feat(agent): scaffold + proxmox interaction layer (slice 1)

Stand up the felhom-agent project (module gitea.dooplex.hu/admin/felhom-agent,
binary felhom-agent) and the internal/proxmox package: the typed library every
other agent module calls to talk to Proxmox.

- API-first Client (hand-rolled REST over net/http, PVEAPIToken auth) with typed
  read ops (version/nodes/status/lxc/config/storage) and async mutating ops
  (restore/vzdump/snapshot/rollback/delete-snapshot/setconfig/start/stop), each
  returning a UPID. WaitTask polls task status until stopped and asserts
  exitstatus OK (authz can surface at task exec, not the POST — phase1-2 §1.3).
- Fenced Privileged (root-CLI) backend for the THREE proven exceptions only
  (keyctl pct create, USB mount/fstab, SMART/sensors); each cites why it can't be
  the API. Fence is structural (Client never shells out, Privileged never HTTPs)
  and asserted in routing_test.go.
- TLS: SHA-256 leaf-cert pinning or CA file; insecure mode explicit + off by
  default. No blanket verification disable.
- 403 -> privilege-named APIError; failed task -> privilege-named TaskError.
- JSON config + env overrides (token never logged); slog logging.
- cmd/felhom-agent --selftest (read-only health report) + gated --selftest=task
  (reversible snapshot/rollback/delete exercise of WaitTask). No daemon loop yet.
- Types grounded in the spike findings and exact JSON shapes captured live from
  demo-felhom (PVE 9.2.2). Unit tests use a mock transport + runner.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

internal/proxmox/upid_test.go

@@ -0,0 +1,59 @@
+package proxmox
+
+import "testing"
+
+func TestParseUPID(t *testing.T) {
+	// Captured live from demo-felhom.
+	const raw = "UPID:demo-felhom:00026454:004E3431:6A265E53:vzdestroy:9021:root@pam:"
+	u, err := ParseUPID(raw)
+	if err != nil {
+		t.Fatalf("ParseUPID: %v", err)
+	}
+	if u.Node != "demo-felhom" {
+		t.Errorf("node = %q", u.Node)
+	}
+	if u.Worker != "vzdestroy" {
+		t.Errorf("worker = %q", u.Worker)
+	}
+	if u.ID != "9021" {
+		t.Errorf("id = %q", u.ID)
+	}
+	if u.User != "root@pam" {
+		t.Errorf("user = %q", u.User)
+	}
+	if u.PID != 0x00026454 {
+		t.Errorf("pid = %#x, want 0x26454", u.PID)
+	}
+	if u.StartTime != 0x6A265E53 {
+		t.Errorf("starttime = %#x", u.StartTime)
+	}
+	if u.String() != raw {
+		t.Errorf("String() round-trip = %q", u.String())
+	}
+}
+
+func TestParseUPID_PrivsepTokenUser(t *testing.T) {
+	// The user field can contain '@' and '!' (a privsep token) but never ':'.
+	const raw = "UPID:demo-felhom:00001234:00005678:6A265E53:vzdump:9001:felhom-agent@pve!agent:"
+	u, err := ParseUPID(raw)
+	if err != nil {
+		t.Fatalf("ParseUPID: %v", err)
+	}
+	if u.User != "felhom-agent@pve!agent" {
+		t.Errorf("user = %q", u.User)
+	}
+}
+
+func TestParseUPID_Invalid(t *testing.T) {
+	cases := []string{
+		"",
+		"not-a-upid",
+		"UPID:node:nothex:00:00:t:1:u:", // bad pid hex
+		"UPID:node:00:00",               // too few fields
+	}
+	for _, c := range cases {
+		if _, err := ParseUPID(c); err == nil {
+			t.Errorf("ParseUPID(%q) = nil error, want error", c)
+		}
+	}
+}