wg-wrap.git/tests/e2e/e2e_test.go, branch main

feat(cli): introduce explicit run/exec subcommands to prevent typo-execution

2026-06-08T02:57:34Z

Prevent the ambiguity where a mistyped subcommand was interpreted as the target wrapped process. - Introduce `run` and `exec` (alias) subcommands for launching wrapped processes. - Promote internal test commands (`test-ns`, `test-args`, `test-lifecycle`) to explicit subcommands. - Update CLI routing to return an error for unknown subcommands instead of falling back to the default execution path. - Update `README.md` usage examples and all test suites to use the new subcommand structure.

refactor: decouple namespace operations and improve test coverage

2026-06-05T02:57:35Z

- Introduce `namespace.Ops` interface to decouple `Manager` from system-level namespace operations, enabling easier unit testing via mocks. - Add unit tests for `internal/paths` to verify path resolution logic across different environment configurations. - Implement `EnsureBinary` helper in E2E tests to gracefully skip tests when `WG_WRAP_BIN` is not set, allowing `go test ./...` to pass in non-build environments. - Apply project-wide formatting and fix linting issues.

refactor: optimize file cleanups, propagate exit codes, and fix Makefile

2026-05-29T23:21:49Z

- Unlink the temporary bootstrap launcher binary immediately after opening a read-only descriptor to it, then execute via `/proc/self/fd/` to ensure zero-disk footprint on execution. - Unlink temporary `/tmp/resolvconf*` files immediately after successful bind-mounting over `/etc/resolv.conf`. - Prune parent ephemeral profile directories when unpinning a namespace, leaving zero directories behind once empty. - Propagate the exact exit status of the wrapped command to the host process using `errors.As` and `*exec.ExitError` instead of defaulting to exit code 1. - Added E2E automated test `TestExitCodePropagation` to verify exit status delivery. - Added the `$(BINARY)` target to `.PHONY` in the Makefile to delegate dependency tracking to Go's compiler cache, ensuring modified Go files are rebuilt during `make test`.

feat(dns): implement unprivileged DNS isolation, precedence order, and profile configuration

2026-05-29T23:14:11Z

Completed the remaining roadmap and documentation requirements by implementing robust unprivileged DNS management, completing the profile configuration subcommand, and resolving data-plane transition socket crashes. Detailed changes: - **DNS Isolation**: Implemented `ConfigureResolvConf` in `internal/wireguard/wireguard.go` to override `/etc/resolv.conf` within the unprivileged network/mount namespace. Transitioned the mount namespace to private propagation (`MS_PRIVATE`) and safely bind-mounted a temporary resolv.conf file over `/etc/resolv.conf` without mutating the host's configuration. - **DNS Precedence Order**: Integrated CLI flag `--dns-server`, parsed `.conf` interface DNS parameters, and added a safe default fallback (`1.1.1.1`) to ensure absolute host DNS leak prevention inside wrapped sessions. - **Socket Duplication in FDBind**: Resolved a lifecycle panic in `FDBind` where `wireguard-go` called `Close` and `Open` during device state transitions, causing "use of closed network connection" errors. Implemented file descriptor duplication using `unix.Dup` during bind initialization to gracefully persist the host-socket context across interface transitions and allow clean exit synchronization. - **Profile Configuration**: Implemented `handleProfileConfigure` in `internal/cli/cli.go` to launch the default system `$EDITOR` (falling back to `vi`) on a profile, satisfying the documentation's requirements. - **Hermetic Testing Polish**: - Created `dns_helpers.go` providing a `MockDNSServer` packet probe. - Added E2E tests for unprivileged DNS resolution, data-plane UDP handshake transmission, and 3-way DNS precedence routing. - Refactored `TestNamespaceLifecycleAutomation`, `TestConfigPropagation`, and `TestMTUFragmentation` to use default profile fallbacks, fixing failing stats on missing profiles. - Resolved all `golangci-lint` and `go fmt` warnings to maintain a completely clean static analysis pipeline.

feat: implement userspace wireguard data-path and unprivileged host fd-passing

2026-05-29T22:29:12Z

- Implement complete rootless network namespace bootstrap via C launcher using unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET). - Resolve unprivileged network isolation blackhole via host-socket preservation (FD passing): open client UDP sockets on the host pre-isolation, clear O_CLOEXEC, and ingest them via custom `FDBind` inside the sandbox. - Implement isolated routing table automation over `tun0` (addresses, MTU, default routes). - Implement persistent, multi-process namespace sharing and joining using reference-counted PID files and the setns system call. - Write robust, self-contained E2E data plane test suites in `tests/e2e/e2e_test.go` using a mock UDP listener. - Update project documentation (`README.md` and `AGENTS.md`) to reflect completed milestones. - Ensure 100% test passing rate and zero lint/staticcheck warnings.

Implement automatic namespace lifecycle cleanup with last-man-out reference counting

2026-05-22T15:12:21Z

Security hardening: prevent shell injection and null-byte crashes, implement 8-bit clean argument fuzzing and portable E2E binary discovery

2026-05-22T14:46:02Z

feat: implement rootless network isolation bootstrap and C launcher

2026-05-22T14:05:38Z

Refactor CLI for testability and implement hermetic config path injection

2026-05-22T13:18:55Z

Scaffold wg-wrap project structure and toolchain

2026-05-22T13:13:16Z