diff --git a/src/browser/server.agent-contract-form-layout-act-commands.test.ts b/src/browser/server.agent-contract-form-layout-act-commands.test.ts
index 8809393818b..ca11f5ffd8a 100644
--- a/src/browser/server.agent-contract-form-layout-act-commands.test.ts
+++ b/src/browser/server.agent-contract-form-layout-act-commands.test.ts
@@ -514,6 +514,15 @@ describe("browser control server", () => {
 expect(pwMocks.traceStopViaPlaywright).not.toHaveBeenCalled();
 });
 
+ it("trace stop rejects absolute path outside trace dir", async () => {
+ const base = await startServerAndBase();
+ const res = await postJson<{ error?: string }>(`${base}/trace/stop`, {
+ path: path.resolve("/", "pwned.zip"),
+ });
+ expect(res.error).toContain("Invalid path");
+ expect(pwMocks.traceStopViaPlaywright).not.toHaveBeenCalled();
+ });
+
 it("trace stop accepts in-root relative output path", async () => {
 const base = await startServerAndBase();
 const res = await postJson<{ ok?: boolean; path?: string }>(`${base}/trace/stop`, {
@@ -560,6 +569,15 @@ describe("browser control server", () => {
 expect(pwMocks.waitForDownloadViaPlaywright).not.toHaveBeenCalled();
 });
 
+ it("wait/download rejects absolute path outside downloads dir", async () => {
+ const base = await startServerAndBase();
+ const waitRes = await postJson<{ error?: string }>(`${base}/wait/download`, {
+ path: path.resolve("/", "pwned.pdf"),
+ });
+ expect(waitRes.error).toContain("Invalid path");
+ expect(pwMocks.waitForDownloadViaPlaywright).not.toHaveBeenCalled();
+ });
+
 it("download rejects traversal path outside downloads dir", async () => {
 const base = await startServerAndBase();
 const downloadRes = await postJson<{ error?: string }>(`${base}/download`, {
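Review bot: The new rejection tests in this hunk, in the wait/download hunk that shares this line, and in the download hunk at @@ -570 all probe a single shape of bad input, a path rooted at `/`, so a containment check implemented as a plain string-prefix comparison against the configured root would still pass all three while accepting a sibling directory whose name merely starts with the root. Add one case per endpoint that resolves an output path into such a sibling of the trace or downloads dir and expects the same `Invalid path` rejection with the Playwright mock untouched; the fixture that exposes the configured root is not visible in this hunk, so the name in the sketch below is a placeholder to be replaced with whatever startServerAndBase or the test setup provides. The `toContain("Invalid path")` assertion only matches the message substring; if postJson exposes the response status, also asserting the rejection status would keep the guard from silently degrading into a generic server error later. The enclosing describe block starts and ends outside this hunk.
```typescript
it("trace stop rejects sibling dir sharing the trace dir prefix", async () => {
  const base = await startServerAndBase();
  // TRACE_DIR_PLACEHOLDER: the configured trace root is not visible in this hunk
  const res = await postJson<{ error?: string }>(`${base}/trace/stop`, {
    path: `${TRACE_DIR_PLACEHOLDER}-evil/pwned.zip`,
  });
  expect(res.error).toContain("Invalid path");
  expect(pwMocks.traceStopViaPlaywright).not.toHaveBeenCalled();
});
// … same case for /wait/download and /download against the downloads dir …
```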
@@ -570,6 +588,16 @@ describe("browser control server", () => {
 expect(pwMocks.downloadViaPlaywright).not.toHaveBeenCalled();
 });
 
+ it("download rejects absolute path outside downloads dir", async () => {
+ const base = await startServerAndBase();
+ const downloadRes = await postJson<{ error?: string }>(`${base}/download`, {
+ ref: "e12",
+ path: path.resolve("/", "pwned.pdf"),
+ });
+ expect(downloadRes.error).toContain("Invalid path");
+ expect(pwMocks.downloadViaPlaywright).not.toHaveBeenCalled();
+ });
+
 it("wait/download accepts in-root relative output path", async () => {
 const base = await startServerAndBase();
 const res = await postJson<{ ok?: boolean; download?: { path?: string } }>(
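Review bot: The added download test is the third copy of the same six-line body (start server, post an absolute `path.resolve("/", …)` output path, expect `Invalid path`, expect the mock uncalled), differing only in endpoint, mock name and the extra `ref: "e12"` field; if the runner is vitest or jest, a single `it.each` table keyed by endpoint, extra body fields and mock would express the three absolute-path rejections and the existing traversal rejections together, so any further rejection shape is added as one row rather than three more blocks. The `ref: "e12"` value is not explained anywhere in the hunk; a short comment such as `// any ref works here: path validation must reject before the ref is resolved` would state the ordering the test relies on, hedged since the handler is not visible. The "wait/download accepts" test at the end of the hunk continues past the hunk boundary.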