Audit / SHOT Clubhouse / iOS / 2026-05-28

Apple App Store Review Guidelines — Comprehensive Audit of SHOT Clubhouse v1.1.25

App version v1.1.25 Commit 276cc35ae Build 202605280951 Submission ID f7d9526a-055e-4a0e-91a8-d2775b1b2685 Reviewer device iPad Air 11" M3 / iPadOS 26.5 Guidelines fetched developer.apple.com/app-store/review/guidelines

1 · Executive summary

This audit enumerates every Apple App Store Review Guidelines subsection — 5 sections, 137 sub-IDs — against SHOT Clubhouse v1.1.25 (Capacitor 6 + React 18 + Vite), the build currently sitting on TestFlight against submission f7d9526a. Each subsection received a finding (with severity tier) or an explicit "not applicable" entry. No silent skips.

High

Borderline

Speculative

Pass

Counts by section

Section	HIGH	BORDERLINE	SPECULATIVE	PASS	NA
§1 Safety	3	6	7	0	9
§2 Performance	3	9	8	9	27
§3 Business	0	4	1	0	7
§4 Design	0	0	0	0	25
§5 Legal	1	5	0	19	9

Top 3 risks (de-duplicated)

The 7 HIGH findings collapse to three distinct root issues plus one policy-reminder. The three actionable risks below are recommended blockers for v1.1.26 resubmission.

🔴 HIGHGuideline 2.1(a)

Placeholder "Coming Soon" screens reachable from nav (Orders, Wishlist, Rewards)

Why it's high Direct repeat of v1.1.8 rejection pattern. Apple guideline literal: "placeholder text…should be scrubbed before submission." All three placeholders mounted via showInNav: true.

Fix Hide nav entries on iOS prod (src/routes/lockerRoutes.ts:47-65, src/routes/protectedRoutes.ts:129-136) until the features ship, or remove the routes entirely from production builds.

🔴 HIGHGuideline 1.5 / 1.2

Contact-email fragmentation across legal/account/consent surfaces

Why it's high Three different inboxes: info@ (Privacy), support@ (Terms/Delete/Checkout), contact@ (Consent/Coach). Apple emails the wrong one and gets no reply → rejection per feedback_apple_review_bundle_one_resubmit.

Fix Consolidate to a single canonical address (support@shotclubhouse.com matches Terms + ASC Support URL). Migrate the 9 file:line references via shared constant.

🔴 HIGHGuideline 5.1.1(i)

Privacy Policy is missing 4 shipping processors (RevenueCat, Brevo, BigCommerce, Shopify)

Why it's high Apple-rejectable disclosure gap. Privacy Policy §8 must enumerate every third-party data processor and SHOT App Privacy must agree with binary SDK reality. Also missing: explicit data retention period (§6).

Fix Append the four processors to src/pages/PrivacyPolicy.tsx §8 with category + jurisdiction. Add §6 retention text. ASC App Privacy schema must mirror.

The 4th HIGH (1.3 Made for Kids must stay NO) is a non-action policy reminder — current declaration is correct and structurally must persist while PostHog/Sentry/RevenueCat remain in the binary. Codify in publishing skill checklist.

2 · Methodology

Per goal §3 (drop-in autonomous prompt), the audit ran in four passes, parallelised where independent.

Code-archaeology (§3.1) — One subagent per Apple section (1–5), dispatched concurrently. Each scanned src/, ios/App/App/Info.plist, capacitor.config.ts, package.json using Glob + Grep + ast-grep + Read. Every finding carries a file:line citation. JSON output per section in findings/section-N.json.
Screen walk (§3.2) — Routing-tree enumeration via src/AppRoutes.tsx, src/routes/protectedRoutes.ts, src/routes/publicRoutes.ts identified which findings are reachable by a logged-in coach reviewer.
Playwright runtime probe (§3.3) — Headless Chromium against https://app.shotclubhouse.com (the same React bundle the iOS Capacitor app loads). Cold incognito context per URL, 7-second settle, no interaction. Captured cookies, network requests to tracker domains (posthog, sentry.io, clarity.ms etc), localStorage. Compared baseline vs ?att=denied handoff. Wall-time 3 minutes.
Self-review (§3.5) — 9 mis-tagged "verification PASSED" entries from Section 2 downgraded from HIGH/BORDERLINE to PASS with audit-trail comments in _consolidated.json. Final tier counts above reflect post-review state.

Edge functions, marketing site (shotclubhouse.com + pulse.shotclubhouse.com), Android, and CI tooling were explicitly out of scope per goal §2.2. See §5 below.

§1

Safety

3 HIGH 6 BORDERLINE 7 SPECULATIVE 0 PASS 9 NA

■ HIGH 1.2

Four UGC requirements: filter / report / block / contact — all four mechanically present, but textual contact info is fragmented across THREE different emails

src/features/pulse/components/comments/ReportCommentSheet.tsx:1-213 src/features/pulse/components/comments/BlockUserConfirmSheet.tsx:1-184 src/features/announcements/components/moderation/ReportSheet.tsx:1-150 src/features/pulse/hooks/useComments.ts:469-493 src/hooks/useBlockedUsers.ts:1-50 src/pages/PrivacyPolicy.tsx:215 +2 more

Evidence

Filter: Perspective API moderation server-side (useComments.ts:469-493) — gated on submit, rejected if !moderation.allowed. Report: 4-reason sheet on Pulse (ReportCommentSheet.tsx:9-14: Harassment, Hate speech, Spam, Inappropriate); 5-reason sheet on announcements (ReportSheet.tsx:24-55). Block: BlockUserConfirmSheet.tsx hides commenter content (CommentItem.tsx:46, useComments.ts:905-917). Contact: privacy emails 'info@shotclubhouse.com' (PrivacyPolicy.tsx:215, 366), terms email 'support@shotclubhouse.com' (TermsOfService.tsx:169, DeleteAccount.tsx:154,274), consent email 'contact@shotclubhous

Why it engages the guideline

All four 1.2 mechanisms exist but 'published contact information' fragmentation makes it ambiguous which inbox Apple reviewer should email if they hit a content issue. Per memory feedback_apple_review_bundle_one_resubmit, Apple expects ONE clear support contact and ASC Support URL aligned with in-app contact.

Recommended fix

Consolidate to one canonical address (recommend support@shotclubhouse.com to match TermsOfService.tsx and ASC Support URL). Migrate info@ and contact@ references to forward to one inbox. Document mapping in ASC App Review Notes.

■ HIGH 1.3

Made for Kids must remain NO — confirmed correct per existing submission doc, but COPPA-gating + analytics SDKs would block any future Yes

docs/apple-app-store-submission.md:115-125 src/foundation/auth/guards/MinorAccountGuard.tsx:22-23 src/foundation/auth/guards/MinorAccountGuard.tsx:81-100 src/components/consent/ConsentBanner.tsx:1 src/utils/attWebHandoff.ts:1

Evidence

docs/apple-app-store-submission.md:115-125 declares 'Made for Kids: No' and 'Age Rating Result: Expected 12+ or 17+ (due to UGC)'. MinorAccountGuard.tsx enforces COPPA gating with statuses blocked_underage / provisional_minor / parent_managed / verified_minor (lines 22-23). Per memory feedback_made_for_kids_no_when_coppa_gated and project_shot_observability_web_only: SHOT ships PostHog (posthog-js) + Sentry (@sentry/react) + RevenueCat — all incompatible with Kids Category's third-party-analytics ban.

Why it engages the guideline

Apple 1.3 forbids third-party analytics + IDFA collection in Kids apps. SHOT's analytics stack is structurally incompatible. ATT prompt is wired (NSUserTrackingUsageDescription in ios/App/App/Info.plist:58-59) which itself signals non-Kids.

Recommended fix

NO ACTION — current 'Made for Kids: No' answer is correct and must persist across submissions. Codify in publishing skill / ASC checklist to prevent regression.

■ HIGH 1.5

Contact email fragmentation — three different support inboxes (info@, support@, contact@) across legal, account, and consent surfaces

src/pages/PrivacyPolicy.tsx:215 src/pages/PrivacyPolicy.tsx:366 src/pages/TermsOfService.tsx:169 src/pages/DeleteAccount.tsx:154 src/pages/DeleteAccount.tsx:274 src/pages/consent/ConsentBlockedPage.tsx:207 +5 more

Evidence

PrivacyPolicy uses 'info@shotclubhouse.com' (lines 215, 366). TermsOfService + DeleteAccount + CheckoutSuccess + Alex deep link allowlist use 'support@shotclubhouse.com' (TermsOfService.tsx:169, DeleteAccount.tsx:154/274, CheckoutSuccess.tsx:143, deepLink.ts:65). Consent + coach quick actions use 'contact@shotclubhouse.com' (ConsentBlockedPage.tsx:207, ParentConsentPage.tsx:464, CoachQuickActions.tsx:78, CoachPerformSection.tsx:222).

