feat(deliverability): send bulk campaigns from dedicated subdomain send.performancewest.net

Isolates bulk sending reputation onto a dedicated subdomain so the root domain
stays clean for transactional/verification mail (and recovers faster). Replies
still go to the root domain via Reply-To, so the customer-facing reply experience
is unchanged.

- build_trucking_campaigns.py: add env-overridable FROM_EMAIL
  (noreply@send.performancewest.net); use it for both scheduled + test sends
  instead of inheriting base["from_email"] from the DB base campaign.
- build_healthcare_campaigns_cron.py: FROM_EMAIL ->
  compliance@send.performancewest.net (env-overridable).
- bounce-watcher.sh / hc-bounce-watcher.sh: track the new subdomain envelope
  sender (keep legacy root-domain sender so the pre-cutover queue still drains;
  HC also tracks by hcout transport regardless of sender).

Infra already live (separate, non-code): subdomain DNS (A/MX/SPF/DKIM
selector=send/DMARC p=reject) on the Hestia master, OpenDKIM signs
d=send.performancewest.net (verified end-to-end), egress .94/.107. Root SPF
trimmed to the real IPs; pointless IP-rehab cron disabled.

scripts/bounce-watcher.sh

@@ -23,8 +23,10 @@ CURRENT_UUID=""
 
 tail -F "$LOG" 2>/dev/null | while IFS= read -r line; do
 
-  # Track queue IDs originating from campaign sender
-  if echo "$line" | grep -q "from=<noreply@performancewest.net>"; then
+  # Track queue IDs originating from campaign sender. Bulk now sends from the
+  # dedicated bulk subdomain (noreply@send.performancewest.net); the root-domain
+  # sender is kept so the pre-cutover queue still drains correctly.
+  if echo "$line" | grep -qE "from=<noreply@send.performancewest.net>|from=<noreply@performancewest.net>"; then
     QID=$(echo "$line" | sed -n 's/.*postfix\/[^[]*\[\([0-9]*\)\]: \([A-Z0-9]*\):.*/\2/p')
     if [ -n "$QID" ]; then
       CAMPAIGN_QIDS[$QID]=1