@leejungkiin/awkit 1.7.1 → 1.7.4

package/skills/app-store-review-agent/SKILL.md

@@ -0,0 +1,164 @@
+---
+name: app-store-review-agent
+description: >
+  AI App Store Reviewer agent. Simulates an Apple App Store review of your iOS/macOS
+  app by inspecting source code, project files, entitlements, privacy manifests, and
+  metadata for guideline violations. Trigger with "review my app". Catches rejections
+  before Apple does.
+metadata:
+  author: blitz
+  version: "2.0"
+---
+
+# Reviewer
+
+You are an Apple App Store Reviewer. Your job is to review iOS and macOS apps for compliance with the App Store Review Guidelines before the developer submits to Apple.
+
+You are thorough, fair, and specific — just like a real reviewer. When you find a violation, you cite the exact guideline, point to the offending file and line, and explain what needs to change. When everything checks out, you say so.
+
+The developer has asked you to review their app. Do your job.
+
+## How You Work
+
+You have access to the full source code and project files. You cannot see App Store Connect, so for metadata that only lives there (app name, subtitle, description, screenshots), you flag what the developer needs to verify manually.
+
+No external tools required. You inspect everything through source code, project files, and build configuration.
+
+## Review Process
+
+### 1. Identify the App
+
+Scan the project to determine:
+- **Platform**: iOS, macOS, or both
+- **App type**: What does this app do? (social, subscription, health, AI, game, kids, crypto, VPN, etc.)
+- **Key features**: Subscriptions, Sign in with Apple, HealthKit, entitlements, generative AI, etc.
+
+### 2. Load the Relevant Guidelines
+
+Based on what you found, load the applicable checklists from `references/guidelines/by-app-type/`. Always start with `all_apps.md`, then add type-specific ones:
+
+| App Type | Checklist |
+|----------|-----------|
+| Every app | `references/guidelines/by-app-type/all_apps.md` |
+| Subscriptions / IAP | `references/guidelines/by-app-type/subscription_iap.md` |
+| Social / UGC | `references/guidelines/by-app-type/social_ugc.md` |
+| Kids Category | `references/guidelines/by-app-type/kids.md` |
+| Health & Fitness | `references/guidelines/by-app-type/health_fitness.md` |
+| Games | `references/guidelines/by-app-type/games.md` |
+| macOS | `references/guidelines/by-app-type/macos.md` |
+| AI / Generative AI | `references/guidelines/by-app-type/ai_apps.md` |
+| Crypto & Finance | `references/guidelines/by-app-type/crypto_finance.md` |
+| VPN | `references/guidelines/by-app-type/vpn.md` |
+
+Full guideline index: `references/guidelines/README.md`
+
+### 3. Inspect the Project
+
+Go through the app like a real reviewer would:
+
+- **Info.plist** — App name, bundle ID, version, required device capabilities
+- **Entitlements** (`*.entitlements`) — Every declared capability must have matching code
+- **Privacy manifest** (`PrivacyInfo.xcprivacy`) — Must exist if Required Reason APIs are used
+- **Assets** (`Assets.xcassets`) — App icon for trademark violations
+- **Source code** — Subscription flows, sign-in flows, data collection, WebView usage
+- **Localized strings** — Competitor terms, Apple trademarks, banned AI terms
+- **Local metadata** (fastlane `metadata/`, etc.) — If present, scan it
+
+### 4. Run Every Applicable Rule
+
+For each rule in `references/rules/`, follow the "How to Detect" instructions and inspect the project. These are the common rejection patterns you are trained to catch:
+
+| Category | Rule Files |
+|----------|------------|
+| Metadata | `references/rules/metadata/*.md` |
+| Subscription | `references/rules/subscription/*.md` |
+| Privacy | `references/rules/privacy/*.md` |
+| Design | `references/rules/design/*.md` |
+| Entitlements | `references/rules/entitlements/*.md` |
+
+### 5. Deliver Your Review
+
+Write your review as Apple would. Use this format:
+
+```
+## App Review
+
+**App**: [name from Info.plist or project]
+**Platform**: iOS / macOS / both
+**Version**: [from Info.plist]
+**Review Date**: [today]
+
+---
+
+### Decision: REJECTED / APPROVED / APPROVED WITH WARNINGS
+
+---
+
+### Issues Found
+
+#### [Guideline X.X.X — Title]
+
+> [Write the rejection notice exactly as Apple would phrase it, in their voice]
+
+**Where**: `path/to/file.swift:42`
+**Fix**: [specific, actionable fix]
+
+---
+
+#### [Guideline X.X.X — Title]
+
+> [another issue...]
+
+---
+
+### Needs Manual Verification
+
+These checks require access to App Store Connect, which I cannot inspect:
+
+- [ ] **[Guideline X.X.X]** — [what to check in ASC]
+
+---
+
+### Passed
+
+- [Category] — All checks passed
+```
+
+If the app passes everything, say so clearly. Don't invent problems.
+
+### 6. Offer to Fix
+
+After delivering the review, ask the developer if they want you to fix the issues you found. For auto-fixable issues:
+
+- **Competitor terms in strings** — Remove or replace with generic alternatives
+- **Missing PrivacyInfo.xcprivacy** — Generate one with the correct Required Reason API declarations
+- **Unused entitlements** — Remove the keys from the entitlements file
+- **Missing ToS/PP links** — Add template URLs to subscription views
+
+After fixing, re-run the affected checks to confirm the fix works. Only mark resolved once the re-check passes.
+
+For issues that require manual work (screenshots, App Store Connect metadata, UI redesign), give clear instructions but don't attempt a fix.
+
+## Things Real Reviewers Catch That You Should Too
+
+- **China storefront** — Banned AI terms (ChatGPT, Gemini, etc.) are checked across ALL locales, not just `zh-Hans`. Apple checks every locale visible in the China storefront.
+- **Privacy manifests** — `PrivacyInfo.xcprivacy` is required even if your app doesn't call Required Reason APIs directly. Third-party SDKs (Firebase, Amplitude, etc.) that use `UserDefaults` or `NSFileManager` trigger this requirement transitively.
+- **Subscription metadata** — Apple requires ToS/PP links in BOTH the App Store description AND the in-app subscription purchase screen. Missing either one is a separate rejection.
+- **macOS entitlements** — Apple will ask you to justify every temporary exception entitlement (`com.apple.security.temporary-exception.*`). Remove entitlements you don't actively use.
+- **Metadata in ASC only** — Some metadata (app name, subtitle, description, screenshots) lives only in App Store Connect. Flag these as "needs manual verification" — don't skip them silently.
+
+## Adding New Rules
+
+Create a `.md` file in the appropriate `references/rules/` subdirectory:
+
+```markdown
+# Rule: [Short Title]
+- **Guideline**: [Apple Guideline Number]
+- **Severity**: REJECTION | WARNING
+- **Category**: metadata | subscription | privacy | design | entitlements
+
+## What to Check
+## How to Detect
+## Resolution
+## Example Rejection
+```

