diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf
index 7bccd0d1..b6476e91 100644
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@@ -472,6 +472,12 @@ resource "kubernetes_deployment" "openclaw" {
             ls -la /home/node/.openclaw/extensions/recruiter-api
           EOT
           ]
+          # /home/node/.openclaw is uid 1000 on NFS; recruiter-responder image
+          # otherwise drops to uid 10001 which can't write or chown. Run as
+          # root so mkdir + chown succeed.
+          security_context {
+            run_as_user = 0
+          }
           volume_mount {
             name       = "openclaw-home"
             mount_path = "/home/node/.openclaw"
diff --git a/stacks/recruiter-responder/terragrunt.hcl b/stacks/recruiter-responder/terragrunt.hcl
index 08c1ee48..6a27cb7a 100644
--- a/stacks/recruiter-responder/terragrunt.hcl
+++ b/stacks/recruiter-responder/terragrunt.hcl
@@ -18,7 +18,6 @@ dependency "external-secrets" {
 }
 
 inputs = {
-  # Override per-deploy in CI / commit. Initial build will land on forgejo
-  # as `forgejo.viktorbarzin.me/viktor/recruiter-responder:<8-char-sha>`.
-  image_tag = "latest"
+  # Override per-deploy in CI / commit.
+  image_tag = "0500c3d3"
 }