refactor: full-stack restructure with multi-tenancy, workspace management, and K8s diagnostics

- Add Workspace domain (entity, repository, service, handler, DTO)
- Add multi-tenant K8s client with tenant binding and quota management
- Add K8s diagnostics client (instance diagnostics)
- Add authorization middleware (authz package)
- Restructure frontend to feature-based architecture (features/)
- Add User Management page in configuration
- Add AccessDenied page and route guards
- Refactor shared components (form inputs, layout, UI)
- Update Tailwind config for new design system
- Add comprehensive documentation (docs/, tasks/, plans)
- Improve cluster service with better kubeconfig handling
- Add tests for crypto, config, helm client, tenant binding

backend/internal/adapter/output/persistence/mock/cluster_repository_mock.go

@@ -3,7 +3,7 @@ package mock
 import (
 	"context"
 	"sync"
-	
+
 	"github.com/ocdp/cluster-service/internal/domain/entity"
 	"github.com/ocdp/cluster-service/internal/domain/repository"
 	"github.com/ocdp/cluster-service/internal/pkg/crypto"
@@ -27,21 +27,21 @@ func NewClusterRepositoryMock(encryptor crypto.Encryptor) repository.ClusterRepo
 func (r *ClusterRepositoryMock) Create(ctx context.Context, cluster *entity.Cluster) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	// 检查名称是否已存在
 	for _, c := range r.clusters {
 		if c.Name == cluster.Name {
 			return entity.ErrClusterExists
 		}
 	}
-	
+
 	// Mock 模式：如果没有提供认证信息，自动填充默认的 Mock 证书
 	if (cluster.CertData == "" || cluster.KeyData == "") && cluster.Token == "" {
 		cluster.CAData = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1vY2sgQ0EgQ2VydGlmaWNhdGUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ=="
 		cluster.CertData = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1vY2sgQ2xpZW50IENlcnRpZmljYXRlCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
 		cluster.KeyData = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNb2NrIFByaXZhdGUgS2V5Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t"
 	}
-	
+
 	// 加密敏感数据后存储
 	encryptedCluster := r.encryptCluster(cluster)
 	r.clusters[cluster.ID] = encryptedCluster
@@ -51,12 +51,12 @@ func (r *ClusterRepositoryMock) Create(ctx context.Context, cluster *entity.Clus
 func (r *ClusterRepositoryMock) GetByID(ctx context.Context, id string) (*entity.Cluster, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	cluster, exists := r.clusters[id]
 	if !exists {
 		return nil, entity.ErrClusterNotFound
 	}
-	
+
 	// 解密敏感数据后返回
 	return r.decryptCluster(cluster), nil
 }
@@ -64,25 +64,25 @@ func (r *ClusterRepositoryMock) GetByID(ctx context.Context, id string) (*entity
 func (r *ClusterRepositoryMock) GetByName(ctx context.Context, name string) (*entity.Cluster, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	for _, cluster := range r.clusters {
 		if cluster.Name == name {
 			// 解密敏感数据后返回
 			return r.decryptCluster(cluster), nil
 		}
 	}
-	
+
 	return nil, entity.ErrClusterNotFound
 }
 
 func (r *ClusterRepositoryMock) Update(ctx context.Context, cluster *entity.Cluster) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	if _, exists := r.clusters[cluster.ID]; !exists {
 		return entity.ErrClusterNotFound
 	}
-	
+
 	// 加密敏感数据后存储
 	encryptedCluster := r.encryptCluster(cluster)
 	r.clusters[cluster.ID] = encryptedCluster
@@ -92,11 +92,11 @@ func (r *ClusterRepositoryMock) Update(ctx context.Context, cluster *entity.Clus
 func (r *ClusterRepositoryMock) Delete(ctx context.Context, id string) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	if _, exists := r.clusters[id]; !exists {
 		return entity.ErrClusterNotFound
 	}
-	
+
 	delete(r.clusters, id)
 	return nil
 }
@@ -104,20 +104,20 @@ func (r *ClusterRepositoryMock) Delete(ctx context.Context, id string) error {
 func (r *ClusterRepositoryMock) List(ctx context.Context) ([]*entity.Cluster, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	clusters := make([]*entity.Cluster, 0, len(r.clusters))
 	for _, cluster := range r.clusters {
 		// 解密敏感数据后返回
 		clusters = append(clusters, r.decryptCluster(cluster))
 	}
-	
+
 	return clusters, nil
 }
 
