recruiter-responder: expose Gmail IMAP creds for backtest CLI

Pulls vbarzin@gmail.com app password from secret/recruiter-responder
(seeded from secret/wealthfolio.imap_password — same Gmail credential
that wealthfolio uses for broker-statement ingestion). Env vars
GMAIL_IMAP_USER + GMAIL_IMAP_PASS, consumed by 'backtest gmail'.

Backtest verified 2026-05-16 against folder
'companies-I-dont-take-seriously': 20/20 recruiter, 100% company
extraction (9 stated, 6 subject, 4 sender_domain, 1 body), 30% comp,
avg 12s latency.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/recruiter-responder/main.tf

@@ -83,6 +83,10 @@ resource "kubernetes_manifest" "external_secret" {
         { secretKey = "CLAUDE_AGENT_TOKEN", remoteRef = { key = "recruiter-responder", property = "claude_agent_token" } },
         { secretKey = "TELEGRAM_BOT_TOKEN", remoteRef = { key = "recruiter-responder", property = "telegram_bot_token" } },
         { secretKey = "TELEGRAM_CHAT_ID", remoteRef = { key = "recruiter-responder", property = "telegram_chat_id" } },
+        # Gmail app password for the backtest CLI (read-only). Same
+        # credential as wealthfolio uses for broker statement ingestion.
+        { secretKey = "GMAIL_IMAP_USER", remoteRef = { key = "recruiter-responder", property = "gmail_imap_user" } },
+        { secretKey = "GMAIL_IMAP_PASS", remoteRef = { key = "recruiter-responder", property = "gmail_imap_pass" } },
       ]
     }
   }