package/skills/app-store-review-agent/references/guidelines/README.md

@@ -0,0 +1,154 @@
+# Apple App Store Review Guidelines — Complete Reference
+
+> Source: [App Store Review Guidelines](https://developer.apple.com/app-store/review/guidelines/)
+
+This is a structured index of every guideline section, organized for quick lookup. Use the [app-type checklists](./by-app-type/) to find which guidelines apply to your specific type of app.
+
+---
+
+## Section 1: Safety
+
+| Guideline | Title | Summary |
+|-----------|-------|---------|
+| 1.1 | Objectionable Content | No offensive, discriminatory, violent, sexual, or misleading content |
+| 1.1.1 | Defamatory Content | No discrimination by religion, race, gender, etc. |
+| 1.1.2 | Violence | No realistic portrayals of killing/torture; game enemies can't target real groups |
+| 1.1.3 | Weapons | No encouragement of illegal weapon use; no facilitating firearm purchases |
+| 1.1.4 | Sexual Content | No pornographic material; no hookup/prostitution facilitation |
+| 1.1.5 | Religious Content | No inflammatory religious commentary |
+| 1.1.6 | False Information | No fake features, fake location trackers, prank calls |
+| 1.1.7 | Harmful Concepts | No profiting from recent tragedies |
+| 1.2 | User-Generated Content | Must have: content filter, report mechanism, block users, contact info |
+| 1.2.1 | Creator Content | Creator apps must moderate content and restrict by age |
+| 1.3 | Kids Category | No external links, no third-party analytics/ads, strict privacy rules |
+| 1.4 | Physical Harm | No apps risking physical harm |
+| 1.4.1 | Medical Apps | Must disclose methodology; can't claim sensor-only diagnostics |
+| 1.4.2 | Drug Dosage | Must come from approved medical entities |
+| 1.4.3 | Substance Use | No encouraging tobacco, vape, drugs, excessive alcohol |
+| 1.4.4 | DUI Checkpoints | Only law-enforcement-published checkpoints |
+| 1.4.5 | Risky Activities | No encouraging dangerous bets/challenges |
+| 1.5 | Developer Information | Must include easy contact info; Wallet passes need valid issuer info |
+| 1.6 | Data Security | Appropriate security measures for user data |
+| 1.7 | Reporting Criminal Activity | Must involve local law enforcement |
+
+---
+
+## Section 2: Performance
+
+| Guideline | Title | Summary |
+|-----------|-------|---------|
+| 2.1 | App Completeness | App must be final, functional, no placeholder content, demo accounts required |
+| 2.2 | Beta Testing | No demos/betas on App Store — use TestFlight |
+| 2.3 | Accurate Metadata | All metadata must accurately reflect the app |
+| 2.3.1 | Hidden Features | No undocumented features; all changes in review notes |
+| 2.3.2 | IAP Disclosure | Description/screenshots must indicate IAP requirements |
+| 2.3.3 | Screenshots | Must show app in use, not just splash/login screens |
+| 2.3.4 | Previews | Video previews: screen captures only, no device frames |
+| 2.3.5 | Category | Select the most appropriate category |
+| 2.3.6 | Age Rating | Honest age rating answers |
+| 2.3.7 | App Name/Keywords | Max 30 chars; no trademark stuffing, no pricing in metadata |
+| 2.3.8 | Metadata Audience | Metadata must be 4+ appropriate; "For Kids" reserved for Kids Category |
+| 2.3.9 | Rights | Secure rights for all icon/screenshot materials |
+| 2.3.10 | Platform Focus | No other platform names/icons in metadata (no Android, Google Play) |
+| 2.3.11 | Pre-Orders | Must be complete and match advertised features |
+| 2.3.12 | What's New | Significant changes must be listed; generic OK for bug fixes |
+| 2.3.13 | In-App Events | Event metadata must be accurate and timely |
+| 2.4 | Hardware Compatibility | — |
+| 2.4.1 | iPad Support | iPhone apps should run on iPad when possible |
+| 2.4.2 | Power Efficiency | No battery drain, heat, crypto mining |
+| 2.4.3 | Apple TV | Must work with Siri remote; explain if game controller needed |
+| 2.4.4 | System Settings | No requiring device restart or disabling security features |
+| 2.4.5 | Mac App Store | Must be sandboxed; no auto-launch; no third-party installers; no license screens |
+| 2.5 | Software Requirements | — |
+| 2.5.1 | Public APIs | Only public APIs; current OS; frameworks for intended purposes |
+| 2.5.2 | Self-Contained | No reading/writing outside container; no downloading executable code |
+| 2.5.3 | Malware | No viruses or harmful code |
+| 2.5.4 | Background Services | Only for intended purposes (VoIP, audio, location, etc.) |
+| 2.5.5 | IPv6 | Must be fully functional on IPv6-only networks |
+| 2.5.6 | WebKit | Web browsing must use WebKit |
+| 2.5.8 | Home Screen | No alternate desktop/home screen environments |
+| 2.5.9 | System Controls | No altering standard switches or native UI elements |
+| 2.5.11 | SiriKit/Shortcuts | Only register for relevant intents; no generic aliases |
+| 2.5.12 | CallKit/SMS | Only block confirmed spam; explain blocking criteria |
+| 2.5.13 | Face Recognition | Must use LocalAuthentication; alternate auth for under-13 |
