feat: AlertManager Matrix integration with severity routing

Deploy matrix-alertmanager-receiver bridge (pending bot credentials in
OpenBao). Update AlertManager routing: critical → Matrix + email,
warning → Matrix only, Watchdog → null. Reduce repeat interval to 4h.

base/monitoring/matrix-bot-secret.yaml

@@ -0,0 +1,27 @@
+---
+# Matrix alertbot credentials from OpenBao KV at secret/alertbot.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: matrix-bot-creds
+  namespace: monitoring
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: alertbot
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: matrix-alertmanager-receiver
+  destination:
+    name: matrix-bot-creds
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        access_token:
+          text: "{{ index .Secrets \"access_token\" }}"
+        room_id:
+          text: "{{ index .Secrets \"room_id\" }}"