fix(ci): pass Telegram token as deploy-prod.sh arg2, OAuth stays in env

Workflow wrongly passed PROD_QWEN_OAUTH_CREDS as $2, so getMe used
base64 as bot token (HTTP 404 / invalid JSON). Match script contract:
$1 SSH password, $2 bot token; PROD_QWEN_OAUTH_CREDS only via env.

Made-with: Cursor

Author: ilyar

.github/workflows/deploy.yml

@@ -71,7 +71,8 @@ jobs:
           PROD_QWEN_OAUTH_CREDS: ${{ secrets.PROD_QWEN_OAUTH_CREDS }}
           PROD_TELEGRAM_BOT_TOKEN: ${{ secrets.PROD_TELEGRAM_BOT_TOKEN }}
         run: |
+          # deploy-prod.sh: arg1=SSH password, arg2=Telegram bot token only.
+          # Qwen OAuth is read from env PROD_QWEN_OAUTH_CREDS (not a CLI arg).
           bash ./scripts/deploy-prod.sh \
             "$PROD_VPS_PASSWORD" \
-            "$PROD_QWEN_OAUTH_CREDS" \
             "$PROD_TELEGRAM_BOT_TOKEN"

scripts/deploy-prod.sh

@@ -3,12 +3,16 @@ set -euo pipefail
 
 if [[ $# -lt 2 ]]; then
   echo "Usage: $0 <ssh-password> <telegram-bot-token> [ssh-host] [ssh-user] [public-origin]" >&2
-  echo "Required env: PROD_QWEN_OAUTH_CREDS (base64 of ~/.qwen/oauth_creds.json)" >&2
+  echo "Required env: PROD_QWEN_OAUTH_CREDS (base64 of ~/.qwen/oauth_creds.json). Do not pass OAuth on the CLI." >&2
   exit 1
 fi
 
 SSH_PASSWORD="$1"
 TELEGRAM_BOT_TOKEN="$2"
+if [[ -z "$TELEGRAM_BOT_TOKEN" ]]; then
+  echo "Telegram bot token (2nd argument) is empty. Fix CI: pass PROD_TELEGRAM_BOT_TOKEN as arg2, not PROD_QWEN_OAUTH_CREDS." >&2
+  exit 1
+fi
 SSH_HOST="${3:-spawn-dock.w3voice.net}"
 SSH_USER="${4:-ops}"
 PUBLIC_ORIGIN="${5:-https://spawn-dock.w3voice.net}"