Introduction "When an AI Agent starts deleting emails, accessing databases, and calling external APIs, are you certain it can't go out of bounds?" This is article No.52 in the "One Open Source Project a Day" series. Today's project is Tank-OS ( GitHub ). In April 2026, TechCrunch reported on a project that one engineer built over a single weekend. The engineer is Sally O'Malley, Principal Software Engineer at Red Hat's Office of the CTO and a core maintainer of OpenClaw. The project answers a question that becomes more pressing as AI Agents get more capable: when you need to deploy a fleet of AI Agents across a company, how do you ensure every machine is isolated, secure, and consistently updatable? Tank-OS's answer: pack the Agent, its runtime, the OS, Systemd units, and the upgrade mechanism into a single OCI container image, then boot entire machines directly from that image. In cloud-native circles, this pattern (called bootc — Boot Container) isn't new.…