I've gone a step further:
- yoloai new mybugfix . -a # start a new sandbox using a copy of CWD as its workdir
- # tell the agent to fix the broken thing
- yoloai diff mybugfix # See a unified diff of what it did with its copy of the workdir
- yoloai apply mybugfix # apply specific git commits it made to the real workdir, or the whole diff - your choice
- yoloai destroy mybugfix
The diff/apply makes sure that the agent has NO write access to ANYTHING sensitive, INCLUDING your workdir. You decide what gets applied AFTER you review what crazy shit it did in its sandbox copy of your workdir.
Blast radius = 0
But then you give the LLM access to all of the internet and any other tokens it needs, right? ;)
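The copy, diff, apply workflow from the first comment, sketched with plain cp, cmp and diff. This is an added example, not yoloai's code or implementation; the function names and the per-path approval step are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: review-before-apply with standard tools (hypothetical helper names).

# Give the agent a private copy; the real workdir is never handed to it.
sandbox_new() {            # $1 = real workdir, $2 = sandbox copy
  mkdir -p "$2" && cp -a "$1/." "$2/"
}

# Unified diff of the agent's changes, for human review.
sandbox_diff() {           # exit status 1 only means "there are changes"
  diff -ruN "$1" "$2"
}

# Relative paths that were added, modified or deleted in the sandbox.
sandbox_changed() {        # $1 = real workdir, $2 = sandbox copy
  { (cd "$1" && find . \( -type f -o -type l \))
    (cd "$2" && find . \( -type f -o -type l \)); } | sort -u |
  while IFS= read -r f; do
    cmp -s "$1/$f" "$2/$f" 2>/dev/null || printf '%s\n' "${f#./}"
  done
}

# Copy back only the paths the reviewer names; everything else stays put.
sandbox_apply() {          # $1 = real, $2 = sandbox, rest = approved paths
  local real=$1 box=$2 p; shift 2
  for p in "$@"; do
    case "/$p/" in         # reject empty, absolute and ../ paths
      //*|*/../*) echo "refusing path: $p" >&2; return 1 ;;
    esac
    if [ -L "$box/$p" ]; then
      # a symlink created in the sandbox could point outside the workdir
      echo "refusing symlink: $p" >&2; return 1
    elif [ -f "$box/$p" ]; then
      mkdir -p "$real/$(dirname "$p")" && cp -p "$box/$p" "$real/$p"
    else
      rm -f "$real/$p"     # reviewer approved a deletion
    fi
  done
}
```

This only controls what is written back to the workdir; network access and any tokens handed to the agent, raised in the reply above, are outside what it covers.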