chart: make deploy/helm/radar canonical + auto-sync to helm-charts

[nadaverell]

Why

The Radar Helm chart was living in two places that had drifted:

• deploy/helm/radar/ in this repo — Chart.yaml stuck at v0.6.9 with stale metadata, but clusterrole.yaml had ClusterAPI / Contour / Trivy CRD groups wired up.
• skyhook-io/helm-charts/charts/radar/ — published to ArtifactHub at v1.5.x with proper metadata, but missing those three CRD groups in values.yaml. Users installing from the public repo never got the RBAC grants.

The existing helm job in .github/workflows/release.yml already auto-syncs deploy/helm/radar/ → helm-charts/charts/radar/ on every Radar release. The drift came from someone hand-editing helm-charts after the last release — those hand-edits were going to be clobbered the next time release.yml ran. This PR resolves that by making the canonical copy contain everything, so the next release-time sync is correct.

What changes

1. Adopt the published 1.5.x lineage here: ArtifactHub annotations, radarhq.io URLs, full metadata. Bump Chart.yaml to 1.5.10.
2. Add values.schema.json — Helm validates user-supplied values at install/upgrade time (catches typos, bad enums, out-of-range ports), and ArtifactHub displays a "Values schema" badge. additionalProperties: true on service / persistence / auth.oidc / mcp / traffic so future fields don't break user configs.
3. README pointer — clarify that this dir is canonical and release.yml handles publishing.
4. Harden the helm job in release.yml (follow-up from review):
   • Extend the chart-version sed to also rewrite the image tag inside artifacthub.io/images: (previously hard-coded at 1.5.7 — would have advertised a stale image on every future release).
   • Fail fast if helm-charts already has the chart tag radar-$VERSION before pushing. helm/chart-releaser-action silently skips on tag collision; the workflow would otherwise return success but users' helm repo update would see nothing new.
5. Drop the manual chart-edit step from DEVELOPMENT.md — release.yml rewrites Chart.yaml automatically; manual edits race with the release machinery.

No new CI infra needed; the existing release.yml helm job already syncs on every release.

Net effect for end users (after next Radar release)

• ArtifactHub schema badge lights up.
• ClusterAPI / Contour / Trivy CRDs become readable out of the box.
• ArtifactHub image annotation shows the actual published version (was hard-coded 1.5.7).
• All previously hand-added ArtifactHub annotations preserved (icon, screenshots, links, category).

Sequencing with skyhook-io/helm-charts#11

skyhook-io/helm-charts#11 ships the values schema standalone at v1.5.9 so the badge lights up immediately. After that lands, helm-charts will hold tag radar-1.5.9. The next Radar release must therefore be ≥ v1.5.10 — the new tag-collision guard will fail the helm job otherwise, with a clear error message.

Test plan

• helm lint deploy/helm/radar passes
• helm template with default values passes the new schema
• helm template --set rbac.crdGroups.clusterApi=true --set rbac.crdGroups.contour=true --set rbac.crdGroups.trivy=true renders the expected RBAC rules
• Schema rejects bad enums (timeline.storage=invalid, auth.mode=bogus) and out-of-range service.port=99999
• Image-annotation sed pattern verified against the real Chart.yaml (rewrites radar:1.5.7 → radar:<release-version> cleanly)
• After helm-charts#11 merges: ArtifactHub shows schema badge at v1.5.9
• Next Radar release at v1.5.10+: ArtifactHub shows the new chart with all three CRD groups, schema, and updated image annotation

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit e619f23. Configure here.}