# Runbook: Wallet Certificate Management

## Google Wallet

### Service Account JSON

**Location (prod):** `~/apps/orion/google-wallet-sa.json` (owned by the app user, mode 600)

**Validation:** The app validates this file at startup via `config.py:google_sa_path_must_exist`. If the file is missing or unreadable, the app fails fast with a clear error message instead of starting without Google Wallet support.

### Rotation

1. Generate a new service account key in the [Google Cloud Console](https://console.cloud.google.com/iam-admin/serviceaccounts). The old key stays valid until it is deleted, so there is no outage window during rotation.
2. Download the JSON key file.
3. Back up the current key as `~/apps/orion/google-wallet-sa.json.bak` (keep it mode 600; it is still a live credential), then replace the file at the prod path: `~/apps/orion/google-wallet-sa.json`, owned by the app user, mode 600.
4. Restart the app to pick up the new key.
5. Verify: `GET /api/v1/admin/loyalty/wallet-status` returns `google_configured: true`.
6. Once the new key is verified and the rollback window has passed, delete the old key in the Cloud Console and remove the `.bak` file. A key that is only replaced on disk, not deleted in the console, remains valid indefinitely.

### Expiry Monitoring

Google service account keys don't expire by default, so nothing in the key file itself will tell you it is old; Google recommends rotating them every 90 days. Track the key's creation date (shown in the Cloud Console, or via `gcloud iam service-accounts keys list --iam-account=<service account email>`) and set a calendar reminder or monitoring alert 90 days from that date.

### Rollback

Keep the previous key file as `google-wallet-sa.json.bak` until the new key is verified. If the new key fails, restore the backup over the prod path (mode 600) and restart. Rollback only works while the old key still exists in the Cloud Console, which is why deleting it is the last rotation step.

---

## Apple Wallet (Phase 9 — not yet configured)

### Identifiers and Certificates Required

1. **Pass Type ID** — identifier registered in the Apple Developer portal
2. **Team ID** — your Apple Developer team identifier
3. **WWDR Certificate** — Apple Worldwide Developer Relations intermediate cert
4. **Signer Certificate** — `.pem` certificate issued for your Pass Type ID
5. **Signer Key** — `.key` private key matching the signer certificate

Items 1 and 2 are identifiers, not secrets; items 3 and 4 are public certificates; item 5 is the only secret and needs the same handling as the Google key (app user, mode 600).

### Planned Location

`~/apps/orion/apple-wallet/` with files: `wwdr.pem`, `signer.pem`, `signer.key`

### Apple Cert Expiry

Apple pass signing certificates typically expire after 1 year. The WWDR intermediate cert has a multi-year lifetime but does expire, so check it as well. Monitor via:

```bash
openssl x509 -in signer.pem -noout -enddate
```

Run the same command on `wwdr.pem`. Add a monitoring alert for < 30 days to expiry.
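The Google Wallet rotation and rollback procedure above, as a worked script. This is an added example for this runbook, not the Orion app's own code or its `config.py` check: the prod path and `.bak` convention come from the runbook, `REQUIRED_FIELDS` are the fields every Google service account JSON key carries, and the key files `make_sample_key` writes are constructed placeholders with no real private key. The app restart and the `wallet-status` call are left to the operator.

```python
"""Google Wallet service-account key rotation helper.

Added example for this runbook, not the Orion app's own code. Paths and the
.bak convention follow the runbook; REQUIRED_FIELDS are the fields every
Google service-account JSON key contains. make_sample_key() writes a
constructed placeholder key with no real credential in it.
"""
import json
import os
import shutil
import stat
import tempfile

PROD_PATH = os.path.expanduser("~/apps/orion/google-wallet-sa.json")  # runbook location
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def validate_sa_key(path, check_mode=True):
    """Same spirit as the startup check: exists, readable JSON, well-formed,
    and (for the live file) not readable by group/other. Raises ValueError
    with an actionable reason. Returns (client_email, private_key_id)."""
    if not os.path.isfile(path):
        raise ValueError(f"service account key missing: {path}")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if check_mode and mode & 0o077:
        raise ValueError(f"{path} is mode {mode:04o}; expected 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        raise ValueError(f"{path} is not readable JSON: {exc}") from exc
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError(f"{path} missing fields: {', '.join(missing)}")
    if data["type"] != "service_account":
        raise ValueError(f"{path} has type {data['type']!r}, expected 'service_account'")
    if not data["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError(f"{path}: private_key is not a PEM PKCS#8 block")
    return data["client_email"], data["private_key_id"]


def _install(src, dst):
    """Copy src to dst as mode 0600 via temp file + rename, so the live path
    never holds a half-written or world-readable key."""
    tmp = dst + ".tmp"
    shutil.copyfile(src, tmp)
    os.chmod(tmp, 0o600)
    os.replace(tmp, dst)


def install_key(new_key_path, prod_path=PROD_PATH):
    """Rotation step 3: validate the downloaded key (content only; browser
    downloads are rarely 0600), keep the live key as .bak, install the new
    one. Returns (backup_path, new private_key_id)."""
    _, key_id = validate_sa_key(new_key_path, check_mode=False)
    backup_path = prod_path + ".bak"
    if os.path.exists(prod_path):
        _install(prod_path, backup_path)  # the backup is still a live credential: 0600 too
    _install(new_key_path, prod_path)
    return backup_path, key_id


def rollback(prod_path=PROD_PATH):
    """Restore the .bak over the live path. Returns the restored key id."""
    backup_path = prod_path + ".bak"
    _, key_id = validate_sa_key(backup_path)
    _install(backup_path, prod_path)
    return key_id


def make_sample_key(directory, key_id, mode=0o600):
    """Write a constructed key file for the demo (placeholder, not a real key)."""
    data = {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": key_id,
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
        "client_email": "wallet@example-project.iam.gserviceaccount.com",
    }
    path = os.path.join(directory, f"{key_id}.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
    os.chmod(path, mode)
    return path


def demo_rotation():
    """Rotate, verify, roll back, and reject a truncated key, all on
    constructed files in a temp dir. Returns a dict of observed results."""
    work = tempfile.mkdtemp(prefix="wallet-rotation-demo-")
    prod = os.path.join(work, "google-wallet-sa.json")
    results = {}
    install_key(make_sample_key(work, "key-old"), prod)
    backup, results["installed"] = install_key(make_sample_key(work, "key-new", 0o644), prod)
    results["live"] = validate_sa_key(prod)[1]
    results["backup"] = validate_sa_key(backup)[1]
    results["live_mode"] = stat.S_IMODE(os.stat(prod).st_mode)
    results["rolled_back"] = rollback(prod)
    results["live_after_rollback"] = validate_sa_key(prod)[1]
    bad = os.path.join(work, "truncated.json")
    with open(bad, "w", encoding="utf-8") as fh:
        fh.write('{"type": "service_account"}')  # constructed: a cut-off download
    try:
        validate_sa_key(bad, check_mode=False)
        results["bad_rejected"] = False
    except ValueError as exc:
        results["bad_rejected"] = "missing fields" in str(exc)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for key, value in demo_rotation().items():
        print(f"{key}: {value}")
```

The temp-file-plus-rename in `_install` matters more than it looks: a plain `cp` over the live path leaves a window where the app could read a truncated file, and a file created with the default umask is typically group- or world-readable until the `chmod` runs.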
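The Apple certificate expiry check above, turned into something a monitoring job can run. This is an added example, not the project's own code: it shells out to the same `openssl x509 -noout -enddate` command the runbook gives, parses the `notAfter=` line, and applies the 30-day threshold to each certificate in the planned `apple-wallet/` directory. The file names follow the planned layout; `demo_selfsigned` assumes `openssl` is on `PATH` and generates a throwaway self-signed certificate purely to exercise the check.

```python
"""Apple Wallet certificate expiry check for the monitoring alert.

Added example for this runbook, not the app's own code. It runs the same
`openssl x509 -noout -enddate` command the runbook gives, parses the
notAfter= line, and applies the 30-day threshold to every certificate in
the planned apple-wallet/ directory. demo_selfsigned() assumes `openssl`
is on PATH and builds a throwaway cert only to exercise the check.
"""
import os
import shutil
import subprocess
import tempfile
from datetime import datetime, timedelta, timezone

ALERT_DAYS = 30
APPLE_CERTS = ("wwdr.pem", "signer.pem")  # signer.key is a private key, not a certificate


def parse_enddate(line):
    """Turn 'notAfter=Jun  2 10:20:30 2026 GMT' into an aware UTC datetime.
    openssl space-pads the day of month; strptime tolerates the extra space."""
    label, _, value = line.strip().partition("=")
    if label != "notAfter" or not value.endswith(" GMT"):
        raise ValueError(f"unexpected openssl output: {line!r}")
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days until expiry, negative once expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now) // timedelta(days=1)


def status(days, alert_days=ALERT_DAYS):
    """Map days remaining onto the alert states the runbook calls for."""
    if days < 0:
        return "EXPIRED"
    return "WARN" if days < alert_days else "OK"


def cert_not_after(pem_path):
    """The runbook's command, run on one PEM file."""
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-enddate"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_enddate(out)


def check_apple_certs(cert_dir, now=None, alert_days=ALERT_DAYS):
    """Return {file: (days_left, status)}; a missing file is reported, not skipped."""
    report = {}
    for name in APPLE_CERTS:
        path = os.path.join(cert_dir, name)
        if not os.path.exists(path):
            report[name] = (None, "MISSING")
            continue
        days = days_remaining(cert_not_after(path), now)
        report[name] = (days, status(days, alert_days))
    return report


def demo_selfsigned(valid_days):
    """Generate a throwaway self-signed cert valid for `valid_days` and check
    it. Returns the signer.pem status, or None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    work = tempfile.mkdtemp(prefix="apple-cert-demo-")
    try:
        cert = os.path.join(work, "signer.pem")
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", os.path.join(work, "signer.key"), "-out", cert,
             "-days", str(valid_days), "-subj", "/CN=demo-pass-signer"],
            check=True, capture_output=True,
        )
        return check_apple_certs(work)["signer.pem"][1]
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    # Assumed production invocation against the planned directory.
    for name, (days, state) in check_apple_certs(os.path.expanduser("~/apps/orion/apple-wallet")).items():
        print(f"{name}: {state} ({days} days left)")
```

Reporting a missing file as `MISSING` rather than skipping it keeps the alert honest during Phase 9 rollout: a job that only checks files it finds will stay green while `wwdr.pem` has never been installed.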