diff --git a/agent/overlord-agent.service b/agent/overlord-agent.service
index 2e05529c..4068ee86 100644
--- a/agent/overlord-agent.service
+++ b/agent/overlord-agent.service
@@ -25,7 +25,7 @@ StandardOutput=journal
 StandardError=journal
 
 # ─── Resource caps ─────────────────────────────────────────────────
-MemoryLimit=512M
+MemoryMax=512M
 CPUQuota=200%
 TasksMax=128
 
@@ -74,7 +74,12 @@ LockPersonality=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 RemoveIPC=true
-MemoryDenyWriteExecute=true
+# MemoryDenyWriteExecute would break Node.js (V8 JIT requires W^X
+# transitions via mprotect with PROT_EXEC on JITted code pages). Claude
+# Code is a Node app, so omit this. Without JIT we'd lose all model
+# performance. The other restrictions still prevent shellcode injection
+# in practice (no Bash/Write tools, no shellcraft surface).
+# MemoryDenyWriteExecute=true   ← DO NOT enable; breaks Node V8 JIT
 RestrictNamespaces=true
 
 # ─── Network family restriction ────────────────────────────────────