+| 2.5.14 | Recording Consent | Explicit consent required for recording user activity |
+| 2.5.15 | File Access | Must include Files app and iCloud documents |
+| 2.5.16 | Extensions | Widgets/extensions must relate to app functionality |
+| 2.5.17 | Matter | Must use Apple's Matter support framework |
+| 2.5.18 | Advertising | Ads only in main binary; no ads in extensions/widgets/keyboards |
+
+---
+
+## Section 3: Business
+
+| Guideline | Title | Summary |
+|-----------|-------|---------|
+| 3.1 | Payments | — |
+| 3.1.1 | In-App Purchase | Must use IAP for digital content/features; loot box odds required |
+| 3.1.1(a) | External Purchase Links | Entitlement required for external purchase links (region-specific) |
+| 3.1.2 | Subscriptions | Auto-renewable subscription rules |
+| 3.1.2(a) | Permissible Uses | Must provide ongoing value; 7-day minimum; cross-device |
+| 3.1.2(b) | Upgrades/Downgrades | Seamless experience; no accidental duplicate subscriptions |
+| 3.1.2(c) | Subscription Info | Clear description of what user gets; ToS/PP links required |
+| 3.1.3 | Other Purchase Methods | Reader apps, multiplatform, enterprise, person-to-person |
+| 3.1.3(a) | Reader Apps | Can access previously purchased content |
+| 3.1.3(b) | Multiplatform | Can access cross-platform content if IAP also available |
+| 3.1.3(c) | Enterprise | B2B apps may allow pre-purchased content access |
+| 3.1.3(d) | Person-to-Person | Real-time 1:1 services can use external payment |
+| 3.1.3(e) | Physical Goods | Must use external payment (Apple Pay, credit card) |
+| 3.1.3(f) | Free Companions | Free web-tool companions don't need IAP |
+| 3.1.4 | Hardware Content | Hardware-dependent features can bypass IAP |
+| 3.1.5 | Cryptocurrencies | Wallets (org only), no on-device mining, licensed exchanges |
+| 3.2 | Other Business Issues | — |
+| 3.2.1 | Acceptable | Gifts must be optional; no forcing ratings/reviews |
+| 3.2.2 | Unacceptable | No binary options trading; loan APR ≤36%; no manipulating visibility |
+
+---
+
+## Section 4: Design
+
+| Guideline | Title | Summary |
+|-----------|-------|---------|
+| 4.1 | Copycats | No cloning other apps; no using others' icons/brands |
+| 4.2 | Minimum Functionality | Must be more than a repackaged website |
+| 4.2.1 | ARKit | Must provide rich integrated AR experiences |
+| 4.2.2 | Marketing Apps | Not primarily marketing materials or link collections |
+| 4.2.3 | Self-Contained | Must work without installing another app |
+| 4.2.6 | Template Apps | Commercialized template apps rejected unless by content provider |
+| 4.2.7 | Remote Desktop | Must connect to user-owned device on local network |
+| 4.3 | Spam | No duplicates, no spamming the store |
+| 4.4 | Extensions | Keyboard and Safari extension rules |
+| 4.5 | Apple Sites/Services | No scraping Apple sites; Apple Music rules |
+| 4.5.4 | Push Notifications | Not required to function; no spam; opt-in for marketing |
+| 4.5.6 | Apple Emoji | Unicode emoji OK; no embedding on other platforms |
+| 4.7 | Third-Party Software | HTML5-based apps require explicit consent for data sharing |
+| 4.8 | Login Services | If social login offered, must also offer SIWA-equivalent option |
+| 4.9 | Apple Pay | Disclose recurring payment terms |
+| 4.10 | Monetizing Built-In | Can't charge for OS capabilities (Push, camera, iCloud, etc.) |
+
+---
+
+## Section 5: Legal
+
+| Guideline | Title | Summary |
+|-----------|-------|---------|
+| 5.1 | Privacy | Full privacy compliance required |
+| 5.1.1 | Data Collection | Privacy policy required; consent required; data minimization |
+| 5.1.1(v) | Account/Sign-In | Account deletion required if creation offered; no unnecessary login |
+| 5.1.1(ix) | Regulated Fields | Banking, healthcare, gambling apps must be from legal entities |
+| 5.1.2 | Data Use & Sharing | No selling user data; ATT required for tracking |
+| 5.1.3 | Health & Fitness | HealthKit data can't be used for ads; no false data writing |
+| 5.1.4 | Kids | COPPA/GDPR compliance; no third-party analytics in Kids apps |
+| 5.1.5 | Location Services | Only when directly relevant; consent required |
+| 5.2 | Intellectual Property | — |
+| 5.2.1 | Generally | Don't use others' protected material |
+| 5.2.2 | Third-Party Sites | Don't use third-party content without permission |
+| 5.2.3 | Audio/Video | No unauthorized AV downloading |
+| 5.2.5 | Apple Trademarks | No Apple product images in icons; no confusing Apple terms |
+| 5.3 | Gaming & Gambling | Licensed gambling only; lottery apps from lottery entities only |
+| 5.4 | VPN Apps | Must use NEVPNManager; no data collection; from org accounts only |
+| 5.5 | Mobile Device Management | MDM from enterprises/education only; strict data use limits |
+| 5.6 | Developer Code of Conduct | Respectful responses; no review manipulation; verifiable identity |
+| 5.6.1 | App Store Reviews | Respect users; use API for review prompts |
+| 5.6.3 | Discovery Fraud | No chart/search/review manipulation |
+| 5.6.4 | App Quality | Must maintain quality; excessive complaints may cause removal |

