fix(novelapp): also bind gheorghe's dashboard SA to novelapp admin

His app lives in novelapp, but the dashboard injects his SA token
(system:serviceaccount:vabbit81:dashboard-vabbit81), while the existing
binding only granted the OIDC User vabbit81@gmail.com (OIDC blocked). Add the
SA as a second subject so the web dashboard (token-injector) can manage
novelapp. Verified: SA can list/create in novelapp; injector path returns 200.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/novelapp/main.tf

@@ -245,7 +245,11 @@ module "ingress" {
   }
 }
 
-# RBAC — grant vabbit81 (Gheorghe) admin access to novelapp namespace
+# RBAC — grant vabbit81 (Gheorghe) admin access to novelapp namespace.
+# Two subjects: the OIDC User (for kubectl/kubelogin, once apiserver OIDC works)
+# AND his dashboard ServiceAccount (the web dashboard injects this SA's token —
+# see stacks/k8s-dashboard/dashboard_injector.tf — so it needs the grant too,
+# since the apiserver sees the SA, not the email, as the subject).
 resource "kubernetes_role_binding" "novelapp_owner_vabbit81" {
   metadata {
     name      = "novelapp-owner-vabbit81"
@@ -261,6 +265,12 @@ resource "kubernetes_role_binding" "novelapp_owner_vabbit81" {
     kind      = "User"
     name      = "vabbit81@gmail.com"
   }
+  subject {
+    api_group = ""
+    kind      = "ServiceAccount"
+    name      = "dashboard-vabbit81"
+    namespace = "vabbit81"
+  }
 }
 
 # Sealed Secrets — encrypted secrets safe to commit to git