The external sandboxing tool I use (nono) supports rollbacks for this kind of situation. But I also only give agents write access to the project I'm asking them to work in, so they can't actually delete more than one codebase even temporarily, inside the sandbox.

YOLO modes are useful, and a lot more productive than trying to do one-by-one approvals. But you just need to devise a policy about what your blast radius is (what are you willing to lose, and what kind of recovery cost are you willing to play?) ahead of time and use some external boundary (OS sandbox, container, VM) to enforce it.

You should think of these as "I, the developer, am handling containment myself" modes, not "there is no containment" modes.

You're absolutely right about this! I will definitely look into no. Thanks for the hint. And yes, manually approving every single step is cumbersome and not really feasible. That's why I'm trying to curate my policy file as good as possible. But as you said, I'm also thinking about using an external boundary. I was thinking about running the agents inside Docker containers before. Maybe now is a good time to do it.