External service activation matrix
Activation of Firebase, Cloudflare, Google Tag, metrics, OTP SMS, WhatsApp, Telegram and email stays env-gated, audited, dry-run by default and independent from POS/waiter/kitchen LAN authority.
Activation order
External services should not be attached before the app is reachable and value-free health passes.
Owner/admin auth and backend public URL must be stable before notification webhooks.
Public analytics IDs can be enabled only after blocked event rules and consent are reviewed.
OTP, WhatsApp, Telegram and email need provider secrets, audit and template controls.
Services
Create Firebase project, add web app config to hosting env, keep service account in secret storage.
Point staging DNS only after /api/health and route smoke pass.
Add public analytics token through hosting env after consent policy is ready.
Add public GTM container ID only after blocked-event rules are reviewed.
Enable aggregate-only metrics after privacy and consent checks pass.
Add provider secrets to AWS/GitHub secret store and keep OTP online-only.
Enable approved templates only after customer opt-in and unsubscribe path are ready.
Set bot token and webhook secret in server env, never in source.
Configure SMTP runtime env and keep invite/reset payloads secret-free.
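One way to enforce the activation order and the env-gated, dry-run-by-default rule above in code, as an added example that is not this project's own implementation. The env variable names (EXT_<SERVICE>_ENABLED, EXT_<SERVICE>_LIVE), the state flag names and the grouping of email with the notification channels are assumptions.

```javascript
// Added example: env names and state flags below are hypothetical.
const BASE = ['appReachable', 'healthPassed'];
const ANALYTICS = [...BASE, 'blockedEventRulesReviewed', 'consentReviewed'];
const MESSAGING = [...BASE, 'ownerAuthStable', 'publicUrlStable',
  'providerSecretsStored', 'auditEnabled', 'templateControls'];
// Preconditions per service, following the activation order on this page.
const SERVICES = {
  firebase: BASE,
  cloudflare: BASE,
  gtm: ANALYTICS,
  metrics: [...BASE, 'privacyReviewed', 'consentReviewed'],
  otp_sms: MESSAGING,
  whatsapp: MESSAGING,
  telegram: MESSAGING,
  email: MESSAGING,
};

function activationDecision(service, env, state) {
  if (!Object.prototype.hasOwnProperty.call(SERVICES, service)) {
    return { mode: 'off', reason: 'unknown service', missing: [] };
  }
  const key = service.toUpperCase();
  // Env gate: anything other than the literal "true" keeps the service off.
  if (env[`EXT_${key}_ENABLED`] !== 'true') {
    return { mode: 'off', reason: 'not enabled in env', missing: [] };
  }
  // Fail closed: every precondition must be explicitly true.
  const missing = SERVICES[service].filter((flag) => state[flag] !== true);
  if (missing.length > 0) {
    return { mode: 'off', reason: 'preconditions not met', missing };
  }
  // Dry-run by default: going live needs a second explicit flag.
  const live = env[`EXT_${key}_LIVE`] === 'true';
  return { mode: live ? 'live' : 'dry-run', reason: 'ok', missing: [] };
}

// The audit record carries names and decisions only; it never reads env values.
function auditLine(service, decision) {
  const { mode, reason, missing } = decision;
  return JSON.stringify({ service, mode, reason, missing });
}

// Constructed sample input: Telegram enabled before template controls exist.
const sampleEnv = { EXT_TELEGRAM_ENABLED: 'true', TELEGRAM_BOT_TOKEN: 'constructed-token' };
const sampleState = { appReachable: true, healthPassed: true, ownerAuthStable: true,
  publicUrlStable: true, providerSecretsStored: true, auditEnabled: true };
console.log(auditLine('telegram', activationDecision('telegram', sampleEnv, sampleState)));
```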