Separates nonprod into its own working directory for independent state isolation. Follows HashiCorp guidance on environment separation.
Prefer API token over username/password — scoped to least-privilege TerraformRole, reduces blast radius if credentials leak.
Adds provider config, variables, and an example tfvars file using the bpg/proxmox provider. No resources are managed yet — existing Proxmox setup is untouched.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
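The token-over-password choice described in these commit messages, sketched as an added example for a nonprod working directory; this is not the repository's own code. The variable names, the `terraform@pve!nonprod` token ID and the commented-out `root@pam` login are constructed for illustration, and only the `TerraformRole` name comes from the commit message.

```hcl
# nonprod/providers.tf (illustrative file name, an assumption)
terraform {
  required_providers {
    proxmox = {
      source = "bpg/proxmox"
    }
  }
}

variable "proxmox_endpoint" {
  description = "Proxmox API URL for the nonprod environment."
  type        = string
}

variable "proxmox_api_token" {
  description = "API token in USER@REALM!TOKENID=SECRET form, bound to TerraformRole."
  type        = string
  sensitive   = true # keeps the value out of plan/apply output

  # Reject values that are not shaped like a token (for example a pasted
  # account password) before any API call is made.
  validation {
    condition     = can(regex("^[^@!]+@[^@!]+![^=]+=[0-9a-fA-F-]{36}$", var.proxmox_api_token))
    error_message = "Expected USER@REALM!TOKENID=UUID, e.g. terraform@pve!nonprod=<uuid>."
  }
}

# Weaker form the commit avoids: a full account login, whose leak exposes
# everything that account can do (constructed values).
# provider "proxmox" {
#   endpoint = var.proxmox_endpoint
#   username = "root@pam"
#   password = var.proxmox_password
# }

# Preferred form: a token limited to the privileges granted to TerraformRole.
provider "proxmox" {
  endpoint  = var.proxmox_endpoint
  api_token = var.proxmox_api_token
}
```

Supply the token through the `TF_VAR_proxmox_api_token` environment variable or an untracked tfvars file, so the committed example tfvars file carries only a placeholder.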