ci(helm): pass Bundle 3 required-secret values + add inverse regression checks

CI break diagnosed from the runner log on 47da13e (Bundle 3 closure
commit): the existing helm-lint job invoked

  helm lint   --set server.tls.existingSecret=certctl-tls-ci
  helm template --set server.tls.existingSecret=certctl-tls-ci

without supplying server.auth.apiKey or postgresql.auth.password.
Pre-Bundle-3 the chart accepted that and emitted empty-value Secrets;
post-Bundle-3 the new `certctl.requiredSecrets` helper fail-fasts at
template time with the operator-actionable diagnostic. CI helm-lint job
correctly failed loud — exactly what the new guard is supposed to do —
but the workflow itself was the missing piece.

Closure: every positive `helm lint` / `helm template` invocation in
the helm-lint job now passes the two new required values. Five new
inverse-render steps pin the fail-fast guards in CI so a future
regression (someone removes the helper, makes a key optional, etc.)
shows up as a red ::error:: with the exact Bundle 3 finding ID:
  - D2: external Postgres mode renders 0 postgres-* templates
  - D7: TLS both-set must REJECT
  - D1: missing server.auth.apiKey must REJECT
  - D1: missing postgresql.auth.password must REJECT
  - D1: missing externalDatabase.url must REJECT (postgresql.enabled=false)

The CI image installs helm v3.13.0 which is identical to the sandbox
verification version, so green local + green CI line up.

Verification (sandbox, helm v3.16.3 — same fail-fast behavior):
  helm lint <chart> [+required secrets]            # 1 chart linted, 0 failed
  helm template <4 positive modes>                 # all render
  helm template <5 inverse modes>                  # all REJECTED with B3 diagnostic
  bash scripts/ci-guards/B3-helm-chart-coherence.sh # clean

.github/workflows/ci.yml

@@ -432,15 +432,25 @@ jobs:
       # configured. Every lint/template invocation below must pick exactly one
       # provisioning mode — see deploy/helm/certctl/templates/_helpers.tpl
       # (certctl.tls.required) and docs/operator/tls.md.
+      #
+      # Bundle 3 closure (2026-05-12, commit f1fa311): the chart now ALSO
+      # fails render when (a) server.auth.type=api-key + apiKey empty, or
+      # (b) postgresql.enabled=true + postgresql.auth.password empty.
+      # Every positive render below MUST pass both secrets; inverse tests
+      # at the bottom of this job pin the fail-fast guards in place.
       - name: Lint Helm Chart
         run: |
           helm lint deploy/helm/certctl/ \
-            --set server.tls.existingSecret=certctl-tls-ci
+            --set server.tls.existingSecret=certctl-tls-ci \
+            --set server.auth.apiKey=ci-api-key-placeholder \
+            --set postgresql.auth.password=ci-postgres-placeholder
 
       - name: Template Helm Chart (existingSecret mode)
         run: |
           helm template certctl deploy/helm/certctl/ \
             --set server.tls.existingSecret=certctl-tls-ci \
+            --set server.auth.apiKey=ci-api-key-placeholder \
+            --set postgresql.auth.password=ci-postgres-placeholder \
             > /dev/null
 
       - name: Template Helm Chart (cert-manager mode)
@@ -448,8 +458,30 @@ jobs:
           helm template certctl deploy/helm/certctl/ \
             --set server.tls.certManager.enabled=true \
             --set server.tls.certManager.issuerRef.name=letsencrypt-prod \
+            --set server.auth.apiKey=ci-api-key-placeholder \
+            --set postgresql.auth.password=ci-postgres-placeholder \
             > /dev/null
 
+      - name: Template Helm Chart (external Postgres mode — Bundle 3 D2)
+        run: |
+          # Closes Bundle 3 D2: postgresql.enabled=false must (a) render
+          # cleanly with externalDatabase.url and (b) emit ZERO postgres-*
+          # templates. The render output is grep-checked below.
+          out=$(helm template certctl deploy/helm/certctl/ \
+            --set server.tls.existingSecret=certctl-tls-ci \
+            --set postgresql.enabled=false \
+            --set externalDatabase.url='postgres://u:p@db.example.com:5432/certctl?sslmode=require' \
+            --set server.auth.apiKey=ci-api-key-placeholder)
+          # Bundled-Postgres resources must not appear when postgresql.enabled=false.
+          if echo "$out" | grep -qE "^kind: StatefulSet$"; then
+            echo "::error::Bundle 3 D2 regression: postgres StatefulSet rendered with postgresql.enabled=false"
+            exit 1
+          fi
+          if echo "$out" | grep -q "postgres-secret.yaml"; then
+            echo "::error::Bundle 3 D2 regression: postgres-secret rendered with postgresql.enabled=false"
+            exit 1
+          fi
+
       - name: Template Helm Chart (guard fails without TLS)
         run: |
           # Inverse test: the chart MUST refuse to render when no TLS source is
@@ -460,6 +492,58 @@ jobs:
             exit 1
           fi
 
+      - name: Template Helm Chart (guard fails — Bundle 3 D7 TLS both-set)
+        run: |
+          # Bundle 3 D7: setting BOTH existingSecret AND certManager.enabled
+          # creates two conflicting TLS sources of truth. Chart must refuse.
+          if helm template certctl deploy/helm/certctl/ \
+                --set server.tls.existingSecret=ci \
+                --set server.tls.certManager.enabled=true \
+                --set server.tls.certManager.issuerRef.name=foo \
+                --set server.auth.apiKey=k \
+                --set postgresql.auth.password=p \
+                > /dev/null 2>&1; then
+            echo "::error::Bundle 3 D7 regression: chart rendered with BOTH TLS sources configured"
+            exit 1
+          fi
+
+      - name: Template Helm Chart (guard fails — Bundle 3 D1 missing apiKey)
+        run: |
+          # Bundle 3 D1: missing server.auth.apiKey when auth.type=api-key
+          # must fail at template time, not silently render an empty Secret.
+          if helm template certctl deploy/helm/certctl/ \
+                --set server.tls.existingSecret=ci \
+                --set postgresql.auth.password=p \
+                > /dev/null 2>&1; then
+            echo "::error::Bundle 3 D1 regression: chart rendered with empty server.auth.apiKey"
+            exit 1
+          fi
+
+      - name: Template Helm Chart (guard fails — Bundle 3 D1 missing pg password)
+        run: |
+          # Bundle 3 D1: missing postgresql.auth.password when postgresql.enabled=true
+          # must fail at template time, not silently use a fallback default.
+          if helm template certctl deploy/helm/certctl/ \
+                --set server.tls.existingSecret=ci \
+                --set server.auth.apiKey=k \
+                > /dev/null 2>&1; then
+            echo "::error::Bundle 3 D1 regression: chart rendered with empty postgresql.auth.password"
+            exit 1
+          fi
+
+      - name: Template Helm Chart (guard fails — Bundle 3 D1 missing external DB URL)
+        run: |
+          # Bundle 3 D1: missing externalDatabase.url when postgresql.enabled=false
+          # must fail at template time.
+          if helm template certctl deploy/helm/certctl/ \
+                --set server.tls.existingSecret=ci \
+                --set postgresql.enabled=false \
+                --set server.auth.apiKey=k \
+                > /dev/null 2>&1; then
+            echo "::error::Bundle 3 D1 regression: chart rendered with postgresql.enabled=false + empty externalDatabase.url"
+            exit 1
+          fi
+
   # =============================================================================
   # deploy-vendor-e2e — single-job (collapsed from 12-job matrix)
   # =============================================================================