From bf0563d59e745b1e571d8a70a93bbe747d237fb5 Mon Sep 17 00:00:00 2001
From: wasrusgen <i@wasrusgen.ru>
Date: Wed, 3 Jun 2026 10:26:03 +0300
Subject: [PATCH] security: read BOT_TOKEN from env, remove hardcoded token

- token was hardcoded in test files (now revoked)
- tests now read BOT_TOKEN from environment
---
 tests/test_manager.py | 3 ++-
 tests/ui_smoke.js     | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/test_manager.py b/tests/test_manager.py
index 5ca1551..0eb9aba 100644
--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@@ -1,3 +1,4 @@
+import os
 """
 Тест кабинета менеджера — полная проверка всех API-модулей
 с реальной Telegram-аутентификацией.
@@ -16,7 +17,7 @@ import urllib.error
 from typing import Any
 
 # ─── Конфигурация ───────────────────────────────────────────────────────────
-BOT_TOKEN   = "8281503057:AAEXmOepY8quH8E3RqOjFbgn7owV1ngnbGA"
+BOT_TOKEN   = os.getenv("BOT_TOKEN", "")
 ADMIN_TG_ID = 5937498515
 ADMIN_USERNAME = "wasrusgen"
 ADMIN_NAME  = "Руслан"
diff --git a/tests/ui_smoke.js b/tests/ui_smoke.js
index 800e18e..b5e9417 100644
--- a/tests/ui_smoke.js
+++ b/tests/ui_smoke.js
@@ -17,7 +17,7 @@ const { spawn } = require("child_process");
 const path = require("path");
 
 // ─── Конфигурация ────────────────────────────────────────────────────────────
-const BOT_TOKEN      = "8281503057:AAEXmOepY8quH8E3RqOjFbgn7owV1ngnbGA";
+const BOT_TOKEN      = process.env.BOT_TOKEN || "";
 const ADMIN_TG_ID    = 5937498515;
 const LOCAL_PORT     = 8787;
 const PROJECT_ROOT   = path.resolve(__dirname, "..");   // без пробелов в аргументах