feat ✨: Add task to ensure nag patch state directory exists and manage checksums for legacy and minified proxmoxlib.js files

This commit introduces a new feature that ensures the existence of a nag patch state directory. It also reads and stores checksums for both legacy and minified proxmoxlib.js files, applying patches only when necessary.

No blind replaces
No silent failures
Upgrade-safe
Self-healing
Predictable failure mode

tasks/subscription.yml

@@ -1,7 +1,26 @@
 ---
+- name: subscription | Ensure nag patch state directory exists
+  ansible.builtin.file:
+    path: /var/lib/proxmox-nag-patch
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+############################
+# Legacy proxmoxlib.js
+############################
+- name: subscription | Read stored checksum (legacy)
+  slurp:
+    src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
+  register: proxmoxlib_js_checksum_stored
+  when: proxmoxlib_js.stat.exists
+  failed_when: false
+
 - name: subscription | Check for legacy proxmoxlib.js
   ansible.builtin.stat:
     path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+    checksum_algorithm: sha256
   register: proxmoxlib_js
 
 - name: subscription | Remove subscription nag (legacy proxmoxlib.js)
@@ -9,26 +28,68 @@
     path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
     regexp: "if \\(data.status !== 'Active'\\)"
     replace: "if (false)"
-  when: proxmoxlib_js.stat.exists
+  when: 
+    - proxmoxlib_js.stat.exists
+    - proxmoxlib_js_checksum_stored.content is not defined
+      or (proxmoxlib_js.stat.checksum
+        != (proxmoxlib_js_checksum_stored.content | b64decode | trim))
   register: patch_legacy
   failed_when:
     - proxmoxlib_js.stat.exists
     - patch_legacy.matched == 0
   notify: restart pveproxy
 
+- name: subscription | Store patched checksum (legacy)
+  ansible.builtin.copy:
+    dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
+    owner: root
+    group: root
+    mode: "0644"
+    content: "{{ proxmoxlib_js.stat.checksum }}\n"
+  when:
+    - proxmoxlib_js.stat.exists
+    - patch_legacy is changed
+
+############################
+# Minified proxmoxlib.min.js (VE 8/9)
+############################
+
 - name: subscription | Check for minified proxmoxlib.min.js (VE 8/9)
   ansible.builtin.stat:
     path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
+    checksum_algorithm: sha256
   register: proxmoxlib_min_js
 
+- name: subscription | Read stored checksum (minified)
+  ansible.builtin.slurp:
+    src: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256
+  register: proxmoxlib_min_checksum_stored
+  when: proxmoxlib_min_js.stat.exists
+  failed_when: false
+
 - name: subscription | Remove subscription nag (minified bundle for VE 8/9)
   ansible.builtin.replace:
     path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
     regexp: "data.status!=='Active'"
     replace: "false"
-  when: proxmoxlib_min_js.stat.exists
+  when: 
+    - proxmoxlib_min_js.stat.exists
+    - proxmoxlib_min_checksum_stored.content is not defined
+      or (proxmoxlib_min_js.stat.checksum
+        != (proxmoxlib_min_checksum_stored.content | b64decode | trim))
   register: patch_minified
   failed_when:
     - proxmoxlib_min_js.stat.exists
     - patch_minified.matched == 0
   notify: restart pveproxy
+
+- name: subscription | Store patched checksum (minified)
+  ansible.builtin.copy:
+    dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256
+    owner: root
+    group: root
+    mode: "0644"
+    content: "{{ proxmoxlib_min_js.stat.checksum }}\n"
+  when:
+    - proxmoxlib_min_js.stat.exists
+    - patch_minified is changed