Why it engages the guideline

Apple 1.5 literal: 'Make sure your app and its Support URL include an easy way to contact you'. Three separate inboxes for one app raises 'is this monitored?' question. ASC Support URL almost certainly points at one of these only — a reviewer emailing a different one and getting no reply triggers rejection per memory feedback_apple_review_bundle_one_resubmit.

Recommended fix

Consolidate to one canonical 'support@shotclubhouse.com'. Either retire info@ + contact@, or aliases that forward to support@. Match ASC Support URL accordingly. Update PrivacyPolicy.tsx + ParentConsentPage.tsx + ConsentBlockedPage.tsx + CoachQuickActions.tsx + CoachPerformSection.tsx to a single shared constant.

▲ BORDERLINE 1.1.1

Pulse + announcement comment moderation relies on Perspective API toxicity scoring — no explicit hate-speech / discrimination rule beyond generic Perspective thresholds

src/features/pulse/hooks/useComments.ts:469-493 src/features/pulse/components/comments/ReportCommentSheet.tsx:9-14 src/features/announcements/components/moderation/ReportSheet.tsx:24-55

Evidence

REPORT_REASONS array includes 'Harassment or bullying' and 'Hate speech' in Pulse (ReportCommentSheet.tsx:9-14); announcements expose Spam/Harassment/Inappropriate/Misinformation/Other (ReportSheet.tsx:24-55). Server-side text moderation = generic Perspective API call only.

Why it engages the guideline

Apple expects authored-defamation prevention. UGC reach is limited to within-club comments (not public), reducing reviewer exposure risk, but the literal guideline does apply since comments are visible to all club members including minors.

Recommended fix

Document Perspective TOXICITY + IDENTITY_ATTACK thresholds in the moderate-comment edge fn (out of scope of this audit) and link from ASC App Review Notes; this is the moderation evidence Apple expects.

▲ BORDERLINE 1.1.4

Announcement image + video uploads pass straight to R2 without NSFW image-classification

src/features/announcements/components/editor/FileUploader.tsx:8-19 src/features/announcements/services/uploadService.ts:1

Evidence

FileUploader accepts image/jpeg, image/png, image/gif, image/webp + video/mp4, video/webm, video/quicktime up to 10MB image / 100MB video. No client- or edge-side NSFW classifier (Vision, Hive, Sightengine, etc.) — files go directly to Cloudflare R2 via uploadService. Authoring is gated to role:coach (src/routes/v2Routes.ts:276-282 guard:'role:coach'), so the attack vector is a compromised / abusive coach account.

Why it engages the guideline

1.1.4 + 1.2 require 'method for filtering objectionable material from being posted to the app'. Text is filtered (Perspective); media is not. Reviewer-reachable on iPad if reviewer logs in as coach@shotclubhouse.com and posts media to an announcement.

Recommended fix

Add image moderation (Cloudflare Images AI scan, AWS Rekognition DetectModerationLabels, or Sightengine) to the upload pipeline before persisting attachment_url, OR document in ASC that authoring is restricted to verified coaches with TOS-binding.

▲ BORDERLINE 1.2

Announcement media uploads (images, videos, PDF, .docx) bypass moderation — fails 'method for filtering objectionable material'

src/features/announcements/components/editor/FileUploader.tsx:8-19 src/features/announcements/services/uploadService.ts

Evidence

FileUploader accepts image/jpeg/png/gif/webp + video/mp4/webm/quicktime up to 100MB per file (FileUploader.tsx:8-19) with NO content moderation pipeline. Upload routes directly to R2 via uploadService. Only text moderation exists (Perspective on submit). Coach-only authoring (role:coach guard) provides social mitigation but not technical filter.

Why it engages the guideline

Apple 1.2 literal text: 'A method for filtering objectionable material from being posted to the app'. Text filter exists; media filter doesn't. Bot reviewers don't usually inspect, but a human reviewer testing the coach demo account who uploads a flagged test image would observe no rejection.

Recommended fix

Add an NSFW classifier on the upload edge function (Cloudflare Workers AI, AWS Rekognition, or Sightengine) and reject before persisting. Alternative: document in ASC that media authoring is restricted to verified-coach role plus TOS commitment + reactive moderation dashboard (ModerationDashboard.tsx at v2Routes.ts:268-272).

▲ BORDERLINE 1.2

User-block is per-feature-scope (Pulse only) — announcement comment authors cannot be blocked

src/hooks/useBlockedUsers.ts:12-23 src/features/announcements/components/moderation/ContentActionsMenu.tsx:1-80

Evidence

useBlockedUsers hook is global (returns Set<string>) and is consumed by Pulse comments (useComments.ts:159, 214, 905-917) but NOT wired into announcements/components/feed/InlineComments.tsx or CommentSection.tsx. Announcement comment menu (ContentActionsMenu.tsx) exposes Report + Edit + Delete + Pin + Hide but no Block.

Why it engages the guideline

Apple 1.2 requires 'ability to block abusive users from the service'. Block existing in Pulse covers part of the surface but not announcements — a user blocked from Pulse comments still appears in announcement comment threads.

Recommended fix

Plumb useBlockedUsers into announcement comment feeds (CommentSection.tsx filter step) so block is global. Add 'Block @user' option to ContentActionsMenu when commentId is present.

▲ BORDERLINE 1.4.1

Alex AI assistant has no medical-advice disclaimer and could answer injury / recovery / nutrition questions if asked

src/features/alex/components/AlexHeader.tsx:119-124 src/features/alex/components/AlexChatPanel.tsx:684 src/features/alex/config/quickChips.ts:1-100

Evidence

Alex chat input placeholder: 'Ask Alex about training, stats, your next event…' (AlexChatPanel.tsx:684). No 'not medical advice / consult a doctor' disclaimer in AlexHeader.tsx, AlexChatPanel.tsx, or AlexQuickChips.tsx. Grep across src/features/alex for 'medical', 'consult.*doctor', 'disclaimer' returns zero hits. quickChips.ts has no medical chips but the LLM is unconstrained in user-typed prompts. Currently flag-gated OFF in production (VITE_ENABLE_ALEX defaults to false per useAlexEnabled.ts:10-37).

Why it engages the guideline

Apple 1.4.1 explicit requirement: 'Apps should remind users to check with a doctor in addition to using the app and before making medical decisions.' If Alex is enabled in a future prod release and a youth athlete asks 'I have shin splints, what should I do?', Alex's current prompt has no enforced disclaimer. Production safety relies on flag being OFF.

Recommended fix

Before flipping VITE_ENABLE_ALEX=true in production, add (a) a 'Alex is not a doctor — talk to a coach or medical professional for injury / health questions' disclaimer in AlexChatPanel empty state, and (b) a server-side prompt instruction in _alex_shared system prompt that refuses medical advice and redirects.

▲ BORDERLINE 1.5

No in-app 'Contact Support' surface from Account page — users cannot find support without scrolling to legal / consent pages

src/pages/Account.tsx:1-100

Evidence

src/pages/Account.tsx (Account page) shows no direct 'Contact Support' / 'Help' link. Grep on Account.tsx for 'privacy', 'terms', 'help', 'support' returns only the string 'contact support' inside an error toast (line 390) and PrivacyConsentCard import (line 43). Privacy Policy + Terms ARE routed at /privacy and /terms (src/routes/publicRoutes.ts:71-77) but not linked from the authenticated account UI.

Why it engages the guideline

Apple 1.5: 'particularly important for apps that may be used in the classroom'. Youth sports app used by minors — should provide easy in-app contact path beyond a buried error toast.

Recommended fix

Add a 'Help & Support' section to src/pages/Account.tsx with mailto:support@shotclubhouse.com + Privacy Policy + Terms links.

◆ SPECULATIVE 1.1

Top-level 1.1 umbrella — no SHOT surface directly violates the parent clause; all material risk routes through the 1.1.x subclauses below

src/features/pulse/components/comments/CommentInput.tsx:1 src/features/announcements/components/comments/CommentSection.tsx:1

Evidence

SHOT is a multisport youth coaching app. Authored content (Pulse articles, Alex prompts, announcements) is editorial / AI-rewritten / coach-authored. The only freeform user-supplied text surfaces are Pulse comments + announcement comments, both gated through Perspective-API moderation in moderate-comment edge function (src/features/pulse/hooks/useComments.ts:469). No objectionable-content product surface beyond UGC comments.