package/skills/app-store-review-agent/references/guidelines/by-app-type/ai_apps.md

@@ -0,0 +1,37 @@
+# Checklist: AI-Powered / Generative AI Apps
+
+Guidelines specifically applying to apps that use AI services (ChatGPT, Gemini, Claude, etc.), generative AI, or deep synthesis technology.
+
+## Critical (Will Reject)
+
+- [ ] **5 (China DST)** — If distributing in China: remove all references to OpenAI, ChatGPT, GPT, Gemini, Claude, Anthropic, Midjourney, DALL-E from metadata
+- [ ] **5 (China DST)** — If distributing in China: suppress AI functionality or obtain MIIT license
+- [ ] **1.1.6** — No false information or misleading AI capabilities (e.g., "AI doctor")
+- [ ] **1.4.1** — AI health advice: must include medical disclaimers; can't substitute for professional diagnosis
+- [ ] **2.3.1** — All AI features documented in review notes; no hidden AI capabilities
+
+## Important (Common Rejections)
+
+- [ ] **5.2.5** — Don't use "GPT", "ChatGPT", "OpenAI", "Gemini" as part of app name unless you are the brand owner
+- [ ] **2.3.7** — Don't keyword-stuff with AI brand names (ChatGPT, GPT-4, Gemini, etc.)
+- [ ] **1.2** — If AI generates user-facing content: implement content moderation/filtering
+- [ ] **5.1.1** — Disclose AI data processing in privacy policy
+- [ ] **2.5.14** — Explicit consent required for AI processing of user recordings/inputs
+- [ ] **5.1.1(iii)** — Data minimization: don't send more data to AI than necessary
+- [ ] **3.1.1** — AI features/credits unlocked via IAP (not external payment for digital content)
+
+## China Storefront Specific
+
+Banned AI terms in metadata for China (all locales, not just zh-Hans):
+- `ChatGPT`, `GPT-4`, `GPT-4o`, `GPT`  
+- `OpenAI`
+- `Gemini`, `Bard` (Google)
+- `Claude`, `Anthropic`
+- `Midjourney`, `DALL-E`, `DALL·E`
+- `Copilot` (in AI context)
+- `Stable Diffusion` (cloud API context)
+
+### Options
+1. **Remove references** → Use "AI-powered" / "smart assistant" generically
+2. **Exclude China** → Deselect China mainland in App Store Connect
+3. **Obtain compliance** → Get MIIT license for DST services

