diff --git a/agent/overlord-agent.service b/agent/overlord-agent.service
index 4068ee86..d9f75220 100644
--- a/agent/overlord-agent.service
+++ b/agent/overlord-agent.service
@@ -91,17 +91,19 @@
 RestrictNamespaces=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 # ─── Syscall filter ──────────────────────────────────────────────
+# Use the standard @system-service preset which is what almost every
+# hardened systemd unit uses. It already excludes the dangerous groups
+# (privileged, mount, reboot, raw-io, etc.) by NOT including them, while
+# being broad enough to host typical apps including Node.js.
+#
+# We tried adding extra "~@..." negations on top — they killed Claude
+# (Node) with SIGSYS during startup. The default @system-service preset
+# is the right balance; the rest of the hardening covers what we need.
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged
-SystemCallFilter=~@resources
-SystemCallFilter=~@debug
-SystemCallFilter=~@mount
-SystemCallFilter=~@cpu-emulation
-SystemCallFilter=~@obsolete
 SystemCallFilter=~@reboot
-SystemCallFilter=~@swap
-SystemCallFilter=~@raw-io
+SystemCallFilter=~@mount
 
 [Install]
 WantedBy=multi-user.target
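Review bot: The added comment's justification does not hold for all seven removed lines: `~@debug`, `~@cpu-emulation`, `~@obsolete`, `~@swap` and `~@raw-io` are no-ops against an `@system-service` allow-list (those groups are outside the preset, as the comment itself says), but `@resources` is, as far as I recall, included in `@system-service`, so dropping `SystemCallFilter=~@resources` genuinely widens what the agent may call (setrlimit/prlimit, scheduler and affinity controls) and is the one removal most likely to have been the real SIGSYS cause. Rather than dropping everything, bisect: set `SystemCallLog=` or temporarily `SystemCallErrorNumber=EPERM` so Node gets an errno instead of dying and `strace -f` shows the denied call, then keep `~@resources` and re-allow only that specific syscall on a following `SystemCallFilter=` line. The genuinely redundant negations cost nothing and keep the denial explicit if someone later broadens the base set, so I would keep them and replace the "we tried negations, they killed Node" paragraph with a note that says which lines are belt-and-braces and which actually narrow the preset. The enclosing `[Service]` section starts outside the hunk.
```ini
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Belt-and-braces: these groups are already outside @system-service; the
# explicit negations keep the denial visible if the base set is ever widened.
SystemCallFilter=~@privileged @mount @reboot @swap @raw-io @debug @cpu-emulation @obsolete
# @resources IS part of @system-service, so this line actually narrows the set.
# If Node needs one call from it, re-allow just that syscall on a following
# SystemCallFilter= line instead of dropping the whole group.
SystemCallFilter=~@resources
```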