feat: near-term UX batch -- URL normalization, currency preference, async search/SSE

- Backend: validate display.currency against 10 supported ISO 4217 codes
  (USD, GBP, EUR, CAD, AUD, JPY, CHF, MXN, BRL, INR); return 400 on
  unsupported code with a clear message listing accepted values
- Frontend: useCurrency composable fetches rates from open.er-api.com
  with 1-hour module-level cache and in-flight deduplication; falls back
  to USD display on network failure
- Preferences store: adds display.currency with localStorage fallback for
  anonymous users and localStorage-to-DB migration for newly logged-in users
- ListingCard: price and market price now convert from USD using live rates,
  showing USD synchronously while rates load then updating reactively
- Settings UI: currency selector dropdown in Appearance section using
  theme-aware CSS classes; available to all users (anon via localStorage,
  logged-in via DB preference)
- Tests: 6 Python tests for the PATCH /api/preferences currency endpoint
  (including ordering-safe fixture using patch.object on _LOCAL_SNIPE_DB);
  14 Vitest tests for convertFromUSD, formatPrice, and formatPriceUSD

.env.example

@@ -19,6 +19,25 @@ EBAY_SANDBOX_CERT_ID=
 # production | sandbox
 EBAY_ENV=production
 
+# ── eBay OAuth — Authorization Code (user account connection) ─────────────────
+# Enables paid-tier users to connect their personal eBay account for instant
+# trust scoring via Trading API GetUser (account age + per-category feedback).
+# Without this, Snipe falls back to Shopping API + Playwright scraping.
+#
+# Setup steps:
+#   1. Go to https://developer.ebay.com/my/keys → select your Production app
+#   2. Under "Auth Accepted URL / RuName", create a new entry:
+#      - Callback URL: https://your-domain/api/ebay/callback
+#        (e.g. https://menagerie.circuitforge.tech/snipe/api/ebay/callback)
+#      - Snipe generates the redirect automatically — just register the URL above
+#   3. Copy the RuName value (looks like "YourName-AppName-PRD-xxx-yyy")
+#      and paste it as EBAY_RUNAME below.
+#   4. Set EBAY_OAUTH_REDIRECT_URI to the same HTTPS callback URL.
+#
+# Self-hosted: your callback URL must be HTTPS and publicly reachable.
+# EBAY_RUNAME=YourName-AppName-PRD-xxxxxxxx-xxxxxxxx
+# EBAY_OAUTH_REDIRECT_URI=https://your-domain/api/ebay/callback
+
 # ── eBay Account Deletion Webhook ──────────────────────────────────────────────
 # Register endpoint at https://developer.ebay.com/my/notification — required for
 # production key activation. Set EBAY_NOTIFICATION_ENDPOINT to the public HTTPS
@@ -32,6 +51,9 @@ EBAY_WEBHOOK_VERIFY_SIGNATURES=true
 # ── Database ───────────────────────────────────────────────────────────────────
 SNIPE_DB=data/snipe.db
 
+# Product identifier reported in cf-orch coordinator analytics for per-app breakdown
+CF_APP_NAME=snipe
+
 # ── Cloud mode (managed / menagerie instance only) ─────────────────────────────
 # Leave unset for self-hosted / local use. When set, per-user DB isolation
 # and Heimdall licensing are enabled. compose.cloud.yml sets CLOUD_MODE=true

.gitignore

@@ -10,3 +10,4 @@ data/
 web/node_modules/
 web/dist/
 config/llm.yaml
+.worktrees/

api/ebay_webhook.py

@@ -33,6 +33,7 @@ from cryptography.hazmat.primitives.serialization import load_pem_public_key
 from fastapi import APIRouter, Header, HTTPException, Request
 
 from app.db.store import Store
+from app.platforms.ebay.auth import EbayTokenManager
 
 log = logging.getLogger(__name__)
 
@@ -40,6 +41,24 @@ router = APIRouter()
 
 _DB_PATH = Path(os.environ.get("SNIPE_DB", "data/snipe.db"))
 
+# ── App-level token manager ───────────────────────────────────────────────────
+# Lazily initialized from env vars; shared across all webhook requests.
+# The Notification public_key endpoint requires a Bearer app token.
+_app_token_manager: EbayTokenManager | None = None
+
+
+def _get_app_token() -> str | None:
+    """Return a valid eBay app-level Bearer token, or None if creds are absent."""
+    global _app_token_manager
+    client_id = (os.environ.get("EBAY_APP_ID") or os.environ.get("EBAY_CLIENT_ID", "")).strip()
+    client_secret = (os.environ.get("EBAY_CERT_ID") or os.environ.get("EBAY_CLIENT_SECRET", "")).strip()
+    if not client_id or not client_secret:
+        return None
+    if _app_token_manager is None:
+        _app_token_manager = EbayTokenManager(client_id, client_secret)
+    return _app_token_manager.get_token()
+
+
 # ── Public-key cache ──────────────────────────────────────────────────────────
 # eBay key rotation is rare; 1-hour TTL is appropriate.
 _KEY_CACHE_TTL = 3600
@@ -58,7 +77,14 @@ def _fetch_public_key(kid: str) -> bytes:
         return cached[0]
 
     key_url = _EBAY_KEY_URL.format(kid=kid)
-    resp = requests.get(key_url, timeout=10)
+    headers: dict[str, str] = {}
+    app_token = _get_app_token()
+    if app_token:
+        headers["Authorization"] = f"Bearer {app_token}"
+    else:
+        log.warning("public_key fetch: no app credentials — request will likely fail")
+
+    resp = requests.get(key_url, headers=headers, timeout=10)
     if not resp.ok:
         log.error("public key fetch failed: %s %s — body: %s", resp.status_code, key_url, resp.text[:500])
     resp.raise_for_status()
@@ -68,6 +94,42 @@ def _fetch_public_key(kid: str) -> bytes:
     return pem_bytes
 