Why it engages the guideline

1.1 parent clause is preventative — concrete risk lands in 1.1.1/1.1.2/1.1.4. Listed SPECULATIVE so audit isn't silent.

Recommended fix

No action — covered by subclause findings.

◆ SPECULATIVE 1.1.6

Alex AI may hallucinate sports facts or athlete-performance interpretations

src/features/alex/components/AlexHeader.tsx:119-124 src/features/alex/config/quickChips.ts:118-244

Evidence

Alex header brands the assistant as 'ALEX · Five Corners AI' (AlexHeader.tsx:119-124), so the LLM nature is disclosed. Quick chips like 'How am I doing this season?' (quickChips.ts:118), 'Show me the latest Premier League scores.' (line 136) imply factual claims. No 'AI may make mistakes' disclaimer string anywhere in src/features/alex/.

Why it engages the guideline

Apple 1.1.6 targets inaccurate-device-data and trick functionality. LLM-generated 'season stats' that hallucinate are an edge case but a careful reviewer could test this. Currently flag-gated off in production (VITE_ENABLE_ALEX defaults false per useAlexEnabled.ts:35-37), so production reviewer never sees Alex unless staging is toggled.

Recommended fix

Add a one-line disclaimer in AlexHeader subtext or AlexChatPanel empty state: 'AI-generated, may be inaccurate. Verify with your coach.' Already partially mitigated by build-time gate.

◆ SPECULATIVE 1.4

Top-level 1.4 — SHOT trains youth athletes; intensity/workload tracking + AI coaching tips engage physical-harm framing but stay subjective

src/features/assess/components/PlayerIntensitySelector.tsx:25-40 src/features/alex/config/quickChips.ts:130

Evidence

PlayerIntensitySelector exposes 0-3 subjective intensity scoring with INTENSITY_LABELS / INTENSITY_DESCRIPTIONS (line 89-94). Alex quick chips offer 'Give me tips for my position.' (line 130) — subjective coaching, not medical. No HR / fitness sensor capture, no HealthKit integration, no fitness-recovery prescriptions.

Why it engages the guideline

1.4 parent clause covers physical-harm risk broadly. SHOT's surfaces are subjective coach-driven assessment, not biometric-based prescription. Concrete risk lives in 1.4.1.

Recommended fix

No action — covered by subclause findings.

◆ SPECULATIVE 1.4.1

Pulse and announcement content could theoretically include health misinformation

src/features/pulse-v2/components/detail/PulseArticleBody.tsx:1-50 src/features/announcements/components/editor/AnnouncementEditor.tsx:1

Evidence

Pulse content is AI-rewritten from sports news sources. Announcements are coach-authored free text. Neither has a category gate against health/medical claims. ReportSheet for announcements includes MISINFORMATION reason (ReportSheet.tsx:43-48).

Why it engages the guideline

Speculative — content scope is sports, not health. Reactive moderation via Report is present.

Recommended fix

No action — Report flow + coach-only authoring is sufficient.

◆ SPECULATIVE 1.4.5

Coach-authored training plans could prescribe injury-risk drills — no validation surface

src/features/alex/config/quickChips.ts:285 src/features/assess/components/PostEventDataForm.tsx:1

Evidence

Alex coach-side quick chip 'Help me plan a training session for my team today.' (quickChips.ts:285) generates coach-side training plans. PostEventDataForm captures session intensity. No surface explicitly encourages risky activity; coaches choose the drills, not the app.

Why it engages the guideline

1.4.5 targets app-encouraged dangerous activity (TikTok-style challenges, dangerous device use). SHOT is a tool, not a challenge platform. Coaches are real-world responsible parties.

Recommended fix

No action — coach professional responsibility + reactive moderation.

◆ SPECULATIVE 1.6

COPPA flow + RLS architecture present; no obvious in-code security regression at v1.1.25

src/foundation/auth/guards/MinorAccountGuard.tsx:22-100 src/lib/supabase.ts:1 ios/App/App/Info.plist:27-50 .agents/MEMORY.md:RLS Performance

Evidence

MinorAccountGuard.tsx implements blocked_underage / provisional_minor / parent_managed / verified_minor enforcement (lines 22-100). Info.plist (lines 27-50) configures App Transport Security with TLSv1.2 minimum + ForwardSecrecy for supabase.co. Memory notes extensive RLS hardening (alex RPC-only, evaluations SECURITY DEFINER helpers, initPlan optimization).

Why it engages the guideline

1.6 is general 'implement appropriate security measures'. SHOT has demonstrably invested in this layer; no obvious gap visible in client code (server-side RLS audit out-of-scope per goal — skip supabase/functions/**).

Recommended fix

Maintain current posture. Document COPPA + RLS architecture in ASC App Review Notes proactively if Apple raises 1.6 concerns about youth-data handling.

◆ SPECULATIVE 1.6

ATT web-handoff cookie discipline shipped at v1.1.11 (per memory) — confirms 5.1.1(iv) hardening that also reads as 1.6 hygiene

src/utils/attWebHandoff.ts:1 src/pages/PrivacyPolicy.tsx:20-38

Evidence

attWebHandoff.ts utility wraps Browser.open with appendATTStatusToUrl + getTrackingStatus so external-Safari handoffs (PrivacyPolicy.tsx:23-38 openDeleteAccountWeb) carry native ATT status. PostHog/Sentry/Clarity gate cookie writes based on ?att= param.

Why it engages the guideline

1.6 + 5.1.1 overlap on cookie / tracking discipline. Already addressed at v1.1.11 per memory feedback_att_web_handoff_three_layer_gate.

Recommended fix

No action — already shipped.

§2

Performance

3 HIGH 9 BORDERLINE 8 SPECULATIVE 9 PASS 27 NA

■ HIGH 2.1

Placeholder 'Coming Soon' screens still ship in production navigation (Orders, Wishlist)

src/routes/lockerRoutes.ts:47-60 src/components/ComingSoonWithNav.tsx:16-18 src/components/ComingSoon.tsx:1-44

Evidence

lockerRoutes.ts mounts `/locker/orders` (line 48-53) and `/locker/wishlist` (line 55-60) to ComingSoonWithNav with `showInNav: true` and labels 'Orders' and 'Wishlist'. ComingSoonWithNav renders default title 'Coming Soon' + description "We're working hard to bring you this feature. Check back soon!". `/locker/size-guide` (line 62-65) also placeholder but hidden from nav.

Why it engages the guideline

Apple 2.1(a) literal text: 'placeholder text, empty websites, and other temporary content should be scrubbed before submission... We will reject incomplete app bundles and binaries that crash or exhibit obvious technical problems.' Two of these are reachable from the locker navigation bar — a reviewer tapping the cart icon in any session can navigate to Orders/Wishlist and see the placeholder page. This is the literal pattern Apple rejects.

Recommended fix

Either (a) remove `showInNav: true` from `/locker/orders` and `/locker/wishlist` so they aren't reachable, (b) hide the routes entirely behind a `VITE_ENABLE_LOCKER_ORDERS` env flag defaulted to false in production, or (c) ship a minimal real implementation (order history reads BigCommerce, wishlist is local). Same fix for `/locker/size-guide` even though it isn't in nav — a deep link or static page link would still expose it to a reviewer.

■ HIGH 2.1

`/rewards` is a placeholder Coming Soon page reachable from drawer/header

src/routes/protectedRoutes.ts:129-136 src/pages/Rewards/ComingSoon.tsx:41-94 src/components/StandardHeader.tsx:209 src/components/v2/AppHeaderV2.tsx:142 src/components/v2/nav-drawer.tsx:111

Evidence

protectedRoutes.ts mounts `/rewards` to `ProtectedComponents.RewardsComingSoon` which renders heading 'SP Rewards Coming Soon!' and large badge '🚀 Coming Soon - Stay Tuned!'. Three different navigation entry points push to `/rewards`: StandardHeader.tsx:209, AppHeaderV2.tsx:142, nav-drawer.tsx:111. `showInNav: false` on the route itself doesn't matter — header/drawer buttons surface it.

Why it engages the guideline

Same 2.1(a) literal placeholder content rule. The 🚀 emoji, 'Coming Soon' heading, and 'Stay Tuned!' CTA are textbook placeholder text. The fact that the page is also `/rewards` (a feature gestured at across UI) makes the gap obvious to a reviewer. Apple has rejected SHOT on 2.1(a) before — this is repeat exposure.

Recommended fix

Remove rewards button from StandardHeader/AppHeaderV2/nav-drawer for production builds (env gate `VITE_ENABLE_REWARDS`), OR ship a minimal SP balance display + redemption log even with zero programs. Treat 'Coming Soon' UI as a release blocker the same way the variant-options error block is.

