feat: mută secretele Discord/Telegram din TOML în .env

TOML-urile din configs/ rămân 100% calibrare — safe to commit. Secretele
(ATM_DISCORD_URL, ATM_TG_TOKEN, ATM_TG_CHAT) trăiesc în .env la rădăcină
(ignored), cu loader stdlib (shell wins peste file). Validare fail-fast
pentru env lipsă, placeholder REPLACE_ME, chat_id non-numeric.

Include .env.example + secţiune README §Secrets. Tests: 19 noi (env loader +
missing-env + placeholder + chat_id + regression post-migrate snapshot).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/test_config.py

@@ -1,6 +1,8 @@
 """Tests for atm.config — focused on attach_screenshots parsing (legacy bool vs new dict)."""
 from __future__ import annotations
 
+import pytest
+
 from atm.config import AlertsCfg, Config
 
 
@@ -23,11 +25,17 @@ _BASE = {
         "baseline_phash": "0" * 16,
         "drift_threshold": 8,
     },
-    "discord": {"webhook_url": "https://example.com/hook"},
-    "telegram": {"bot_token": "tok", "chat_id": "123"},
 }
 
 
+@pytest.fixture(autouse=True)
+def _secrets_env(monkeypatch: pytest.MonkeyPatch) -> None:
+    """Provide valid Discord/Telegram env vars for every test in this module."""
+    monkeypatch.setenv("ATM_DISCORD_URL", "https://example.com/hook")
+    monkeypatch.setenv("ATM_TG_TOKEN", "123:tok")
+    monkeypatch.setenv("ATM_TG_CHAT", "123")
+
+
 def _with_opts(opts: dict) -> dict:
     d = {k: v for k, v in _BASE.items()}
     d["options"] = opts
@@ -153,3 +161,119 @@ def test_operating_hours_invalid_weekday_raises_valueerror() -> None:
         Config._from_dict(_with_opts({
             "operating_hours": {"enabled": True, "weekdays": ["XYZ"]},
         }))
+
+
+# ---------------------------------------------------------------------------
+# Secrets migration: Discord + Telegram creds live in env vars, not TOML
+# ---------------------------------------------------------------------------
+
+def test_missing_discord_url_raises(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.delenv("ATM_DISCORD_URL", raising=False)
+    with pytest.raises(ValueError, match="ATM_DISCORD_URL"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_missing_tg_token_raises(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.delenv("ATM_TG_TOKEN", raising=False)
+    with pytest.raises(ValueError, match="ATM_TG_TOKEN"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_missing_tg_chat_raises(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.delenv("ATM_TG_CHAT", raising=False)
+    with pytest.raises(ValueError, match="ATM_TG_CHAT"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_placeholder_webhook_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_DISCORD_URL", "https://discord.com/api/webhooks/REPLACE_ME")
+    with pytest.raises(ValueError, match="placeholder"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_placeholder_token_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_TG_TOKEN", "REPLACE_ME")
+    with pytest.raises(ValueError, match="placeholder"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_chat_id_non_numeric_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_TG_CHAT", "abc123")
+    with pytest.raises(ValueError, match="chat_id"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_chat_id_negative_groups_accepted(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_TG_CHAT", "-5108062256")
+    cfg = Config._from_dict(_with_opts({}))
+    assert cfg.telegram.chat_id == "-5108062256"
+
+
+def test_telegram_section_optional() -> None:
+    """TOML without [telegram] still loads; secrets come from env; options use defaults."""
+    data = {k: v for k, v in _BASE.items()}
+    cfg = Config._from_dict(data)
+    assert cfg.telegram.bot_token == "123:tok"
+    assert cfg.telegram.chat_id == "123"
+    assert cfg.telegram.poll_timeout_s == 30
+    assert cfg.telegram.auto_poll_interval_s == 180
+    assert cfg.telegram.allowed_chat_ids == ("123",)
+
+
+def test_telegram_non_secret_keys_from_toml() -> None:
+    data = {k: v for k, v in _BASE.items()}
+    data["telegram"] = {
+        "poll_timeout_s": 42,
+        "auto_poll_interval_s": 999,
+        "allowed_chat_ids": ["123", "456"],
+    }
+    cfg = Config._from_dict(data)
+    assert cfg.telegram.poll_timeout_s == 42
+    assert cfg.telegram.auto_poll_interval_s == 999
+    assert cfg.telegram.allowed_chat_ids == ("123", "456")
+
+
+def test_regression_post_migration_load(
+    tmp_path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    """Loading a real post-migrate TOML (no [discord]/[telegram] secrets) works.
+
+    IRON RULE: prevents re-regression of the secret-in-TOML pattern.
+    """
+    fixture = tmp_path / "post_migration_sample.toml"
+    fixture.write_text(
+        'window_title = "X"\n'
+        "\n"
+        "[dot_roi]\nx=0\ny=0\nw=10\nh=10\n"
+        "[chart_roi]\nx=0\ny=0\nw=100\nh=100\n"
+        "[colors.turquoise]\nrgb=[0,253,253]\ntolerance=60.0\n"
+        "[colors.yellow]\nrgb=[253,253,0]\ntolerance=60.0\n"
+        "[colors.dark_green]\nrgb=[0,122,0]\ntolerance=60.0\n"
+        "[colors.dark_red]\nrgb=[128,0,0]\ntolerance=60.0\n"
+        "[colors.light_green]\nrgb=[0,255,0]\ntolerance=60.0\n"
+        "[colors.light_red]\nrgb=[255,0,0]\ntolerance=60.0\n"
+        "[colors.gray]\nrgb=[128,128,128]\ntolerance=60.0\n"
+        "[colors.background]\nrgb=[0,0,0]\ntolerance=25.0\n"
+        "[y_axis]\np1_y=100\np1_price=485.0\np2_y=200\np2_price=484.0\n"
+        "[canary]\nbaseline_phash=\"abc\"\ndrift_threshold=8\n"
+        "[canary.roi]\nx=0\ny=0\nw=10\nh=10\n"
+        "[telegram]\npoll_timeout_s=30\nauto_poll_interval_s=180\n"
+        "[options]\ndebounce_depth=1\nloop_interval_s=5.0\n",
+        encoding="utf-8",
+    )
+    monkeypatch.setenv("ATM_DISCORD_URL", "https://disc.example/x")
+    monkeypatch.setenv("ATM_TG_TOKEN", "999:tok")
+    monkeypatch.setenv("ATM_TG_CHAT", "-42")
+    cfg = Config.load(fixture)
+    # Secrets sourced from env
+    assert cfg.discord.webhook_url == "https://disc.example/x"
+    assert cfg.telegram.bot_token == "999:tok"
+    assert cfg.telegram.chat_id == "-42"
+    # Non-secret telegram keys sourced from TOML
+    assert cfg.telegram.poll_timeout_s == 30
+    # Calibration values sourced from TOML
+    assert cfg.colors["turquoise"].rgb == (0, 253, 253)
+    # TOML does not contain any of the secret markers
+    text = fixture.read_text(encoding="utf-8")
+    for marker in ("webhook_url", "bot_token", "chat_id"):
+        assert marker not in text, f"TOML still contains secret marker: {marker}"