wg-wrap runs commands in network namespaces configured with userspace wireguard tunnels. https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main 2026-06-13T17:50:25Z 2026-06-13T17:50:25Z James O'Doherty james@theodohertyfamily.com 2026-06-13T17:50:25Z urn:sha1:5646eca119f80f8f45ebec9fcbe666ca614ebf5d Introduced a tiered system verification mechanism to improve reliability and provide actionable feedback to users, avoiding false positives in the critical execution path. Key changes: - Implement `CheckSystemRequirements` for critical, non-ambiguous requirements (e.g., TUN device availability) to ensure fatal environment issues are caught immediately during bootstrap. - Implement a user-facing `healthcheck` command that provides comprehensive diagnostics and actionable configuration hints for common misconfigurations (e.g., unprivileged user namespaces, subuid/subgid mappings, and kernel sysctls). - Refactor the `FileSystem` interface to support full mockability, allowing for exhaustive unit testing of diagnostic logic. - Add comprehensive unit tests in `internal/namespace/preflight_test.go` covering various Linux distributions, privilege levels, and hardware availability scenarios. - Ensure code quality through formatting, static analysis (golangci-lint), and validation of all existing unit, integration, and E2E tests. 2026-06-13T15:51:04Z James O'Doherty james@theodohertyfamily.com 2026-06-13T15:51:04Z urn:sha1:29621ecbd1e77e6e1a70b6b3ea8fbe3a56e47df3 This commit refactors the core system operations to use a manager-based dependency injection pattern, eliminating global state and resolving data races in the test suite. Architecture: - Introduced NetworkManager and NetworkOps interface in internal/network to abstract netlink calls. - Introduced MountOps and FileSystem interfaces in internal/namespace to abstract mount and filesystem operations. - Introduced TunnelManager in internal/wireguard to coordinate tunnel lifecycle using the new abstractions. - Updated internal/cli and internal/manager to use these managers. Testing: - Restored t.Parallel() to unit tests in internal/network and internal/wireguard. - Implemented setupParallelEnv and an enhanced mockFS in wireguard_unit_test.go to ensure complete test isolation. - Added bootstrap_test.go to verify launcher preparation logic in internal/namespace without requiring syscall.Exec. - Resolved data races in internal/network tests. CLI: - Added support for -h, --help, and -help flags for the main command. Verification: - Passed all tests (unit, integration, E2E). - Verified zero data races with 'go test -race'. - Passed golangci-lint and go vet. 2026-06-08T02:57:34Z James O'Doherty james@theodohertyfamily.com 2026-06-08T02:57:34Z urn:sha1:f8afb7d5889f5c8b6ea256fd078fa8426d21c7be Prevent the ambiguity where a mistyped subcommand was interpreted as the target wrapped process. - Introduce `run` and `exec` (alias) subcommands for launching wrapped processes. - Promote internal test commands (`test-ns`, `test-args`, `test-lifecycle`) to explicit subcommands. - Update CLI routing to return an error for unknown subcommands instead of falling back to the default execution path. - Update `README.md` usage examples and all test suites to use the new subcommand structure. 2026-06-08T01:51:48Z James O'Doherty james@theodohertyfamily.com 2026-06-08T01:51:48Z urn:sha1:7010768877c227c9410a06908e4cb3e54db403bd WireGuard profile files contain sensitive private keys. Previously, these files were written with 0644 permissions, making them world-readable. This commit changes the file mode to 0600 to ensure only the owner can read and write the profiles. - Updated `handleProfileImport` to use 0600 permissions. - Added tests to verify that imported profiles have the correct permissions. 2026-06-05T03:16:07Z James O'Doherty james@theodohertyfamily.com 2026-06-05T03:16:07Z urn:sha1:184deac4efe2062db6ecd2285ec8db1e919f9441 Implement custom usage functions to provide more comprehensive and discoverable help messages for the top-level tool and profile management subcommands. - Add printUsage and printProfileUsage methods to App. - Override FlagSet.Usage to display professional help messages. - Ensure profile subcommands are listed in the main help output. - Trigger profile usage on missing or invalid subcommands. 2026-06-05T02:57:35Z James O'Doherty james@theodohertyfamily.com 2026-06-05T02:57:35Z urn:sha1:04dca5dada8c2d971ff3b54eeedc5ab6e53a29ac - Introduce `namespace.Ops` interface to decouple `Manager` from system-level namespace operations, enabling easier unit testing via mocks. - Add unit tests for `internal/paths` to verify path resolution logic across different environment configurations. - Implement `EnsureBinary` helper in E2E tests to gracefully skip tests when `WG_WRAP_BIN` is not set, allowing `go test ./...` to pass in non-build environments. - Apply project-wide formatting and fix linting issues. 2026-06-05T02:38:44Z James O'Doherty james@theodohertyfamily.com 2026-06-05T02:38:44Z urn:sha1:66b782e261f1cd928ad6a8482788a65fb484db45 - Extract orchestration logic from `internal/cli` into a new `internal/manager` package for better composability. - Migrate technical implementation details from README.md to package-level godoc strings. - Rewrite README.md to be more user-centric, focusing on quick start and usage. - Add comprehensive documentation for exported structs and fields across the project. - Verify all changes with `go fmt`, `go vet`, `golangci-lint`, and full E2E test suite. 2026-06-04T04:21:56Z James O'Doherty james@theodohertyfamily.com 2026-06-04T04:21:56Z urn:sha1:c53503b52b6fc6de37b6053719521054003fa50b - Remove leftover DEBUG prints from CLI and wireguard internal packages. - Silence stdout during successful command wrapping to ensure only the wrapped command's output is visible. - Redirect all warnings and internal errors to stderr. - Implement a verbose mode via `WG_WRAP_VERBOSE=1` to enable tunnel status messages. - Update E2E tests to use verbose mode for verification of tunnel lifecycle events. - Fix errcheck linting issue in wireguard.go and apply go fmt. 2026-06-04T03:45:45Z James O'Doherty james@theodohertyfamily.com 2026-06-04T03:45:45Z urn:sha1:51a0845adba702ac02437405988b24b3b2c9fb45 - Fix DNS resolver leaks by creating temporary resolv.conf files within the profile's runtime directory and ensuring robust cleanup. - Fix isolation block directory leaks by explicitly removing the block directory during namespace unpinning. - Improve namespace lifecycle management: - Register processes before joining an active namespace to prevent race conditions in reference counting. - Update `IsLastProcess` and corresponding tests to reflect the unregister-then-check cleanup flow. - Improve test reliability and correctness: - Convert `TestAppRun_ProfileDirInjection` to use separate binary execution, preventing process replacement and ensuring `t.TempDir()` cleanup. - Replace hardcoded test configuration paths with `t.TempDir()` in `mount_leak_test.go`. - Implement `SetEnvOverrides` helper for cleaner environment variable management in E2E tests. - Improve E2E lifecycle tests with better environment handling and output redirection. 2026-05-30T03:35:21Z James O'Doherty james@theodohertyfamily.com 2026-05-30T03:35:21Z urn:sha1:da70b10fbd056f19d892acad542ce96c40c58389 - Update go.mod and all internal imports to reflect the new module path - Add LICENSE file with the Unlicense (public domain dedication) - Increase timeouts in e2e lifecycle tests to prevent flaky failures - Verify all tests, linting, and formatting pass with the new module name