■ HIGH 2.1(a)

Placeholder screens (Coming Soon for Orders/Wishlist/Rewards) violate the explicit 2.1(a) ban on 'placeholder text'

src/routes/lockerRoutes.ts:47-65 src/routes/protectedRoutes.ts:129-136

Evidence

See 2.1 main finding. 2.1(a) text states 'placeholder text, empty websites, and other temporary content should be scrubbed before submission'. SHOT ships three navigation-reachable surfaces (`/locker/orders`, `/locker/wishlist`, `/rewards`) whose entire purpose is to display 'Coming Soon' placeholder copy.

Why it engages the guideline

This is the literal text-level violation of 2.1(a). The previous SHOT 2.1(a) rejection was a functional bug (variant selection broke); this is a metadata-level violation (placeholder text). Both fall under the same guideline sub-bullet.

Recommended fix

Per 2.1 fix list above. Demo account `coach@shotclubhouse.com` per `.claude/CLAUDE.md` is provisioned and works against production.

▲ BORDERLINE 2.1(b)

Paywall + RevenueCat IAP plumbing is conditionally gated on iOS native

src/pages/Paywall/index.tsx:7,20,32,57,436,460-463 package.json:134

Evidence

Paywall comment at line 7: 'On native (iOS/Android): displays IAP subscription buttons (RevenueCat) + Restore'. RevenueCat package `@revenuecat/purchases-capacitor@^9.2.2` is installed. Paywall renders PaywallOptions for the IAP buttons.

Why it engages the guideline

IAPs are wired to RevenueCat via Capacitor on iOS. App Review reviewers must be able to see + complete the IAP — known iPad-emulator gotcha is real-device-only (per project memory: 'Android emulator getOfferings() returns NULL'). For iPad reviewer, RevenueCat must show offerings against the Apple sandbox storefront. Tier borderline because actual reviewer-facing flow requires both ASC product approval AND RevenueCat config — neither verifiable at code level.

Recommended fix

Before submitting, run a fresh TestFlight build on iPad Air M3 simulator/device with sandbox Apple ID and confirm: (a) Paywall renders subscription tiles, (b) tapping a tile triggers Apple's purchase sheet, (c) Restore button works. Document in App Review Notes which Apple sandbox account to use.

▲ BORDERLINE 2.3

Code-side metadata-touching surfaces look consistent; ASC-side metadata not auditable here

ios/App/App/Info.plist:8 capacitor.config.ts:5 package.json:4

Evidence

CFBundleDisplayName='SHOT' (Info.plist:8), Capacitor appName='SHOT Clubhouse' (line 5), package.json version='1.1.25' (line 4). Bundle ID `com.shotclubhouse.app` in capacitor.config.ts vs `com.shotclubhouse.shot` in pbxproj (line 400) — naming drift exists but production builds use the pbxproj value.

Why it engages the guideline

App identity is consistent. Full metadata accuracy (description, screenshots, privacy survey) is set in ASC and cannot be audited at code level.

Recommended fix

Confirm ASC-side: description still accurate for v1.1.25, screenshots show the latest UI (not v1.1.8 era), promotional text doesn't promise the Rewards/Orders/Wishlist features that are still placeholders.

▲ BORDERLINE 2.3.1

Alex AI feature is build-time gated by `VITE_ENABLE_ALEX` — flip behavior depends on env file

src/features/alex/hooks/useAlexEnabled.ts:36-37 src/AppRoutes.tsx:147 src/vite-env.d.ts:44

Evidence

AlexLauncher mounted only when `parseEnvBool(import.meta.env.VITE_ENABLE_ALEX)` returns true. AppRoutes comment line 147: 'Build-time gated via VITE_ENABLE_ALEX (default OFF in prod for App Store cycle).' Per project MEMORY.md, set ON in staging, OFF in production until App Store cycle clears.

Why it engages the guideline

Apple 2.3.1(a) bans 'hidden, dormant, or undocumented features'. If the v1.1.25 production binary ships with `VITE_ENABLE_ALEX=true`, Alex chat appears — and it's a fully functional AI feature not documented in App Store description, which is a 2.3.1 violation. If it ships OFF, the code is present but dormant — Apple's wording covers 'dormant' features explicitly. Either way an answer is needed.

Recommended fix

Either (a) ship Alex ENABLED in v1.1.25 and disclose it in App Review Notes + What's New + ASC description ('AI assistant available to coaches/parents/athletes'), OR (b) keep it OFF and ensure the bundled code is dead-stripped at build time so reviewers cannot reach `/alex` via direct URL. Verify the production `.env.production` value before submission.

▲ BORDERLINE 2.3.2

RevenueCat handles SKPaymentTransactionObserver via @revenuecat/purchases-capacitor

package.json:134

Evidence

App uses `@revenuecat/purchases-capacitor@^9.2.2`, which internally configures the StoreKit observer. App code does not directly instantiate `SKPaymentTransactionObserver` — RevenueCat owns it.

Why it engages the guideline

RevenueCat handles the observer correctly per their SDK contract. Code-level concern is whether the paywall properly handles the launch case where StoreKit delivers a queued transaction (e.g. App Store-initiated purchase). Tier borderline — RevenueCat's defaults usually pass this guideline but a specific reviewer test (kick off purchase outside the app then launch) could still fail.

Recommended fix

Ensure RevenueCat is configured with `purchasesAreCompletedBy.RevenueCat` (default) and `Purchases.shared.delegate` is hooked at app start so any queued transactions complete on launch. Document in App Review Notes that promoted IAPs and queued transactions are routed through the Paywall page.

▲ BORDERLINE 2.4

App targets iPhone-only device family but configures iPad orientations

ios/App/App.xcodeproj/project.pbxproj:404,425 ios/App/App/Info.plist:78-84

Evidence

TARGETED_DEVICE_FAMILY='1' (iPhone only) in both Debug and Release configs. Info.plist sets `UISupportedInterfaceOrientations~ipad` (lines 78-84) which only matters if the app actually runs on iPad. LSRequiresIPhoneOS=true.

Why it engages the guideline

Apple 2.4.1 encourages iPhone apps to run on iPad whenever possible. SHOT-OG ships as iPhone-only. iPad reviewers will test under iPhone-compat mode (scaled). The iPad orientations key suggests intent to support iPad but device family contradicts it. See 2.4.1 below for detail.

Recommended fix

See 2.4.1.

▲ BORDERLINE 2.4.1

App is iPhone-only (TARGETED_DEVICE_FAMILY=1) — reviewer on iPad Air M3 runs in compat mode

ios/App/App.xcodeproj/project.pbxproj:404,425

Evidence

TARGETED_DEVICE_FAMILY = "1" hardcoded in both Debug (line 404) and Release (line 425) configurations. Value 1 = iPhone, value 2 = iPad, '1,2' = universal.

Why it engages the guideline

Apple 2.4.1 says 'iPhone apps should run on iPad whenever possible. We encourage you to consider building apps so customers can use them on all of their devices.' This is not a hard rejection criterion ('should', 'encourage'), but reviewers using iPad Air M3 will see the app run in iPhone compat mode. Per project memory, prior reviewers have done this without issue. Borderline because the SHOT UI is React + Tailwind responsive — adding iPad to TARGETED_DEVICE_FAMILY would likely 'just work' and remove the compat-mode risk entirely.

Recommended fix

Consider changing TARGETED_DEVICE_FAMILY to '1,2' in a future release after a manual sweep of layout breakpoints on iPad Air M3. NOT a v1.1.25 blocker.

▲ BORDERLINE 2.5.1

IPHONEOS_DEPLOYMENT_TARGET = 13.0 — minimum supported iOS is 13

ios/App/App.xcodeproj/project.pbxproj:396,418

Evidence

Both Debug (line 396) and Release (line 418) configs set IPHONEOS_DEPLOYMENT_TARGET = 13.0.

Why it engages the guideline

Apple 2.5.1 says 'must run on the currently shipping OS'. iOS 26.x is currently shipping, and the app supports back to iOS 13 — well-covered for the current OS, no issue.

Recommended fix

No action. Consider bumping minimum to iOS 15 in a future release for SDK simplifications, not a v1.1.25 concern.

▲ BORDERLINE 2.5.2

App uses dynamic `import()` for lazy-route loading — bundled JS only, no remote code

src/routes/components.ts:6-51 src/components/SignIn.tsx:473-475

Evidence

All dynamic imports are `React.lazy(() => import('@/pages/X'))` — resolved at Vite build time, bundled into the app's own JS chunks. No `import()` of a URL, no `fetch()` of executable code, no `eval()`, no `new Function()` (grep confirmed empty).

