From a98b00324d2653a5390c334652c81eb1a812bb58 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <me@viktorbarzin.me>
Date: Fri, 15 May 2026 23:18:43 +0000
Subject: [PATCH] recruiter-responder: pin image tag + run plugin installer
 init as root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- stacks/recruiter-responder/terragrunt.hcl: bump image_tag to 0500c3d3
  (300s LLM timeouts + IMAP BODY.PEEK[] fix).
- stacks/openclaw/main.tf: install-recruiter-plugin init container now
  runs as uid 0 — the openclaw NFS volume is owned by uid 1000 and the
  recruiter-responder image otherwise drops to uid 10001 which can't
  write or chown.

Smoke-tested end-to-end 2026-05-15 ~23:15:
  Synthetic recruiter email -> IMAP IDLE EXISTS push -> qwen3-8b triage
  (12.1s, JSON output complete with company/role/salary/location/tech)
  -> 2 drafts persisted in Postgres -> Telegram sendMessage 200 OK.
Then deleted 3 stale n8n workflows W992Nr7..., 1AU4k7..., IisDNx... from
the n8n Postgres workflow_entity table.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 stacks/openclaw/main.tf                   | 6 ++++++
 stacks/recruiter-responder/terragrunt.hcl | 5 ++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf
index 7bccd0d1..b6476e91 100644
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@@ -472,6 +472,12 @@ resource "kubernetes_deployment" "openclaw" {
             ls -la /home/node/.openclaw/extensions/recruiter-api
           EOT
           ]
+          # /home/node/.openclaw is uid 1000 on NFS; recruiter-responder image
+          # otherwise drops to uid 10001 which can't write or chown. Run as
+          # root so mkdir + chown succeed.
+          security_context {
+            run_as_user = 0
+          }
           volume_mount {
             name       = "openclaw-home"
             mount_path = "/home/node/.openclaw"
diff --git a/stacks/recruiter-responder/terragrunt.hcl b/stacks/recruiter-responder/terragrunt.hcl
index 08c1ee48..6a27cb7a 100644
--- a/stacks/recruiter-responder/terragrunt.hcl
+++ b/stacks/recruiter-responder/terragrunt.hcl
@@ -18,7 +18,6 @@ dependency "external-secrets" {
 }
 
 inputs = {
-  # Override per-deploy in CI / commit. Initial build will land on forgejo
-  # as `forgejo.viktorbarzin.me/viktor/recruiter-responder:<8-char-sha>`.
-  image_tag = "latest"
+  # Override per-deploy in CI / commit.
+  image_tag = "0500c3d3"
 }