 
+# ── GET — webhook health check ───────────────────────────────────────────────
+
+@router.get("/api/ebay/webhook-health")
+def ebay_webhook_health() -> dict:
+    """Lightweight health check for eBay webhook compliance monitoring.
+
+    Returns 200 + status dict when the webhook is fully configured.
+    Returns 500 when required env vars are missing.
+    Intended for Uptime Kuma or similar uptime monitors.
+    """
+    token = os.environ.get("EBAY_NOTIFICATION_TOKEN", "")
+    endpoint = os.environ.get("EBAY_NOTIFICATION_ENDPOINT", "")
+    client_id = (os.environ.get("EBAY_APP_ID") or os.environ.get("EBAY_CLIENT_ID", "")).strip()
+    client_secret = (os.environ.get("EBAY_CERT_ID") or os.environ.get("EBAY_CLIENT_SECRET", "")).strip()
+
+    missing = [
+        name for name, val in [
+            ("EBAY_NOTIFICATION_TOKEN", token),
+            ("EBAY_NOTIFICATION_ENDPOINT", endpoint),
+            ("EBAY_APP_ID / EBAY_CLIENT_ID", client_id),
+            ("EBAY_CERT_ID / EBAY_CLIENT_SECRET", client_secret),
+        ] if not val
+    ]
+    if missing:
+        log.error("ebay_webhook_health: missing config: %s", missing)
+        raise HTTPException(
+            status_code=500,
+            detail=f"Webhook misconfigured — missing: {missing}",
+        )
+    return {
+        "status": "ok",
+        "endpoint": endpoint,
+        "signature_verification": os.environ.get("EBAY_WEBHOOK_VERIFY_SIGNATURES", "true"),
+    }
+
+
 # ── GET — challenge verification ──────────────────────────────────────────────
 
 @router.get("/api/ebay/account-deletion")

config/llm.yaml.example

@@ -39,6 +39,21 @@ backends:
     #   service: ollama
     #   ttl_s: 300
 
+  # ── cf-orch trunk services ─────────────────────────────────────────────────
+  # Allocate via cf-orch; the router calls the allocated service directly.
+  # Set CF_ORCH_URL (env) or url below to activate.
+  cf_text:
+    type: openai_compat
+    enabled: false
+    base_url: http://localhost:8008/v1
+    model: __auto__
+    api_key: any
+    supports_images: false
+    cf_orch:
+      service: cf-text
+      model_candidates: []
+      ttl_s: 3600
+
 fallback_order:
   - anthropic
   - openai

tests/platforms/test_ebay_normaliser.py

@@ -1,5 +1,6 @@
 import pytest
 
+from api.main import _extract_ebay_item_id
 from app.platforms.ebay.normaliser import normalise_listing, normalise_seller
 
 
@@ -56,3 +57,48 @@ def test_normalise_seller_maps_fields():
     assert seller.feedback_count == 300
     assert seller.feedback_ratio == pytest.approx(0.991, abs=0.001)
     assert seller.account_age_days > 0
+
+
+# ── _extract_ebay_item_id ─────────────────────────────────────────────────────
+
+class TestExtractEbayItemId:
+    """Unit tests for the URL-to-item-ID normaliser."""
+
+    def test_itm_url_with_title_slug(self):
+        url = "https://www.ebay.com/itm/Sony-WH-1000XM5-Headphones/123456789012"
+        assert _extract_ebay_item_id(url) == "123456789012"
+
+    def test_itm_url_without_title_slug(self):
+        url = "https://www.ebay.com/itm/123456789012"
+        assert _extract_ebay_item_id(url) == "123456789012"
+
+    def test_itm_url_no_www(self):
+        url = "https://ebay.com/itm/123456789012"
+        assert _extract_ebay_item_id(url) == "123456789012"
+
+    def test_itm_url_with_query_params(self):
+        url = "https://www.ebay.com/itm/123456789012?hash=item1234abcd"
+        assert _extract_ebay_item_id(url) == "123456789012"
+
+    def test_pay_ebay_rxo_with_itemId_query_param(self):
+        url = "https://pay.ebay.com/rxo?action=view&sessionid=abc123&itemId=123456789012"
+        assert _extract_ebay_item_id(url) == "123456789012"
+
+    def test_pay_ebay_rxo_path_with_itemId(self):
+        url = "https://pay.ebay.com/rxo/view?itemId=123456789012"
+        assert _extract_ebay_item_id(url) == "123456789012"
+
+    def test_non_ebay_url_returns_none(self):
+        assert _extract_ebay_item_id("https://amazon.com/dp/B08N5WRWNW") is None
+
+    def test_plain_keyword_returns_none(self):
+        assert _extract_ebay_item_id("rtx 4090 gpu") is None
+
+    def test_empty_string_returns_none(self):
+        assert _extract_ebay_item_id("") is None
+
+    def test_ebay_url_no_item_id_returns_none(self):
+        assert _extract_ebay_item_id("https://www.ebay.com/sch/i.html?_nkw=gpu") is None
+
+    def test_pay_ebay_no_item_id_returns_none(self):
+        assert _extract_ebay_item_id("https://pay.ebay.com/rxo?action=view&sessionid=abc") is None

