feat(frontend): add Helm chart browser, monitoring, chart-references and values templates pages

Add new frontend pages for the multi-tenant OCDP platform:

- Charts page (/charts): Browse Harbor OCI registries to list Helm chart repositories
  and versions, with deploy modal to launch charts on selected clusters
- Monitoring page (/monitoring): Display cluster metrics (CPU/Memory/GPU usage)
  and per-node details with resource utilization bars
- Chart References page (/chart-references): CRUD for chart metadata references
- Values Templates page (/templates): CRUD for Helm values templates with version
  history and rollback support
- Sidebar: Add Charts navigation, update Storage and Templates links
- api.ts: Add all API client functions (clusterApi, registryApi, instanceApi,
  monitoringApi, storageApi, chartReferenceApi, valuesTemplateApi,
  workspaceApi, userApi) with full TypeScript types

Note: deploy flow and values template rollback not yet end-to-end tested.

backend/internal/adapter/output/persistence/postgres/user_repository.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
+	"log"
 	"time"
 
 	"github.com/google/uuid"
@@ -27,9 +28,14 @@ func (r *UserRepository) Create(ctx context.Context, user *entity.User) error {
 		user.ID = uuid.New().String()
 	}
 
+	// 设置默认值
+	if user.IsActive {
+		user.IsActive = true
+	}
+
 	query := `
-		INSERT INTO users (id, username, password_hash, email, revoked_after, created_at, updated_at)
-		VALUES ($1, $2, $3, $4, $5, $6, $7)
+		INSERT INTO users (id, username, password_hash, email, role, workspace_id, is_active, must_change_password, revoked_after, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
 	`
 
 	_, err := r.db.conn.ExecContext(ctx, query,
@@ -37,6 +43,10 @@ func (r *UserRepository) Create(ctx context.Context, user *entity.User) error {
 		user.Username,
 		user.PasswordHash,
 		user.Email,
+		user.Role,
+		user.WorkspaceID,
+		user.IsActive,
+		user.MustChangePassword,
 		user.RevokedAfter,
 		user.CreatedAt,
 		user.UpdatedAt,
@@ -52,22 +62,34 @@ func (r *UserRepository) Create(ctx context.Context, user *entity.User) error {
 // GetByID 根据 ID 获取用户
 func (r *UserRepository) GetByID(ctx context.Context, id string) (*entity.User, error) {
 	query := `
-		SELECT id, username, password_hash, email, revoked_after, created_at, updated_at
+		SELECT id, username, password_hash, email, role, workspace_id, is_active, must_change_password, revoked_after, created_at, updated_at
 		FROM users
 		WHERE id = $1
 	`
 
 	user := &entity.User{}
+	var workspaceID sql.NullString
 	err := r.db.conn.QueryRowContext(ctx, query, id).Scan(
 		&user.ID,
 		&user.Username,
 		&user.PasswordHash,
 		&user.Email,
+		&user.Role,
+		&workspaceID,
+		&user.IsActive,
+		&user.MustChangePassword,
 		&user.RevokedAfter,
 		&user.CreatedAt,
 		&user.UpdatedAt,
 	)
 
+	// Handle NULL workspace_id
+	if workspaceID.Valid {
+		user.WorkspaceID = workspaceID.String
+	} else {
+		user.WorkspaceID = ""
+	}
+
 	if err == sql.ErrNoRows {
 		return nil, entity.ErrUserNotFound
 	}
@@ -80,30 +102,50 @@ func (r *UserRepository) GetByID(ctx context.Context, id string) (*entity.User,
 
 // GetByUsername 根据用户名获取用户
 func (r *UserRepository) GetByUsername(ctx context.Context, username string) (*entity.User, error) {
+	log.Printf("[DEBUG] GetByUsername called with username: %q", username)
 	query := `
-		SELECT id, username, password_hash, email, revoked_after, created_at, updated_at
+		SELECT id, username, password_hash, email, role, workspace_id, is_active, must_change_password, revoked_after, created_at, updated_at
 		FROM users
 		WHERE username = $1
 	`
 
+	log.Printf("[DEBUG] Executing query: %s with param: %s", query, username)
+
 	user := &entity.User{}
+	var workspaceID sql.NullString
 	err := r.db.conn.QueryRowContext(ctx, query, username).Scan(
 		&user.ID,
 		&user.Username,
 		&user.PasswordHash,
 		&user.Email,
+		&user.Role,
+		&workspaceID,
+		&user.IsActive,
+		&user.MustChangePassword,
 		&user.RevokedAfter,
 		&user.CreatedAt,
 		&user.UpdatedAt,
 	)
 
