Vouch Request: Fix custom VCT mount issue (#967)

[kon-angelo]

I'd like to fix the issue where custom volumeClaimTemplates are created but never mounted in sandbox pods (issue #967).

Root Cause

In crates/openshell-driver-kubernetes/src/driver.rs, the apply_workspace_persistence() function (lines 1129-1131) bundles two concerns into an all-or-nothing decision:

1. Adding the /sandbox volumeMount to the agent container
2. Adding the seeding init container that copies image content into the PVC

When users provide custom VCTs via platform_config, the inject_workspace = false flag causes BOTH the mount and the seeding to be skipped. This means:

• The SAG controller creates the PVCs (lines 940-944)
• The PVCs appear in the pod spec as volumes
• But no volumeMount entries are added to the agent container (lines 1073-1082)
• Result: PVCs exist but are unreachable from inside the container

Additionally, providing ANY custom VCT completely disables the default workspace persistence — users lose the /sandbox mount with no way to restore it.

Fix

Split apply_workspace_persistence() into two independent functions:

• apply_workspace_mount(): Always adds the volumeMount at /sandbox (for both default and user VCTs)
• apply_workspace_seeding(): Only adds the init container for the default workspace VCT (not for user VCTs, since users bring their own storage)

This ensures user-provided VCTs are mounted and accessible, while avoiding unnecessary seeding of user-managed storage.

Verification

I have:

1. Traced the VCT lifecycle through sandbox_to_k8s_spec() and sandbox_template_to_k8s() in driver.rs
2. Identified the exact code paths where the mount decision is made (lines 898-902, 940-944, 1129-1131)
3. Confirmed no existing test covers the user-VCT-with-mount path (only workspace_persistence_skipped_when_inject_workspace_false at line 1912, which validates the absence)
4. Implemented the fix with proper test coverage for both cases (default VCT with seeding, user VCT without seeding)
5. The fix is on branch 967-fix-vct-mount with commit 16063bae

I can explain every line of the change and how it interacts with the Kubernetes driver, SAG controller, and pod spec generation.

Related

• Issue: bug: Custom volumeClaimTemplates are created but never mounted in the sandbox pod #967 "bug: Custom volumeClaimTemplates are created but never mounted in the sandbox pod"
• Branch: 967-fix-vct-mount
• Commit: 16063bae "fix(driver-kubernetes): mount user-provided VCTs at /sandbox without seeding"