diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000000..bfe964669d
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-10-24 - Fix Path Traversal in ApiFilesGet
+ **Vulnerability:** Path traversal in `api/api_files_get.py` allowed arbitrary file reading outside of the base directory via manipulated input paths (e.g. starting with `/a0/../../`).
+ **Learning:** When converting internal virtual paths to physical paths on the file system, standard normalization handles `..` but can resolve to directories completely outside the expected application root.
+ **Prevention:** Always use a base directory check function (like `files.is_in_base_dir()`) immediately before acting on any user-provided or user-manipulated file path to restrict access boundaries.
diff --git a/api/api_files_get.py b/api/api_files_get.py
index b2533f4f4f..0df7900719 100644
--- a/api/api_files_get.py
+++ b/api/api_files_get.py
@@ -62,6 +62,11 @@ async def process(self, input: dict, request: Request) -> dict | Response:
 external_path = path
 filename = os.path.basename(path)
 
+ # Security check: ensure path is within base directory to prevent path traversal
+ if not files.is_in_base_dir(external_path):
+ PrintStyle.warning(f"Security: Path traversal attempt blocked for path: {path}")
+ continue
+
 # Check if file exists
 if not os.path.exists(external_path):
 PrintStyle.warning(f"File not found: {path}")
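Review bot: The new guard delegates entirely to `files.is_in_base_dir(external_path)`, whose implementation is not in this hunk; if that helper compares normalized paths as string prefixes rather than resolving with `os.path.realpath` and comparing path components, a symlink located inside the base directory, or a sibling directory whose name merely shares the base's prefix, could still pass the check. That contract is worth confirming and recording at the call site, e.g. `# is_in_base_dir must realpath-resolve symlinks and compare path components, not string prefixes`. The warning also writes the raw user-supplied `path` into the log, so a value containing newlines could split into extra log lines; `PrintStyle.warning(f"Security: Path traversal attempt blocked for path: {path!r}")` keeps it on one line. Since the blocked entry is silently skipped via `continue`, the caller receives no indication in the response that a path was rejected — if that is intentional, a one-line comment saying so would help the next reader. The enclosing `process` method starts and ends outside this hunk, so the prior normalization of `path` that the sentinel note refers to could not be reviewed here.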