Why it engages the guideline

PASS at static level. Dynamic imports of local modules are explicitly allowed by Apple — they resolve to in-bundle chunks, not remote code. WKWebView serves bundle from `capacitor://localhost/` (capacitor.config.ts:8-9), not from a remote URL.

Recommended fix

No action. Ensure no future code adds `import(httpUrl)` or `fetch + eval` patterns.

▲ BORDERLINE 2.5.6

ClubLocationFilter uses navigator.geolocation but is currently NOT MOUNTED — Info.plist has no NSLocationWhenInUseUsageDescription

src/pages/section/Coach/supporting/ClubManagement/components/ClubLocationFilter.tsx:117-118 ios/App/App/Info.plist:52-59

Evidence

ClubLocationFilter.tsx line 117 calls `navigator.geolocation.getCurrentPosition`. Static grep across src/ finds NO importers of this component. Info.plist has no NSLocationWhenInUseUsageDescription, NSLocationAlwaysUsageDescription, or NSLocationAlwaysAndWhenInUseUsageDescription.

Why it engages the guideline

Latent risk — code is shipped in the bundle but the route is dead-code so reviewer cannot trigger the prompt. If anyone wires this component up in a future release, the geolocation call would either crash (no permission string) OR Apple would reject 2.5.6 ('apps that request privacy-sensitive APIs must include a usage description'). Tier borderline-not-high because the dead-code path can't be reached at runtime.

Recommended fix

Either (a) delete ClubLocationFilter.tsx entirely (it's unused dead code), OR (b) add NSLocationWhenInUseUsageDescription to Info.plist with text like 'SHOT uses your location to find clubs near you' BEFORE this component is ever mounted. Track in #shame:debt or follow-up issue.

◆ SPECULATIVE 2.1

TODO comment in SignIn.tsx invite-code flow

src/components/SignIn.tsx:471-475

Evidence

Line 471 comment: '// TODO: Replace with available invite code service'. Line 472 references `EnhancedInviteCodeService` 'Moved to outbox' — but actual import on line 473-475 already uses `InviteCodeService` which works.

Why it engages the guideline

The TODO is a stale code comment about an internal service migration — runtime behaviour is fine, the invite code redemption code path executes. Reviewer cannot see code comments. Speculative-tier because a hygiene cleanup would tidy this up but it isn't a functional bug.

Recommended fix

Delete the TODO comment and outbox-reference comment at lines 471-472 in a future PR. No release blocker.

◆ SPECULATIVE 2.3.10

Code contains Android-platform code paths for cross-platform support

package.json:103 src/utils/trackingPermission.ts:194-212

Evidence

`@capacitor/android` is in dependencies. Android-specific code paths exist for tracking permissions, push, etc. None of these are user-visible in the iOS app binary or its metadata.

Why it engages the guideline

2.3.10 prohibits user-facing references to other mobile platforms in app metadata or UI. Internal Capacitor cross-platform code is invisible to reviewer and to users. No violation found.

Recommended fix

No action. Ensure no UI string literally says 'Android' or 'Google Play' in the iOS build.

◆ SPECULATIVE 2.4.2

UIBackgroundModes is `remote-notification` only — no audio/voip/location background abuse

ios/App/App/Info.plist:60-63

Evidence

Info.plist UIBackgroundModes array contains only `remote-notification`. No `audio`, `voip`, `location`, `fetch`, or `processing` modes. No cryptocurrency mining in dependencies (no web3/blockchain libs in package.json).

Why it engages the guideline

PASS at the static level — background activity is bounded to push receipt. App does not enable battery-draining background work.

Recommended fix

No action.

◆ SPECULATIVE 2.4.4

No code-level prompts to disable Wi-Fi, restart, or modify system settings

Evidence

Grep across src/ for 'restart your device', 'turn off wi-fi', 'disable', 'system settings' yields only the standard 'open Settings' deep-link prompt for permission re-request (App.tsx area for push permission).

Why it engages the guideline

PASS — only system-settings interaction is the legitimate iOS app-settings deep link to re-grant push/notification permission.

Recommended fix

No action.

◆ SPECULATIVE 2.5.1

No private API use detected; all native interactions go through Capacitor public plugins

ios/App/App/AppDelegate.swift:1-50 package.json:101-113

Evidence

AppDelegate uses public UIKit/Capacitor/Firebase APIs only. All Capacitor plugins listed in package.json are official `@capacitor/*` or `@capacitor-community/*` packages. Firebase SDKs (`FirebaseCore`, `FirebaseMessaging`, `FirebaseAnalytics`) are vetted public Apple-approved SDKs. RevenueCat (`@revenuecat/purchases-capacitor`) is App-Store-vetted.

Why it engages the guideline

PASS — no IDFA/private-API symbols, no UIDevice undocumented selectors, no method swizzling of Apple frameworks at the iOS layer beyond Firebase's documented swizzles.

Recommended fix

No action.

◆ SPECULATIVE 2.5.5

All HTTP traffic goes through hostnames (Supabase, BigCommerce, Sentry, PostHog) — no hardcoded IPv4 literals

ios/App/App/Info.plist:27-50

Evidence

App Transport Security exception is `supabase.co` (hostname-scoped, includes subdomains, requires forward secrecy + TLS 1.2). No IPv4 literals like `127.0.0.1` or hardcoded numeric IPs in any user-facing network call (grep confirmed). Supabase/Sentry/PostHog/BigCommerce all support IPv6.

Why it engages the guideline

PASS at static level. All HTTPS traffic resolves via DNS, which is IPv6-capable. Cellular IPv6 networks (e.g. T-Mobile US, EE UK) should work transparently.

Recommended fix

Optional: run a quick IPv6-only network test on the iPad Air M3 reviewer device (or simulator with IPv6 NAT64 mode) before submission to be thorough. Not a v1.1.25 blocker absent specific evidence of failure.

◆ SPECULATIVE 2.5.9

No interception of volume buttons or ring/silent switch

Evidence

Grep for `AVAudioSession`, `volumeButton`, `silentSwitch`, `MPRemoteCommandCenter` in src/ + ios/App returned no matches.

Why it engages the guideline

PASS — app does not alter or disable any standard system switches.

Recommended fix

No action.

◆ SPECULATIVE 2.5.16

No iOS app extensions (Widgets, Notification Service, Share, etc.) in Xcode project

ios/App/

Evidence

ios/App/ contains only the main App target + xcworkspace + Podfile. No `Widget/` directory, no NotificationServiceExtension, no ShareExtension targets.

Why it engages the guideline

N/A in spirit — no extensions to be misaligned. Push notifications (the only extension-shaped surface) are wired through the main app and are by definition app-related (event reminders, evaluation prompts).

Recommended fix

No action.

§3

Business

0 HIGH 4 BORDERLINE 1 SPECULATIVE 0 PASS 7 NA

▲ BORDERLINE 3.1.1

Locker storefront does not filter digital products before iOS display

Evidence

src/services/BigCommerceService.ts:23 — type: 'physical' | 'digital' on product model; src/services/BigCommerceService.ts:309 — cart line_items.digital_items array; src/features/locker/components/ProductCard.tsx — no type filter on product display; src/features/locker/pages/shop/LockerHome.tsx:251-325 — renders all collection products without iOS or digital filter; .env.example:VITE_COMMERCE_PROVIDER=shopify — Shopify is default storefront; src/features/locker/pages/checkout/ShopifyCheckout.tsx:28-50 — opens checkout via Browser.open on iOS regardless of product type

Why it engages the guideline

Recommended fix

▲ BORDERLINE 3.1.1

Pulse V2 DropCard has unrestricted external cta_url on iOS

Evidence

src/features/pulse-v2/components/cards/DropCard.tsx:36-43 — window.open(ctaUrl, '_blank') unconditional; src/features/pulse-v2/components/cards/DropCard.tsx:1-3 — 'Sponsored Drop' label confirms commercial intent; ios/App/App/App.entitlements — no com.apple.developer.storekit.external-purchase-link key

Why it engages the guideline

Recommended fix

▲ BORDERLINE 3.1.2(b)

Cross-platform double-subscription warning is informational, not preventative

Evidence

src/pages/Paywall/PaywallOptions.tsx:162-170 — warning rendered, buttons not disabled; src/pages/Paywall/PaywallOptions.tsx:206-208, 250-252 — Subscribe buttons disabled only on isLoading || !pkg

Why it engages the guideline

Recommended fix

▲ BORDERLINE 3.1.3(e)

No client-side enforcement that Locker products are physical only

Evidence

src/services/BigCommerceService.ts:23 — type union includes 'digital'; src/features/locker/components/ProductCard.tsx — no type-based gate

Why it engages the guideline

Recommended fix

◆ SPECULATIVE 3.1.1(a)

BigCommerceCheckout completes payment in WebView on iOS

Evidence

src/features/locker/pages/checkout/BigCommerceCheckout.tsx:21 — type CheckoutStep includes 'payment'; src/features/locker/pages/checkout/CheckoutLauncher.tsx:9 — defaults to Shopify if VITE_COMMERCE_PROVIDER unset

Why it engages the guideline

Recommended fix

§4

Design

0 HIGH 0 BORDERLINE 0 SPECULATIVE 0 PASS 25 NA

No HIGH or BORDERLINE findings in this section. All subsections rated PASS or not applicable. See findings/section-4.json for the complete enumeration.

