diff --git a/scripts/mutation_gate.py b/scripts/mutation_gate.py
index 1a7c281d..6671b803 100644
--- a/scripts/mutation_gate.py
+++ b/scripts/mutation_gate.py
@@ -255,6 +255,11 @@ def _invalidate_bytecode(path: Path) -> None:
 def _survives(
     path: Path, tree: ast.Module, src: str, mutant: _Mutant, data: coverage.CoverageData
 ) -> bool:
+    # Safety: only ever rewrite files inside the package under test. The file list
+    # comes from `git diff`, so this can't normally escape, but guard against a path
+    # that resolves outside aai_cli/ before we write to it.
+    if not path.resolve().is_relative_to(Path(_PKG).resolve()):
+        raise ValueError(f"refusing to mutate a file outside {_PKG}/: {path}")
     mutant.apply()
     try:
         path.write_text(ast.unparse(tree), encoding="utf-8")