diff --git a/charts/galust-ai-layer/.helmignore b/charts/galust-ai-layer/.helmignore
new file mode 100644
index 0000000..414bb6e
--- /dev/null
+++ b/charts/galust-ai-layer/.helmignore
@@ -0,0 +1,18 @@
+# Patterns to ignore when building packages.
+.DS_Store
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/galust-ai-layer/Chart.lock b/charts/galust-ai-layer/Chart.lock
new file mode 100644
index 0000000..84099ba
--- /dev/null
+++ b/charts/galust-ai-layer/Chart.lock
@@ -0,0 +1,15 @@
+dependencies:
+- name: base
+  repository: https://dasmeta.github.io/helm
+  version: 0.3.29
+- name: base
+  repository: https://dasmeta.github.io/helm
+  version: 0.3.29
+- name: base
+  repository: https://dasmeta.github.io/helm
+  version: 0.3.29
+- name: base
+  repository: https://dasmeta.github.io/helm
+  version: 0.3.29
+digest: sha256:0f058458a7e18d9bb5c9b227c8a7d29712f572efa84f5fad9fa19e314d1d6ab5
+generated: "2026-05-12T09:59:51.72808+04:00"
diff --git a/charts/galust-ai-layer/Chart.yaml b/charts/galust-ai-layer/Chart.yaml
new file mode 100644
index 0000000..2ec1f71
--- /dev/null
+++ b/charts/galust-ai-layer/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: galust-ai-layer
+description: Galust AI layer umbrella chart for Kubernetes clusters
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+
+dependencies:
+  - name: base
+    alias: backend
+    version: 0.3.29
+    repository: https://dasmeta.github.io/helm
+    condition: backend.enabled
+  - name: base
+    alias: mcp
+    version: 0.3.29
+    repository: https://dasmeta.github.io/helm
+    condition: mcp.enabled
+  - name: base
+    alias: mcpUseCase
+    version: 0.3.29
+    repository: https://dasmeta.github.io/helm
+    condition: mcpUseCase.enabled
+  - name: base
+    alias: orchestrator
+    version: 0.3.29
+    repository: https://dasmeta.github.io/helm
+    condition: orchestrator.enabled
diff --git a/charts/galust-ai-layer/README.md b/charts/galust-ai-layer/README.md
new file mode 100644
index 0000000..68b0071
--- /dev/null
+++ b/charts/galust-ai-layer/README.md
@@ -0,0 +1,377 @@
+# Galust AI Layer
+
+Umbrella Helm chart for deploying the Galust AI layer stack into a Kubernetes or EKS cluster.
+
+## What This Chart Deploys
+
+This chart is an umbrella chart for the Galust AI layer services. It wraps the published `dasmeta/base` chart once per component and deploys:
+
+- Strapi backend
+- MCP
+- MCP use-case service
+- Orchestrator
+
+The chart manages Kubernetes workload configuration for these services. It does not provision cloud infrastructure, databases, DNS records, TLS issuers, IAM roles, ECR policies, or external secrets.
+
+## Components
+
+The chart wraps the published `dasmeta/base` chart with one alias per deployable component:
+
+| Component | Values key | Default |
+| --- | --- | --- |
+| Strapi backend | `backend.enabled` | `true` |
+| MCP | `mcp.enabled` | `true` |
+| MCP use-case service | `mcpUseCase.enabled` | `true` |
+| Orchestrator | `orchestrator.enabled` | `true` |
+
+Each component can be disabled independently:
+
+```bash
+helm upgrade --install galust-ai-layer ./charts/galust-ai-layer \
+  -n ai-layer \
+  --create-namespace \
+  --set mcpUseCase.enabled=false
+```
+
+## Prerequisites
+
+Before deploying, confirm the target cluster has:
+
+- Kubernetes access through a working `kubectl` context.
+- Helm 3 installed locally.
+- Access to the `dasmeta` Helm repository, because this chart depends on `dasmeta/base`.
+- AWS access to the target account, usually through an AWS SSO permission set and account assignment managed outside this chart.
+- Namespace access for `ai-layer`, or permission to create it.
+- Image pull access for the private ECR images.
+- ECR read access for the private repositories used by the backend, MCP, MCP use-case, and orchestrator images.
+- Required application secrets already created in the namespace.
+- Database connectivity for the backend.
+- A PVC or storage class suitable for backend uploads.
+- Ingress controller installed if ingress is enabled.
+- DNS records pointing the public hosts to the ingress/load balancer.
+- TLS/cert-manager setup if the default TLS annotations and secrets are used.
+
+If AWS access is managed through the Terraform SSO/RBAC modules, create or assign an AWS SSO permission set before deploying this chart. The permission set should allow the operator or automation role to:
+
+- Read private ECR repositories and get ECR authorization tokens.
+- Access the target EKS cluster and update Kubernetes resources in the `ai-layer` namespace.
+- Create or update Kubernetes Secrets used by the chart, including `ecr-secret`, `ai-layer-strapi`, `db-ai-layer-strapi`, `ai-layer-mcp`, `ai-layer-mcp-use-case`, and `ai-layer-orchestrator`.
+- If `ecrCredentialsRefresh.enabled=true`, provide an AWS identity for the refresh job with `ecr:GetAuthorizationToken`.
+
+Required default Kubernetes objects:
+
+| Object | Default name | Used by |
+| --- | --- | --- |
+| Docker registry pull secret | `ecr-secret` | all components |
+| Backend app secret | `ai-layer-strapi` | backend |
+| Backend DB host secret | `db-ai-layer-strapi`, key `host` | backend |
+| Backend DB port | `backend.config.DATABASE_PORT`, default `5432` | backend |
+| Backend DB password secret | `db-ai-layer-strapi`, key `password` | backend |
+| Backend uploads PVC | `ai-layer-strapi-uploads` | backend |
+| MCP secret | `ai-layer-mcp` | MCP |
+| MCP use-case secret | `ai-layer-mcp-use-case` | MCP use-case |
+| Orchestrator secret | `ai-layer-orchestrator` | orchestrator |
+
+External dependencies such as Redis, Qdrant, Langfuse, OpenAI credentials, database provisioning, External Secrets, IAM trust, and DNS are handled outside this chart.
