Environment Contract Matrix

Service env names without secret values

Firebase, Cloudflare, Google Tag, metrics, OTP SMS, WhatsApp, Telegram, email, backend and AWS runtime settings are listed as contracts only. Values stay in hosting dashboards, AWS or GitHub secrets.

Env boundary

Env names: 34
Families: 10
Secrets: 15
Values returned: false
Firebase covered: true
Cloudflare covered: true
Google Tag covered: true
OTP/WhatsApp/Telegram/email: true
Backend/AWS covered: true
Secret env git blocked: true
LAN workflow unblocked: true
No env files generated: true

Service families

firebase | Env names: 7 | Secrets: 3 | Configured: 0
cloudflare | Env names: 3 | Secrets: 1 | Configured: 0
google_tag | Env names: 2 | Secrets: 0 | Configured: 0
metrics | Env names: 2 | Secrets: 0 | Configured: 0
otp_sms | Env names: 4 | Secrets: 3 | Configured: 0
whatsapp | Env names: 4 | Secrets: 2 | Configured: 0
telegram | Env names: 2 | Secrets: 2 | Configured: 0
backend | Env names: 4 | Secrets: 2 | Configured: 0
email | Env names: 5 | Secrets: 2 | Configured: 0
aws | Env names: 1 | Secrets: 0 | Configured: 0

Operator rules

Secret values: AWS/GitHub secrets or provider dashboards only.
Public client IDs: Configured in hosting env, still not hardcoded in source.
Offline/LAN: POS, waiter, kitchen and printer bridge do not wait for env readiness.

Env contract list

NEXT_PUBLIC_FIREBASE_API_KEY: missing
firebase -> Firebase Auth client | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Owner/admin Firebase client auth initialization

NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN: missing
firebase -> Firebase Auth client | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Firebase browser auth domain

NEXT_PUBLIC_FIREBASE_PROJECT_ID: missing
firebase -> Firebase Auth client | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Firebase project routing

NEXT_PUBLIC_FIREBASE_APP_ID: missing
firebase -> Firebase Auth client | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Firebase app identity

FIREBASE_SERVICE_ACCOUNT_BASE64: missing
firebase -> Firebase Admin | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Backend Firebase Admin service account option

FIREBASE_SERVICE_ACCOUNT_JSON: missing
firebase -> Firebase Admin | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Backend Firebase Admin JSON option

FIREBASE_SERVICE_ACCOUNT_PATH: missing
firebase -> Firebase Admin | Scope: server_path / secret: true | Store: server_runtime_env | Blocks LAN: false

Server-only service account path outside Git workspace

NEXT_PUBLIC_CLOUDFLARE_ANALYTICS_TOKEN: missing
cloudflare -> Cloudflare Web Analytics | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Cloudflare analytics site token

CLOUDFLARE_API_TOKEN: missing
cloudflare -> Cloudflare DNS/TLS operator | Scope: operator_manual / secret: true | Store: dashboard_only | Blocks LAN: false

Optional manual DNS automation later, not required by current QA

CLOUDFLARE_ZONE_ID: missing
cloudflare -> Cloudflare DNS/TLS operator | Scope: operator_manual / secret: false | Store: dashboard_only | Blocks LAN: false

Manual DNS reference for operator notes

NEXT_PUBLIC_GTM_ID: missing
google_tag -> Google Tag Manager | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Google Tag Manager public container id

NEXT_PUBLIC_GA_MEASUREMENT_ID: missing
google_tag -> Google Analytics | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Google Analytics public measurement id

NEXT_PUBLIC_METRICS_ENABLED: missing
metrics -> MUPZAOS product metrics | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Enable privacy-safe aggregate metrics

NEXT_PUBLIC_METRICS_DRY_RUN: missing
metrics -> MUPZAOS product metrics | Scope: client_public / secret: false | Store: frontend_hosting_env | Blocks LAN: false

Keep metrics in dry-run mode until operator enables providers

OTP_PROVIDER: missing
otp_sms -> OTP provider selector | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

Choose Twilio Verify or Firebase phone auth

TWILIO_ACCOUNT_SID: missing
otp_sms -> Twilio Verify | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Twilio Verify account id

TWILIO_AUTH_TOKEN: missing
otp_sms -> Twilio Verify | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Twilio Verify auth token

TWILIO_VERIFY_SERVICE_SID: missing
otp_sms -> Twilio Verify | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Twilio Verify service id

WHATSAPP_ACCESS_TOKEN: missing
whatsapp -> WhatsApp Cloud API | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Meta Graph API send token

WHATSAPP_PHONE_NUMBER_ID: missing
whatsapp -> WhatsApp Cloud API | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

WhatsApp sender phone number id

WHATSAPP_VERIFY_TOKEN: missing
whatsapp -> WhatsApp Cloud API | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

WhatsApp webhook verification token

WHATSAPP_API_VERSION: missing
whatsapp -> WhatsApp Cloud API | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

Meta Graph API version

TELEGRAM_BOT_TOKEN: missing
telegram -> Telegram Bot API | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Telegram bot token

TELEGRAM_WEBHOOK_SECRET: missing
telegram -> Telegram Bot API | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Telegram webhook secret path/token

BACKEND_PUBLIC_URL: missing
backend -> Backend runtime | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

Webhook public URL for Telegram/WhatsApp callbacks

SMTP_HOST: missing
email -> SMTP email | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

SMTP host

SMTP_PORT: missing
email -> SMTP email | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

SMTP port

SMTP_USER: missing
email -> SMTP email | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

SMTP username

SMTP_PASS: missing
email -> SMTP email | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

SMTP password

SMTP_FROM: missing
email -> SMTP email | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

Default sender address

DATABASE_URL: missing
backend -> Backend database | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Future backend database connection

QUEUE_URL: missing
backend -> Backend queue | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

Future cloud sync queue endpoint

REDIS_URL: missing
backend -> Backend queue | Scope: server_secret / secret: true | Store: aws_or_github_secret | Blocks LAN: false

Future Redis queue connection

AWS_REGION: missing
aws -> AWS staging server | Scope: server_config / secret: false | Store: server_runtime_env | Blocks LAN: false

AWS region metadata for staging operations