§5

Legal

1 HIGH 5 BORDERLINE 0 SPECULATIVE 19 PASS 9 NA

■ HIGH 5.1.1(i)

Privacy Policies — disclosure of all third-party processors

src/pages/PrivacyPolicy.tsx:245 src/services/RevenueCatService.ts:1 supabase/functions/email-queue-processor/index.ts:130 src/contexts/EnhancedShoppingCartContext.tsx:1 src/features/locker/pages/checkout/CheckoutLauncher.tsx:9 src/pages/PrivacyPolicy.tsx:195

Evidence

src/pages/PrivacyPolicy.tsx:245 — Section 8 Third-Party Data Processors — only 6 vendors listed; src/services/RevenueCatService.ts:1 — RevenueCat actively used for IAP — not disclosed; supabase/functions/email-queue-processor/index.ts:130 — Brevo API send — not disclosed; src/contexts/EnhancedShoppingCartContext.tsx:1 — BigCommerce Cart API — not disclosed; src/features/locker/pages/checkout/CheckoutLauncher.tsx:9 — VITE_COMMERCE_PROVIDER=shopify default — Shopify not disclosed; src/pages/PrivacyPolicy.tsx:195 — GDPR rights present; data retention period absent

Why it engages the guideline

Privacy policy enumerates Supabase, PostHog, Microsoft Clarity, Google Firebase, Sentry, and Stripe. MISSING from §8 'Third-Party Data Processors': RevenueCat (subscription/IAP receipt processor, device IDs), Brevo (Sendinblue, transactional email with PII), BigCommerce / Shopify (storefront APIs, order + shipping + contact data via Locker checkout), Google (Generative AI / Gemini — but Alex is feature-flagged OFF in production via VITE_ENABLE_ALEX so currently borderline). Apple has historically rejected for disclosure gaps where a shipped SDK is absent from the privacy listing. Also: GDPR/CCPA section 6 lacks an explicit data retention period (only 'right to deletion' described, not retention duration), and §5 'Data Security' uses 'industry-standard' boilerplate — both common Apple call-outs.

Recommended fix

▲ BORDERLINE 5.1.2

Data Use and Sharing — explicit disclosure to third parties

src/pages/PrivacyPolicy.tsx:145 src/pages/PrivacyPolicy.tsx:220

Evidence

src/pages/PrivacyPolicy.tsx:145 — Section 3 Data Sharing; src/pages/PrivacyPolicy.tsx:220 — Section 7 ATT framework disclosure

Why it engages the guideline

Privacy policy §3 mentions 'Service Providers' generically, §8 enumerates six. Same gap as 5.1.1(i): RevenueCat, Brevo, BigCommerce, Shopify shared with but not disclosed. Same nature of finding under different guideline ID — Apple cross-references 5.1.1(i) and 5.1.2 in disclosure rejections. ATT-API consent for tracking is properly gated.

Recommended fix

▲ BORDERLINE 5.1.4

Kids — COPPA / GDPR-K / AADC compliance

src/utils/analyticsGate.ts:53 src/hooks/useAnalyticsGate.ts:72 src/utils/cookieManager.ts:129 src/foundation/auth/guards/MinorAccountGuard.tsx:41 src/features/alex/components/AlexLauncher.tsx:42 src/pages/PrivacyPolicy.tsx:182

Evidence

src/utils/analyticsGate.ts:53 — setUserProfile applies age defaults via cookieManager.setAgeDefaults; src/hooks/useAnalyticsGate.ts:72 — Called from AnalyticsGateProvider (mounted in App.tsx:405); src/utils/cookieManager.ts:129 — setAgeDefaults forces analytics=false + session_recording=false for unset minors; src/foundation/auth/guards/MinorAccountGuard.tsx:41 — Route-level minor consent guard; src/features/alex/components/AlexLauncher.tsx:42 — Only blocks blocked_underage — verified_minor passes through; src/pages/PrivacyPolicy.tsx:182 — §4 'restrict direct messaging' claim

Why it engages the guideline

SHOT is NOT in Kids Category (correct per /feedback_made_for_kids_no_when_coppa_gated/) but IS used by minors. Strong privacy controls present: account_status state machine (blocked_underage / provisional_minor / verified_minor / parent_managed), cookieManager.setAgeDefaults(true) auto-disables analytics + session_recording for minors via useAnalyticsGate -> AnalyticsGateProvider wiring. MinorAccountGuard gates routes. **BORDERLINE**: Privacy policy §4 promises 'We restrict direct messaging features for minors' — but Alex chat (when enabled) only blocks blocked_underage, NOT verified_minor or parent_managed. With Alex flag currently OFF in prod this is dormant; once flipped, the policy claim may overpromise. Sub-points (i)-(viii) below cover specific dimensions.

Recommended fix

▲ BORDERLINE 5.1.4(vii)

Kids — third-party advertising prohibition

package.json:1 src/pages/PrivacyPolicy.tsx:309 src/utils/cookieManager.ts:41

Evidence

package.json:1 — No advertising SDK dependencies; src/pages/PrivacyPolicy.tsx:309 — §9 No behavioral profiling for minors; src/utils/cookieManager.ts:41 — Clarity in session_recording tier, default FALSE for minors

Why it engages the guideline

No advertising SDKs detected (no Google Ads, no AdMob, no Meta Audience Network, no IronSource). No marketing/advertising data shared with third parties per code audit. Privacy policy §9 affirms 'No Behavioral Profiling: We do not create behavioral profiles or use data for advertising targeting for minor users'. **BORDERLINE**: PostHog, Clarity, Sentry are analytics — Apple sometimes interprets session-replay (Clarity) as borderline tracking for minors. SHOT correctly disables Clarity for users without session_recording consent (which defaults FALSE for minors).

Recommended fix

▲ BORDERLINE 5.6.1

App Store Reviews — use Apple's review prompt API

src/:1

Evidence

src/:1 — No SKStoreReviewController, no AppRate, no custom review prompts

Why it engages the guideline

No SKStoreReviewController / StoreKit-Review API integration detected. No custom review prompts detected either (which would be a violation). Apple's guideline allows but does not require apps to USE the review prompt API — it forbids custom prompts. SHOT silently does neither. **BORDERLINE**: Lack of any review prompt is acceptable; the risk is only if Stevie adds a custom rating modal later.

Recommended fix

▲ BORDERLINE 5.6.4

App Quality — sustained quality and customer experience

src/utils/sentry.ts:75 .agents/MEMORY.md:1

Evidence

src/utils/sentry.ts:75 — Sentry init for prod + staging; .agents/MEMORY.md:1 — ~41 pre-existing test failures noted

Why it engages the guideline

Subjective and ASC-side metric (review scores, refund rates). Code-side hygiene strong: Sentry crash reporting always-on (essential tier, no consent gate), Replay sanitised, retry-friendly error handling. **BORDERLINE only** because: (a) ~41 pre-existing test failures noted in MEMORY.md is a quality signal; (b) v1.1.x release cadence (v1.1.11 → v1.1.25 in <30 days) suggests frequent fixes — neither is per-se a 5.6.4 violation but Apple has invoked 5.6.4 against apps with high crash-to-session ratios.

Recommended fix

3 · Runtime probe — Playwright on prod app.shotclubhouse.com

Verdict on v1.1.25 ATT URL-param handoff

PASS — the 5.1.1(iv) regression path is closed at the bundle layer. Cold-load of ?att=denied: 0 tracker requests, 0 tracker cookies, 0 PostHog/Sentry init. sessionStorage['shot-att-web-handoff-status'] = 'denied' persisted for same-tab navigations.

Outstanding gap — marketing site shotclubhouse.com

The marketing site uses a separate PostHog project key (phc_CTrArQPcH…) and has no ATT URL-param gate. Cookie ph_phc_CTrArQPcH…_posthog drops on .shotclubhouse.com parent-domain pre-consent. If the iOS app ever opens a marketing URL in external Safari, this leaks. Per publish skill memory, the only known iOS entry point was the Coach Guide tile (already hidden on iOS in v1.1.11 fix). Confirm no other marketing-site links survive in v1.1.25.

