diff --git a/vault/policies/service-forgejo.hcl b/vault/policies/service-forgejo.hcl
index 1724fc5..8470a23 100644
--- a/vault/policies/service-forgejo.hcl
+++ b/vault/policies/service-forgejo.hcl
@@ -3,13 +3,13 @@
 # Read-only access to shared Forgejo secrets (admin password, OAuth client
 # config). Attached to the Forgejo Nomad job via workload identity (S2.4).
 #
-# Scope: kv/disinto/shared/forgejo — entries owned by the operator and
+# Scope: kv/disinto/shared/forgejo/* — entries owned by the operator and
 # shared between forgejo + the chat OAuth client (issue #855 lineage).
-path "kv/data/disinto/shared/forgejo" {
+path "kv/data/disinto/shared/forgejo/*" {
 capabilities = ["read"]
 }
-path "kv/metadata/disinto/shared/forgejo" {
+path "kv/metadata/disinto/shared/forgejo/*" {
 capabilities = ["list", "read"]
 }
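Review bot: The new rule `path "kv/data/disinto/shared/forgejo/*"` no longer matches the exact path `kv/data/disinto/shared/forgejo` that the removed rule granted, because a Vault `/*` glob matches sub-paths under the prefix, not the prefix itself; if the admin password or OAuth client config is still stored at that exact key, the Forgejo workload loses read access as soon as the policy is written, and the same applies to the `kv/metadata/...` rule. If the secrets have been or are being moved under `forgejo/<name>`, that should be stated in the file, e.g. extend the header comment with `# Secrets are stored as kv/disinto/shared/forgejo/<name>; the bare prefix path is intentionally not granted.` Otherwise keep both the exact-path rule and the glob rule for the duration of the migration. Note that the glob also covers every future key written under the prefix, so anything later placed there becomes readable by this workload without a further policy change.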