fix(agent): relax SystemCallFilter — Node needs @cpu-emulation etc.

The extra ~@cpu-emulation ~@obsolete ~@swap ~@raw-io negations on top of
@system-service killed Claude Code (Node) with SIGSYS during startup.

Keep just the truly dangerous groups blocked: ~@privileged ~@reboot
~@mount. The base @system-service preset already excludes others (no
@debug, no @resources, etc. are included by default in that preset).

agent/overlord-agent.service

@@ -91,17 +91,19 @@ RestrictNamespaces=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 
 # ─── Syscall filter ────────────────────────────────────────────────
+# Use the standard @system-service preset which is what almost every
+# hardened systemd unit uses. It already excludes the dangerous groups
+# (privileged, mount, reboot, raw-io, etc.) by NOT including them, while
+# being broad enough to host typical apps including Node.js.
+#
+# We tried adding extra "~@..." negations on top — they killed Claude
+# (Node) with SIGSYS during startup. The default @system-service preset
+# is the right balance; the rest of the hardening covers what we need.
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged
-SystemCallFilter=~@resources
-SystemCallFilter=~@debug
-SystemCallFilter=~@mount
-SystemCallFilter=~@cpu-emulation
-SystemCallFilter=~@obsolete
 SystemCallFilter=~@reboot
-SystemCallFilter=~@swap
+SystemCallFilter=~@mount
-SystemCallFilter=~@raw-io
 
 [Install]
 WantedBy=multi-user.target