Other runtime observations

/redeem/start fires 5 Sentry envelope POSTs before redirecting to /login?returnTo=%2Fredeem (vs 2 on most pages) — suggests unhandled errors during the auth-gated redirect.
Persistent 30-year PostHog cookies drop parent-domain on .shotclubhouse.com with no consent gate on web — likely fine for GDPR if disclosed in privacy policy, but worth confirming.
No Clarity, no Google Analytics, no GTM, no Mixpanel, no Amplitude, no Hotjar, no Datadog, no Facebook Pixel — only PostHog + Sentry across all 11 probed URLs.

Full per-URL JSON dumps + audit.js script live at findings/playwright/. Replayable.

4 · Priors — Apple rejection history

Five rejections across three review cycles inform the HIGH-tier weighting in this audit.

Submission	Version	Guideline	Apple's wording (short)	Fixed in	Audit re-verified at v1.1.25
`c7133e77`	v1.1.8	2.3.2	IAP promotional image showed price text	v1.1.10 (ASC metadata)	NA at code level; ASC discipline
`c7133e77`	v1.1.8	3.1.2(c)	Subscription page missing EULA + Privacy links	v1.1.10 (SubscriptionLegalDisclosure)	✓ PASS — Section 3 finding 3.1.2(c)
`c7133e77`	v1.1.8	2.1(a)	Cart error on SHOT OG Cap variant	v1.1.10 (ShadowProductDetail / QuickAdd)	✓ PASS — Section 2 finding
`c7133e77`	v1.1.8	5.1.1(v)	Registration required to browse Locker	v1.1.10 (public locker routes)	✓ PASS — Section 5 finding
`f7d9526a`	v1.1.10	5.1.1(iv)	Cookies dropped after ATT denied via external Safari handoff	v1.1.11 (URL-param gate); v1.1.21 (5 more handoffs covered)	✓ PASS — Section 5 finding + Playwright runtime confirms
n/a	v1.1.12	2.2	"Beta Feedback" framing on first-launch surface	v1.1.21 (rebrand, hide Experimental tab)	✓ PASS — verified at commit `ec734fea9`

Pattern observation: Apple has surfaced one previously-unflagged guideline per submission cycle (2.3.2/3.1.2(c)/2.1(a)/5.1.1(v) → 5.1.1(iv) → unflagged so far). This audit's purpose is to enumerate the next-unknown-unknown before resubmission so the next cycle either ships or rejects on something already on the radar.

5 · Out of scope acknowledgments

Scope	Why excluded	Risk if affected
Supabase edge functions (`supabase/functions/**`)	Server-side; Apple reviewer cannot inspect	Indirect — affects what loads on app launch (paywall offerings, moderation, Alex). Out of scope per goal §2.2.
Marketing site (`shotclubhouse.com`, `pulse.shotclubhouse.com`)	Separate origin, separate bundle, separate PostHog project	Confirmed by Playwright probe to have NO ATT gate — if iOS app opens a marketing URL, 5.1.1(iv) leak. Coach Guide link to `shotclubhouse.com/guides` was hidden on iOS in v1.1.11; re-verify no other marketing links exist in v1.1.25.
Android (`android/**`)	Goal scope = Apple only	None — Play Store has different review surface.
CI / build tooling (`scripts/`, `.github/`, `.agents/**`)	Never reaches Apple reviewer	None directly. Reviewer sees the IPA, not the pipeline.

6 · NA register — every "not applicable" subsection enumerated

77 subsections were rated NA. Each row below is a one-line justification so the audit trail is complete (no silent skips, per goal §2.1).

Section 1

`1.1.2`	SHOT is a youth sports coaching app; no violent content, no in-game enemies, no animal imagery. No surface engages this guideline.
`1.1.3`	No weapons / firearms / dangerous-object content. Grep across src/ shows zero substantive hits for 'firearm', 'weapon', 'gun' (only a Sidelines widget ID string '_J656cRuavCevbGUN' — false positive).
`1.1.5`	No religious content surface. SHOT scope is sports performance coaching.
`1.1.7`	No newsjacking / current-events monetisation surface. Pulse content pipeline is editorial sports news rewritten by Gemini (out-of-scope edge functions); no SHOT product surface exploits violent conflicts or epidemics.
`1.2.1`	SHOT has no creator-economy surface. Pulse articles are AI-rewritten editorial from external news sources, not creator-authored. Alex is a single first-party AI persona, not a creator marketplace. No tipping, no creator
`1.4.2`	No drug-dosage calculator. SHOT does not handle medications.
`1.4.3`	Zero substantive content references to tobacco, vape, alcohol, cannabis, or controlled substances. Verified via grep across src/. Youth-sports product scope.
`1.4.4`	No DUI, driving, or location-checkpoint surface. SHOT has no navigation or mapping feature beyond event location strings.
`1.7`	SHOT is not a crime-reporting app. No surface engages law-enforcement reporting. The in-app Report flows (ReportCommentSheet, announcements ReportSheet) target content moderation only, not criminal activity.

Section 2

`2.1(c)`	Apple's published 2.1 text has only (a) and (b) sub-bullets per source file lines 233-237. Listed here per audit checklist completeness; no separate (c) exists.
`2.1(d)`	Same as 2.1(c) — no (d) sub-bullet in published guideline.
`2.1(e)`	Same as 2.1(c) — no (e) sub-bullet in published guideline.
`2.1(f)`	Same as 2.1(c) — no (f) sub-bullet in published guideline.
`2.2`	SHOT is shipped on the production App Store, not as TestFlight-only beta. TestFlight is used internally for pre-release validation per `.claude/skills/publish/`. 2.2 does not apply to production App Store submissions.
`2.3.3`	Screenshots are configured in App Store Connect, not in the code repo. Cannot be audited here.
`2.3.4`	App previews are ASC-side. No video assets in repo.
`2.3.5`	Category is set in ASC. Not auditable from code. (SHOT lists under Sports per ASC.)
`2.3.6`	Age rating questionnaire is filled in ASC. Per project memory `feedback_apple_age_rating_locate_semantics`, the questionnaire-side has been audited separately. The code itself does not gate on ASC age rating; COPPA flow
`2.3.7`	App name 'SHOT' (Info.plist:8) and bundle id `com.shotclubhouse.shot` (pbxproj:400) are stable. Keywords are ASC-side. No code-level concern.
`2.3.8`	Icon assets and screenshots are ASC-side. App icons in `ios/App/App/Assets.xcassets` are sport-themed and 4+-appropriate. No code surface affects this.
`2.3.9`	Screenshots and rights are ASC-side. Demo account `coach@shotclubhouse.com` (per CLAUDE.md) is a controlled SHOT account, not a real person's data — satisfies the 'fictional account information' requirement.
`2.3.11`	SHOT is in active live release, not pre-order. 2.3.11 does not apply.
`2.3.13`	SHOT does not use App Store in-app events as a marketing surface. No event metadata in ASC for the SHOT app.
`2.4.3`	SHOT is not an Apple TV app. tvOS target is not in the Xcode project.
`2.4.5`	SHOT is iOS-only. Not distributed via Mac App Store.
`2.5.3`	SHOT is a sport club management app. No malware, no destructive payloads, no abuse of Push Notifications (push handler enqueues local notifications + navigates — does not damage system). Static review of `src/foundation/
`2.5.7`	Apple guidelines text line 333: 'Intentionally omitted.'
`2.5.8`	SHOT does not create a home-screen-replacement environment. It is a single-purpose sport club app.
`2.5.10`	Apple guidelines text line 339: 'Intentionally omitted.'
`2.5.11`	SHOT does not integrate SiriKit or Shortcuts. No Intents.framework, INExtension, or AppIntents in iOS code. No NSUserActivity types registered for shortcut donation.
`2.5.12`	SHOT does not use CallKit or include an SMS fraud extension. No CallDirectoryExtension, IdentityLookup, or MessagingExtension targets in the Xcode project.
`2.5.13`	SHOT does not use facial recognition for account authentication. Email/password + Supabase magic-link is the auth method. No Face ID / Touch ID / ARKit-based biometric login flow in code.
`2.5.15`	SHOT does not present a generic file picker. Uploads are scoped to photo library (Camera plugin) for profile pictures — Apple's standard PHPicker handles Files app integration automatically. No custom Document Picker UI.
`2.5.17`	SHOT does not integrate Matter / smart-home device pairing. Not a home automation app.
`2.5.18`	SHOT does not display third-party advertising. No GoogleMobileAds (`react-native-google-mobile-ads`), AppLovin, Unity Ads, or banner-ad SDKs in package.json. App is a subscription + in-app purchase business model, not ad