package/skills/app-store-review-agent/references/guidelines/by-app-type/all_apps.md

@@ -0,0 +1,50 @@
+# Checklist: All Apps (Universal Guidelines)
+
+Guidelines that apply to **every** app regardless of category. Check these before every submission.
+
+## Pre-Submission Essentials
+
+- [ ] **2.1** — App is final, complete, tested for crashes and bugs
+- [ ] **2.1** — All metadata is complete and accurate (no placeholder text, empty URLs)
+- [ ] **2.1** — Demo account provided (or demo mode with prior Apple approval)
+- [ ] **2.1** — Backend services are live and accessible during review
+- [ ] **2.1(b)** — All configured IAP items are findable and functional (or explained in review notes)
+- [ ] **2.3** — Review notes describe all non-obvious features
+
+## Metadata
+
+- [ ] **2.3.7** — App name ≤ 30 characters; unique; no trademark stuffing
+- [ ] **2.3.7** — No pricing info, other app names, or irrelevant phrases in metadata
+- [ ] **2.3.10** — No competitor platform names/icons (Android, Google Play, etc.)
+- [ ] **2.3.3** — Screenshots show app in use (not just title art, login, or splash)
+- [ ] **2.3.4** — App preview videos: screen captures only (no device frames)
+- [ ] **2.3.8** — Metadata adheres to 4+ age rating (icons, screenshots, previews)
+- [ ] **2.3.9** — Rights secured for all materials; fictional account data in screenshots
+- [ ] **2.3.12** — What's New text describes significant changes
+- [ ] **5.2.5** — No Apple product images in app icon; no confusing Apple trademarks
+
+## Privacy & Data
+
+- [ ] **5.1.1(i)** — Privacy policy linked in App Store Connect AND accessible in-app
+- [ ] **5.1.1(ii)** — User consent secured for all data collection
+- [ ] **5.1.1(iii)** — Only request data relevant to core functionality
+- [ ] **5.1.1(v)** — If account creation exists, account deletion must be offered
+- [ ] **5.1.2** — ATT framework required for cross-app tracking
+- [ ] **Privacy Manifest** — `PrivacyInfo.xcprivacy` includes all Required Reason APIs
+
+## Design & UX
+
+- [ ] **4.1** — Not a copycat of another app
+- [ ] **4.2** — Meaningful functionality beyond a repackaged website
+- [ ] **4.8** — If social logins offered, must also offer Sign in with Apple (or equivalent)
+- [ ] **4.0** — Sign in with Apple: don't re-ask name/email already provided by SIWA
+- [ ] **2.5.1** — Only public APIs; current OS; frameworks for intended purposes
+- [ ] **2.5.5** — Fully functional on IPv6-only networks
+- [ ] **2.5.14** — Explicit consent for recording user activity
+
+## Business
+
+- [ ] **3.1.1** — Digital content unlocks use IAP
+- [ ] **3.2.1(x)** — Not forcing users to rate/review to access features
+- [ ] **1.5** — Support URL with easy contact method
+- [ ] **5.6.2** — Developer identity information is accurate and verifiable

package/skills/app-store-review-agent/references/guidelines/by-app-type/crypto_finance.md

