feat(loyalty): Phase 1 production launch hardening

Phase 1 of the loyalty production launch plan: config & security
hardening, dropped-data fix, DB integrity guards, rate limiting, and
constant-time auth compare. 362 tests pass.

- 1.4 Persist customer birth_date (new column + migration). Enrollment
  form was collecting it but the value was silently dropped because
  create_customer_for_enrollment never received it. Backfills existing
  customers without overwriting.
- 1.1 LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON validated at startup (file
  must exist and be readable; ~ expanded). Adds is_google_wallet_enabled
  and is_apple_wallet_enabled derived flags. Prod path documented as
  ~/apps/orion/google-wallet-sa.json.
- 1.5 CHECK constraints on loyalty_cards (points_balance, stamp_count
  non-negative) and loyalty_programs (min_purchase, points_per_euro,
  welcome_bonus non-negative; stamps_target >= 1). Mirrored as
  CheckConstraint in models. Pre-flight scan showed zero violations.
- 1.3 @rate_limit on store mutating endpoints: stamp 60/min,
  redeem/points-earn 30-60/min, void/adjust 20/min, pin unlock 10/min.
- 1.2 Constant-time hmac.compare_digest for Apple Wallet auth token
  (pulled forward from Phase 9 — code is safe whenever Apple ships).

See app/modules/loyalty/docs/production-launch-plan.md for the full
launch plan and remaining phases.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/modules/loyalty/tests/unit/test_config.py

@@ -0,0 +1,99 @@
+"""Tests for loyalty module configuration validators."""
+import os
+
+import pytest
+
+from app.modules.loyalty.config import ModuleConfig
+
+
+@pytest.mark.unit
+@pytest.mark.loyalty
+class TestGoogleWalletConfigValidator:
+    """Validator must fail fast when the SA path is set but unreachable."""
+
+    def test_unset_path_is_allowed(self, monkeypatch):
+        """Google Wallet config is optional — None passes."""
+        monkeypatch.delenv("LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON", raising=False)
+        monkeypatch.delenv("LOYALTY_GOOGLE_ISSUER_ID", raising=False)
+        cfg = ModuleConfig(_env_file=None)
+        assert cfg.google_service_account_json is None
+        assert cfg.is_google_wallet_enabled is False
+
+    def test_existing_file_passes(self, tmp_path, monkeypatch):
+        """A real file path passes and is returned expanded."""
+        sa_file = tmp_path / "fake-sa.json"
+        sa_file.write_text("{}")
+        monkeypatch.setenv("LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON", str(sa_file))
+        monkeypatch.setenv("LOYALTY_GOOGLE_ISSUER_ID", "1234567890")
+        cfg = ModuleConfig(_env_file=None)
+        assert cfg.google_service_account_json == str(sa_file)
+        assert cfg.is_google_wallet_enabled is True
+
+    def test_missing_file_raises(self, tmp_path, monkeypatch):
+        """A path that does not exist raises a clear error at import time."""
+        bogus = tmp_path / "does-not-exist.json"
+        monkeypatch.setenv("LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON", str(bogus))
+        with pytest.raises(ValueError, match="no file exists"):
+            ModuleConfig(_env_file=None)
+
+    def test_unreadable_file_raises(self, tmp_path, monkeypatch):
+        """A path that exists but is not readable raises a clear error."""
+        sa_file = tmp_path / "no-read.json"
+        sa_file.write_text("{}")
+        os.chmod(sa_file, 0o000)
+        try:
+            monkeypatch.setenv(
+                "LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON", str(sa_file)
+            )
+            # Skip if running as root (root bypasses unix file perms)
+            if os.geteuid() == 0:
+                pytest.skip("Cannot test unreadable file as root")
+            with pytest.raises(ValueError, match="not readable"):
+                ModuleConfig(_env_file=None)
+        finally:
+            os.chmod(sa_file, 0o600)
+
+    def test_tilde_path_is_expanded(self, tmp_path, monkeypatch):
+        """Leading ~ is expanded so deployments can use ~/apps/orion/..."""
+        # Plant the file at $HOME/.../fake-sa.json then reference via ~
+        home = tmp_path / "home"
+        home.mkdir()
+        sa_dir = home / "apps" / "orion"
+        sa_dir.mkdir(parents=True)
+        sa_file = sa_dir / "fake-sa.json"
+        sa_file.write_text("{}")
+
+        monkeypatch.setenv("HOME", str(home))
+        monkeypatch.setenv(
+            "LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON",
+            "~/apps/orion/fake-sa.json",
+        )
+        cfg = ModuleConfig(_env_file=None)
+        assert cfg.google_service_account_json == str(sa_file)
+
+
+@pytest.mark.unit
+@pytest.mark.loyalty
+class TestAppleWalletEnabledFlag:
+    """is_apple_wallet_enabled is a derived flag for the storefront UI."""
+
+    def test_disabled_when_unset(self, monkeypatch):
+        for var in (
+            "LOYALTY_APPLE_PASS_TYPE_ID",
+            "LOYALTY_APPLE_TEAM_ID",
+            "LOYALTY_APPLE_WWDR_CERT_PATH",
+            "LOYALTY_APPLE_SIGNER_CERT_PATH",
+            "LOYALTY_APPLE_SIGNER_KEY_PATH",
+        ):
+            monkeypatch.delenv(var, raising=False)
+        cfg = ModuleConfig(_env_file=None)
+        assert cfg.is_apple_wallet_enabled is False
+
+    def test_enabled_when_all_set(self, monkeypatch):
+        monkeypatch.setenv("LOYALTY_APPLE_PASS_TYPE_ID", "pass.com.x.y")
+        monkeypatch.setenv("LOYALTY_APPLE_TEAM_ID", "ABCD1234")
+        monkeypatch.setenv("LOYALTY_APPLE_WWDR_CERT_PATH", "/tmp/wwdr.pem")
+        monkeypatch.setenv("LOYALTY_APPLE_SIGNER_CERT_PATH", "/tmp/signer.pem")
+        monkeypatch.setenv("LOYALTY_APPLE_SIGNER_KEY_PATH", "/tmp/signer.key")
+        cfg = ModuleConfig(_env_file=None)
+        assert cfg.is_apple_wallet_enabled is True