.mockUpdateUserPassword).toHaveBeenCalledWith(userId, hashedPassword, logger);
    });
+
+    it('should wrap generic errors in a DatabaseError', async () => {
+      const { logger } = await import('./logger.server');
+      const userId = 'user-123';
+      const newPassword = 'new-password';
+      const genericError = new Error('DB write failed');
+
+      vi.mocked(bcrypt.hash).mockResolvedValue();
+      mocks.mockUpdateUserPassword.mockRejectedValue(genericError);
+
+      await expect(userService.updateUserPassword(userId, newPassword, logger)).rejects.toThrow(DatabaseError);
+      expect(logger.error).toHaveBeenCalledWith(expect.any(Object), `Failed to update user password: ${genericError.message}`);
+    });
  });

  describe('deleteUserAccount', () => {
@@ -317,6 +358,22 @@ describe('UserService', () => {
      ).rejects.toThrow(ValidationError);
      expect(mocks.mockDeleteUserById).not.toHaveBeenCalled();
    });
+
+    it('should wrap generic errors in a DatabaseError', async () => {
+      const { logger } = await import('./logger.server');
+      const userId = 'user-123';
+      const password = 'password';
+      const genericError = new Error('Something went wrong');
+
+      mocks.mockFindUserWithPasswordHashById.mockResolvedValue({
+        user_id: userId,
+        password_hash: 'hashed-password',
+      });
+      vi.mocked(bcrypt.compare).mockRejectedValue(genericError);
+
+      await expect(userService.deleteUserAccount(userId, password, logger)).rejects.toThrow(DatabaseError);
+      expect(logger.error).toHaveBeenCalledWith(expect.any(Object), `Failed to delete user account: ${genericError.message}`);
+    });
  });

  describe('getUserAddress', () => {
@@ -364,5 +421,17 @@ describe('UserService', () => {
      );
      expect(mocks.mockDeleteUserById).not.toHaveBeenCalled();
    });
+
+    it('should wrap generic errors in a DatabaseError', async () => {
+      const { logger } = await import('./logger.server');
+      const deleterId = 'admin-1';
+      const targetId = 'user-2';
+      const genericError = new Error('DB write failed');
+
+      mocks.mockDeleteUserById.mockRejectedValue(genericError);
+
+      await expect(userService.deleteUserAsAdmin(deleterId, targetId, logger)).rejects.toThrow(DatabaseError);
+      expect(logger.error).toHaveBeenCalledWith(expect.any(Object), `Admin failed to delete user account: ${genericError.message}`);
+    });
  });
 });
--- a/src/services/workers.server.test.ts
+++ b/src/services/workers.server.test.ts
@@ -26,6 +26,8 @@ const mocks = vi.hoisted(() => {
      // Return a mock worker instance, though it's not used in this test file.
      return { on: vi.fn(), close: vi.fn() };
    }),
+    fsReaddir: vi.fn(),
+    fsUnlink: vi.fn(),
  };
 });

@@ -51,7 +53,8 @@ vi.mock('./userService', () => ({
 // that the adapter is built from in queueService.server.ts.
 vi.mock('node:fs/promises', () => ({
  default: {
-    // unlink is no longer directly called by the worker
+    readdir: mocks.fsReaddir,
+    unlink: mocks.fsUnlink,
  },
 }));

@@ -279,4 +282,18 @@ describe('Queue Workers', () => {
      await expect(tokenCleanupProcessor(job)).rejects.toThrow(dbError);
    });
  });
+
+  describe('fsAdapter', () => {
+    it('should call fsPromises.readdir', async () => {
+      const { fsAdapter } = await import('./workers.server');
+      await fsAdapter.readdir('/tmp', { withFileTypes: true });
+      expect(mocks.fsReaddir).toHaveBeenCalledWith('/tmp', { withFileTypes: true });
+    });
+
+    it('should call fsPromises.unlink', async () => {
+      const { fsAdapter } = await import('./workers.server');
+      await fsAdapter.unlink('/tmp/file');
+      expect(mocks.fsUnlink).toHaveBeenCalledWith('/tmp/file');
+    });
+  });
 });
--- a/src/services/workers.server.ts
+++ b/src/services/workers.server.ts
@@ -36,7 +36,7 @@ const execAsync = promisify(exec);

 // --- Worker Instantiation ---

-const fsAdapter: IFileSystem = {
+export const fsAdapter: IFileSystem = {
  readdir: (path: string, options: { withFileTypes: true }) => fsPromises.readdir(path, options),
  unlink: (path: string) => fsPromises.unlink(path),
 };
--- a/src/tests/e2e/admin-dashboard.e2e.test.ts
+++ b/src/tests/e2e/admin-dashboard.e2e.test.ts
@@ -3,7 +3,6 @@ import { describe, it, expect, afterAll } from 'vitest';
 import * as apiClient from '../../services/apiClient';
 import { getPool } from '../../services/db/connection.db';
 import { cleanupDb } from '../utils/cleanup';
-import { poll } from '../utils/poll';

 /**
 * @vitest-environment node
@@ -42,20 +41,16 @@ describe('E2E Admin Dashboard Flow', () => {
    ]);

    // 3. Login to get the access token (now with admin privileges)
-    // We poll because the direct DB write above runs in a separate transaction
-    // from the login API call. Due to PostgreSQL's `Read Committed` transaction
-    // isolation, the API might read the user's role before the test's update
-    // transaction is fully committed and visible. Polling makes the test resilient to this race condition.
-    const { response: loginResponse, data: loginData } = await poll(
-      async () => {
-        const response = await apiClient.loginUser(adminEmail, adminPassword, false);
-        // Clone to read body without consuming the original response stream
-        const data = response.ok ? await response.clone().json() : {};
-        return { response, data };
-      },
-      (result) => result.response.ok && result.data?.userprofile?.role === 'admin',
-      { timeout: 10000, interval: 1000, description: 'user login with admin role' },
-    );
+    // We wait briefly to ensure the DB transaction is committed and visible to the API,
+    // and to provide a buffer for any rate limits from previous tests.
+    await new Promise((resolve) => setTimeout(resolve, 2000));
+
+    const loginResponse = await apiClient.loginUser(adminEmail, adminPassword, false);
+    if (!loginResponse.ok) {
+      const errorText = await loginResponse.text();
+      throw new Error(`Failed to log in as admin: ${loginResponse.status} ${errorText}`);
+    }
+    const loginData = await loginResponse.json();

    expect(loginResponse.status).toBe(200);
    authToken = loginData.token;
--- a/src/tests/e2e/auth.e2e.test.ts
+++ b/src/tests/e2e/auth.e2e.test.ts
@@ -182,17 +182,11 @@ describe('Authentication E2E Flow', () => {
        { timeout: 10000, interval: 1000, description: 'user login after registration' },
      );

-      // Poll for the password reset token.
-      const { response: forgotResponse, token: resetToken } = await poll(
-        async () => {
-          const response = await apiClient.requestPasswordReset(email);
-          // Clone to read body without consuming the original response stream
-          const data = response.ok ? await response.clone().json() : {};
-          return { response, token: data.token };
-        },
-        (result) => !!result.token,
-        { timeout: 10000, interval: 1000, description: 'password reset token generation' },
-      );
+      // Request password reset (do not poll, as this endpoint is rate-limited)
+      const forgotResponse = await apiClient.requestPasswordReset(email);
+      expect(forgotResponse.status).toBe(200);
+      const forgotData = await forgotResponse.json();
+      const resetToken = forgotData.token;

