[job-hunter] Add infra stack + Grafana dashboard + n8n digest workflow

New service stack at stacks/job-hunter/ mirroring the payslip-ingest
pattern: per-service CNPG database + role (via dbaas null_resource),
Vault static role pg-job-hunter (7d rotation), ExternalSecrets for app
secrets and DB creds, Deployment with alembic-migrate init container,
ClusterIP Service, Grafana datasource ConfigMap.

Grafana dashboard job-hunter.json in Finance folder: new roles per
day, source breakdown, top companies, GBP salary distribution, recent
roles table (sorted by parse confidence then salary).

n8n weekly-digest workflow calls POST /digest/generate with bearer
auth every Monday 07:00 London; digest_runs table provides
idempotency.

Refs: code-snp

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

stacks/vault/main.tf

@@ -536,7 +536,7 @@ resource "vault_database_secret_backend_connection" "postgresql" {
     # "pg-trading",  # Commented out 2026-04-06 - trading-bot disabled
     "pg-health", "pg-linkwarden",
     "pg-affine", "pg-woodpecker", "pg-claude-memory",
-    "pg-terraform-state", "pg-payslip-ingest"
+    "pg-terraform-state", "pg-payslip-ingest", "pg-job-hunter"
   ]
 
   postgresql {
@@ -682,6 +682,14 @@ resource "vault_database_secret_backend_static_role" "pg_payslip_ingest" {
   rotation_period = 604800
 }
 
+resource "vault_database_secret_backend_static_role" "pg_job_hunter" {
+  backend         = vault_mount.database.path
+  db_name         = vault_database_secret_backend_connection.postgresql.name
+  name            = "pg-job-hunter"
+  username        = "job_hunter"
+  rotation_period = 604800
+}
+
 # =============================================================================
 # Kubernetes Secrets Engine — Dynamic K8s Credentials
 # =============================================================================