AZ Azerbaijan / AZN
MUPZA OperatorOwner accountMU
M
MUPZAOSRestaurant OS command
Communication Foundation

OTP, WhatsApp, Telegram, email and notification outbox

External communication is modeled as an audited outbox first. Real provider sends stay disabled in this mock until Firebase, Cloudflare, WhatsApp, Telegram, SMTP and OTP secrets are configured outside the repo.

Provider readinessProviders: 5Outbox items: 4Env-required providers: 4LAN-safe items: 1Dry-run adapters: 5
External sends disabledtrue
Outbox audit requiredtrue
OTP online onlytrue
POS LAN protectedtrue
Cashier approval untouchedtrue
Secrets never returnedtrue
Provider adapters dry-runtrue
Env values redactedtrue

Provider contracts

OTP SMSEnv required
Twilio Verify or Firebase phone auth

OTP is online-only and must never block POS, waiter, kitchen or printer LAN workflows.

OTP_PROVIDERTWILIO_ACCOUNT_SIDTWILIO_AUTH_TOKENTWILIO_VERIFY_SERVICE_SID
WhatsAppEnv required
Meta WhatsApp Cloud API

Use outbox/audit first; real sends require provider env and explicit tenant policy.

WHATSAPP_ACCESS_TOKENWHATSAPP_PHONE_NUMBER_IDWHATSAPP_VERIFY_TOKENWHATSAPP_API_VERSION
TelegramEnv required
Telegram Bot API

Never print bot token or chat id; only expose configured yes/no.

TELEGRAM_BOT_TOKENTELEGRAM_WEBHOOK_SECRETBACKEND_PUBLIC_URL
EmailEnv required
SMTP / Nodemailer-compatible provider

SMTP credentials stay server-side; frontend only sees delivery status.

SMTP_HOSTSMTP_PORTSMTP_USERSMTP_PASSSMTP_FROM
In-app notificationMock ready
MUPZAOS notification center

In-app notifications are LAN-safe and can be queued locally.

no external env required

Outbox audit preview

Kitchen ticket readyMock sent
Channel: in_appTarget: pos-desktop-01Source: kitchen_desktopOffline safe: true

Kitchen status notification stays on LAN and does not require external provider.

Owner login OTPBlocked
Channel: otp_smsTarget: +994000000000Source: owner_panelOffline safe: false

OTP provider env is not configured in this local mock.

Domain setup supportQueued
Channel: whatsappTarget: +994000000001Source: owner_panelOffline safe: false

WhatsApp send waits for Cloud API env and tenant opt-in.

Daily owner reportReady
Channel: emailTarget: owner@example.localSource: owner_panelOffline safe: false

Email report contract is ready, SMTP env remains server-side.

Dry-run provider adapters

OTP SMS via Twilio VerifyDry-run
Twilio VerifyEndpoint: server-side Twilio Verify API clientWebhook: none

OTP remains online-only and cannot block LAN cashier, waiter, kitchen or printer workflows.

OTP_PROVIDERTWILIO_ACCOUNT_SIDTWILIO_AUTH_TOKENTWILIO_VERIFY_SERVICE_SID
OTP SMS via Firebase phone authDry-run
Firebase AuthEndpoint: Firebase client auth SDKWebhook: none

Only public Firebase config names are modeled; service-account secrets stay server-side and out of Git.

NEXT_PUBLIC_FIREBASE_API_KEYNEXT_PUBLIC_FIREBASE_AUTH_DOMAINNEXT_PUBLIC_FIREBASE_PROJECT_IDNEXT_PUBLIC_FIREBASE_APP_ID
WhatsApp Cloud APIDry-run
Meta Graph APIEndpoint: https://graph.facebook.com/{WHATSAPP_API_VERSION}/{WHATSAPP_PHONE_NUMBER_ID}/messagesWebhook: GET verify token + POST inbound message webhook

Real sends require outbox audit, tenant opt-in, provider env and explicit non-QA runtime.

WHATSAPP_ACCESS_TOKENWHATSAPP_PHONE_NUMBER_IDWHATSAPP_VERIFY_TOKENWHATSAPP_API_VERSION
Telegram Bot APIDry-run
TelegramEndpoint: https://api.telegram.org/bot{TELEGRAM_BOT_TOKEN}/sendMessageWebhook: POST /telegram/webhook/{TELEGRAM_WEBHOOK_SECRET}

Bot token and webhook secret are never returned; readiness exposes only missing/configured env names.

TELEGRAM_BOT_TOKENTELEGRAM_WEBHOOK_SECRETBACKEND_PUBLIC_URL
Email via SMTPDry-run
SMTP / Nodemailer-compatibleEndpoint: server-side SMTP transportWebhook: none

SMTP credentials stay server-side; frontend and mock API expose status only.

SMTP_HOSTSMTP_PORTSMTP_USERSMTP_PASSSMTP_FROM
In-app LAN notificationLAN mock
MUPZAOS local hubEndpoint: local hub queueWebhook: none

LAN notifications are offline-safe and remain available without external providers.

no external env required