chore(helm): remove pre-1.0.0 upgrade fluff + tighten .helmignore

This is the 1.0.0 release of the chart — there is no pre-1.0.0
predecessor for users to upgrade from, so all of the dedicated upgrade
narration was hypothetical.

- Drop the 'Upgrading from a pre-1.0.0 build' README section and the
  matching troubleshooting entry.
- Drop the .Release.IsUpgrade block from NOTES.txt: items 5 (StatefulSet
  orphan-delete), 6 (INTERNAL_API_SECRET 'new in 1.0.0'), 7
  (networkPolicy.egress shape change). Each described a migration off a
  chart version that never shipped.
- Delete references/upgrade-pre-1.0.0.md and remove the corresponding
  pointers from SKILL.md.
- Anchor .helmignore patterns to chart root so /tests/ (unit suites)
  and /examples/ are dropped from the packaged tarball without also
  dropping templates/tests/ (the helm test hook).

Author: waleedlatif1

helm/sim/.claude/skills/sim-helm/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: sim-helm
-description: Install, upgrade, and operate the Sim Helm chart on Kubernetes. Covers install path selection (inline / existingSecret / External Secrets Operator), required secret generation, the values.yaml mental model (env vs envDefaults vs Secret), common failure triage, and the pre-1.0.0 → 1.0.0 StatefulSet upgrade procedure. Invoke when a user asks about deploying Sim to a cluster, authoring a Sim values.yaml, debugging a Sim pod that won't start, upgrading a Sim release, or wiring Sim into a secret manager.
+description: Install, upgrade, and operate the Sim Helm chart on Kubernetes. Covers install path selection (inline / existingSecret / External Secrets Operator), required secret generation, the values.yaml mental model (env vs envDefaults vs Secret), and common failure triage. Invoke when a user asks about deploying Sim to a cluster, authoring a Sim values.yaml, debugging a Sim pod that won't start, upgrading a Sim release, or wiring Sim into a secret manager.
 license: Apache-2.0
 ---
 
@@ -20,7 +20,6 @@ Before recommending anything, ask (or infer from the conversation) all of these.
 
 | Question | Why it matters |
 |---|---|
-| Fresh install or upgrade? | Upgrade-from-pre-1.0.0 has a mandatory StatefulSet orphan-delete step |
 | Cluster: EKS / GKE / AKS / OpenShift / kind / other? | Storage class, ingress class, identity provider differ |
 | Secret strategy: inline `--set`, pre-existing K8s Secret, or External Secrets Operator (ESO)? | The chart has three distinct code paths |
 | Postgres: chart-bundled, or external (RDS / Cloud SQL / Azure DB)? | Different value blocks (`postgresql.*` vs `externalDatabase.*`) |
@@ -40,7 +39,6 @@ Map the user's request to one of these categories and load the matching referenc
 | User needs to generate the required secrets | `references/secrets.md` |
 | User asks "what does this value do" / wants to author values.yaml | `references/values-model.md` |
 | Pod won't start, error message, `CrashLoopBackOff`, image pull error, ingress not routing | `references/troubleshooting.md` |
-| User is upgrading and `helm upgrade` failed with `Forbidden: updates to statefulset spec for fields other than...` | `references/upgrade-pre-1.0.0.md` |
 | User asks about ESO / Vault / AWS Secrets Manager / Azure Key Vault / GCP Secret Manager | `references/install-paths.md` (ESO section) |
 | User asks "is X production-ready" / autoscaling / network policy / security context | Read the README's "Production checklist" section directly — no separate reference |
 

helm/sim/.claude/skills/sim-helm/references/troubleshooting.md

@@ -69,25 +69,6 @@ Match the error:
 