tests/test_async_search.py

@@ -0,0 +1,231 @@
+"""Tests for GET /api/search/async (fire-and-forget search + SSE streaming).
+
+Verifies:
+  - Returns HTTP 202 with session_id and status: "queued"
+  - session_id is registered in _update_queues immediately
+  - Actual scraping is not performed (mocked out)
+  - Empty query path returns a completed session with done event
+"""
+from __future__ import annotations
+
+import os
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+
+import pytest
+from fastapi.testclient import TestClient
+
+
+# ── Fixtures ──────────────────────────────────────────────────────────────────
+
+@pytest.fixture
+def client(tmp_path):
+    """TestClient with a fresh tmp DB.  Must set SNIPE_DB *before* importing app."""
+    os.environ["SNIPE_DB"] = str(tmp_path / "snipe.db")
+    from api.main import app
+    return TestClient(app, raise_server_exceptions=False)
+
+
+def _make_mock_listing():
+    """Return a minimal mock listing object that satisfies the search pipeline."""
+    m = MagicMock()
+    m.platform_listing_id = "123456789"
+    m.seller_platform_id = "test_seller"
+    m.title = "Test GPU"
+    m.price = 100.0
+    m.currency = "USD"
+    m.condition = "Used"
+    m.url = "https://www.ebay.com/itm/123456789"
+    m.photo_urls = []
+    m.listing_age_days = 5
+    m.buying_format = "fixed_price"
+    m.ends_at = None
+    m.fetched_at = None
+    m.trust_score_id = None
+    m.id = 1
+    m.category_name = None
+    return m
+
+
+# ── Core contract tests ───────────────────────────────────────────────────────
+
+def test_async_search_returns_202(client):
+    """GET /api/search/async?q=... returns HTTP 202 with session_id and status."""
+    with (
+        patch("api.main._make_adapter") as mock_adapter_factory,
+        patch("api.main._trigger_scraper_enrichment"),
+        patch("api.main.TrustScorer") as mock_scorer_cls,
+    ):
+        mock_adapter = MagicMock()
+        mock_adapter.search.return_value = []
+        mock_adapter.get_completed_sales.return_value = None
+        mock_adapter_factory.return_value = mock_adapter
+
+        mock_scorer = MagicMock()
+        mock_scorer.score_batch.return_value = []
+        mock_scorer_cls.return_value = mock_scorer
+
+        resp = client.get("/api/search/async?q=test+gpu")
+
+    assert resp.status_code == 202
+    data = resp.json()
+    assert "session_id" in data
+    assert data["status"] == "queued"
+    assert isinstance(data["session_id"], str)
+    assert len(data["session_id"]) > 0
+
+
+def test_async_search_registers_session_id(client):
+    """session_id returned by 202 response must appear in _update_queues immediately."""
+    with (
+        patch("api.main._make_adapter") as mock_adapter_factory,
+        patch("api.main._trigger_scraper_enrichment"),
+        patch("api.main.TrustScorer") as mock_scorer_cls,
+    ):
+        mock_adapter = MagicMock()
+        mock_adapter.search.return_value = []
+        mock_adapter.get_completed_sales.return_value = None
+        mock_adapter_factory.return_value = mock_adapter
+
+        mock_scorer = MagicMock()
+        mock_scorer.score_batch.return_value = []
+        mock_scorer_cls.return_value = mock_scorer
+
+        resp = client.get("/api/search/async?q=test+gpu")
+
+    assert resp.status_code == 202
+    session_id = resp.json()["session_id"]
+
+    # The queue must be registered so the SSE endpoint can open it.
+    from api.main import _update_queues
+    assert session_id in _update_queues
+
+
+def test_async_search_empty_query(client):
+    """Empty query returns 202 with a pre-loaded done sentinel, no scraping needed."""
+    resp = client.get("/api/search/async?q=")
+    assert resp.status_code == 202
+    data = resp.json()
+    assert data["status"] == "queued"
+    assert "session_id" in data
+
+    from api.main import _update_queues
+    import queue as _queue
+    sid = data["session_id"]
+    assert sid in _update_queues
+    q = _update_queues[sid]
+    # First item should be the empty listings event
+    first = q.get_nowait()
+    assert first is not None
+    assert first["type"] == "listings"
+    assert first["listings"] == []
+    # Second item should be the sentinel
+    sentinel = q.get_nowait()
+    assert sentinel is None
+
+
+def test_async_search_no_real_chromium(client):
+    """Async search endpoint must not launch real Chromium in tests.
+
+    Verifies that the background scraper is submitted to the executor but the
+    adapter factory is patched — no real Playwright/Xvfb process is spawned.
+    Uses a broad patch on Store to avoid sqlite3 DB path issues in the thread pool.
+    """
+    import threading
+    scrape_called = threading.Event()
+
+    def _fake_search(query, filters):
+        scrape_called.set()
+        return []
+
+    with (
+        patch("api.main._make_adapter") as mock_adapter_factory,
+        patch("api.main._trigger_scraper_enrichment"),
+        patch("api.main.TrustScorer") as mock_scorer_cls,
+        patch("api.main.Store") as mock_store_cls,
+    ):
+        mock_adapter = MagicMock()
+        mock_adapter.search.side_effect = _fake_search
+        mock_adapter.get_completed_sales.return_value = None
+        mock_adapter_factory.return_value = mock_adapter
+
+        mock_scorer = MagicMock()
+        mock_scorer.score_batch.return_value = []
+        mock_scorer_cls.return_value = mock_scorer
+
+        mock_store = MagicMock()
+        mock_store.get_listings_staged.return_value = {}
+        mock_store.refresh_seller_categories.return_value = 0
+        mock_store.save_listings.return_value = None
+        mock_store.save_trust_scores.return_value = None
+        mock_store.get_market_comp.return_value = None
+        mock_store.get_seller.return_value = None
+        mock_store.get_user_preference.return_value = None
+        mock_store_cls.return_value = mock_store
+
+        resp = client.get("/api/search/async?q=rtx+3080")
+
+    assert resp.status_code == 202
+    # Give the background worker a moment to run (it's in a thread pool)
+    scrape_called.wait(timeout=5.0)
+    # If we get here without a real Playwright process, the test passes.
+    assert scrape_called.is_set(), "Background search worker never ran"
+
+
+def test_async_search_query_params_forwarded(client):
+    """All filter params accepted by /api/search are also accepted here."""
+    with (
+        patch("api.main._make_adapter") as mock_adapter_factory,
+        patch("api.main._trigger_scraper_enrichment"),
+        patch("api.main.TrustScorer") as mock_scorer_cls,
+    ):
+        mock_adapter = MagicMock()
+        mock_adapter.search.return_value = []
+        mock_adapter.get_completed_sales.return_value = None
+        mock_adapter_factory.return_value = mock_adapter
+
+        mock_scorer = MagicMock()
+        mock_scorer.score_batch.return_value = []
+        mock_scorer_cls.return_value = mock_scorer
+
+        resp = client.get(
+            "/api/search/async"
+            "?q=rtx+3080"
+            "&max_price=400"
+            "&min_price=100"
+            "&pages=2"
+            "&must_include=rtx,3080"
+            "&must_include_mode=all"
+            "&must_exclude=mining"
+            "&category_id=27386"
+            "&adapter=auto"
+        )
+
+    assert resp.status_code == 202
+
+
+def test_async_search_session_id_is_uuid(client):
+    """session_id must be a valid UUID v4 string."""
+    import uuid as _uuid
+
+    with (
+        patch("api.main._make_adapter") as mock_adapter_factory,
+        patch("api.main._trigger_scraper_enrichment"),
+        patch("api.main.TrustScorer") as mock_scorer_cls,
+    ):
+        mock_adapter = MagicMock()
+        mock_adapter.search.return_value = []
+        mock_adapter.get_completed_sales.return_value = None
+        mock_adapter_factory.return_value = mock_adapter
+
+        mock_scorer = MagicMock()
+        mock_scorer.score_batch.return_value = []
+        mock_scorer_cls.return_value = mock_scorer
+
+        resp = client.get("/api/search/async?q=test")
+
+    assert resp.status_code == 202
+    sid = resp.json()["session_id"]
+    # Should not raise if it's a valid UUID
+    parsed = _uuid.UUID(sid)
+    assert str(parsed) == sid

