Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@helm/cosmo/README.md`:
- Line 181: The Markdown table row for keycloak.extraEnv contains unescaped pipe
characters in the default multiline string (references: keycloak.extraEnv,
KC_BOOTSTRAP_ADMIN_PASSWORD, .Values.global.keycloak.adminPassword) which breaks
the table; fix it by escaping each pipe inside the string (e.g., replace "|"
with "\|" or use "|") so the table parser treats them as literal characters
rather than column separators, ensuring the value string remains unchanged
semantically but safe for Markdown rendering.

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@helm/cosmo/values.yaml`:
- Around line 359-362: The values file currently includes the 'start-dev' entry
under args which disables TLS and should never be the default for production;
remove 'start-dev' from the default args list, add a prominent WARNING comment
above the args block calling out that 'start-dev' must not be used in
production, and add a separate commented "production example" values snippet
(without 'start-dev' and showing the TLS-related flags/configuration) so
operators have a safe, copy-paste production configuration; reference and update
the args array and the 'start-dev' token in the helm values to implement this.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@helm/cosmo/README.md`:
- Line 181: The README at helm/cosmo/README.md has drift (the rendered table row
for keycloak.extraEnv doesn't match generated output) and CI fails; regenerate
the chart documentation with the exact tool/version used by CI (the chart doc
generator that produces the keycloak.extraEnv table row) and commit the
regenerated README so the rendered table (the keycloak.extraEnv row) matches
exactly what CI expects; ensure you run the same command/version as CI, verify
the keycloak.extraEnv row now matches, and commit the updated README.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@helm/cosmo/values.yaml`:
- Around line 359-362: The Helm values currently set Keycloak to start in dev
mode by default (args contains 'start-dev'); change the default startup arg in
the args array from 'start-dev' to 'start' so production uses the proper kc.sh
start behavior, leaving 'start-dev' available only as an explicit override for
local/dev deployments (update any related docs or comments to note that
'start-dev' is for local use only).
- Around line 395-399: The extraEnv entries for KC_BOOTSTRAP_ADMIN_USERNAME and
KC_BOOTSTRAP_ADMIN_PASSWORD render raw template values which can break YAML when
the credentials contain special characters; update the value expressions for
.Values.global.keycloak.adminUser and .Values.global.keycloak.adminPassword to
produce quoted/escaped strings (use the Helm quote function or ensure the
template output is wrapped in double quotes) so the produced manifest remains
valid even with colons, hashes, or quotes in the credentials.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@helm/cosmo/CHART.md`:
- Line 27: Update the Keycloak Helm repo URL in CHART.md: replace the incorrect
repository string "https://codecentric.github.io/helm-chart" in the table row
containing "keycloakx" with the correct
"https://codecentric.github.io/helm-charts" so the entry remains "|
https://codecentric.github.io/helm-charts | keycloakx | ^7.1.8 |".

In `@helm/cosmo/values.yaml`:
- Line 64: The ingress backend is routing to the wrong Keycloak service name;
update the ingress template so the backend service name matches the actual
Keycloak service created (cosmo-keycloak-http) or change the value used by the
include. Specifically, reconcile the mismatch between the values key apiUrl
(apiUrl: 'http://cosmo-keycloak-http:8080') and the ingress backend reference
({{ include "keycloak.fullname" .}) by modifying the ingress backend to
reference the http service (the fullname for the Keycloak HTTP service) or
adjust the keycloak chart include used in the ingress template so it resolves to
the http service name (ensure the template uses the Keycloak HTTP service
fullname rather than the nonexistent base service).

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@helm/cosmo/values.yaml`:
- Around line 359-362: The chart currently defaults the container args list
(args: including 'start-dev', '--import-realm', '--optimized') for development;
add a short note to the chart README or DEV.md explaining that production
deployments must override these Helm values (the args key) to use the non-dev
command (replace 'start-dev' with 'start'), and must supply proper TLS
certificate, hostname, and related configuration (e.g., ingress/host, TLS
secret) via Helm values or values.yaml overrides; mention the exact values key
to change (args) and suggest using helm --set or a production values file to
perform the override.