diff --git a/Dockerfile b/Dockerfile
index 8a3feaf..ab76703 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,6 +33,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     fzf \
     gh \
     git \
+    htop \
     iputils-ping \
     iproute2 \
     jitterentropy-rngd \
@@ -113,6 +114,7 @@ RUN useradd --create-home --shell /bin/bash node \
   && printf 'node ALL=(ALL) NOPASSWD:ALL\n' >/etc/sudoers.d/node \
   && chmod 440 /etc/sudoers.d/node \
   && install -d -m 0755 /etc/microagent \
+  && install -d -m 0755 -o node -g node /home/node/.local/bin \
   && ln -sf /usr/bin/fdfind /usr/local/bin/fd \
   && ln -sf /usr/bin/batcat /usr/local/bin/bat \
   && ln -sf /usr/bin/nvim /usr/local/bin/vim \
@@ -130,6 +132,7 @@ COPY microagent-network-up.sh /usr/local/bin/microagent-network-up
 COPY defaults/.zshrc /home/node/.zshrc
 COPY defaults/.bashrc /home/node/.bashrc
 COPY defaults/.profile /home/node/.profile
+COPY defaults/pip.conf /etc/pip.conf
 COPY terminfo/xterm-ghostty.terminfo /tmp/xterm-ghostty.terminfo
 COPY terminfo/xterm-kitty.terminfo /tmp/xterm-kitty.terminfo
 
diff --git a/defaults/.bashrc b/defaults/.bashrc
index e6b6ced..a59cced 100644
--- a/defaults/.bashrc
+++ b/defaults/.bashrc
@@ -3,6 +3,9 @@ case $- in
   *) return ;;
 esac
 
+# Ensure user-local binaries are on PATH.
+[[ ":$PATH:" == *":$HOME/.local/bin:"* ]] || export PATH="$HOME/.local/bin:$PATH"
+
 computer_prompt_base_name() {
   local name=""
   if [ -r /etc/microagent/machine-name ]; then
diff --git a/defaults/.profile b/defaults/.profile
index 099b28a..2fcc369 100644
--- a/defaults/.profile
+++ b/defaults/.profile
@@ -1,5 +1,8 @@
 export LANG="${LANG:-C.UTF-8}"
 
+# Ensure user-local binaries are on PATH.
+[[ ":$PATH:" == *":$HOME/.local/bin:"* ]] || export PATH="$HOME/.local/bin:$PATH"
+
 if [ -n "${BASH_VERSION:-}" ] && [ -f "$HOME/.bashrc" ]; then
   . "$HOME/.bashrc"
 fi
diff --git a/defaults/.zshrc b/defaults/.zshrc
index a1026bf..dc248b0 100644
--- a/defaults/.zshrc
+++ b/defaults/.zshrc
@@ -1,5 +1,8 @@
 export LANG="${LANG:-C.UTF-8}"
 
+# Ensure user-local binaries are on PATH.
+[[ ":$PATH:" == *":$HOME/.local/bin:"* ]] || export PATH="$HOME/.local/bin:$PATH"
+
 HISTFILE="${HOME}/.zsh_history"
 HISTSIZE=50000
 SAVEHIST=50000
diff --git a/defaults/pip.conf b/defaults/pip.conf
new file mode 100644
index 0000000..9d54ef9
--- /dev/null
+++ b/defaults/pip.conf
@@ -0,0 +1,2 @@
+[global]
+break-system-packages = true
diff --git a/microagent-init.sh b/microagent-init.sh
index 7651a0b..973cdc2 100644
--- a/microagent-init.sh
+++ b/microagent-init.sh
@@ -179,6 +179,16 @@ if [ -f /etc/microagent/trusted_user_ca_keys ]; then
   chmod 0644 /etc/microagent/trusted_user_ca_keys
 fi
 
+# Raise default process and file-descriptor limits for interactive sessions.
+ulimit -n 1048576 2>/dev/null || true
+ulimit -u 65536  2>/dev/null || true
+cat >/etc/security/limits.d/microagent.conf <<'LIMITS'
+* soft nofile 1048576
+* hard nofile 1048576
+* soft nproc  65536
+* hard nproc  65536
+LIMITS
+
 if command -v jitterentropy-rngd >/dev/null 2>&1; then
   log "starting jitterentropy-rngd"
   jitterentropy-rngd -v >/var/log/jitterentropy.log 2>&1 &