+	// Handle NULL workspace_id
+	if workspaceID.Valid {
+		user.WorkspaceID = workspaceID.String
+	} else {
+		user.WorkspaceID = ""
+	}
+
+	log.Printf("[DEBUG] Query result - err: %v", err)
 	if err == sql.ErrNoRows {
+		log.Printf("[DEBUG] User not found in DB")
 		return nil, entity.ErrUserNotFound
 	}
 	if err != nil {
+		log.Printf("[DEBUG] Scan error: %v", err)
 		return nil, fmt.Errorf("failed to get user: %w", err)
 	}
 
+	log.Printf("[DEBUG] Found user: %+v", user)
+
 	return user, nil
 }
 
@@ -113,14 +155,18 @@ func (r *UserRepository) Update(ctx context.Context, user *entity.User) error {
 
 	query := `
 		UPDATE users
-		SET username = $1, password_hash = $2, email = $3, revoked_after = $4, updated_at = $5
-		WHERE id = $6
+		SET username = $1, password_hash = $2, email = $3, role = $4, workspace_id = $5, is_active = $6, must_change_password = $7, revoked_after = $8, updated_at = $9
+		WHERE id = $10
 	`
 
 	result, err := r.db.conn.ExecContext(ctx, query,
 		user.Username,
 		user.PasswordHash,
 		user.Email,
+		user.Role,
+		user.WorkspaceID,
+		user.IsActive,
+		user.MustChangePassword,
 		user.RevokedAfter,
 		user.UpdatedAt,
 		user.ID,
@@ -166,7 +212,7 @@ func (r *UserRepository) Delete(ctx context.Context, id string) error {
 // List 列出所有用户
 func (r *UserRepository) List(ctx context.Context) ([]*entity.User, error) {
 	query := `
-		SELECT id, username, password_hash, email, revoked_after, created_at, updated_at
+		SELECT id, username, password_hash, email, role, workspace_id, is_active, must_change_password, revoked_after, created_at, updated_at
 		FROM users
 		ORDER BY created_at DESC
 	`
@@ -185,6 +231,98 @@ func (r *UserRepository) List(ctx context.Context) ([]*entity.User, error) {
 			&user.Username,
 			&user.PasswordHash,
 			&user.Email,
+			&user.Role,
+			&user.WorkspaceID,
+			&user.IsActive,
+			&user.MustChangePassword,
+			&user.RevokedAfter,
+			&user.CreatedAt,
+			&user.UpdatedAt,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan user: %w", err)
+		}
+		users = append(users, user)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("rows iteration error: %w", err)
+	}
+
+	return users, nil
+}
+
+// ListByWorkspace 列出指定 workspace 的用户
+func (r *UserRepository) ListByWorkspace(ctx context.Context, workspaceID string) ([]*entity.User, error) {
+	query := `
+		SELECT id, username, password_hash, email, role, workspace_id, is_active, must_change_password, revoked_after, created_at, updated_at
+		FROM users
+		WHERE workspace_id = $1
+		ORDER BY created_at DESC
+	`
+
+	rows, err := r.db.conn.QueryContext(ctx, query, workspaceID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list users by workspace: %w", err)
+	}
+	defer rows.Close()
+
+	users := make([]*entity.User, 0)
+	for rows.Next() {
+		user := &entity.User{}
+		err := rows.Scan(
+			&user.ID,
+			&user.Username,
+			&user.PasswordHash,
+			&user.Email,
+			&user.Role,
+			&user.WorkspaceID,
+			&user.IsActive,
+			&user.MustChangePassword,
+			&user.RevokedAfter,
+			&user.CreatedAt,
+			&user.UpdatedAt,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan user: %w", err)
+		}
+		users = append(users, user)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("rows iteration error: %w", err)
+	}
+
+	return users, nil
+}
+
+// ListActive 仅列出活跃用户
+func (r *UserRepository) ListActive(ctx context.Context) ([]*entity.User, error) {
+	query := `
+		SELECT id, username, password_hash, email, role, workspace_id, is_active, must_change_password, revoked_after, created_at, updated_at
+		FROM users
+		WHERE is_active = TRUE
+		ORDER BY created_at DESC
+	`
+
+	rows, err := r.db.conn.QueryContext(ctx, query)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list active users: %w", err)
+	}
+	defer rows.Close()
+
+	users := make([]*entity.User, 0)
+	for rows.Next() {
+		user := &entity.User{}
+		err := rows.Scan(
+			&user.ID,
+			&user.Username,
+			&user.PasswordHash,
+			&user.Email,
+			&user.Role,
+			&user.WorkspaceID,
+			&user.IsActive,
+			&user.MustChangePassword,
 			&user.RevokedAfter,
 			&user.CreatedAt,
 			&user.UpdatedAt,