Add bulk workload restart and scale actions

[nadaverell]

Summary

Adds workload-aware bulk actions to the Resources table bulk-select mode.

• Restart is available for Deployments, StatefulSets, DaemonSets, and Argo Rollouts when /api/capabilities says the user can patch that workload kind.
• Scale is available for Deployments and StatefulSets when the user can patch that workload kind.
• Single-namespace views use namespace-scoped capability checks, including authenticated-user SARs, so users without patch permission there do not see these bulk write buttons.
• Explicit multi-namespace views aggregate namespace-scoped checks and show a bulk write button only when every selected namespace grants patch for that workload kind.
• All-namespace views require cluster-wide workload patch permission; backend endpoints still enforce per-object RBAC and report partial failures.
• Existing bulk delete remains unchanged.

Bulk scale uses the existing workload scale endpoint, supports setting replicas to zero, and warns that autoscalers may override the requested replica count. Fixes #902.

Validation

• go test ./internal/k8s ./internal/server
• npm --workspace @skyhook-io/k8s-ui run tsc
• npm --workspace @skyhook-io/radar-app run tsc
• npm --workspace @skyhook-io/k8s-ui test
• git diff --check
• ./scripts/visual-test-start.sh
• Visual test screenshots:
  • .playwright-mcp/visual-test/20260613-022402/deployments-bulk-actions-1920.png
  • .playwright-mcp/visual-test/20260613-022402/deployments-bulk-restart-confirm.png
  • .playwright-mcp/visual-test/20260613-022402/deployments-bulk-scale-dialog.png
  • .playwright-mcp/visual-test/20260613-022402/deployments-bulk-scale-zero-dialog.png
  • .playwright-mcp/visual-test/20260613-022402/deployments-bulk-actions-1280.png
  • .playwright-mcp/visual-test/20260613-022402/rollouts-bulk-restart-no-scale.png

---

Note

Medium Risk
Introduces cluster mutation paths (bulk restart/scale) gated by UI capabilities but still relying on per-request RBAC on workload endpoints; capability logic changes (always-on namespace checks, new patch probes) can change which actions users see.

Overview
Extends capabilities with workloadWrites (patch permission per Deployment, DaemonSet, StatefulSet, and Argo Rollout). Global checks pass API group into SAR; workload patch probes do not use the kubeconfig namespace fallback. Namespace capability re-checks always run for ?namespace= (not only when exec/logs were denied) and merge exec, logs, port-forward, and workloadWrites; authenticated requests use per-user namespace SAR via CheckNamespaceCapabilitiesForUser.

The Resources bulk-select bar gains Restart (deployments, statefulsets, daemonsets, rollouts) and Scale (deployments, statefulsets), with confirm dialogs and a shared replica picker (including scale-to-zero). The web app wires useBulkRestartWorkloads / useBulkScaleWorkloads to existing POST /workloads/.../restart and .../scale endpoints, shows actions only when capabilities allow, and for multi-namespace filters intersects patch permission across namespaces. Types, default/restricted capability stubs, and a smoke test assert the new workloadWrites wire shape.

^{Reviewed by Cursor Bugbot for commit 75d5d47. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 3866d4f. Configure here.}