fix: [nomad-step-5] S5.2 — nomad/jobs/staging.hcl + chat.hcl (#989)

vault/policies/service-chat.hcl

@@ -1,15 +0,0 @@
-# vault/policies/service-chat.hcl
-#
-# Read-only access to shared Chat secrets (OAuth client config, forward auth
-# secret). Attached to the Chat Nomad job via workload identity (S5.2).
-#
-# Scope: kv/disinto/shared/chat — entries owned by the operator and
-# shared between the chat service and edge proxy.
-
-path "kv/data/disinto/shared/chat" {
-  capabilities = ["read"]
-}
-
-path "kv/metadata/disinto/shared/chat" {
-  capabilities = ["list", "read"]
-}

vault/roles.yaml

@@ -70,11 +70,6 @@ roles:
     namespace: default
     job_id:    agents
 
-  - name:      service-chat
-    policy:    service-chat
-    namespace: default
-    job_id:    chat
-
   # ── Per-agent bots (nomad/jobs/bot-<role>.hcl — land in later steps) ───────
   # job_id placeholders match the policy name 1:1 until each bot's jobspec
   # lands. When a bot's jobspec is added under nomad/jobs/, update the