refactor: full-stack restructure with multi-tenancy, workspace management, and K8s diagnostics

- Add Workspace domain (entity, repository, service, handler, DTO)
- Add multi-tenant K8s client with tenant binding and quota management
- Add K8s diagnostics client (instance diagnostics)
- Add authorization middleware (authz package)
- Restructure frontend to feature-based architecture (features/)
- Add User Management page in configuration
- Add AccessDenied page and route guards
- Refactor shared components (form inputs, layout, UI)
- Update Tailwind config for new design system
- Add comprehensive documentation (docs/, tasks/, plans)
- Improve cluster service with better kubeconfig handling
- Add tests for crypto, config, helm client, tenant binding

backend/internal/domain/entity/tenant_binding_test.go

@@ -0,0 +1,38 @@
+package entity
+
+import (
+	"testing"
+	"time"
+)
+
+func TestTenantTokenTTLCapsAtTwoHours(t *testing.T) {
+	testCases := []struct {
+		name      string
+		requested time.Duration
+		want      time.Duration
+	}{
+		{name: "uses default for zero", requested: 0, want: MaxTenantKubeconfigTTL},
+		{name: "keeps shorter ttl", requested: 30 * time.Minute, want: 30 * time.Minute},
+		{name: "caps longer ttl", requested: 24 * time.Hour, want: MaxTenantKubeconfigTTL},
+	}
+
+	for _, tc := range testCases {
+		if got := TenantTokenTTL(tc.requested); got != tc.want {
+			t.Fatalf("%s: expected %s, got %s", tc.name, tc.want, got)
+		}
+	}
+}
+
+func TestTenantBindingWithDefaults(t *testing.T) {
+	binding := NewTenantBinding("tenant-a").WithDefaults()
+
+	if err := binding.Validate(); err != nil {
+		t.Fatalf("expected valid default binding: %v", err)
+	}
+	if binding.ServiceAccountName != DefaultTenantServiceAccountName {
+		t.Fatalf("expected default service account %q, got %q", DefaultTenantServiceAccountName, binding.ServiceAccountName)
+	}
+	if binding.Labels["ocdp.io/tenant"] != "tenant-a" {
+		t.Fatalf("expected tenant label, got %#v", binding.Labels)
+	}
+}