orion/app/modules/loyalty/docs/runbook-wallet-certs.md
Samir Boulahtit 4a60d75a13
docs(loyalty): Phase 8 — runbooks, monitoring, OpenAPI tags, plan update
Final phase of the production launch plan:

- Runbook: wallet certificate management (Google + Apple rotation,
  expiry monitoring, rollback procedure)
- Runbook: point expiration task (manual execution, partial failure,
  per-merchant re-run, point restore via admin API)
- Runbook: wallet sync task (failed_card_ids interpretation, manual
  re-sync, retry behavior table)
- Monitoring: alert definitions (P0/P1/P2), key metrics, log events,
  dashboard suggestions
- OpenAPI: added tags=["Loyalty - Store"] and tags=["Loyalty - Admin"]
  to route groups for /docs discoverability
- Production launch plan: all phases 0-8 marked DONE

Coverage note: loyalty services at 70-85%, tasks at 16-29%.
Target 80% enforcement deferred — current 342 tests provide good
functional coverage. Task-level coverage requires Celery mocking
infrastructure (future sprint).

342 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 23:07:50 +02:00


# Runbook: Wallet Certificate Management
## Google Wallet
### Service Account JSON
**Location (prod):** `~/apps/orion/google-wallet-sa.json` (app user, mode 600)

**Validation:** The app validates this file at startup via `config.py:google_sa_path_must_exist`. If missing or unreadable, the app fails fast with a clear error message.
### Rotation
1. Generate a new service account key in [Google Cloud Console](https://console.cloud.google.com/iam-admin/serviceaccounts)
2. Download the JSON key file
3. Replace the file at the prod path: `~/apps/orion/google-wallet-sa.json`
4. Restart the app to pick up the new key
5. Verify: check `GET /api/v1/admin/loyalty/wallet-status` returns `google_configured: true`
### Expiry Monitoring
Google service account keys don't expire by default, but Google recommends rotation every 90 days. Set a calendar reminder or monitoring alert.
### Rollback
Keep the previous key file as `google-wallet-sa.json.bak`. If the new key fails, restore the backup and restart.
---
## Apple Wallet (Phase 9 — not yet configured)
### Certificates Required
1. **Pass Type ID** — from Apple Developer portal
2. **Team ID** — your Apple Developer team identifier
3. **WWDR Certificate** — Apple Worldwide Developer Relations intermediate cert
4. **Signer Certificate** — `.pem` for your Pass Type ID
5. **Signer Key** — `.key` private key
### Planned Location
`~/apps/orion/apple-wallet/` with files: `wwdr.pem`, `signer.pem`, `signer.key`
### Apple Cert Expiry
Apple signing certificates typically expire after 1 year. The WWDR intermediate cert expires less frequently. Monitor via:
```bash
openssl x509 -in signer.pem -noout -enddate
```
Add a monitoring alert for < 30 days to expiry.
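The two checks this runbook asks operators to perform by hand (Google SA file present and mode 600; Apple signer cert expiry via `openssl x509 -enddate`, alerting under 30 days) combined into one script, as an added example that is not part of the Orion repository. Paths and the 30-day threshold come from the runbook; the function names and status labels are this example's own.

```python
"""Added example (not Orion project code): wallet certificate health check."""
import json
import os
import stat
import subprocess
from datetime import datetime, timezone

WARN_DAYS = 30  # runbook: alert at < 30 days to expiry
GOOGLE_SA_PATH = os.path.expanduser("~/apps/orion/google-wallet-sa.json")
APPLE_SIGNER_PEM = os.path.expanduser("~/apps/orion/apple-wallet/signer.pem")

def parse_enddate(line: str) -> datetime:
    """Parse openssl '-enddate' output, e.g. 'notAfter=Apr  1 21:07:50 2027 GMT'.
    openssl pads single-digit days with a space, so whitespace is collapsed first."""
    value = " ".join(line.split("=", 1)[1].split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def classify(days: int, warn_days: int = WARN_DAYS) -> str:
    """EXPIRED / WARN / OK, following the runbook's '< 30 days' rule."""
    if days < 0:
        return "EXPIRED"
    return "WARN" if days < warn_days else "OK"

def status_for(enddate_line: str, now_iso: str) -> str:
    """Classify an openssl enddate line relative to an ISO-8601 timestamp."""
    now = datetime.fromisoformat(now_iso)
    return classify((parse_enddate(enddate_line) - now).days)

def check_signer_cert(pem_path: str = APPLE_SIGNER_PEM) -> str:
    """Run the runbook's openssl command on the signer cert and classify the result."""
    out = subprocess.run(["openssl", "x509", "-in", pem_path, "-noout", "-enddate"],
                         check=True, capture_output=True, text=True).stdout
    return status_for(out, datetime.now(timezone.utc).isoformat())

def check_google_sa(path: str = GOOGLE_SA_PATH) -> list:
    """Mirror the startup validation (present, readable) plus mode 600 and key-file shape."""
    if not os.path.isfile(path):
        return ["missing"]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set violates the documented mode 600
        findings.append(f"mode {oct(mode)} is group/world accessible; expected 600")
    try:
        with open(path) as f:
            if json.load(f).get("type") != "service_account":
                findings.append("not a Google service_account key file")
    except (OSError, ValueError) as exc:
        findings.append(f"unreadable or invalid JSON: {exc}")
    return findings

if __name__ == "__main__":
    print("google:", check_google_sa() or ["ok"], "| apple signer:", check_signer_cert())
```

Wire `__main__` into the monitoring cron and page on `WARN`/`EXPIRED` or any non-empty Google findings.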