diff --git a/Makefile b/Makefile
index 7f90924..ae5918b 100755
--- a/Makefile
+++ b/Makefile
@@ -163,60 +163,91 @@ test-helm: ## Test Helm charts (lint, template, validate)
 exit 1; \
 fi
 @echo "Linting Helm chart..."
- helm lint $(HELM_CHART_DIR)/
+ helm lint $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest
 @echo ""
 @echo "Testing template rendering with default values..."
- helm template test-release $(HELM_CHART_DIR)/ > /dev/null
+ helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest > /dev/null
 @echo "Default values template OK"
 @echo ""
- @echo "Testing template with custom image registry..."
+ @echo "Testing template with custom image..."
 helm template test-release $(HELM_CHART_DIR)/ \
- --set image.registry=quay.io/openshift-hyperfleet \
+ --set image.registry=quay.io \
+ --set image.repository=myorg/hyperfleet-sentinel \
 --set image.tag=v1.0.0 > /dev/null
 @echo "Custom image config template OK"
 @echo ""
 @echo "Testing template with PDB enabled..."
 helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest \
 --set podDisruptionBudget.enabled=true \
 --set podDisruptionBudget.maxUnavailable=1 > /dev/null
 @echo "PDB config template OK"
 @echo ""
 @echo "Testing template with PDB disabled..."
 helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest \
 --set podDisruptionBudget.enabled=false > /dev/null
 @echo "PDB disabled template OK"
 @echo ""
 @echo "Testing template with RabbitMQ broker..."
 helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest \
 --set broker.type=rabbitmq \
 --set broker.rabbitmq.url=amqp://user:pass@rabbitmq:5672/hyperfleet > /dev/null
 @echo "RabbitMQ broker template OK"
 @echo ""
 @echo "Testing template with Google Pub/Sub broker..."
 helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest \
 --set broker.type=googlepubsub \
 --set broker.googlepubsub.projectId=test-project > /dev/null
 @echo "Google Pub/Sub broker template OK"
 @echo ""
 @echo "Testing template with PodMonitoring enabled..."
 helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest \
 --set monitoring.podMonitoring.enabled=true \
 --set monitoring.podMonitoring.interval=15s > /dev/null
 @echo "PodMonitoring config template OK"
 @echo ""
 @echo "Testing template with ServiceMonitor enabled..."
 helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest \
 --set monitoring.serviceMonitor.enabled=true \
 --set monitoring.serviceMonitor.interval=30s > /dev/null
 @echo "ServiceMonitor config template OK"
 @echo ""
 @echo "Testing template with PrometheusRule enabled..."
 helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest \
 --set monitoring.prometheusRule.enabled=true > /dev/null
 @echo "PrometheusRule config template OK"
 @echo ""
 @echo "Testing template with custom resource selector..."
 helm template test-release $(HELM_CHART_DIR)/ \
+ --set image.registry=quay.io \
+ --set image.repository=openshift-hyperfleet/hyperfleet-sentinel \
+ --set image.tag=latest \
 --set config.resourceType=nodepools \
 --set config.pollInterval=10s \
 --set config.maxAgeReady=1h > /dev/null
diff --git a/charts/Chart.yaml b/charts/Chart.yaml
index 3978fe9..a753dd5 100644
--- a/charts/Chart.yaml
+++ b/charts/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
-name: sentinel
+name: hyperfleet-sentinel
 description: HyperFleet Sentinel - Kubernetes service that polls HyperFleet API and publishes CloudEvents
 type: application
-version: 0.1.0
-appVersion: "0.1.0"
+version: 1.0.0
+appVersion: "0.0.0-dev"
 keywords:
 - hyperfleet
 - sentinel
diff --git a/charts/templates/_helpers.tpl b/charts/templates/_helpers.tpl
index 42cce6b..53187ee 100644
--- a/charts/templates/_helpers.tpl
+++ b/charts/templates/_helpers.tpl
@@ -59,6 +59,22 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Validate required values that must not remain as placeholders.
+*/}}
+{{- define "sentinel.validateValues" -}}
+{{- $effectiveRegistry := ((.Values.global).imageRegistry) | default .Values.image.registry -}}
+{{- if eq $effectiveRegistry "CHANGE_ME" -}}
+{{- fail "image.registry must be set (e.g. --set image.registry=quay.io)" -}}
+{{- end -}}
+{{- if eq .Values.image.repository "CHANGE_ME" -}}
+{{- fail "image.repository must be set (e.g. --set image.repository=openshift-hyperfleet/hyperfleet-sentinel)" -}}
+{{- end -}}
+{{- if not .Values.image.tag -}}
+{{- fail "image.tag must be set (e.g. --set image.tag=abc1234)" -}}
+{{- end -}}
+{{- end }}
+
 {{/*
 Create the name of the secret to use
 */}}
diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml
index 643e137..e279bd7 100644
--- a/charts/templates/deployment.yaml
+++ b/charts/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- include "sentinel.validateValues" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
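Review bot: The three `--set image.*` arguments are pasted verbatim into every helm invocation in this hunk (twelve copies of the same lines), so a future rename of the image has twelve places to miss; one variable keeps them together, `HELM_TEST_IMAGE_ARGS := --set image.registry=quay.io --set image.repository=openshift-hyperfleet/hyperfleet-sentinel --set image.tag=latest`, with each call reduced to `helm template test-release $(HELM_CHART_DIR)/ $(HELM_TEST_IMAGE_ARGS) \`. Since the chart now refuses to render with its shipped placeholders, the "default values" label on the second test no longer describes what runs, and nothing exercises the new failure path; a negative case such as `if helm template test-release $(HELM_CHART_DIR)/ > /dev/null 2>&1; then echo "expected placeholder image values to be rejected"; exit 1; fi` would pin that behaviour. The `test-helm` target begins before this hunk and its recipe continues after the last line shown.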
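Review bot: The tag check at `{{- if not .Values.image.tag -}}` ignores `global.imageTag`, although the registry check a few lines above honours `global.imageRegistry` and deployment.yaml resolves the tag as `((.Values.global).imageTag) | default .Values.image.tag`; a release that sets only the global tag is rejected here even though it would render a valid image reference. Mirroring the registry handling closes the gap: `{{- $effectiveTag := ((.Values.global).imageTag) | default .Values.image.tag -}}` followed by `{{- if not $effectiveTag -}}`. The `CHANGE_ME` comparisons are exact, so a registry or repository that is merely empty appears to pass validation and would yield an image reference with a missing component; `{{- if or (not $effectiveRegistry) (eq $effectiveRegistry "CHANGE_ME") -}}` (and the same for the repository) would reject that too.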
@@ -19,6 +20,9 @@ spec:
 {{- end }}
 labels:
 {{- include "sentinel.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
@@ -31,7 +35,7 @@ spec:
 - name: {{ .Chart.Name }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ ((.Values.global).imageRegistry) | default .Values.image.registry }}/{{ .Values.image.repository }}:{{ ((.Values.global).imageTag) | default (.Values.image.tag | default .Chart.AppVersion) }}"
+ image: "{{ ((.Values.global).imageRegistry) | default .Values.image.registry }}/{{ .Values.image.repository }}:{{ ((.Values.global).imageTag) | default .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args:
 - serve
diff --git a/charts/values.yaml b/charts/values.yaml
index 8d7c0ad..495a6d0 100644
--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -8,9 +8,9 @@ replicaCount: 1
 # Container image configuration
 image:
 registry: CHANGE_ME
- repository: hyperfleet-sentinel
+ repository: CHANGE_ME # e.g. openshift-hyperfleet/hyperfleet-sentinel
 pullPolicy: Always
- # Overrides the image tag whose default is the chart appVersion.
+ # Required: image tag (e.g. git SHA, semver tag). No default — must be set at install time.
 tag: ""
 
 imagePullSecrets: []
@@ -32,20 +32,23 @@ serviceAccount:
 
 # Pod annotations
 podAnnotations: {}
+podLabels: {}
 
 # Pod security context
 podSecurityContext:
 fsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
 
 # Container security context
 securityContext:
- runAsNonRoot: true
- runAsUser: 65532
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
+ seccompProfile:
+ type: RuntimeDefault
 
 # Resource limits and requests
 resources:
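Review bot: `seccompProfile: {type: RuntimeDefault}` is added under the container `securityContext`, so it covers only that one container; putting it under `podSecurityContext`, beside the `runAsNonRoot`/`runAsUser` lines this hunk moves there, applies the profile to every container in the pod, including any init or sidecar container a later change introduces, which is the usual reason to lift the other settings to pod level in the first place. The pinned `runAsUser: 65532` is moved rather than new, but it now deserves a comment: the image path used in the Makefile suggests an OpenShift target, where the default restricted SCC allocates the UID from a per-namespace range and rejects a pod that pins one outside it, so either document that expectation, e.g. `# runAsUser pinned for non-OpenShift clusters; on OpenShift the restricted SCC assigns the UID — TODO confirm`, or rely on `runAsNonRoot: true` and let the platform choose the UID.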