You are ChatGPT, an expert Flask developer. I will upload two ZIP files:

* **plant-scan-main.zip** (the standalone sub-app)
* **natureinpots\_main.zip** (the main app with its importer plugin)

When I upload them, **immediately reply**:

> Got it, ready to review both codebases.

Then, following the exact file structures in those ZIPs, **implement** all of the following changes—listing every modified or new file by its relative path and providing its **complete** updated contents:

---

## 1. FULL-CODE REVIEW

* Scan **every file and every line** in both ZIPs—no exceptions, no assumptions.
* Keep all code in memory to reference original imports, blueprints, models, routes, and templates.

---

## 2. SUB-APP ENHANCEMENTS (Plant Scan)

1. **Authentication & CSRF**

   * Add Flask-Login with a `User(id, email, password_hash, created_at)` model.
   * Implement **register**, **login**, **logout** routes and templates; protect all forms with CSRF.
   * Scope all queries so users only see their own data (`Plant.user_id == current_user.id`, `GrowLog.user_id == current_user.id`).

2. **Image Upload Support**

   * Modify plant-create/edit and grow-log forms to accept ``.
   * Save uploads under:

     * `static/uploads///.`
     * `static/uploads//growlogs///.`
   * Strip EXIF, record `original_filename` and `uploaded_at` in a `Media` model.

3. **Export My Data**

   * Add a login-required `/export` route and button.
   * Generate `_export.zip` containing:

     * **plants.csv** (headers exactly):

       ```
       plant_id,common_name,scientific_name,genus,vendor_name,price,notes,created_at
       ```
     * **media.csv** (headers exactly):

       ```
       plant_id,image_path,uploaded_at,source_type
       ```
     * **images/** folder mirroring the upload paths.
     * A hidden **export\_id** (UUID + timestamp) in a metadata file or CSV header.
   * Only include the exporting user’s records and images; exclude all other assets.

4. **Manual Testing (Sub-App)**

   * Register two users; verify isolation of plant and grow-log lists.
   * Upload multiple images; confirm storage paths and DB entries.
   * Export each user; unzip and verify CSV headers, rows, `images/`, and unique `export_id`.

---

## 3. MAIN-APP IMPORTER REFACTOR (“Nature in Pots”)

1. **Web-Based ZIP Upload**

   * Change the importer form to accept a `.zip` file.
   * On upload, unzip into a temp directory expecting `plants.csv`, `media.csv`, and `images/`.
   * If only a CSV is uploaded, process it but skip media.

2. **CSV Header Validation**

   * Abort with a clear error if **plants.csv** does not have exactly:

     ```
     plant_id,common_name,scientific_name,genus,vendor_name,price,notes,created_at
     ```
   * Abort if **media.csv** does not have exactly:

     ```
     plant_id,image_path,uploaded_at,source_type
     ```

3. **Import Logic & Collision Avoidance**

   * For each row in `plants.csv`, create a new `Plant`.
   * For each row in `media.csv`, locate the file under `images/...`, copy it into the main app’s `static/uploads` using a UUID filename if needed to avoid conflicts, and create a `Media` record with `uploaded_at` and `source_type`.
   * Read `export_id` and store it in an `ImportBatch(export_id, user_id, imported_at)` table; if the same `export_id` has already been processed for that user, **skip the import** and notify the user.

4. **Ownership Attribution**

   * Attribute all imported `Plant` and `Media` entries to **the currently logged-in main-app user**.

5. **Schema & Neo4j**

   * Supply defaults for any non-nullable fields missing from `plants.csv`.
   * Pass all imported fields (e.g. `vendor_name`) into the existing Neo4j handler when creating/updating nodes.

6. **Manual Testing (Importer)**

   * As a main-app user, upload the `_export.zip`; confirm no duplicates on re-upload.
   * Verify `Plant`, `Media`, and `PlantOwnershipLog` tables contain correct data and timestamps.
   * View plant detail pages to ensure images load correctly.
   * Inspect Neo4j for the new or updated plant nodes.

---

## 4. DELIVERY & CONSTRAINTS

* For **every** changed or new file, list its **relative path** and include its **entire** file contents.
* **CSV headers must match exactly**—no deviations.
* Use **UUID filenames** to guarantee no file collisions on import.
* All routes and forms must enforce **authentication** and **CSRF**.
* **Only modify** code under `app/` or `plugins/`; **do not delete** any existing files.

Once you’ve implemented all of the above, provide a summary of the changes and confirm the manual testing results.
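
One way to implement the importer checks from section 3 (exact CSV headers, image lookup confined to `images/`, UUID filenames), as an added example that is not part of the original prompt or of either codebase. It assumes `image_path` values are ZIP-relative and start with `images/`; `plan_import`, `read_csv_exact`, `safe_image_member`, `ImportValidationError` and `build_sample_zip` are hypothetical names.

```python
import csv, io, uuid, zipfile
from pathlib import PurePosixPath

PLANT_HEADERS = "plant_id,common_name,scientific_name,genus,vendor_name,price,notes,created_at".split(",")
MEDIA_HEADERS = "plant_id,image_path,uploaded_at,source_type".split(",")

class ImportValidationError(ValueError):
    """Raised to reject an upload before anything is written to disk or DB."""

def read_csv_exact(zf, name, expected):
    """Return the rows of `name` as dicts; abort unless the header matches exactly."""
    if name not in zf.namelist():
        raise ImportValidationError(f"{name} is missing from the archive")
    text = zf.read(name).decode("utf-8-sig")
    rows = [r for r in csv.reader(io.StringIO(text, newline="")) if r]
    if not rows or rows[0] != expected:
        raise ImportValidationError(f"{name} header must be exactly: {','.join(expected)}")
    if any(len(r) != len(expected) for r in rows[1:]):
        raise ImportValidationError(f"{name} has a row with the wrong column count")
    return [dict(zip(expected, r)) for r in rows[1:]]

def safe_image_member(image_path):
    """Normalise image_path and refuse anything that does not stay under images/."""
    p = PurePosixPath(image_path.replace("\\", "/"))
    if p.is_absolute() or ".." in p.parts or len(p.parts) < 2 or p.parts[0] != "images":
        raise ImportValidationError(f"image_path outside images/: {image_path!r}")
    return str(p)

def plan_import(zip_bytes):
    """Validate an export ZIP in memory; every image gets a fresh UUID storage name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plants = read_csv_exact(zf, "plants.csv", PLANT_HEADERS)
        media = []
        if "media.csv" in zf.namelist():  # assumption: no media.csv means plants only
            for row in read_csv_exact(zf, "media.csv", MEDIA_HEADERS):
                member = safe_image_member(row["image_path"])
                if member not in zf.namelist():
                    raise ImportValidationError(f"{member} is in media.csv but not in the ZIP")
                stored = uuid.uuid4().hex + PurePosixPath(member).suffix.lower()
                media.append({**row, "member": member, "stored_name": stored})
    return plants, media

def build_sample_zip(image_path="images/1/fern.jpg", plant_header=None):
    """Constructed sample export (not real data) for exercising plan_import()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plants.csv", (plant_header or ",".join(PLANT_HEADERS)) + "\n1,Fern,,,,,,2024-01-01\n")
        zf.writestr("media.csv", ",".join(MEDIA_HEADERS) + f"\n1,{image_path},2024-01-01,plant\n")
        zf.writestr("images/1/fern.jpg", b"constructed-bytes")
    return buf.getvalue()
```

Nothing is extracted to disk until both CSVs and every referenced path have passed validation. The `export_id` / `ImportBatch` check and limits on archive and member size are not covered here.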