 ---
 
-## Realtime pod connects to `http://localhost:3000` even though I set NEXT_PUBLIC_APP_URL
-
-**Cause:** You set `NEXT_PUBLIC_APP_URL` in `app.env` but not `realtime.env`. In chart versions before the fix shipped in 1.0.0, the realtime Deployment would inline the localhost default from `realtime.envDefaults`, masking the Secret value.
-
-**Fix (1.0.0+):** The chart now skips the realtime envDefault when the key is set in **either** `app.env` or `realtime.env`. Upgrade to chart 1.0.0+ if you're on an older build.
-
-**Fix (older chart):** Mirror the value in `realtime.env`:
-
-```yaml
-app:
-  env:
-    NEXT_PUBLIC_APP_URL: "https://sim.example.com"
-realtime:
-  env:
-    NEXT_PUBLIC_APP_URL: "https://sim.example.com"
-```
-
----
-
 ## Image pull errors (`ErrImagePull` / `ImagePullBackOff`)
 
 ```bash
@@ -136,19 +117,11 @@ kubectl describe ingress -n sim
 
 ---
 
-## `helm upgrade` fails with `Forbidden: updates to statefulset spec for fields other than 'replicas', 'ordinals', 'template', 'updateStrategy'...`
-
-**Cause:** You're upgrading from a pre-1.0.0 build. `StatefulSet.spec.serviceName` was renamed to point at a new headless Service. That field is immutable.
-
-**Fix:** See `references/upgrade-pre-1.0.0.md`. Orphan-delete the StatefulSet first (pods + PVCs survive), then re-run `helm upgrade`.
-
----
-
 ## CronJob pods fail with `CreateContainerConfigError: couldn't find key CRON_SECRET in Secret`
 
 **Cause:** `cronjobs.enabled=true` (the default) but `CRON_SECRET` isn't in the app Secret. Two paths:
 
-1. Inline mode: `app.env.CRON_SECRET=""` — the chart will fail at template time in 1.0.0+. If you somehow got past that, regenerate and set it.
+1. Inline mode: `app.env.CRON_SECRET=""` — the chart will fail at template time. If you somehow got past that, regenerate and set it.
 2. Existing-Secret mode: your pre-created Secret doesn't include `CRON_SECRET`. Add it:
    ```bash
    kubectl patch secret sim-app-secrets -n sim --type='json' \

helm/sim/.claude/skills/sim-helm/references/upgrade-pre-1.0.0.md

@@ -21,8 +21,11 @@
 .idea/
 *.tmproj
 .vscode/
-# Examples directory (included in chart but ignored during packaging)
-examples/
-# Test files
-*_test.yaml
-test/
+# Repo tooling — not part of the chart artifact (anchored to chart root)
+/.claude/
+/CONTRIBUTING.md
+/ci/
+# Examples — published in-repo, not in the packaged chart
+/examples/
+# Unit-test suites (helm-unittest) — distinct from templates/tests/ which IS shipped
+/tests/

helm/sim/.helmignore

@@ -133,26 +133,10 @@ helm install sim ./helm/sim --dry-run --debug \
 
 ## Upgrading
 
-### Upgrading within the 1.x line
-
 ```bash
 helm upgrade sim ./helm/sim --namespace sim --values my-values.yaml
 ```
 
-### Upgrading from a pre-1.0.0 build
-
-If you previously installed this chart from a git checkout before the `1.0.0` tag, the internal Postgres StatefulSets had their `serviceName` renamed to point at new headless Services. `StatefulSet.spec.serviceName` is immutable, so `helm upgrade` will fail with `Forbidden: updates to statefulset spec ...`. Orphan-delete the affected StatefulSet(s) first — pods and PVCs are preserved, traffic continues to flow:
-
-```bash
-kubectl delete statefulset sim-postgresql --namespace sim --cascade=orphan
-# If copilot is enabled, also:
-kubectl delete statefulset sim-copilot-postgresql --namespace sim --cascade=orphan
-
-helm upgrade sim ./helm/sim --namespace sim --values my-values.yaml
-```
-
-Other defaults that changed in `1.0.0`: image tags default to `Chart.AppVersion` (not `latest`), `pullPolicy` defaults to `IfNotPresent` (not `Always`), Ollama mount moved from `/root/.ollama` to `/data` (models must be re-pulled), `networkPolicy.egress` became an object `{exceptCidrs, extraRules}` instead of a list, `automountServiceAccountToken: false` is set on every pod, and every value in `app.env` / `realtime.env` is now written to a chart-managed Secret instead of inlined on the Deployment (chart-computed values `DATABASE_URL`, `SOCKET_SERVER_URL`, `OLLAMA_URL` remain inline). ESO users must map every key via `externalSecrets.remoteRefs.app.<KEY>` — the chart fails template rendering if a key is missing.
-
 ---
 
 ## Uninstalling
@@ -424,10 +408,6 @@ kubectl describe ingress --namespace sim
 * `ingress.className` doesn't match your controller → set it to your installed class.
 * DNS not pointed at the ingress's external IP / LoadBalancer.
 
-### `helm upgrade` fails with `Forbidden: updates to statefulset spec for fields other than...`
-
-You're upgrading from a pre-1.0.0 build of the chart. The `StatefulSet.serviceName` rename requires an orphan-delete first — see [Upgrading from a pre-1.0.0 build](#upgrading-from-a-pre-100-build).
-
 ### Get logs from each component
 
