chore(infra): codify telegram command sync access

docs/runbooks/first-deploy.md

@@ -32,6 +32,7 @@ Required in your environment `*.tfvars`:
 Recommended:
 
 - `database_url_secret_id = "database-url"`
+- `telegram_bot_token_secret_id = "telegram-bot-token"`
 - `openai_api_key_secret_id = "openai-api-key"`
 - optional `supabase_url_secret_id = "supabase-url"`
 - optional `supabase_publishable_key_secret_id = "supabase-publishable-key"`
@@ -141,6 +142,9 @@ For a functional household dev deployment, set `database_url_secret_id = "databa
 without `DATABASE_URL`, and finance commands, reminders, mini app auth/dashboard, and anonymous
 feedback remain disabled.
 
+Keep `telegram_bot_token_secret_id = "telegram-bot-token"` aligned with the actual bot token
+secret name. CD uses that secret to sync the Telegram command menu after deploy.
+
 ## Phase 4: Configure GitHub CD
 
 Populate GitHub repository secrets with the Terraform outputs:
@@ -161,6 +165,9 @@ gh secret set DATABASE_URL
 
 Set GitHub repository variables if you want to override the defaults used by `.github/workflows/cd.yml`.
 
+- optional `TELEGRAM_BOT_TOKEN_SECRET_ID`
+  - only needed if your bot token secret name is not `telegram-bot-token`
+
 ## Phase 5: Trigger the First Deployment
 
 You have two safe options:

docs/runbooks/iac-terraform.md

@@ -46,8 +46,12 @@ If you set optional secret IDs such as `database_url_secret_id` or
 For a functional dev bot, set at least:
 
 - `database_url_secret_id = "database-url"`
+- `telegram_bot_token_secret_id = "telegram-bot-token"`
 - optional `openai_api_key_secret_id = "openai-api-key"`
 
+If `create_workload_identity = true`, Terraform also grants the GitHub deploy service account
+`secretAccessor` on `telegram_bot_token_secret_id` so CD can sync Telegram commands after deploy.
+
 Keep bot runtime config that is not secret in your `*.tfvars` file:
 
 - `bot_household_id`

infra/terraform/README.md

@@ -61,6 +61,9 @@ echo -n "<value>" | gcloud secrets versions add scheduler-shared-secret --data-f
 If you configure optional secret IDs such as `database_url_secret_id` or
 `openai_api_key_secret_id`, add versions for those secrets as well.
 
+If GitHub OIDC deploy access is enabled, keep `telegram_bot_token_secret_id` aligned with the
+real bot token secret name so CD can read it and sync Telegram commands automatically.
+
 ## Environments
 
 Recommended approach:

infra/terraform/main.tf

@@ -64,6 +64,15 @@ resource "google_secret_manager_secret_iam_member" "bot_runtime_access" {
   member    = "serviceAccount:${google_service_account.bot_runtime.email}"
 }
 
+resource "google_secret_manager_secret_iam_member" "github_deployer_bot_token_access" {
+  count = var.create_workload_identity ? 1 : 0
+
+  project   = var.project_id
+  secret_id = var.telegram_bot_token_secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.github_deployer[0].email}"
+}
+
 module "bot_api_service" {
   source = "./modules/cloud_run_service"
 

infra/terraform/terraform.tfvars.example

@@ -9,6 +9,7 @@ bot_api_image   = "europe-west1-docker.pkg.dev/my-gcp-project/household-bot/bot:
 mini_app_image  = "europe-west1-docker.pkg.dev/my-gcp-project/household-bot/miniapp:latest"
 
 database_url_secret_id   = "database-url"
+telegram_bot_token_secret_id = "telegram-bot-token"
 openai_api_key_secret_id = "openai-api-key"
 # supabase_url_secret_id             = "supabase-url"
 # supabase_publishable_key_secret_id = "supabase-publishable-key"

package.json

@@ -26,6 +26,8 @@
     "infra:fmt": "terraform -chdir=infra/terraform fmt -recursive",
     "infra:fmt:check": "terraform -chdir=infra/terraform fmt -check -recursive",
     "infra:validate": "terraform -chdir=infra/terraform init -backend=false && terraform -chdir=infra/terraform validate",
+    "infra:plan:dev": "terraform -chdir=infra/terraform plan -var-file=dev.tfvars",
+    "infra:apply:dev": "terraform -chdir=infra/terraform apply -var-file=dev.tfvars",
     "dev:bot": "bun run --filter @household/bot dev",
     "dev:miniapp": "bun run --filter @household/miniapp dev",
     "docker:build:bot": "docker build -f apps/bot/Dockerfile -t household-bot:local .",