Things That
Broke
(And What They Cost)

The iOS Rejection

Apple rejected the v2 submission for missing subscription compliance. Auto-renewal disclosure text was missing. There was no Restore Purchases button. Terms of Service and Privacy Policy links were not accessible from the paywall screen. No LLM tutorial, no human tutorial, no documentation of any kind mentioned these requirements.

Two days of rework. A full resubmission cycle. The realization that the LLM had confidently built an IAP flow that would never pass review.

Added all three compliance elements. Created a pre-submission checklist. The 31-review suite now includes Review 16 (IAP/Subscription Compliance) that checks for every requirement Apple and Google enforce.

The Refactor That Broke Production

During a code cleanup, Claude renamed API endpoints for consistency. Clean code. Better naming. Deployed to Vercel. The problem: every app already installed on users' phones was still calling the old endpoint names. Live users started getting errors. The old URLs returned 404s.

Live users hit errors until backward-compatibility rewrites were added. Those rewrites still exist in the Vercel config today as tech debt.

Added rewrites in vercel.json to map old paths to new endpoints. Established a rule: never rename a live API endpoint without a redirect. The review suite now includes Review 21 (API Endpoint Hygiene) and Review 30 (Migration and Upgrade Safety).

The Dependabot Trap (RN/SDK Mismatch)

A "minor-and-patch group" Dependabot PR included react-native: 0.83.2 → 0.85.1 alongside 28 other safe-looking bumps. Verification on expo run:ios --device passed because that path is lenient and skips strict codegen. The mismatch only surfaced when expo export:embed (the eager bundle path) ran, which broke BOTH eas update and eas build --local. SDK 55's babel-preset-expo@55.0.17 ships @react-native/codegen@0.83.4, which can't parse RN 0.85.1's VirtualViewNativeComponent onModeChange event. RN minor bumps inside an Expo SDK major aren't safe; the constraint isn't visible to Dependabot.

OTA pipeline blocked for a session. Reverted to the prior RN minor.

Pinned RN to the SDK-supported minor and added npx expo install --check as a custom CI step. Lesson: different toolchain paths exercise different code paths. A passing verification on one path can hide a different path's break.

The OTA Orphan Trap

The project uses runtimeVersion.policy: "appVersion", so the binary version in app.json IS the OTA runtime version. Bumping app.json version to mark a new OTA release feels like a clean version bump. It actually orphans every existing OTA bundle: the new value doesn't match any deployed binary's runtime, so the OTA never reaches a user. Discovered when an OTA published successfully and never showed up on devices.

One published OTA that reached zero users.

Two-version convention in the project guide. app.json version (binary, three-segment MAJOR.MINOR.PATCH) bumps only immediately before a new EAS build. constants/config.js APP_VERSION (header value, two-segment MAJOR.MINOR) bumps on every OTA. The lesson: when "what version is this?" has two correct answers, write down which one bumps when.

ANR on Android (App Not Responding)

Android users with non-Chrome default browsers (DuckDuckGo, Firefox) experienced hangs during Clerk SSO sign-in. The app froze completely. Chrome Custom Tabs opened in the wrong browser, which couldn't handle the redirect back. The main thread blocked. Android killed the app.

Hours of debugging a platform-level limitation that has no real fix. Users with non-Chrome defaults still see friction.

Added a hint toast on Android sign-in failure explaining the Chrome requirement. Documented it as a known limitation in the project guide. This is a platform constraint, not something app code can solve. The fix was transparency, not engineering.

V4 removed Clerk entirely. No sign-in, no SSO, no browser redirect. The problem was eliminated by removing the dependency, not by fixing it.

The Annapolis Demo

Work trip to Annapolis. Three colleagues who had heard about the app wanted to try it. Perfect opportunity: real users, real context, at a restaurant, ready to pick a place for dinner. Opened the app. It didn't work.

The backend had been updated during development without a matching app build. The dev build on the phone was calling endpoints that had changed. The app couldn't fetch restaurants. At a restaurant. In front of three potential users.

Three users. Not hypothetical users. Three real people who were interested, present, and ready to try it. They watched it fail and moved on. They never came back to it.

Every demo is a stakeholder touchpoint. This one failed because the build wasn't tested on the device, in the environment, within the hour. The engagement instinct was right. The preparation discipline didn't exist yet.

Demo prep protocol: before any stakeholder touchpoint, verify the build is production (not dev), test on the actual device, confirm the backend matches, and have a fallback plan if it crashes. This became part of the project's pre-push checklist.

