Correct README/plan/spec after the apply-failure root cause: nesting/keyctl
are settable by the API token on an unprivileged CT and are required at create
to avoid the systemd-252 TASK WARNINGS that fails apply. Console step reduced
to bind mounts only. README apply uses -target (PBS disk drift).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
terraform plan revealed proxmox_virtual_environment_container.pbs has disk
drift (live 48G vs code 16G). A blanket apply would shrink it, so the hermes
apply must be -targeted. Recorded in the plan.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Plan: 10 tasks splitting workstation Terraform (token-safe container skeleton)
from PVE-console host ops (features nesting/keyctl + bind mounts via pct set,
which the API token cannot do) and in-container Docker/hermes bootstrap.
Spec amended for the discovered API-token limitation: bind mounts AND container
features require root@pam/SSH, so both are applied via console pct set rather
than Terraform; terraform import tracked as follow-up.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