tests/test_preferences_currency.py

@@ -0,0 +1,76 @@
+"""Tests for PATCH /api/preferences display.currency validation."""
+from __future__ import annotations
+
+import os
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+from fastapi.testclient import TestClient
+
+
+@pytest.fixture
+def client(tmp_path):
+    """TestClient with a patched local DB path.
+
+    api.cloud_session._LOCAL_SNIPE_DB is set at module import time, so we
+    cannot rely on setting SNIPE_DB before import when other tests have already
+    triggered the module load.  Patch the module-level variable directly so
+    the session dependency points at our fresh tmp DB for the duration of this
+    fixture.
+    """
+    db_path = tmp_path / "snipe.db"
+    # Ensure the DB is initialised so the Store can create its tables.
+    import api.cloud_session as _cs
+    from circuitforge_core.db import get_connection, run_migrations
+    conn = get_connection(db_path)
+    run_migrations(conn, Path("app/db/migrations"))
+    conn.close()
+
+    from api.main import app
+    with patch.object(_cs, "_LOCAL_SNIPE_DB", db_path):
+        yield TestClient(app, raise_server_exceptions=False)
+
+
+def test_set_display_currency_valid(client):
+    """Accepted ISO 4217 codes are stored and returned."""
+    for code in ("USD", "GBP", "EUR", "CAD", "AUD", "JPY", "CHF", "MXN", "BRL", "INR"):
+        resp = client.patch("/api/preferences", json={"path": "display.currency", "value": code})
+        assert resp.status_code == 200, f"Expected 200 for {code}, got {resp.status_code}: {resp.text}"
+        data = resp.json()
+        assert data.get("display", {}).get("currency") == code
+
+
+def test_set_display_currency_normalises_lowercase(client):
+    """Lowercase code is accepted and normalised to uppercase."""
+    resp = client.patch("/api/preferences", json={"path": "display.currency", "value": "eur"})
+    assert resp.status_code == 200
+    assert resp.json()["display"]["currency"] == "EUR"
+
+
+def test_set_display_currency_unsupported_returns_400(client):
+    """Unsupported currency code returns 400 with a clear message."""
+    resp = client.patch("/api/preferences", json={"path": "display.currency", "value": "XYZ"})
+    assert resp.status_code == 400
+    detail = resp.json().get("detail", "")
+    assert "XYZ" in detail
+    assert "Supported" in detail or "supported" in detail
+
+
+def test_set_display_currency_empty_string_returns_400(client):
+    """Empty string is not a valid currency code."""
+    resp = client.patch("/api/preferences", json={"path": "display.currency", "value": ""})
+    assert resp.status_code == 400
+
+
+def test_set_display_currency_none_returns_400(client):
+    """None is not a valid currency code."""
+    resp = client.patch("/api/preferences", json={"path": "display.currency", "value": None})
+    assert resp.status_code == 400
+
+
+def test_other_preference_paths_unaffected(client):
+    """Unrelated preference paths still work normally after currency validation added."""
+    resp = client.patch("/api/preferences", json={"path": "affiliate.opt_out", "value": True})
+    assert resp.status_code == 200
+    assert resp.json().get("affiliate", {}).get("opt_out") is True

web/index.html

@@ -22,8 +22,9 @@
     <meta name="twitter:description" content="Free eBay trust scorer. Catches scammers before you bid. No account required." />
     <meta name="twitter:image" content="https://menagerie.circuitforge.tech/snipe/og-image.png" />
     <link rel="canonical" href="https://menagerie.circuitforge.tech/snipe" />
-    <!-- Inline background prevents blank flash before CSS bundle loads -->
+    <!-- FOFT guard: prevents dark flash before CSS bundle loads.
-    <!-- Matches --color-surface dark tactical theme from theme.css -->
+         theme.css overrides both html and body backgrounds via var(--color-surface)
+         once loaded, so this only applies for the brief pre-bundle window. -->
     <style>
       html, body { margin: 0; background: #0d1117; min-height: 100vh; }
     </style>

