feat(frontend): add Helm chart browser, monitoring, chart-references and values templates pages

Add new frontend pages for the multi-tenant OCDP platform:

- Charts page (/charts): Browse Harbor OCI registries to list Helm chart repositories
  and versions, with deploy modal to launch charts on selected clusters
- Monitoring page (/monitoring): Display cluster metrics (CPU/Memory/GPU usage)
  and per-node details with resource utilization bars
- Chart References page (/chart-references): CRUD for chart metadata references
- Values Templates page (/templates): CRUD for Helm values templates with version
  history and rollback support
- Sidebar: Add Charts navigation, update Storage and Templates links
- api.ts: Add all API client functions (clusterApi, registryApi, instanceApi,
  monitoringApi, storageApi, chartReferenceApi, valuesTemplateApi,
  workspaceApi, userApi) with full TypeScript types

Note: deploy flow and values template rollback not yet end-to-end tested.

infra/nginx/default.conf

@@ -1,7 +1,14 @@
 # default.conf - OCDP production gateway
 # - 对外监听 80/443（Docker 默认映射宿主 80/443）
-# - 路由策略: /api/* → backend 服务，其余路径 → SPA 静态资源
+# - 路由策略: /api/* → backend 服务，其余路径 → Next.js 前端
 # - TLS 证书通过 /etc/nginx/certs/tls.(crt|key) 挂载，可替换为正式证书
+# - 包含安全 headers: CORS, CSP, X-Frame-Options, etc.
+
+# Security headers map
+map $request_uri $csp_header {
+    ~^\/api\/    "default-src 'none'; script-src 'self'; connect-src 'self'; frame-ancestors 'none';";
+    default     "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' http://localhost:* https://*; frame-ancestors 'none'; form-action 'self'; base-uri 'self';";
+}
 
 server {
     listen 80 default_server;
@@ -16,17 +23,31 @@ server {
     ssl_ciphers         'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
     ssl_prefer_server_ciphers on;
 
-    root /usr/share/nginx/html;
-    index index.html;
+    # Security headers for all responses
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;
 
-    # 前端 SPA 路由 fallback
+    # 前端 Next.js 服务代理 - 所有非 API 请求
     location / {
-        try_files $uri /index.html;
+        add_header Content-Security-Policy $csp_header always;
+        proxy_pass         http://ocdp-frontend:3000;
+        proxy_http_version 1.1;
+        proxy_set_header   Host $host;
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection 'upgrade';
+        proxy_cache_bypass $http_upgrade;
     }
 
     # API 请求代理到 backend 服务
     location /api/ {
-        proxy_pass         http://backend:8080;
+        add_header Content-Security-Policy $csp_header always;
+        proxy_pass         http://ocdp-backend:8080;
         proxy_http_version 1.1;
         proxy_set_header   Host $host;
         proxy_set_header   X-Real-IP $remote_addr;
@@ -40,11 +61,4 @@ server {
         add_header Content-Type text/plain;
         return 200 'ok';
     }
-
-    # 提供静态资源 (cache control)
-    location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
-        expires 7d;
-        add_header Cache-Control "public, max-age=604800, immutable";
-        try_files $uri /index.html;
-    }
-}
+}