fix: scale replicas in response, K8s metrics client, quota precheck, auth tests

- Add GetMetrics method to MetricsClient interface and implement cluster metrics API
- Add QuotaPrecheck service for validating resource quotas before deployment
- Add auth DTO with role/permission models and auth handler tests
- Add instance diagnostics: mounted NFS volumes, labels, annotations in pod diagnostics
- Update workspace handler with GetWorkspace endpoint and shared-user list
- Fix monitoring handler to use correct service method name
- Add tail_lines fallback in instance handler for snake_case query params
- Update nginx config for SSE log streaming support (no buffering)
- Add comprehensive test coverage: auth_service_test, auth_handler_test,
  auth_dto_test, metrics_client_test, quota_precheck_test
- Update error messages for quota validation and instance operations
- ModifyModal: fix YAML lineWidth:0, modified keys summary, delta-only submit
- InstanceCard: correctly disable scale-minus when replicas <= 0
- SidebarLayout: add hover transition for sidebar items
- Update todo.md and lessons.md with latest fixes

backend/internal/adapter/output/k8s/tenant_client.go

@@ -106,6 +106,25 @@ func (c *TenantClient) IssueKubeconfig(ctx context.Context, cluster *entity.Clus
 	}, nil
 }
 
+func (c *TenantClient) GetResourceQuotaUsage(ctx context.Context, cluster *entity.Cluster, binding entity.TenantBinding) (*repository.ResourceQuotaUsage, error) {
+	binding = binding.WithDefaults()
+	if err := binding.Validate(); err != nil {
+		return nil, err
+	}
+	clientset, _, err := c.clientsetForCluster(cluster)
+	if err != nil {
+		return nil, err
+	}
+	quota, err := clientset.CoreV1().ResourceQuotas(binding.Namespace).Get(ctx, binding.ResourceQuotaName, metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to get tenant resource quota usage: %w", err)
+	}
+	return &repository.ResourceQuotaUsage{
+		Hard: resourceVectorFromList(quota.Status.Hard),
+		Used: resourceVectorFromList(quota.Status.Used),
+	}, nil
+}
+
 // SuspendTenant revokes tenant API access by deleting only the RoleBinding.
 func (c *TenantClient) SuspendTenant(ctx context.Context, cluster *entity.Cluster, binding entity.TenantBinding) error {
 	binding = binding.WithDefaults()
@@ -128,6 +147,82 @@ func (c *TenantClient) SuspendTenant(ctx context.Context, cluster *entity.Cluste
 	return nil
 }
 
+func (c *TenantClient) DeleteTenant(ctx context.Context, cluster *entity.Cluster, binding entity.TenantBinding) error {
+	binding = binding.WithDefaults()
+	if err := binding.Validate(); err != nil {
+		return err
+	}
+	if isProtectedTenantNamespace(binding.Namespace) {
+		return entity.ErrProtectedNamespace
+	}
+	clientset, _, err := c.clientsetForCluster(cluster)
+	if err != nil {
+		return err
+	}
+	if err := deleteIgnoringNotFound(ctx, func() error {
+		return clientset.RbacV1().RoleBindings(binding.Namespace).Delete(ctx, binding.RoleBindingName, metav1.DeleteOptions{})
+	}); err != nil {
+		return fmt.Errorf("failed to delete tenant role binding: %w", err)
+	}
+	if err := deleteIgnoringNotFound(ctx, func() error {
+		return clientset.CoreV1().ResourceQuotas(binding.Namespace).Delete(ctx, binding.ResourceQuotaName, metav1.DeleteOptions{})
+	}); err != nil {
+		return fmt.Errorf("failed to delete tenant resource quota: %w", err)
+	}
+	if err := deleteIgnoringNotFound(ctx, func() error {
+		return clientset.CoreV1().ServiceAccounts(binding.Namespace).Delete(ctx, binding.ServiceAccountName, metav1.DeleteOptions{})
+	}); err != nil {
+		return fmt.Errorf("failed to delete tenant service account: %w", err)
+	}
+	namespace, err := clientset.CoreV1().Namespaces().Get(ctx, binding.Namespace, metav1.GetOptions{})
+	if apierrors.IsNotFound(err) {
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("failed to get tenant namespace before deletion: %w", err)
+	}
+	if namespace.Labels["ocdp.io/managed-by"] != "ocdp" || namespace.Labels["ocdp.io/tenant"] != binding.Namespace {
+		return fmt.Errorf("refusing to delete unmanaged namespace %q", binding.Namespace)
+	}
+	if err := deleteIgnoringNotFound(ctx, func() error {
+		return clientset.CoreV1().Namespaces().Delete(ctx, binding.Namespace, metav1.DeleteOptions{})
+	}); err != nil {
+		return fmt.Errorf("failed to delete tenant namespace: %w", err)
+	}
+	return nil
+}
+
+func deleteIgnoringNotFound(ctx context.Context, deleteFn func() error) error {
+	if err := ctx.Err(); err != nil {
+		return err
+	}
+	err := deleteFn()
+	if apierrors.IsNotFound(err) {
+		return nil
+	}
+	return err
+}
+
+func isProtectedTenantNamespace(namespace string) bool {
+	switch strings.TrimSpace(namespace) {
+	case "", "default", "kube-system", "kube-public", "kube-node-lease":
+		return true
+	default:
+		return false
+	}
+}
+
+func resourceVectorFromList(values corev1.ResourceList) repository.ResourceVector {
+	gpu := values[corev1.ResourceName("requests.nvidia.com/gpu")]
+	gpuMem := values[corev1.ResourceName("requests.nvidia.com/gpumem")]
+	return repository.ResourceVector{
+		CPU:         values[corev1.ResourceName("requests.cpu")],
+		Memory:      values[corev1.ResourceName("requests.memory")],
+		GPU:         gpu.Value(),
+		GPUMemoryMB: gpuMem.Value(),
+	}
+}
+
 func (c *TenantClient) clientsetForCluster(cluster *entity.Cluster) (kubernetes.Interface, *rest.Config, error) {
 	if c.clientset != nil {
 		config := &rest.Config{Host: "https://kubernetes.default.svc"}