      // Assert 1: Check that we received a token.
      expect(resetToken, 'Backend returned 200 but no token. Check backend logs for "Connection terminated" errors.').toBeDefined();
@@ -217,8 +211,18 @@ describe('Authentication E2E Flow', () => {
    });

    it('should return a generic success message for a non-existent email to prevent enumeration', async () => {
+      // Add a small delay to ensure we don't hit the rate limit (5 RPM) if tests run too fast
+      await new Promise((resolve) => setTimeout(resolve, 2000));
+
      const nonExistentEmail = `non-existent-e2e-${Date.now()}@example.com`;
      const response = await apiClient.requestPasswordReset(nonExistentEmail);
+
+      // Check for rate limiting or other errors before parsing JSON to avoid SyntaxError
+      if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Request failed with status ${response.status}: ${text}`);
+      }
+
      const data = await response.json();
      expect(response.status).toBe(200);
      expect(data.message).toBe('If an account with that email exists, a password reset link has been sent.');
@@ -240,6 +244,10 @@ describe('Authentication E2E Flow', () => {
      // A typical Set-Cookie header might be 'refreshToken=...; Path=/; HttpOnly; Max-Age=...'. We just need the 'refreshToken=...' part.
      const refreshTokenCookie = setCookieHeader!.split(';')[0];

+      // Wait for >1 second to ensure the 'iat' (Issued At) claim in the new JWT changes.
+      // JWT timestamps have second-level precision.
+      await new Promise((resolve) => setTimeout(resolve, 1100));
+
      // 3. Call the refresh token endpoint, passing the cookie.
      // This assumes a new method in apiClient to handle this specific request.
      const refreshResponse = await apiClient.refreshToken(refreshTokenCookie);
--- a/src/tests/integration/admin.integration.test.ts
+++ b/src/tests/integration/admin.integration.test.ts
@@ -1,18 +1,17 @@
 // src/tests/integration/admin.integration.test.ts
-import { describe, it, expect, beforeAll, beforeEach, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, beforeEach, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import { getPool } from '../../services/db/connection.db';
 import type { UserProfile } from '../../types';
-import { createAndLoginUser } from '../utils/testHelpers';
+import { createAndLoginUser, TEST_EXAMPLE_DOMAIN } from '../utils/testHelpers';
 import { cleanupDb } from '../utils/cleanup';

 /**
 * @vitest-environment node
 */
-const request = supertest(app);

 describe('Admin API Routes Integration Tests', () => {
+  let request: ReturnType<typeof supertest>;
  let adminToken: string;
  let adminUser: UserProfile;
  let regularUser: UserProfile;
@@ -21,6 +20,10 @@ describe('Admin API Routes Integration Tests', () => {
  const createdStoreIds: number[] = [];

  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // Create a fresh admin user and a regular user for this test suite
    // Using unique emails to prevent test pollution from other integration test files.
    ({ user: adminUser, token: adminToken } = await createAndLoginUser({
@@ -40,6 +43,7 @@ describe('Admin API Routes Integration Tests', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    await cleanupDb({
      userIds: createdUserIds,
      storeIds: createdStoreIds,
@@ -164,7 +168,7 @@ describe('Admin API Routes Integration Tests', () => {
    beforeEach(async () => {
      const flyerRes = await getPool().query(
        `INSERT INTO public.flyers (store_id, file_name, image_url, icon_url, item_count, checksum) 
-         VALUES ($1, 'admin-test.jpg', 'https://example.com/flyer-images/asdmin-test.jpg', 'https://example.com/flyer-images/icons/admin-test.jpg', 1, $2) RETURNING flyer_id`,
+         VALUES ($1, 'admin-test.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/asdmin-test.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/icons/admin-test.jpg', 1, $2) RETURNING flyer_id`,
        // The checksum must be a unique 64-character string to satisfy the DB constraint.
        // We generate a dynamic string and pad it to 64 characters.
        [testStoreId, `checksum-${Date.now()}-${Math.random()}`.padEnd(64, '0')],
--- a/src/tests/integration/ai.integration.test.ts
+++ b/src/tests/integration/ai.integration.test.ts
@@ -1,7 +1,6 @@
 // src/tests/integration/ai.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import fs from 'node:fs/promises';
 import path from 'path';
 import { createAndLoginUser } from '../utils/testHelpers';
@@ -12,8 +11,6 @@ import { cleanupFiles } from '../utils/cleanupFiles';
 * @vitest-environment node
 */

-const request = supertest(app);
-
 interface TestGeolocationCoordinates {
  latitude: number;
  longitude: number;
@@ -26,10 +23,15 @@ interface TestGeolocationCoordinates {
 }

 describe('AI API Routes Integration Tests', () => {
+  let request: ReturnType<typeof supertest>;
  let authToken: string;
  let testUserId: string;

  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // Create and log in as a new user for authenticated tests.
    const { token, user } = await createAndLoginUser({ fullName: 'AI Tester', request });
    authToken = token;
@@ -37,6 +39,7 @@ describe('AI API Routes Integration Tests', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    // 1. Clean up database records
    await cleanupDb({ userIds: [testUserId] });

@@ -193,4 +196,31 @@ describe('AI API Routes Integration Tests', () => {
      .send({ text: 'a test prompt' });
    expect(response.status).toBe(501);
  });
+
+  describe('Rate Limiting', () => {
+    it('should block requests to /api/ai/quick-insights after exceeding the limit', async () => {
+      const limit = 20; // Matches aiGenerationLimiter config
+      const items = [{ item: 'test' }];
+
+      // Send requests up to the limit
+      for (let i = 0; i < limit; i++) {
+        const response = await request
+          .post('/api/ai/quick-insights')
+          .set('Authorization', `Bearer ${authToken}`)
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .send({ items });
+        expect(response.status).toBe(200);
+      }
+
+      // The next request should be blocked
+      const blockedResponse = await request
+        .post('/api/ai/quick-insights')
+        .set('Authorization', `Bearer ${authToken}`)
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ items });
+
+      expect(blockedResponse.status).toBe(429);
+      expect(blockedResponse.text).toContain('Too many AI generation requests');
+    });
+  });
 });
--- a/src/tests/integration/auth.integration.test.ts
+++ b/src/tests/integration/auth.integration.test.ts
@@ -1,7 +1,6 @@
 // src/tests/integration/auth.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import { createAndLoginUser, TEST_PASSWORD } from '../utils/testHelpers';
 import { cleanupDb } from '../utils/cleanup';
 import type { UserProfile } from '../../types';
@@ -10,8 +9,6 @@ import type { UserProfile } from '../../types';
 * @vitest-environment node
 */

-const request = supertest(app);
-
 /**
 * These are integration tests that verify the authentication flow against a running backend server.
 * Make sure your Express server is running before executing these tests.
@@ -19,11 +16,16 @@ const request = supertest(app);
 * To run only these tests: `vitest run src/tests/auth.integration.test.ts`
 */
 describe('Authentication API Integration', () => {
+  let request: ReturnType<typeof supertest>;
  let testUserEmail: string;
  let testUser: UserProfile;
  const createdUserIds: string[] = [];

  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // Use a unique email for this test suite to prevent collisions with other tests.
    const email = `auth-integration-test-${Date.now()}@example.com`;
    ({ user: testUser } = await createAndLoginUser({ email, fullName: 'Auth Test User', request }));
@@ -32,6 +34,7 @@ describe('Authentication API Integration', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    await cleanupDb({ userIds: createdUserIds });
  });

@@ -172,22 +175,26 @@ describe('Authentication API Integration', () => {
  });

  describe('Rate Limiting', () => {
-    // This test requires the `skip: () => isTestEnv` line in the `forgotPasswordLimiter`
-    // configuration within `src/routes/auth.routes.ts` to be commented out or removed.
    it('should block requests to /forgot-password after exceeding the limit', async () => {
      const email = testUserEmail; // Use the user created in beforeAll
      const limit = 5; // Based on the configuration in auth.routes.ts

      // Send requests up to the limit. These should all pass.
      for (let i = 0; i < limit; i++) {
-        const response = await request.post('/api/auth/forgot-password').send({ email });
+        const response = await request
+          .post('/api/auth/forgot-password')
+          .set('X-Test-Rate-Limit-Enable', 'true')
+          .send({ email });

        // The endpoint returns 200 even for non-existent users to prevent email enumeration.
        expect(response.status).toBe(200);
      }