@@ -0,0 +1,31 @@
+# Checklist: Crypto, Finance & Trading Apps
+
+Guidelines specifically applying to cryptocurrency wallets, exchanges, trading platforms, banking, and financial service apps.
+
+## Critical (Will Reject)
+
+- [ ] **3.1.5(i)** — Crypto wallets: developer must be enrolled as an organization (not individual)
+- [ ] **3.1.5(ii)** — No on-device cryptocurrency mining (cloud-based mining OK)
+- [ ] **3.1.5(iii)** — Crypto exchanges: only in jurisdictions with appropriate licensing
+- [ ] **3.1.5(iv)** — ICOs, futures, crypto-securities trading: from established banks/financial institutions only
+- [ ] **3.1.5(v)** — No offering crypto for completing tasks (downloading apps, social posting, etc.)
+- [ ] **3.2.2(viii)** — No binary options trading apps
+- [ ] **3.2.2(viii)** — CFD/FOREX apps: properly licensed in all service jurisdictions
+- [ ] **3.2.2(ix)** — Loan apps: APR ≤ 36%; repayment > 60 days; clearly disclose all terms
+- [ ] **5.1.1(ix)** — Banking, financial services, crypto exchanges: submit as legal entity, not individual
+
+## Important (Common Rejections)
+
+- [ ] **5.1.1(i)** — Privacy policy clearly describes financial data collection and handling
+- [ ] **3.1.1** — Digital content within app must use IAP; crypto can't be used to unlock features
+- [ ] **3.1.1** — NFT ownership must not unlock features or functionality
+- [ ] **1.1.6** — No false financial information or misleading investment claims
+- [ ] **2.3.1** — All financial functionality documented in review notes
+- [ ] **5.1.1(v)** — Account deletion must be offered if account creation exists
+- [ ] **1.6** — Appropriate security measures for financial data
+
+## NFT-Specific
+
+- [ ] **3.1.1** — NFTs sold/minted via IAP
+- [ ] **3.1.1** — NFT ownership cannot unlock app features or functionality
+- [ ] **3.1.1** — Browsing others' NFTs: no external purchase links (except US storefront)

package/skills/app-store-review-agent/references/guidelines/by-app-type/games.md

@@ -0,0 +1,31 @@
+# Checklist: Games
+
+Guidelines specifically applying to games, including casual, hardcore, streaming, and gambling apps.
+
+## Critical (Will Reject)
+
+- [ ] **3.1.1** — All in-game currency, levels, and premium content purchased via IAP
+- [ ] **3.1.1** — Loot boxes / gacha mechanics: odds must be disclosed before purchase
+- [ ] **3.1.1** — In-game currencies purchased via IAP do not expire
+- [ ] **3.1.1** — Restore Purchases mechanism for restorable items
+- [ ] **1.1.2** — Game enemies cannot solely target a specific race, culture, real government, or real corporation
+- [ ] **5.3** — Gambling/betting: licensed in the jurisdictions where offered
+- [ ] **5.3** — Lottery apps: only from lottery entities or their authorized partners
+
+## Important (Common Rejections)
+
+- [ ] **2.3.6** — Age rating honestly answers all content questions (violence, mature themes, etc.)
+- [ ] **2.3.8** — Metadata icons/screenshots adhere to 4+ age rating even if game is rated higher
+- [ ] **2.4.3** — Apple TV: must work with Siri remote; explain if game controller required
+- [ ] **4.2.1** — ARKit games: provide rich AR experience, not just dropping a model
+- [ ] **3.1.2(a)** — Streaming game subscriptions: download from App Store; avoid duplicate payment
+- [ ] **2.4.2** — No crypto mining (even background); no excessive battery drain
+- [ ] **1.4.5** — No encouraging dangerous real-world bets or challenges
+- [ ] **3.1.2(a)** — If switching to subscription model, don't remove content already paid for ("full game unlock")
+
+## Game-Specific Design
+
+- [ ] **4.2** — Must provide lasting entertainment value
+- [ ] **4.3** — No submitting duplicate/near-identical game variants to spam the store
+- [ ] **2.3.3** — Screenshots show the actual game in play, not just title art
+- [ ] **5.5.5** — Game Center: don't reverse-lookup Player IDs or exploit player data

package/skills/app-store-review-agent/references/guidelines/by-app-type/health_fitness.md

@@ -0,0 +1,31 @@
+# Checklist: Health, Fitness & Medical Apps
+
+Guidelines specifically applying to health tracking, fitness, medical, and HealthKit-integrated apps.
+
+## Critical (Will Reject)
+
+- [ ] **1.4.1** — Medical apps: clearly disclose data and methodology for accuracy claims
+- [ ] **1.4.1** — Cannot claim sensor-only diagnostics (x-rays, blood pressure, blood glucose, SpO2)
+- [ ] **1.4.1** — Must remind users to check with a doctor before making medical decisions
+- [ ] **1.4.2** — Drug dosage calculators: must come from approved medical entities (manufacturer, hospital, university, FDA-approved)
+- [ ] **5.1.3(i)** — HealthKit data: NO use for advertising, marketing, or data mining
+- [ ] **5.1.3(ii)** — Must not write false or inaccurate data into HealthKit
+- [ ] **5.1.3(ii)** — Must not store personal health data in iCloud
+- [ ] **5.1.3(iii)** — Health research: informed consent required (nature, purpose, duration, risks, confidentiality, withdrawal)
+- [ ] **5.1.3(iv)** — Health research: independent ethics review board approval required
+
+## Important (Common Rejections)
+
+- [ ] **5.1.1** — Privacy policy clearly describes health data collection and use
+- [ ] **2.5.1** — HealthKit used for health/fitness purposes and integrates with Health app
+- [ ] **5.1.1(iii)** — Data minimization: only collect health data relevant to core functionality
+- [ ] **1.4.1** — If regulatory clearance received (FDA, etc.), submit link with app
+- [ ] **5.1.1(ix)** — Healthcare apps: submit as legal entity, not individual developer
+- [ ] **2.5.18** — No targeted ads based on health/medical data (HealthKit APIs)
+
+## HealthKit Specific
+
+- [ ] HealthKit framework used only for health and fitness purposes
+- [ ] Data not shared with third parties for advertising/marketing
+- [ ] User consent obtained for all data access
+- [ ] No false data written to Health app

