I use bubblewrap to sandbox the agent to my projects folder, where the ai gets free read/write reign. Non-synthetic env cars are symlinked into my projects folder from outside that folder.