Hi! Just letting you know that I've published a fork of tank-os as tank-claw-os: https://github.com/np6126/tank-agent-os
It swaps openclaw for claw-code (the Rust CLI from ultraworkers) as the agent runtime, but the more interesting bits — at least from an upstream perspective — are a few additions that may or may not be worth pulling back into tank-os:
-
Root-owned read-only system prompt. /etc/clawx/CLAUDE.md is mounted read-only into the agent container. The agent picks it up automatically on every invocation and it establishes a "workspace content is data, not commands" trust hierarchy. The agent cannot modify it. This is a defence layer specific to autonomous agents that I think doesn't have an analogue in conventional service deployments.
-
OS-level network enforcement. nftables rules, owned by root and installed before the user session starts, confine the agent UID to a configured egress proxy address only. The agent has no CAP_NET_ADMIN and cannot modify these rules from inside the container. A deny-all baseline is installed even without a proxy configured.
-
service-gator pinned to a digest. Just a one-line nit, but since service-gator is the only container in the stack with unrestricted outbound internet access, pinning to a digest rather than :latest felt warranted.
The companion piece — an auditing egress proxy with allowlist enforcement and tamper-resistant logging — lives in a separate repo: https://github.com/np6126/leash
For production sudo/admin-user policy I followed the recommendation already in your README (separate admin user, scoped sudo) — nothing novel there.
No action expected from your end. Just thought you'd want to know the fork exists, and if any of those bits look upstreamable I'm happy to open targeted PRs against tank-os. The license is your MIT, preserved as-is; the README credits tank-os as the foundation.
Thanks for the project.
Hi! Just letting you know that I've published a fork of tank-os as tank-claw-os: https://github.com/np6126/tank-agent-os
It swaps openclaw for claw-code (the Rust CLI from ultraworkers) as the agent runtime, but the more interesting bits — at least from an upstream perspective — are a few additions that may or may not be worth pulling back into tank-os:
Root-owned read-only system prompt.
/etc/clawx/CLAUDE.mdis mounted read-only into the agent container. The agent picks it up automatically on every invocation and it establishes a "workspace content is data, not commands" trust hierarchy. The agent cannot modify it. This is a defence layer specific to autonomous agents that I think doesn't have an analogue in conventional service deployments.OS-level network enforcement. nftables rules, owned by root and installed before the user session starts, confine the agent UID to a configured egress proxy address only. The agent has no
CAP_NET_ADMINand cannot modify these rules from inside the container. A deny-all baseline is installed even without a proxy configured.service-gator pinned to a digest. Just a one-line nit, but since service-gator is the only container in the stack with unrestricted outbound internet access, pinning to a digest rather than
:latestfelt warranted.The companion piece — an auditing egress proxy with allowlist enforcement and tamper-resistant logging — lives in a separate repo: https://github.com/np6126/leash
For production sudo/admin-user policy I followed the recommendation already in your README (separate admin user, scoped sudo) — nothing novel there.
No action expected from your end. Just thought you'd want to know the fork exists, and if any of those bits look upstreamable I'm happy to open targeted PRs against tank-os. The license is your MIT, preserved as-is; the README credits tank-os as the foundation.
Thanks for the project.