fix(helm): hardening from review

- _helpers.tpl: required guard on image.tag — silent empty deploys can
  no longer happen; helm fails fast with a clear message.
- configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only
  sees HTTPS when X-Forwarded-Proto is actually present.
- deployment-app: add startupProbe with 100s budget so first-boot cache
  warmup doesn't trip liveness.
- deployment-horizon: failureThreshold=5 on the horizon:status probe;
  transient Valkey blips no longer cause restart loops.
- job-migrate: mount oauth-keys so seeders that touch Passport clients
  don't silently fail.
- statefulset-valkey: replace separate password Secret with a
  requirePassword toggle that reads REDIS_PASSWORD from the main chart
  Secret (same Secret app/horizon/scheduler already mount). Liveness
  probe authenticates with the password when set.
- values-us-prod: enable valkey.requirePassword.
- README: add REDIS_PASSWORD to bootstrap procedure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

helm/ezscale-website/templates/configmap-nginx.yaml

@@ -34,7 +34,10 @@ data:
             fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
             fastcgi_param DOCUMENT_ROOT $realpath_root;
             fastcgi_param HTTP_PROXY "";
-            fastcgi_param HTTPS $http_x_forwarded_proto;
+            # Pass HTTPS to PHP only when X-Forwarded-Proto is non-empty.
+            # if_not_empty avoids the param being set to "" when the header
+            # is missing (which would falsely satisfy isset($_SERVER['HTTPS'])).
+            fastcgi_param HTTPS $http_x_forwarded_proto if_not_empty;
             fastcgi_buffers 16 16k;
             fastcgi_buffer_size 32k;
             fastcgi_read_timeout 300;