orion/app/modules/loyalty/docs/runbook-wallet-certs.md
Samir Boulahtit 4a60d75a13
docs(loyalty): Phase 8 — runbooks, monitoring, OpenAPI tags, plan update
Final phase of the production launch plan:

- Runbook: wallet certificate management (Google + Apple rotation,
  expiry monitoring, rollback procedure)
- Runbook: point expiration task (manual execution, partial failure,
  per-merchant re-run, point restore via admin API)
- Runbook: wallet sync task (failed_card_ids interpretation, manual
  re-sync, retry behavior table)
- Monitoring: alert definitions (P0/P1/P2), key metrics, log events,
  dashboard suggestions
- OpenAPI: added tags=["Loyalty - Store"] and tags=["Loyalty - Admin"]
  to route groups for /docs discoverability
- Production launch plan: all phases 0-8 marked DONE

Coverage note: loyalty services at 70-85%, tasks at 16-29%.
Target 80% enforcement deferred — current 342 tests provide good
functional coverage. Task-level coverage requires Celery mocking
infrastructure (future sprint).

342 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 23:07:50 +02:00


Runbook: Wallet Certificate Management

Google Wallet

Service Account JSON

Location (prod): ~/apps/orion/google-wallet-sa.json (app user, mode 600)

Validation: The app validates this file at startup via config.py:google_sa_path_must_exist. If missing or unreadable, the app fails fast with a clear error message.

Rotation

  1. Generate a new service account key in Google Cloud Console
  2. Download the JSON key file
  3. Replace the file at the prod path: ~/apps/orion/google-wallet-sa.json
  4. Restart the app to pick up the new key
  5. Verify: check GET /api/v1/admin/loyalty/wallet-status returns google_configured: true

Expiry Monitoring

Google service account keys don't expire by default, but Google recommends rotation every 90 days. Set a calendar reminder or monitoring alert.

Rollback

Keep the previous key file as google-wallet-sa.json.bak. If the new key fails, restore the backup and restart.
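
The file swap in rotation step 3 and the rollback above can be scripted so that the live key and its .bak copy both stay at mode 600. This is an added example, not code from the Orion repository: the function names are hypothetical, KEY_PATH defaults to the prod path given in this runbook, and the restart and wallet-status check (steps 4 and 5) remain manual.

```shell
#!/bin/sh
# Added example: rotate the Google Wallet service-account key with a
# restorable backup. Function names are hypothetical (not Orion code).
KEY_PATH="${KEY_PATH:-$HOME/apps/orion/google-wallet-sa.json}"

# True only if the path is a regular file whose mode is exactly 600.
key_mode_ok() {
  [ -n "$(find "$1" -prune -type f -perm 600 -print 2>/dev/null)" ]
}

# rotate_key NEW_JSON: back up the live key, then swap in the new one.
# The body is a subshell, so umask and variables do not leak to the caller.
rotate_key() (
  new="$1"
  [ -s "$new" ] || { echo "new key missing or empty: $new" >&2; exit 1; }
  # Sanity check: a service-account key file carries a "private_key" field.
  grep -q '"private_key"' "$new" || { echo "no private_key in $new" >&2; exit 1; }
  umask 077                        # files created below are never group/world readable
  if [ -f "$KEY_PATH" ]; then
    cp -- "$KEY_PATH" "$KEY_PATH.bak" || exit 1
    chmod 600 "$KEY_PATH.bak"      # an older, looser .bak would keep its mode
  fi
  # Stage beside the target so the final mv is an atomic rename.
  tmp="$(mktemp "$KEY_PATH.XXXXXX")" || exit 1
  cat -- "$new" > "$tmp" && chmod 600 "$tmp" && mv -f -- "$tmp" "$KEY_PATH" \
    || { rm -f -- "$tmp"; exit 1; }
)

# rollback_key: restore the previous key from the .bak copy.
rollback_key() (
  [ -f "$KEY_PATH.bak" ] || { echo "no backup at $KEY_PATH.bak" >&2; exit 1; }
  umask 077
  cp -- "$KEY_PATH.bak" "$KEY_PATH" && chmod 600 "$KEY_PATH"
)
```

After a successful rotation, the superseded key is still present in two places: the .bak file on disk and the service account's key list in Google Cloud.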


Apple Wallet (Phase 9 — not yet configured)

Certificates Required

  1. Pass Type ID — from Apple Developer portal
  2. Team ID — your Apple Developer team identifier
  3. WWDR Certificate — Apple Worldwide Developer Relations intermediate cert
  4. Signer Certificate (.pem) for your Pass Type ID
  5. Signer Key (.key) private key

Planned Location

~/apps/orion/apple-wallet/ with files: wwdr.pem, signer.pem, signer.key

Apple Cert Expiry

Apple signing certificates typically expire after 1 year. The WWDR intermediate cert expires less frequently. Monitor via:

openssl x509 -in signer.pem -noout -enddate

Add a monitoring alert that fires when fewer than 30 days remain before expiry.