// Proxmox guest power via a SCOPED PVEAPIToken (VM.PowerMgmt on whitelisted guests
// only). PVE enforces permissions server-side; this adapter never builds shell commands.
export async function powerGuest({ node, vmid, op, kindPath = 'lxc' }, {
  apiUrl = process.env.PROXMOX_API_URL,
  token = process.env.PROXMOX_API_TOKEN,
  fetchImpl = fetch
} = {}) {
  const url = `${apiUrl}/api2/json/nodes/${node}/${kindPath}/${vmid}/status/${op}`;
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { Authorization: `PVEAPIToken=${token}` }
  });
  if (!res.ok) throw new Error(`proxmox ${op} ${vmid} → ${res.status} ${await res.text?.() ?? ''}`);
  const body = await res.json();
  return { ok: true, upid: body?.data ?? null };
}