recruiter-responder: vault DB role + switch proactive push to Telegram

- stacks/vault/main.tf: register pg-recruiter-responder static role on
  the postgresql connection (7d password rotation). Adds the role to
  allowed_roles and creates vault_database_secret_backend_static_role
  for `recruiter_responder` user.
- stacks/recruiter-responder/main.tf: drop TASK_WEBHOOK_URL env, swap
  TASK_WEBHOOK_TOKEN secret for TELEGRAM_BOT_TOKEN + TELEGRAM_CHAT_ID.
  Updated header doc.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/recruiter-responder/main.tf

@@ -38,8 +38,9 @@ resource "kubernetes_namespace" "recruiter_responder" {
 #     imap_spam_pass         — IMAP password for spam@
 #     smtp_password          — SMTP password for me@viktorbarzin.me
 #     claude_agent_token     — Bearer for claude-agent-service (Tier-2)
-#     task_webhook_token     — Bearer for OpenClaw task-webhook (optional;
-#                              empty allowed if task-webhook is unauthed)
+#     telegram_bot_token     — Bot token for @ViktorBarzinOpenClawBot
+#                              (same as secret/openclaw.telegram_bot_token)
+#     telegram_chat_id       — Viktor's Telegram chat id (8281953845)
 #
 # Schema in CNPG: `recruiter_responder` (alembic creates on first migrate).
 # DB user: created via Vault database engine — see static-creds/pg-recruiter-responder.
@@ -75,7 +76,8 @@ resource "kubernetes_manifest" "external_secret" {
         { secretKey = "IMAP_SPAM_PASS", remoteRef = { key = "recruiter-responder", property = "imap_spam_pass" } },
         { secretKey = "SMTP_PASSWORD", remoteRef = { key = "recruiter-responder", property = "smtp_password" } },
         { secretKey = "CLAUDE_AGENT_TOKEN", remoteRef = { key = "recruiter-responder", property = "claude_agent_token" } },
-        { secretKey = "TASK_WEBHOOK_TOKEN", remoteRef = { key = "recruiter-responder", property = "task_webhook_token" } },
+        { secretKey = "TELEGRAM_BOT_TOKEN", remoteRef = { key = "recruiter-responder", property = "telegram_bot_token" } },
+        { secretKey = "TELEGRAM_CHAT_ID", remoteRef = { key = "recruiter-responder", property = "telegram_chat_id" } },
       ]
     }
   }
@@ -240,11 +242,7 @@ resource "kubernetes_deployment" "recruiter_responder" {
             name  = "CLAUDE_AGENT_URL"
             value = "http://claude-agent-service.claude-agent.svc.cluster.local:8080"
           }
-          # OpenClaw proactive push
-          env {
-            name  = "TASK_WEBHOOK_URL"
-            value = "http://task-webhook.openclaw.svc.cluster.local"
-          }
+          # Telegram bot (no URL env needed — token in secret)
 
           readiness_probe {
             http_get {

stacks/vault/main.tf

@@ -577,6 +577,7 @@ resource "vault_database_secret_backend_connection" "postgresql" {
     "pg-terraform-state", "pg-payslip-ingest", "pg-job-hunter",
     "pg-wealthfolio-sync", "pg-fire-planner",
     "pg-postiz", "pg-instagram-poster",
+    "pg-recruiter-responder",
   ]
 
   postgresql {
@@ -765,6 +766,14 @@ resource "vault_database_secret_backend_static_role" "pg_instagram_poster" {
   rotation_period = 604800
 }
 
+resource "vault_database_secret_backend_static_role" "pg_recruiter_responder" {
+  backend         = vault_mount.database.path
+  db_name         = vault_database_secret_backend_connection.postgresql.name
+  name            = "pg-recruiter-responder"
+  username        = "recruiter_responder"
+  rotation_period = 604800
+}
+
 # =============================================================================
 # Kubernetes Secrets Engine — Dynamic K8s Credentials
 # =============================================================================