fix(BATON-FIX-005): mask BOT_TOKEN in logs — suppress httpx URL logging

- Add logging.getLogger("httpx/httpcore").setLevel(WARNING) to prevent
  token-embedded API URLs from leaking through transport-level loggers
- Add _mask_token() helper showing only last 4 chars of token
- Fix validate_bot_token() exception handler: log exc type + masked token
  instead of raw exc which may contain the full URL in some httpx versions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/telegram.py

@@ -11,9 +11,21 @@ from backend import config, db
 
 logger = logging.getLogger(__name__)
 
+# Suppress httpx/httpcore transport-level logging to prevent BOT_TOKEN URL leakage.
+# httpx logs request URLs (which embed the token) at DEBUG/INFO level depending on version.
+logging.getLogger("httpx").setLevel(logging.WARNING)
+logging.getLogger("httpcore").setLevel(logging.WARNING)
+
 _TELEGRAM_API = "https://api.telegram.org/bot{token}/{method}"
 
 
+def _mask_token(token: str) -> str:
+    """Return a safe representation of the bot token for logging."""
+    if not token or len(token) < 4:
+        return "***REDACTED***"
+    return f"***{token[-4:]}"
+
+
 async def validate_bot_token() -> bool:
     """Validate BOT_TOKEN by calling getMe. Logs ERROR if invalid. Never raises."""
     url = _TELEGRAM_API.format(token=config.BOT_TOKEN, method="getMe")
@@ -29,7 +41,13 @@ async def validate_bot_token() -> bool:
             )
             return False
         except Exception as exc:
-            logger.error("BOT_TOKEN validation failed (network): %s", exc)
+            # Do not log `exc` directly — it may contain the API URL with the token
+            # embedded (httpx includes request URL in some exception types/versions).
+            logger.error(
+                "BOT_TOKEN validation failed (network error): %s — token ends with %s",
+                type(exc).__name__,
+                _mask_token(config.BOT_TOKEN),
+            )
             return False