diff --git a/nip.zip b/nip.zip
index a36fa77..922fc06 100644
Binary files a/nip.zip and b/nip.zip differ
diff --git a/plugins/media/routes.py b/plugins/media/routes.py
index 269331c..0b6edad 100644
--- a/plugins/media/routes.py
+++ b/plugins/media/routes.py
@@ -232,15 +232,6 @@ def serve(plugin, filename):
     return send_from_directory(disk_dir, filename)
 
 
-@bp.route("/files/<path:filename>")
-def media_file(filename):
-    base = current_app.config["UPLOAD_FOLDER"]
-    full = os.path.normpath(os.path.join(base, filename))
-    if not full.startswith(os.path.abspath(base)):
-        abort(404)
-    return send_from_directory(base, filename)
-
-
 @bp.route("/<filename>")
 def media_public(filename):
     base = current_app.config["UPLOAD_FOLDER"]
@@ -286,32 +277,64 @@ def add_media(plant_uuid):
     return redirect(request.referrer or url_for("plant.edit", uuid_val=plant_uuid))
 
 
-@bp.route("/feature/<string:context>/<int:context_id>/<int:media_id>", methods=["POST"])
-@login_required
-def set_featured_image(context, context_id, media_id):
-    media = Media.query.get_or_404(media_id)
-    if media.uploader_id != current_user.id and current_user.role != "admin":
-        return jsonify({"error": "Not authorized"}), 403
+@bp.route("/<context>/<int:context_id>/<filename>")
+def media_file(context, context_id, filename):
+    # your existing serve_context_media logic here
+    # (unchanged)
+    from flask import current_app, send_from_directory
+    import os
+    valid = {"user", "plant", "growlog", "vendor"}
+    if context in valid:
+        plugin = context
+    elif context.endswith("s") and context[:-1] in valid:
+        plugin = context[:-1]
+    else:
+        abort(404)
 
+    media = Media.query.filter_by(
+        plugin=plugin,
+        related_id=context_id,
+        filename=filename
+    ).first_or_404()
+
+    base = current_app.config["UPLOAD_FOLDER"]
+    directory = os.path.join(base, plugin, str(context_id))
+    return send_from_directory(directory, filename)
+
+@bp.route('/featured/<context>/<int:context_id>/<int:media_id>', methods=['POST'])
+def set_featured_image(context, context_id, media_id):
+    """
+    Single‐select “featured” toggle for any plugin (plants, grow_logs, etc).
+    """
+    # normalize to plural
+    plugin_ctx = context if context.endswith('s') else context + 's'
+    if plugin_ctx not in ('plants', 'grow_logs', 'users', 'vendors'):
+        abort(404)
+
+    # must own that media row
+    media = Media.query.filter_by(
+        plugin=plugin_ctx,
+        related_id=context_id,
+        id=media_id
+    ).first_or_404()
+
+    # clear out any existing
     FeaturedImage.query.filter_by(
-        context=context,
+        context=plugin_ctx,
         context_id=context_id
     ).delete()
 
-    feat = FeaturedImage(
+    # insert new featured row
+    fi = FeaturedImage(
         media_id=media.id,
-        context=context,
+        context=plugin_ctx,
         context_id=context_id,
         is_featured=True
     )
-    db.session.add(feat)
-
-    if context == "plant":
-        plant = Plant.query.get_or_404(context_id)
-        plant.featured_media_id = media.id
-
+    db.session.add(fi)
     db.session.commit()
-    return jsonify({"status": "success", "media_id": media.id})
+
+    return jsonify({"media_id": media.id})
 
 
 @bp.route("/delete/<int:media_id>", methods=["POST"])
diff --git a/plugins/plant/templates/plant/edit.html b/plugins/plant/templates/plant/edit.html
index d5fe03e..a5ab9d2 100644
--- a/plugins/plant/templates/plant/edit.html
+++ b/plugins/plant/templates/plant/edit.html
@@ -5,6 +5,7 @@
 <div class="container mt-4">
   <h2>Edit Plant</h2>
 
+  {# ——— Plant Edit Form ——— #}
   <form method="POST" enctype="multipart/form-data">
     {{ form.hidden_tag() }}
 
@@ -54,6 +55,7 @@
 
   <hr>
 
+  {# ——— Upload New Image ——— #}
   <h4>Upload Image</h4>
   <form
     method="POST"
@@ -68,56 +70,63 @@
     </div>
   </form>
 
+  {# ——— Existing Images & Featured Toggle ——— #}
   <h4>Existing Images</h4>
-  <form method="POST" id="delete-images-form"
+  <form method="POST"
+        id="delete-images-form"
         action="{{ url_for('media.bulk_delete_media', plant_uuid=plant.uuid) }}"
         onsubmit="return confirm('Are you sure you want to delete selected images?');">
     {{ form.csrf_token }}
     <div class="row">
-      {% for media in plant.media %}
+      {% for media in plant.media_items %}
         <div class="col-md-3 mb-4">
           <div class="card h-100">
             <img
               id="image-{{ media.id }}"
-              src="{{ generate_image_url(media) }}"
+              src="{{ url_for('media.media_file',
+                               context='plants',
+                               context_id=plant.id,
+                               filename=media.filename) }}"
               class="card-img-top img-fluid"
               alt="Plant Image"
               style="object-fit:cover; height:150px;"
             >
             <div class="card-body text-center">
 
