docs: features set in Terraform (token can); only bind mounts via console

Correct README/plan/spec after the apply-failure root cause: nesting/keyctl
are settable by the API token on an unprivileged CT and are required at create
to avoid the systemd-252 TASK WARNINGS that fails apply. Console step reduced
to bind mounts only. README apply uses -target (PBS disk drift).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md

@@ -48,7 +48,7 @@ and generated files on the host's large disks via direct bind mounts.
 | Decision | Choice | Rationale |
 |---|---|---|
 | Deployment form | **Docker LXC (unprivileged)** | Matches homelab convention (multiple docker LXCs: 101/104/119/124); low overhead; official image + clean upgrades; Hermes needs no privileged mode. |
-| Provisioning | **Terraform (container only) + console for bind mounts** | TF mirrors `pbs.tf` for the container. **Bind mounts cannot be created via API token** (Proxmox restricts them to `root@pam`/SSH), so `mp0/mp1` are added via console `pct set` — same method already used for jellyfin(115)/tos-api(700). `terraform import` of the mounts is a follow-up. |
+| Provisioning | **Terraform (container incl. features) + console for bind mounts** | TF mirrors `pbs.tf` and also sets `features { nesting/keyctl }` (token CAN do this on an unprivileged CT; nesting at create time avoids the systemd-252 "enable nesting" warning that fails the apply). **Only bind mounts** can't be done by the token (host paths require `root@pam`), so `mp0/mp1` are added via console `pct set` — same method already used for jellyfin(115)/tos-api(700). `terraform import` of the mounts is a follow-up. |
 | Primary interface | **Messaging connectors** | Outbound-only → **zero inbound ports exposed.** |
 | Subagent sandbox | **local** | Avoids Docker-in-Docker friction in an unprivileged LXC; revisit later if isolation needed. |
 | Large workspace | **Direct host bind mount (both disks)** | Aligns with the user's **Plan A** (same-host LXC → host bind mount, not nfs LXC re-share). No network hop, no nfs-LXC SPOF. See `nfs-lxc-sharing-redesign` memory. |
@@ -79,7 +79,7 @@ and generated files on the host's large disks via direct bind mounts.
 | VMID | `118` (adjacent to litellm `117`, AI group) |
 | Node | `gihyeon` |
 | Type | unprivileged LXC, Debian 12 |
-| Features | `nesting = 1`, `keyctl = 1` (required for Docker) — **set via console `pct set`**, not TF (API token can't set host-security features) |
+| Features | `nesting = 1`, `keyctl = 1` (required for Docker) — **set in Terraform** (token can set these on an unprivileged CT; nesting at create avoids the systemd-252 warning that fails the apply) |
 | CPU / RAM | 2 cores / 4096 MB dedicated (+512 MB swap) |
 | rootfs | 24 GB on `local-lvm` |
 | Network | `eth0` on bridge `intra01`, IPv4 DHCP |
@@ -132,14 +132,13 @@ subtree is remapped** (isolation preserved), not the whole disk.
    mkdir -p /mnt/pve/hdd/hermes /media/2tb/hermes
    chown 100000:100000 /mnt/pve/hdd/hermes /media/2tb/hermes
    ```
-2. **Terraform apply** (from workstation): creates LXC #118 token-safe skeleton
-   (rootfs, network, cpu/mem, unprivileged, onboot). **No features, no bind mounts**
-   (API-token can't set host-security settings).
-3. **Apply features + bind mounts** (node1 console, once): use `pct set`:
+2. **Terraform apply** (from workstation, `-target` hermes only): creates LXC #118
+   with rootfs, network, cpu/mem, unprivileged, onboot, **and `features { nesting/keyctl }`**.
+   No bind mounts (host paths need root@pam). `-target` avoids the pre-existing PBS disk drift.
+3. **Add bind mounts** (node1 console, once): use `pct set` (mounts only — features already in TF):
    ```sh
-   pct set 118 -features nesting=1,keyctl=1 \
-     -mp0 /mnt/pve/hdd/hermes,mp=/data \
-     -mp1 /media/2tb/hermes,mp=/fast
+   pct set 118 -mp0 /mnt/pve/hdd/hermes,mp=/data \
+               -mp1 /media/2tb/hermes,mp=/fast
    pct reboot 118
    ```
 4. **Container bootstrap** (LXC console, once): `scripts/hermes-bootstrap.sh` —