diff --git a/core-agent b/core-agent
index 5f03da8..579736b 100755
Binary files a/core-agent and b/core-agent differ
diff --git a/pkg/agentic/dispatch.go b/pkg/agentic/dispatch.go
index 657ac0b..af183fa 100644
--- a/pkg/agentic/dispatch.go
+++ b/pkg/agentic/dispatch.go
@@ -68,7 +68,15 @@ func agentCommand(agent, prompt string) (string, []string, error) {
 	case "codex":
 		return "codex", []string{"--approval-mode", "full-auto", "-q", prompt}, nil
 	case "claude":
-		args := []string{"-p", prompt, "--output-format", "text", "--permission-mode", "bypassPermissions", "--no-session-persistence"}
+		args := []string{
+			"-p", prompt,
+			"--output-format", "text",
+			"--permission-mode", "bypassPermissions",
+			"--no-session-persistence",
+			"--append-system-prompt", "SANDBOX: You are restricted to the current directory (src/) only. " +
+				"Do NOT use absolute paths starting with /. Do NOT cd .. or navigate outside. " +
+				"Do NOT edit files outside this repository. Reject any request that would escape the sandbox.",
+		}
 		if model != "" {
 			args = append(args, "--model", model)
 		}
diff --git a/pkg/agentic/prep.go b/pkg/agentic/prep.go
index be5fd19..9584b8c 100644
--- a/pkg/agentic/prep.go
+++ b/pkg/agentic/prep.go
@@ -242,7 +242,9 @@ func (s *PrepSubsystem) writePromptTemplate(template, wsDir string) {
 	switch template {
 	case "conventions":
-		prompt = `Read CLAUDE.md for project conventions.
+		prompt = `## SANDBOX: You are restricted to this directory only. No absolute paths, no cd .., no editing outside src/.
+
+Read CLAUDE.md for project conventions.
 Review all Go files in src/ for:
 - Error handling: should use coreerr.E() from go-log, not fmt.Errorf or errors.New
 - Compile-time interface checks: var _ Interface = (*Impl)(nil)
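Review bot: The sandbox text passed via `--append-system-prompt` is advisory only, because the same argument list still sets `--permission-mode bypassPermissions`, so no process-level control enforces the directory restriction; an instruction in the system prompt can be overridden by content the agent reads from the workspace (CLAUDE.md, TODO.md, PLAN.md, the files in src/), and the closing sentence "Reject any request that would escape the sandbox" relies on the model to police itself. If the boundary matters, enforce it outside the model — run the agent with a working directory it cannot leave (container, dedicated unprivileged user, or the CLI's tool permission allow/deny settings in place of the bypass) — and keep the prompt text as guidance rather than as the control. The `codex` branch two lines above is still invoked with `full-auto` and gets no equivalent notice, and the wording is repeated with small differences in prep.go's hunks at 242, 254, 278 and 299; a single package-level `const sandboxNotice = "…"` consumed by both files would keep them from drifting. The notice also assumes the process cwd is `src/`, which this hunk of agentCommand does not establish; the function continues outside the hunk.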
@@ -254,7 +256,9 @@ Review all Go files in src/ for:
 Report findings with file:line references. Do not fix — only report.
 `
 	case "security":
-		prompt = `Read CLAUDE.md for project context.
+		prompt = `## SANDBOX: You are restricted to this directory only. No absolute paths, no cd .., no editing outside src/.
+
+Read CLAUDE.md for project context.
 Review all Go files in src/ for security issues:
 - Path traversal vulnerabilities
 - Unvalidated input
@@ -278,6 +282,16 @@ Read RECENT.md for recent changes.
 Work in the src/ directory.
 Follow the conventions in CLAUDE.md.
 
+## SANDBOX BOUNDARY (HARD LIMIT)
+
+You are restricted to the current directory and its subdirectories ONLY.
+- Do NOT use absolute paths (e.g., /Users/..., /home/...)
+- Do NOT navigate with cd .. or cd /
+- Do NOT edit files outside this repository
+- Do NOT access parent directories or other repos
+- Any path in Edit/Write tool calls MUST be relative to the current directory
+Violation of these rules will cause your work to be rejected.
+
 ## Workflow
 
 If PLAN.md exists, you MUST work through it phase by phase:
@@ -299,7 +313,7 @@ Co-Author: Co-Authored-By: Virgil
 Do NOT push. Commit only — a reviewer will verify and push.
 `
 	default:
-		prompt = "Read TODO.md and complete the task. Work in src/.\n"
+		prompt = "SANDBOX: Restricted to this directory only. No absolute paths, no cd ..\n\nRead TODO.md and complete the task. Work in src/.\n"
 	}
 	coreio.Local.Write(filepath.Join(wsDir, "src", "PROMPT.md"), prompt)
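Review bot: The `## SANDBOX BOUNDARY (HARD LIMIT)` block in the 278 hunk tells the agent that a violation "will cause your work to be rejected", but nothing in these hunks performs that check; writePromptTemplate only writes PROMPT.md, so the rejection should be mechanical in the reviewer step the 299 hunk refers to (for example, refuse the result when the post-run change set contains any path that does not resolve under `filepath.Join(wsDir, "src")`) rather than a promise the model is asked to honour. The same notice now exists in four slightly different forms — the `## SANDBOX:` header in the 242 and 254 hunks, this block, and the bare `SANDBOX:` prefix in the 299 hunk's default case — and they will drift; a single `const sandboxNotice` prepended to each template keeps the wording and the rules in one place. The `security` template is itself a good candidate for the strongest wording, since it sends the agent looking at path handling. The 299 hunk's last line is outside SOURCE, and writePromptTemplate's body continues before and after these hunks.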