fix(auth): replace identity template with explicit username in vault policies

Fixed document signing permissions by using explicit usernames in transit/sign
policies instead of relying on {{identity.entity.name}} templates, which were
not properly resolving during authorization checks. This enables users to
successfully sign documents with their respective vault transit keys.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

src/vault_setup.rs

@@ -442,6 +442,9 @@ impl VaultClient {
             Department::Finance => "finance",
         };
 
+        // Get the username from the policy name (remove "-policy" suffix)
+        let username = policy_name.trim_end_matches("-policy");
+        
         // Policy content with specific paths for the department
         let policy = format!(r#"
             # Allow reading document metadata
@@ -449,8 +452,8 @@ impl VaultClient {
                 capabilities = ["read"]
             }}
 
-            # Allow signing with user's key
-            path "transit/sign/{{{{identity.entity.name}}}}" {{
+            # Allow signing with user's key - use explicit username instead of identity.entity.name
+            path "transit/sign/{}" {{
                 capabilities = ["update"]
             }}
 
@@ -463,7 +466,7 @@ impl VaultClient {
             path "documents/data/dept/{}/signatures/*" {{
                 capabilities = ["create", "read", "update"]
             }}
-        "#, dept_name);
+        "#, username, dept_name);
 
         let url = format!("{}/v1/sys/policies/acl/{}", self.addr, policy_name);
         let payload = json!({