f6dc709793
Correct README/plan/spec after the apply-failure root cause: nesting/keyctl are settable by the API token on an unprivileged CT and are required at create to avoid the systemd-252 TASK WARNINGS that fails apply. Console step reduced to bind mounts only. README apply uses -target (PBS disk drift). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>