 // encryptCluster 加密 Cluster 的敏感数据
 func (r *ClusterRepositoryMock) encryptCluster(cluster *entity.Cluster) *entity.Cluster {
 	encrypted := *cluster // 复制
-	
+
 	// 加密证书数据
 	if cluster.CAData != "" && !crypto.IsEncrypted(cluster.CAData) {
 		if encryptedData, err := r.encryptor.Encrypt(cluster.CAData); err == nil {
@@ -139,14 +139,14 @@ func (r *ClusterRepositoryMock) encryptCluster(cluster *entity.Cluster) *entity.
 			encrypted.Token = encryptedData
 		}
 	}
-	
+
 	return &encrypted
 }
 
 // decryptCluster 解密 Cluster 的敏感数据
 func (r *ClusterRepositoryMock) decryptCluster(cluster *entity.Cluster) *entity.Cluster {
 	decrypted := *cluster // 复制
-	
+
 	// 解密证书数据
 	if cluster.CAData != "" && crypto.IsEncrypted(cluster.CAData) {
 		if decryptedData, err := r.encryptor.Decrypt(cluster.CAData); err == nil {
@@ -168,7 +168,6 @@ func (r *ClusterRepositoryMock) decryptCluster(cluster *entity.Cluster) *entity.
 			decrypted.Token = decryptedData
 		}
 	}
-	
+
 	return &decrypted
 }
-

backend/internal/adapter/output/persistence/mock/instance_repository_mock.go

@@ -3,7 +3,7 @@ package mock
 import (
 	"context"
 	"sync"
-	
+
 	"github.com/ocdp/cluster-service/internal/domain/entity"
 	"github.com/ocdp/cluster-service/internal/domain/repository"
 )
@@ -24,14 +24,14 @@ func NewInstanceRepositoryMock() repository.InstanceRepository {
 func (r *InstanceRepositoryMock) Create(ctx context.Context, instance *entity.Instance) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	// 检查同一集群中名称是否已存在
 	for _, inst := range r.instances {
 		if inst.ClusterID == instance.ClusterID && inst.Name == instance.Name {
 			return entity.ErrInstanceExists
 		}
 	}
-	
+
 	r.instances[instance.ID] = instance
 	return nil
 }
@@ -39,36 +39,36 @@ func (r *InstanceRepositoryMock) Create(ctx context.Context, instance *entity.In
 func (r *InstanceRepositoryMock) GetByID(ctx context.Context, id string) (*entity.Instance, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	instance, exists := r.instances[id]
 	if !exists {
 		return nil, entity.ErrInstanceNotFound
 	}
-	
+
 	return instance, nil
 }
 
 func (r *InstanceRepositoryMock) GetByClusterAndName(ctx context.Context, clusterID, name string) (*entity.Instance, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	for _, instance := range r.instances {
 		if instance.ClusterID == clusterID && instance.Name == name {
 			return instance, nil
 		}
 	}
-	
+
 	return nil, entity.ErrInstanceNotFound
 }
 
 func (r *InstanceRepositoryMock) Update(ctx context.Context, instance *entity.Instance) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	if _, exists := r.instances[instance.ID]; !exists {
 		return entity.ErrInstanceNotFound
 	}
-	
+
 	r.instances[instance.ID] = instance
 	return nil
 }
@@ -76,11 +76,11 @@ func (r *InstanceRepositoryMock) Update(ctx context.Context, instance *entity.In
 func (r *InstanceRepositoryMock) Delete(ctx context.Context, id string) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	if _, exists := r.instances[id]; !exists {
 		return entity.ErrInstanceNotFound
 	}
-	
+
 	delete(r.instances, id)
 	return nil
 }
@@ -88,26 +88,25 @@ func (r *InstanceRepositoryMock) Delete(ctx context.Context, id string) error {
 func (r *InstanceRepositoryMock) ListByCluster(ctx context.Context, clusterID string) ([]*entity.Instance, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	instances := make([]*entity.Instance, 0)
 	for _, instance := range r.instances {
 		if instance.ClusterID == clusterID {
 			instances = append(instances, instance)
 		}
 	}
-	
+
 	return instances, nil
 }
 
