feat(helm): add lint matrix and Helm e2e test harness

[TaylorMutch]

Summary

• Consolidates all Helm values overlays from the chart root into `deploy/helm/openshell/ci/` to keep development and CI configuration together
• Adds a `helm:lint` matrix task that validates the chart against every configuration variant in `ci/values-*.yaml` (cert-manager, gateway, keycloak, skaffold, tls-disabled)
• Introduces `tasks/scripts/helm-e2e.sh` and four `e2e:helm*` mise tasks that bootstrap a k3d cluster, build images via `docker buildx`, deploy via Helm, and run the existing Rust and Python e2e suites against the Kubernetes compute driver
• Adds a `helm-lint.yml` GitHub Actions workflow that runs the lint matrix automatically on PRs touching `deploy/helm/**`

Related Issue

Depends on #1158 (adds the local-dev k3d environment this PR builds on top of).

Changes

• `deploy/helm/openshell/ci/` — new directory; `values-skaffold.yaml`, `values-cert-manager.yaml`, `values-gateway.yaml`, `values-keycloak.yaml` moved here from the chart root; `values-tls-disabled.yaml` added for lint coverage
• `deploy/helm/openshell/.helmignore` — simplified to `ci/` wildcard (replaces per-file entries)
• `deploy/helm/openshell/skaffold.yaml` — updated `valuesFiles` paths to `ci/`
• `tasks/helm.toml` — `helm:lint` expanded to loop over all `ci/values-*.yaml`; `e2e:helm`, `e2e:helm:rust`, `e2e:helm:python`, `e2e:helm:cert-manager` tasks added
• `tasks/scripts/helm-e2e.sh` — new script: preflight → reuse/create k3d cluster → docker build gateway+supervisor → k3d image import → helm upgrade --install → wait for PKI secrets → port-forward → register gateway → poll health → run suites → cleanup trap
• `.github/workflows/helm-lint.yml` — new workflow: triggers on `deploy/helm/**` path changes, runs `mise run helm:lint` in the CI container (path-filtered so unrelated PRs skip it entirely)
• `.agents/skills/helm-dev-environment/SKILL.md` — updated paths and added `helm-e2e.sh` to key files table

Testing

• `mise run helm:lint` — 6 variants, all passing locally
• `HELM_E2E_KEEP_CLUSTER=1 mise run e2e:helm:rust` — full Rust suite passes against a fresh k3d cluster
• `helm-lint.yml` workflow verified firing on GHA (PR ci: add helm lint workflow triggered on helm chart changes #1160)
• Tests that rely on `host.openshell.internal` host-network access (`graphql_l7`, `forward_proxy_l7_bypass allow`, `host_gateway_alias` reach/inference tests) are skipped on the Kubernetes path; these require Docker-native networking not available in k3d pods

Checklist

• Follows conventional commits format
• `mise run helm:lint` passes
• Helm e2e Rust suite passes locally
• GHA helm lint workflow verified
• No secrets or credentials committed
• Skill documentation updated

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.