recruiter-responder: pin image tag + run plugin installer init as root

- stacks/recruiter-responder/terragrunt.hcl: bump image_tag to 0500c3d3
  (300s LLM timeouts + IMAP BODY.PEEK[] fix).
- stacks/openclaw/main.tf: install-recruiter-plugin init container now
  runs as uid 0 — the openclaw NFS volume is owned by uid 1000 and the
  recruiter-responder image otherwise drops to uid 10001 which can't
  write or chown.

Smoke-tested end-to-end 2026-05-15 ~23:15:
  Synthetic recruiter email -> IMAP IDLE EXISTS push -> qwen3-8b triage
  (12.1s, JSON output complete with company/role/salary/location/tech)
  -> 2 drafts persisted in Postgres -> Telegram sendMessage 200 OK.
Then deleted 3 stale n8n workflows W992Nr7..., 1AU4k7..., IisDNx... from
the n8n Postgres workflow_entity table.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Viktor Barzin 2026-05-15 23:18:43 +00:00 committed by Viktor Barzin
parent a72590db7d
commit a98b00324d
2 changed files with 8 additions and 3 deletions


@ -472,6 +472,12 @@ resource "kubernetes_deployment" "openclaw" {
ls -la /home/node/.openclaw/extensions/recruiter-api
EOT
]
# /home/node/.openclaw is uid 1000 on NFS; recruiter-responder image
# otherwise drops to uid 10001 which can't write or chown. Run as
# root so mkdir + chown succeed.
security_context {
run_as_user = 0
}
volume_mount {
name = "openclaw-home"
mount_path = "/home/node/.openclaw"
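Review bot: the added `security_context` on the install-recruiter-plugin init container sets only `run_as_user = 0`, so the container runs as root with the runtime's default capability set and with privilege escalation not disabled. The comment says the container only needs mkdir + chown on the uid 1000 NFS volume, so consider adding `allow_privilege_escalation = false` and a `capabilities` block that drops `ALL` and adds back only what the script needs (likely `CHOWN` and `DAC_OVERRIDE`, to be confirmed against the script). If the chown target is uid 1000 anyway, running the init container as uid 1000 would avoid root entirely. It is also worth confirming that the NFS export does not squash root, since a squashed uid 0 could not chown either.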


@ -18,7 +18,6 @@ dependency "external-secrets" {
}
inputs = {
# Override per-deploy in CI / commit. Initial build will land on forgejo
# as `forgejo.viktorbarzin.me/viktor/recruiter-responder:<8-char-sha>`.
image_tag = "latest"
# Override per-deploy in CI / commit.
image_tag = "0500c3d3"
}
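Review bot: `image_tag = "0500c3d3"` in `inputs` replaces `latest` with a short-SHA tag, which is an improvement but is still a mutable reference in the registry. If the module can accept a digest, pinning by `sha256` digest would guarantee that the image that was smoke-tested is the one that gets deployed. The shortened comment also drops the line documenting the `forgejo.viktorbarzin.me/viktor/recruiter-responder:<8-char-sha>` format, which is what tells the next editor what value belongs here; consider keeping it.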