wg-wrap runs commands in network namespaces configured with userspace wireguard tunnels. https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main 2026-05-30T01:07:46Z 2026-05-30T01:07:46Z James O'Doherty james@theodohertyfamily.com 2026-05-30T01:07:46Z urn:sha1:d2173cdbc03884ecd9534e9369f8ebe1634f7e9c - Security: Eliminate namespace escape risk by removing `HostBind` and enforcing `FDBind` using pre-opened host socket FDs. - Security: Replace unsafe `atoi` with `strtol` and strict validation in the C launcher to prevent malformed PID joins. - Stability: Fix PID wraparound by storing session timestamps in PID files to detect recycled PIDs. - Stability: Resolve DNS mount leaks by implementing proper unmounting of `/etc/resolv.conf` during tunnel shutdown. - Performance: Optimize `FDBind` throughput by implementing batch packet processing in the receive loop. - Deployment: Implement `memfd_create` for the C launcher to support `noexec` temporary directories and reduce disk I/O. - Maintenance: Replace external `ip` CLI dependency with native `netlink` library for robust network configuration. - Quality: Fix all `golangci-lint` errors and replace remaining panics with explicit error handling. 2026-05-22T13:18:55Z James O'Doherty james@theodohertyfamily.com 2026-05-22T13:18:55Z urn:sha1:96d75d9f1fab87365d7e6b5070eed3a5757c3484 2026-05-22T13:13:16Z James O'Doherty james@theodohertyfamily.com 2026-05-22T13:13:16Z urn:sha1:756ba94292b408cc4f23d137b2c4c52009b2b38d