+
+## Orchestrator Secret
+
+The orchestrator reads sensitive values from a Kubernetes Secret through `envFrom.secret`.
+
+Default values:
+
+```yaml
+orchestrator:
+  envFrom:
+    secret: ai-layer-orchestrator
+```
+
+This means every key in the `ai-layer-orchestrator` Secret is exposed to the orchestrator container as an environment variable. The default secret should contain:
+
+| Secret key | Purpose |
+| --- | --- |
+| `OPENAI_API_KEY` | OpenAI API access |
+| `LANGFUSE_PUBLIC_KEY` | Langfuse public key |
+| `LANGFUSE_SECRET_KEY` | Langfuse secret key |
+| `CLOUDBROWSER_API_TOKEN` | Cloud browser access |
+| `FIRECRAWL_API_KEY` | Firecrawl API access |
+| `SENTRY_DSN` | Sentry project DSN |
+| `AI_LAYER_BACKEND_API_TOKEN` | Backend API token |
+| `MCP_USE_CASE_AUTH_TOKEN` | MCP use-case auth token |
+| `SUPPORT_CHAT_CORE_PRODUCT_UID` | Support chat core product UID |
+
+Create or update the secret before deploying:
+
+```bash
+kubectl create secret generic ai-layer-orchestrator \
+  -n ai-layer \
+  --from-literal=OPENAI_API_KEY='<openai-api-key>' \
+  --from-literal=LANGFUSE_PUBLIC_KEY='<langfuse-public-key>' \
+  --from-literal=LANGFUSE_SECRET_KEY='<langfuse-secret-key>' \
+  --from-literal=CLOUDBROWSER_API_TOKEN='<cloudbrowser-api-token>' \
+  --from-literal=FIRECRAWL_API_KEY='<firecrawl-api-key>' \
+  --from-literal=SENTRY_DSN='<sentry-dsn>' \
+  --from-literal=AI_LAYER_BACKEND_API_TOKEN='<backend-api-token>' \
+  --from-literal=MCP_USE_CASE_AUTH_TOKEN='<mcp-use-case-auth-token>' \
+  --from-literal=SUPPORT_CHAT_CORE_PRODUCT_UID='<support-chat-core-product-uid>' \
+  --dry-run=client -o yaml | kubectl apply -f -
+```
+
+Use a different secret name if needed:
+
+```bash
+helm upgrade --install galust-ai-layer charts/galust-ai-layer \
+  -n ai-layer \
+  --create-namespace \
+  --set orchestrator.envFrom.secret=my-orchestrator-secret
+```
+
+## Configure Public URLs
+
+Public URLs are defined near the top of `values.yaml`:
+
+```yaml
+global:
+  API_URL: &apiUrl https://api.galust.ai
+  API_HOST: &apiHost api.galust.ai
+  APP_URL: &appUrl https://app.galust.ai
+  MCP_URL: &mcpUrl https://mcp.galust.ai
+  MCP_HOST: &mcpHost mcp.galust.ai
+  ADMIN_URL: &adminUrl https://api.galust.ai/admin
+  OPENAPI_BASE_URL: &openapiBaseUrl https://api.galust.ai/api
+  OPENAPI_SPEC_URL: &openapiSpecUrl https://api.galust.ai/documentation/openapi.json
+  ORCHESTRATOR_ENDPOINT: &orchestratorEndpoint https://api.galust.ai/orchestrator/api/galust/ask
+```
+
+The rest of `values.yaml` reuses these values with YAML anchors, for example:
+
+```yaml
+backend:
+  config:
+    ADMIN_URL: *adminUrl
+    BACKEND_URL: *apiUrl
+  ingress:
+    hosts:
+      - host: *apiHost
+```
+
+Important: YAML anchors are resolved before Helm merges extra values files. If you deploy with `-f examples/galust-ai-layer/values.test.yaml` and only override `global`, Helm will not recalculate aliases already resolved in `values.yaml`. To change domains for another environment, either edit the full values file or provide a values file that also overrides the component `config` and `ingress` fields.
+
+## Image Pull Access
+
+The default values expect an existing Kubernetes docker registry secret named `ecr-secret`. The secret name is anchored once and reused by every component:
+
+```yaml
+imagePullSecret:
+  name: &imagePullSecretName ecr-secret
+
+imagePullSecrets:
+  - name: *imagePullSecretName
+```
+
+The chart can also render the secret when `imagePullSecret.create=true`:
+
+```bash
+helm upgrade --install galust-ai-layer ./charts/galust-ai-layer \
+  -n ai-layer \
+  --create-namespace \
+  --set imagePullSecret.create=true \
+  --set-file imagePullSecret.dockerConfigJson=./dockerconfig.json
+```
+
+AWS IAM trust, ECR repository policies, role assumption, and External Secrets setup are intentionally outside this chart. Provide the resulting Kubernetes pull secret name through `imagePullSecret.name` and each component's `imagePullSecrets` override.
+
+ECR authorization tokens expire. For long-running environments, enable the optional refresh CronJob or use another cluster-managed renewal mechanism such as External Secrets, a registry credential controller, or a platform-owned refresh job. This chart can reference an existing pull secret, render one from provided docker config JSON, or refresh the secret through the optional CronJob.
