// Allow members of the `wheel` group to manage libvirt (start/stop VMs,
// edit domains, attach devices) without a polkit password prompt.
// This single-user system already trusts wheel for administrative work
// via sudo-rs; libvirt's polkit gate is a separate path that does not
// honour sudoers, so a polkit rule is the idiomatic fix.
polkit.addRule(function (action, subject) {
  if (
    action.id == "org.libvirt.unix.manage" &&
    subject.isInGroup("wheel")
  ) {
    return polkit.Result.YES;
  }
});