<feed xmlns='http://www.w3.org/2005/Atom'>
<title>wg-wrap.git/AGENTS.md, branch main</title>
<subtitle>wg-wrap runs commands in network namespaces configured with userspace wireguard tunnels.
</subtitle>
<id>https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main</id>
<link rel='self' href='https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/'/>
<updated>2026-05-30T00:11:07Z</updated>
<entry>
<title>Refactor rootless namespace joining to use C launcher</title>
<updated>2026-05-30T00:11:07Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-30T00:11:07Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=4ddd0d2ffc7073f2d55ffb6777e3a168af0051f0'/>
<id>urn:sha1:4ddd0d2ffc7073f2d55ffb6777e3a168af0051f0</id>
<content type='text'>
Fix an architectural shortfall where concurrent sessions failed to share
the target network and mount namespaces. Because the Go runtime is
multi-threaded, calling unix.Setns with CLONE_NEWNS from Go always returned
EINVAL, silently forcing concurrent runs to fall back to bootstrapping separate
isolated namespaces and separate WireGuard connections.

This commit resolves the issue by extending the embedded single-threaded C
launcher to handle namespace joining, and introducing a host-to-isolated path
propagation pattern:

1. Launcher setns Support: The C launcher now checks for WG_WRAP_JOIN_PID in
   the environment. If present, it joins the User, Mount, and Network
   namespaces of the active PID in single-threaded mode before executing the Go
   binary.
2. BootstrapJoin Integration: Implemented namespace.BootstrapJoin to
   transition joining sessions via the launcher.
3. Path Preservation: Export WG_WRAP_HOST_RUNTIME_BASE_DIR from the host to ensure
   the isolated instance maps the profile and PID directories to the exact
   same location.
4. Redundant Tunnel Bypass: Detect joined sessions via WG_WRAP_JOINED=1 in the CLI
   and bypass starting a duplicate WireGuard tunnel on the occupied tun0.
5. Testing: Added tests/e2e/sharing_test.go to assert namespace ID equality,
   which now passes successfully.
6. Git Tracking: Fixed .gitignore overmatch to stop ignoring cmd/wg-wrap/.
</content>
</entry>
<entry>
<title>Fix DNS leaks, lifecycle race, and editor arg splitting</title>
<updated>2026-05-29T23:56:45Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-29T23:56:45Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=a7c7fa9e76c9c7015c31378062aa5d0c17b0f38f'/>
<id>urn:sha1:a7c7fa9e76c9c7015c31378062aa5d0c17b0f38f</id>
<content type='text'>
- DNS Leak / Isolation Bypass: Blocked glibc's systemd-resolved and
  D-Bus socket communication within the unprivileged mount namespace by
  introducing BlockHostServices(). This targeted mount-blocking forces
  glibc to fall back to the standard resolv.conf DNS routing path and
  prevents host leaks.
- Lifecycle Race: Reordered and protected the reference-counting
  cleanup routine under the profile flock to ensure that check-and-unpin
  operations are atomic and do not tear down namespaces actively used
  by parallel processes.
- Editor Arguments: Split the EDITOR environment variable into discrete
  field tokens before invocation to support editor configurations
  containing command-line flags.
- Testing: Added E2E regression tests for DNS leak detection,
  namespace unpinning concurrency, and editor argument parsing. All E2E
  tests now compile and pass cleanly.
</content>
</entry>
<entry>
<title>feat: implement userspace wireguard data-path and unprivileged host fd-passing</title>
<updated>2026-05-29T22:29:12Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-29T22:29:12Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=ee2f5d545825752af63da36e2b9ec7a92985a875'/>
<id>urn:sha1:ee2f5d545825752af63da36e2b9ec7a92985a875</id>
<content type='text'>
- Implement complete rootless network namespace bootstrap via C launcher using unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET).
- Resolve unprivileged network isolation blackhole via host-socket preservation (FD passing): open client UDP sockets on the host pre-isolation, clear O_CLOEXEC, and ingest them via custom `FDBind` inside the sandbox.
- Implement isolated routing table automation over `tun0` (addresses, MTU, default routes).
- Implement persistent, multi-process namespace sharing and joining using reference-counted PID files and the setns system call.
- Write robust, self-contained E2E data plane test suites in `tests/e2e/e2e_test.go` using a mock UDP listener.
- Update project documentation (`README.md` and `AGENTS.md`) to reflect completed milestones.
- Ensure 100% test passing rate and zero lint/staticcheck warnings.
</content>
</entry>
<entry>
<title>Security hardening: prevent shell injection and null-byte crashes, implement 8-bit clean argument fuzzing and portable E2E binary discovery</title>
<updated>2026-05-22T14:46:02Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T14:46:02Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=9131b0004e7c640cc028179e1d049a4c62210d94'/>
<id>urn:sha1:9131b0004e7c640cc028179e1d049a4c62210d94</id>
<content type='text'>
</content>
</entry>
<entry>
<title>feat: add argument verification diagnostic and secure temp files for launcher</title>
<updated>2026-05-22T14:22:40Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T14:22:40Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=401683a6b11e5a7810c949147a12f2c4bbfba48a'/>
<id>urn:sha1:401683a6b11e5a7810c949147a12f2c4bbfba48a</id>
<content type='text'>
</content>
</entry>
<entry>
<title>docs: update README and AGENTS.md to reflect embedded launcher architecture</title>
<updated>2026-05-22T14:14:03Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T14:14:03Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=5dbc46f3c1c75bf922bcc1c3df342323c23c04ce'/>
<id>urn:sha1:5dbc46f3c1c75bf922bcc1c3df342323c23c04ce</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Update AGENTS.md with performance conventions and add t.Parallel to CLI tests</title>
<updated>2026-05-22T13:23:48Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T13:23:48Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=a78401b6b5023c3c924c0884b222c329975b3ad6'/>
<id>urn:sha1:a78401b6b5023c3c924c0884b222c329975b3ad6</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Implement platform compatibility stubs and update AGENTS.md</title>
<updated>2026-05-22T13:21:07Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T13:21:07Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=4c01c88143635cf8b154c936fb0ac6546a509a85'/>
<id>urn:sha1:4c01c88143635cf8b154c936fb0ac6546a509a85</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Refactor CLI for testability and implement hermetic config path injection</title>
<updated>2026-05-22T13:18:55Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T13:18:55Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=96d75d9f1fab87365d7e6b5070eed3a5757c3484'/>
<id>urn:sha1:96d75d9f1fab87365d7e6b5070eed3a5757c3484</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Scaffold wg-wrap project structure and toolchain</title>
<updated>2026-05-22T13:13:16Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T13:13:16Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=756ba94292b408cc4f23d137b2c4c52009b2b38d'/>
<id>urn:sha1:756ba94292b408cc4f23d137b2c4c52009b2b38d</id>
<content type='text'>
</content>
</entry>
</feed>