web/src/__tests__/useCurrency.test.ts

@@ -0,0 +1,140 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+// Reset module-level cache and fetch mock between tests
+beforeEach(async () => {
+  vi.restoreAllMocks()
+  // Reset module-level cache so each test starts clean
+  const mod = await import('../composables/useCurrency')
+  mod._resetCacheForTest()
+})
+
+const MOCK_RATES: Record<string, number> = {
+  USD: 1,
+  GBP: 0.79,
+  EUR: 0.92,
+  JPY: 151.5,
+  CAD: 1.36,
+}
+
+function mockFetchSuccess(rates = MOCK_RATES) {
+  vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
+    ok: true,
+    json: async () => ({ rates }),
+  }))
+}
+
+function mockFetchFailure() {
+  vi.stubGlobal('fetch', vi.fn().mockRejectedValue(new Error('Network error')))
+}
+
+describe('convertFromUSD', () => {
+  it('returns the same amount for USD (no conversion)', async () => {
+    mockFetchSuccess()
+    const { convertFromUSD } = await import('../composables/useCurrency')
+    const result = await convertFromUSD(100, 'USD')
+    expect(result).toBe(100)
+    // fetch should not be called for USD passthrough
+    expect(fetch).not.toHaveBeenCalled()
+  })
+
+  it('converts USD to GBP using fetched rates', async () => {
+    mockFetchSuccess()
+    const { convertFromUSD, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    const result = await convertFromUSD(100, 'GBP')
+    expect(result).toBeCloseTo(79, 1)
+  })
+
+  it('converts USD to JPY using fetched rates', async () => {
+    mockFetchSuccess()
+    const { convertFromUSD, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    const result = await convertFromUSD(10, 'JPY')
+    expect(result).toBeCloseTo(1515, 1)
+  })
+
+  it('returns the original amount when rates are unavailable (network failure)', async () => {
+    mockFetchFailure()
+    const { convertFromUSD, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    const result = await convertFromUSD(100, 'EUR')
+    expect(result).toBe(100)
+  })
+
+  it('returns the original amount when the currency code is unknown', async () => {
+    mockFetchSuccess({ USD: 1, EUR: 0.92 }) // no XYZ rate
+    const { convertFromUSD, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    const result = await convertFromUSD(50, 'XYZ')
+    expect(result).toBe(50)
+  })
+
+  it('only calls fetch once when called concurrently (deduplication)', async () => {
+    mockFetchSuccess()
+    const { convertFromUSD, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    await Promise.all([
+      convertFromUSD(100, 'GBP'),
+      convertFromUSD(200, 'EUR'),
+      convertFromUSD(50, 'CAD'),
+    ])
+    expect((fetch as ReturnType<typeof vi.fn>).mock.calls.length).toBe(1)
+  })
+})
+
+describe('formatPrice', () => {
+  it('formats USD amount with dollar sign', async () => {
+    mockFetchSuccess()
+    const { formatPrice, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    const result = await formatPrice(99.99, 'USD')
+    expect(result).toMatch(/^\$99\.99$|^\$100$/)  // Intl rounding may vary
+    expect(result).toContain('$')
+  })
+
+  it('formats GBP amount with correct symbol', async () => {
+    mockFetchSuccess()
+    const { formatPrice, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    const result = await formatPrice(100, 'GBP')
+    // GBP 79 — expect pound sign or "GBP" prefix
+    expect(result).toMatch(/[£]|GBP/)
+  })
+
+  it('formats JPY without decimal places (Intl rounds to zero decimals)', async () => {
+    mockFetchSuccess()
+    const { formatPrice, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    const result = await formatPrice(10, 'JPY')
+    // 10 * 151.5 = 1515 JPY — no decimal places for JPY
+    expect(result).toMatch(/¥1,515|JPY.*1,515|¥1515/)
+  })
+
+  it('falls back gracefully on network failure, showing USD', async () => {
+    mockFetchFailure()
+    const { formatPrice, _resetCacheForTest } = await import('../composables/useCurrency')
+    _resetCacheForTest()
+    // With failed rates, conversion returns original amount and uses Intl with target currency
+    // This may throw if Intl doesn't know EUR — but the function should not throw
+    const result = await formatPrice(50, 'EUR')
+    expect(typeof result).toBe('string')
+    expect(result.length).toBeGreaterThan(0)
+  })
+})
+
+describe('formatPriceUSD', () => {
+  it('formats a USD amount synchronously', async () => {
+    const { formatPriceUSD } = await import('../composables/useCurrency')
+    const result = formatPriceUSD(1234.5)
+    // Intl output varies by runtime locale data; check structure not exact string
+    expect(result).toContain('$')
+    expect(result).toContain('1,234')
+  })
+
+  it('formats zero as a USD string', async () => {
+    const { formatPriceUSD } = await import('../composables/useCurrency')
+    const result = formatPriceUSD(0)
+    expect(result).toContain('$')
+    expect(result).toMatch(/\$0/)
+  })
+})

web/src/assets/theme.css

@@ -2,6 +2,12 @@
    Dark tactical theme: near-black surfaces, amber accent, trust-signal colours.
    ALL color/font/spacing tokens live here — nowhere else.
    Snipe Mode easter egg: activated by Konami code (cf-snipe-mode in localStorage).
+
+   Planned theme variants (add as [data-theme="<name>"] blocks using the same token set):
+     solarized-dark  — Ethan Schoonover's Solarized dark palette, amber accent
+     solarized-light — Solarized light palette, amber accent
+     high-contrast   — WCAG AAA minimum contrast ratios, no mid-grey text
+     colorblind      — Deuteranopia-safe trust signal colours (blue/orange instead of green/red)
 */
 
 /* ── Snipe — dark tactical (default) ───────────────
@@ -212,7 +218,7 @@ html {
   -moz-osx-font-smoothing: grayscale;
 }
 
-body { margin: 0; min-height: 100vh; }
+body { margin: 0; min-height: 100vh; background: var(--color-surface); }
 
 h1, h2, h3, h4, h5, h6 {
   font-family: var(--font-display);

web/src/components/ListingCard.vue

@@ -189,15 +189,18 @@
 </template>
 
 <script setup lang="ts">
-import { computed, ref } from 'vue'
+import { computed, ref, watch } from 'vue'
 import { RouterLink } from 'vue-router'
 import type { Listing, TrustScore, Seller } from '../stores/search'
 import { useSearchStore } from '../stores/search'
 import { useBlocklistStore } from '../stores/blocklist'
 import TrustFeedbackButtons from './TrustFeedbackButtons.vue'
 import { useTrustSignalPref } from '../composables/useTrustSignalPref'
+import { formatPrice, formatPriceUSD } from '../composables/useCurrency'
+import { usePreferencesStore } from '../stores/preferences'
 
 const { enabled: trustSignalEnabled } = useTrustSignalPref()
+const prefsStore = usePreferencesStore()
 
 const props = defineProps<{
   listing: Listing
@@ -379,15 +382,26 @@ const isSteal = computed(() => {
   return props.listing.price < props.marketPrice * 0.8
 })
 
-const formattedPrice = computed(() => {
+// Async price display — show USD synchronously while rates load, then update
-  const sym = props.listing.currency === 'USD' ? '$' : props.listing.currency + ' '
+const formattedPrice = ref(formatPriceUSD(props.listing.price))
-  return `${sym}${props.listing.price.toLocaleString('en-US', { minimumFractionDigits: 0, maximumFractionDigits: 2 })}`
+const formattedMarket = ref(props.marketPrice ? formatPriceUSD(props.marketPrice) : '')
-})
 