      // The next request (the 6th one) should be blocked.
-      const blockedResponse = await request.post('/api/auth/forgot-password').send({ email });
+      const blockedResponse = await request
+        .post('/api/auth/forgot-password')
+        .set('X-Test-Rate-Limit-Enable', 'true')
+        .send({ email });

      expect(blockedResponse.status).toBe(429);
      expect(blockedResponse.text).toContain(
--- a/src/tests/integration/budget.integration.test.ts
+++ b/src/tests/integration/budget.integration.test.ts
@@ -1,7 +1,6 @@
 // src/tests/integration/budget.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import { createAndLoginUser } from '../utils/testHelpers';
 import { cleanupDb } from '../utils/cleanup';
 import type { UserProfile, Budget } from '../../types';
@@ -11,9 +10,8 @@ import { getPool } from '../../services/db/connection.db';
 * @vitest-environment node
 */

-const request = supertest(app);
-
 describe('Budget API Routes Integration Tests', () => {
+  let request: ReturnType<typeof supertest>;
  let testUser: UserProfile;
  let authToken: string;
  let testBudget: Budget;
@@ -21,6 +19,10 @@ describe('Budget API Routes Integration Tests', () => {
  const createdBudgetIds: number[] = [];

  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // 1. Create a user for the tests
    const { user, token } = await createAndLoginUser({
      email: `budget-user-${Date.now()}@example.com`,
@@ -50,6 +52,7 @@ describe('Budget API Routes Integration Tests', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    // Clean up all created resources
    await cleanupDb({
      userIds: createdUserIds,
--- a/src/tests/integration/flyer-processing.integration.test.ts
+++ b/src/tests/integration/flyer-processing.integration.test.ts
@@ -1,7 +1,6 @@
 // src/tests/integration/flyer-processing.integration.test.ts
 import { describe, it, expect, beforeAll, afterAll, vi, beforeEach } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import fs from 'node:fs/promises';
 import path from 'path';
 import * as db from '../../services/db/index.db';
@@ -16,28 +15,20 @@ import { cleanupFiles } from '../utils/cleanupFiles';
 import piexif from 'piexifjs';
 import exifParser from 'exif-parser';
 import sharp from 'sharp';
+// FIX: Import the singleton instance directly to spy on it
+import { aiService } from '../../services/aiService.server';


 /**
 * @vitest-environment node
 */

-const request = supertest(app);
-
 const { mockExtractCoreData } = vi.hoisted(() => ({
  mockExtractCoreData: vi.fn(),
 }));

-// Mock the AI service to prevent real API calls during integration tests.
-// This is crucial for making the tests reliable and fast. We don't want to
-// depend on the external Gemini API.
-vi.mock('../../services/aiService.server', async (importOriginal) => {
-  const actual = await importOriginal<typeof import('../../services/aiService.server')>();
-  // To preserve the class instance methods of `aiService`, we must modify the
-  // instance directly rather than creating a new plain object with spread syntax.
-  actual.aiService.extractCoreDataFromFlyerImage = mockExtractCoreData;
-  return actual;
-});
+// REMOVED: vi.mock('../../services/aiService.server', ...)
+// The previous mock was not effectively intercepting the singleton instance used by the worker.

 // Mock the main DB service to allow for simulating transaction failures.
 // By default, it will use the real implementation.
@@ -50,6 +41,7 @@ vi.mock('../../services/db/index.db', async (importOriginal) => {
 });

 describe('Flyer Processing Background Job Integration Test', () => {
+  let request: ReturnType<typeof supertest>;
  const createdUserIds: string[] = [];
  const createdFlyerIds: number[] = [];
  const createdFilePaths: string[] = [];
@@ -57,19 +49,30 @@ describe('Flyer Processing Background Job Integration Test', () => {
  beforeAll(async () => {
    // FIX: Stub FRONTEND_URL to ensure valid absolute URLs (http://...) are generated
    // for the database, satisfying the 'url_check' constraint.
-    vi.stubEnv('FRONTEND_URL', 'http://localhost:3000');
+    // IMPORTANT: This must run BEFORE the app is imported so workers inherit the env var.
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    console.log('[TEST SETUP] FRONTEND_URL stubbed to:', process.env.FRONTEND_URL);
+
+    // FIX: Spy on the actual singleton instance. This ensures that when the worker
+    // imports 'aiService', it gets the instance we are controlling here.
+    vi.spyOn(aiService, 'extractCoreDataFromFlyerImage').mockImplementation(mockExtractCoreData);
+
+    const appModule = await import('../../../server');
+    const app = appModule.default;
+    request = supertest(app);
  });

  // FIX: Reset mocks before each test to ensure isolation.
  // This prevents "happy path" mocks from leaking into error handling tests and vice versa.
  beforeEach(async () => {
+    console.log('[TEST SETUP] Resetting mocks before test execution');
    // 1. Reset AI Service Mock to default success state
    mockExtractCoreData.mockReset();
    mockExtractCoreData.mockResolvedValue({
      store_name: 'Mock Store',
-      valid_from: null,
-      valid_to: null,
-      store_address: null,
+      valid_from: '2025-01-01',
+      valid_to: '2025-01-07',
+      store_address: '123 Mock St',
      items: [
        {
          item: 'Mocked Integration Item',
@@ -91,6 +94,7 @@ describe('Flyer Processing Background Job Integration Test', () => {

  afterAll(async () => {
    vi.unstubAllEnvs(); // Clean up env stubs
+    vi.restoreAllMocks(); // Restore the AI spy

    // Use the centralized cleanup utility.
    await cleanupDb({
@@ -107,7 +111,10 @@ describe('Flyer Processing Background Job Integration Test', () => {
   * It uploads a file, polls for completion, and verifies the result in the database.
   */
  const runBackgroundProcessingTest = async (user?: UserProfile, token?: string) => {
+    console.log(`[TEST START] runBackgroundProcessingTest. User: ${user?.user.email ?? 'ANONYMOUS'}`);
    // Arrange: Load a mock flyer PDF.
+    console.log('[TEST] about to read test-flyer-image.jpg')
+
    const imagePath = path.resolve(__dirname, '../assets/test-flyer-image.jpg');
    const imageBuffer = await fs.readFile(imagePath);
    // Create a unique buffer and filename for each test run to ensure a unique checksum.
@@ -116,26 +123,34 @@ describe('Flyer Processing Background Job Integration Test', () => {
    const uniqueFileName = `test-flyer-image-${Date.now()}.jpg`;
    const mockImageFile = new File([new Uint8Array(uniqueContent)], uniqueFileName, { type: 'image/jpeg' });
    const checksum = await generateFileChecksum(mockImageFile);
+    console.log('[TEST] mockImageFile created with uniqueFileName: ', uniqueFileName)
+    console.log('[TEST DATA] Generated checksum for test:', checksum);

    // Track created files for cleanup
    const uploadDir = path.resolve(__dirname, '../../../flyer-images');
    createdFilePaths.push(path.join(uploadDir, uniqueFileName));
+    console.log('[TEST] createdFilesPaths after 1st push: ', createdFilePaths)
    // The icon name is derived from the original filename.
    const iconFileName = `icon-${path.parse(uniqueFileName).name}.webp`;
    createdFilePaths.push(path.join(uploadDir, 'icons', iconFileName));

    // Act 1: Upload the file to start the background job.
+    const testBaseUrl = 'https://example.com';
+    console.log('[TEST ACTION] Uploading file with baseUrl:', testBaseUrl);
+
    const uploadReq = request
      .post('/api/ai/upload-and-process')
      .field('checksum', checksum)
      // Pass the baseUrl directly in the form data to ensure the worker receives it,
      // bypassing issues with vi.stubEnv in multi-threaded test environments.
-      .field('baseUrl', 'http://localhost:3000')
+      .field('baseUrl', testBaseUrl)
      .attach('flyerFile', uniqueContent, uniqueFileName);
    if (token) {
      uploadReq.set('Authorization', `Bearer ${token}`);
    }
    const uploadResponse = await uploadReq;
+    console.log('[TEST RESPONSE] Upload status:', uploadResponse.status);
+    console.log('[TEST RESPONSE] Upload body:', JSON.stringify(uploadResponse.body));
    const { jobId } = uploadResponse.body;

