GEO Agent App Review Packet

GEO Agent is a Shopify embedded app by 8BitConcepts for AI visibility audits, product data review, merchant-approved fixes, and storefront agent-readable metadata.

Review path: Shopify OAuth, Shopify Billing, app proxy, compliance webhooks, and merchant-controlled theme extension.

Public review URLs

• Product overview
• Pricing
• Support
• Privacy policy
• Terms
• Agent-readable instructions
• OpenAPI spec
• Machine-readable review packet
• Submission checklist
• Screenshot and screencast media plan
• Reviewer tester instructions
• App proxy verification guide
• Shopify Billing verification guide
• Protected data and data-use appendix
• AI self-review answer packet
• App-review evidence ledger
• Partner Dashboard field packet
• Final submission runbook
• Review feedback response playbook

Requested scopes

• read_products: reads product titles, descriptions, images, and metafields for audit and benchmark scoring.
• write_products: applies AI-generated product-description fixes only after the merchant reviews and clicks Apply Fix.
• write_app_proxy: configures the /apps/geo app proxy for merchant-controlled llms.txt, UCP, and product-schema outputs.

The current review submission does not request read_content, read_themes, or read_metaobjects. Theme activation is merchant-controlled through the Shopify theme editor and the GEO Schema JSON-LD app block.

Billing and install path

Merchant installation starts from Shopify-owned App Store or Admin surfaces. App charges use Shopify Billing subscriptions only. Public commerce and agent manifests point merchants back to Shopify install and billing approval surfaces instead of direct card, Stripe Payment Link, machine-payment, or other off-platform checkout. The billing verification guide is available at /app-review-billing-verification.md.

Embedded app checks

• The server-rendered root document includes <meta name="shopify-api-key"> and loads https://cdn.shopify.com/shopifycloud/app-bridge.js from Shopify's CDN.
• Embedded routes use Shopify's Remix app provider and the app is configured with the new embedded authentication strategy for session-token based admin access.

Compliance behavior

• app/uninstalled deletes shop-scoped app data.
• shop/redact deletes shop-scoped app data.
• customers/data_request and customers/redact are acknowledged because GEO Agent does not store customer PII.
• Compliance webhook handlers do not log webhook payloads.

Protected data and data minimization

• GEO Agent does not request customer or order scopes and does not collect, store, or process Shopify customer PII.
• Benchmark prompts sent to OpenRouter/Kimi use product names and buyer-intent query text only.
• Stored shop data is limited to Shopify sessions, shop plan/scope state, product audit results, benchmark results, product records, and generated fix drafts.
• The full review appendix is available at /app-review-data-use.md.

Operational webhooks

• app/scopes_update at /webhooks/app/scopes_update updates the stored granted-scope string for the shop.
• products/create at /webhooks/products/create audits newly created products for agent-readable product data gaps.
• products/update at /webhooks/products/update re-audits updated products so merchant-facing recommendations stay current.

Pre-submission evidence

• Production app URL, support, privacy, terms, pricing, OpenAPI, and review packet routes return HTTP 200.
• Live OAuth install smoke confirms /auth/login?shop=8bitconcepts.myshopify.com redirects to Shopify Admin OAuth install with the submitted app client ID.
• Local app-review guard tests cover scopes, Shopify Billing-only checkout, App Bridge tags, operational webhooks, privacy deletion language, and no off-platform payment claims.
• Verification command: npx -y -p node@20.19.0 -p yarn@1.22.22 -c 'node -v && yarn -v && yarn test && yarn build'.
• Live app-review smoke command: npm run review:smoke. It covers public review URLs, the static API index, commerce and agent-readable checkout surfaces, Shopify Billing-only copy, structured review JSON, the expected direct-origin app-proxy auth response, and unsigned webhook fail-closed responses.
• Source checks use Shopify's current app-review guidance for production readiness, embedded session-token requirements, Shopify Billing, and App Store requirements.
• Final Partner Dashboard field values and guardrails are staged in the submission checklist.
• Screenshot captions and the demo screencast runbook are staged in the media plan.
• Paste-ready Partner Dashboard tester instructions are staged in the tester instructions.
• Signed Shopify app-proxy verification steps are staged in the app proxy guide.
• Shopify Billing approval and callback verification steps are staged in the billing guide.
• Protected-customer-data and AI-provider minimization evidence is staged in the data-use appendix.
• Paste-ready AI self-review answers are staged in the AI self-review packet.
• The current code-backed proof and remaining dashboard-only gates are staged in the evidence ledger.
• Paste-ready Partner Dashboard field values are staged in the field packet.
• The final dashboard sequence and submit boundary are staged in the final submission runbook.
• Narrow response templates for Shopify review feedback are staged in the response playbook.

Manual Partner Dashboard gates

• Run Shopify's App Store AI self-review from the Partner Dashboard or Shopify AI Toolkit before final submission, using the answers staged in the AI self-review packet.
• Install and open the production app in a development store from Shopify Admin, then interact with embedded routes so Shopify's automated App Bridge and session-token checks can observe live usage.
• Approve a Shopify Billing subscription in the development store and confirm the embedded app reflects the approved plan after Shopify reports an active subscription.
• Attach the demo screencast that follows the flow in the media plan. This recurring worker has no browser/Computer Use authority and does not submit the app review itself.
• Paste the reviewer test flow from the tester instructions into the Partner Dashboard testing instructions field.
• Paste the remaining field values from the Partner Dashboard field packet and keep screenshots/screencast evidence attached in the dashboard.
• Use the final submission runbook as the last pre-submit sequence after the dashboard-only gates are complete.

Reviewer demo flow

1. Install GEO Agent from the Shopify review/Admin install surface.
2. Open the embedded dashboard and run a product scan.
3. Review Products for audit results and recommendations.
4. Open Fixes, generate a product-description fix, review it, and apply only if appropriate.
5. Open Benchmark, run the Kimi/OpenRouter visibility benchmark, and wait for progress to complete.
6. Open Settings to review plan selection, API-key status, and merchant-controlled theme extension guidance.
7. Open storefront app-proxy URLs under /apps/geo to confirm merchant-controlled llms.txt, UCP, and product-schema outputs.

Contact

Support and review questions: hello@8bitconcepts.com.