fix: [nomad-step-5] S5.2 — nomad/jobs/staging.hcl + chat.hcl (#989)

Add lightweight Nomad service jobs for the staging file server and
Claude chat UI. Key changes:

- nomad/jobs/staging.hcl: caddy:alpine file-server mounting docker/
  as /srv/site (read-only), no Vault integration needed
- nomad/jobs/chat.hcl: custom disinto/chat:local image with sandbox
  hardening (cap_drop ALL, tmpfs, pids_limit 128, security_opt),
  Vault-templated OAuth secrets from kv/disinto/shared/chat
- nomad/client.hcl: add site-content host volume for staging
- vault/policies/service-chat.hcl + vault/roles.yaml: read-only
  access to chat secrets via workload identity
- bin/disinto: wire staging+chat into build, deploy order, seed
  mapping, summary, and service validation
- tests/disinto-init-nomad.bats: update known-services assertion

Fixes prior art issue where security_opt and pids_limit were placed
at task level instead of inside docker driver config block.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vault/roles.yaml

@@ -70,6 +70,13 @@ roles:
     namespace: default
     job_id:    agents
 
+  # ── Chat UI (nomad/jobs/chat.hcl — S5.2) ─────────────────────────────────
+  # Claude chat UI service with OAuth secrets. Uses vault/policies/service-chat.hcl.
+  - name:      service-chat
+    policy:    service-chat
+    namespace: default
+    job_id:    chat
+
   # ── Per-agent bots (nomad/jobs/bot-<role>.hcl — land in later steps) ───────
   # job_id placeholders match the policy name 1:1 until each bot's jobspec
   # lands. When a bot's jobspec is added under nomad/jobs/, update the