The Build Credit Burn

Asked Claude how many EAS builds were included on the Starter plan. Answer: "Unlimited!" Planned accordingly. Weeks later, asked again. Claude read its own previous memory file. Same answer: "Unlimited!" Felt confirmed.

Then an email arrived from Expo: 80% of build credits consumed with two weeks left in the billing cycle.

The LLM had been wrong the first time. Then it cited itself as a source the second time. A hallucination, reinforced by its own memory, presented as verified information.

Scrambled to cancel unnecessary builds. Established a rule to cancel superseded builds immediately. Nearly burned through a paid plan's allocation on builds that were never used.

New rule: never trust LLM pricing knowledge. Always verify vendor pricing pages directly before making cost-driven decisions. Added to project memory as a permanent instruction.

The Google API Pricing Lie

Claude stated that Google Maps Platform included a $200/month free credit. Architecture decisions, cost projections, and the free tier design were all built on this assumption. The entire "as free as possible" pricing model assumed that credit existed.

It didn't. Google had eliminated the $200 monthly credit over a year before the project started. The LLM's training data was stale. Every cost calculation based on that number was wrong.

Rearchitecting the API call strategy. Adding pool caching, client-side filtering, and aggressive deduplication to reduce API spend. The free tier limits (20 searches/month) exist partly because the expected credit never materialized.

Verified Google's actual pricing page. Rebuilt cost projections from real numbers. Added "verify vendor pricing" as a permanent memory instruction. Every cost-driven decision now requires a primary source, not an LLM assertion.

The Billing Exposure

The backend API had no rate limiting or origin checking for weeks. No user data was at risk (the search endpoint doesn't store or transmit personal data), but anyone who discovered the URL could have run up the Google Places API bill on my account.

The LLM built it. The LLM didn't flag the gap. I didn't know to check. It was discovered during a code review, not because anyone exploited it.

Weeks of financial exposure. Nobody found it. The risk was to my billing account, not to user data.

Added rate limiting (30 req/min per IP), origin checking, and security middleware. The review suite includes Review 7 (Security), Review 18 (Operational Readiness), and Review 21 (API Endpoint Hygiene). Every endpoint now validates before processing.

The Auth Gap

Separate from the billing exposure: API endpoints that touch user data (favorites, history, sync) accepted a user ID in the request body but never verified it belonged to the person making the request. Someone could have read or written another user's data by guessing their ID.

Discovered during a manual code review session. Patched immediately. No exploitation occurred. But the gap was real: user data endpoints without identity verification.

Added Clerk JWT verification on all protected endpoints. Established Review 19 (Auth and Identity) in the review suite. Auth is now verified server-side on every request that touches user data.

V4 removed all user data endpoints entirely (no accounts, no server-side history, no sync). The attack surface was eliminated, not patched. The auth gap can't exist if user data never leaves the device.

The Cross-Project Contamination

Claude picked up stray files from a different project (HabitCoach, a blue and gold themed app) and built the entire onboarding tour in the wrong brand colors. The tour was fully functional, well-structured, and completely off-brand. Blue and gold instead of orange and teal.

Multiple design reviews missed it. I didn't catch it until later, when the gold "felt off." The LLM cross-contaminated two projects, and the human reviewing it didn't notice because the tour worked. Functional correctness masked visual wrongness.

Rebuilt the tour in the correct brand. Established the color theory doc (orange = problem, teal = solution) and the brand style guide in CLAUDE.md so the LLM has an authoritative reference. Review 22 (Brand Continuity) now checks every screen for theme consistency.

Premature Surrender

LLMs will say "I can't do that" or "you'll need to do this manually" about things they absolutely can do. The first time it happened, I accepted it and spent time on manual work that wasn't necessary. It kept happening. Each time, the cost was small: a few minutes here, a workaround there. But it accumulated.

No dramatic failure. No outage. Just accumulated time lost to unnecessary manual work, spread across dozens of interactions. The kind of cost that doesn't show up in a postmortem because no single instance was big enough to flag.

A permanent instruction in the project memory: don't say "I can't" without trying workarounds first. Push back, ask to try, or rephrase. The lesson: don't accept the first "no" from an LLM. The default is surrender, not effort.

The What's New Ironic Gap

Built a What's New modal that shows release notes when users open the app on a new OTA version. Shipped in v4.2. Realized after publishing: the feature has no lastSeenVersion to compare against on the OTA that introduces it, so every existing user sees nothing. The modal that announces what's new can't announce itself.