+
+Example secret creation:
+
+```bash
+kubectl create namespace ai-layer
+
+kubectl create secret docker-registry ecr-secret \
+  -n ai-layer \
+  --docker-server=565580475168.dkr.ecr.eu-central-1.amazonaws.com \
+  --docker-username=AWS \
+  --docker-password='<ecr-login-password>'
+```
+
+## ECR Credentials Refresh
+
+The chart can render an optional CronJob that refreshes the ECR docker registry secret before the token expires:
+
+```yaml
+ecrCredentialsRefresh:
+  enabled: true
+  schedule: "0 */6 * * *"
+  registry: 565580475168.dkr.ecr.eu-central-1.amazonaws.com
+  region: eu-central-1
+  secretName: ecr-secret
+```
+
+The refresh job updates the same `kubernetes.io/dockerconfigjson` Secret referenced by component `imagePullSecrets`. It creates a namespaced `Role`, `RoleBinding`, `ServiceAccount`, and `CronJob`.
+
+Use an existing Kubernetes Secret with AWS credentials:
+
+```bash
+kubectl create secret generic ecr-refresh-aws-credentials \
+  -n ai-layer \
+  --from-literal=AWS_ACCESS_KEY_ID='<aws-access-key-id>' \
+  --from-literal=AWS_SECRET_ACCESS_KEY='<aws-secret-access-key>' \
+  --dry-run=client -o yaml | kubectl apply -f -
+```
+
+Then enable the refresher:
+
+```bash
+helm upgrade --install galust-ai-layer charts/galust-ai-layer \
+  -n ai-layer \
+  --create-namespace \
+  --set ecrCredentialsRefresh.enabled=true \
+  --set ecrCredentialsRefresh.awsCredentialsSecret.name=ecr-refresh-aws-credentials
+```
+
+If the cluster uses IRSA or EKS Pod Identity, leave `awsCredentialsSecret.name` empty and annotate the refresh service account:
+
+```yaml
+ecrCredentialsRefresh:
+  enabled: true
+  serviceAccount:
+    annotations:
+      eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
+```
+
+The AWS identity used by the refresh job needs permission to call `ecr:GetAuthorizationToken`. The refresh container uses `alpine` and installs `aws-cli`, `curl`, `ca-certificates`, and `coreutils` at runtime, so the namespace must allow outbound package download access or you must override `ecrCredentialsRefresh.image` with an internal image that already contains the required tools.
+
+After installing, trigger the first refresh before private-image workloads need to pull:
+
+```bash
+kubectl create job \
+  -n ai-layer \
+  --from=cronjob/galust-ai-layer-ecr-refresh \
+  galust-ai-layer-ecr-refresh-manual
+```
+
+## Backend Notes
+
+The backend values use the existing Galust Strapi image and runtime defaults from `ai-layer/backend/helm/strapi.yaml`, but this umbrella chart does not provision AWS IAM or a managed database. Database secrets are created outside this chart. By default the backend expects:
+
+- an `ai-layer-strapi` secret for Strapi application secrets
+- `db-ai-layer-strapi` with key `host`
+- `backend.config.DATABASE_PORT`, defaulting to `5432`
+- `db-ai-layer-strapi` with key `password`
+- a PVC named `ai-layer-strapi-uploads` for `/opt/app/public/uploads`
+
+Override those names for environment-specific infrastructure.
+
+If the database host and password are stored in one Kubernetes Secret, override the `extraEnv` references:
+
+```yaml
+backend:
+  extraEnv:
+    DATABASE_HOST:
+      secretKeyRef:
+        name: my-database-secret
+        key: host
+    DATABASE_PASSWORD:
+      secretKeyRef:
+        name: my-database-secret
+        key: password
+```
+
+If the database port is also stored in the same database secret, override `DATABASE_PORT` from `config` with an `extraEnv` secret reference:
+
+```yaml
+backend:
+  config:
+    DATABASE_PORT: null
+  extraEnv:
+    DATABASE_HOST:
+      secretKeyRef:
+        name: db-ai-layer-strapi
+        key: host
+    DATABASE_PORT:
+      secretKeyRef:
+        name: db-ai-layer-strapi
+        key: port
+```
+
+## Deploy
+
+Run commands from the `helm` repository directory:
+
+```bash
+cd /Users/juliaaghamyan/Desktop/dasmeta/helm
+helm dependency update charts/galust-ai-layer
+```
+
+Deploy with default `values.yaml`:
+
+```bash
+helm upgrade --install galust-ai-layer charts/galust-ai-layer \
+  -n ai-layer \
+  --create-namespace
+```
+
+Deploy with the test values example:
+
+```bash
+helm upgrade --install galust-ai-layer charts/galust-ai-layer \
+  -n ai-layer \
+  --create-namespace \
+  -f examples/galust-ai-layer/values.test.yaml
+```
+
+Disable a component:
+
+```bash
+helm upgrade --install galust-ai-layer charts/galust-ai-layer \
+  -n ai-layer \
+  --create-namespace \
+  --set mcpUseCase.enabled=false
+```
+
+## Post-Deploy Checks
+
+```bash
+kubectl get pods -n ai-layer
+kubectl get svc -n ai-layer
+kubectl get ingress -n ai-layer
+kubectl describe pod -n ai-layer -l app=ai-layer-orchestrator
+kubectl logs -n ai-layer deploy/ai-layer-orchestrator
+```
+
+Expected default service names:
+
+- `ai-layer-strapi`
+- `ai-layer-mcp`
+- `ai-layer-mcp-use-case`
+- `ai-layer-orchestrator`
+
+Expected public hosts when ingress is enabled:
+
+- `api.galust.ai`
+- `mcp.galust.ai`
+
+## Local Validation
+
+```bash
+helm dependency update charts/galust-ai-layer
+helm lint charts/galust-ai-layer
+helm template galust-ai-layer charts/galust-ai-layer -n ai-layer
+helm template galust-ai-layer charts/galust-ai-layer -n ai-layer --set backend.enabled=false
+helm template galust-ai-layer charts/galust-ai-layer -n ai-layer -f examples/galust-ai-layer/values.test.yaml
+```
+
+## Troubleshooting
+
+If pods are stuck in `ImagePullBackOff`, check the `ecr-secret` secret and ECR access.