    // Assert 1: Check that a job ID was returned.
@@ -149,6 +164,7 @@ describe('Flyer Processing Background Job Integration Test', () => {
          statusReq.set('Authorization', `Bearer ${token}`);
        }
        const statusResponse = await statusReq;
+        console.log(`[TEST POLL] Job ${jobId} current state:`, statusResponse.body?.state);
        return statusResponse.body;
      },
      (status) => status.state === 'completed' || status.state === 'failed',
@@ -248,7 +264,7 @@ describe('Flyer Processing Background Job Integration Test', () => {
      const uploadResponse = await request
        .post('/api/ai/upload-and-process')
        .set('Authorization', `Bearer ${token}`)
-        .field('baseUrl', 'http://localhost:3000')
+        .field('baseUrl', 'https://example.com')
        .field('checksum', checksum)
        .attach('flyerFile', imageWithExifBuffer, uniqueFileName);

@@ -287,6 +303,10 @@ describe('Flyer Processing Background Job Integration Test', () => {
      const parser = exifParser.create(savedImageBuffer);
      const exifResult = parser.parse();

+      console.log('[TEST] savedImagePath during EXIF data stripping: ', savedImagePath)
+      console.log('[TEST] exifResult.tags: ', exifResult.tags)
+
+
      // The `tags` object will be empty if no EXIF data is found.
      expect(exifResult.tags).toEqual({});
      expect(exifResult.tags.Software).toBeUndefined();
@@ -333,7 +353,7 @@ describe('Flyer Processing Background Job Integration Test', () => {
      const uploadResponse = await request
        .post('/api/ai/upload-and-process')
        .set('Authorization', `Bearer ${token}`)
-        .field('baseUrl', 'http://localhost:3000')
+        .field('baseUrl', 'https://example.com')
        .field('checksum', checksum)
        .attach('flyerFile', imageWithMetadataBuffer, uniqueFileName);

@@ -368,6 +388,9 @@ describe('Flyer Processing Background Job Integration Test', () => {
      const savedImagePath = path.join(uploadDir, path.basename(savedFlyer!.image_url));
      createdFilePaths.push(savedImagePath); // Add final path for cleanup

+      console.log('[TEST] savedImagePath during PNG metadata stripping: ', savedImagePath)
+
+
      const savedImageMetadata = await sharp(savedImagePath).metadata();

      // The test should fail here initially because PNGs are not processed.
@@ -375,6 +398,7 @@ describe('Flyer Processing Background Job Integration Test', () => {
      expect(savedImageMetadata.exif).toBeUndefined();
    },
    240000,
+
  );

 it(
@@ -382,6 +406,7 @@ it(
    async () => {
      // Arrange: Mock the AI service to throw an error for this specific test.
      const aiError = new Error('AI model failed to extract data.');
+      // Update the spy implementation to reject
      mockExtractCoreData.mockRejectedValue(aiError);

      // Arrange: Prepare a unique flyer file for upload.
@@ -399,7 +424,7 @@ it(
      // Act 1: Upload the file to start the background job.
      const uploadResponse = await request
        .post('/api/ai/upload-and-process')
-        .field('baseUrl', 'http://localhost:3000')
+        .field('baseUrl', 'https://example.com')
        .field('checksum', checksum)
        .attach('flyerFile', uniqueContent, uniqueFileName);

@@ -451,7 +476,7 @@ it(
      // Act 1: Upload the file to start the background job.
      const uploadResponse = await request
        .post('/api/ai/upload-and-process')
-        .field('baseUrl', 'http://localhost:3000')
+        .field('baseUrl', 'https://example.com')
        .field('checksum', checksum)
        .attach('flyerFile', uniqueContent, uniqueFileName);

@@ -505,7 +530,7 @@ it(
      // Act 1: Upload the file to start the background job.
      const uploadResponse = await request
        .post('/api/ai/upload-and-process')
-        .field('baseUrl', 'http://localhost:3000')
+        .field('baseUrl', 'https://example.com')
        .field('checksum', checksum)
        .attach('flyerFile', uniqueContent, uniqueFileName);

@@ -531,6 +556,7 @@ it(
      await expect(fs.access(tempFilePath), 'Expected temporary file to exist after job failure, but it was deleted.');
    },
    240000,
+
  );

 });
--- a/src/tests/integration/flyer.integration.test.ts
+++ b/src/tests/integration/flyer.integration.test.ts
@@ -1,10 +1,10 @@
 // src/tests/integration/flyer.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
 import { getPool } from '../../services/db/connection.db';
-import app from '../../../server';
 import type { Flyer, FlyerItem } from '../../types';
 import { cleanupDb } from '../utils/cleanup';
+import { TEST_EXAMPLE_DOMAIN } from '../utils/testHelpers';

 /**
 * @vitest-environment node
@@ -13,12 +13,16 @@ import { cleanupDb } from '../utils/cleanup';
 describe('Public Flyer API Routes Integration Tests', () => {
  let flyers: Flyer[] = [];
  // Use a supertest instance for all requests in this file
-  const request = supertest(app);
+  let request: ReturnType<typeof supertest>;
  let testStoreId: number;
  let createdFlyerId: number;

  // Fetch flyers once before all tests in this suite to use in subsequent tests.
  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // Ensure at least one flyer exists
    const storeRes = await getPool().query(
      `INSERT INTO public.stores (name) VALUES ('Integration Test Store') RETURNING store_id`,
@@ -27,7 +31,7 @@ describe('Public Flyer API Routes Integration Tests', () => {

    const flyerRes = await getPool().query(
      `INSERT INTO public.flyers (store_id, file_name, image_url, icon_url, item_count, checksum) 
-       VALUES ($1, 'integration-test.jpg', 'https://example.com/flyer-images/integration-test.jpg', 'https://example.com/flyer-images/icons/integration-test.jpg', 1, $2) RETURNING flyer_id`,
+       VALUES ($1, 'integration-test.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/integration-test.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/icons/integration-test.jpg', 1, $2) RETURNING flyer_id`,
      [testStoreId, `${Date.now().toString(16)}`.padEnd(64, '0')],
    );
    createdFlyerId = flyerRes.rows[0].flyer_id;
@@ -44,6 +48,7 @@ describe('Public Flyer API Routes Integration Tests', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    // Clean up the test data created in beforeAll to prevent polluting the test database.
    await cleanupDb({
      flyerIds: [createdFlyerId],
--- a/src/tests/integration/gamification.integration.test.ts
+++ b/src/tests/integration/gamification.integration.test.ts
@@ -1,11 +1,10 @@
 // src/tests/integration/gamification.integration.test.ts
 import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import path from 'path';
 import fs from 'node:fs/promises';
 import { getPool } from '../../services/db/connection.db';
-import { createAndLoginUser } from '../utils/testHelpers';
+import { createAndLoginUser, getTestBaseUrl } from '../utils/testHelpers';
 import { generateFileChecksum } from '../../utils/checksum';
 import * as db from '../../services/db/index.db';
 import { cleanupDb } from '../utils/cleanup';
@@ -26,8 +25,6 @@ import { cleanupFiles } from '../utils/cleanupFiles';
 * @vitest-environment node
 */