 func (r *InstanceRepositoryMock) List(ctx context.Context) ([]*entity.Instance, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	instances := make([]*entity.Instance, 0, len(r.instances))
 	for _, instance := range r.instances {
 		instances = append(instances, instance)
 	}
-	
+
 	return instances, nil
 }
-

backend/internal/adapter/output/persistence/mock/registry_repository_mock.go

@@ -3,7 +3,7 @@ package mock
 import (
 	"context"
 	"sync"
-	
+
 	"github.com/ocdp/cluster-service/internal/domain/entity"
 	"github.com/ocdp/cluster-service/internal/domain/repository"
 	"github.com/ocdp/cluster-service/internal/pkg/crypto"
@@ -27,14 +27,14 @@ func NewRegistryRepositoryMock(encryptor crypto.Encryptor) repository.RegistryRe
 func (r *RegistryRepositoryMock) Create(ctx context.Context, registry *entity.Registry) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	// 检查名称是否已存在
 	for _, reg := range r.registries {
 		if reg.Name == registry.Name {
 			return entity.ErrRegistryExists
 		}
 	}
-	
+
 	// 加密敏感数据后存储
 	encryptedRegistry := r.encryptRegistry(registry)
 	r.registries[registry.ID] = encryptedRegistry
@@ -44,12 +44,12 @@ func (r *RegistryRepositoryMock) Create(ctx context.Context, registry *entity.Re
 func (r *RegistryRepositoryMock) GetByID(ctx context.Context, id string) (*entity.Registry, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	registry, exists := r.registries[id]
 	if !exists {
 		return nil, entity.ErrRegistryNotFound
 	}
-	
+
 	// 解密敏感数据后返回
 	return r.decryptRegistry(registry), nil
 }
@@ -57,25 +57,25 @@ func (r *RegistryRepositoryMock) GetByID(ctx context.Context, id string) (*entit
 func (r *RegistryRepositoryMock) GetByName(ctx context.Context, name string) (*entity.Registry, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	for _, registry := range r.registries {
 		if registry.Name == name {
 			// 解密敏感数据后返回
 			return r.decryptRegistry(registry), nil
 		}
 	}
-	
+
 	return nil, entity.ErrRegistryNotFound
 }
 
 func (r *RegistryRepositoryMock) Update(ctx context.Context, registry *entity.Registry) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	if _, exists := r.registries[registry.ID]; !exists {
 		return entity.ErrRegistryNotFound
 	}
-	
+
 	// 加密敏感数据后存储
 	encryptedRegistry := r.encryptRegistry(registry)
 	r.registries[registry.ID] = encryptedRegistry
@@ -85,11 +85,11 @@ func (r *RegistryRepositoryMock) Update(ctx context.Context, registry *entity.Re
 func (r *RegistryRepositoryMock) Delete(ctx context.Context, id string) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	if _, exists := r.registries[id]; !exists {
 		return entity.ErrRegistryNotFound
 	}
-	
+
 	delete(r.registries, id)
 	return nil
 }
@@ -97,41 +97,40 @@ func (r *RegistryRepositoryMock) Delete(ctx context.Context, id string) error {
 func (r *RegistryRepositoryMock) List(ctx context.Context) ([]*entity.Registry, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	registries := make([]*entity.Registry, 0, len(r.registries))
 	for _, registry := range r.registries {
 		// 解密敏感数据后返回
 		registries = append(registries, r.decryptRegistry(registry))
 	}
-	
+
 	return registries, nil
 }
 
 // encryptRegistry 加密 Registry 的敏感数据
 func (r *RegistryRepositoryMock) encryptRegistry(registry *entity.Registry) *entity.Registry {
 	encrypted := *registry // 复制
-	
+
 	// 加密密码
 	if registry.Password != "" && !crypto.IsEncrypted(registry.Password) {
 		if encryptedPassword, err := r.encryptor.Encrypt(registry.Password); err == nil {
 			encrypted.Password = encryptedPassword
 		}
 	}
-	
+
 	return &encrypted
 }
 
