74063d4d8a
Applying the gpg mount (#87) needs two grants the deployer lacks: it registers the plugin itself (vault_plugin -> sys/plugins/catalog, sudo-protected) and manages keys via the gpgvaultsecret provider (gpg/keys/*). The deployer already has sys/mounts/* but neither of these, so apply would 403 on the plugin registration and on gpg/keys writes. - Add policies/gpg/admin.yaml granting create/read/update/delete/sudo on sys/plugins/catalog/secret/vault-plugin-secrets-gpg and full management of gpg/keys/*, assigned to tf_vault (approle) + woodpecker_terraform_vault (k8s/au/syd1), mirroring policies/litellm/admin.yaml (#84).