Review Process

How the internal review process works — what reviewers check and what information is required.

Overview

Every Agent App version must pass internal review before it becomes available to users. The review process ensures that apps meet quality, security, and content standards.

Only users with admin or reviewer roles (set via Supabase auth.users.app_metadata) can review submissions.

Review Checklist

Reviewers evaluate each submission across four dimensions:

1. Security Check

No malicious code or suspicious network requests
Proper data handling — no unauthorized data collection
No attempts to access other apps' sandboxed storage
Bundle integrity — SHA256 hash matches the uploaded file
No embedded credentials or secrets in the bundle

2. Performance Check

Bundle size is reasonable
App loads within acceptable time limits
No memory leaks or excessive resource consumption
Smooth UI interactions without blocking the main thread

3. UX Check

App renders correctly in both light and dark color schemes
Responsive layout works on different screen sizes
Navigation is intuitive — back button and gestures work properly
Toast messages and alerts are appropriate and not excessive
Welcome message and suggested prompts are helpful and relevant

4. Content Check

System prompt is appropriate — no harmful, misleading, or offensive instructions
Welcome message and suggested prompts meet community guidelines
App description accurately represents the app's functionality
Agent behavior aligns with the declared category and purpose

Review Decisions

Decision	Effect
Approved	Version status → `approved` → `published`, App status → `published`. The app becomes available to all users in the store.
Rejected	Version status → `rejected`. The developer can fix issues and submit a new version.
Needs Changes	Informational — the review record is created with feedback, but no status change occurs. The developer should address the feedback and resubmit.

Review API

The review is performed via the agent-app-review edge function:

curl -X POST "${SUPABASE_URL}/functions/v1/agent-app-review" \
  -H "Authorization: Bearer ${REVIEWER_AUTH_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "version_id": "uuid-of-the-version",
    "decision": "approved",
    "comments": "Looks good! Clean implementation, appropriate system prompt.",
    "security_check": true,
    "performance_check": true,
    "ux_check": true,
    "content_check": true
  }'

Required Fields

Field	Type	Description
`version_id`	string (UUID)	The ID of the version to review
`decision`	string	One of: `approved`, `rejected`, `needs_changes`

Optional Fields

Field	Type	Default	Description
`comments`	string	null	Review comments and feedback
`security_check`	boolean	false	Whether the security review passed
`performance_check`	boolean	false	Whether the performance review passed
`ux_check`	boolean	false	Whether the UX review passed
`content_check`	boolean	false	Whether the content review passed

Information Required for Review

When submitting your app for review, make sure you have:

Complete app metadata — Name, description (required for review), category, and icon are set
Clear system prompt — Describes the agent's purpose and behavior constraints
Appropriate model selection — Choose a model that fits your app's complexity
Valid version number — Follows semantic versioning (e.g., 1.0.0)
Changelog — A description of what this version includes
Working bundle (for dynamic apps) — The web bundle loads correctly and the SHA256 hash is valid

Tips for Passing Review

Keep your system prompt focused and specific to your app's purpose
Test your app in both light and dark mode
Ensure the app handles errors gracefully (network failures, missing data)
Don't request unnecessary permissions
Make sure your welcome message clearly explains what the app does
Provide relevant suggested prompts that showcase your app's capabilities
Keep bundle sizes small — inline only what's necessary