From 98a4f8e3627023282017f5091b112023f4bc1a88 Mon Sep 17 00:00:00 2001
From: Agent
Date: Thu, 16 Apr 2026 20:09:34 +0000
Subject: [PATCH] fix: vault/policies/service-forgejo.hcl: path glob misses exact secret path (#900)
---
 vault/policies/service-forgejo.hcl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/vault/policies/service-forgejo.hcl b/vault/policies/service-forgejo.hcl
index 8470a23..1724fc5 100644
--- a/vault/policies/service-forgejo.hcl
+++ b/vault/policies/service-forgejo.hcl
@@ -3,13 +3,13 @@
 # Read-only access to shared Forgejo secrets (admin password, OAuth client
 # config). Attached to the Forgejo Nomad job via workload identity (S2.4).
 #
-# Scope: kv/disinto/shared/forgejo/* — entries owned by the operator and
+# Scope: kv/disinto/shared/forgejo — entries owned by the operator and
 # shared between forgejo + the chat OAuth client (issue #855 lineage).
-path "kv/data/disinto/shared/forgejo/*" {
+path "kv/data/disinto/shared/forgejo" {
 capabilities = ["read"]
 }
-path "kv/metadata/disinto/shared/forgejo/*" {
+path "kv/metadata/disinto/shared/forgejo" {
 capabilities = ["list", "read"]
 }
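Review bot: The `kv/metadata/disinto/shared/forgejo` stanza keeps `capabilities = ["list", "read"]` even though the policy now names one exact path instead of a subtree. If `forgejo` is a leaf secret and the Nomad job only fetches it through `kv/data/...`, then `list` grants nothing the workload needs and the stanza could be narrowed to `capabilities = ["read"]` or dropped. That is worth confirming against how the job's template reads the secret. The header comment still speaks of "entries", which no longer matches a single-path scope. A line such as `# Exact path on purpose: a trailing /* does not match the secret at forgejo itself (#900).` would record why the glob was removed, so it is not re-added later.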