diff --git a/freeze/bin/check-freeze.sh b/freeze/bin/check-freeze.sh
index ed748e93..825bc227 100755
--- a/freeze/bin/check-freeze.sh
+++ b/freeze/bin/check-freeze.sh
@@ -51,9 +51,20 @@ esac
 # Normalize: remove double slashes and trailing slash
 FILE_PATH=$(printf '%s' "$FILE_PATH" | sed 's|/\+|/|g;s|/$||')
 
+# Resolve symlinks and .. sequences (POSIX-portable, works on macOS)
+_resolve_path() {
+ local _dir _base
+ _dir="$(dirname "$1")"
+ _base="$(basename "$1")"
+ _dir="$(cd "$_dir" 2>/dev/null && pwd -P || printf '%s' "$_dir")"
+ printf '%s/%s' "$_dir" "$_base"
+}
+FILE_PATH=$(_resolve_path "$FILE_PATH")
+FREEZE_DIR=$(_resolve_path "$FREEZE_DIR")
+
 # Check: does the file path start with the freeze directory?
 case "$FILE_PATH" in
- "${FREEZE_DIR}"*)
+ "${FREEZE_DIR}/"*|"${FREEZE_DIR}")
 # Inside freeze boundary — allow
 echo '{}'
 ;;
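Review bot: `_resolve_path` fails open: when `cd "$_dir"` fails (for instance because the parent directory does not exist yet), the `|| printf '%s' "$_dir"` fallback returns the unresolved string, so any `..` segments survive and the `"${FREEZE_DIR}/"*` match below is once more a plain string-prefix test. The final component is also never resolved, so a `FILE_PATH` that is itself a symlink is compared by its link name rather than its target, which the "Resolve symlinks" comment overstates. Consider failing closed with `_dir="$(CDPATH= cd -- "$_dir" 2>/dev/null && pwd -P)" || return 1` and having both call sites treat a non-zero status as outside the boundary; if writes into not-yet-created subdirectories must stay allowed, resolve the nearest existing ancestor instead and reject any remaining `..` component. `CDPATH=` and `--` additionally keep `cd` from echoing a CDPATH match into the captured output and from parsing a leading `-` in the path as an option.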