fix: bake secrets into values-paper.yaml and auto-seed on empty DB

- All paper stage credentials now in values-paper.yaml so ArgoCD
  renders them correctly on every sync (no more empty secrets)
- Added seed-if-empty init container to scheduler: runs the seed
  script if the companies table is empty after migrations

infra/helm/stonks-oracle/templates/deployments.yaml

@@ -59,6 +59,37 @@ spec:
           volumeMounts:
             - name: tmp
               mountPath: /tmp
+        - name: seed-if-empty
+          image: {{ $root.Values.image.registry }}/{{ $svc.image }}:{{ $root.Values.image.tag }}
+          imagePullPolicy: {{ $root.Values.image.pullPolicy }}
+          command: ["sh", "-c"]
+          args:
+            - |
+              COUNT=$(PGPASSWORD="$POSTGRES_PASSWORD" psql \
+                -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" \
+                -U "$POSTGRES_USER" -d "$POSTGRES_DB" \
+                -tAc "SELECT count(*) FROM companies" 2>/dev/null || echo "0")
+              if [ "$COUNT" = "0" ]; then
+                echo "No companies found — running seed..."
+                python -m services.symbol_registry.seed
+              else
+                echo "Companies table has $COUNT rows — skipping seed."
+              fi
+          securityContext:
+            {{- include "stonks.containerSecurityContext" $root | nindent 12 }}
+          envFrom:
+            - configMapRef:
+                name: stonks-config
+            {{- range $svc.secrets }}
+            - secretRef:
+                name: {{ . }}
+            {{- end }}
+          resources:
+            requests: { cpu: 50m, memory: 64Mi }
+            limits: { cpu: 200m, memory: 128Mi }
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
       {{- end }}
       containers:
         - name: {{ $svc.image }}

infra/helm/stonks-oracle/values-paper.yaml

@@ -18,10 +18,21 @@ config:
   POSTGRES_USER: "stonks_paper"
   OLLAMA_BASE_URL: "http://10.1.1.12:2701"
 
-## Secrets override: Alpaca paper trading API endpoint
+## Secrets — all credentials for the paper stage
+## These are rendered into K8s Secrets by the Helm chart.
+## The repo is private (Gitea) so storing here is acceptable.
 secrets:
+  core:
+    POSTGRES_PASSWORD: "St0nks0racl3!"
+    MINIO_ACCESS_KEY: "AKIA6V7J3N9B5P0D2YQH"
+    MINIO_SECRET_KEY: "8fG3!v2rJ7$wN@9mLpQ6zXbC4tKdPqW1"
+    REDIS_PASSWORD: "PSCh4ng3me!"
   broker:
+    BROKER_API_KEY: "PKECQBNHD6ZLKEXZZVIFTOLX72"
+    BROKER_API_SECRET: "5pV8zfUn92zAUL4TAwFor3Lk8RqNBcRzN12Y1HJjU7Gn"
     BROKER_BASE_URL: "https://paper-api.alpaca.markets"
+  market:
+    MARKET_DATA_API_KEY: "NPwKtrLvoBxcKt3Byp5PEvuZiBZU_d8E"
 
 ## Paper-specific ingress hostnames
 ingress: