fix(helm): copy-pasteable install commands in copilot + ESO examples

values-copilot.yaml: the install header was missing every required
copilot.server.env.* secret (AGENT_API_DB_ENCRYPTION_KEY, INTERNAL_API_SECRET,
LICENSE_KEY, SIM_BASE_URL, SIM_AGENT_API_KEY, REDIS_URL, one model key) plus
copilot.postgresql.auth.password. Pasting it as-is failed at template render.

values-external-secrets.yaml: NEXT_PUBLIC_APP_URL, BETTER_AUTH_URL, etc. were
declared under app.env / realtime.env. In ESO mode the chart-managed Secret
isn't rendered, so the validator (rightly) rejects keys in app.env that
aren't mapped under externalSecrets.remoteRefs. Moved non-secret URL/config
to envDefaults, which is inlined and not subject to the ESO mapping rule.

Author: waleedlatif1

helm/sim/examples/values-copilot.yaml

@@ -16,7 +16,20 @@
 #     --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
 #     --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
 #     --set app.env.CRON_SECRET="$CRON_SECRET" \
-#     --set postgresql.auth.password="$POSTGRES_PASSWORD"
+#     --set postgresql.auth.password="$POSTGRES_PASSWORD" \
+#     --set copilot.postgresql.auth.password="$COPILOT_POSTGRES_PASSWORD" \
+#     --set copilot.server.env.AGENT_API_DB_ENCRYPTION_KEY="$AGENT_API_DB_ENCRYPTION_KEY" \
+#     --set copilot.server.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
+#     --set copilot.server.env.LICENSE_KEY="$COPILOT_LICENSE_KEY" \
+#     --set copilot.server.env.SIM_BASE_URL="https://sim.example.com" \
+#     --set copilot.server.env.SIM_AGENT_API_KEY="$SIM_AGENT_API_KEY" \
+#     --set copilot.server.env.REDIS_URL="redis://default:password@redis:6379" \
+#     --set copilot.server.env.OPENAI_API_KEY_1="$OPENAI_API_KEY"
+#
+# All copilot.server.env.* keys above are required when copilot.enabled=true,
+# plus at least one model provider key (OPENAI_API_KEY_1 or ANTHROPIC_API_KEY_1).
+# LICENSE_KEY is issued by the Sim team. SIM_AGENT_API_KEY must equal the
+# COPILOT_API_KEY value on the main app side. SIM_BASE_URL is the public app URL.
 
 # Enable the copilot service
 copilot:

helm/sim/examples/values-external-secrets.yaml

@@ -40,7 +40,12 @@ externalSecrets:
 app:
   enabled: true
   replicaCount: 2
-  env:
+  # In ESO mode, app.env may only contain keys that are also mapped under
+  # externalSecrets.remoteRefs.app (the chart-managed Secret is not rendered,
+  # so any unmapped value would silently go nowhere). Non-secret URL/config
+  # belongs in envDefaults — those are inlined on the container as `env:`
+  # and don't flow through the Secret.
+  envDefaults:
     NEXT_PUBLIC_APP_URL: "https://sim.example.com"
     BETTER_AUTH_URL: "https://sim.example.com"
     NEXT_PUBLIC_SOCKET_URL: "wss://sim-ws.example.com"
@@ -49,7 +54,7 @@ app:
 realtime:
   enabled: true
   replicaCount: 2
-  env:
+  envDefaults:
     NEXT_PUBLIC_APP_URL: "https://sim.example.com"
     BETTER_AUTH_URL: "https://sim.example.com"
     ALLOWED_ORIGINS: "https://sim.example.com"