diff --git a/vault/policies/bot-architect.hcl b/vault/policies/bot-architect.hcl
index 9381b61..9f84de1 100644
--- a/vault/policies/bot-architect.hcl
+++ b/vault/policies/bot-architect.hcl
@@ -3,14 +3,14 @@
 # Architect agent: reads its own bot KV namespace + the shared forge URL.
 # Attached to the architect-agent Nomad job via workload identity (S2.4).
 
-path "kv/data/disinto/bots/architect/*" {
+path "kv/data/disinto/bots/architect" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/architect/*" {
+path "kv/metadata/disinto/bots/architect" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/bot-dev-qwen.hcl b/vault/policies/bot-dev-qwen.hcl
index b71283d..50f2d2d 100644
--- a/vault/policies/bot-dev-qwen.hcl
+++ b/vault/policies/bot-dev-qwen.hcl
@@ -5,14 +5,14 @@
 # via workload identity (S2.4). KV path mirrors the bot basename:
 # kv/disinto/bots/dev-qwen/*.
 
-path "kv/data/disinto/bots/dev-qwen/*" {
+path "kv/data/disinto/bots/dev-qwen" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/dev-qwen/*" {
+path "kv/metadata/disinto/bots/dev-qwen" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/bot-dev.hcl b/vault/policies/bot-dev.hcl
index 3771288..35cf6de 100644
--- a/vault/policies/bot-dev.hcl
+++ b/vault/policies/bot-dev.hcl
@@ -3,14 +3,14 @@
 # Dev agent: reads its own bot KV namespace + the shared forge URL.
 # Attached to the dev-agent Nomad job via workload identity (S2.4).
 
-path "kv/data/disinto/bots/dev/*" {
+path "kv/data/disinto/bots/dev" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/dev/*" {
+path "kv/metadata/disinto/bots/dev" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/bot-gardener.hcl b/vault/policies/bot-gardener.hcl
index f5ef230..ed45431 100644
--- a/vault/policies/bot-gardener.hcl
+++ b/vault/policies/bot-gardener.hcl
@@ -3,14 +3,14 @@
 # Gardener agent: reads its own bot KV namespace + the shared forge URL.
 # Attached to the gardener-agent Nomad job via workload identity (S2.4).
 
-path "kv/data/disinto/bots/gardener/*" {
+path "kv/data/disinto/bots/gardener" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/gardener/*" {
+path "kv/metadata/disinto/bots/gardener" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/bot-planner.hcl b/vault/policies/bot-planner.hcl
index 440f6aa..ae3e910 100644
--- a/vault/policies/bot-planner.hcl
+++ b/vault/policies/bot-planner.hcl
@@ -3,14 +3,14 @@
 # Planner agent: reads its own bot KV namespace + the shared forge URL.
 # Attached to the planner-agent Nomad job via workload identity (S2.4).
 
-path "kv/data/disinto/bots/planner/*" {
+path "kv/data/disinto/bots/planner" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/planner/*" {
+path "kv/metadata/disinto/bots/planner" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/bot-predictor.hcl b/vault/policies/bot-predictor.hcl
index 3a3b6b2..7159d72 100644
--- a/vault/policies/bot-predictor.hcl
+++ b/vault/policies/bot-predictor.hcl
@@ -3,14 +3,14 @@
 # Predictor agent: reads its own bot KV namespace + the shared forge URL.
 # Attached to the predictor-agent Nomad job via workload identity (S2.4).
 
-path "kv/data/disinto/bots/predictor/*" {
+path "kv/data/disinto/bots/predictor" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/predictor/*" {
+path "kv/metadata/disinto/bots/predictor" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/bot-review.hcl b/vault/policies/bot-review.hcl
index 04c7668..f0ddfe4 100644
--- a/vault/policies/bot-review.hcl
+++ b/vault/policies/bot-review.hcl
@@ -3,14 +3,14 @@
 # Review agent: reads its own bot KV namespace + the shared forge URL.
 # Attached to the review-agent Nomad job via workload identity (S2.4).
 
-path "kv/data/disinto/bots/review/*" {
+path "kv/data/disinto/bots/review" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/review/*" {
+path "kv/metadata/disinto/bots/review" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/bot-supervisor.hcl b/vault/policies/bot-supervisor.hcl
index 36ecc90..4d7f1e2 100644
--- a/vault/policies/bot-supervisor.hcl
+++ b/vault/policies/bot-supervisor.hcl
@@ -3,14 +3,14 @@
 # Supervisor agent: reads its own bot KV namespace + the shared forge URL.
 # Attached to the supervisor-agent Nomad job via workload identity (S2.4).
 
-path "kv/data/disinto/bots/supervisor/*" {
+path "kv/data/disinto/bots/supervisor" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/supervisor/*" {
+path "kv/metadata/disinto/bots/supervisor" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/bot-vault.hcl b/vault/policies/bot-vault.hcl
index 0a088dd..d2f9fe4 100644
--- a/vault/policies/bot-vault.hcl
+++ b/vault/policies/bot-vault.hcl
@@ -7,14 +7,14 @@
 # NOTE: distinct from the runner-* policies, which gate per-secret access
 # for vault-runner ephemeral dispatches (Step 5).
 
-path "kv/data/disinto/bots/vault/*" {
+path "kv/data/disinto/bots/vault" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/bots/vault/*" {
+path "kv/metadata/disinto/bots/vault" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/forge/*" {
+path "kv/data/disinto/shared/forge" {
   capabilities = ["read"]
 }
diff --git a/vault/policies/dispatcher.hcl b/vault/policies/dispatcher.hcl
index 6383ae7..a18f1ab 100644
--- a/vault/policies/dispatcher.hcl
+++ b/vault/policies/dispatcher.hcl
@@ -20,10 +20,10 @@ path "kv/metadata/disinto/runner/*" {
   capabilities = ["list", "read"]
 }
 
-path "kv/data/disinto/shared/ops-repo/*" {
+path "kv/data/disinto/shared/ops-repo" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/shared/ops-repo/*" {
+path "kv/metadata/disinto/shared/ops-repo" {
   capabilities = ["list", "read"]
 }
diff --git a/vault/policies/service-woodpecker.hcl b/vault/policies/service-woodpecker.hcl
index 19c9726..34b3795 100644
--- a/vault/policies/service-woodpecker.hcl
+++ b/vault/policies/service-woodpecker.hcl
@@ -6,10 +6,10 @@
 # Scope: kv/disinto/shared/woodpecker/* — entries owned by the operator
 # and consumed by woodpecker-server + woodpecker-agent.
 
-path "kv/data/disinto/shared/woodpecker/*" {
+path "kv/data/disinto/shared/woodpecker" {
   capabilities = ["read"]
 }
 
-path "kv/metadata/disinto/shared/woodpecker/*" {
+path "kv/metadata/disinto/shared/woodpecker" {
   capabilities = ["list", "read"]
 }