test(helm): add helm-unittest suites + CI workflow + ci values matrix

- 7 helm-unittest suites covering smoke, validators, secret modes,
  envDefaults secret-mode-aware inlining (round-9 regression net),
  chart-computed env keys (round-8 regression net), NetworkPolicy
  shape, and PDB/HPA conditional rendering (38 tests, ~265ms).
- ci/*.yaml render fixtures for default, production, existingSecret,
  ESO, and external-db install modes.
- GitHub Actions workflow runs helm lint --strict, helm unittest,
  helm template across the ci matrix, and kubeconform validation
  against Kubernetes 1.30 schemas.
- CONTRIBUTING.md documents how to run the same gates locally.

Author: waleedlatif1

.github/workflows/helm-chart.yml

@@ -0,0 +1,72 @@
+name: Helm Chart
+
+on:
+  pull_request:
+    paths:
+      - 'helm/**'
+      - '.github/workflows/helm-chart.yml'
+  push:
+    branches:
+      - main
+    paths:
+      - 'helm/**'
+      - '.github/workflows/helm-chart.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  lint-test:
+    name: Lint, unit-test, render, validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.2
+
+      - name: Install helm-unittest plugin
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest --version v0.7.2
+
+      - name: Helm dependency build
+        run: helm dependency build helm/sim
+
+      - name: Helm lint
+        run: helm lint helm/sim --strict
+
+      - name: Helm unit tests
+        run: helm unittest helm/sim
+
+      - name: Render every ci/*.yaml
+        run: |
+          set -euo pipefail
+          for f in helm/sim/ci/*.yaml; do
+            echo "::group::Render $f"
+            helm template release helm/sim -f "$f" > /tmp/render.yaml
+            echo "::endgroup::"
+          done
+
+      - name: Install kubeconform
+        run: |
+          curl -sSL -o /tmp/kubeconform.tar.gz \
+            https://github.com/yannh/kubeconform/releases/download/v0.6.7/kubeconform-linux-amd64.tar.gz
+          tar -xzf /tmp/kubeconform.tar.gz -C /tmp
+          sudo mv /tmp/kubeconform /usr/local/bin/kubeconform
+          kubeconform -v
+
+      - name: kubeconform validate every ci/*.yaml
+        run: |
+          set -euo pipefail
+          for f in helm/sim/ci/*.yaml; do
+            echo "::group::kubeconform $f"
+            helm template release helm/sim -f "$f" \
+              | kubeconform \
+                  -strict \
+                  -ignore-missing-schemas \
+                  -kubernetes-version 1.30.0 \
+                  -summary
+            echo "::endgroup::"
+          done