-const formattedMarket = computed(() => {
+async function _updatePrices() {
-  if (!props.marketPrice) return ''
+  const currency = prefsStore.displayCurrency
-  return `$${props.marketPrice.toLocaleString('en-US', { maximumFractionDigits: 0 })}`
+  formattedPrice.value = await formatPrice(props.listing.price, currency)
-})
+  if (props.marketPrice) {
+    formattedMarket.value = await formatPrice(props.marketPrice, currency)
+  } else {
+    formattedMarket.value = ''
+  }
+}
+
+// Update when the listing, marketPrice, or display currency changes
+watch(
+  [() => props.listing.price, () => props.marketPrice, () => prefsStore.displayCurrency],
+  () => { _updatePrices() },
+  { immediate: true },
+)
 </script>
 
 <style scoped>

web/src/composables/useCurrency.ts

@@ -0,0 +1,102 @@
+/**
+ * useCurrency — live exchange rate conversion from USD to a target display currency.
+ *
+ * Rates are fetched lazily on first use from open.er-api.com (free, no key required).
+ * A module-level cache with a 1-hour TTL prevents redundant network calls.
+ * On fetch failure the composable falls back silently to USD display.
+ */
+
+const ER_API_URL = 'https://open.er-api.com/v6/latest/USD'
+const CACHE_TTL_MS = 60 * 60 * 1000 // 1 hour
+
+interface RateCache {
+  rates: Record<string, number>
+  fetchedAt: number
+}
+
+// Module-level cache shared across all composable instances
+let _cache: RateCache | null = null
+let _inflight: Promise<Record<string, number>> | null = null
+
+async function _fetchRates(): Promise<Record<string, number>> {
+  const now = Date.now()
+
+  if (_cache && now - _cache.fetchedAt < CACHE_TTL_MS) {
+    return _cache.rates
+  }
+
+  // Deduplicate concurrent calls — reuse the same in-flight fetch
+  if (_inflight) {
+    return _inflight
+  }
+
+  _inflight = (async () => {
+    try {
+      const res = await fetch(ER_API_URL)
+      if (!res.ok) throw new Error(`ER-API responded ${res.status}`)
+      const data = await res.json()
+      const rates: Record<string, number> = data.rates ?? {}
+      _cache = { rates, fetchedAt: Date.now() }
+      return rates
+    } catch {
+      // Return cached stale data if available, otherwise empty object (USD passthrough)
+      return _cache?.rates ?? {}
+    } finally {
+      _inflight = null
+    }
+  })()
+
+  return _inflight
+}
+
+/**
+ * Convert an amount in USD to the target currency using the latest exchange rates.
+ * Returns the original amount unchanged if rates are unavailable or the currency is USD.
+ */
+export async function convertFromUSD(amountUSD: number, targetCurrency: string): Promise<number> {
+  if (targetCurrency === 'USD') return amountUSD
+  const rates = await _fetchRates()
+  const rate = rates[targetCurrency]
+  if (!rate) return amountUSD
+  return amountUSD * rate
+}
+
+/**
+ * Format a USD amount as a localized string in the target currency.
+ * Fetches exchange rates lazily. Falls back to USD display if rates are unavailable.
+ *
+ * Returns a plain USD string synchronously on first call while rates load;
+ * callers should use a ref that updates once the promise resolves.
+ */
+export async function formatPrice(amountUSD: number, currency: string): Promise<string> {
+  const converted = await convertFromUSD(amountUSD, currency)
+  try {
+    return new Intl.NumberFormat('en-US', {
+      style: 'currency',
+      currency,
+      minimumFractionDigits: 0,
+      maximumFractionDigits: 2,
+    }).format(converted)
+  } catch {
+    // Fallback if Intl doesn't know the currency code
+    return `${currency} ${converted.toLocaleString('en-US', { minimumFractionDigits: 0, maximumFractionDigits: 2 })}`
+  }
+}
+
+/**
+ * Synchronous USD-only formatter for use before rates have loaded.
+ */
+export function formatPriceUSD(amountUSD: number): string {
+  return new Intl.NumberFormat('en-US', {
+    style: 'currency',
+    currency: 'USD',
+    minimumFractionDigits: 0,
+    maximumFractionDigits: 2,
+  }).format(amountUSD)
+}
+
+// Exported for testing — allows resetting module-level cache between test cases
+export function _resetCacheForTest(): void {
+  _cache = null
+  _inflight = null
+}

web/src/stores/preferences.ts

@@ -12,8 +12,14 @@ export interface UserPreferences {
   community?: {
     blocklist_share?: boolean
   }
+  display?: {
+    currency?: string
+  }
 }
 
+const CURRENCY_LS_KEY = 'snipe:currency'
+const DEFAULT_CURRENCY = 'USD'
+
 const apiBase = (import.meta.env.VITE_API_BASE as string) ?? ''
 
 export const usePreferencesStore = defineStore('preferences', () => {
@@ -26,14 +32,34 @@ export const usePreferencesStore = defineStore('preferences', () => {
   const affiliateByokId = computed(() => prefs.value.affiliate?.byok_ids?.ebay ?? '')
   const communityBlocklistShare = computed(() => prefs.value.community?.blocklist_share ?? false)
 
+  // displayCurrency: DB preference for logged-in users, localStorage for anon users
+  const displayCurrency = computed((): string => {
+    return prefs.value.display?.currency ?? DEFAULT_CURRENCY
+  })
+
   async function load() {
-    if (!session.isLoggedIn) return
+    if (!session.isLoggedIn) {
+      // Anonymous user: read currency from localStorage
+      const stored = localStorage.getItem(CURRENCY_LS_KEY)
+      if (stored) {
+        prefs.value = { ...prefs.value, display: { ...prefs.value.display, currency: stored } }
+      }
+      return
+    }
     loading.value = true
     error.value = null
     try {
       const res = await fetch(`${apiBase}/api/preferences`)
       if (res.ok) {
-        prefs.value = await res.json()
+        const data: UserPreferences = await res.json()
+        // Migration: if logged in but no DB preference, fall back to localStorage value
+        if (!data.display?.currency) {
+          const lsVal = localStorage.getItem(CURRENCY_LS_KEY)
+          if (lsVal) {
+            data.display = { ...data.display, currency: lsVal }
+          }
+        }
+        prefs.value = data
       }
     } catch {
       // Non-cloud deploy or network error — preferences unavailable
@@ -75,6 +101,18 @@ export const usePreferencesStore = defineStore('preferences', () => {
     await setPref('community.blocklist_share', value)
   }
 