+
+If the backend fails to start, check the `ai-layer-strapi` and `db-ai-layer-strapi` secrets, plus database reachability from the namespace.
+
+If ingress does not work, confirm the ingress controller, DNS records, TLS secret or cert-manager issuer, and rendered ingress hosts.
+
+If URL overrides do not appear in rendered manifests, remember that YAML anchors are not dynamic Helm templates. Render locally with:
+
+```bash
+helm template galust-ai-layer charts/galust-ai-layer -n ai-layer -f examples/galust-ai-layer/values.test.yaml
+```
diff --git a/charts/galust-ai-layer/charts/base-0.3.29.tgz b/charts/galust-ai-layer/charts/base-0.3.29.tgz
new file mode 100644
index 0000000..e96111f
Binary files /dev/null and b/charts/galust-ai-layer/charts/base-0.3.29.tgz differ
diff --git a/charts/galust-ai-layer/templates/NOTES.txt b/charts/galust-ai-layer/templates/NOTES.txt
new file mode 100644
index 0000000..f7b3194
--- /dev/null
+++ b/charts/galust-ai-layer/templates/NOTES.txt
@@ -0,0 +1,21 @@
+Galust AI layer chart rendered for namespace {{ .Release.Namespace }}.
+
+Enabled components:
+{{- if .Values.backend.enabled }}
+- backend: {{ .Values.backend.fullnameOverride | default "backend" }}
+{{- end }}
+{{- if .Values.mcp.enabled }}
+- mcp: {{ .Values.mcp.fullnameOverride | default "mcp" }}
+{{- end }}
+{{- if .Values.mcpUseCase.enabled }}
+- mcp-use-case: {{ .Values.mcpUseCase.fullnameOverride | default "mcp-use-case" }}
+{{- end }}
+{{- if .Values.orchestrator.enabled }}
+- orchestrator: {{ .Values.orchestrator.fullnameOverride | default "orchestrator" }}
+{{- end }}
+
+Image pull access:
+- By default the chart references an existing imagePullSecret named {{ include "galust-ai-layer.imagePullSecretName" . }}.
+- Set imagePullSecret.create=true with dockerConfigJson or dockerConfigJsonBase64 to render that Secret from this chart.
+- Set ecrCredentialsRefresh.enabled=true to render a CronJob that refreshes the ECR docker registry secret.
+- AWS IAM trust, ECR repository policy, and external secret provisioning are outside this chart.
diff --git a/charts/galust-ai-layer/templates/_helpers.tpl b/charts/galust-ai-layer/templates/_helpers.tpl
new file mode 100644
index 0000000..e4d07bc
--- /dev/null
+++ b/charts/galust-ai-layer/templates/_helpers.tpl
@@ -0,0 +1,54 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "galust-ai-layer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "galust-ai-layer.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := include "galust-ai-layer.name" . }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Common labels.
+*/}}
+{{- define "galust-ai-layer.labels" -}}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+app.kubernetes.io/name: {{ include "galust-ai-layer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Image pull secret name used by the optional generated dockerconfigjson Secret.
+*/}}
+{{- define "galust-ai-layer.imagePullSecretName" -}}
+{{- default "ecr-secret" .Values.imagePullSecret.name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Name used for the optional ECR credentials refresh resources.
+*/}}
+{{- define "galust-ai-layer.ecrCredentialsRefreshName" -}}
+{{- printf "%s-ecr-refresh" (include "galust-ai-layer.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Service account name used by the optional ECR credentials refresh job.
+*/}}
+{{- define "galust-ai-layer.ecrCredentialsRefreshServiceAccountName" -}}
+{{- default (include "galust-ai-layer.ecrCredentialsRefreshName" .) .Values.ecrCredentialsRefresh.serviceAccount.name | trunc 63 | trimSuffix "-" }}
+{{- end }}
diff --git a/charts/galust-ai-layer/templates/ecr-credentials-refresh.yaml b/charts/galust-ai-layer/templates/ecr-credentials-refresh.yaml
new file mode 100644
index 0000000..1774674
--- /dev/null
+++ b/charts/galust-ai-layer/templates/ecr-credentials-refresh.yaml
@@ -0,0 +1,143 @@
+{{- if .Values.ecrCredentialsRefresh.enabled -}}
+{{- $name := include "galust-ai-layer.ecrCredentialsRefreshName" . -}}
+{{- $serviceAccountName := include "galust-ai-layer.ecrCredentialsRefreshServiceAccountName" . -}}
+{{- $secretName := required "ecrCredentialsRefresh.secretName is required when ecrCredentialsRefresh.enabled=true" .Values.ecrCredentialsRefresh.secretName -}}
+{{- $registry := required "ecrCredentialsRefresh.registry is required when ecrCredentialsRefresh.enabled=true" .Values.ecrCredentialsRefresh.registry -}}
+{{- $region := required "ecrCredentialsRefresh.region is required when ecrCredentialsRefresh.enabled=true" .Values.ecrCredentialsRefresh.region -}}
+{{- if .Values.ecrCredentialsRefresh.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $serviceAccountName }}
+  labels:
+    {{- include "galust-ai-layer.labels" . | nindent 4 }}
+  {{- with .Values.ecrCredentialsRefresh.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "galust-ai-layer.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "galust-ai-layer.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "galust-ai-layer.labels" . | nindent 4 }}
+spec:
+  schedule: {{ .Values.ecrCredentialsRefresh.schedule | quote }}
+  concurrencyPolicy: {{ .Values.ecrCredentialsRefresh.concurrencyPolicy }}
+  successfulJobsHistoryLimit: {{ .Values.ecrCredentialsRefresh.successfulJobsHistoryLimit }}
+  failedJobsHistoryLimit: {{ .Values.ecrCredentialsRefresh.failedJobsHistoryLimit }}
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            {{- include "galust-ai-layer.labels" . | nindent 12 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+          restartPolicy: OnFailure
