fix: add persistentvolumeclaims RBAC to controller service account

The per-taskrun-pvc session store creates PVCs via the K8s API but the
ClusterRole did not grant this permission. Controller was failing with
"persistentvolumeclaims is forbidden" on every ticket poll.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: mattcamp

CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.6] - 2026-03-19
+
+### Fixed
+
+- Controller service account was missing `persistentvolumeclaims` RBAC
+  permissions. The `per-taskrun-pvc` session store calls the K8s API to create
+  PVCs but the ClusterRole only granted access to `jobs`, `pods`, `configmaps`,
+  and `secrets`. Added `get`, `list`, `watch`, `create`, `delete` on
+  `persistentvolumeclaims`.
+
 ## [0.3.5] - 2026-03-18
 
 ### Fixed

charts/osmia/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: osmia
 description: A Kubernetes-native AI coding agent harness
 type: application
-version: 0.3.5
-appVersion: "0.3.5"
+version: 0.3.6
+appVersion: "0.3.6"
 home: https://github.com/unitaryai/osmia
 sources:
   - https://github.com/unitaryai/osmia

charts/osmia/templates/rbac.yaml

@@ -30,6 +30,9 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "create", "delete"]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]