feat(ops): add first deployment runbook tooling

infra/terraform/README.md

@@ -73,6 +73,7 @@ Recommended approach:
   - `bot_household_chat_id`
   - `bot_purchase_topic_id`
   - optional `bot_parser_model`
+  - optional `bot_mini_app_allowed_origins`
 
 ## CI validation
 
@@ -86,3 +87,4 @@ CI runs:
 
 - Scheduler jobs default to `paused = true` and `dry_run = true` to prevent accidental sends before live reminder delivery is ready.
 - Bot API is public to accept Telegram webhooks; scheduler endpoint should still verify app-level auth.
+- `bot_mini_app_allowed_origins` cannot be auto-derived in Terraform because the bot and mini app Cloud Run services reference each other; set it explicitly once the mini app URL is known.

infra/terraform/main.tf

@@ -93,6 +93,9 @@ module "bot_api_service" {
     var.bot_parser_model == null ? {} : {
       PARSER_MODEL = var.bot_parser_model
     },
+    length(var.bot_mini_app_allowed_origins) == 0 ? {} : {
+      MINI_APP_ALLOWED_ORIGINS = join(",", var.bot_mini_app_allowed_origins)
+    },
     {
       SCHEDULER_OIDC_ALLOWED_EMAILS = google_service_account.scheduler_invoker.email
     }

infra/terraform/terraform.tfvars.example

@@ -12,6 +12,9 @@ bot_household_id       = "11111111-1111-4111-8111-111111111111"
 bot_household_chat_id  = "-1001234567890"
 bot_purchase_topic_id  = 777
 bot_parser_model       = "gpt-4.1-mini"
+bot_mini_app_allowed_origins = [
+  "https://household-dev-mini-app-abc123-ew.a.run.app"
+]
 
 scheduler_utilities_cron    = "0 9 4 * *"
 scheduler_rent_warning_cron = "0 9 17 * *"

infra/terraform/variables.tf

@@ -111,6 +111,12 @@ variable "bot_parser_model" {
   nullable    = true
 }
 
+variable "bot_mini_app_allowed_origins" {
+  description = "Optional allow-list of mini app origins for bot CORS handling"
+  type        = list(string)
+  default     = []
+}
+
 variable "openai_api_key_secret_id" {
   description = "Optional Secret Manager ID for OPENAI_API_KEY"
   type        = string