feat: add lobbying-tracker app spec #52

Merged
jamesiarmes merged 2 commits into main from jey+yoshi/compliance-tracker
Apr 23, 2026

@jnf
Contributor

@jnf jnf commented Apr 20, 2026

What

Registers the lobbying expense tracker with SharedServices by adding tofu/config/hosting/specs/lobbying-tracker.yaml.

App details

  • Repo: https://github.com/codeforamerica/sharedservices-lobbying-tracker
  • Subdomain: lobbying-tracker.services.cfa.codes
  • Runtime: Node.js, no npm dependencies
  • Storage: EFS persistent volume at /app/data (JSON file-based)
  • Auth: Internal only — Okta SSO at the edge; admin features (Reports + Staff Rates) gated server-side via ADMIN_EMAILS secret

What DevOps needs to do

  1. Review and merge this PR
  2. Enable ECS Exec on the task definition (needed for one-time seed data copy — see DEPLOYMENT.md in the app repo)
  3. Grant the task role ssmmessages:* for ECS Exec
  4. Configure ADMIN_EMAILS secret in Doppler (comma-separated Okta emails for admin access)
  5. Configure GitHub secrets for the deploy workflow — Doppler manages DEPLOYMENT_APP_ID and DEPLOYMENT_APP_KEY
  6. Confirm the health check passes and hand back the URL

Open questions for DevOps

  • Deploy workflow template: What's the standard GitHub Actions workflow for ECR build + ECS deploy? (RFC TODO-8)
  • SSO identity header: What header does the edge layer inject after Okta auth? (x-forwarded-user is the current placeholder — depends on ALB vs CloudFront+Lambda decision, RFC TODO-6)

References

  • DEPLOYMENT.md in the app repo covers the full onboarding flow
  • RFC: Internal Tools Platform (distributed in Slack)

Registers Yoshi's lobbying expense tracker with SharedServices.
Node.js app, EFS-backed persistence at /app/data, ADMIN_EMAILS
secret for gating Reports and Staff Rates to admin users.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jnf jnf requested a review from a team as a code owner April 20, 2026 19:49
@jnf jnf temporarily deployed to development April 20, 2026 19:49 — with GitHub Actions Inactive
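
The description above says admin features are gated server-side by the ADMIN_EMAILS secret, with the identity taken from a header the edge injects after Okta auth. The following is an added example of such a gate in dependency-free Node.js; it is not code from the lobbying-tracker repo. The function names are hypothetical, `x-forwarded-user` is the placeholder header named in the PR, and it assumes the edge strips any client-supplied copy of that header and that the task is reachable only through the edge.

```javascript
// Added example, not the app's own code. Function names are hypothetical.
// Assumption: the edge removes client-supplied copies of the identity header
// and the task cannot be reached except through the edge.
const IDENTITY_HEADER = 'x-forwarded-user'; // placeholder named in the PR

// Parse the comma-separated ADMIN_EMAILS secret into a normalized set.
function parseAdminEmails(raw) {
  return new Set(
    String(raw || '')
      .split(',')
      .map((e) => e.trim().toLowerCase())
      .filter((e) => e.includes('@'))
  );
}

// Return the authenticated email, or null if the header is absent or ambiguous.
function identityFrom(headers) {
  const value = headers[IDENTITY_HEADER];
  // Node joins duplicate custom headers with ", "; treat that as invalid.
  if (typeof value !== 'string' || value.includes(',')) return null;
  const email = value.trim().toLowerCase();
  return /^[^\s@]+@[^\s@]+$/.test(email) ? email : null;
}

// Fail closed: an empty allowlist or a missing identity is never an admin.
function isAdmin(headers, admins) {
  const email = identityFrom(headers);
  return email !== null && admins.size > 0 && admins.has(email);
}

// Wrap a handler for admin-only routes (Reports, Staff Rates).
function requireAdmin(admins, handler) {
  return (req, res) => {
    if (!isAdmin(req.headers, admins)) {
      res.statusCode = 403;
      return res.end('Forbidden');
    }
    return handler(req, res);
  };
}
```

Build the set once at startup with `parseAdminEmails(process.env.ADMIN_EMAILS)` and wrap only the admin routes; an unset secret then denies everyone rather than admitting everyone.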
@github-actions

github-actions Bot commented Apr 20, 2026

Plan output for hosting config


OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place (current -> planned)

OpenTofu will perform the following actions:

  # module.app["dc-sebt-portal"].module.database["this"].module.mssql["this"].module.db_instance.aws_db_instance.this[0] will be updated in-place
  ~ resource "aws_db_instance" "this" {
      ~ engine_version                        = "16.00.4215.2.v1" -> "16.00.4245.2.v1"
        id                                    = "db-AQO5FR4MFE4QXEK44UMOZ5DUYE"
      ~ password_wo                           = (write-only attribute)
        tags                                  = {
            "application"    = "sebt-portal-development"
            "awsApplication" = "arn:aws:resource-groups:us-east-1:816069131564:group/sebt-portal-development/0015lbmzv6im0turnaqk9d1eyw"
            "environment"    = "development"
            "program"        = "safety-net"
            "project"        = "sebt-portal"
        }
        # (60 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Warning: Deprecated attribute

  on .terraform/modules/app.secrets/kms.tf line 8, in resource "aws_kms_key" "secrets":
   8:     region : data.aws_region.current.name,

The attribute "name" is deprecated. Refer to the provider documentation for
details.

(and 11 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    tofu apply "tfplan"

@jamesiarmes jamesiarmes merged commit 01114b5 into main Apr 23, 2026
9 of 10 checks passed
@jamesiarmes jamesiarmes deleted the jey+yoshi/compliance-tracker branch April 23, 2026 17:30