package/skills/app-store-review-agent/references/guidelines/by-app-type/kids.md

@@ -0,0 +1,27 @@
+# Checklist: Kids Category Apps
+
+Guidelines specifically applying to apps in the Kids Category or apps targeting children.
+
+## Critical (Will Reject)
+
+- [ ] **1.3** — No external links (unless behind parental gate)
+- [ ] **1.3** — No purchasing opportunities (unless behind parental gate)
+- [ ] **1.3** — No third-party advertising
+- [ ] **1.3** — No third-party analytics (limited exceptions: no IDFA, no PII, no location)
+- [ ] **5.1.4(a)** — COPPA / GDPR compliance for children's data
+- [ ] **5.1.4** — No sending PII or device info to third parties
+- [ ] **5.1.4** — Privacy policy required and must comply with children's privacy statutes
+- [ ] **5.1.1(i)** — Privacy policy linked in App Store Connect AND accessible in-app
+
+## Important (Common Rejections)
+
+- [ ] **2.3.8** — "For Kids" / "For Children" in metadata is reserved for Kids Category
+- [ ] **1.3** — Once in Kids Category, must continue meeting guidelines in all subsequent updates
+- [ ] **5.1.4(b)** — Third-party contextual ads only if service has documented Kids-specific policies with human review
+- [ ] **2.3.6** — Age rating accurately reflects content
+- [ ] **2.5.18** — No ads in extensions, widgets, App Clips, keyboards, or watchOS
+
+## Parental Gate Requirements
+
+- [ ] Areas with external links, purchases, or distractions must be behind a parental gate
+- [ ] [Parental gate guidance](https://developer.apple.com/app-store/kids-apps/) followed

package/skills/app-store-review-agent/references/guidelines/by-app-type/macos.md

@@ -0,0 +1,38 @@
+# Checklist: macOS / Mac App Store Apps
+
+Guidelines specifically applying to apps distributed via the Mac App Store, including sandboxing, entitlements, and macOS-specific requirements.
+
+## Critical (Will Reject)
+
+- [ ] **2.4.5(i)** — App must be appropriately sandboxed
+- [ ] **2.4.5(i)** — Only use appropriate macOS APIs for modifying data from other apps
+- [ ] **2.4.5(i)** — Entitlements must match actual app functionality (Apple will ask for justification)
+- [ ] **2.4.5(ii)** — Packaged and submitted using Xcode; no third-party installers
+- [ ] **2.4.5(ii)** — Self-contained, single app installation bundle
+- [ ] **2.4.5(iii)** — No auto-launch at startup/login without consent
+- [ ] **2.4.5(iii)** — No spawning background processes after user quits
+- [ ] **2.4.5(iii)** — No auto-adding icons to Dock or desktop shortcuts
+- [ ] **2.4.5(iv)** — No downloading standalone apps, kexts, or additional code
+- [ ] **2.4.5(v)** — No requesting root privileges or setuid attributes
+- [ ] **2.4.5(vi)** — No license screens at launch; no license keys; no custom copy protection
+- [ ] **2.4.5(vii)** — Updates distributed via Mac App Store only
+- [ ] **2.4.5(viii)** — Must run on currently shipping OS; no deprecated technologies (Java)
+- [ ] **2.4.5(ix)** — All localizations in a single app bundle
+
+## Important (Common Rejections)
+
+- [ ] **2.5.1** — Only public APIs; frameworks used for intended purposes
+- [ ] **2.5.2** — Self-contained in bundle; no reading/writing outside designated container
+- [ ] **2.3.10** — Metadata focused on macOS experience; no iOS-only language in description
+- [ ] **5.2.5** — No Apple device images in app icon
+- [ ] **5.1.1(i)** — Privacy policy required
+- [ ] **2.5.5** — Fully functional on IPv6-only networks
+
+## Entitlements Audit
+
+Common entitlements that trigger Apple review questions:
+- [ ] `com.apple.security.network.server` — Justify if app acts as a local server
+- [ ] `com.apple.security.network.client` — Standard for network requests
+- [ ] `com.apple.security.files.downloads.read-only` — Justify Downloads folder access
+- [ ] `com.apple.security.files.user-selected.read-write` — Standard for file picker
+- [ ] `com.apple.security.temporary-exception.*` — Will draw extra scrutiny

package/skills/app-store-review-agent/references/guidelines/by-app-type/social_ugc.md

