docs/superpowers/plans/2026-06-18-hermes-agent-lxc.md

@@ -277,12 +277,19 @@ git commit -m "feat: add Hermes Agent LXC outputs"
 - [ ] **Step 1: Review the plan**
 
 Run: `terraform plan`
-Expected: plan shows `2 to add` — `proxmox_virtual_environment_download_file.debian12_template_gihyeon` and `proxmox_virtual_environment_container.hermes`. **0 to change, 0 to destroy.** Confirm it does NOT touch `proxmox_virtual_environment_container.pbs`.
+Expected: `2 to add` — `proxmox_virtual_environment_download_file.debian12_template_gihyeon` and `proxmox_virtual_environment_container.hermes`.
 
-- [ ] **Step 2: Apply**
+> ⚠️ **Known pre-existing drift:** the plan ALSO shows `1 to change` — `proxmox_virtual_environment_container.pbs` disk `size = 48 -> 16`. The live PBS rootfs is 48GB but `pbs.tf` declares 16GB. A blanket apply would try to **shrink** the PBS disk (dangerous). Do NOT untargeted-apply. Reconcile separately by setting `pbs.tf` `size = 48` to match reality (no infra change), or leave it and always target hermes.
 
-Run: `terraform apply`
+- [ ] **Step 2: Apply (TARGETED to hermes only)**
-Expected: `Apply complete! Resources: 2 added, 0 changed, 0 destroyed.` Outputs include `hermes_container_id = 118`.
+
+Run:
+```bash
+terraform apply \
+  -target=proxmox_virtual_environment_download_file.debian12_template_gihyeon \
+  -target=proxmox_virtual_environment_container.hermes
+```
+Expected: `Apply complete! Resources: 2 added, 0 changed, 0 destroyed.` Outputs include `hermes_container_id = 118`. The `-target` flags ensure the PBS disk drift is NOT touched.
 
 > If apply errors with a permission/`root@pam`-only message on any container attribute, STOP — it means an attribute in `hermes.tf` is host-restricted. The skeleton here is intentionally limited to attributes the PBS container already created successfully via the same token, so this is not expected.