Audit checklist should only check hardcoded namespaces and required+default conflicts.
Resource names are not violations — they depend on subchart implementation and must be
tested via helm template, not audited via grep.

Testing Templates section rewritten:
- require testing with at least 2 different release names and namespaces
- verify resource names, labels, selectors linkage works correctly in both
- verify manifest links (Service → Deployment) use correct names/namespaces
- this is how you validate chart portability, not via code inspection

IaC principle clarified:
- chart must be deployable to any cluster/namespace without editing
- deployment discipline prevents two instances in same cluster/namespace
- not a chart constraint, a deployment constraint

Audit checklist:
- add explicit grep-based checks for hardcoded namespaces, names, required+default conflicts, unused values keys
- scope name checks to templates/ only — hardcoded names in values.yaml are legitimate
- fix required error message example to include what to set and where

New sections:
- values.yaml Is Not Rendered — fixed names in values.yaml for subchart coordination are correct
- Never Hardcode Namespace / Release Name — hard rule with IaC principle rationale
- Glue Configuration pattern — documented exception for subchart coordination (e.g. Tempo + MinIO)

values.yaml hygiene rewrite:
- two purposes: static baseline + umbrella glue (wiring subcharts into one unit)
- goal is a short, minimal file identical across all installations
- installation-specific values belong exclusively in values.<instance>.yaml
- forbidden: empty placeholders, defaults for rarely-changed values, required-value entries

required vs defaults rewrite:
- sensible default → hardcode in template, not in values.yaml
- must-vary value → required with descriptive message, no entry in values.yaml
- | default forbidden
- required error messages must say exactly what to set and where

KISS addition:
- hardcoded values are the starting point, not a compromise
- parameterize only when developer asks, and into values.<instance>.yaml

Add hard rule: charts must be fully agnostic about installation target.
- Never hardcode namespace in any template — use .Release.Namespace or omit
- Never hardcode release name — use .Release.Name / fullname helper
- Enforce IaC principle: deployer decides where, chart describes what

config.yaml: new repo-root config file with docs_folders list
(docs, documentation, doc). apply.sh reads this list and picks the
first existing folder per project instead of hardcoding docs/.

Instructions:
- core-principles: add No Vibe Coding and No Touching .ai/ sections
- ai-root-instructions: add mandatory instructions block — rules stay
active for the whole session, not just at start; AI must stop and
announce if instructions were not loaded
- project-context, docs: updated to list all docs folder alternatives
and reference config.yaml as the source of truth

FR-5.0 added to apply-requirements.md. README step 4 updated.

New skill files:
- clean-code.instructions.md — naming, functions, classes, error handling,
formatting, DRY/KISS/SOLID, Helm YAML conventions
- clean-architecture.instructions.md — dependency rule, layers, boundaries,
SOLID foundation, Helm as outermost layer
- helm.instructions.md — resource ownership, values hygiene, required vs
defaults, umbrella chart pattern, two-file values layering, KISS principle,
hook ordering, config files pattern, dependency caching, template testing

Register all three in ai-root-instructions.md skills list and routing table.

Remove .ai from .gitignore — .ai/ is the product in this repo and must be
tracked; the apply.sh skip-by-marker mechanism prevents changes to other repos.
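
Added example, not part of the commits above or of the repository they describe: a sketch of the two audit checks the first message names (hardcoded namespaces and required+default conflicts), scoped to templates/ so that values.yaml is skipped. The rule names, regexes and sample chart files are assumptions constructed for illustration.

```python
import re

# `namespace:` followed by a value on the same line (assumed manifest style).
NAMESPACE_RE = re.compile(r"^\s*namespace:\s*(?P<value>[^\s#].*)$")
ACTION_RE = re.compile(r"\{\{-?(?P<body>.*?)-?\}\}", re.DOTALL)
STRING_RE = re.compile(r'"[^"]*"')


def audit_template(name, text):
    """Return (file, line, rule) findings for one file under templates/."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = NAMESPACE_RE.match(line)
        if m and "{{" not in m.group("value"):
            findings.append((name, lineno, "hardcoded-namespace"))
    for action in ACTION_RE.finditer(text):
        # Drop string literals so words inside an error message do not count.
        body = STRING_RE.sub('""', action.group("body"))
        if re.search(r"\brequired\b", body) and re.search(r"\bdefault\b", body):
            lineno = text.count("\n", 0, action.start()) + 1
            findings.append((name, lineno, "required+default"))
    return findings


def audit_chart(files):
    """Audit only templates/; values.yaml is not rendered and is skipped."""
    findings = []
    for name in sorted(files):
        if name.startswith("templates/"):
            findings.extend(audit_template(name, files[name]))
    return findings


# Constructed sample chart files (not taken from any real chart).
SAMPLE_CHART = {
    "values.yaml": "minio:\n  namespace: storage\n",
    "templates/service.yaml": (
        "metadata:\n"
        '  name: {{ include "app.fullname" . }}\n'
        "  namespace: monitoring\n"
    ),
    "templates/deployment.yaml": (
        "metadata:\n"
        "  namespace: {{ .Release.Namespace }}\n"
        "spec:\n"
        '  replicas: {{ required "set a default-free replicas value"'
        " (.Values.replicas | default 1) }}\n"
    ),
}
```

A textual check like this covers only the two audit items; resource names and Service-to-Deployment linkage still need rendering with `helm template` under at least two release names and namespaces, as the first message states.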