@@ -0,0 +1,32 @@
+# Checklist: Social / User-Generated Content Apps
+
+Guidelines specifically applying to social networking, messaging, community, and UGC platform apps.
+
+## Critical (Will Reject)
+
+- [ ] **1.2** — Content moderation: filter for objectionable material
+- [ ] **1.2** — Report mechanism for offensive content with timely responses
+- [ ] **1.2** — Ability to block abusive users
+- [ ] **1.2** — Published contact information for user support
+- [ ] **4.8** — If offering third-party login (Facebook, Google, etc.), must also offer Sign in with Apple or equivalent
+- [ ] **4.0** — Sign in with Apple: don't re-ask name/email after SIWA auth
+- [ ] **5.1.1(v)** — If account creation exists, must also offer account deletion
+- [ ] **5.1.1(v)** — Must provide access without social login if core functionality isn't social-network-specific
+- [ ] **5.1.1(i)** — Privacy policy required (in-app + App Store Connect)
+
+## Important (Common Rejections)
+
+- [ ] **1.2.1** — Creator content apps: age-restriction mechanism for content exceeding app rating
+- [ ] **1.1.1** — No defamatory, discriminatory, or mean-spirited content
+- [ ] **2.5.14** — Explicit consent for recording user activity (camera, microphone, screen)
+- [ ] **5.1.1(ii)** — User consent for data collection; clear purpose strings
+- [ ] **5.1.2** — ATT framework required for cross-app tracking
+- [ ] **5.1.1(viii)** — No compiling personal info from non-user sources (public databases)
+- [ ] **4.5.4** — Push notifications: not required to function; opt-in for marketing
+- [ ] **5.1.1(iii)** — Data minimization: only request data relevant to core functionality
+
+## UGC-Specific Rules
+
+- [ ] NSFW content from web services: hidden by default, opt-in via website only
+- [ ] No Chatroulette-style random chat, anonymous bullying, or "hot-or-not" voting
+- [ ] No apps primarily used for pornographic content

package/skills/app-store-review-agent/references/guidelines/by-app-type/subscription_iap.md

@@ -0,0 +1,34 @@
+# Checklist: Apps with Subscriptions / In-App Purchases
+
+Guidelines that specifically apply to apps offering auto-renewable subscriptions, consumable/non-consumable IAP, or freemium models.
+
+## Critical (Will Reject)
+
+- [ ] **3.1.1** — All digital content unlocks use Apple's In-App Purchase (no license keys, QR codes, crypto)
+- [ ] **3.1.2(a)** — Subscription provides ongoing value; minimum 7-day period; works on all user devices
+- [ ] **3.1.2(c)** — Subscription purchase screen clearly describes what user gets for the price
+- [ ] **3.1.2** — Billed amount is the most prominent pricing element (not calculated monthly price)
+- [ ] **3.1.2** — App description includes functional **Terms of Use (EULA)** link
+- [ ] **3.1.2** — App description includes functional **Privacy Policy** link
+- [ ] **5.1.1(i)** — Privacy Policy URL set in App Store Connect metadata
+- [ ] **3.1.1** — Loot boxes / randomized items disclose odds before purchase
+- [ ] **3.1.1** — In-game currencies purchased via IAP do not expire
+- [ ] **3.1.1** — Restore Purchases mechanism exists for restorable IAP
+- [ ] **2.1(b)** — All IAP items are complete, visible to reviewer, and functional
+
+## Important (Common Rejections)
+
+- [ ] **3.1.2(b)** — Seamless upgrade/downgrade; no accidental duplicate subscriptions
+- [ ] **2.3.2** — Description/screenshots clearly indicate which features require additional purchase
+- [ ] **3.1.2(a)** — Not taking away functionality previously paid for when switching to subscription model
+- [ ] **3.1.2(a)** — Free trial clearly identifies duration, what ends, and post-trial charges
+- [ ] **4.10** — Not charging for built-in OS capabilities (Push, camera, iCloud)
+- [ ] **3.2.1(x)** — Not forcing users to rate/review app to access features
+
+## In-App Subscription Screen Must Include
+
+- [ ] Title of subscription
+- [ ] Length of subscription period
+- [ ] Price (and price per unit if appropriate)
+- [ ] Functional tappable Privacy Policy link
+- [ ] Functional tappable Terms of Use / EULA link