diff --git a/hermes.tf b/hermes.tf
index 437e432..69bc171 100644
--- a/hermes.tf
+++ b/hermes.tf
@@ -6,11 +6,14 @@ resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon"
 url = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
 }
 
-# Hermes Agent LXC — token-safe skeleton.
-# IMPORTANT: container `features` (nesting/keyctl) and bind mounts are NOT set
-# here. The Proxmox API token cannot set host-security settings; they are applied
-# once via the PVE web console with `pct set` (see scripts/hermes-bootstrap.sh
-# and docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md).
+# Hermes Agent LXC.
+# `features` (nesting/keyctl) ARE set here: on an unprivileged container these need
+# only VM.Allocate, which the API token has, so Terraform can set them. nesting is
+# also required so the systemd-252 (Debian 12) create does not emit the "enable
+# nesting" warning that Proxmox returns as TASK WARNINGS (which fails the apply).
+# Bind mounts (mp0/mp1, host paths) genuinely DO require root@pam, so those are still
+# added via the PVE web console with `pct set` (see scripts/hermes-bootstrap.sh and
+# docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md).
 resource "proxmox_virtual_environment_container" "hermes" {
 description = "Hermes Agent (Nous Research) - Managed by Terraform"
 node_name = var.hermes_node
@@ -19,6 +22,11 @@ resource "proxmox_virtual_environment_container" "hermes" {
 unprivileged = true
 tags = ["ai", "agent", "terraform"]
 
+ features {
+ nesting = true
+ keyctl = true
+ }
+
 operating_system {
 template_file_id = proxmox_virtual_environment_download_file.debian12_template_gihyeon.id
 type = "debian"
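Review bot: The rewritten header comment justifies `nesting` only by the API-token permission model and the systemd create warning, and drops the old "host-security settings" framing without saying what the trade-off is; Proxmox's own documentation describes nesting as exposing host procfs/sysfs contents to the guest, so the comment should record that the setting was accepted knowingly. I would add one sentence after the nesting paragraph, e.g. `# NOTE: nesting widens the guest's view of host procfs/sysfs; acceptable only because the container stays unprivileged with the default id mapping.` The claim that TASK WARNINGS fail the apply reads as observed behaviour of this provider version; if that is an inference, hedge it or cite the provider issue. Separately, the unchanged context line above fetches the template over plain `http://` with no integrity check; if the provider version in use supports a checksum argument on `proxmox_virtual_environment_download_file`, pinning the published checksum there would close that gap.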
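Review bot: `keyctl = true` in the new `features` block is not covered by the rationale given for the block — the header comment argues only that `nesting` is needed to avoid the systemd create warning — so a reader cannot tell whether keyctl is required or was enabled alongside by habit. Either drop it until a concrete need appears, or annotate it with the reason, e.g. `keyctl = true # needed for systemd-networkd in unprivileged CTs, which otherwise treats denied keyctl() calls as fatal`. Both flags sit in the unprivileged container (`unprivileged = true` is visible two lines above), which is the only configuration in which these features are safe to set via a VM.Allocate-only token; a comment on the block stating that dependency would make a later change to `unprivileged` easier to catch in review. The enclosing `proxmox_virtual_environment_container.hermes` resource continues past the end of this hunk.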