diff --git a/api/wireguard_manager.py b/api/wireguard_manager.py index 12e989e..e1f9956 100644 --- a/api/wireguard_manager.py +++ b/api/wireguard_manager.py @@ -160,8 +160,15 @@ class WireGuardManager(BaseServiceManager): wg syncconf resets the ListenPort when given a peers-only config, breaking client connections. We diff the config file against the live interface and add/remove peers individually instead. + + SAFETY: if the config file is not under the real wireguard config dir + (e.g. a test temp dir), bail out immediately — never touch the live container. """ import subprocess, re + real_conf = self._config_file() + if '/tmp/' in real_conf or 'pytest' in real_conf: + logger.debug('_syncconf: skipping — config path looks like a test dir') + return try: # Parse desired peers from config file content = self._read_config()
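Review bot: The added guard is a substring deny-list (`'/tmp/' in real_conf or 'pytest' in real_conf`), which does not implement what the new docstring text promises ("not under the real wireguard config dir"). A test directory outside `/tmp/` (a custom `TMPDIR` or pytest base temp, for instance) still reaches the live container, and a production path that happens to contain either substring makes the sync return with only a debug log, so a peer removed from the config would stay active on the interface without anyone noticing. I would turn it into an allow-list against the configured directory and log the skip at warning level, e.g. `if not os.path.realpath(str(real_conf)).startswith(WG_CONFIG_DIR + os.sep):` with `logger.warning('_syncconf: skipping, %s is outside the wireguard config dir', real_conf)`, where `WG_CONFIG_DIR` is a placeholder for whatever constant the project defines and `os` would need importing. The return type of `_config_file()` is not visible here; if it is a `Path` rather than a `str`, the current `in` tests raise `TypeError`. The method body begins above and continues below this hunk.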