+          containers:
+            - name: refresh
+              image: "{{ .Values.ecrCredentialsRefresh.image.repository }}:{{ .Values.ecrCredentialsRefresh.image.tag }}"
+              imagePullPolicy: {{ .Values.ecrCredentialsRefresh.image.pullPolicy }}
+              env:
+                - name: AWS_REGION
+                  value: {{ $region | quote }}
+                - name: ECR_REGISTRY
+                  value: {{ $registry | quote }}
+                - name: DOCKER_SECRET_NAME
+                  value: {{ $secretName | quote }}
+                - name: TARGET_NAMESPACE
+                  value: {{ .Release.Namespace | quote }}
+              {{- with .Values.ecrCredentialsRefresh.awsCredentialsSecret.name }}
+              envFrom:
+                - secretRef:
+                    name: {{ . }}
+              {{- end }}
+              command:
+                - /bin/sh
+                - -ec
+              args:
+                - |
+                  apk add --no-cache aws-cli curl ca-certificates coreutils
+
+                  ECR_PASSWORD="$(aws ecr get-login-password --region "${AWS_REGION}")"
+                  AUTH="$(printf 'AWS:%s' "${ECR_PASSWORD}" | base64 | tr -d '\n')"
+                  DOCKER_CONFIG_JSON="$(printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' "${ECR_REGISTRY}" "${ECR_PASSWORD}" "${AUTH}")"
+                  DOCKER_CONFIG_B64="$(printf '%s' "${DOCKER_CONFIG_JSON}" | base64 | tr -d '\n')"
+
+                  cat >/tmp/secret-create.json <<EOF
+                  {"apiVersion":"v1","kind":"Secret","metadata":{"name":"${DOCKER_SECRET_NAME}","namespace":"${TARGET_NAMESPACE}"},"type":"kubernetes.io/dockerconfigjson","data":{".dockerconfigjson":"${DOCKER_CONFIG_B64}"}}
+                  EOF
+
+                  cat >/tmp/secret-patch.json <<EOF
+                  {"type":"kubernetes.io/dockerconfigjson","data":{".dockerconfigjson":"${DOCKER_CONFIG_B64}"}}
+                  EOF
+
+                  TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+                  CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+                  API="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS:-443}"
+                  SECRET_URL="${API}/api/v1/namespaces/${TARGET_NAMESPACE}/secrets/${DOCKER_SECRET_NAME}"
+
+                  STATUS="$(curl --silent --show-error --cacert "${CACERT}" \
+                    -H "Authorization: Bearer ${TOKEN}" \
+                    -o /tmp/secret-get-response \
+                    -w "%{http_code}" \
+                    "${SECRET_URL}")"
+
+                  if [ "${STATUS}" = "200" ]; then
+                    curl --fail --silent --show-error --cacert "${CACERT}" \
+                      -X PATCH \
+                      -H "Authorization: Bearer ${TOKEN}" \
+                      -H "Content-Type: application/merge-patch+json" \
+                      --data-binary @/tmp/secret-patch.json \
+                      "${SECRET_URL}"
+                  elif [ "${STATUS}" = "404" ]; then
+                    curl --fail --silent --show-error --cacert "${CACERT}" \
+                      -X POST \
+                      -H "Authorization: Bearer ${TOKEN}" \
+                      -H "Content-Type: application/json" \
+                      --data-binary @/tmp/secret-create.json \
+                      "${API}/api/v1/namespaces/${TARGET_NAMESPACE}/secrets"
+                  else
+                    cat /tmp/secret-get-response
+                    exit 1
+                  fi
+              {{- with .Values.ecrCredentialsRefresh.resources }}
+              resources:
+                {{- toYaml . | nindent 16 }}
+              {{- end }}
+{{- end }}
diff --git a/charts/galust-ai-layer/templates/image-pull-secret.yaml b/charts/galust-ai-layer/templates/image-pull-secret.yaml
new file mode 100644
index 0000000..3f4aa42
--- /dev/null
+++ b/charts/galust-ai-layer/templates/image-pull-secret.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.imagePullSecret.create -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "galust-ai-layer.imagePullSecretName" . }}
+  labels:
+    {{- include "galust-ai-layer.labels" . | nindent 4 }}
+  {{- with .Values.imagePullSecret.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/dockerconfigjson
+{{- if .Values.imagePullSecret.dockerConfigJson }}
+stringData:
+  .dockerconfigjson: {{ .Values.imagePullSecret.dockerConfigJson | quote }}
+{{- else }}
+data:
+  .dockerconfigjson: {{ required "imagePullSecret.dockerConfigJson or imagePullSecret.dockerConfigJsonBase64 is required when imagePullSecret.create=true" .Values.imagePullSecret.dockerConfigJsonBase64 | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/galust-ai-layer/values.yaml b/charts/galust-ai-layer/values.yaml
new file mode 100644
index 0000000..d0ca7ee
--- /dev/null
+++ b/charts/galust-ai-layer/values.yaml
@@ -0,0 +1,300 @@
+imagePullSecret:
+  create: false
+  name: &imagePullSecretName ecr-secret
+  annotations: {}
+  dockerConfigJson: ""
+  dockerConfigJsonBase64: ""
+
+imagePullSecrets: &galustImagePullSecrets
+  - name: *imagePullSecretName
+
+ecrCredentialsRefresh:
+  enabled: false
+  schedule: "0 */6 * * *"
+  registry: 565580475168.dkr.ecr.eu-central-1.amazonaws.com
+  region: eu-central-1
+  secretName: *imagePullSecretName
+  image:
+    repository: alpine
+    tag: "3.20"
+    pullPolicy: IfNotPresent
+  awsCredentialsSecret:
+    name: ""
+  serviceAccount:
+    create: true
+    name: ""
+    annotations: {}
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  concurrencyPolicy: Forbid
