docs: add Google Wallet setup guide and loyalty env vars

Step 25 in Hetzner docs with full Google Cloud/Wallet Console setup,
service account configuration, local testing, and architecture diagrams.
Loyalty module env vars added to environment.md and .env.example.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/deployment/environment.md

@@ -300,6 +300,59 @@ the server filesystem.
 
 ---
 
+## Loyalty Module
+
+Configuration for the loyalty module (stamp/points programs, wallet integration).
+All variables use the `LOYALTY_` prefix and are managed by `app/modules/loyalty/config.py`.
+
+### Anti-Fraud Defaults
+
+| Variable | Description | Default | Required |
+|---|---|---|---|
+| `LOYALTY_DEFAULT_COOLDOWN_MINUTES` | Minimum minutes between stamps for the same card | `15` | No |
+| `LOYALTY_MAX_DAILY_STAMPS` | Maximum stamps per card per day | `5` | No |
+| `LOYALTY_PIN_MAX_FAILED_ATTEMPTS` | Failed PIN attempts before lockout | `5` | No |
+| `LOYALTY_PIN_LOCKOUT_MINUTES` | Duration of PIN lockout in minutes | `30` | No |
+
+### Points
+
+| Variable | Description | Default | Required |
+|---|---|---|---|
+| `LOYALTY_DEFAULT_POINTS_PER_EURO` | Points earned per euro spent | `10` | No |
+
+### Google Wallet
+
+!!! info "Required for Google Wallet passes"
+    Both variables must be set for loyalty cards to appear in Google Wallet.
+    See [Hetzner Step 25](hetzner-server-setup.md#step-25-google-wallet-integration) for setup guide.
+
+| Variable | Description | Default | Required |
+|---|---|---|---|
+| `LOYALTY_GOOGLE_ISSUER_ID` | Google Wallet Issuer ID (numeric string from [Pay & Wallet Console](https://pay.google.com/business/console)) | `None` | Yes (for Google Wallet) |
+| `LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON` | Path to the Google service account JSON key file | `None` | Yes (for Google Wallet) |
+
+### Apple Wallet
+
+!!! info "Required for Apple Wallet passes"
+    All five variables must be set for `.pkpass` generation.
+    Requires an Apple Developer account ($99/year).
+
+| Variable | Description | Default | Required |
+|---|---|---|---|
+| `LOYALTY_APPLE_PASS_TYPE_ID` | Pass type identifier (e.g., `pass.com.example.loyalty`) | `None` | Yes (for Apple Wallet) |
+| `LOYALTY_APPLE_TEAM_ID` | Apple Developer Team ID | `None` | Yes (for Apple Wallet) |
+| `LOYALTY_APPLE_WWDR_CERT_PATH` | Path to Apple WWDR intermediate certificate | `None` | Yes (for Apple Wallet) |
+| `LOYALTY_APPLE_SIGNER_CERT_PATH` | Path to pass signing certificate (`.pem`) | `None` | Yes (for Apple Wallet) |
+| `LOYALTY_APPLE_SIGNER_KEY_PATH` | Path to pass signing private key (`.pem`) | `None` | Yes (for Apple Wallet) |
+
+### QR Code
+
+| Variable | Description | Default | Required |
+|---|---|---|---|
+| `LOYALTY_QR_CODE_SIZE` | QR code image size in pixels | `300` | No |
+
+---
+
 ## Cloudflare CDN / Proxy
 
 | Variable | Description | Default | Required |
@@ -335,6 +388,8 @@ marked **critical** will trigger a startup warning if left at their default valu
     - [x] **Email (Mailgun):** `MAILGUN_API_KEY`, `MAILGUN_DOMAIN` — transactional only, no marketing features
     - [x] **Email (SES):** `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` — cheapest at scale
     - [x] **R2 Storage:** `R2_ACCOUNT_ID`, `R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY`
+    - [x] **Google Wallet:** `LOYALTY_GOOGLE_ISSUER_ID`, `LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON`
+    - [ ] **Apple Wallet:** `LOYALTY_APPLE_PASS_TYPE_ID`, `LOYALTY_APPLE_TEAM_ID`, `LOYALTY_APPLE_WWDR_CERT_PATH`, `LOYALTY_APPLE_SIGNER_CERT_PATH`, `LOYALTY_APPLE_SIGNER_KEY_PATH`
 
 ### Example `.env` file (production)
 
@@ -374,4 +429,8 @@ ENABLE_METRICS=True
 SENTRY_DSN=https://examplePublicKey@o0.ingest.sentry.io/0
 SENTRY_ENVIRONMENT=production
 CLOUDFLARE_ENABLED=True
+
+# Google Wallet (Loyalty)
+LOYALTY_GOOGLE_ISSUER_ID=3388000000023089598
+LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON=/app/google-wallet-sa.json
 ```