 // decryptRegistry 解密 Registry 的敏感数据
 func (r *RegistryRepositoryMock) decryptRegistry(registry *entity.Registry) *entity.Registry {
 	decrypted := *registry // 复制
-	
+
 	// 解密密码
 	if registry.Password != "" && crypto.IsEncrypted(registry.Password) {
 		if decryptedPassword, err := r.encryptor.Decrypt(registry.Password); err == nil {
 			decrypted.Password = decryptedPassword
 		}
 	}
-	
+
 	return &decrypted
 }
-

backend/internal/adapter/output/persistence/mock/user_repository_mock.go

@@ -3,7 +3,7 @@ package mock
 import (
 	"context"
 	"sync"
-	
+
 	"github.com/ocdp/cluster-service/internal/domain/entity"
 	"github.com/ocdp/cluster-service/internal/domain/repository"
 )
@@ -24,14 +24,14 @@ func NewUserRepositoryMock() repository.UserRepository {
 func (r *UserRepositoryMock) Create(ctx context.Context, user *entity.User) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	// 检查是否已存在
 	for _, u := range r.users {
 		if u.Username == user.Username {
 			return entity.ErrUserExists
 		}
 	}
-	
+
 	r.users[user.ID] = user
 	return nil
 }
@@ -39,36 +39,36 @@ func (r *UserRepositoryMock) Create(ctx context.Context, user *entity.User) erro
 func (r *UserRepositoryMock) GetByID(ctx context.Context, id string) (*entity.User, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	user, exists := r.users[id]
 	if !exists {
 		return nil, entity.ErrUserNotFound
 	}
-	
+
 	return user, nil
 }
 
 func (r *UserRepositoryMock) GetByUsername(ctx context.Context, username string) (*entity.User, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	for _, user := range r.users {
 		if user.Username == username {
 			return user, nil
 		}
 	}
-	
+
 	return nil, entity.ErrUserNotFound
 }
 
 func (r *UserRepositoryMock) Update(ctx context.Context, user *entity.User) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	if _, exists := r.users[user.ID]; !exists {
 		return entity.ErrUserNotFound
 	}
-	
+
 	r.users[user.ID] = user
 	return nil
 }
@@ -76,11 +76,11 @@ func (r *UserRepositoryMock) Update(ctx context.Context, user *entity.User) erro
 func (r *UserRepositoryMock) Delete(ctx context.Context, id string) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	
+
 	if _, exists := r.users[id]; !exists {
 		return entity.ErrUserNotFound
 	}
-	
+
 	delete(r.users, id)
 	return nil
 }
@@ -88,12 +88,11 @@ func (r *UserRepositoryMock) Delete(ctx context.Context, id string) error {
 func (r *UserRepositoryMock) List(ctx context.Context) ([]*entity.User, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
-	
+
 	users := make([]*entity.User, 0, len(r.users))
 	for _, user := range r.users {
 		users = append(users, user)
 	}
-	
+
 	return users, nil
 }
-