helm/sim/CONTRIBUTING.md

@@ -0,0 +1,107 @@
+# Contributing to the Sim Helm chart
+
+Thanks for improving the chart. This page covers how to run the checks that CI
+runs on every PR, so you can catch regressions locally before pushing.
+
+## Prerequisites
+
+- [Helm](https://helm.sh/docs/intro/install/) v3.16+
+- The [`helm-unittest`](https://github.com/helm-unittest/helm-unittest) plugin:
+
+  ```bash
+  helm plugin install https://github.com/helm-unittest/helm-unittest --version v0.7.2
+  ```
+
+- (Optional, for schema validation) [kubeconform](https://github.com/yannh/kubeconform)
+
+## What CI runs
+
+The `Helm Chart` workflow (`.github/workflows/helm-chart.yml`) runs four gates:
+
+1. **`helm lint --strict`** — catches template syntax errors and chart-metadata problems.
+2. **`helm unittest`** — runs every YAML suite in `helm/sim/tests/`.
+3. **`helm template`** against every file in `helm/sim/ci/` — proves the chart
+   actually renders under each supported install mode.
+4. **`kubeconform`** on the rendered output — validates every manifest against
+   Kubernetes API schemas (`-kubernetes-version 1.30.0`, `-strict`,
+   `-ignore-missing-schemas` so CRDs from optional dependencies don't fail).
+
+## Running the same checks locally
+
+```bash
+cd helm/sim
+helm dependency build
+helm lint . --strict
+helm unittest .
+for f in ci/*.yaml; do
+  helm template t . -f "$f" > /dev/null
+done
+```
+
+If you have kubeconform installed:
+
+```bash
+for f in ci/*.yaml; do
+  helm template t . -f "$f" | kubeconform -strict -ignore-missing-schemas \
+    -kubernetes-version 1.30.0 -summary
+done
+```
+
+## Adding a unit test
+
+Tests live in `helm/sim/tests/` and use the
+[helm-unittest DSL](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md).
+Each file is one suite. A test sets values, renders a template, and asserts on
+the rendered manifest:
+
+```yaml
+suite: my feature
+release:
+  name: t
+  namespace: sim
+tests:
+  - it: renders the thing
+    template: deployment-app.yaml
+    set:
+      app.env.BETTER_AUTH_SECRET: x
+      app.env.ENCRYPTION_KEY: x
+      app.env.INTERNAL_API_SECRET: x
+      app.env.CRON_SECRET: x
+      postgresql.auth.password: x
+      myFeature.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content: { name: MY_FEATURE_FLAG, value: "true" }
+```
+
+Use the existing suites as references:
+
+- `tests/smoke_test.yaml` — minimal render checks
+- `tests/validators_test.yaml` — `failedTemplate` assertions for required-value gates
+- `tests/secret-modes_test.yaml` — inline / existingSecret / ESO routing
+- `tests/env-defaults_test.yaml` — `envDefaults` secret-mode-aware inlining
+- `tests/chart-computed-env_test.yaml` — chart-computed env keys cannot be overridden
+- `tests/networkpolicy_test.yaml` — NetworkPolicy ingress/egress shape
+- `tests/pdb-hpa_test.yaml` — PDB tri-state + HPA conditional rendering
+
+When you fix a template bug, please add a regression test for it.
+
+## Adding a ci/*.yaml render fixture
+
+`helm/sim/ci/*.yaml` files are minimal values overlays that CI renders end-to-end
+plus validates with kubeconform. Add one when you introduce a new install mode
+(new secret backend, new database backend, new deployment topology). Keep them
+small — they should test that the mode *renders*, not exercise every option;
+detailed behavior belongs in unit tests.
+
+## Updating `Chart.yaml`
+
+- Bump `version` (the chart version) on every user-visible change.
+- Bump `appVersion` when targeting a new Sim release.
+- Follow SemVer: breaking values changes → major bump, additive → minor, fix → patch.
+
+## Touching `values.schema.json`
+
+The chart ships a JSON Schema that validates user-supplied values. If you add a
+new top-level value or change a type, update the schema in the same PR.

helm/sim/ci/default-values.yaml

@@ -0,0 +1,10 @@
+app:
+  env:
+    BETTER_AUTH_SECRET: ci-test-better-auth-secret-32chars
+    ENCRYPTION_KEY: ci-test-encryption-key-32-chars-ok
+    INTERNAL_API_SECRET: ci-test-internal-api-secret-32chr
+    CRON_SECRET: ci-test-cron-secret-32-characters
+
+postgresql:
+  auth:
+    password: ci-test-postgres-password

helm/sim/ci/existing-secret-values.yaml

@@ -0,0 +1,9 @@
+app:
+  secrets:
+    existingSecret:
+      enabled: true
+      name: my-existing-secret
+
+postgresql:
+  auth:
+    password: ci-test-postgres-password

