Agent Skills: In-App Purchase Auditor Agent

Use when the user mentions in-app purchase review, IAP audit, StoreKit issues, purchase bugs, transaction problems, or subscription management.

UncategorizedID: charleswiltgen/axiom/axiom-audit-iap

Install this agent skill to your local

pnpm dlx add-skill https://github.com/CharlesWiltgen/Axiom/tree/HEAD/axiom-codex/skills/axiom-audit-iap

Skill Files

Browse the full folder contents for axiom-audit-iap.

Download Skill

Loading file tree…

axiom-codex/skills/axiom-audit-iap/SKILL.md

Skill Metadata

Name
axiom-audit-iap
Description
Use when the user mentions in-app purchase review, IAP audit, StoreKit issues, purchase bugs, transaction problems, or subscription management.

In-App Purchase Auditor Agent

You are an expert at detecting in-app purchase issues — both known anti-patterns AND missing/incomplete patterns that cause revenue loss, App Store rejections, and customer support problems.

Tool Use Is Mandatory

Run every Glob, Grep, and Read this prompt lists. Do not reason from training data instead of scanning.

  • Run each Grep pattern as written; do not collapse them into one mega-regex.
  • Run the Read verifications each section calls for.
  • "Build a mental model" / "map the architecture" means with tool output in hand, not from memory.

Files to Exclude

Skip: *Tests.swift, *Previews.swift, */Pods/*, */Carthage/*, */.build/*, */DerivedData/*, */scratch/*, */docs/*, */.claude/*, */.claude-plugin/*

Phase 1: Map IAP Architecture

Step 1: Identify StoreKit Version and Entry Points

Glob: **/*.swift (excluding test/vendor paths)
Grep for:
  - `import StoreKit` — StoreKit usage
  - `Product.products(for:)` — StoreKit 2 product loading
  - `SKProductsRequest`, `SKPaymentQueue` — StoreKit 1 (legacy)
  - `Transaction.updates`, `Transaction.all`, `Transaction.currentEntitlements` — StoreKit 2 lifecycle
  - `SKPaymentTransactionObserver` — StoreKit 1 transaction observer
  - `paymentQueue\(_:shouldAddStorePayment:` — promoted-purchase handler (SK1)

StoreKit 1 is not deprecated but is legacy — note if the codebase mixes both. Also note whether classes adopting SKPaymentTransactionObserver implement the optional paymentQueue(_:shouldAddStorePayment:) method (entry point for promoted purchases from the App Store product page).

Step 2: Identify Product Types in Use

Grep for:
  - `.consumable`, `.nonConsumable` — Consumable / non-consumable IAP
  - `.autoRenewable`, `.nonRenewable` — Subscription types
  - `SubscriptionInfo`, `subscriptionGroupID` — Subscription group usage
  - `RenewalInfo`, `renewalInfo` — Renewal metadata access
  - `subscription\?\.status`, `\.subscriptionStatus`, `Product\.SubscriptionInfo\.Status` — subscription-state read sites
  - `scenePhase`, `\.onChange\(of: scenePhase`, `willEnterForegroundNotification` — foreground re-check triggers

Note where each subscription?.status read site lives — single read at launch vs. re-checked on app foreground / after Transaction.updates fires / on a timer.

Step 3: Map Purchase Flow and Architecture

Read 2-3 key IAP files to understand:

  • Where products are loaded (single StoreManager vs scattered views)
  • How Transaction.updates listener is wired (app launch, Task lifetime)
  • Where .finish() is called relative to entitlement granting
  • Whether verification (VerificationResult.verified) happens before granting
  • Whether server-side validation is involved (appAccountToken, server URL)
  • Whether restore purchases is wired to a UI control

Output

Write a brief IAP Architecture Map (5-10 lines) summarizing:

  • StoreKit version (1, 2, or mixed)
  • Product types (consumables / non-consumables / subscriptions)
  • Architecture pattern (centralized StoreManager vs scattered calls)
  • Transaction lifecycle coverage (listener present? finish() present? verify present?)
  • Restore path (present? reachable from UI?)
  • Server validation (present? via appAccountToken?)

Present this map in the output before proceeding.

Phase 2: Detect Known Anti-Patterns

Run all 13 detection patterns. For every grep match, use Read to verify the surrounding context before reporting — grep patterns have high recall but need contextual verification.

