Security: remove hard-coded Supabase service role key from test suite

[OpenCodeEngineer]

Problem

test/telegram.test.ts contains a hard-coded Supabase service-role key and production identifiers. This creates two risks:

• secret exposure in repository history
• tests writing to production infrastructure by default

Evidence

• test/telegram.test.ts: SUPABASE_SERVICE_KEY constant is in source
• package.json test script includes test/telegram.test.ts in default npm test

Impact

• Compromised key can grant elevated DB/function access
• CI/local test runs may mutate production data and send/route real messages

Required Fix

• Rotate/revoke exposed service key immediately
• Move integration tests behind explicit opt-in env flag
• Use non-production Supabase project for integration tests
• Load secrets from environment, never hard-code
• Keep default npm test fully offline/safe

Acceptance Criteria

• No service/anon keys hard-coded in repo test sources
• npm test does not hit production network endpoints
• Integration test path documented with env requirements
• Existing CI remains green with secure defaults

[OpenCodeEngineer]

Discovered during portability review tracked in #131.

This should be treated as a prerequisite for safe cross-runtime adoption because current defaults couple test execution to production resources.