feat: remove secrets block from Helm values

Remove the secrets: block from values.yaml so no plaintext credentials
live in the chart or git history. Update values-prod.yaml to replace the
--set secrets.* instructions with a pointer to the create-secrets.sh script.

helm/shorefront/values-prod.yaml

@@ -1,8 +1,9 @@
 ingress:
   host: shorefront.yourdomain.com
 
-# Override secrets at deploy time:
-# helm upgrade --install shorefront ./helm/shorefront \
-#   --values helm/shorefront/values-prod.yaml \
-#   --set secrets.postgresPassword=<real-password> \
-#   --set secrets.jwtSecretKey=<real-jwt-secret>
+# Secrets are NOT managed by Helm. Run scripts/create-secrets.sh before
+# the first helm install/ArgoCD sync:
+#
+#   export POSTGRES_PASSWORD=<real-password>
+#   export JWT_SECRET_KEY=<real-jwt-secret>
+#   bash scripts/create-secrets.sh

helm/shorefront/values.yaml

@@ -33,7 +33,3 @@ nfs:
 ingress:
   host: shorefront.example.com
   ingressClassName: traefik
-
-secrets:
-  postgresPassword: changeme-in-prod
-  jwtSecretKey: changeme-in-prod