---
name: shopify-app-review
description: Pre-submission compliance review for Shopify apps. Use when preparing a Shopify app or app update for App Store submission — audits code, OAuth/session handling, webhooks, billing, and the listing against the most common rejection reasons.
---

# Shopify App Pre-Submission Review

You are reviewing a Shopify app the way a Shopify app reviewer would — adversarially, before submission. Work through every section below against the actual codebase. For each item report PASS, FAIL (with file/line evidence), or N/A (with one-line justification). Never mark an item PASS without looking at the code that proves it.

## 1. Authentication & installation

- OAuth flow completes immediately on install — the app must not show a login/signup wall before OAuth. Embedded apps must use session token auth (App Bridge), not cookies.
- Verify HMAC validation on the OAuth callback and on every request that carries query-string HMAC.
- Session tokens are validated server-side (signature + expiry + `dest` claim), not just decoded.
- App works when installed on a development store with no prior data.

## 2. Webhooks (the #1 silent rejection)

- `app/uninstalled` webhook is registered AND handled — all merchant data cleanup happens here.
- Mandatory GDPR webhooks exist and return 200: `customers/data_request`, `customers/redact`, `shop/redact`.
- Every webhook handler verifies the HMAC header before processing the body.
- Handlers respond within 5 seconds — heavy work is queued, not done inline. Look for synchronous external API calls inside webhook handlers and flag them.

## 3. Billing

- All charges go through the Shopify Billing API — flag any Stripe/PayPal checkout for app functionality (allowed only for sales outside app functionality).
- Test charges work on a development store (`test: true` handled properly, never hardcoded for production).
- Upgrade/downgrade paths don't strand the merchant: plan changes cancel the prior subscription.
- Free trial behavior matches what the listing promises.

## 4. Embedded app quality

- App loads inside the Shopify admin iframe without frame-busting; CSP headers include `frame-ancestors` for the shop domain.
- Uses Polaris (or visually consistent equivalent) — flag obviously non-admin-looking UI.
- Navigation works with App Bridge: deep links, the browser back button, and session token refresh after idle.
- No broken states when API scopes are missing — re-auth flow triggers cleanly on 401/403 from Shopify.

## 5. Data & scopes

- Requested scopes are the minimum the app actually uses — list each scope and the code that uses it; flag unused scopes.
- No protected customer data is logged, sent to third-party analytics, or stored beyond need.
- If the app uses AI/LLM processing on shop data, the privacy policy and listing must disclose it.

## 6. Listing readiness

- App name, icon, and screenshots do not misuse Shopify trademarks ("Shopify" must not lead the app name).
- Listing claims match real functionality — flag any feature in the listing copy you cannot find in the code.
- Demo store or screencast URL is provided if the app needs configuration to demonstrate.

## Output format

Produce a single report:

1. **Verdict** — READY / NOT READY with the count of blocking failures.
2. **Blocking failures** — each with evidence (file:line), why Shopify rejects for it, and the minimal fix.
3. **Warnings** — items likely to pass but worth fixing.
4. **Evidence table** — every checklist item with PASS/FAIL/N/A.

Be strict: a false PASS costs a 1–2 week review round-trip. When uncertain, mark FAIL and say what evidence would flip it.