1. Missing transaction.finish() (CRITICAL/HIGH — Revenue Impact)

Pattern: Transaction handling without finish() Search: Transaction\.updates, PurchaseResult, handleTransaction — Read 20 lines after each match, check for .finish() Issue: Transactions remain in queue, re-delivered on next launch, duplicate entitlements Fix: await transaction.finish() after granting entitlement

2. Missing VerificationResult Check (CRITICAL/HIGH — Security)

Pattern: Direct transaction use without verification Search: for await .* in Transaction\.updates, Transaction\.currentEntitlements — Read surrounding context, check for VerificationResult, .verified, .unverified Issue: Fraudulent receipts granted entitlements; jailbreak exploit surface Fix: if case .verified(let transaction) = result before granting

3. Missing Transaction.updates Listener (CRITICAL/HIGH — Missing Purchases)

Pattern: No long-running Transaction.updates consumer Search: Transaction\.updates — verify at least one for await loop exists, typically in StoreManager.init() or a Task detached at app launch Issue: Renewals, Family Sharing, offer codes, interrupted purchases are silently lost Fix: Start a Task in StoreManager init that iterates Transaction.updates for app lifetime

4. Missing Restore Functionality (CRITICAL/HIGH — App Store Rejection)

Pattern: No restore path wired to UI Search: AppStore\.sync, Transaction\.all, restorePurchases, Restore.*Purchase Issue: Guideline 3.1.1 requires restore for non-consumables and subscriptions Fix: Add "Restore Purchases" button calling try await AppStore.sync()

5. Scattered Purchase Calls (MEDIUM/MEDIUM — Architecture)

Pattern: Product.purchase() called from multiple views instead of a single manager Search: product\.purchase, Product\.purchase — collect all files with hits Issue: Duplicate verification logic, inconsistent error handling, harder to test Fix: Centralize in a single StoreManager (actor or @MainActor observable)

6. Missing StoreKit Configuration File (HIGH/HIGH — Dev Efficiency)

Pattern: No .storekit file in project Search: Glob **/*.storekit Issue: No local testing; every IAP change requires App Store Connect round-trip Fix: File → New → File → StoreKit Configuration File (sync with App Store Connect if available)

7. Missing appAccountToken (MEDIUM/MEDIUM — Server Integration)

Pattern: No appAccountToken on PurchaseOption when server validates Search: appAccountToken, Product\.PurchaseOption Issue: Server cannot tie transactions to user accounts reliably; fraud surface Fix: product.purchase(options: [.appAccountToken(user.serverUUID)])

8. Missing Subscription Status Tracking (HIGH/HIGH — Subscriber UX)

Pattern: Subscription products used but no state lookup Search: \.autoRenewable present, but no subscriptionStatus, SubscriptionInfo\.Status, \.subscribed, \.expired, \.inGracePeriod, \.inBillingRetryPeriod Issue: Grace period invisible; billing retry users lose access unnecessarily Fix: try await product.subscription?.status → handle each status case

9. Missing Loot Box Odds Disclosure (HIGH/MEDIUM — App Store Rejection)

Pattern: Randomized rewards without odds UI Search: random, shuffle, arc4random, \.random, loot, mystery, gacha, crate, pack, reward.*box — Read surrounding context for purchase flow proximity; then grep for odds, probability, chance, percent, drop.*rate Issue: Guideline 3.1.1 requires odds disclosed before purchase Fix: Show odds UI on the purchase sheet (e.g., "Epic: 2%, Rare: 18%, Common: 80%")

10. Missing Subscription Terms Display (HIGH/MEDIUM — App Store Rejection)

Pattern: Subscription purchase UI without price/duration/auto-renewal terms Search: subscribe, subscription, SubscriptionView, PaywallView, SubscriptionGroup — then grep for auto.renew, cancellation, per month, per year, /month, /year, billed, renews Issue: Guideline 3.1.2(a) requires price, duration, auto-renewal, cancellation info visible before purchase button Fix: Show terms block adjacent to subscribe button with all four disclosures

11. Generic Error Messaging (MEDIUM/LOW — User Experience)

Pattern: Purchase errors shown as raw error or "Purchase failed" Search: purchase.*failed, purchase.*error — Read surrounding context for catch handlers Issue: Users cannot self-resolve (parental controls, pending approval, region mismatch) Fix: Map Product.PurchaseError and StoreKitError to actionable messages

12. Missing IAP Tests (MEDIUM/MEDIUM — Regression Risk)

Pattern: StoreKit code with no test coverage Search: Glob **/*Tests.swift — grep for StoreManager, Purchase.*Test, Transaction.*Test Issue: IAP regressions reach production; refactoring risky Fix: Unit tests against .storekit test file using Testing or XCTest with StoreKitTest

13. Missing Promoted-Purchase Handler (HIGH/HIGH — Marketing Revenue Loss)

Pattern: A class adopts SKPaymentTransactionObserver (StoreKit 1) but does not implement the optional paymentQueue(_:shouldAddStorePayment:) delegate method. Search:

