diff --git a/internal/server/session_util_test.go b/internal/server/session_util_test.go
index 341e1be24..eaad6b89e 100644
--- a/internal/server/session_util_test.go
+++ b/internal/server/session_util_test.go
@@ -6,6 +6,46 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+// TestIsSinglePathSegmentSessionID verifies that isSinglePathSegmentSessionID
+// accepts normal session identifiers and rejects empty, dot, dot-dot, absolute,
+// and path-traversal inputs that could enable directory traversal attacks.
+func TestIsSinglePathSegmentSessionID(t *testing.T) {
+	tests := []struct {
+		name      string
+		sessionID string
+		want      bool
+	}{
+		// Dot-special inputs — first guard
+		{name: "empty string", sessionID: "", want: false},
+		{name: "single dot", sessionID: ".", want: false},
+		{name: "double dot", sessionID: "..", want: false},
+
+		// Absolute paths — second guard
+		{name: "absolute path", sessionID: "/etc/passwd", want: false},
+		{name: "root slash", sessionID: "/", want: false},
+
+		// Path-separator inputs — third guard
+		{name: "forward slash traversal", sessionID: "path/traversal", want: false},
+		{name: "relative traversal", sessionID: "../etc", want: false},
+		{name: "current-dir prefix", sessionID: "./session", want: false},
+		{name: "backslash traversal", sessionID: `path\traversal`, want: false},
+
+		// Valid single-segment identifiers — happy path
+		{name: "simple session ID", sessionID: "my-session", want: true},
+		{name: "UUID format", sessionID: "550e8400-e29b-41d4-a716-446655440000", want: true},
+		{name: "API key format", sessionID: "ghp_abcdefghijklmnopqrstuvwxyz012345", want: true},
+		{name: "hex token", sessionID: "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", want: true},
+		{name: "single character", sessionID: "x", want: true},
+		{name: "numeric string", sessionID: "12345", want: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, isSinglePathSegmentSessionID(tt.sessionID))
+		})
+	}
+}
+
 func TestTruncateSessionID(t *testing.T) {
 	tests := []struct {
 		name      string