The launch was silent. Users on v4.2 got the feature but no announcement of it.

The modal becomes useful from the next OTA forward. Documented in code so the silence is the design, not a bug. The lesson: any "show me what's new since last time" feature has a bootstrap problem on the release that introduces it. Account for it in the OTA copy.

The Silent API Rename (V4)

V4 switched from RevenueCat to react-native-iap for direct store communication. The LLM wrote the integration using v14 of the library. What nobody caught: v14 silently renamed its core APIs. requestSubscription became requestPurchase. getSubscriptions became fetchProducts. The old names still imported without error — they just resolved to undefined at runtime.

No build error. No lint error. Tests passed because they mocked the module. The validate-vibe script checked code patterns, not import resolution. Only a real device test caught it — the purchase button did nothing. The failure was invisible to every automated check in the pipeline.

A new validate-vibe check that reads the installed module's actual exports and verifies every import name resolves. If react-native-iap renames another function, the check catches it before the code ships. The lesson: when a library changes its API surface, your mocks hide the breakage.

The Mom Group Trap

Weeks of design work on features driven by feedback from a mom group on social media. The feedback was enthusiastic. The problem: the people giving it weren't users. They were repeating what sounded interesting, filtered through their own context, with no connection to the actual use case.

The features they described (social check-ins, recipe integration, gamification) sounded reasonable in isolation. They were completely wrong for the product. The app picks a random restaurant. It doesn't need a social feed.

Weeks of design iteration on the wrong mental model. Time that could have been spent on features actual users needed (like the exclude filter, or walk mode).

Built a feedback taxonomy with five types (behavioral, voiced pain, feature requests, ambient noise, market signal). The mom group feedback was genuine; the mistake was in how I weighted it. The signal-to-noise rubric now requires decomposing every request into the underlying need before evaluation.

The Promo Code Gap

Built a promo code system for early adopters and testers. Had codes ready to distribute. The problem: the highest-value testers were already gone. The hostel strangers who gave the exclude-filter feedback, the walker who surfaced the walk-mode gap, the colleague who couldn't demo to a friend. No contact information was captured during those interactions.

Lost the ability to close the loop with the people who shaped the product most. Could not reward the testers who mattered. Could not get follow-up feedback from the users whose input was most valuable.

Created STAKEHOLDERS.md in the repo root: a lightweight register tracking who gave feedback, what channel, what type, what it became, and whether the loop was closed. Includes a capture checklist for future sessions. Not a formal tool; just a file that gets updated. The hostel testers are still lost, but the next round won't be.

The Clerk Key Crash

A missing Clerk publishableKey caused a fatal crash on launch. The EAS build injected environment variables differently than local builds, so the crash never appeared in testing. The local build worked. The store build didn't.

Apple's gatekeeping caught what Android's speed let through. The $99/year doesn't just buy a developer account. It buys time between "submitted" and "live" where mistakes can still be caught.

The IAP Gauntlet

Setting up in-app purchases on both platforms. Same products, same prices, same subscription tiers. Completely different experiences.

Google's speed meant subscriptions shipped fast. Apple's friction meant they shipped correctly: with disclosure text, restore buttons, and legal links that protect both the user and the developer.

The Endpoint Rename (Platform Angle)

The refactor that renamed API endpoints hit both platforms differently because of where each was in its release cycle.

Paying for Builds We Could Run for Free

Every EAS build ran on Expo's cloud infrastructure by default. The eas build command, without any flags, sends your code to remote servers that compile, sign, and return the binary. This costs real money per build. The alternative — eas build --local — produces the exact same .ipa and .aab files on the developer's own Mac, for free. The flag existed from day one. It was never surfaced by the AI assistant, even during explicit conversations about build costs.

Dozens of unnecessary cloud builds over months of development. Each one could have been local. The cost wasn't catastrophic, but it was entirely avoidable — the kind of silent leak that compounds when you're not watching.

A permanent rule in the project guide: always use --local for all EAS builds. Cloud builds are never triggered unless there's a specific reason the local machine can't produce the artifact. The default assumption flipped: if the developer has a Mac, local builds are the default.

"Free" tools with paid tiers optimize for their paid path. The default eas build command runs in the cloud. The free alternative is a flag you have to know to add. AI assistants trained on documentation default to the documented happy path — which is often the paid one. Always ask: "Can I do this locally?"