docs: bugfix release with policy path-matching improvements

[allisson]

This release improves authorization policy path matching behavior with mid-path wildcard support and updates all documentation references from v0.4.0 to v0.4.1.

Documentation updates:

• Added release notes page: docs/releases/v0.4.1.md
• Updated metadata.json to current_release: v0.4.1 and last_docs_refresh: 2026-02-19
• Updated all Docker examples from allisson/secrets:v0.4.0 to v0.4.1
• Updated README.md with v0.4.1 highlights and release notes link

Policy matching improvements:

• Documented mid-path wildcard support (/v1/transit/keys/*/rotate pattern)
• Added path matching behavior section to policies.md with exact, trailing, and mid-path wildcard rules
• Added route shape vs policy shape guidance to distinguish 404 vs 403 errors
• Added pre-deploy policy review checklist
• Added copy-safe split-role policy snippets for common workflows

Documentation enhancements:

• Added policy matcher quick-reference table to capability-matrix.md
• Added troubleshooting FAQ for policy matchers with common false positives
• Added transit rotate smoke-test validation steps
• Added malformed path-shape smoke checks for route validation
• Added strict CI mode snippet for policy smoke checks
• Added operator quick checklist and documentation migration map
• Converted Clients API references to clickable links across docs
• Added docs metadata guard to require "Last updated: YYYY-MM-DD" marker

Cross-linking improvements:

• Added wildcard matcher semantics links in auth, clients, secrets, and transit API docs
• Added policy triage cross-links in audit-logs.md
• Linked v0.4.1 release notes from production.md and smoke-test.md

Code changes:

• Enhanced Client.IsAllowed() with mid-path wildcard matching logic
• Added matchPath() helper function supporting exact, trailing, and mid-path wildcards
• Expanded test coverage with 11 new edge-case scenarios for wildcard matching