Provider health monitor
Firebase, Cloudflare, Google tags, OTP, WhatsApp, Telegram and SMTP health are tracked as dry-run status contracts without provider calls, env values or secrets.
Health checks
Add Firebase public config and service account through runtime secret stores.
Use manual Cloudflare dashboard after staging /api/health passes.
Enable only after consent and blocked-event policy review.
Add public analytics token only after consent policy is active.
Keep dry-run aggregate metrics enabled locally.
Add OTP provider secrets to runtime secret storage before enabling real sends.
Configure WhatsApp token and approved templates after consent ledger is active.
Configure bot token and webhook secret in server runtime env only.
Configure SMTP runtime env and keep invite/reset payloads secret-free.