telegram: move token to secrets file

Read token from channels/telegram.secrets/token instead of the
json5 config. Keeps secrets out of config files.

Co-Authored-By: Kent Overstreet <kent.overstreet@linux.dev>

channels/telegram/src/main.rs

@@ -25,22 +25,34 @@ use poc_memory::channel_capnp::{channel_client, channel_server};
 
 #[derive(Clone, serde::Deserialize)]
 struct Config {
+    #[serde(default)]
     token: String,
     chat_id: i64,
 }
 
-fn config_path() -> PathBuf {
+fn channels_dir() -> PathBuf {
     dirs::home_dir()
         .unwrap_or_default()
-        .join(".consciousness/channels/telegram.json5")
+        .join(".consciousness/channels")
 }
 
 fn load_config() -> Config {
-    let path = config_path();
+    let dir = channels_dir();
-    let text = std::fs::read_to_string(&path)
+    let config_path = dir.join("telegram.json5");
-        .unwrap_or_else(|_| panic!("failed to read {}", path.display()));
+    let text = std::fs::read_to_string(&config_path)
-    serde_json::from_str(&text)
+        .unwrap_or_else(|_| panic!("failed to read {}", config_path.display()));
-        .unwrap_or_else(|e| panic!("failed to parse {}: {}", path.display(), e))
+    let mut config: Config = serde_json::from_str(&text)
+        .unwrap_or_else(|e| panic!("failed to parse {}: {}", config_path.display(), e));
+
+    // Read token from secrets file
+    let token_path = dir.join("telegram.secrets/token");
+    if let Ok(token) = std::fs::read_to_string(&token_path) {
+        config.token = token.trim().to_string();
+    }
+    if config.token.is_empty() {
+        panic!("no telegram token — set it in {}", token_path.display());
+    }
+    config
 }
 
 // ── State ───────────────────────────────────────────────────────