feat(jobs): expose job source freshness reporting

[JSONbored]

Summary

Jobs already carry source and verification timestamps, and there is source-check tooling. We should expose a structured freshness report so maintainers and public clients can distinguish active, recently verified jobs from stale or unverified listings.

Current state

• apps/web/src/lib/jobs.ts maps lastCheckedAt, sourceCheckedAt, firstSeenAt, and lastVerifiedAt into public listings.
• scripts/check-d1-job-sources.mjs and related tests cover source checking.
• There is no consolidated public/admin freshness report endpoint.

Desired behavior

• Add a freshness report for active jobs with counts by fresh/stale/unknown source status.
• Expose per-job public freshness metadata where appropriate.
• Keep admin-only details out of public output.
• Make stale listings visible to maintainers before they decay the jobs surface.

Implementation notes

• Define thresholds in one shared module.
• Consider both public summary and token-protected admin detail if needed.
• Keep compatibility with existing validate:d1-jobs checks.

Acceptance criteria

• Freshness summary reports active job source verification posture.
• Public payloads include safe verification/freshness indicators.
• Stale or missing source checks are test-covered.
• Maintainer/admin route remains token-protected if detailed operational rows are exposed.

Validation

• pnpm validate:d1-jobs
• pnpm exec vitest run tests/job-source-check-script.test.ts tests/api-contracts.test.ts
• Add or update focused unit tests for the touched API/helper surface.
• Run the narrow relevant validation command for the changed package or route.
• Run git diff --check before opening a PR.