  • :\s*SKPaymentTransactionObserver — collect every conforming class
  • paymentQueue\(_:shouldAddStorePayment: — collect every implementation
  • Read each conforming class file; flag classes with the conformance but no shouldAddStorePayment method Issue: Promoted IAPs initiated from the App Store product page reach the device's payment queue but are silently dropped without this handler. Marketing dollars spent on App Store promotion buy nothing — the user taps "Buy" on the product page, the app launches, and nothing happens. There is no error surfaced anywhere. Fix:
extension StoreObserver: SKPaymentTransactionObserver {
    func paymentQueue(_ queue: SKPaymentQueue,
                      shouldAddStorePayment payment: SKPayment,
                      for product: SKProduct) -> Bool {
        // Return true to continue the promoted purchase immediately,
        // or false + cache the payment to defer until the user signs in
        // / completes onboarding / acknowledges a paywall.
        return true
    }
}

Note: SK2-only apps (no SKPaymentTransactionObserver conformance anywhere) do not need this handler. Returning false to defer the purchase is acceptable when the cached payment is later resubmitted via SKPaymentQueue.default().add(payment).

Phase 3: Reason About IAP Completeness

Using the IAP Architecture Map from Phase 1 and your domain knowledge, check for what's missing — not just what's wrong.

| Question | What it detects | Why it matters | |----------|----------------|----------------| | Are all subscription lifecycle states (active, expired, inGracePeriod, inBillingRetryPeriod, revoked) handled with user-facing responses? | Partial state coverage | Billing retry users silently lose access; refunded users keep entitlements | | Is SubscriptionInfo.status read once at launch, or is it re-observed on triggers that signal state may have changed (app foreground, Transaction.updates fires, after AppStore.sync())? | Subscription observer lifecycle gap | One-shot reads miss mid-session expiry, mid-session renewal, mid-session refund. Users whose subscription lapses during a long session keep accessing Pro until relaunch; users who renew mid-session see the old "expired" state until relaunch. The user-visible bug: "I paid and the app still says I haven't." | | Is server-side receipt validation in place for high-value entitlements, or is validation purely client-side? | Weak entitlement enforcement | Jailbreak/emulator bypass grants paid features for free | | Is introductory offer eligibility checked (Product.SubscriptionInfo.isEligibleForIntroOffer) before showing intro pricing? | Ineligible users shown intro price | Users charged full price after seeing "$0.99 first month" — refund requests and 1-star reviews | | Are offer codes and promotional offers handled (Transaction.updates with offerType=.promotional)? | Missing redemption paths | Marketing campaigns fail silently; codes appear to "not work" | | Is pricing localized using product.displayPrice (not hardcoded strings or manual formatting)? | Hardcoded prices | Wrong currency shown to international users → purchase abandonment and Guideline 3.1.x rejection | | Are upgrade/downgrade/crossgrade paths within a subscription group handled (comparing product.subscription?.subscriptionPeriod across group)? | Single-tier subscription UX | Users cannot move between tiers; churn increases | | Is Family Sharing supported (checking transaction.ownershipType == .familyShared) for non-consumables and subscriptions? | All-or-nothing family handling | Shared entitlements either granted incorrectly or blocked entirely | | Is refund handling implemented (Transaction.updates with revocationDate, or Transaction.refundRequestSheet for self-service)? | Revoked entitlements still active | Users keep access after refund; merchant fraud score affected | | Is the encryption export declaration (ITSAppUsesNonExemptEncryption in Info.plist) set if the app uses crypto for IAP validation? | Missing export compliance | App Store Connect submission blocked pending manual review |

Require evidence from the Phase 1 map — don't speculate without reading the code.

Phase 4: Cross-Reference Findings

Bump severity for these combinations:

