Why does a HashiCorp Vault policy need read of secret/?

0

Consider the following policy:

path "secret/*" {
  capabilities = [ "read" ]
}

path "secret/dev.example.com/django/*" {
  capabilities = [ "read" ]
}

The second rule allows for reading secrets out of secret/dev.example.com/django. However, this only works if read privilege is granted on secret/* too.

My question is: why is the first rule required?

JG801

Posted 2019-08-26T12:16:03.167

Reputation: 1

No answers