Section 3

`3.1.3(a)`	SHOT is a SAAS membership app for sports clubs, not a reader app for magazines/newspapers/books/audio/music/video. The 'Already a member of a club?' iOS card uses Reader-Rule visual shape conservatively but SHOT is not c
`3.1.3(c)`	SHOT serves consumer users (athletes, parents, coaches) and household subscriptions, not enterprise/organizational license sales. Memberships are individual or family-shared (childLimit: 3 children per membership in src/
`3.1.3(d)`	SHOT does not facilitate paid real-time person-to-person services between users. No tutoring marketplace, no 1:1 coaching consultations charged through the app, no real-estate tours, no fitness training booking with paym
`3.1.3(f)`	SHOT is not a free stand-alone companion to a paid web tool. SHOT has its own in-app purchase (RevenueCat IAP for memberships) so 3.1.3(f) explicitly does not apply — the rule is for free apps with NO purchasing inside t
`3.1.3(g)`	SHOT is not an advertising management app for advertisers to purchase ad campaigns. Pulse V2 has 'Sponsored Drop' cards (DropCard.tsx) — but these DISPLAY ads/sponsored content to end-users, they do not let advertisers b
`3.1.4`	SHOT does not unlock functionality based on synced hardware. No telescope, sensor, fitness band, or other physical device integration that gates app features. The free 'Premium SHOT Cap' bundled with yearly subscription
`3.1.5`	Grep verified: no Bitcoin/Ethereum/wallet/mining/exchange/ICO references in source code. The only 'crypto' matches are crypto.subtle (Web Crypto API for hashing/random) and crypto-js (utility for hashing). The 'nft_metad

Section 4

`4.1`	SHOT is an original multisport athlete-development product (custom UX: evaluations framework, Pulse content feed, Locker commerce via Shopify, Membership via Stripe, Alex chatbot). Bundle ID com.shotclubhouse.app, displa
`4.2`	SHOT well exceeds 'repackaged website' threshold. Substantive native-shell capability surfaces: push notifications (CapacitorPushService), camera/photo library (Info.plist:52-57), ATT identifier (Info.plist:58-59), Fireb
`4.2.1`	SHOT does not use ARKit. No @capacitor-community AR plugins, no ARKit-related Swift code, no NSCameraUsageDescription mentions AR. Camera usage is for profile pictures (Info.plist:52-53).
`4.2.3`	(i) App functions without requiring another app to be installed — Capacitor self-contained, login is email/password against Supabase. (ii) No initial-launch large downloads: bundle is fully baked into the IPA (vite build
`4.2.4`	Apple guideline 4.2.4 is intentionally omitted (apple-guidelines.txt:524).
`4.2.5`	Apple guideline 4.2.5 is intentionally omitted (apple-guidelines.txt:526).
`4.2.6`	SHOT is a fully custom build (Vite + React + Capacitor 6 + custom Supabase backend + bespoke evaluations framework). No template-generation service or white-label generator. Repo shows hand-authored components, custom de
`4.2.7`	SHOT is not a remote-desktop / screen-mirroring client. No VNC/RDP/streaming protocol code, no screen capture/share of a host device. Self-contained sports productivity app.
`4.3`	Single bundle ID com.shotclubhouse.app (capacitor.config.ts:5; ios/App/App/Info.plist:11). Not in a saturated low-quality category — substantive athlete-development product with multi-role surfaces (coach/parent/athlete/
`4.4`	SHOT ships zero extensions. ios/App/App/Info.plist contains no NSExtension dict. No .appex bundles found under ios/App/. Single app target — no keyboard extension, no Safari extension, no Action/Share/Today/Widget extens
`4.4.1`	No keyboard extension target. No NSExtensionPointIdentifier=com.apple.keyboard-service in Info.plist.
`4.4.2`	No Safari app extension or web extension. No SafariServices target.
`4.4.3`	Apple guideline 4.4 enumerates 4.4.1 and 4.4.2 only; no 4.4.3 substantive content in current guidelines text (apple-guidelines.txt:556-570).
`4.5`	Parent category — see sub-rules. No misuse of apple.com / iTunes / App Store / developer-portal data observed.
`4.5.1`	SHOT does not scrape Apple sites or use iTunes Store RSS feeds. No fetches to apple.com / itunes.apple.com / appstoreconnect.apple.com from src/.
`4.5.2`	SHOT does not integrate MusicKit. No StoreKit MusicKit calls, no NSAppleMusicUsageDescription in Info.plist, no music playback features.
`4.5.3`	SHOT does not integrate Game Center (no GKLocalPlayer / GameKit code). Push Notifications are used for legitimate user-targeted in-app events (training reminders, evaluation results, announcements) via FCM, not for unsol
`4.5.4`	(a) Push is not required for the app to function — login flow works without push permission (UpdatedLoginV2.tsx has no push gate). (b) Push permission requested via standard iOS prompt at runtime through Capacitor PushNo
`4.5.5`	No Game Center integration. No display of Player IDs/aliases.
`4.5.6`	SHOT renders emoji via Unicode strings (system font, native rendering). No embedded Apple emoji bitmap font, no use of Apple emoji on web/Android variants in a way that ships Apple glyph assets.
`4.6`	Apple guidelines 4.6 in current text (apple-guidelines.txt:600) reads 'Intentionally omitted.' For completeness re: alternate icons: SHOT ships a single AppIcon.appiconset with one 1024x1024 image (no CFBundleAlternateIc
`4.7.4`	Alex is a single chatbot, not an index of multiple mini-apps. No catalogue surface. 4.7.4 requirement applies to apps offering many third-party mini-apps/games and does not bind a single first-party chatbot.
`4.8`	DEFINITIVE: SHOT does NOT use any third-party / social login service. The only authentication surface is email+password via supabase.auth.signInWithPassword (UpdatedLoginV2.tsx:64, SignIn.tsx:299, ParentConsentPage.tsx:1
`4.9`	SHOT does NOT use Apple Pay (PassKit). Membership flow uses Stripe hosted checkout (src/features/membership/ + Stripe webhook handler in supabase/functions/). Locker commerce uses Shopify hosted checkout opened in in-app
`4.10`	SHOT does not paywall built-in iOS capabilities. Camera (Info.plist:52-53) is used freely for profile pictures with no charge. Push notifications (Info.plist:60-63) are not behind a paywall — they're feature-gated by use

Section 5

`5.1.3`	Not applicable. SHOT is a sports/athlete development app — does not access HealthKit, Clinical Health Records, MovementDisorder APIs, or conduct health research. Privacy policy §1B mentions 'Health & Fitness Data: Height
`5.1.4(iii)`	Audit is code-only; ASC metadata not in scope. Sweep src for terms: App name in Info.plist is 'SHOT' / 'SHOT Clubhouse' — no 'Kids' or 'Children' in app metadata fields visible to audit. The brand 'SHOT Clubhouse' does n
`5.3`	Not applicable. SHOT is youth sports development, no real-money gaming, no gambling, no lotteries.
`5.3.1`	Not applicable. No sweepstakes/contests surface.
`5.3.2`	Not applicable.
`5.3.3`	Not applicable. RevenueCat IAP gates membership subscription only.
`5.3.4`	Not applicable.
`5.4`	Not applicable. SHOT does not provide VPN services. No NEVPNManager usage.
`5.5`	Not applicable. SHOT does not offer MDM functionality.

7 · Glossary

Term	Meaning
ATT	App Tracking Transparency — Apple iOS framework requiring user consent before cross-app tracking. Subject of 5.1.1(iv) rejection.
COPPA	Children's Online Privacy Protection Act (US, 1998). Drives SHOT's `blocked_underage` / `provisional_minor` / `parent_managed` account-status model.
SIWA	Sign in with Apple. Apple Guideline 4.8 requires it if any third-party login is offered. SHOT compliant — uses only first-party email/password.
RevenueCat	Subscription-management SDK wrapping App Store IAP. Apple Receipt-validated server-side. Used for Monthly £5.99 / Yearly £59.99 memberships.
Capacitor	Ionic's hybrid framework wrapping a React SPA in a native iOS/Android shell. SHOT runs Capacitor 6.
RLS	Row-Level Security in PostgreSQL/Supabase. SHOT's data-isolation model — minor profiles, club membership scoping.
Tier HIGH	Either Apple has rejected on this exact guideline previously, OR the literal text maps to a v1.1.25 surface an iPad Air M3 reviewer can reach.
Tier BORDERLINE	Surface engages guideline but interpretation is gray. Depends on individual reviewer + region + device.
Tier SPECULATIVE	Letter applies, no current evidence Apple cares. Preventative tracking only.