Context
PR #44 introduced the Helm chart. Copilot review flagged several non-critical hardening items that were deferred. All CI checks pass and the chart is functional — these are DX and edge-case improvements.
Tasks
values.schema.json — expand coverage: Add missing properties (serviceAccount, podSecurityContext, securityContext, imagePullSecrets, tolerations, affinity, topologySpreadConstraints, networkPolicy.*, service.annotations, ingress.hosts/tls, persistence.accessModes/annotations, extraEnv, extraEnvFrom). Improves IDE autocomplete and helm lint --strict validation.
secret.yaml — enforce jwtSecret minLength 32: Currently required only checks non-empty. Add a Go template length check or minLength: 32 in values.schema.json to fail-fast on short JWT secrets instead of runtime crash.
pdb.yaml — handle minAvailable: 0 truthiness: Replace {{- if .Values.podDisruptionBudget.minAvailable }} with a kindIs / ne nil check so explicit 0 is preserved. Also enforce mutual exclusivity with maxUnavailable.
hpa.yaml — guard against SQLite + HPA conflict: When storageProvider=sqlite, either disable HPA rendering with a warning or clamp maxReplicas: 1 to prevent multi-replica SQLite writes.
Priority
Low — none of these are blockers. The chart is production-ready for standard usage patterns.
🤖 Generated with Claude Code
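One way the pdb.yaml task could be implemented, as an added sketch that is not the chart's own template: it treats a value as set whenever it is not nil, so an explicit 0 survives, and fails rendering when both fields are given. The resource name and selector label are placeholders, and gating the whole resource on either field being set is an assumption.

```yaml
{{- /* templates/pdb.yaml: added sketch, not the chart's own file */ -}}
{{- /* Fall back to an empty dict so a missing block does not raise a nil error */ -}}
{{- $pdb := .Values.podDisruptionBudget | default dict -}}
{{- /* kindIs "invalid" is true only for nil, so 0 and "0%" count as set. */ -}}
{{- /* A plain `if $pdb.minAvailable` would treat 0 as false and drop it. */ -}}
{{- $hasMin := not (kindIs "invalid" $pdb.minAvailable) -}}
{{- $hasMax := not (kindIs "invalid" $pdb.maxUnavailable) -}}
{{- /* The PodDisruptionBudget API accepts only one of the two fields */ -}}
{{- if and $hasMin $hasMax -}}
{{- fail "podDisruptionBudget: set only one of minAvailable or maxUnavailable" -}}
{{- end -}}
{{- if or $hasMin $hasMax }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  # Placeholder name; a real chart would use its own fullname helper
  name: {{ .Release.Name }}-pdb
spec:
  {{- if $hasMin }}
  minAvailable: {{ $pdb.minAvailable }}
  {{- else }}
  maxUnavailable: {{ $pdb.maxUnavailable }}
  {{- end }}
  selector:
    matchLabels:
      # Placeholder selector; it must match the workload's pod labels
      app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
```

Rendering with `helm template` and `--set podDisruptionBudget.minAvailable=0` should emit `minAvailable: 0`, and setting both fields should abort with the `fail` message.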