feat(telegram,discord): migrate to plugin userConfig secrets

Closes H1 #3617646 via the proper path — plugin userConfig with
sensitive: true routes tokens to keychain (macOS) or .credentials.json
0600 (elsewhere) instead of world-readable .env files.

Requires claude-cli-internal#23383 (PLUGIN_OPTIONS ungate + per-server
sensitive split).

Changes per plugin:
  - plugin.json: add userConfig.{PLATFORM}_BOT_TOKEN with sensitive: true
  - .mcp.json: add env block with ${user_config.{PLATFORM}_BOT_TOKEN}
  - server.ts: update comment + error message to point to
    /plugin reconfigure instead of .env file

The .env read loop stays as a legacy fallback for existing users —
process.env wins (injected value takes precedence), so no migration
forced. New users get prompted at enable time via CC's built-in dialog;
token lands in keychain, never touches settings.json.

/telegram:configure and /discord:configure skills are NOT removed in this
PR — they still work for the legacy .env path. Follow-up: repurpose or
remove after a grace period once cli#23383 is released.

🏠 Remote-Dev: homespace

external_plugins/discord/.mcp.json

@@ -2,7 +2,10 @@
   "mcpServers": {
     "discord": {
       "command": "bun",
-      "args": ["run", "--cwd", "${CLAUDE_PLUGIN_ROOT}", "--shell=bun", "--silent", "start"]
+      "args": ["run", "--cwd", "${CLAUDE_PLUGIN_ROOT}", "--shell=bun", "--silent", "start"],
+      "env": {
+        "DISCORD_BOT_TOKEN": "${user_config.DISCORD_BOT_TOKEN}"
+      }
     }
   }
 }