+  resources: {}
+
+global:
+  API_URL: &apiUrl https://api.galust.ai
+  API_HOST: &apiHost api.galust.ai
+  APP_URL: &appUrl https://app.galust.ai
+  MCP_URL: &mcpUrl https://mcp.galust.ai
+  MCP_HOST: &mcpHost mcp.galust.ai
+  ADMIN_URL: &adminUrl https://api.galust.ai/admin
+  OPENAPI_BASE_URL: &openapiBaseUrl https://api.galust.ai/api
+  OPENAPI_SPEC_URL: &openapiSpecUrl https://api.galust.ai/documentation/openapi.json
+  ORCHESTRATOR_ENDPOINT: &orchestratorEndpoint https://api.galust.ai/orchestrator/api/galust/ask
+
+gatewayApi:
+  enabled: false
+
+zeroTrustMesh:
+  enabled: false
+
+backend:
+  enabled: true
+  gatewayApi:
+    enabled: false
+  zeroTrustMesh:
+    enabled: false
+    allowTo: []
+  fullnameOverride: ai-layer-strapi
+  version: 0.1.0
+  appVersion: 0.1.0
+  image:
+    repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-backend
+    tag: latest
+    pullPolicy: Always
+  imagePullSecrets: *galustImagePullSecrets
+  replicaCount: 1
+  containerPort: 1337
+  service:
+    type: ClusterIP
+    port: 1337
+  persistence:
+    uploads:
+      enabled: true
+      claimName: ai-layer-strapi-uploads
+      size: 20Gi
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: ""
+      keepPvc: true
+  storage:
+    - persistentVolumeClaimName: ai-layer-strapi-uploads
+      accessModes:
+        - ReadWriteOnce
+      requestedSize: 20Gi
+      keepPvc: true
+  volumes:
+    - name: strapi-uploads
+      persistentVolumeClaim:
+        claimName: ai-layer-strapi-uploads
+      mountPath: /opt/app/public/uploads
+  resources:
+    limits:
+      cpu: 1500m
+      memory: 1500Mi
+    requests:
+      cpu: 1000m
+      memory: 1000Mi
+  securityContext:
+    readOnlyRootFilesystem: false
+    runAsNonRoot: false
+    runAsUser: 0
+    runAsGroup: 0
+  envFrom:
+    secret: ai-layer-strapi
+  config:
+    PORT: "1337"
+    DATABASE_CLIENT: postgres
+    DATABASE_PORT: "5432"
+    DATABASE_NAME: strapi
+    DATABASE_USERNAME: strapi
+    STRAPI_DISABLE_UPDATE_NOTIFICATION: "true"
+    FAST_REFRESH: "false"
+    EXTRA_ARGS: ""
+    ADMIN_URL: *adminUrl
+    APP_HOST: 0.0.0.0
+    APP_URL: *adminUrl
+    BACKEND_URL: *apiUrl
+    ENV: production
+    HOST: 0.0.0.0
+    NODE_ENV: production
+    PUBLIC_URL: *apiUrl
+    STRAPI_ADMIN_BACKEND_URL: *apiUrl
+  extraEnv:
+    DATABASE_HOST:
+      secretKeyRef:
+        name: db-ai-layer-strapi
+        key: host
+    DATABASE_PASSWORD:
+      secretKeyRef:
+        name: db-ai-layer-strapi
+        key: password
+  ingress:
+    enabled: true
+    class: nginx
+    annotations:
+      kubernetes.io/tls-acme: "true"
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: *apiHost
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              servicePort: 1337
+    tls:
+      - secretName: com-galust-api-tls2
+        hosts:
+          - *apiHost
+
+mcp:
+  enabled: true
+  gatewayApi:
+    enabled: false
+  zeroTrustMesh:
+    enabled: false
+    allowTo: []
+  fullnameOverride: ai-layer-mcp
+  version: 0.0.1
+  appVersion: 0.0.1
+  image:
+    repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-mcp
+    tag: latest
+    pullPolicy: Always
+  imagePullSecrets: *galustImagePullSecrets
+  replicaCount: 1
+  labels:
+    version:
+      name: app-version
+      value: v0.0.1
+    app:
+      name: app
+      value: ai-layer-mcp
+  service:
+    type: ClusterIP
+    port: 4002
+  containerPort: 4002
+  envFrom:
+    secret: ai-layer-mcp
+  config:
+    DEBUG_MCP_HEADER_FLOW: "true"
+    OPENAPI_BASE_URL: *openapiBaseUrl
+    OPENAPI_SPEC_URL: *openapiSpecUrl
+  ingress:
+    enabled: true
+    class: nginx
+    annotations:
+      kubernetes.io/tls-acme: "true"
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: *mcpHost
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              servicePort: 4002
+    tls:
+      - secretName: com-galust-mcp-tls2
+        hosts:
+          - *mcpHost
+
+mcpUseCase:
+  enabled: true
+  gatewayApi:
+    enabled: false
+  zeroTrustMesh:
+    enabled: false
+    allowTo: []
+  fullnameOverride: ai-layer-mcp-use-case
+  version: 0.0.1
+  appVersion: 0.0.1
+  image:
+    repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-mcp-use-case
+    tag: latest
+    pullPolicy: Always
+  imagePullSecrets: *galustImagePullSecrets
+  replicaCount: 1
+  labels:
+    version:
+      name: app-version
+      value: v0.0.1
+    app:
+      name: app
+      value: ai-layer-mcp-use-case
+  service:
+    type: ClusterIP
+    port: 4002
+  containerPort: 4002
+  envFrom:
+    secret: ai-layer-mcp-use-case
+  config:
+    DEBUG_MCP_HEADER_FLOW: "true"
+    TOOLS_CATALOG_URL: *apiUrl
+    ORCHESTRATOR_ENDPOINT: *orchestratorEndpoint
+
+orchestrator:
+  enabled: true
+  gatewayApi:
+    enabled: false
+  zeroTrustMesh:
+    enabled: false
+    allowTo: []
+  fullnameOverride: ai-layer-orchestrator
+  version: 0.0.1
+  appVersion: 0.0.1
+  image:
+    repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-orchestrator
+    tag: latest
+    pullPolicy: Always
+  imagePullSecrets: *galustImagePullSecrets
+  replicaCount: 1
+  labels:
+    version:
+      name: app-version
+      value: v0.0.1
+    app:
+      name: app
+      value: ai-layer-orchestrator
+  service:
+    type: ClusterIP
+    port: 3000
+  containerPort: 3000
+  resources:
+    requests:
+      cpu: 500m
+  autoscaling:
+    enabled: true
+    minReplicas: 2
+    maxReplicas: 5
+  envFrom:
+    # Existing Kubernetes Secret loaded as environment variables by the orchestrator.
