Correct README/plan/spec after the apply-failure root cause: nesting/keyctl
are settable by the API token on an unprivileged CT and are required at create
to avoid the systemd-252 TASK WARNINGS that fail apply. Console step reduced
to bind mounts only. README apply uses -target (PBS disk drift).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Adds hermes.tf / hermes-variables.tf / scripts/hermes-bootstrap.sh
rows to the structure table, and appends a Hermes Agent section with
the 4-step deploy sequence (host prep → terraform apply → pct set
bind mounts → in-container bootstrap). Notes that mp0/mp1 are outside
TF state and need a future terraform import.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>