-const request = supertest(app);
-
 const { mockExtractCoreData } = vi.hoisted(() => ({
  mockExtractCoreData: vi.fn(),
 }));
@@ -53,6 +50,7 @@ vi.mock('../../utils/imageProcessor', async () => {
 });

 describe('Gamification Flow Integration Test', () => {
+  let request: ReturnType<typeof supertest>;
  let testUser: UserProfile;
  let authToken: string;
  const createdFlyerIds: number[] = [];
@@ -60,6 +58,12 @@ describe('Gamification Flow Integration Test', () => {
  const createdStoreIds: number[] = [];

  beforeAll(async () => {
+    // Stub environment variables for URL generation in the background worker.
+    // This needs to be in beforeAll to ensure it's set before any code that might use it is imported.
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // Create a new user specifically for this test suite to ensure a clean slate.
    ({ user: testUser, token: authToken } = await createAndLoginUser({
      email: `gamification-user-${Date.now()}@example.com`,
@@ -67,10 +71,6 @@ describe('Gamification Flow Integration Test', () => {
      request,
    }));

-    // Stub environment variables for URL generation in the background worker.
-    // This needs to be in beforeAll to ensure it's set before any code that might use it is imported.
-    vi.stubEnv('FRONTEND_URL', 'http://localhost:3001');
-
    // Setup default mock response for the AI service's extractCoreDataFromFlyerImage method.
    mockExtractCoreData.mockResolvedValue({
      store_name: 'Gamification Test Store',
@@ -90,6 +90,7 @@ describe('Gamification Flow Integration Test', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    await cleanupDb({
      userIds: testUser ? [testUser.user.user_id] : [],
      flyerIds: createdFlyerIds,
@@ -120,6 +121,7 @@ describe('Gamification Flow Integration Test', () => {
        .post('/api/ai/upload-and-process')
        .set('Authorization', `Bearer ${authToken}`)
        .field('checksum', checksum)
+        .field('baseUrl', 'https://example.com')
        .attach('flyerFile', uniqueContent, uniqueFileName);

      const { jobId } = uploadResponse.body;
@@ -215,7 +217,7 @@ describe('Gamification Flow Integration Test', () => {
        checksum: checksum,
        extractedData: {
          store_name: storeName,
-          items: [{ item: 'Legacy Milk', price_in_cents: 250 }],
+          items: [{ item: 'Legacy Milk', price_in_cents: 250, price_display: '$2.50' }],
        },
      };

@@ -253,7 +255,8 @@ describe('Gamification Flow Integration Test', () => {
      // 8. Assert that the URLs are fully qualified.
      expect(savedFlyer.image_url).to.equal(newFlyer.image_url);
      expect(savedFlyer.icon_url).to.equal(newFlyer.icon_url);
-      expect(newFlyer.image_url).toContain('http://localhost:3001/flyer-images/');
+      const expectedBaseUrl = 'https://example.com';
+      expect(newFlyer.image_url).toContain(`${expectedBaseUrl}/flyer-images/`);
    });
  });
 });
--- a/src/tests/integration/notification.integration.test.ts
+++ b/src/tests/integration/notification.integration.test.ts
@@ -1,7 +1,6 @@
 // src/tests/integration/notification.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import { createAndLoginUser } from '../utils/testHelpers';
 import { cleanupDb } from '../utils/cleanup';
 import type { UserProfile, Notification } from '../../types';
@@ -11,14 +10,17 @@ import { getPool } from '../../services/db/connection.db';
 * @vitest-environment node
 */

-const request = supertest(app);
-
 describe('Notification API Routes Integration Tests', () => {
+  let request: ReturnType<typeof supertest>;
  let testUser: UserProfile;
  let authToken: string;
  const createdUserIds: string[] = [];

  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // 1. Create a user for the tests
    const { user, token } = await createAndLoginUser({
      email: `notification-user-${Date.now()}@example.com`,
@@ -46,6 +48,7 @@ describe('Notification API Routes Integration Tests', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    // Notifications are deleted via CASCADE when the user is deleted.
    await cleanupDb({
      userIds: createdUserIds,
--- a/src/tests/integration/price.integration.test.ts
+++ b/src/tests/integration/price.integration.test.ts
@@ -1,16 +1,20 @@
 // src/tests/integration/price.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import { getPool } from '../../services/db/connection.db';
+import { TEST_EXAMPLE_DOMAIN, createAndLoginUser } from '../utils/testHelpers';
+import { cleanupDb } from '../utils/cleanup';
+import type { UserProfile } from '../../types';

 /**
 * @vitest-environment node
 */

-const request = supertest(app);
-
 describe('Price History API Integration Test (/api/price-history)', () => {
+  let request: ReturnType<typeof supertest>;
+  let authToken: string;
+  let testUser: UserProfile;
+  const createdUserIds: string[] = [];
  let masterItemId: number;
  let storeId: number;
  let flyerId1: number;
@@ -18,6 +22,19 @@ describe('Price History API Integration Test (/api/price-history)', () => {
  let flyerId3: number;

  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
+    // Create a user for the tests
+    const email = `price-test-${Date.now()}@example.com`;
+    ({ user: testUser, token: authToken } = await createAndLoginUser({
+      email,
+      fullName: 'Price Test User',
+      request,
+    }));
+    createdUserIds.push(testUser.user.user_id);
+
    const pool = getPool();

    // 1. Create a master grocery item
@@ -35,21 +52,21 @@ describe('Price History API Integration Test (/api/price-history)', () => {
    // 3. Create two flyers with different dates
    const flyerRes1 = await pool.query(
      `INSERT INTO public.flyers (store_id, file_name, image_url, icon_url, item_count, checksum, valid_from) 
-       VALUES ($1, 'price-test-1.jpg', 'https://example.com/flyer-images/price-test-1.jpg', 'https://example.com/flyer-images/icons/price-test-1.jpg', 1, $2, '2025-01-01') RETURNING flyer_id`,
+       VALUES ($1, 'price-test-1.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/price-test-1.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/icons/price-test-1.jpg', 1, $2, '2025-01-01') RETURNING flyer_id`,
      [storeId, `${Date.now().toString(16)}1`.padEnd(64, '0')],
    );
    flyerId1 = flyerRes1.rows[0].flyer_id;

    const flyerRes2 = await pool.query(
      `INSERT INTO public.flyers (store_id, file_name, image_url, icon_url, item_count, checksum, valid_from) 
-       VALUES ($1, 'price-test-2.jpg', 'https://example.com/flyer-images/price-test-2.jpg', 'https://example.com/flyer-images/icons/price-test-2.jpg', 1, $2, '2025-01-08') RETURNING flyer_id`,
+       VALUES ($1, 'price-test-2.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/price-test-2.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/icons/price-test-2.jpg', 1, $2, '2025-01-08') RETURNING flyer_id`,
      [storeId, `${Date.now().toString(16)}2`.padEnd(64, '0')],
    );
    flyerId2 = flyerRes2.rows[0].flyer_id; // This was a duplicate, fixed.

    const flyerRes3 = await pool.query(
      `INSERT INTO public.flyers (store_id, file_name, image_url, icon_url, item_count, checksum, valid_from) 
-       VALUES ($1, 'price-test-3.jpg', 'https://example.com/flyer-images/price-test-3.jpg', 'https://example.com/flyer-images/icons/price-test-3.jpg', 1, $2, '2025-01-15') RETURNING flyer_id`,
+       VALUES ($1, 'price-test-3.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/price-test-3.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/icons/price-test-3.jpg', 1, $2, '2025-01-15') RETURNING flyer_id`,
      [storeId, `${Date.now().toString(16)}3`.padEnd(64, '0')],
    );
    flyerId3 = flyerRes3.rows[0].flyer_id;
@@ -70,6 +87,8 @@ describe('Price History API Integration Test (/api/price-history)', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
+    await cleanupDb({ userIds: createdUserIds });
    const pool = getPool();
    // The CASCADE on the tables should handle flyer_items.
    // The delete on flyers cascades to flyer_items, which fires a trigger `recalculate_price_history_on_flyer_item_delete`.
@@ -93,7 +112,9 @@ describe('Price History API Integration Test (/api/price-history)', () => {
  });

  it('should return the correct price history for a given master item ID', async () => {
-    const response = await request.post('/api/price-history').send({ masterItemIds: [masterItemId] });
+    const response = await request.post('/api/price-history')
+      .set('Authorization', `Bearer ${authToken}`)
+      .send({ masterItemIds: [masterItemId] });