+    # Override this name when secrets are managed outside this chart under a different name.
+    secret: ai-layer-orchestrator
+  config:
+    NODE_ENV: production
+    OPENAI_MODEL: gpt-4o-mini
+    LANGFUSE_HOST: https://cloud.langfuse.com
+    GLOBAL_PREFIX: orchestrator
+    OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: http://localhost:4318/v1/traces
+    AI_LAYER_BACKEND_URL: *apiUrl
+  ingress:
+    enabled: true
+    class: nginx
+    annotations:
+      kubernetes.io/tls-acme: "true"
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      nginx.ingress.kubernetes.io/enable-cors: "true"
+      nginx.ingress.kubernetes.io/cors-allow-origin: *appUrl
+      nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+      nginx.ingress.kubernetes.io/cors-allow-methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
+      nginx.ingress.kubernetes.io/cors-allow-headers: Authorization, Content-Type, Origin, Accept, X-Requested-With, MCP-Protocol-Version, Mcp-Session-Id
+    hosts:
+      - host: *apiHost
+        paths:
+          - path: /orchestrator
+            pathType: Prefix
+            backend:
+              servicePort: 3000
+    tls:
+      - clusterIssuer: letsencrypt-prod
+        secretName: com-galust-api-tls2
+        hosts:
+          - *apiHost
diff --git a/examples/galust-ai-layer/values.test.yaml b/examples/galust-ai-layer/values.test.yaml
new file mode 100644
index 0000000..e329e29
--- /dev/null
+++ b/examples/galust-ai-layer/values.test.yaml
@@ -0,0 +1,27 @@
+# Minimal example overlay for externally reachable Galust AI layer URLs and ECR pull-secret refresh.
+imagePullSecret:
+  name: &imagePullSecretName ecr-secret
+
+global:
+  API_URL: &apiUrl https://api.galust.ai
+  API_HOST: &apiHost api.galust.ai
+  APP_URL: &appUrl https://app.galust.ai
+  MCP_URL: &mcpUrl https://mcp.galust.ai
+  MCP_HOST: &mcpHost mcp.galust.ai
+  ADMIN_URL: &adminUrl https://api.galust.ai/admin
+  OPENAPI_BASE_URL: &openapiBaseUrl https://api.galust.ai/api
+  OPENAPI_SPEC_URL: &openapiSpecUrl https://api.galust.ai/documentation/openapi.json
+  ORCHESTRATOR_ENDPOINT: &orchestratorEndpoint https://api.galust.ai/orchestrator/api/galust/ask
+
+ecrCredentialsRefresh:
+  enabled: true
+  schedule: "0 */6 * * *"
+  registry: 565580475168.dkr.ecr.eu-central-1.amazonaws.com
+  region: eu-central-1
+  secretName: *imagePullSecretName
+  awsCredentialsSecret:
+    name: ecr-refresh-aws-credentials
+
+orchestrator:
+  envFrom:
+    secret: ai-layer-orchestrator
diff --git a/specs/014-galust-umbrella-chart/plan.md b/specs/014-galust-umbrella-chart/plan.md
new file mode 100644
index 0000000..e82204e
--- /dev/null
+++ b/specs/014-galust-umbrella-chart/plan.md
@@ -0,0 +1,54 @@
+# Implementation Plan: Galust AI Layer Umbrella Chart
+
+**Branch**: `014-galust-umbrella-chart` | **Date**: 2026-05-11 | **Spec**: `specs/014-galust-umbrella-chart/spec.md`
+**Input**: Feature specification from `specs/014-galust-umbrella-chart/spec.md`
+
+## Summary
+
+Add `charts/galust-ai-layer` as an umbrella chart that deploys the Galust AI layer components to Kubernetes or EKS. Use one `dasmeta/base` dependency alias per component, expose component enable flags, and carry the existing `ai-layer` deployment defaults into chart values.
+
+## Technical Context
+
+**Language/Version**: Helm 3 chart YAML and Go templates  
+**Primary Dependencies**: Published `dasmeta/base` chart version `0.3.29`, matching the current shared chart release  
+**Storage**: Backend uploads PVC, default `ai-layer-strapi-uploads`  
+**Testing**: `helm dependency update`, `helm lint`, `helm template`  
+**Target Platform**: Kubernetes / EKS  
+**Project Type**: Helm chart repository  
+**Constraints**: Do not provision AWS IAM trust, ECR repository policy, or database infrastructure in this chart  
+**Scale/Scope**: Four long-running Galust workloads
+
+## Constitution Check
+
+The change is chart-scoped and keeps shared chart logic in `charts/base`. It does not copy base templates into the new chart.
