git: sandbox with bwrap

hosts/common/programs/git.nix

@@ -6,7 +6,17 @@ let
   mkCfg = lib.generators.toINI { };
 in
 {
-  sane.programs.git.fs.".config/git/config".symlink.text = mkCfg {
+  sane.programs.git = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";  # can't pass installCheckPhase :?
+    sandbox.whitelistPwd = true;
+    sandbox.extraHomePaths = [
+      # even with `whitelistPwd`, git has to crawl *up* the path -- which isn't necessarily in the sandbox -- to locate parent .git files
+      "dev"
+      "ref"
+      ".ssh/id_ed25519"
+    ];
+    fs.".config/git/config".symlink.text = mkCfg {
       # top-level options documented:
       # - <https://git-scm.com/docs/git-config#_variables>
 
@@ -40,4 +50,5 @@ in
 
       stash.showPatch = true;
     };
+  };
 }