<feed xmlns='http://www.w3.org/2005/Atom'>
<title>wg-wrap.git/go.mod, branch main</title>
<subtitle>wg-wrap runs commands in network namespaces configured with userspace WireGuard tunnels.
</subtitle>
<id>https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main</id>
<link rel='self' href='https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/'/>
<updated>2026-05-30T03:35:21Z</updated>
<entry>
<title>refactor: rename module to git.theodohertyfamily.com/wg-wrap and apply public domain license</title>
<updated>2026-05-30T03:35:21Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-30T03:35:21Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=da70b10fbd056f19d892acad542ce96c40c58389'/>
<id>urn:sha1:da70b10fbd056f19d892acad542ce96c40c58389</id>
<content type='text'>
- Update go.mod and all internal imports to reflect the new module path
- Add LICENSE file with the Unlicense (public domain dedication)
- Increase timeouts in e2e lifecycle tests to prevent flaky failures
- Verify all tests, linting, and formatting pass with the new module name
</content>
</entry>
<entry>
<title>feat: harden bootstrap and optimize network data path</title>
<updated>2026-05-30T01:07:46Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-30T01:07:46Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=d2173cdbc03884ecd9534e9369f8ebe1634f7e9c'/>
<id>urn:sha1:d2173cdbc03884ecd9534e9369f8ebe1634f7e9c</id>
<content type='text'>
- Security: Eliminate namespace escape risk by removing `HostBind` and enforcing `FDBind` using pre-opened host socket FDs.
- Security: Replace unsafe `atoi` with `strtol` and strict validation in the C launcher to prevent malformed PID joins.
- Stability: Fix PID wraparound by storing session timestamps in PID files to detect recycled PIDs.
- Stability: Resolve DNS mount leaks by implementing proper unmounting of `/etc/resolv.conf` during tunnel shutdown.
- Performance: Optimize `FDBind` throughput by implementing batch packet processing in the receive loop.
- Deployment: Implement `memfd_create` for the C launcher to support `noexec` temporary directories and reduce disk I/O.
- Maintenance: Replace external `ip` CLI dependency with native `netlink` library for robust network configuration.
- Quality: Fix all `golangci-lint` errors and replace remaining panics with explicit error handling.
</content>
</entry>
<entry>
<title>security: upgrade dependencies to remediate transitive vulnerabilities</title>
<updated>2026-05-29T23:33:07Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-29T23:33:07Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=edf4e0f0380b6662ba88cfa00d2d2ff5a43032de'/>
<id>urn:sha1:edf4e0f0380b6662ba88cfa00d2d2ff5a43032de</id>
<content type='text'>
Upgrades several indirect and direct dependencies to their latest safe versions,
successfully resolving 26 dormant vulnerabilities identified by govulncheck.

- Upgraded golang.org/x/crypto from v0.37.0 to v0.52.0 (remediating 13 CVEs)
- Upgraded golang.org/x/net from v0.39.0 to v0.55.0 (remediating 12 CVEs)
- Upgraded golang.org/x/sys from v0.32.0 to v0.45.0 (remediating 1 CVE)
- Upgraded golang.zx2c4.com/wireguard to v0.0.0-20260522210424-ecfc5a8d5446

Ran `go mod tidy` and verified that all unit, integration, and E2E
data-plane tests continue to compile and pass successfully.
</content>
</entry>
<entry>
<title>feat: implement userspace wireguard data-path and unprivileged host fd-passing</title>
<updated>2026-05-29T22:29:12Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-29T22:29:12Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=ee2f5d545825752af63da36e2b9ec7a92985a875'/>
<id>urn:sha1:ee2f5d545825752af63da36e2b9ec7a92985a875</id>
<content type='text'>
- Implement complete rootless network namespace bootstrap via C launcher using unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET).
- Resolve unprivileged network isolation blackhole via host-socket preservation (FD passing): open client UDP sockets on the host pre-isolation, clear O_CLOEXEC, and ingest them via custom `FDBind` inside the sandbox.
- Implement isolated routing table automation over `tun0` (addresses, MTU, default routes).
- Implement persistent, multi-process namespace sharing and joining using reference-counted PID files and the setns system call.
- Write robust, self-contained E2E data plane test suites in `tests/e2e/e2e_test.go` using a mock UDP listener.
- Update project documentation (`README.md` and `AGENTS.md`) to reflect completed milestones.
- Ensure 100% test passing rate and zero lint/staticcheck warnings.
</content>
</entry>
<entry>
<title>docs: update README and AGENTS.md to reflect embedded launcher architecture</title>
<updated>2026-05-22T14:14:03Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T14:14:03Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=5dbc46f3c1c75bf922bcc1c3df342323c23c04ce'/>
<id>urn:sha1:5dbc46f3c1c75bf922bcc1c3df342323c23c04ce</id>
<content type='text'>
</content>
</entry>
<entry>
<title>feat: implement rootless network isolation bootstrap and C launcher</title>
<updated>2026-05-22T14:05:38Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T14:05:38Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=764d3e67fc783c487f42d398d1b85a5a1f0d8ef0'/>
<id>urn:sha1:764d3e67fc783c487f42d398d1b85a5a1f0d8ef0</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Initial commit</title>
<updated>2026-05-22T12:48:02Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-22T12:48:02Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=a4cd7de209fe90006b3e6e67c69dea5ed0c9f832'/>
<id>urn:sha1:a4cd7de209fe90006b3e6e67c69dea5ed0c9f832</id>
<content type='text'>
</content>
</entry>
</feed>
