diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index e0fa46b..e8260da 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -2,3 +2,8 @@
 **Vulnerability:** API endpoints in `backend/src/server.ts` taking user input (`projectId`, `jobId`) were directly joined with paths using `join` in `backend/src/store/localStore.ts` without proper sanitization. This allowed attackers to escape the project directory context and overwrite or read arbitrary files by sending payload containing `../` sequences.
 **Learning:** Even internal backend services handling project resources must securely sanitize all parameter values used for file operations to prevent path traversal outside expected boundaries.
 **Prevention:** Always use safe path sanitization utilities, like the implemented `safeJoin` and `toSafeRelativePath` in `backend/src/utils/path.ts`, to securely construct file paths and ensure the final path remains within the intended boundaries.
+
+## 2025-02-18 - [Command Option Injection in Compile Worker]
+**Vulnerability:** The `mainFile` parameter in `backend/src/services/compileQueue.ts` was passed to the `latexmk` binary in the rust worker without validation. If `mainFile` started with a hyphen (`-`), it could be treated as a flag (e.g., `-shell-escape`), leading to Command Option Injection and potentially Remote Code Execution (RCE).
+**Learning:** When passing user-controlled variables to external processes (like `spawn` or `Command`) as positional arguments, we must ensure they are not misinterpreted as option flags.
+**Prevention:** Always explicitly validate and reject user-provided arguments intended as positional arguments if they begin with a hyphen (`-`).
diff --git a/backend/src/services/compileQueue.ts b/backend/src/services/compileQueue.ts
index ed1a3e6..3789712 100644
--- a/backend/src/services/compileQueue.ts
+++ b/backend/src/services/compileQueue.ts
@@ -101,6 +101,12 @@ export class CompileQueueService {
     const settings = await this.store.getSettings();
     const projectId = request.projectId.trim();
     const mainFile = request.mainFile?.trim() || "main.tex";
+
+    // Security Fix: Prevent Command Option Injection in latexmk worker
+    if (mainFile.startsWith("-")) {
+      throw new HttpError(400, "mainFile cannot start with a hyphen.");
+    }
+
     const timeoutMs = request.timeoutMs ?? settings.compileTimeoutMs;
     const jobId = createId("job");