diff --git a/.github/workflows/skill-review.yml b/.github/workflows/skill-review.yml new file mode 100644 index 0000000..aee21d6 --- /dev/null +++ b/.github/workflows/skill-review.yml @@ -0,0 +1,22 @@ +# Tessl Skill Review — runs on PRs that change any SKILL.md; posts scores as one PR comment. +# Docs: https://github.com/tesslio/skill-review +name: Tessl Skill Review + +on: + pull_request: + branches: [main] + paths: + - "**/SKILL.md" + +jobs: + review: + runs-on: ubuntu-latest + permissions: + pull-requests: write + contents: read + steps: + - uses: actions/checkout@v4 + - uses: tesslio/skill-review@main + # Optional quality gate (off by default — do not enable unless user asked): + # with: + # fail-threshold: 70 diff --git a/SKILL.md b/SKILL.md index 3d3143b..5854d81 100644 --- a/SKILL.md +++ b/SKILL.md 
@@ -1,20 +1,15 @@ --- name: storeready -description: > - Pre-submission compliance checkup for Google Play and Apple App Store. Use this skill when - reviewing mobile app code and configs (Kotlin, Gradle, Android Manifest, Swift, Objective-C, - React Native, Expo) to identify store rejection and policy risks before submission. Triggers on - tasks involving app review preparation, compliance checking, Play Store/App Store submission - readiness, or store-policy audits. +description: "Run automated Google Play and Apple App Store compliance checks using the storeready CLI. Scans Android Manifest flags, Gradle metadata, permissions declarations, privacy manifests, purpose strings, hardcoded secrets, insecure URLs, and common rejection patterns across Kotlin, Swift, React Native, and Expo projects. Use when preparing a mobile app for submission, auditing store-policy compliance, or checking Play Store and App Store readiness." --- # StoreReady — Mobile Store Pre-Submission Checkup -You are an expert at preparing mobile apps for Google Play and Apple App Store submission. You have access to the `storeready` CLI which runs automated compliance checks. Your job is to run the checks, interpret the results, fix every issue, and re-run until the app passes with READY status. +Run automated compliance checks with the `storeready` CLI, fix every issue by severity, and re-run until the app reaches READY status (zero CRITICAL findings). ## Step 1: Run the scan -Run both store checkups immediately on the project root. Do NOT try to install storeready — it is already available in PATH. Just run: +Run both store checkups on the project root. The `storeready` CLI is already available in PATH: ```bash storeready playstore-checkup . 
@@ -22,64 +17,48 @@ storeready appstore-checkup . ``` If the user has a built IPA, include it: + ```bash storeready appstore-checkup . --ipa /path/to/build.ipa ``` -If `storeready` is not found, install it: -```bash -# Homebrew (macOS) -brew install matrixy/tap/storeready - -# Go install -go install github.com/MaTriXy/StoreReady/cmd/storeready@latest +If `storeready` is not found, install via one of: -# Build from source -git clone https://github.com/MaTriXy/StoreReady.git -cd StoreReady && make build -# Binary at: build/storeready +```bash +brew install matrixy/tap/storeready # Homebrew (macOS) +go install github.com/MaTriXy/StoreReady/cmd/storeready@latest # Go install ``` ## Step 2: Read the output and fix every issue -Every finding has a severity, guideline reference, file location, and fix suggestion. Fix them in order: +Fix findings in severity order: + 1. **CRITICAL** — Will be rejected. Must fix. 2. **WARN** — High rejection risk. Should fix. 3. **INFO** — Best practice. Consider fixing. -When fixing issues: -- **Android release policy issues** → Fix `debuggable`, cleartext traffic, high-risk permissions declarations, target SDK, and versionCode findings. -- **Hardcoded secrets** → Move to environment variables (use `process.env.VAR_NAME` or Expo's `Constants.expoConfig.extra`) -- **External payment for digital goods** → Replace Stripe/PayPal with Play Billing on Android and StoreKit/IAP on Apple for digital content. 
-- **Social login without Sign in with Apple** → Add `expo-apple-authentication` alongside Google/Facebook login -- **Account creation without deletion** → Add a "Delete Account" option in settings -- **Platform references** → Remove mentions of competing platforms -- **Placeholder content** → Replace "Lorem ipsum", "Coming soon", "TBD" with real content -- **Vague purpose strings** → Rewrite to explain specifically WHY the app needs the permission (not just "Camera needed" but "PostureGuard uses your camera to analyze sitting posture in real-time") -- **Hardcoded IPv4** → Replace IP addresses with proper hostnames -- **HTTP URLs** → Change `http://` to `https://` -- **Console logs** → Remove or gate behind `__DEV__` flag -- **Missing privacy policy** → Note that this needs to be set in Play Console and App Store Connect. +Common fix patterns: + +- **Android release flags** → Set `debuggable` to false, disable cleartext traffic, review high-risk permissions, update target SDK and versionCode. +- **Hardcoded secrets** → Move to environment variables (`process.env.VAR_NAME` or Expo `Constants.expoConfig.extra`). +- **External payment for digital goods** → Replace Stripe/PayPal with Play Billing (Android) and StoreKit/IAP (Apple). +- **Social login without Sign in with Apple** → Add `expo-apple-authentication` alongside Google/Facebook login. +- **Account creation without deletion** → Add a "Delete Account" option in settings. +- **Platform references** → Remove mentions of competing platforms. +- **Placeholder content** → Replace "Lorem ipsum", "Coming soon", "TBD" with real content. +- **Vague purpose strings** → Rewrite to explain specifically why the app needs the permission (e.g. "PostureGuard uses your camera to analyze sitting posture in real-time"). +- **Hardcoded IPv4 / HTTP URLs** → Replace IPs with hostnames, `http://` with `https://`. +- **Console logs** → Remove or gate behind `__DEV__` flag. 
+- **Missing privacy policy** → Set in Play Console and App Store Connect. ## Step 3: Re-run and repeat -After fixing issues, re-run the scan: ```bash storeready playstore-checkup . storeready appstore-checkup . ``` -**Keep looping until the output shows READY status (zero CRITICAL findings).** Some fixes can introduce new issues (e.g., adding a tracking SDK requires ATT). The scan runs in under 1 second so re-run frequently. - -## Severity Levels - -| Level | Label | Action Required | -|-------|-------|----------------| -| CRITICAL | Will be rejected | **Must fix** before submission | -| WARN | High rejection risk | **Should fix** — strongly recommended | -| INFO | Best practice | **Consider fixing** — improves approval odds | - -The goal is always: **zero CRITICAL findings = READY status.** +**Keep looping until READY status (zero CRITICAL findings).** Some fixes introduce new issues (e.g. adding a tracking SDK requires ATT). The scan runs in under 1 second — re-run frequently. ## Other CLI Commands diff --git a/codex-skill/SKILL.md b/codex-skill/SKILL.md index 4c951e1..e81a8ff 100644 --- a/codex-skill/SKILL.md +++ b/codex-skill/SKILL.md @@ -1,6 +1,6 @@ --- name: store-preflight-compliance -description: Pre-submission compliance checkup for Google Play and Apple App Store apps. Use when reviewing mobile projects for store rejection risks, submission readiness, privacy/policy compliance, and release checkups across Android and iOS. +description: "Run StoreReady compliance checks against mobile app source and configs to catch Google Play and Apple App Store rejection risks. Audits Android Manifest flags, Gradle metadata, permissions, privacy manifests, hardcoded secrets, and common rejection patterns. Use when reviewing mobile projects for store rejection risks, submission readiness, privacy and policy compliance, or release checkups across Android and iOS." --- # Store Preflight Compliance 
@@ -50,20 +50,14 @@ Fix in order: 2. `WARN`: high rejection risk, strongly recommended to fix. 3. `INFO`: best-practice improvements. -Common fixes: - -- Resolve Android release/policy risks (`debuggable`, cleartext traffic, sensitive permissions, target SDK, versionCode). -- Move hardcoded secrets to environment variables. -- Replace external payment flows for digital goods with Play Billing on Android and StoreKit/IAP on Apple. -- Add Sign in with Apple when social login exists (Apple policy). -- Add account deletion when account creation exists (both stores). -- Remove references to competing platforms. -- Replace placeholder text (`Lorem ipsum`, `TBD`, `Coming soon`). -- Rewrite vague purpose strings with concrete app behavior. -- Replace hardcoded IPs with hostnames. -- Replace `http://` URLs with `https://`. -- Remove debug logs or gate them behind development flags. -- Add missing privacy policy URL and required store metadata. +Store-specific fixes (apply standard code hygiene for generic issues): + +- **Android release flags** → Remove `android:debuggable="true"` and `android:usesCleartextTraffic="true"` from `AndroidManifest.xml`. Verify `targetSdk` meets current Play requirements. +- **Digital goods payments** → Replace Stripe/PayPal with Play Billing (Android) and StoreKit/IAP (Apple) for in-app digital content. +- **Sign in with Apple** → Add Apple authentication when social login (Google/Facebook) exists — Apple requires this. +- **Account deletion** → Add "Delete Account" path when account creation exists (both stores require this). +- **Purpose strings** → Rewrite vague permission descriptions: not "Camera needed" but "PostureGuard uses your camera to analyze sitting posture in real-time." +- **Privacy policy** → Add URL in Play Console and App Store Connect if missing. ## Step 3: Re-Run Until READY 
@@ -72,17 +66,4 @@ storeready playstore-checkup . storeready appstore-checkup . ``` -Continue until output reports READY (zero `CRITICAL` findings). - -## Useful Commands - -```bash -storeready play-guidelines list -storeready codescan . -storeready privacy . -storeready ipa /path/to/build.ipa -storeready scan --app-id -storeready release-checklist --app-type all -storeready publish --app-id --version [--build ] [--confirm] -storeready guidelines search "privacy" -``` +Continue until output reports READY (zero `CRITICAL` findings). Some fixes introduce new issues (e.g. adding a tracking SDK requires ATT) — re-run after each batch of changes. diff --git a/skills/store-preflight-compliance/SKILL.md b/skills/store-preflight-compliance/SKILL.md index b8c5bdb..c48e8ee 100644 --- a/skills/store-preflight-compliance/SKILL.md +++ b/skills/store-preflight-compliance/SKILL.md 
@@ -1,78 +1,93 @@ --- name: store-preflight-compliance -description: This skill should be used when the user asks to "run a play store and app store checkup", "review mobile app submission readiness", "check Google Play policy compliance", "check Apple App Store compliance", "audit store submission risks", or "prepare a mobile app for store submission". -version: 0.1.0 +description: "Audit mobile app source code for Google Play and Apple App Store submission compliance. Checks AndroidManifest flags, Gradle release metadata, high-risk permissions, privacy manifests, purpose strings, hardcoded secrets, and common rejection patterns. Produces a severity-ranked findings report with fix recommendations and a READY/NOT READY verdict. Use when reviewing mobile projects for store rejection risks, submission readiness, privacy and policy compliance, or release checkups across Android and iOS." --- # Store Preflight Compliance -Run a full pre-submission compliance checkup for mobile apps targeting Google Play and Apple App Store. +Audit mobile app source for Google Play and Apple App Store compliance. Produce a severity-ranked report with fix recommendations and a READY/NOT READY verdict — no binary build required. -## Purpose +## Step 1: Detect Platform Scope -Use this skill to produce a release-readiness report without requiring any binary build/install step. Perform static repository checks directly from source files and produce store-specific findings plus manual console review items. +Identify which store targets are present: -## No-Build Workflow +```bash +# Android indicators +find . -name "AndroidManifest.xml" -o -name "build.gradle" -o -name "build.gradle.kts" | head -5 -Do not require `go build`, `make build`, or tool installation to run this skill. +# Apple indicators +find . 
-name "Info.plist" -o -name "PrivacyInfo.xcprivacy" -o -name "*.xcodeproj" | head -5 +grep -rl '"expo".*"ios"' app.json 2>/dev/null +``` -If the `storeready` CLI is already available in PATH, it may be used as an optional accelerator. If it is not available, continue with source-only checks. +If only one platform is detected, review that platform and note the other was not found. -## Step 1: Detect Platform Scope - -Identify which store targets are present in the repo: +## Step 2: Run Google Play Source Checks -- Android indicators: `AndroidManifest.xml`, `build.gradle`, `build.gradle.kts`. -- Apple indicators: `Info.plist`, `app.json` with `expo.ios`, `PrivacyInfo.xcprivacy`, iOS project files. +Follow the detailed checklist in `references/play-checklist.md`. At minimum: -If only one platform is present, review that platform and still include a note that the other platform was not detected. +```bash +# Release-blocking flags +grep -rn 'android:debuggable="true"' . --include="AndroidManifest.xml" +grep -rn 'android:usesCleartextTraffic="true"' . --include="AndroidManifest.xml" -## Step 2: Run Google Play Source Checks +# High-risk permissions +grep -rn 'android.permission.\(READ_SMS\|READ_CALL_LOG\|MANAGE_EXTERNAL_STORAGE\|QUERY_ALL_PACKAGES\)' . --include="AndroidManifest.xml" -Use the Play checklist in `references/play-checklist.md`. +# Gradle release metadata +grep -rn 'applicationId\|targetSdk\|versionCode' . --include="*.gradle" --include="*.gradle.kts" | head -10 +``` -At minimum, check: +Also flag: data safety form accuracy, account deletion requirements, billing policy compliance for digital goods, and listing accuracy — these require manual Play Console review. -- Manifest release flags (`debuggable`, cleartext traffic, backup behavior). -- High-risk permissions requiring Play declarations. -- Gradle release metadata (`applicationId`, `targetSdk`, `versionCode`). 
-- Policy-sensitive areas requiring manual Play Console review (Data safety, account deletion, payments disclosures, listing accuracy). +**Checkpoint:** Confirm at least one Android config file was found and parsed before proceeding. ## Step 3: Run Apple Source Checks -Use the Apple checklist in `references/apple-checklist.md`. +Follow the detailed checklist in `references/apple-checklist.md`. At minimum: + +```bash +# Privacy manifest +find . -name "PrivacyInfo.xcprivacy" | head -3 + +# Hardcoded secrets / insecure URLs +grep -rn 'http://' . --include="*.swift" --include="*.m" --include="*.js" --include="*.ts" | grep -v node_modules | head -10 +grep -rn 'sk_live_\|pk_live_\|AIza\|AKIA' . --include="*.swift" --include="*.js" --include="*.ts" | head -5 + +# Placeholder content +grep -rni 'lorem ipsum\|coming soon\|\bTBD\b' . --include="*.swift" --include="*.js" --include="*.tsx" | head -5 +``` -At minimum, check: +Also flag: missing privacy policy URL, social login without Sign in with Apple, account creation without deletion path, and competing platform references. -- Metadata completeness risks (app name, bundle identifier, privacy policy references). -- Privacy manifest and required-reason API consistency. -- Common rejection patterns in code and copy (placeholder text, insecure URLs, platform-reference mistakes). -- Account and authentication policy pitfalls (for example social login patterns needing Apple Sign in support where applicable). +**Checkpoint:** Confirm at least one Apple config file was found and parsed before proceeding. ## Step 4: Produce Report -Produce output in this structure: +Structure the output as: -1. Scope detected -2. Google Play findings -3. Apple findings -4. Manual console checklist items -5. Release recommendation (`READY` / `NOT READY`) +1. **Scope detected** — which platforms and key config files found +2. **Google Play findings** — sorted by severity +3. **Apple findings** — sorted by severity +4. 
**Manual console checklist** — items requiring human review in Play Console / App Store Connect +5. **Release recommendation** — `READY` (zero CRITICAL) or `NOT READY` -For each finding include: +Each finding must include: -- Severity (`CRITICAL`, `WARN`, `INFO`) -- Title -- Evidence (file path + short snippet/observation) -- Fix recommendation +| Field | Example | +|-------|---------| +| Severity | `CRITICAL` | +| Title | Debuggable flag enabled in release manifest | +| Evidence | `AndroidManifest.xml:12 — android:debuggable="true"` | +| Fix | Set `android:debuggable="false"` or remove the attribute (defaults to false) | -## Optional Fast Path +## Optional: StoreReady CLI Fast Path -If `storeready` is installed, optionally run: +If `storeready` is available in PATH, use it to accelerate automated checks: ```bash storeready playstore-checkup . storeready appstore-checkup . ``` -Still validate manual policy checklist items from reference files, because not every store requirement is automatable. +Still validate manual policy checklist items from reference files — not every store requirement is automatable.
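Review bot: In the new `.github/workflows/skill-review.yml`, `- uses: tesslio/skill-review@main` pins a third-party action to a mutable branch, so whoever controls that repository can change what runs with `pull-requests: write` on every SKILL.md PR. Pin it to a full commit SHA (with the tag in a trailing comment), the same way `actions/checkout@v4` is at least tag-pinned, and re-pin deliberately when you want an upgrade. One more caveat worth a comment in the file: on `pull_request` events from forks the GITHUB_TOKEN is read-only regardless of the `permissions:` block, so the score comment will only post for branches in this repository.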
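Review bot: In the first `SKILL.md` hunk, Step 1 now states flatly "The `storeready` CLI is already available in PATH:", but the very next hunk keeps the fallback "If `storeready` is not found, install via one of:". Say "should already be on PATH" (or drop one of the two) so the agent is not told two contradictory things about the same precondition.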
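Review bot: In the second `SKILL.md` hunk, the "Hardcoded secrets" fix pattern is misleading as written: `process.env.VAR_NAME` and Expo `Constants.expoConfig.extra` are resolved at build time and shipped inside the IPA/APK, so a key moved there is still extractable from the binary and still a store finding. The fix should be two-part: treat any committed credential as compromised and rotate it, and move server-only secrets (payment secret keys, cloud credentials) behind your own backend; only values that are designed to be public (publishable keys, API keys restricted by bundle ID or package name) belong in `extra` or a `.env` baked into the bundle. The same hunk's install fallback, `go install github.com/MaTriXy/StoreReady/cmd/storeready@latest`, should name a specific version for an agent-run step rather than `@latest`.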
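Review bot: In the `codex-skill/SKILL.md` hunk at `@@ -50,20 +50,14 @@`, the rewritten list drops the hardcoded-secrets, `http://` URL, hardcoded-IP and debug-log items in favour of "apply standard code hygiene for generic issues", yet the description updated in the hunk just above still advertises that this skill audits "hardcoded secrets". Either keep those items (at minimum the secrets one, with "rotate the credential and move it server-side" rather than just "move to environment variables") or trim the description, so the two skill files in this patch do not give different guidance for the same finding.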
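Review bot: In the `codex-skill/SKILL.md` hunk at `@@ -72,17 +66,4 @@`, removing `storeready publish --app-id --version [--build ] [--confirm]` from an agent-facing skill is the right call, since it is the one listed command that performs a store-side action rather than a read-only check. The root `SKILL.md` keeps its `## Other CLI Commands` heading untouched in this patch; please check whether that section still lists `publish` and apply the same removal there, so the two skills expose the same command surface.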
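Review bot: In the `skills/store-preflight-compliance/SKILL.md` hunk, the Step 2 Android greps scan the whole tree without excluding `build/` or `node_modules/`, so the merged debug-variant manifest that Gradle writes under `build/intermediates/` will trip `grep -rn 'android:debuggable="true"' . --include="AndroidManifest.xml"` and report a CRITICAL on a perfectly clean project; add `--exclude-dir=build --exclude-dir=node_modules` (the Apple `http://` grep already does a `grep -v node_modules`, the rest should match). Also in this hunk: `grep -rl '"expo".*"ios"' app.json` is a single-line regex and will not match a normally formatted multi-line `app.json`, so Expo iOS targets will be missed in Step 1; the secrets grep treats `pk_live_` (a Stripe publishable key, meant to ship in the client) as a secret and only looks at `*.swift`, `*.js`, `*.ts` while the placeholder grep looks at `*.tsx` and not `*.ts`, so the `--include` lists need to be unified and extended to Kotlin/Gradle/plist files for the secrets check; and the new "**Checkpoint:** Confirm at least one Apple config file was found and parsed before proceeding" contradicts Step 1's "If only one platform is detected, review that platform and note the other was not found", which is the right behaviour for an Android-only repository, so the checkpoints should be conditional on the platform detected. Finally, the frontmatter drops `version: 0.1.0` without replacement; if any consumer reads that field, bump it rather than remove it.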