    expect(response.status).toBe(200);
    expect(response.body).toBeInstanceOf(Array);
@@ -107,6 +128,7 @@ describe('Price History API Integration Test (/api/price-history)', () => {
  it('should respect the limit parameter', async () => {
    const response = await request
      .post('/api/price-history')
+      .set('Authorization', `Bearer ${authToken}`)
      .send({ masterItemIds: [masterItemId], limit: 2 });

    expect(response.status).toBe(200);
@@ -118,6 +140,7 @@ describe('Price History API Integration Test (/api/price-history)', () => {
  it('should respect the offset parameter', async () => {
    const response = await request
      .post('/api/price-history')
+      .set('Authorization', `Bearer ${authToken}`)
      .send({ masterItemIds: [masterItemId], limit: 2, offset: 1 });

    expect(response.status).toBe(200);
@@ -127,7 +150,9 @@ describe('Price History API Integration Test (/api/price-history)', () => {
  });

  it('should return price history sorted by date in ascending order', async () => {
-    const response = await request.post('/api/price-history').send({ masterItemIds: [masterItemId] });
+    const response = await request.post('/api/price-history')
+      .set('Authorization', `Bearer ${authToken}`)
+      .send({ masterItemIds: [masterItemId] });

    expect(response.status).toBe(200);
    const history = response.body;
@@ -142,7 +167,9 @@ describe('Price History API Integration Test (/api/price-history)', () => {
  });

  it('should return an empty array for a master item ID with no price history', async () => {
-    const response = await request.post('/api/price-history').send({ masterItemIds: [999999] });
+    const response = await request.post('/api/price-history')
+      .set('Authorization', `Bearer ${authToken}`)
+      .send({ masterItemIds: [999999] });
    expect(response.status).toBe(200);
    expect(response.body).toEqual([]);
  });
--- a/src/tests/integration/public.routes.integration.test.ts
+++ b/src/tests/integration/public.routes.integration.test.ts
@@ -1,7 +1,6 @@
 // src/tests/integration/public.routes.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import type {
  Flyer,
  FlyerItem,
@@ -14,22 +13,25 @@ import type {
 import { getPool } from '../../services/db/connection.db';
 import { cleanupDb } from '../utils/cleanup';
 import { poll } from '../utils/poll';
-import { createAndLoginUser } from '../utils/testHelpers';
+import { createAndLoginUser, TEST_EXAMPLE_DOMAIN } from '../utils/testHelpers';

 /**
 * @vitest-environment node
 */

-const request = supertest(app);
-
 describe('Public API Routes Integration Tests', () => {
  // Shared state for tests
+  let request: ReturnType<typeof supertest>;
  let testUser: UserProfile;
  let testRecipe: Recipe;
  let testFlyer: Flyer;
  let testStoreId: number;

  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    const pool = getPool();
    // Create a user to own the recipe
    const userEmail = `public-routes-user-${Date.now()}@example.com`;
@@ -64,7 +66,7 @@ describe('Public API Routes Integration Tests', () => {
    testStoreId = storeRes.rows[0].store_id;
    const flyerRes = await pool.query(
      `INSERT INTO public.flyers (store_id, file_name, image_url, icon_url, item_count, checksum) 
-       VALUES ($1, 'public-routes-test.jpg', 'https://example.com/flyer-images/public-routes-test.jpg', 'https://example.com/flyer-images/icons/public-routes-test.jpg', 1, $2) RETURNING *`,
+       VALUES ($1, 'public-routes-test.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/public-routes-test.jpg', '${TEST_EXAMPLE_DOMAIN}/flyer-images/icons/public-routes-test.jpg', 1, $2) RETURNING *`,
      [testStoreId, `${Date.now().toString(16)}`.padEnd(64, '0')],
    );
    testFlyer = flyerRes.rows[0];
@@ -77,6 +79,7 @@ describe('Public API Routes Integration Tests', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    await cleanupDb({
      userIds: testUser ? [testUser.user.user_id] : [],
      recipeIds: testRecipe ? [testRecipe.recipe_id] : [],
@@ -221,4 +224,29 @@ describe('Public API Routes Integration Tests', () => {
      expect(appliances[0]).toHaveProperty('appliance_id');
    });
  });
+
+  describe('Rate Limiting on Public Routes', () => {
+    it('should block requests to /api/personalization/master-items after exceeding the limit', async () => {
+      // The limit might be higher than 5. We loop enough times to ensure we hit the rate limit.
+      const maxRequests = 120; // Increased to ensure we hit the limit (likely 60 or 100)
+      let blockedResponse: any;
+
+      for (let i = 0; i < maxRequests; i++) {
+        const response = await request
+          .get('/api/personalization/master-items')
+          .set('X-Test-Rate-Limit-Enable', 'true'); // Enable rate limiter middleware
+
+        if (response.status === 429) {
+          blockedResponse = response;
+          break;
+        }
+        expect(response.status).toBe(200);
+      }
+
+      expect(blockedResponse).toBeDefined();
+      expect(blockedResponse.status).toBe(429);
+      expect(blockedResponse.headers).toHaveProperty('x-ratelimit-limit');
+      expect(blockedResponse.headers).toHaveProperty('x-ratelimit-remaining');
+    });
+  });
 });
--- a/src/tests/integration/recipe.integration.test.ts
+++ b/src/tests/integration/recipe.integration.test.ts
@@ -1,7 +1,6 @@
 // src/tests/integration/recipe.integration.test.ts
 import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import { createAndLoginUser } from '../utils/testHelpers';
 import { cleanupDb } from '../utils/cleanup';
 import type { UserProfile, Recipe, RecipeComment } from '../../types';
@@ -13,9 +12,8 @@ import { aiService } from '../../services/aiService.server';
 * @vitest-environment node
 */

-const request = supertest(app);
-
 describe('Recipe API Routes Integration Tests', () => {
+  let request: ReturnType<typeof supertest>;
  let testUser: UserProfile;
  let authToken: string;
  let testRecipe: Recipe;
@@ -23,6 +21,10 @@ describe('Recipe API Routes Integration Tests', () => {
  const createdRecipeIds: number[] = [];

  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // Create a user to own the recipe and perform authenticated actions
    const { user, token } = await createAndLoginUser({
      email: `recipe-user-${Date.now()}@example.com`,
@@ -48,6 +50,7 @@ describe('Recipe API Routes Integration Tests', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    // Clean up all created resources
    await cleanupDb({
      userIds: createdUserIds,
--- a/src/tests/integration/server.integration.test.ts
+++ b/src/tests/integration/server.integration.test.ts
@@ -1,13 +1,23 @@
 // src/tests/integration/server.integration.test.ts
-import { describe, it, expect } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';

 /**
 * @vitest-environment node
 */

 describe('Server Initialization Smoke Test', () => {
+  let app: any;
+
+  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    app = (await import('../../../server')).default;
+  });
+
+  afterAll(() => {
+    vi.unstubAllEnvs();
+  });
+
  it('should import the server app without crashing', () => {
    // This test's primary purpose is to ensure that all top-level code in `server.ts`
    // can execute without throwing an error. This catches issues like syntax errors,
--- a/src/tests/integration/system.integration.test.ts
+++ b/src/tests/integration/system.integration.test.ts
@@ -1,13 +1,23 @@
 // src/tests/integration/system.integration.test.ts
-import { describe, it, expect } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';

 /**
 * @vitest-environment node
 */

 describe('System API Routes Integration Tests', () => {
+  let app: any;
+
+  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    app = (await import('../../../server')).default;
+  });
+
+  afterAll(() => {
+    vi.unstubAllEnvs();
+  });
+
  describe('GET /api/system/pm2-status', () => {
    it('should return a status for PM2', async () => {
      const request = supertest(app);
--- a/src/tests/integration/user.integration.test.ts
+++ b/src/tests/integration/user.integration.test.ts
@@ -1,9 +1,8 @@
 // src/tests/integration/user.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
 import path from 'path';
 import fs from 'node:fs/promises';
-import app from '../../../server';
 import { logger } from '../../services/logger.server';
 import { getPool } from '../../services/db/connection.db';
 import type { UserProfile, MasterGroceryItem, ShoppingList } from '../../types';
@@ -15,9 +14,8 @@ import { cleanupFiles } from '../utils/cleanupFiles';
 * @vitest-environment node
 */

