Runbooks
OID4Pay ships a set of operational runbooks at docs/runbooks/ in the repo. The list below is the public-safe index; some runbooks are
operator-only and not published.
Public runbooks
| Runbook | Scope |
|---|---|
| oid4ac_as_deploy.md | Per-release AS deploy ritual: build image, push to registry, drain WireGuard, ansible-playbook, smoke probes, alarm clearance. |
| oid4ac_as_rebuild.md | Rebuild from scratch after a host loss: Terraform apply, role-by-role ansible reapply, Postgres restore, JWKS rotation. |
| oid4ac_wallet_deploy.md | Wallet Portal deploy with Bun SSR and SvelteKit adapter-node. |
| oid4ac_discovery_deploy.md | Go-based merchant directory deploy. |
| oid4ac_db_dr.md | Postgres point-in-time restore from S3 base backups + WAL. |
| oid4ac_region_loss.md | Full region failover: DNS cutover, replica promotion, Cloudflare drain. |
| oid4ac_key_rotation.md | 90-day Ed25519 rotation cadence: new kid, JWKS overlap, mandate re-issue (where applicable). |
| oid4ac_revocation.md | How to revoke a specific mandate, client, or principal in response to a security event. |
| oid4ac_replay_attack_response.md | Triage for replay-detection alarms (DPoP jti, refresh family, authorization code, KB-JWT nonce). |
| oid4ac_dispute_evidence.md | Assembling the four-signature dispute pack for a chargeback. |
| oid4ac_m13_cdn_cutover.md | CDN-bundle release rollout from sandbox to production. |
| oid4ac_account_migration.md | Principal account migration between wallet operators. |
Where to find them
The runbooks themselves live in the OID4Pay GitHub repo at docs/runbooks/. The public docs site does not mirror the full markdown because some runbooks reference internal host names, secrets paths, and on-call escalation contacts. Operators with access to the repo run them from the source.
Disclosure
Security-critical runbooks (revocation, key rotation, replay response) are revised after every incident. The disclosure surface for incidents is at incident history.