+  async function setDisplayCurrency(code: string) {
+    const upper = code.toUpperCase()
+    // Optimistic local update so the UI reacts immediately
+    prefs.value = { ...prefs.value, display: { ...prefs.value.display, currency: upper } }
+    if (session.isLoggedIn) {
+      await setPref('display.currency', upper)
+    } else {
+      // Anonymous user: persist to localStorage only
+      localStorage.setItem(CURRENCY_LS_KEY, upper)
+    }
+  }
+
   return {
     prefs,
     loading,
@@ -82,9 +120,11 @@ export const usePreferencesStore = defineStore('preferences', () => {
     affiliateOptOut,
     affiliateByokId,
     communityBlocklistShare,
+    displayCurrency,
     load,
     setAffiliateOptOut,
     setAffiliateByokId,
     setCommunityBlocklistShare,
+    setDisplayCurrency,
   }
 })

web/src/stores/search.ts

@@ -145,6 +145,7 @@ export const useSearchStore = defineStore('search', () => {
     _abort?.abort()
     _abort = null
     loading.value = false
+    closeUpdates()
   }
 
   async function search(q: string, filters: SearchFilters = {}) {
@@ -158,8 +159,6 @@ export const useSearchStore = defineStore('search', () => {
     error.value = null
 
     try {
-      // TODO: POST /api/search with { query: q, filters }
-      // API does not exist yet — stub returns empty results
       // VITE_API_BASE is '' in dev; '/snipe' under menagerie (baked at build time by Vite)
       const apiBase = (import.meta.env.VITE_API_BASE as string) ?? ''
       const params = new URLSearchParams({ q })
@@ -174,51 +173,36 @@ export const useSearchStore = defineStore('search', () => {
       if (filters.mustExclude?.trim()) params.set('must_exclude', filters.mustExclude.trim())
       if (filters.categoryId?.trim()) params.set('category_id', filters.categoryId.trim())
       if (filters.adapter && filters.adapter !== 'auto') params.set('adapter', filters.adapter)
-      const res = await fetch(`${apiBase}/api/search?${params}`, { signal })
+
+      // Use the async endpoint: returns 202 immediately with a session_id, then
+      // streams listings + trust scores via SSE as the scrape completes.
+      const res = await fetch(`${apiBase}/api/search/async?${params}`, { signal })
       if (!res.ok) throw new Error(`Search failed: ${res.status} ${res.statusText}`)
 
       const data = await res.json() as {
-        listings: Listing[]
+        session_id: string
-        trust_scores: Record<string, TrustScore>
+        status: 'queued'
-        sellers: Record<string, Seller>
-        market_price: number | null
-        adapter_used: 'api' | 'scraper'
-        affiliate_active: boolean
-        session_id: string | null
       }
 
-      results.value = data.listings ?? []
+      // HTTP 202 received — scraping is underway in the background.
-      trustScores.value = new Map(Object.entries(data.trust_scores ?? {}))
+      // Stay in loading state until the first "listings" SSE event arrives.
-      sellers.value = new Map(Object.entries(data.sellers ?? {}))
+      // loading.value stays true; enriching tracks the SSE stream being open.
-      marketPrice.value = data.market_price ?? null
+      enriching.value = true
-      adapterUsed.value = data.adapter_used ?? null
+      _openUpdates(data.session_id, apiBase)
-      affiliateActive.value = data.affiliate_active ?? false
-      saveCache({
-        query: q,
-        results: results.value,
-        trustScores: data.trust_scores ?? {},
-        sellers: data.sellers ?? {},
-        marketPrice: marketPrice.value,
-        adapterUsed: adapterUsed.value,
-      })
-
-      // Open SSE stream if any scores are partial and a session_id was provided
-      const hasPartial = Object.values(data.trust_scores ?? {}).some(ts => ts.score_is_partial)
-      if (data.session_id && hasPartial) {
-        _openUpdates(data.session_id, apiBase)
-      }
     } catch (e) {
       if (e instanceof DOMException && e.name === 'AbortError') {
         // User cancelled — clear loading but don't surface as an error
         results.value = []
+        loading.value = false
       } else {
         error.value = e instanceof Error ? e.message : 'Unknown error'
         results.value = []
+        loading.value = false
       }
-    } finally {
-      loading.value = false
       _abort = null
     }
+    // Note: loading.value is NOT set to false here — it stays true until the
+    // first "listings" SSE event arrives (see _openUpdates handler below).
   }
 
   function closeUpdates() {
@@ -229,34 +213,115 @@ export const useSearchStore = defineStore('search', () => {
     enriching.value = false
   }
 
+  // Internal type for typed SSE events from the async search endpoint
+  type _AsyncListingsEvent = {
+    type: 'listings'
+    listings: Listing[]
+    trust_scores: Record<string, TrustScore>
+    sellers: Record<string, Seller>
+    market_price: number | null
+    adapter_used: 'api' | 'scraper'
+    affiliate_active: boolean
+    session_id: string
+  }
+
+  type _MarketPriceEvent = {
+    type: 'market_price'
+    market_price: number | null
+  }
+
+  type _UpdateEvent = {
+    type: 'update'
+    platform_listing_id: string
+    trust_score: TrustScore
+    seller: Seller
+    market_price: number | null
+  }
+
+  type _LegacyUpdateEvent = {
+    platform_listing_id: string
+    trust_score: TrustScore
+    seller: Record<string, unknown>
+    market_price: number | null
+  }
+
+  type _SSEEvent =
+    | _AsyncListingsEvent
+    | _MarketPriceEvent
+    | _UpdateEvent
+    | _LegacyUpdateEvent
+
   function _openUpdates(sessionId: string, apiBase: string) {
-    closeUpdates()  // close any previous stream
+    // Close any pre-existing stream but preserve enriching state — caller sets it.
-    enriching.value = true
+    if (_sse) {
+      _sse.close()
+      _sse = null
+    }
 
