docs: add host controls decision (keep delete failsafe, add LXC controls)

SCRATCH/2026-02-07_host-controls-and-delete-failsafe.md

@@ -0,0 +1,58 @@
+# 2026-02-07 — Host controls + delete failsafe
+
+## Problem
+
+- The frontend gained a **Delete Server** button with confirmation.
+- Backend has a **failsafe**: do not allow deleting a container unless the host (LXC) is stopped.
+- At the time, the portal only had "server" controls (game server process), not host controls (LXC start/stop).
+
+## Decision
+
+✅ Keep the failsafe.
+
+Instead of removing safety checks, add **Host Controls** to the UI and wire them to the API:
+- Start Host
+- Stop Host
+- Restart Host
+
+This keeps the deletion gate meaningful, and also gives users a way to stop compute spend / idle containers.
+
+## UX wording
+
+Avoid saying "container" in the user-facing UI if possible.
+
+Use:
+- "Host Controls" or "Server Host"
+- "Start Host / Stop Host / Restart Host"
+
+(Internally it is Proxmox LXC lifecycle, but the UI doesn't need to expose that.)
+
+## Backend wiring (high-level)
+
+Routes in `servers.js`:
+
+- `POST /servers/:id/host/start`
+- `POST /servers/:id/host/stop`
+- `POST /servers/:id/host/restart`
+
+Implementation calls `proxmoxClient.startContainer(vmid)`, `stopContainer(...)` or `shutdownContainer(...)`.
+
+## Delete gate
+
+Delete endpoint should enforce something like:
+
+- refuse delete if host is still running
+- or auto-stop then delete (only if you explicitly want that behavior)
+
+Current stance:
+- keep it strict to avoid accidental data loss.
+- make the user stop the host first, then delete.
+
+## Testing checklist
+
+- Start Host → LXC goes running
+- Stop Host → LXC shuts down
+- Restart Host → stop then start
+- Delete Server:
+  - while running → denied (expected)
+  - after stop → allowed (expected)