matchlock: Matchlock secures AI agent workloads with a Linux-based sandbox.
SMRTR summary
Matchlock is a CLI tool that runs AI agents inside secure, ephemeral microVMs that boot in under a second, addressing the security risks of giving agents unrestricted machine access. The system allowlists network destinations, blocking everything else by default, and injects API credentials through a proxy so that secrets never enter the VM. Each sandbox operates on a disposable copy-on-write filesystem, providing agents with a full Linux environment while keeping the host machine isolated from potentially malicious code.
SMRTR provides this summary for quick context. The original article belongs to Daily.dev.
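The default-deny allowlist and proxy-side credential injection described in the summary, as an added sketch (not Matchlock's code or configuration). Host names, the placeholder token and the key value are constructed, and blocking a placeholder sent to a host it is not bound to is this sketch's own choice.

```python
# Added illustration of an egress proxy decision; not Matchlock's implementation.
# All hosts, the placeholder and the "real" key below are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class EgressPolicy:
    allowed_hosts: set                           # default-deny: unlisted hosts are blocked
    secrets: dict = field(default_factory=dict)  # placeholder -> (bound_host, real_value)

    def handle(self, host, headers):
        """Decide one outbound request from the VM: (verdict, headers_to_forward)."""
        host = host.lower().rstrip(".")          # normalise case and trailing dot
        if host not in self.allowed_hosts:
            return "block", None
        out = {}
        for name, value in headers.items():
            for placeholder, (bound_host, real) in self.secrets.items():
                if placeholder not in value:
                    continue
                if host != bound_host:
                    # Allowlisted host, but this secret is not bound to it:
                    # never substitute, and refuse the request outright.
                    return "block", None
                value = value.replace(placeholder, real)
            out[name] = value
        return "forward", out


POLICY = EgressPolicy(
    allowed_hosts={"api.example-llm.test", "pypi.example.test"},
    secrets={"SANDBOX_PLACEHOLDER_KEY": ("api.example-llm.test", "sk-constructed-real-value")},
)


def demo():
    # The guest only ever holds the placeholder; the proxy holds the real key.
    guest = {"Authorization": "Bearer SANDBOX_PLACEHOLDER_KEY"}
    return [
        POLICY.handle("api.example-llm.test", guest),               # bound host
        POLICY.handle("pypi.example.test", guest),                  # allowed, not bound
        POLICY.handle("collector.example.test", {"X-Data": "x"}),   # not allowlisted
    ]


if __name__ == "__main__":
    for verdict, forwarded in demo():
        print(verdict, forwarded)
```

The guest-side header dictionary is never modified, so code inside the VM can only ever read the placeholder.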