     const es = new EventSource(`${apiBase}/api/updates/${sessionId}`)
     _sse = es
 
     es.onmessage = (e) => {
       try {
-        const update = JSON.parse(e.data) as {
+        const update = JSON.parse(e.data) as _SSEEvent
-          platform_listing_id: string
+
-          trust_score: TrustScore
+        if ('type' in update) {
-          seller: Record<string, unknown>
+          // Typed events from the async search endpoint
-          market_price: number | null
+          if (update.type === 'listings') {
-        }
+            // First batch: hydrate store and transition out of loading state
-        if (update.platform_listing_id && update.trust_score) {
+            results.value = update.listings ?? []
-          trustScores.value = new Map(trustScores.value)
+            trustScores.value = new Map(Object.entries(update.trust_scores ?? {}))
-          trustScores.value.set(update.platform_listing_id, update.trust_score)
+            sellers.value = new Map(Object.entries(update.sellers ?? {}))
-        }
+            marketPrice.value = update.market_price ?? null
-        if (update.seller) {
+            adapterUsed.value = update.adapter_used ?? null
-          const s = update.seller as Seller
+            affiliateActive.value = update.affiliate_active ?? false
-          if (s.platform_seller_id) {
+            saveCache({
-            sellers.value = new Map(sellers.value)
+              query: query.value,
-            sellers.value.set(s.platform_seller_id, s)
+              results: results.value,
+              trustScores: update.trust_scores ?? {},
+              sellers: update.sellers ?? {},
+              marketPrice: marketPrice.value,
+              adapterUsed: adapterUsed.value,
+            })
+            // Scrape complete — turn off the initial loading spinner.
+            // enriching stays true while enrichment SSE is still open.
+            loading.value = false
+          } else if (update.type === 'market_price') {
+            if (update.market_price != null) {
+              marketPrice.value = update.market_price
+            }
+          } else if (update.type === 'update') {
+            // Per-seller enrichment update (same as legacy format but typed)
+            if (update.platform_listing_id && update.trust_score) {
+              trustScores.value = new Map(trustScores.value)
+              trustScores.value.set(update.platform_listing_id, update.trust_score)
+            }
+            if (update.seller?.platform_seller_id) {
+              sellers.value = new Map(sellers.value)
+              sellers.value.set(update.seller.platform_seller_id, update.seller)
+            }
+            if (update.market_price != null) {
+              marketPrice.value = update.market_price
+            }
+          }
+          // type: "error" — no special handling; stream will close via 'done'
+        } else {
+          // Legacy enrichment update (no type field) from synchronous search path
+          const legacy = update as _LegacyUpdateEvent
+          if (legacy.platform_listing_id && legacy.trust_score) {
+            trustScores.value = new Map(trustScores.value)
+            trustScores.value.set(legacy.platform_listing_id, legacy.trust_score)
+          }
+          if (legacy.seller) {
+            const s = legacy.seller as Seller
+            if (s.platform_seller_id) {
+              sellers.value = new Map(sellers.value)
+              sellers.value.set(s.platform_seller_id, s)
+            }
+          }
+          if (legacy.market_price != null) {
+            marketPrice.value = legacy.market_price
           }
-        }
-        if (update.market_price != null) {
-          marketPrice.value = update.market_price
         }
       } catch {
         // malformed event — ignore
@@ -268,6 +333,8 @@ export const useSearchStore = defineStore('search', () => {
     })
 
     es.onerror = () => {
+      // If loading is still true (never got a "listings" event), clear it
+      loading.value = false
       closeUpdates()
     }
   }

web/src/views/SettingsView.vue

@@ -69,6 +69,28 @@
           >{{ opt.label }}</button>
         </div>
       </div>
+
+      <!-- Display currency -->
+      <div class="settings-toggle">
+        <div class="settings-toggle-text">
+          <span class="settings-toggle-label">Display currency</span>
+          <span class="settings-toggle-desc">
+            Listing prices are converted from USD using live exchange rates.
+            Rates update hourly.
+          </span>
+        </div>
+        <select
+          id="display-currency"
+          class="settings-select"
+          :value="prefs.displayCurrency"
+          aria-label="Select display currency"
+          @change="prefs.setDisplayCurrency(($event.target as HTMLSelectElement).value)"
+        >
+          <option v-for="opt in currencyOptions" :key="opt.code" :value="opt.code">
+            {{ opt.code }} — {{ opt.label }}
+          </option>
+        </select>
+      </div>
     </section>
 
     <!-- Affiliate Links — only shown to signed-in cloud users -->
@@ -166,6 +188,18 @@ const themeOptions: { value: 'system' | 'dark' | 'light'; label: string }[] = [
   { value: 'dark',   label: 'Dark' },
   { value: 'light',  label: 'Light' },
 ]
+const currencyOptions: { code: string; label: string }[] = [
+  { code: 'USD', label: 'US Dollar' },
+  { code: 'EUR', label: 'Euro' },
+  { code: 'GBP', label: 'British Pound' },
+  { code: 'CAD', label: 'Canadian Dollar' },
+  { code: 'AUD', label: 'Australian Dollar' },
+  { code: 'JPY', label: 'Japanese Yen' },
+  { code: 'CHF', label: 'Swiss Franc' },
+  { code: 'MXN', label: 'Mexican Peso' },
+  { code: 'BRL', label: 'Brazilian Real' },
+  { code: 'INR', label: 'Indian Rupee' },
+]
 const session = useSessionStore()
 const prefs = usePreferencesStore()
 const { autoRun: llmAutoRun, setAutoRun: setLLMAutoRun } = useLLMQueryBuilder()
@@ -346,6 +380,24 @@ function saveByokId() {
   margin: 0;
 }
 
+.settings-select {
+  padding: var(--space-2) var(--space-3);
+  background: var(--color-surface);
+  border: 1px solid var(--color-border);
+  border-radius: var(--radius-md);
+  color: var(--color-text);
+  font-size: 0.875rem;
+  font-family: inherit;
+  cursor: pointer;
+  outline: none;
+  flex-shrink: 0;
+  transition: border-color 0.15s ease;
+}
+
+.settings-select:focus {
+  border-color: var(--app-primary);
+}
+
 .theme-btn-group {
   display: flex;
   gap: 0;