diff --git a/guides/VAULT-SECRETS.md b/guides/VAULT-SECRETS.md
index 3692b36..9a797ad 100644
--- a/guides/VAULT-SECRETS.md
+++ b/guides/VAULT-SECRETS.md
@@ -355,7 +355,6 @@ package config
 import (
 "fmt"
- "os"
 "github.com/kelseyhightower/envconfig"
 )
@@ -373,10 +372,16 @@ func Load() (*Config, error) {
 }
 return &cfg, nil
 }
+```
-// In main():
-// cfg, err := config.Load()
-// if err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) }
+In your `main.go`:
+
+```go
+cfg, err := config.Load()
+if err != nil {
+ fmt.Fprintln(os.Stderr, err)
+ os.Exit(1)
+}
 ```
 ---
@@ -399,7 +404,12 @@ Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB
 vault auth enable approle
 # Create a Vault policy for the app
+# Note: KV v2 paths require both the exact path (for the top-level secret) and the
+# wildcard (for sub-paths). Always include both to avoid permission denied errors.
 vault policy write -policy - <" {
+ capabilities = ["read"]
+}
 path "secret/data/k3s//*" {
 capabilities = ["read"]
 }
diff --git a/packages/mosaic/framework/guides/VAULT-SECRETS.md b/packages/mosaic/framework/guides/VAULT-SECRETS.md
index 3692b36..9a797ad 100644
--- a/packages/mosaic/framework/guides/VAULT-SECRETS.md
+++ b/packages/mosaic/framework/guides/VAULT-SECRETS.md
@@ -355,7 +355,6 @@ package config
 import (
 "fmt"
- "os"
 "github.com/kelseyhightower/envconfig"
 )
@@ -373,10 +372,16 @@ func Load() (*Config, error) {
 }
 return &cfg, nil
 }
+```
-// In main():
-// cfg, err := config.Load()
-// if err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) }
+In your `main.go`:
+
+```go
+cfg, err := config.Load()
+if err != nil {
+ fmt.Fprintln(os.Stderr, err)
+ os.Exit(1)
+}
 ```
 ---
@@ -399,7 +404,12 @@ Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB
 vault auth enable approle
 # Create a Vault policy for the app
+# Note: KV v2 paths require both the exact path (for the top-level secret) and the
+# wildcard (for sub-paths). Always include both to avoid permission denied errors.
 vault policy write -policy - <" {
+ capabilities = ["read"]
+}
 path "secret/data/k3s//*" {
 capabilities = ["read"]
 }