-const request = supertest(app);
-
 describe('User API Routes Integration Tests', () => {
+  let request: ReturnType<typeof supertest>;
  let testUser: UserProfile;
  let authToken: string;
  const createdUserIds: string[] = [];
@@ -25,6 +23,10 @@ describe('User API Routes Integration Tests', () => {
  // Before any tests run, create a new user and log them in.
  // The token will be used for all subsequent API calls in this test suite.
  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    const email = `user-test-${Date.now()}@example.com`;
    const { user, token } = await createAndLoginUser({ email, fullName: 'Test User', request });
    testUser = user;
@@ -35,6 +37,7 @@ describe('User API Routes Integration Tests', () => {
  // After all tests, clean up by deleting the created user.
  // This now cleans up ALL users created by this test suite to prevent pollution.
  afterAll(async () => {
+    vi.unstubAllEnvs();
    await cleanupDb({ userIds: createdUserIds });

    // Safeguard to clean up any avatar files created during tests.
--- a/src/tests/integration/user.routes.integration.test.ts
+++ b/src/tests/integration/user.routes.integration.test.ts
@@ -1,7 +1,6 @@
 // src/tests/integration/user.routes.integration.test.ts
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
 import supertest from 'supertest';
-import app from '../../../server';
 import type { UserProfile } from '../../types';
 import { createAndLoginUser } from '../utils/testHelpers';
 import { cleanupDb } from '../utils/cleanup';
@@ -10,15 +9,18 @@ import { cleanupDb } from '../utils/cleanup';
 * @vitest-environment node
 */

-const request = supertest(app);
-
 describe('User Routes Integration Tests (/api/users)', () => {
+  let request: ReturnType<typeof supertest>;
  let authToken = '';
  let testUser: UserProfile;
  const createdUserIds: string[] = [];

  // Authenticate once before all tests in this suite to get a JWT.
  beforeAll(async () => {
+    vi.stubEnv('FRONTEND_URL', 'https://example.com');
+    const app = (await import('../../../server')).default;
+    request = supertest(app);
+
    // Use the helper to create and log in a user in one step.
    const { user, token } = await createAndLoginUser({
      fullName: 'User Routes Test User',
@@ -30,6 +32,7 @@ describe('User Routes Integration Tests (/api/users)', () => {
  });

  afterAll(async () => {
+    vi.unstubAllEnvs();
    await cleanupDb({ userIds: createdUserIds });
  });

--- a/src/tests/setup/global-setup.ts
+++ b/src/tests/setup/global-setup.ts
@@ -22,6 +22,11 @@ const getPool = () => {
 * and then rebuilds it from the master rollup script.
 */
 export async function setup() {
+  // Ensure we are in the correct environment for these tests.
+  process.env.NODE_ENV = 'test';
+  // Set the FRONTEND_URL globally for any scripts or processes spawned here.
+  process.env.FRONTEND_URL = process.env.FRONTEND_URL || 'https://example.com';
+
  // --- START DEBUG LOGGING ---
  // Log the database connection details being used by the Vitest GLOBAL SETUP process.
  // These variables are inherited from the CI environment.
--- a/src/tests/setup/integration-global-setup.ts
+++ b/src/tests/setup/integration-global-setup.ts
@@ -1,7 +1,6 @@
 // src/tests/setup/integration-global-setup.ts
 import { execSync } from 'child_process';
 import type { Server } from 'http';
-import app from '../../../server'; // Import the Express app
 import { logger } from '../../services/logger.server';
 import { getPool } from '../../services/db/connection.db';

@@ -13,6 +12,9 @@ let globalPool: ReturnType<typeof getPool> | null = null;
 export async function setup() {
  // Ensure we are in the correct environment for these tests.
  process.env.NODE_ENV = 'test';
+  // Fix: Set the FRONTEND_URL globally for the test server instance
+  process.env.FRONTEND_URL = 'https://example.com';
+
  console.log(`\n--- [PID:${process.pid}] Running Integration Test GLOBAL Setup ---`);

  // The integration setup is now the single source of truth for preparing the test DB.
@@ -30,6 +32,10 @@ export async function setup() {
  console.log(`[PID:${process.pid}] Initializing global database pool...`);
  globalPool = getPool();

+  // Fix: Dynamic import AFTER env vars are set
+  const appModule = await import('../../../server');
+  const app = appModule.default;
+
  // Programmatically start the server within the same process.
  const port = process.env.PORT || 3001;
  await new Promise<void>((resolve) => {
--- a/src/tests/utils/mockFactories.ts
+++ b/src/tests/utils/mockFactories.ts
@@ -178,7 +178,7 @@ export const createMockFlyer = (
    store_id: overrides.store_id ?? overrides.store?.store_id,
  });

-  const baseUrl = 'http://localhost:3001'; // A reasonable default for tests
+  const baseUrl = 'https://example.com'; // A reasonable default for tests

  // Determine the final file_name to generate dependent properties from.
  const fileName = overrides.file_name ?? `flyer-${flyerId}.jpg`;
--- a/src/tests/utils/testHelpers.ts
+++ b/src/tests/utils/testHelpers.ts
@@ -5,6 +5,12 @@ import type { UserProfile } from '../../types';
 import supertest from 'supertest';

 export const TEST_PASSWORD = 'a-much-stronger-password-for-testing-!@#$';
+export const TEST_EXAMPLE_DOMAIN = 'https://example.com';
+
+export const getTestBaseUrl = (): string => {
+  const url = process.env.FRONTEND_URL || `https://example.com`;
+  return url.endsWith('/') ? url.slice(0, -1) : url;
+};

 interface CreateUserOptions {
  email?: string;
--- a/src/tests/utils/userService.mock.ts
+++ b/src/tests/utils/userService.mock.ts
--- a/src/utils/imageProcessor.ts
+++ b/src/utils/imageProcessor.ts
@@ -43,6 +43,7 @@ export async function processAndSaveImage(
      .toFile(outputPath);

    logger.info(`Successfully processed image and saved to ${outputPath}`);
+    console.log('[DEBUG] processAndSaveImage returning:', outputFileName);
    return outputFileName;
  } catch (error) {
    logger.error(
@@ -84,6 +85,7 @@ export async function generateFlyerIcon(
      .toFile(outputPath);

    logger.info(`Successfully generated icon: ${outputPath}`);
+    console.log('[DEBUG] generateFlyerIcon returning:', iconFileName);
    return iconFileName;
  } catch (error) {
    logger.error(
--- a/src/utils/rateLimit.ts
+++ b/src/utils/rateLimit.ts
@@ -0,0 +1,13 @@
+// src/utils/rateLimit.ts
+import { Request } from 'express';
+
+const isTestEnv = process.env.NODE_ENV === 'test';
+
+/**
+ * Helper to determine if rate limiting should be skipped.
+ * Skips in test environment unless explicitly enabled via header.
+ */
+export const shouldSkipRateLimit = (req: Request) => {
+  if (!isTestEnv) return false;
+  return req.headers['x-test-rate-limit-enable'] !== 'true';
+};
--- a/src/utils/serverUtils.test.ts
+++ b/src/utils/serverUtils.test.ts
@@ -56,29 +56,21 @@ describe('serverUtils', () => {
      expect(mockLogger.warn).not.toHaveBeenCalled();
    });

