AgentFlow Enterprise Docs
Admin Runbook
A concise operator guide for safe production support without exposing secrets or weakening security controls.
Deployment Verification
- Confirm the deployment is tied to the existing GitHub repository and expected Vercel project.
- Review Vercel build logs for missing env names, not secret values.
- Check /, /docs, /pricing, /login, /signup, /status, and /dashboard redirect behavior.
- Run one non-production lead qualification and confirm lead, qualification, usage counter, audit event, and optional integration outcomes.
Environment Rotation, Webhooks, and RLS
| Procedure | Steps |
|---|---|
| Environment variable rotation | Rotate in provider dashboard, update Vercel env, redeploy, verify route health, then revoke old credential. Never paste old or new values into tickets. |
| Stripe webhook debugging | Check Stripe delivery status, endpoint path, webhook secret, billing_events.processing_status, and Vercel function logs. Replay only safe events and watch idempotency. |
| Supabase RLS troubleshooting | Use non-production tenant tests, verify active memberships, compare row organization_id, and inspect grants. Do not disable RLS to debug. |
| Failed payment investigation | Check invoice.payment_failed, subscription status, customer id mapping, SES notification result, and dashboard billing state. |
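
Added example, not AgentFlow's own code: the signature check and idempotent handling that the Stripe webhook debugging row relies on, using Stripe's documented `t=`/`v1=` HMAC-SHA256 header scheme. The Map stands in for billing_events; the function names, the "processed" status value, and the 300-second tolerance are assumptions.

```javascript
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window for the t= timestamp

// Check a Stripe-Signature header ("t=<unix>,v1=<hex>") against the raw body.
function verifyStripeSignature(rawBody, header, secret, nowSeconds) {
  let t = null;
  const v1 = [];
  for (const item of String(header || "").split(",")) {
    const [key, value] = item.trim().split("=");
    if (key === "t") t = value;
    if (key === "v1" && value) v1.push(value);
  }
  if (!t || !/^\d+$/.test(t) || v1.length === 0) return false;
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) return false;
  const expected = crypto.createHmac("sha256", secret)
    .update(`${t}.${rawBody}`, "utf8").digest();
  return v1.some((sig) => {
    const candidate = Buffer.from(sig, "hex");
    return candidate.length === expected.length &&
      crypto.timingSafeEqual(candidate, expected);
  });
}

// store: a Map standing in for billing_events, keyed by Stripe event id.
// The "processed" status value is an assumption; the page names only the column.
function handleWebhook(store, rawBody, header, secret, nowSeconds) {
  if (!verifyStripeSignature(rawBody, header, secret, nowSeconds)) {
    return { status: 400, outcome: "signature_rejected" }; // body is never parsed
  }
  const event = JSON.parse(rawBody);
  const seen = store.get(event.id);
  if (seen && seen.processing_status === "processed") {
    return { status: 200, outcome: "duplicate_ignored" }; // replay has no effect
  }
  store.set(event.id, { type: event.type, processing_status: "processed" });
  return { status: 200, outcome: "processed" };
}

// Signs a constructed test event the same way, for local checks only.
function signForTest(rawBody, secret, t) {
  const mac = crypto.createHmac("sha256", secret)
    .update(`${t}.${rawBody}`, "utf8").digest("hex");
  return `t=${t},v1=${mac}`;
}
```

The verification must run over the raw request body exactly as received; re-serialized JSON will not match the signature.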
Incident Response and Rollback
- Classify severity and affected surfaces: auth, billing, AI, database, docs, integrations, monitoring, or public pages.
- Freeze risky changes and preserve logs privately.
- Use public status page updates that avoid secrets, raw payloads, private stack traces, customer data, and unsupported SLA claims.
- Roll back through the existing deployment platform or Git revert when needed; do not create a new repo or bypass the existing project.
- After resolution, record root cause, customer impact, remediation, owner, and verification evidence.
What Not To Do
Unsafe operator actions
Do not disable RLS to debug, expose SUPABASE_SERVICE_ROLE_KEY, bypass Stripe webhook signature verification, paste real environment values, log raw provider payloads with PII, or claim SLA/certification without evidence.
These docs describe implementation readiness and configuration. They are not a SOC 2, ISO 27001, penetration test, or contractual SLA claim.