fix: [nomad-step-4] S4.1 — nomad/jobs/agents.hcl (7 roles, llama, vault-templated bot tokens) (#955)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vault/policies/service-agents.hcl

@@ -0,0 +1,76 @@
+# vault/policies/service-agents.hcl
+#
+# Composite policy for the `agents` Nomad job (S4.1, issue #955).
+# Grants read access to all 7 bot KV namespaces + shared forge config,
+# so a single job running all agent roles can pull per-bot tokens from
+# Vault via workload identity.
+
+# ── Per-bot KV paths (token + pass per role) ─────────────────────────────────
+path "kv/data/disinto/bots/dev" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/bots/dev" {
+  capabilities = ["list", "read"]
+}
+
+path "kv/data/disinto/bots/review" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/bots/review" {
+  capabilities = ["list", "read"]
+}
+
+path "kv/data/disinto/bots/gardener" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/bots/gardener" {
+  capabilities = ["list", "read"]
+}
+
+path "kv/data/disinto/bots/architect" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/bots/architect" {
+  capabilities = ["list", "read"]
+}
+
+path "kv/data/disinto/bots/planner" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/bots/planner" {
+  capabilities = ["list", "read"]
+}
+
+path "kv/data/disinto/bots/predictor" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/bots/predictor" {
+  capabilities = ["list", "read"]
+}
+
+path "kv/data/disinto/bots/supervisor" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/bots/supervisor" {
+  capabilities = ["list", "read"]
+}
+
+path "kv/data/disinto/bots/vault" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/bots/vault" {
+  capabilities = ["list", "read"]
+}
+
+# ── Shared forge config (URL, bot usernames) ─────────────────────────────────
+path "kv/data/disinto/shared/forge" {
+  capabilities = ["read"]
+}