chore(infra): codify telegram command sync access

2026-03-09 05:29:30 +04:00
parent 4d3c206f5f
commit de86706f4f
6 changed files with 26 additions and 0 deletions

View File

@@ -32,6 +32,7 @@ Required in your environment `*.tfvars`:
Recommended:
- `database_url_secret_id = "database-url"`
- `telegram_bot_token_secret_id = "telegram-bot-token"`
- `openai_api_key_secret_id = "openai-api-key"`
- optional `supabase_url_secret_id = "supabase-url"`
- optional `supabase_publishable_key_secret_id = "supabase-publishable-key"`
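Review bot: The `telegram_bot_token_secret_id` entry sits under "Recommended:", but the other document touched by this commit lists the same variable under "set at least" for a functional dev bot, and CD reads that secret after deploy. State in one place whether the variable is required for CD, and use the same wording in both documents.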
@@ -141,6 +142,9 @@ For a functional household dev deployment, set `database_url_secret_id = "databa
without `DATABASE_URL`, and finance commands, reminders, mini app auth/dashboard, and anonymous
feedback remain disabled.
Keep `telegram_bot_token_secret_id = "telegram-bot-token"` aligned with the actual bot token
secret name. CD uses that secret to sync the Telegram command menu after deploy.
## Phase 4: Configure GitHub CD
Populate GitHub repository secrets with the Terraform outputs:
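Review bot: The "Keep `telegram_bot_token_secret_id` ... aligned" paragraph does not say what happens when the name is misaligned: whether the deploy fails or the command sync is skipped silently. Add one sentence describing the failure mode and where an operator would see it, so a misconfigured secret name is noticed instead of leaving a stale command menu.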
@@ -161,6 +165,9 @@ gh secret set DATABASE_URL
Set GitHub repository variables if you want to override the defaults used by `.github/workflows/cd.yml`.
- optional `TELEGRAM_BOT_TOKEN_SECRET_ID`
- only needed if your bot token secret name is not `telegram-bot-token`
## Phase 5: Trigger the First Deployment
You have two safe options:
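Review bot: The `TELEGRAM_BOT_TOKEN_SECRET_ID` bullet should state that the variable holds the name of the secret, never the token itself. It appears under "Set GitHub repository variables" directly after the `gh secret set` steps, and repository variables are not masked in workflow logs the way secrets are, so a reader who pastes the token here would expose it. A short clause such as "the secret's ID, not the token value" would close that gap.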

View File

@@ -46,8 +46,12 @@ If you set optional secret IDs such as `database_url_secret_id` or
For a functional dev bot, set at least:
- `database_url_secret_id = "database-url"`
- `telegram_bot_token_secret_id = "telegram-bot-token"`
- optional `openai_api_key_secret_id = "openai-api-key"`
If `create_workload_identity = true`, Terraform also grants the GitHub deploy service account
`secretAccessor` on `telegram_bot_token_secret_id` so CD can sync Telegram commands after deploy.
Keep bot runtime config that is not secret in your `*.tfvars` file:
- `bot_household_id`
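Review bot: The sentence "Terraform also grants the GitHub deploy service account `secretAccessor` on `telegram_bot_token_secret_id`" documents a widening of the deploy identity's access without stating its scope or how to decline it. The grant is tied only to `create_workload_identity = true`, so anyone using workload identity gets it even if they do not want command sync. Please say that the binding applies to that single secret rather than the whole project, and note that any workflow able to run as the deploy service account can now read the bot token.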