diff --git a/services/analysis-engine/src/bandscope_analysis/api.py b/services/analysis-engine/src/bandscope_analysis/api.py
index a193bce2..e44bf7de 100644
--- a/services/analysis-engine/src/bandscope_analysis/api.py
+++ b/services/analysis-engine/src/bandscope_analysis/api.py
@@ -307,10 +307,14 @@ def validate_analysis_job_request(payload: object) -> AnalysisJobRequest:
 if cache_root is not None:
 if not isinstance(cache_root, str) or not cache_root.strip():
 raise ValueError("Invalid analysis job request: invalid field 'cacheRoot'")
+ if ".." in cache_root:
+ raise ValueError("Invalid analysis job request: invalid field 'cacheRoot'")
 normalized["cacheRoot"] = cache_root
 if temp_root is not None:
 if not isinstance(temp_root, str) or not temp_root.strip():
 raise ValueError("Invalid analysis job request: invalid field 'tempRoot'")
+ if ".." in temp_root:
+ raise ValueError("Invalid analysis job request: invalid field 'tempRoot'")
 normalized["tempRoot"] = temp_root
 return normalized
diff --git a/services/analysis-engine/tests/test_api.py b/services/analysis-engine/tests/test_api.py
index ea55cba2..e6da6e43 100644
--- a/services/analysis-engine/tests/test_api.py
+++ b/services/analysis-engine/tests/test_api.py
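Review bot: The substring test `if ".." in cache_root:` is a denylist that also rejects legitimate directory names containing two dots (a constructed example: a root named `cache..v2`) while still admitting any absolute path that happens to contain no `..`, so by itself it does not confine where the engine will later read or write. If the intent is only to reject traversal segments, test path components instead, `if ".." in PurePath(cache_root).parts:` (with `from pathlib import PurePath`); if the intent is to confine the roots, the stronger control is to resolve the value and require it to lie under an allowed base at the point where the directory is actually used, which is not visible in this hunk. The same applies to the `temp_root` lines just below, and since the two blocks are now identical apart from the field name, a small `_validate_root(value, field)` helper would keep them in step. The enclosing function starts before the hunk.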
@@ -245,6 +245,38 @@ def test_validate_analysis_job_request_rejects_bad_payloads() -> None:
 },
 "cacheRoot",
 ),
+ (
+ {
+ "sourceKind": "local_audio",
+ "projectId": "project-1",
+ "sourceLabel": "Late Night Set",
+ "roleFocus": [],
+ "localSource": {
+ "sourcePath": "/Users/test/Music/late-night-set.wav",
+ "fileName": "late-night-set.wav",
+ "extension": "wav",
+ "fileSizeBytes": 1024000,
+ },
+ "cacheRoot": "/tmp/../../../etc",
+ },
+ "cacheRoot",
+ ),
+ (
+ {
+ "sourceKind": "local_audio",
+ "projectId": "project-1",
+ "sourceLabel": "Late Night Set",
+ "roleFocus": [],
+ "localSource": {
+ "sourcePath": "/Users/test/Music/late-night-set.wav",
+ "fileName": "late-night-set.wav",
+ "extension": "wav",
+ "fileSizeBytes": 1024000,
+ },
+ "tempRoot": "/tmp/../../../etc",
+ },
+ "tempRoot",
+ ),
 (
 {
 "sourceKind": "local_audio",
diff --git a/test_fix.py b/test_fix.py
new file mode 100644
index 00000000..dcdc685e
--- /dev/null
+++ b/test_fix.py
@@ -0,0 +1,10 @@
+import re
+
+with open(".github/workflows/opencode-review.yml", "r") as f:
+ content = f.read()
+
+# Let's find why the process completed with exit code 1
+# Specifically at Line: 1782
+# --title "PR #${PR_NUMBER} failed-check diagnosis ${MODEL}" >"$opencode_json_file"; then
+
+print(content[content.find("1782"):content.find("1782")+200])
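Review bot: The two new cases pin only the literal `/tmp/../../../etc`, so they cannot distinguish a component-wise `..` check from a plain substring match; if the validator is meant to accept a directory whose name merely contains two dots, a case such as `"cacheRoot": "/tmp/cache..v2"` expected to pass belongs alongside them, and a relative `../x` case would cover the non-absolute form. Each new case also repeats the same `local_audio` payload that the surrounding entries appear to use, with one differing field; a small builder like `_local_audio_payload(**overrides)` would make that field stand out. The parametrized list and the enclosing test function both continue outside the hunk.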
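Review bot: `test_fix.py` at the repository root reads like a scratch debugging script rather than part of this change: `import re` is unused, the comments describe a one-off CI failure, and `content.find("1782")` is evaluated twice and yields `-1` (a silently wrong slice rather than an error) when the marker is absent. Because it carries a `test_` prefix and runs file I/O at module level, a pytest run whose rootdir includes it would execute that `open()` during collection against a path that only exists in a checkout. I would drop the file from the commit; if it must stay, open with `with open(path, encoding="utf-8") as f:`, bind the index once with `idx = content.find("1782")`, and guard `idx < 0` before slicing.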