fix(helm): drop empty-string shadowing in app/realtime env merge

Sprig 'merge' treats "" as a real value, so a default-empty
app.env.BETTER_AUTH_URL would shadow a non-empty realtime.env override
and the URL would never reach the rendered Secret. Replace 'merge'
with an explicit two-pass overlay that filters empties before writing,
mirroring the same pattern already used in deployment-realtime.yaml's
existingSecret block.

Adds two regression tests: realtime.env-only value reaches the Secret
when app.env is empty, and app.env still wins on collision when both
are non-empty (48 tests total).

Author: waleedlatif1

helm/sim/templates/secrets-app.yaml

@@ -20,18 +20,32 @@ type: Opaque
 stringData:
   {{- $chartComputed := list "DATABASE_URL" "SOCKET_SERVER_URL" "OLLAMA_URL" }}
   {{- /*
-    Sprig `merge` keeps the FIRST source's value on key collision. Listing
-    app.env first makes app.env authoritative for shared keys (e.g.
-    BETTER_AUTH_SECRET, BETTER_AUTH_URL) — both pods mount this Secret via
-    envFrom, so the app container must not be silently overwritten by a
-    realtime-side value.
+    Intent: app.env is authoritative for shared keys (both pods envFrom this
+    Secret, so the app container must not be silently overwritten by a
+    realtime-side value), BUT empty strings must never win.
+
+    Sprig `merge` treats "" as a real value, so a default-empty app.env entry
+    would shadow a non-empty realtime.env entry. Build the effective dict
+    manually: start from realtime.env, then overlay non-empty app.env values
+    on top — this gives app.env-wins-on-collision without empty-string
+    shadowing. Mirrors the pattern used in deployment-realtime.yaml.
   */}}
-  {{- $merged := merge (dict) (.Values.app.env | default dict) (.Values.realtime.env | default dict) }}
-  {{- range $key, $value := $merged }}
-  {{- if not (has $key $chartComputed) }}
+  {{- $appEnv := .Values.app.env | default dict }}
+  {{- $rtEnv := .Values.realtime.env | default dict }}
+  {{- $effective := dict }}
+  {{- range $key, $value := $rtEnv }}
   {{- if and (ne (toString $value) "") (ne (toString $value) "<nil>") }}
-  {{ $key }}: {{ $value | quote }}
+  {{- $_ := set $effective $key $value }}
   {{- end }}
   {{- end }}
+  {{- range $key, $value := $appEnv }}
+  {{- if and (ne (toString $value) "") (ne (toString $value) "<nil>") }}
+  {{- $_ := set $effective $key $value }}
+  {{- end }}
+  {{- end }}
+  {{- range $key, $value := $effective }}
+  {{- if not (has $key $chartComputed) }}
+  {{ $key }}: {{ $value | quote }}
+  {{- end }}
   {{- end }}
 {{- end }}

helm/sim/tests/secret-modes_test.yaml

@@ -86,3 +86,33 @@ tests:
           content:
             secretRef:
               name: my-existing-secret
+
+  - it: realtime.env-only value reaches the Secret when app.env entry is empty (cursor bugbot fix)
+    template: secrets-app.yaml
+    set:
+      app.env.BETTER_AUTH_SECRET: x
+      app.env.ENCRYPTION_KEY: x
+      app.env.INTERNAL_API_SECRET: x
+      app.env.CRON_SECRET: x
+      app.env.BETTER_AUTH_URL: ""
+      realtime.env.BETTER_AUTH_URL: "https://realtime.example.com"
+      postgresql.auth.password: x
+    asserts:
+      - equal:
+          path: stringData.BETTER_AUTH_URL
+          value: "https://realtime.example.com"
+
+  - it: app.env wins over realtime.env on collision when both are non-empty
+    template: secrets-app.yaml
+    set:
+      app.env.BETTER_AUTH_SECRET: x
+      app.env.ENCRYPTION_KEY: x
+      app.env.INTERNAL_API_SECRET: x
+      app.env.CRON_SECRET: x
+      app.env.NEXT_PUBLIC_APP_URL: "https://app.example.com"
+      realtime.env.NEXT_PUBLIC_APP_URL: "https://realtime.example.com"
+      postgresql.auth.password: x
+    asserts:
+      - equal:
+          path: stringData.NEXT_PUBLIC_APP_URL
+          value: "https://app.example.com"