Maintenance Guide

This document lists items to check regularly and when to update configurations, certificates, and third-party services.

Quick Checklist (Monthly)

Area	Check	When
Render	Service status, plan limits	Monthly
Vercel	Builds, env vars, domains	Monthly
Database	Backups, disk usage	Monthly
Certificate pinning	Let's Encrypt intermediates	Every 12–18 months
Dependencies	`go mod`, `npm`, `flutter pub`	Quarterly
API keys	Razorpay, Resend, AWS, Google Maps	When rotating
Security	Audit checklist, logs	Quarterly

Certificate Pinning (Mobile Apps)

Type of Pinning

Intermediate CA pinning — The customer and shopkeeper apps pin Let's Encrypt intermediate certificates (E7, R12, YE1, YE2, YR1, YR2), not the server's leaf cert.

Do You Need to Update?

Event	Update needed?
Server cert renewed (every 90 days)	No — chain still validates
Let's Encrypt rotates intermediates	Yes — around 2027–2028
Intermediate certs expire	Yes — E7/R12 to 2027, YE1/YE2/YR1/YR2 to 2028

How to Update

Run the update script in the customer app:

cd customer_app
.\scripts\update_letsencrypt_certs.ps1

Copy the updated lib/config/letsencrypt_certs.dart to the shopkeeper app.
Rebuild both apps and release new versions.

Note: Set a reminder for mid-2027 to check Let's Encrypt status and update if needed.

Render (Backend & Database)

Subscription & Plans

Free tier: Backend and PostgreSQL on free plans
Limits: Service sleeps after ~15 min idle; first request can take 30–60 seconds (cold start)
Paid plan ($7/month+): No cold starts, persistent disk, SMTP ports

Regular Checks

Item	Action
Service status	Dashboard → Services; verify backend and DB are running
Logs	Check for errors, rate limits, 5xx responses
Environment variables	Verify JWT_SECRET, ALLOWED_ORIGINS, DATABASE_URL, ENVIRONMENT
Disk usage	Free tier: ephemeral storage; files lost on redeploy. Use S3 for persistence

Database (Render PostgreSQL)

Free tier: Limited storage, may have row limits
Backups: Configure in Render dashboard if using paid DB plan
Connection: Ensure ?sslmode=require in DATABASE_URL for production

When to Upgrade

Cold starts affecting users → paid plan
Need persistent file storage → S3 or paid disk
Need SMTP (vs Resend API) → paid plan (SMTP ports blocked on free)

Vercel (Frontend & Admin)

What to Check

Item	Action
Builds	Deployments → verify builds succeed
Environment variables	`NEXT_PUBLIC_API_URL`, `NEXT_PUBLIC_RAZORPAY_KEY_ID` — set and applied
Domains	Custom domain DNS, SSL status
Usage	Bandwidth, build minutes (free tier limits)

Env Var Changes

After changing env vars in Vercel, redeploy — Next.js bakes NEXT_PUBLIC_* at build time.

Admin Frontend

If deployed separately: same checks; Root Directory = admin_frontend.

Third-Party Services

Razorpay (Payments)

Check	Notes
API keys	Test vs live — ensure correct env
Webhook URL	Must be HTTPS, publicly reachable; set in Razorpay dashboard
Webhook secret	`RAZORPAY_WEBHOOK_SECRET` must match dashboard
Subscription	Verify account active; check for API changes

Resend (Email)

Check	Notes
API key	`RESEND_API_KEY` in backend
Domain verification	`FROM_EMAIL` must be verified in Resend
Rate limits	Free tier limits; monitor for bounces

AWS S3 (File Storage)

Check	Notes
Bucket	`AWS_S3_BUCKET`, region, credentials
IAM	Keys not expired; least privilege
Costs	Monitor storage and transfer

Google Maps (Customer App)

Check	Notes
API key	In `local.properties` (Android), `MapsConfig.xcconfig` (iOS)
Billing	Enable billing if required; set quotas
Restrictions	Restrict key by package/bundle ID

Code & Dependencies

Quarterly Updates

Project	Command	Notes
Backend	`cd backend && go get -u ./... && go mod tidy`	Test after Go updates
Frontend	`npm update`	Check Next.js, React compatibility
Admin frontend	Same as frontend
Customer app	`flutter pub upgrade`	Test on Android/iOS
Shopkeeper app	`flutter pub upgrade`	Test on Windows

Security

Run flutter pub audit (Flutter), npm audit (Node)
Check Dependabot / GitHub alerts if enabled
Review Security Audit checklist

Configuration Files to Review

File	Purpose
`backend/.env`	DB, JWT, Razorpay, Resend, S3 — never commit
`frontend/.env.local`	API URL, Razorpay key — never commit
`render.yaml`	Render service config — plan, env vars
`frontend/vercel.json`	Vercel config, headers, CSP
`customer_app/lib/config/letsencrypt_certs.dart`	Pinned certs — update when Let's Encrypt rotates
`shopkeeper_app/lib/config/letsencrypt_certs.dart`	Same as above — keep in sync

Backup & Recovery

Database: Configure backups in Render (paid DB) or external (e.g. pg_dump cron)
Uploads: On free tier, files are ephemeral; use S3 for durable storage
Secrets: Store JWT_SECRET, API keys in password manager; document rotation

Logs & Monitoring

Render: Logs tab for backend; check for panics, 5xx
Vercel: Function logs, build logs
Razorpay: Webhook logs in dashboard
Consider: Sentry, LogRocket, or similar for error tracking

Last Updated: February 2026

Quick Checklist (Monthly)​

Certificate Pinning (Mobile Apps)​

Type of Pinning​

Do You Need to Update?​

How to Update​

Render (Backend & Database)​

Subscription & Plans​

Regular Checks​

Database (Render PostgreSQL)​

When to Upgrade​

Vercel (Frontend & Admin)​

What to Check​

Env Var Changes​

Admin Frontend​

Third-Party Services​

Razorpay (Payments)​

Resend (Email)​

AWS S3 (File Storage)​

Google Maps (Customer App)​

Code & Dependencies​

Quarterly Updates​

Security​

Configuration Files to Review​

Backup & Recovery​

Logs & Monitoring​