backend/internal/adapter/output/persistence/mock/workspace_repository_mock.go

@@ -0,0 +1,162 @@
+package mock
+
+import (
+	"context"
+	"sync"
+
+	"github.com/google/uuid"
+	"github.com/ocdp/cluster-service/internal/domain/entity"
+	"github.com/ocdp/cluster-service/internal/domain/repository"
+)
+
+type WorkspaceRepositoryMock struct {
+	mu         sync.RWMutex
+	workspaces map[string]*entity.Workspace
+}
+
+func NewWorkspaceRepositoryMock() repository.WorkspaceRepository {
+	repo := &WorkspaceRepositoryMock{workspaces: make(map[string]*entity.Workspace)}
+	defaultWorkspace := entity.NewWorkspace(entity.DefaultWorkspaceName, "")
+	defaultWorkspace.ID = entity.DefaultWorkspaceID
+	repo.workspaces[defaultWorkspace.ID] = defaultWorkspace
+	return repo
+}
+
+func (r *WorkspaceRepositoryMock) Create(ctx context.Context, workspace *entity.Workspace) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if workspace.ID == "" {
+		workspace.ID = uuid.New().String()
+	}
+	for _, existing := range r.workspaces {
+		if existing.Name == workspace.Name {
+			return entity.ErrWorkspaceExists
+		}
+	}
+	copy := *workspace
+	r.workspaces[workspace.ID] = &copy
+	return nil
+}
+
+func (r *WorkspaceRepositoryMock) GetByID(ctx context.Context, id string) (*entity.Workspace, error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	workspace, ok := r.workspaces[id]
+	if !ok {
+		return nil, entity.ErrWorkspaceNotFound
+	}
+	copy := *workspace
+	return &copy, nil
+}
+
+func (r *WorkspaceRepositoryMock) GetByName(ctx context.Context, name string) (*entity.Workspace, error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	for _, workspace := range r.workspaces {
+		if workspace.Name == name {
+			copy := *workspace
+			return &copy, nil
+		}
+	}
+	return nil, entity.ErrWorkspaceNotFound
+}
+
+func (r *WorkspaceRepositoryMock) Update(ctx context.Context, workspace *entity.Workspace) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if _, ok := r.workspaces[workspace.ID]; !ok {
+		return entity.ErrWorkspaceNotFound
+	}
+	copy := *workspace
+	r.workspaces[workspace.ID] = &copy
+	return nil
+}
+
+func (r *WorkspaceRepositoryMock) List(ctx context.Context) ([]*entity.Workspace, error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	result := make([]*entity.Workspace, 0, len(r.workspaces))
+	for _, workspace := range r.workspaces {
+		copy := *workspace
+		result = append(result, &copy)
+	}
+	return result, nil
+}
+
+type WorkspaceClusterBindingRepositoryMock struct {
+	mu       sync.RWMutex
+	bindings map[string]*entity.WorkspaceClusterBinding
+}
+
+func NewWorkspaceClusterBindingRepositoryMock() repository.WorkspaceClusterBindingRepository {
+	return &WorkspaceClusterBindingRepositoryMock{bindings: make(map[string]*entity.WorkspaceClusterBinding)}
+}
+
+func bindingKey(workspaceID, clusterID string) string {
+	return workspaceID + "/" + clusterID
+}
+
+func (r *WorkspaceClusterBindingRepositoryMock) Upsert(ctx context.Context, binding *entity.WorkspaceClusterBinding) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if binding.ID == "" {
+		binding.ID = uuid.New().String()
+	}
+	copy := *binding
+	r.bindings[bindingKey(binding.WorkspaceID, binding.ClusterID)] = &copy
+	return nil
+}
+
+func (r *WorkspaceClusterBindingRepositoryMock) Get(ctx context.Context, workspaceID, clusterID string) (*entity.WorkspaceClusterBinding, error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	binding, ok := r.bindings[bindingKey(workspaceID, clusterID)]
+	if !ok {
+		return nil, entity.ErrWorkspaceNotFound
+	}
+	copy := *binding
+	return &copy, nil
+}
+
+func (r *WorkspaceClusterBindingRepositoryMock) Delete(ctx context.Context, workspaceID, clusterID string) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	delete(r.bindings, bindingKey(workspaceID, clusterID))
+	return nil
+}
+
+type AuditLogRepositoryMock struct {
+	mu   sync.RWMutex
+	logs []*entity.AuditLog
+}
+
+func NewAuditLogRepositoryMock() repository.AuditLogRepository {
+	return &AuditLogRepositoryMock{logs: make([]*entity.AuditLog, 0)}
+}
+
+func (r *AuditLogRepositoryMock) Create(ctx context.Context, logEntry *entity.AuditLog) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if logEntry.ID == "" {
+		logEntry.ID = uuid.New().String()
+	}
+	copy := *logEntry
+	r.logs = append(r.logs, &copy)
+	return nil
+}
+
+func (r *AuditLogRepositoryMock) ListByWorkspace(ctx context.Context, workspaceID string, limit int) ([]*entity.AuditLog, error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	result := make([]*entity.AuditLog, 0)
+	for i := len(r.logs) - 1; i >= 0; i-- {
+		if r.logs[i].WorkspaceID == workspaceID {
+			copy := *r.logs[i]
+			result = append(result, &copy)
+			if limit > 0 && len(result) >= limit {
+				break
+			}
+		}
+	}
+	return result, nil
+}