import { Agent } from 'undici';

// PVE uses a self-signed cert on the LAN; opt into skipping verification with
// PROXMOX_INSECURE_TLS=1 (homelab). Cached dispatcher; tests inject fetchImpl.
let insecure;
function tlsDispatcher() {
  if (process.env.PROXMOX_INSECURE_TLS !== '1') return undefined;
  insecure ??= new Agent({ connect: { rejectUnauthorized: false } });
  return insecure;
}

// Proxmox guest power via a SCOPED PVEAPIToken (VM.PowerMgmt on whitelisted guests
// only). PVE enforces permissions server-side; this adapter never builds shell commands.
export async function powerGuest({ node, vmid, op, kindPath = 'lxc' }, {
  apiUrl = process.env.PROXMOX_API_URL,
  token = process.env.PROXMOX_API_TOKEN,
  fetchImpl = fetch
} = {}) {
  const url = `${apiUrl}/api2/json/nodes/${node}/${kindPath}/${vmid}/status/${op}`;
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { Authorization: `PVEAPIToken=${token}` },
    dispatcher: tlsDispatcher()
  });
  if (!res.ok) throw new Error(`proxmox ${op} ${vmid} → ${res.status} ${await res.text?.() ?? ''}`);
  const body = await res.json();
  return { ok: true, upid: body?.data ?? null };
}