Shopify + WooCommerce + TikTok Shop — Get GMH Approved on All 3 (Prior Submissions Failed)
Budget: $300.0 (FIXED)
⭐ 4.91 (9)
United States
app-development, api-integration, bug-fixes, shopify, woocommerce, tiktok, php, wordpress
GMH is a fully built commerce app (embedded Shopify, WooCommerce connector, TikTok Shop integration). We have gone through multiple submission rounds on Shopify and TikTok Shop and have been rejected each time.
We know our app has issues blocking approval. We know exactly what those issues are. We are writing them out below. However, we may be missing something, and that is your role as an expert in submitting apps to these stores.
If you cannot read this list and immediately know how to fix every item, please do not apply.
This project is only considered complete and paid in full when all three stores have approved the app. One approval out of three is not success.
We have been burned before by freelancers who submitted blindly, got rejected, collected partial payment, and disappeared. That is not happening again.
We want one developer who has done this before — someone who can read our specific failure points, tell us exactly how they will fix them, and show us live approved apps as proof they can deliver.
⸻
What GMH Is
GMH is a product sourcing and import app that allows merchants to:
* Browse supplier inventory and import products directly into their Shopify or WooCommerce store
* Manage product categories, pricing, and inventory sync
* Connect TikTok Shop for cross-channel selling
Tech Stack: Laravel 10 / PHP 8.1+ / MySQL / Vue + Vite / Embedded AppBridge SPA
⸻
The Specific Issues We Need Fixed — By Platform
Read all three sections before you propose anything.
⸻
1. Shopify App Store
Our submission history shows the embedded iframe and session layer is our recurring failure zone.
Here is what Shopify reviewers have flagged or what our own testing has exposed:
Session & Cookie Compliance
* 419 / CSRF Page Expired errors occurring in the embedded context — session is not persisting correctly across iframe navigation
* SameSite=None cookie rejection — the middleware exists but has not been consistently verified to work under all browser and embedding conditions
* Redirect loops during the OAuth install flow
* Frame blocking — X-Frame-Options conflicts with the required frame-ancestors CSP header
* Console JS errors present in the embedded iframe view
* Session not persisting after AppBridge navigation between pages
AppBridge & Security Headers
* meta name="shopify-api-key" must be present and correct in every embedded layout
* AppBridge v4 must be loaded correctly — no full-page redirects inside the iframe
* CSP frame-ancestors must cover:
  * https://SHOP_DOMAIN
  * https://admin.shopify.com
  * https://*.myshopify.com
* HTTPS enforced on all routes; zero mixed HTTP content
GDPR Webhooks (Hard Requirement)
The following three GDPR webhook endpoints must be live, HMAC-validated, and correctly mapped to their job handlers:
* customers/data_request
* customers/redact
* shop/redact
Note: These cannot be registered via the API — they must be manually configured in the Shopify Partner Dashboard. If these are not functioning perfectly, the app will not pass review.
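A sketch of the HMAC check and topic mapping this requirement calls for, as an added example rather than GMH code. It assumes the topic is read from the X-Shopify-Topic header and the signature from X-Shopify-Hmac-Sha256; the handler names, secret and payload are hypothetical or constructed.

```php
<?php
// Added example, not GMH code. Handler names below are hypothetical.

/** Verify the X-Shopify-Hmac-Sha256 header against the raw request body. */
function shopify_hmac_valid(string $rawBody, ?string $headerHmac, string $clientSecret): bool
{
    if ($headerHmac === null || $headerHmac === '') {
        return false;
    }
    // Shopify sends base64(HMAC-SHA256(raw body, app client secret)).
    // Hash the bytes exactly as received, before any JSON decoding.
    $expected = base64_encode(hash_hmac('sha256', $rawBody, $clientSecret, true));
    return hash_equals($expected, $headerHmac); // constant-time comparison
}

/** Map the three compliance topics to handlers; returns the HTTP status to send. */
function handle_compliance_webhook(string $topic, string $rawBody, ?string $hmac, string $secret): int
{
    $handlers = [
        'customers/data_request' => 'queue_customer_data_request', // hypothetical
        'customers/redact'       => 'queue_customer_redact',       // hypothetical
        'shop/redact'            => 'queue_shop_redact',           // hypothetical
    ];
    if (!shopify_hmac_valid($rawBody, $hmac, $secret)) {
        return 401; // reject before the payload is parsed or queued
    }
    if (!isset($handlers[$topic])) {
        return 404;
    }
    if (!is_array(json_decode($rawBody, true))) {
        return 400;
    }
    // Push $handlers[$topic] onto the queue here, then acknowledge quickly.
    return 200;
}

// Constructed sample: the secret and payload are made up for this demonstration.
$secret = 'constructed-demo-secret';
$body   = '{"shop_id":1,"shop_domain":"example.myshopify.com"}';
$good   = base64_encode(hash_hmac('sha256', $body, $secret, true));

var_dump(handle_compliance_webhook('shop/redact', $body, $good, $secret));       // valid signature
var_dump(handle_compliance_webhook('shop/redact', $body . ' ', $good, $secret)); // body altered
var_dump(handle_compliance_webhook('customers/redact', $body, null, $secret));   // header missing
```

In a Laravel route the raw body comes from `$request->getContent()`; re-encoding the decoded JSON before hashing changes the bytes and makes valid webhooks fail.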
API Version Consistency
Our config, README, and compliance tests currently disagree on the API version. This must be reconciled to a single current stable version and all tests must pass against it.
Scope Justification
We request a significant set of scopes:
* read/write_products
* read/write_orders
* read/write_customers
* read/write_fulfillments
* read/write_inventory
* read_locations
Shopify reviewers require a clear written justification for every scope. These must be documented and accurate before resubmission.
⸻
2. TikTok Shop
TikTok has already sent us an official rejection.
The rejection reason was:
“The APIs are insufficient to support the functions of your service.”
We know the root cause: the scopes in our Partner Center service package did not match the scopes our code actually calls.
The package was missing required permissions and still contained test scopes that must never appear in a production submission.
Scope Package Fixes Required
Add the following missing scopes to the Partner Center service package:
* Shop Authorized Information (seller.authorization.info)
* Shop Analytics Public Read (data.shop_analytics.public.read)
* Bestselling Data Public Read (data.bestselling.public.read)
* Delivery Status Write (seller.delivery.status.write)
* Return & Refund Basic (seller.return_refund.basic)
* Finance Information (seller.finance.info)
Remove leftover test scopes from the production package. Any scope containing “test” in its name, or any obviously non-production identifier, must be removed before resubmission.
Redirect URI & Webhooks
* OAuth redirect URI in Partner Center must exactly match the production callback URL — no trailing slashes, no HTTP
* GDPR webhooks (data-request, data-redact, shop-redact) and the General Events webhook must all be configured in Partner Center
* Webhook HMAC signature validation must be functional for every incoming TikTok event
API Testing Tool — Must Pass With Real Data
TikTok’s submission process requires the API Testing Tool to confirm all endpoints return "code": 0.
This must be run against a real connected shop with a live access token — not placeholder values, demo credentials, or a shop with shop_id: 0.
Every endpoint in the service package must return a clean result.
If you do not have a live TikTok merchant account to test against, this job is not for you.
⸻
3. WooCommerce
WooCommerce has two layers to this job:
1. The WordPress.org Plugin Marketplace submission (so merchants can find and install the plugin)
2. The live connection layer (so the plugin actually works)
Both have failed.
WordPress.org Plugin Rejection — Multiple Rounds
The plugin was submitted to WordPress.org and was auto-rejected before it ever reached human review.
The failures were:
* Escape violations: Dynamic output was not properly escaped with esc_attr() and esc_html() in multiple places. WordPress.org auto-rejects immediately.
* printf() substitution error: Format strings were escaped, but the substitutions were left unescaped.
* Trademark naming violation: The plugin folder was named incorrectly relative to WooCommerce trademark naming guidelines.
* Missing translator comments: Three translation calls lacked the required inline comments for WordPress.org.
* Debug code in production: error_log() calls were present in plugin code. These must be replaced with wc_get_logger().
* Outdated headers: The Tested up to version header was stale.
* Plugin URI conflict: The Plugin URI header was missing or conflicting, causing an additional submission error.
* Uninstall.php global variable naming: Missing vendor prefix, resulting in another auto-rejection flag.
These were addressed in a series of patch commits.
A developer must audit the current plugin state to confirm every auto-reject flag is gone before resubmission and must run the Plugin Check tool to a clean result.
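The printf() substitution and translator-comment failures listed above, shown before and after, as an added example that is not the GMH plugin's code. The text domain and values are constructed, and the stand-in functions exist only so the file runs outside WordPress.

```php
<?php
// Added example, not GMH plugin code. Outside WordPress the real functions are
// missing, so minimal stand-ins are defined to let the file run on its own.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function esc_html__($s, $domain = 'default') { return esc_html($s); }
}

// Constructed values standing in for data read from a remote store.
$store_name = 'Acme <b>Store</b> & Co';
$store_id   = '42" data-x="1';

// BEFORE: the format string is escaped, the substitution is not, and the
// translation call has no translators comment. The markup in $store_name
// reaches the page unescaped.
printf(esc_html__('Connected to %s', 'example-text-domain'), $store_name);
echo "\n";

// AFTER: each substitution is escaped for the context it lands in, and the
// translators comment sits directly above the translation call.
printf(
    /* translators: %s: name of the connected store */
    esc_html__('Connected to %s', 'example-text-domain'),
    esc_html($store_name)
);
echo "\n";

// Attribute context uses esc_attr(), not esc_html().
printf(
    '<input type="hidden" name="store_id" value="%s" />',
    esc_attr($store_id)
);
echo "\n";
```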
Connection Layer Fragility (Live Functionality)
* The connection wizard crashes when the merchant’s domain is entered without a URL scheme (https://) or is null — explode('//', …) fails and the dashboard returns a 500 on every load
* When a WooCommerce shop loads the dashboard, 10+ required view variables were missing, causing 500 errors on every page view for WooCommerce-connected stores
* Navigation inside the app was broken for WooCommerce users — nav links were conditionally rendered for Shopify only, leaving WooCommerce merchants with a broken sidebar
* The getCurrentWooShop() method could return null without a guard, causing cascading null dereference errors across the dashboard
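One way to guard the domain input described in the first item, as an added example that is not GMH code. normalize_shop_url() is a hypothetical helper name, the inputs are constructed, and it assumes stores are served over HTTPS on the default port.

```php
<?php
// Added example, not GMH code. normalize_shop_url() is a hypothetical helper.

/**
 * Return a canonical "https://host" for merchant input, or null when the
 * input is null, empty, or not a plausible hostname. Path, query and port
 * are discarded (assumption: stores use the default HTTPS port).
 */
function normalize_shop_url(?string $input): ?string
{
    $input = trim((string) $input);
    if ($input === '') {
        return null;
    }
    // parse_url() only reports a host when a scheme is present, so add one
    // for bare input such as "shop.example.com/wp".
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $input)) {
        $input = 'https://' . ltrim($input, '/');
    }
    $parts = parse_url($input);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null; // reject ftp:// and any other scheme
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    // Dot-separated labels of letters, digits and hyphens, at least one dot.
    if (!preg_match('/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/', $host)) {
        return null;
    }
    return 'https://' . $host; // always upgrade to HTTPS
}

// Constructed inputs covering the failure cases described above.
$samples = [null, '', 'shop.example.com', 'HTTP://Shop.Example.com/wp-admin/',
            '//shop.example.com', 'ftp://shop.example.com', 'not a domain'];
foreach ($samples as $in) {
    printf("%-38s => %s\n", var_export($in, true), var_export(normalize_shop_url($in), true));
}
```

Callers treat a null return as a validation error shown in the wizard, so a bad or missing domain never reaches the dashboard code path.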
Sync Job Reliability
* Product and inventory sync jobs retry up to 5 times but do not capture the full WooCommerce API response body on failure
* Errors are logged with only a generic message, making debugging silent failures very difficult
* No circuit breaker exists — a persistently broken store’s API gets hammered with retries on every queue run
Domain Canonicalization
Our codebase currently has inconsistencies in the production domain referenced across dashboards, redirect URIs, and webhook endpoints.
This must be resolved and all three platforms’ dashboard configurations must point to the same canonical HTTPS domain.
⸻
What You Are Being Hired To Do
1. Audit the codebase against every issue listed above
2. Fix every blocking issue
3. Submit GMH to the Shopify App Store, WooCommerce (connection + sync working for a real store), and TikTok Shop
4. Stay engaged throughout the review process — if a reviewer requests changes, you handle them
5. Deliver approval confirmation for all three stores
This is not a “submit and hope” engagement.
You are responsible for the outcome.
⸻
Payment Structure
Payment is released per store upon confirmed approval.
Milestone | Trigger
Milestone 1 | Shopify App Store approved and live
Milestone 2 | WooCommerce connection + sync working and verified with a real store
Milestone 3 | TikTok Shop approved and live
Full project payment is released only when all three milestones are complete.
If you are only able to deliver two out of three, you will only be paid for those two.
We strongly prefer to hire someone who can do all three.
Budget is negotiable based on your experience and proposed approach.
Non-negotiable budget.