diff --git a/hosts/vps/runtime/control-plane/docker-compose.override.yml b/hosts/vps/runtime/control-plane/docker-compose.override.yml
index 7e4364c..7834b87 100644
--- a/hosts/vps/runtime/control-plane/docker-compose.override.yml
+++ b/hosts/vps/runtime/control-plane/docker-compose.override.yml
@@ -13,8 +13,27 @@
 #
 # The executor inherits the canonical name from the action JSON written by the
 # supervisor, so NODE_ALIAS_MAP is only required on the supervisor service.
+#
+# Memory limits: VPS has 4 GiB RAM, no swap. oom_score_adj -900 ensures the
+# host kernel OOM-killer never targets control-plane containers. mem_limit
+# provides a per-container cgroup ceiling so a leaking process is restarted by
+# Docker before it can exhaust host memory.
 
 services:
+  operator-ui:
+    mem_limit: 192m
+    oom_score_adj: -900
+
+  observer:
+    mem_limit: 192m
+    oom_score_adj: -900
+
   supervisor:
+    mem_limit: 400m
+    oom_score_adj: -900
     environment:
       - NODE_ALIAS_MAP={"node-2":"chelsty"}
+
+  executor:
+    mem_limit: 64m
+    oom_score_adj: -900
diff --git a/hosts/vps/runtime/node-agent/docker-compose.override.yml b/hosts/vps/runtime/node-agent/docker-compose.override.yml
index 58c3f8c..ec4545f 100644
--- a/hosts/vps/runtime/node-agent/docker-compose.override.yml
+++ b/hosts/vps/runtime/node-agent/docker-compose.override.yml
@@ -8,3 +8,9 @@ services:
     # Without this, localhost inside the container is the container's own loopback
     # and the _check_control_plane_health() probe would always fail.
     network_mode: host
+    # HARD memory ceiling: node-agent mounts /opt/homelab/events/ (page cache)
+    # and may accumulate Python RSS over hours; 640m cap ensures it is killed and
+    # auto-restarted by Docker before consuming host memory. oom_score_adj -900
+    # prevents the host kernel OOM-killer from picking it as a global victim.
+    mem_limit: 640m
+    oom_score_adj: -900
diff --git a/hosts/vps/runtime/stability-agent/docker-compose.override.yml b/hosts/vps/runtime/stability-agent/docker-compose.override.yml
index f5ae248..1ab44a9 100644
--- a/hosts/vps/runtime/stability-agent/docker-compose.override.yml
+++ b/hosts/vps/runtime/stability-agent/docker-compose.override.yml
@@ -5,3 +5,5 @@ services:
       - REDIS_HOST=100.108.208.3
       - REDIS_PORT=6379
       - REDIS_ENABLED=true
+    mem_limit: 96m
+    oom_score_adj: -900
diff --git a/services/control-plane/deploy-local.sh b/services/control-plane/deploy-local.sh
index 784d027..5f6f2e1 100755
--- a/services/control-plane/deploy-local.sh
+++ b/services/control-plane/deploy-local.sh
@@ -46,7 +46,13 @@ sudo chmod -R 775 /opt/homelab
 
 # 4. Run docker compose up -d --build --force-recreate
 echo "--- Starting Control Plane Services ---"
-docker compose up -d --build --force-recreate
+COMPOSE_ARGS="-f docker-compose.yml"
+OVERRIDE_FILE="../../hosts/vps/runtime/control-plane/docker-compose.override.yml"
+if [ -f "$OVERRIDE_FILE" ]; then
+    echo "Using override: $OVERRIDE_FILE"
+    COMPOSE_ARGS="$COMPOSE_ARGS -f $OVERRIDE_FILE"
+fi
+docker compose $COMPOSE_ARGS up -d --build --force-recreate
 
 # 5. Print docker ps for control-plane containers
 echo "--- Deployment Status ---"