fix: [nomad-step-5] S5.2 — nomad/jobs/staging.hcl + chat.hcl (#989)

vault/policies/service-chat.hcl

@@ -0,0 +1,15 @@
+# vault/policies/service-chat.hcl
+#
+# Read-only access to shared Chat secrets (OAuth client config, forward auth
+# secret). Attached to the Chat Nomad job via workload identity (S5.2).
+#
+# Scope: kv/disinto/shared/chat — entries owned by the operator and
+# shared between the chat service and edge proxy.
+
+path "kv/data/disinto/shared/chat" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/shared/chat" {
+  capabilities = ["list", "read"]
+}

vault/roles.yaml

@@ -70,6 +70,11 @@ roles:
     namespace: default
     job_id:    agents
 
+  - name:      service-chat
+    policy:    service-chat
+    namespace: default
+    job_id:    chat
+
   # ── Per-agent bots (nomad/jobs/bot-<role>.hcl — land in later steps) ───────
   # job_id placeholders match the policy name 1:1 until each bot's jobspec
   # lands. When a bot's jobspec is added under nomad/jobs/, update the