-    it('should fall back to localhost with default port 3000 if no URL is provided', () => {
+    it('should fall back to example.com with default port 3000 if no URL is provided', () => {
      delete process.env.FRONTEND_URL;
      delete process.env.BASE_URL;
      delete process.env.PORT;
      const baseUrl = getBaseUrl(mockLogger);
-      expect(baseUrl).toBe('http://localhost:3000');
+      expect(baseUrl).toBe('https://example.com:3000');
      expect(mockLogger.warn).not.toHaveBeenCalled();
    });

-    it('should fall back to localhost with the specified PORT if no URL is provided', () => {
-      delete process.env.FRONTEND_URL;
-      delete process.env.BASE_URL;
-      process.env.PORT = '8888';
-      const baseUrl = getBaseUrl(mockLogger);
-      expect(baseUrl).toBe('http://localhost:8888');
-    });
-
    it('should log a warning and fall back if FRONTEND_URL is invalid (does not start with http)', () => {
      process.env.FRONTEND_URL = 'invalid.url.com';
      const baseUrl = getBaseUrl(mockLogger);
-      expect(baseUrl).toBe('http://localhost:3000');
+      expect(baseUrl).toBe('https://example.com:3000');
      expect(mockLogger.warn).toHaveBeenCalledWith(
-        "[getBaseUrl] FRONTEND_URL/BASE_URL is invalid or incomplete ('invalid.url.com'). Falling back to default local URL: http://localhost:3000",
+        "[getBaseUrl] FRONTEND_URL/BASE_URL is invalid or incomplete ('invalid.url.com'). Falling back to default local URL: https://example.com:3000",
      );
    });
  });
--- a/src/utils/serverUtils.ts
+++ b/src/utils/serverUtils.ts
@@ -14,7 +14,7 @@ export function getBaseUrl(logger: Logger): string {
  let baseUrl = (process.env.FRONTEND_URL || process.env.BASE_URL || '').trim();
  if (!baseUrl || !baseUrl.startsWith('http')) {
    const port = process.env.PORT || 3000;
-    const fallbackUrl = `http://localhost:${port}`;
+    const fallbackUrl = `https://example.com:${port}`;
    if (baseUrl) {
      logger.warn(
        `[getBaseUrl] FRONTEND_URL/BASE_URL is invalid or incomplete ('${baseUrl}'). Falling back to default local URL: ${fallbackUrl}`,
--- a/vitest.config.integration.ts
+++ b/vitest.config.integration.ts
@@ -47,7 +47,7 @@ const finalConfig = mergeConfig(
      // Fix: Set environment variables to ensure generated URLs pass validation
      env: {
        NODE_ENV: 'test',
-        BASE_URL: 'http://example.com', // Use a standard domain to pass strict URL validation
+        BASE_URL: 'https://example.com', // Use a standard domain to pass strict URL validation
        PORT: '3000',
      },
      // This setup script starts the backend server before tests run.
Author	SHA1	Message	Date
Gitea Actions	e675c1a73c	ci: Bump version to 0.9.48 [skip ci]	2026-01-07 01:35:26 +05:00
Torben Sorensen	3c19084a0a	fix the dang integration tests All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 30m17s Details	2026-01-06 12:34:18 -08:00
Gitea Actions	e2049c6b9f	ci: Bump version to 0.9.47 [skip ci]	2026-01-06 23:34:29 +05:00
Torben Sorensen	a3839c2f0d	debugging the flyer integration issue All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 33m13s Details	2026-01-06 10:33:51 -08:00
Gitea Actions	c1df3d7b1b	ci: Bump version to 0.9.46 [skip ci]	2026-01-06 22:39:47 +05:00
Torben Sorensen	94782f030d	debugging the flyer integration issue All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 25m42s Details	2026-01-06 09:38:14 -08:00
Gitea Actions	1c25b79251	ci: Bump version to 0.9.45 [skip ci]	2026-01-06 14:34:44 +05:00
Torben Sorensen	0b0fa8294d	debugging the flyer integration issue All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 27m54s Details	2026-01-06 01:33:48 -08:00
Gitea Actions	f49f3a75fb	ci: Bump version to 0.9.44 [skip ci]	2026-01-06 13:41:43 +05:00
Torben Sorensen	8f14044ae6	debugging the flyer integration issue All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 26m27s Details	2026-01-06 00:41:03 -08:00
Gitea Actions	55e1e425f4	ci: Bump version to 0.9.43 [skip ci]	2026-01-06 12:56:47 +05:00
Torben Sorensen	68b16ad2e8	fix the dang integration tests All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 25m2s Details	2026-01-05 23:53:54 -08:00
Gitea Actions	6a28934692	ci: Bump version to 0.9.42 [skip ci]	2026-01-06 12:25:08 +05:00
Torben Sorensen	78c4a5fee6	fix the dang integration tests Some checks failed Deploy to Test Environment / deploy-to-test (push) Has been cancelled Details	2026-01-05 23:20:56 -08:00
Gitea Actions	1ce5f481a8	ci: Bump version to 0.9.41 [skip ci]	2026-01-06 11:39:28 +05:00
Gitea Actions	e0120d38fd	ci: Bump version to 0.9.39 [skip ci]	2026-01-06 11:39:27 +05:00
Torben Sorensen	6b2079ef2c	fix the dang integration tests All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 32m44s Details	2026-01-05 22:38:21 -08:00
Gitea Actions	0478e176d5	ci: Bump version to 0.9.38 [skip ci]	2026-01-06 10:23:22 +05:00
Torben Sorensen	47f7f97cd9	fuck database contraints - seems buggy All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 32m10s Details	2026-01-05 21:16:08 -08:00
Gitea Actions	b0719d1e39	ci: Bump version to 0.9.37 [skip ci]	2026-01-06 10:11:19 +05:00
Torben Sorensen	0039ac3752	fuck database contraints - seems buggy Some checks failed Deploy to Test Environment / deploy-to-test (push) Failing after 37s Details	2026-01-05 21:08:16 -08:00
Gitea Actions	3c8316f4f7	ci: Bump version to 0.9.36 [skip ci]	2026-01-06 09:03:20 +05:00
Torben Sorensen	2564df1c64	get rid of localhost in tests - not a qualified URL - we'll see All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 33m19s Details	2026-01-05 20:02:44 -08:00
Gitea Actions	696c547238	ci: Bump version to 0.9.35 [skip ci]	2026-01-06 08:11:42 +05:00
Torben Sorensen	38165bdb9a	get rid of localhost in tests - not a qualified URL - we'll see All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 26m14s Details	2026-01-05 19:10:46 -08:00
Gitea Actions	6139dca072	ci: Bump version to 0.9.34 [skip ci]	2026-01-06 06:33:46 +05:00
Torben Sorensen	68bfaa50e6	more baseurl work - hopefully that does it for now All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 26m5s Details	2026-01-05 17:33:00 -08:00
Gitea Actions	9c42621f74	ci: Bump version to 0.9.33 [skip ci]	2026-01-06 04:34:48 +05:00
Torben Sorensen	1b98282202	more rate limiting All checks were successful Deploy to Test Environment / deploy-to-test (push) Successful in 30m19s Details	2026-01-05 15:31:01 -08:00
Gitea Actions	b6731b220c	ci: Bump version to 0.9.32 [skip ci]	2026-01-06 04:13:42 +05:00
Torben Sorensen	3507d455e8	more rate limiting Some checks failed Deploy to Test Environment / deploy-to-test (push) Has been cancelled Details	2026-01-05 15:13:10 -08:00
Gitea Actions	92b2adf8e8	ci: Bump version to 0.9.31 [skip ci]	2026-01-06 04:07:21 +05:00
Torben Sorensen	d6c7452256	more rate limiting Some checks failed Deploy to Test Environment / deploy-to-test (push) Failing after 41s Details	2026-01-05 15:06:55 -08:00
Gitea Actions	d812b681dd	ci: Bump version to 0.9.30 [skip ci]	2026-01-06 03:54:42 +05:00
Torben Sorensen	b4306a6092	more rate limiting Some checks failed Deploy to Test Environment / deploy-to-test (push) Failing after 50s Details	2026-01-05 14:53:49 -08:00