diff --git a/apps/web/app/api/chat/stop/route.ts b/apps/web/app/api/chat/stop/route.ts
index 5e87a42fde3..e6ce9199781 100644
--- a/apps/web/app/api/chat/stop/route.ts
+++ b/apps/web/app/api/chat/stop/route.ts
@@ -21,6 +21,8 @@ export async function POST(req: Request) {
 	}
 
 	const run = getActiveRun(runKey);
-	const aborted = run?.status === "running" ? abortRun(runKey) : false;
+	const canAbort =
+		run?.status === "running" || run?.status === "waiting-for-subagents";
+	const aborted = canAbort ? abortRun(runKey) : false;
 	return Response.json({ aborted });
 }
diff --git a/apps/web/app/api/workspace/file/route.ts b/apps/web/app/api/workspace/file/route.ts
index a096c66f9b7..2b588913982 100644
--- a/apps/web/app/api/workspace/file/route.ts
+++ b/apps/web/app/api/workspace/file/route.ts
@@ -49,6 +49,13 @@ export async function POST(req: Request) {
     );
   }
 
+  if (isSystemFile(relPath)) {
+    return Response.json(
+      { error: "Cannot modify system file" },
+      { status: 403 },
+    );
+  }
+
   // Use safeResolveNewPath (not safeResolvePath) because the file may not exist yet
   const absPath = safeResolveNewPath(relPath);
   if (!absPath) {