feat: add Home Assistant MCP sidecar and fix K8s/Flux MCP deployment logic

Added features:
- Home Assistant MCP server as optional sidecar (mcpSidecars.homeassistant)
- Requires homeassistant-url and homeassistant-token secrets
- Runs on port 8087 using SSE transport mode
- Disabled by default due to credential requirements

Fixed deployment logic:
- Kubernetes and Flux MCP sidecars now only deploy when:
  1. They are enabled in values (mcpSidecars.<name>.enabled: true)
  2. AND clusterAccess is not "none" (they need RBAC to function)
- Prevents unnecessary container failures when no permissions exist

Documentation updates:
- Complete Helm values reference for all MCP sidecars
- Deployment examples and troubleshooting guides
- Updated memory notes with current architecture

Breaking change:
- K8s/Flux MCP sidecars won't deploy with clusterAccess=none
- This is intentional as they cannot function without RBAC

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

CLAUDE.md

@@ -79,26 +79,33 @@ Container start
 
 ### MCP Sidecars
 
-Kubernetes and Flux MCP servers run as sidecar containers in the pod, inheriting its ServiceAccount RBAC permissions:
+MCP (Model Context Protocol) servers run as sidecar containers in the pod, enabling AI assistants to interact with various services:
 
-| Sidecar | Image | Port | Endpoint |
-|---------|-------|------|----------|
-| `kubernetes-mcp` | `quay.io/containers/kubernetes_mcp_server` | 8080 | `http://localhost:8080/sse` |
-| `flux-mcp` | `ghcr.io/controlplaneio-fluxcd/flux-operator-mcp` | 8081 | `http://localhost:8081/sse` |
+| Sidecar | Image | Port | Endpoint | Default |
+|---------|-------|------|----------|---------|
+| `kubernetes-mcp` | `quay.io/containers/kubernetes_mcp_server` | 8080 | `http://localhost:8080/sse` | Enabled |
+| `flux-mcp` | `ghcr.io/controlplaneio-fluxcd/flux-operator-mcp` | 8081 | `http://localhost:8081/sse` | Enabled |
+| `homeassistant-mcp` | `ghcr.io/homeassistant-ai/ha-mcp` | 8087 | `http://localhost:8087/sse` | Disabled |
 
-Both are enabled by default and configurable via `mcpSidecars` in `values.yaml`. Playwright MCP remains an external service.
+**Note:**
+- Kubernetes and Flux sidecars require `clusterAccess` != `none` to be deployed (they need RBAC permissions)
+- Kubernetes and Flux sidecars inherit the pod's ServiceAccount RBAC permissions
+- Home Assistant sidecar requires `HOMEASSISTANT_URL` and `HOMEASSISTANT_TOKEN` in the env secret
+- Playwright MCP remains an external service
 
 #### Enabling/Disabling MCP Servers
 
 To control MCP sidecars, set the `enabled` flag in your values override:
 
 ```yaml
-# Disable both MCP sidecars
+# Disable all MCP sidecars
 mcpSidecars:
   kubernetes:
     enabled: false
   flux:
     enabled: false
+  homeassistant:
+    enabled: false
 
 # Or selectively enable/disable
 mcpSidecars:
@@ -106,6 +113,8 @@ mcpSidecars:
     enabled: true  # Keep Kubernetes MCP enabled
   flux:
     enabled: false # Disable Flux MCP
+  homeassistant:
+    enabled: true  # Enable Home Assistant MCP (requires secrets)
 ```
 
 When deploying via Helm: