# GEO Agent App Proxy Verification

Use this when verifying the Shopify app proxy before app-review submission.

## App Proxy Contract

- Shopify config: prefix `apps`, subpath `geo`.
- Requested scope: `write_app_proxy`.
- Public storefront base path after install: `/apps/geo`.
- App backend target: `https://geo-agent.fly.dev/api`.
- Outputs:
  - `/apps/geo/llms-txt` -> generated `llms.txt` for the shop.
  - `/apps/geo/ucp` -> generated commerce profile for the shop.
  - `/apps/geo/product-schema/{handle}` -> generated product JSON-LD for a scanned product.

## Expected Direct-Origin Behavior

Direct calls to `https://geo-agent.fly.dev/api/llms-txt`, `/api/ucp`, or `/api/product-schema/{handle}` are not the reviewer proof path. Those routes require Shopify's signed app-proxy request context. A direct-origin smoke can return 400 or 401 and still be correct.

## Reviewer-Store Smoke

Run this after installing GEO Agent on the Shopify review or development store:

1. Open the storefront, not the app's Fly origin.
2. Visit `https://{review-store-domain}/apps/geo/llms-txt`.
3. Confirm the response is plain text and either generated `llms.txt` content or the setup placeholder.
4. Visit `https://{review-store-domain}/apps/geo/ucp` after enabling AI Protocols in Fixes.
5. Confirm the response is JSON.
6. Visit `https://{review-store-domain}/apps/geo/product-schema/{product-handle}` after scanning products.
7. Confirm the response is JSON-LD for the scanned product.

## Guardrails

- Do not tell reviewers to test app-proxy outputs from the Fly origin.
- Do not request `read_themes` to make app-proxy checks easier.
- Do not imply GEO Agent reads or modifies theme files. Theme app extension activation stays merchant-controlled in the Shopify theme editor.