+              {# Featured radio driven off media.featured #}
               <div class="form-check mb-2">
                 <input
                   class="form-check-input featured-radio"
                   type="radio"
                   name="featured_media"
                   value="{{ media.id }}"
-                  {% if plant.featured_media_id == media.id %} checked {% endif %}
+                  {% if media.featured %}checked{% endif %}
                   data-url="{{ url_for('media.set_featured_image',
-                                       context='plant',
+                                       context='plants',
                                        context_id=plant.id,
                                        media_id=media.id) }}"
                 >
                 <label class="form-check-label">Featured</label>
               </div>
 
-              <div class="d-grid gap-1">
-                <button
-                  type="button"
-                  class="btn btn-outline-secondary btn-sm rotate-btn"
-                  data-url="{{ url_for('media.rotate_media', media_id=media.id) }}"
-                  data-id="{{ media.id }}"
-                >Rotate</button>
+              {# Rotate button #}
+              <button
+                type="button"
+                class="btn btn-outline-secondary btn-sm rotate-btn"
+                data-url="{{ url_for('media.rotate_media', media_id=media.id) }}"
+                data-id="{{ media.id }}"
+              >Rotate</button>
 
-                <div class="form-check mt-2">
-                  <input class="form-check-input delete-checkbox"
-                         type="checkbox"
-                         name="delete_ids"
-                         value="{{ media.id }}">
-                  <label class="form-check-label">Delete</label>
-                </div>
+              {# Delete checkbox #}
+              <div class="form-check mt-2">
+                <input
+                  class="form-check-input delete-checkbox"
+                  type="checkbox"
+                  name="delete_ids"
+                  value="{{ media.id }}"
+                >
+                <label class="form-check-label">Delete</label>
               </div>
-
             </div>
           </div>
         </div>
@@ -132,43 +141,42 @@
 {% endblock %}
 
 {% block scripts %}
-<script>
-  const csrfToken = "{{ form.csrf_token._value() }}";
+  {{ super() }}
+  <script>
+    const csrfToken = "{{ form.csrf_token._value() }}";
 
-  // Rotate
-  document.querySelectorAll('.rotate-btn').forEach(btn => {
-    btn.addEventListener('click', () => {
-      const url = btn.dataset.url;
-      const id  = btn.dataset.id;
-      fetch(url, {
-        method: 'POST',
-        headers: { 'X-CSRFToken': csrfToken }
-      })
-      .then(r => {
-        if (!r.ok) throw Error();
-        const img = document.getElementById(`image-${id}`);
-        img.src = img.src.split('?')[0] + `?v=${Date.now()}`;
-      })
-      .catch(() => alert('Failed to rotate image.'));
+    // Rotate buttons
+    document.querySelectorAll('.rotate-btn').forEach(btn => {
+      btn.addEventListener('click', () => {
+        fetch(btn.dataset.url, {
+          method: 'POST',
+          headers: { 'X-CSRFToken': csrfToken }
+        })
+        .then(r => {
+          if (!r.ok) throw Error();
+          const img = document.getElementById(`image-${btn.dataset.id}`);
+          img.src = img.src.split('?')[0] + `?v=${Date.now()}`;
+        })
+        .catch(() => alert('Failed to rotate image.'));
+      });
     });
-  });
 
-  // Feature
-  document.querySelectorAll('.featured-radio').forEach(radio => {
-    radio.addEventListener('change', () => {
-      const url = radio.dataset.url;
-      fetch(url, {
-        method: 'POST',
-        headers: { 'X-CSRFToken': csrfToken }
-      })
-      .then(r => {
-        if (!r.ok) throw Error();
-        // uncheck all, then check this one
-        document.querySelectorAll('.featured-radio').forEach(r => r.checked = false);
-        radio.checked = true;
-      })
-      .catch(() => alert('Could not set featured image.'));
+    // Featured‐radio AJAX
+    document.querySelectorAll('.featured-radio').forEach(radio => {
+      radio.addEventListener('change', () => {
+        fetch(radio.dataset.url, {
+          method: 'POST',
+          headers: { 'X-CSRFToken': csrfToken }
+        })
+        .then(r => {
+          if (!r.ok) throw Error();
+          // uncheck them all, then check this one
+          document.querySelectorAll('.featured-radio')
+                  .forEach(r => r.checked = false);
+          radio.checked = true;
+        })
+        .catch(() => alert('Could not set featured image.'));
+      });
     });
-  });
-</script>
+  </script>
 {% endblock %}