globular-toast 12 hours ago

Posted this 6 months ago but got no traction here: https://blog.gpkb.org/posts/ai-agent-sandbox/

Recently got it working for OpenCode and updated my post.

Someone pointed out to me that having the .git directory mounted read/write in the sandbox could be a problem. So I'm considering only mounting src/ and project metadata (including git) being read only.

You really need to use the `--new-session` parameter, by the way. It's unfortunate that this isn't the default with bwrap.
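The layout described in the comment above, as an added example (not the poster's script and not taken from the linked blog post): the whole project is bound read-only, only `src/` is bound read/write on top of it, and `--new-session` is set. The function name `agent_sandbox`, the `DRY_RUN` switch, the shared network and the merged-/usr host layout are assumptions.

```shell
#!/bin/sh
# Added example. Usage: agent_sandbox /path/to/project opencode [args...]
# DRY_RUN=1 prints the bwrap command, one argument per line, without running it.
# Assumptions: merged-/usr Linux host; project laid out as <project>/src plus
# metadata (.git, lockfiles, ...); the agent needs outbound network access.

agent_sandbox() {
    [ $# -ge 2 ] || { echo "usage: agent_sandbox PROJECT CMD [ARGS]" >&2; return 2; }
    # bwrap resolves bind sources against the cwd, so pin an absolute path.
    project=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "agent_sandbox: no such directory: $1" >&2; return 1; }
    shift
    [ -d "$project/src" ] || {
        echo "agent_sandbox: $project has no src/ directory" >&2; return 1; }

    # Later mounts overlay earlier ones: the read-only project bind must come
    # before the read/write bind of src/, or src/ would end up read-only too.
    set -- bwrap \
        --unshare-all --share-net \
        --die-with-parent \
        --new-session \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
        --ro-bind-try /etc/ssl /etc/ssl \
        --proc /proc --dev /dev --tmpfs /tmp \
        --ro-bind "$project" "$project" \
        --bind "$project/src" "$project/src" \
        --chdir "$project" \
        -- "$@"
    # --new-session calls setsid(), detaching the sandbox from the controlling
    # terminal so a sandboxed process cannot feed input back into it.
    # .git stays read-only, so hooks and config cannot be changed from inside.

    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$@"; else "$@"; fi
}
```

Running it with `DRY_RUN=1` first is a quick way to confirm that the only writable bind is `src/` before handing the sandbox to an agent.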