helm/sim/ci/external-db-values.yaml

@@ -0,0 +1,18 @@
+app:
+  env:
+    BETTER_AUTH_SECRET: ci-test-better-auth-secret-32chars
+    ENCRYPTION_KEY: ci-test-encryption-key-32-chars-ok
+    INTERNAL_API_SECRET: ci-test-internal-api-secret-32chr
+    CRON_SECRET: ci-test-cron-secret-32-characters
+
+postgresql:
+  enabled: false
+
+externalDatabase:
+  enabled: true
+  host: db.example.com
+  port: 5432
+  database: simstudio
+  username: simstudio
+  password: ci-test-external-db-password
+  sslMode: require

helm/sim/ci/external-secrets-values.yaml

@@ -0,0 +1,17 @@
+externalSecrets:
+  enabled: true
+  secretStoreRef:
+    name: sim-store
+    kind: ClusterSecretStore
+  remoteRefs:
+    app:
+      BETTER_AUTH_SECRET: secrets/sim/auth
+      ENCRYPTION_KEY: secrets/sim/enc
+      INTERNAL_API_SECRET: secrets/sim/iapi
+      CRON_SECRET: secrets/sim/cron
+    postgresql:
+      password: secrets/sim/pgpw
+
+postgresql:
+  auth:
+    password: ci-test-postgres-password

helm/sim/ci/production-values.yaml

@@ -0,0 +1,36 @@
+app:
+  replicaCount: 2
+  env:
+    BETTER_AUTH_SECRET: ci-test-better-auth-secret-32chars
+    ENCRYPTION_KEY: ci-test-encryption-key-32-chars-ok
+    INTERNAL_API_SECRET: ci-test-internal-api-secret-32chr
+    CRON_SECRET: ci-test-cron-secret-32-characters
+
+realtime:
+  replicaCount: 2
+
+postgresql:
+  auth:
+    password: ci-test-postgres-password
+
+autoscaling:
+  enabled: true
+  minReplicas: 2
+  maxReplicas: 6
+
+networkPolicy:
+  enabled: true
+
+ingress:
+  enabled: true
+  app:
+    host: sim.example.com
+  realtime:
+    host: realtime.example.com
+
+podDisruptionBudget:
+  enabled: true
+  minAvailable: 1
+
+telemetry:
+  enabled: true

helm/sim/tests/chart-computed-env_test.yaml

@@ -0,0 +1,50 @@
+suite: chart-computed env keys can't be overridden (round-8 regression net)
+release:
+  name: t
+  namespace: sim
+
+tests:
+  - it: app pod uses chart-computed DATABASE_URL even when user tries to override
+    template: deployment-app.yaml
+    set:
+      app.env.BETTER_AUTH_SECRET: x
+      app.env.ENCRYPTION_KEY: x
+      app.env.INTERNAL_API_SECRET: x
+      app.env.CRON_SECRET: x
+      app.env.DATABASE_URL: "should-be-ignored"
+      postgresql.auth.password: x
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: DATABASE_URL
+            value: "should-be-ignored"
+
+  - it: existingSecret inline path skips DATABASE_URL/SOCKET_SERVER_URL
+    template: deployment-app.yaml
+    set:
+      app.secrets.existingSecret.enabled: true
+      app.secrets.existingSecret.name: my-secret
+      app.env.DATABASE_URL: "postgres://evil-1:5432/x"
+      app.env.SOCKET_SERVER_URL: "https://evil-2.example.com"
+      postgresql.auth.password: x
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content: { name: DATABASE_URL, value: "postgres://evil-1:5432/x" }
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content: { name: SOCKET_SERVER_URL, value: "https://evil-2.example.com" }
+
+  - it: realtime pod existingSecret inline path skips chart-computed keys (round-8)
+    template: deployment-realtime.yaml
+    set:
+      app.secrets.existingSecret.enabled: true
+      app.secrets.existingSecret.name: my-secret
+      app.env.DATABASE_URL: "postgres://evil-1:5432/x"
+      app.env.SOCKET_SERVER_URL: "https://evil-2.example.com"
+      postgresql.auth.password: x
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content: { name: SOCKET_SERVER_URL, value: "https://evil-2.example.com" }