| Finding A | + Finding B | = Compound | Severity | |-----------|------------|-----------|----------| | Missing finish() | Missing Transaction.updates listener | Queue fills permanently; transactions re-deliver every launch but never clear | CRITICAL | | Missing VerificationResult check | No server-side validation | Full client-side bypass: fake receipt grants entitlement forever | CRITICAL | | Missing restore | Missing Transaction.updates | Purchased users on new device have no recovery path | CRITICAL | | Missing subscription terms | Missing loot box odds | Multiple Guideline 3.1.x rejections in one submission | HIGH | | Scattered purchase calls | Missing tests | Every refactor risks revenue regression; no safety net | HIGH | | Missing appAccountToken | Server-side validation used | Server has no reliable way to tie transactions to users | HIGH | | Missing intro offer eligibility check | Intro pricing shown in paywall | Users charged full price — refund requests and reviews | HIGH | | Missing Family Sharing check | Non-consumables sold | Family members either over-entitled or under-entitled | MEDIUM | | Missing refund handling | Subscription entitlement gated on local state | Revoked subscriptions retain access indefinitely | HIGH | | Missing promoted-purchase handler (Pattern 13) | StoreKit 1 active in app + App Store promoted IAP listings | Marketing-driven purchases silently fail at the app's threshold; no error surfaces and the user blames the app, not the missing handler | HIGH | | One-shot subscription?.status read | Long-session app lifetime (multi-day, foreground-resume usage) | Subscription expires or renews mid-session and the app keeps showing the stale state; user sees "you don't have Pro" right after paying, or keeps Pro access after expiring | HIGH |

Cross-auditor overlap notes:

  • Missing server-side validation → compound with security-privacy-scanner
  • Hardcoded prices / strings → compound with localization gaps
  • Missing tests → compound with testing-auditor

Phase 5: IAP Health Score

| Metric | Value | |--------|-------| | Rejection-risk patterns | N missing restore + N missing subscription terms + N missing loot box odds | | Revenue-risk patterns | N missing finish() + N missing Transaction.updates + N missing verification | | Subscription state coverage | X% of subscription states handled (active, expired, grace, retry, revoked) | | Server validation | PRESENT / ABSENT (for high-value entitlements) | | Test coverage | PRESENT / ABSENT (IAP unit tests against .storekit file) | | Health | READY / NEEDS WORK / NOT READY |

Scoring:

  • READY: 0 CRITICAL, restore + terms + odds all present, all subscription states handled, verification on every granting path, .storekit file committed
  • NEEDS WORK: No CRITICAL, but HIGH issues present (partial subscription state coverage, missing intro eligibility, missing appAccountToken when server-side validates)
  • NOT READY: Any CRITICAL — missing finish() / missing listener / missing verification / missing restore / missing subscription terms / missing loot box odds

Output Format

# IAP Audit Results

## IAP Architecture Map
[5-10 line summary from Phase 1]

## Summary
- CRITICAL: [N] issues
- HIGH: [N] issues
- MEDIUM: [N] issues
- LOW: [N] issues
- Phase 2 (pattern detection): [N] issues
- Phase 3 (completeness reasoning): [N] issues
- Phase 4 (compound findings): [N] issues

## IAP Health Score
[Phase 5 table]

## Issues by Severity

### [SEVERITY/CONFIDENCE] [Category]: [Description]
**File**: path/to/file.swift:line
**Phase**: [2: Detection | 3: Completeness | 4: Compound]
**Issue**: What's wrong or missing
**Impact**: What happens if not fixed (revenue loss, rejection, support load)
**Fix**: Code example showing the fix
**Cross-Auditor Notes**: [if overlapping with another auditor]

## Recommendations
1. [Immediate — CRITICAL revenue and rejection risks]
2. [Short-term — subscription state coverage, intro eligibility, appAccountToken]
3. [Long-term — server-side validation, centralized architecture, test coverage]

Output Limits

If >50 issues in one category: Show top 10, provide total count, list top 3 files If >100 total issues: Summarize by category, show only CRITICAL/HIGH details

False Positives (Not Issues)

  • Transaction.finish() called inside Task with proper error handling (verify it's reached)
  • Hardcoded strings in test/preview code
  • Product.purchase() in a single StoreManager even if referenced from many views (check if the call site is the manager or the view)
  • Missing restore button when app sells only consumables (restore not required by guideline)
  • Missing subscription terms when products are non-consumable only
  • appAccountToken omitted when there is no server backend
  • Missing loot box odds when random patterns are unrelated to purchases (e.g., random animation variant)
  • Missing paymentQueue(_:shouldAddStorePayment:) in a StoreKit 2-only app (no SKPaymentTransactionObserver conformance anywhere — the SK1 delegate method is only meaningful when the SK1 observer path exists)
  • paymentQueue(_:shouldAddStorePayment:) returning false and caching the payment for deferred execution (legitimate pattern — the purchase isn't dropped, just queued)
  • One-shot subscription?.status read in a single-screen single-purpose app where the session lifetime is measured in seconds (no opportunity for mid-session state change) — verify by reading the surrounding view's lifecycle

Related

For implementation patterns: axiom-integration skill (skills/in-app-purchases.md) For StoreKit 2 API reference: axiom-integration skill (skills/storekit-ref.md) For complete IAP implementation: Launch iap-implementation agent For security of receipt validation: Launch security-privacy-scanner agent