+
+## Project Structure
+
+### Documentation
+
+```text
+specs/014-galust-umbrella-chart/
+├── spec.md
+├── plan.md
+└── tasks.md
+```
+
+### Source Code
+
+```text
+charts/galust-ai-layer/
+├── Chart.yaml
+├── README.md
+├── values.yaml
+└── templates/
+    ├── NOTES.txt
+    ├── _helpers.tpl
+    └── image-pull-secret.yaml
+```
+
+## Implementation Notes
+
+- Use dependency `condition` fields so component toggles are native Helm behavior.
+- Set `fullnameOverride` defaults to preserve existing Galust service names.
+- Keep ingress defaults disabled to avoid installing Galust production hostnames into clusters by accident.
+- Provide default image pull secret name `ecr-secret`, with optional chart-rendered docker config secret.
diff --git a/specs/014-galust-umbrella-chart/spec.md b/specs/014-galust-umbrella-chart/spec.md
new file mode 100644
index 0000000..ca8743f
--- /dev/null
+++ b/specs/014-galust-umbrella-chart/spec.md
@@ -0,0 +1,63 @@
+# Feature Specification: Galust AI Layer Umbrella Chart
+
+**Feature Branch**: `014-galust-umbrella-chart`  
+**Created**: 2026-05-11  
+**Status**: Draft  
+**Input**: Jira `DMVP-10005` and repo evidence from `ai-layer`
+
+## User Scenarios & Testing
+
+### User Story 1 - Install All Galust Components (Priority: P1)
+
+Platform operators can install one Helm chart to deploy the Galust backend, MCP, MCP use-case service, and orchestrator into their own EKS cluster.
+
+**Why this priority**: This is the core onboarding deliverable.
+
+**Independent Test**: Render the chart with default values and confirm all four component releases are present.
+
+**Acceptance Scenarios**:
+
+1. **Given** default chart values, **When** the chart is rendered, **Then** backend, mcp, mcp-use-case, and orchestrator resources are included.
+2. **Given** an existing ECR pull secret name, **When** the chart is installed, **Then** every component references that pull secret.
+
+### User Story 2 - Selectively Disable Components (Priority: P1)
+
+Platform operators can deploy only the components they need for a given environment.
+
+**Why this priority**: The ticket explicitly asks for deploy options per component.
+
+**Independent Test**: Render the chart with each component disabled and confirm that component is omitted while the others remain.
+
+**Acceptance Scenarios**:
+
+1. **Given** `backend.enabled=false`, **When** the chart is rendered, **Then** backend resources are omitted.
+2. **Given** `mcp.enabled=false`, **When** the chart is rendered, **Then** mcp resources are omitted.
+3. **Given** `mcpUseCase.enabled=false`, **When** the chart is rendered, **Then** mcp-use-case resources are omitted.
+4. **Given** `orchestrator.enabled=false`, **When** the chart is rendered, **Then** orchestrator resources are omitted.
+
+### User Story 3 - Configure ECR Pull Access (Priority: P2)
+
+Platform operators can point the deployment at a Kubernetes docker registry secret or have the chart render one from provided docker config JSON.
+
+**Why this priority**: Pull access is necessary for private images but AWS IAM trust remains outside this chart.
+
+**Independent Test**: Render the chart with `imagePullSecret.create=true` and confirm a `kubernetes.io/dockerconfigjson` Secret is produced.
+
+## Requirements
+
+### Functional Requirements
+
+- **FR-001**: The chart MUST expose independent enable flags for `backend`, `mcp`, `mcpUseCase`, and `orchestrator`.
+- **FR-002**: The chart MUST use `dasmeta/base` subchart aliases for the four long-running workloads.
+- **FR-003**: The chart MUST carry defaults derived from the current `ai-layer` deployment files.
+- **FR-004**: The chart MUST allow image repository, tag, pull policy, and pull secrets to be overridden per component.
+- **FR-005**: The chart MUST document ECR/IAM provisioning as out of scope.
+
+## Success Criteria
+
+### Measurable Outcomes
+
+- **SC-001**: `helm lint charts/galust-ai-layer` succeeds after dependencies are built.
+- **SC-002**: `helm template` succeeds with default values.
+- **SC-003**: `helm template` succeeds when any one component is disabled.
+- **SC-004**: The README contains install and pull-secret examples.
diff --git a/specs/014-galust-umbrella-chart/tasks.md b/specs/014-galust-umbrella-chart/tasks.md
new file mode 100644
index 0000000..fbaca8c
--- /dev/null
+++ b/specs/014-galust-umbrella-chart/tasks.md
@@ -0,0 +1,21 @@
+# Tasks: Galust AI Layer Umbrella Chart
+
+**Input**: `specs/014-galust-umbrella-chart/spec.md`, `specs/014-galust-umbrella-chart/plan.md`
+
+## Phase 1: Setup
+
+- [x] T001 Create Speckit package `specs/014-galust-umbrella-chart`
+- [x] T002 Confirm source deployment values from `ai-layer`
+
+## Phase 2: Chart Implementation
+
+- [x] T003 Add `charts/galust-ai-layer/Chart.yaml` with base subchart aliases and component conditions
+- [x] T004 Add default values for backend, mcp, mcp-use-case, and orchestrator
+- [x] T005 Add optional docker registry pull-secret template
+- [x] T006 Add chart README and notes
+
+## Phase 3: Validation
+
+- [x] T007 Run `helm dependency update charts/galust-ai-layer`
+- [x] T008 Run `helm lint charts/galust-ai-layer`
+- [x] T009 Render all components and disabled-component cases with `helm template`