 ```bash

helm/sim/README.md

@@ -81,48 +81,7 @@ Your release is named {{ .Release.Name }} in namespace {{ .Release.Namespace }}.
      # Upgrade after changing values
      helm upgrade {{ .Release.Name }} ./helm/sim --namespace {{ .Release.Namespace }} -f your-values.yaml
 
-{{- if .Release.IsUpgrade }}
-5. Upgrading from a pre-1.0.0 build?
-
-   The internal Postgres StatefulSet's `spec.serviceName` was renamed to point
-   at a new headless Service. That field is immutable, so `helm upgrade` will
-   fail with: `Forbidden: updates to statefulset spec for fields other than
-   ...`. Orphan-delete the StatefulSet first (preserves pods and PVCs, traffic
-   keeps flowing):
-
-     kubectl --namespace {{ .Release.Namespace }} delete statefulset {{ include "sim.fullname" . }}-postgresql --cascade=orphan
-{{- if .Values.copilot.enabled }}
-     kubectl --namespace {{ .Release.Namespace }} delete statefulset {{ include "sim.fullname" . }}-copilot-postgresql --cascade=orphan
-{{- end }}
-
-   Then re-run `helm upgrade`. See README → "Upgrading from a pre-1.0.0 build"
-   for the full procedure. Skip this step if you're already on 1.0.0+.
-
-6. Also new in 1.0.0: `app.env.INTERNAL_API_SECRET` is now required.
-
-   Older charts treated this as optional. Upgrades will fail at template
-   render with `app.env.INTERNAL_API_SECRET is required for production
-   deployment` if you never set it. Generate one and pass it on upgrade:
-
-     --set app.env.INTERNAL_API_SECRET=$(openssl rand -hex 32)
-
-   Store it durably (values.yaml / existingSecret / ESO) — the app and
-   realtime pods both read it to authenticate inter-service requests.
-
-7. Also new in 1.0.0: `networkPolicy.egress` shape changed.
-
-   Was: a list of custom egress rules.
-   Now: a map with `exceptCidrs` (CIDRs excluded from broad HTTPS egress)
-   and `extraRules` (custom rules appended to the policy).
-
-   If you previously set custom rules under `networkPolicy.egress:`, move
-   them to `networkPolicy.egress.extraRules:` — old-shape values are
-   silently ignored after upgrade.
-
-8. Where to go next:
-{{- else }}
 5. Where to go next:
-{{- end }}
 
    * Production checklist:  helm/sim/README.md (search "Production checklist")
    * Troubleshooting:       helm/sim/README.md (search "Troubleshooting")