wg-wrap runs commands in network namespaces configured with userspace wireguard tunnels. https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main 2026-06-08T02:57:34Z 2026-06-08T02:57:34Z James O'Doherty james@theodohertyfamily.com 2026-06-08T02:57:34Z urn:sha1:f8afb7d5889f5c8b6ea256fd078fa8426d21c7be Prevent the ambiguity where a mistyped subcommand was interpreted as the target wrapped process. - Introduce `run` and `exec` (alias) subcommands for launching wrapped processes. - Promote internal test commands (`test-ns`, `test-args`, `test-lifecycle`) to explicit subcommands. - Update CLI routing to return an error for unknown subcommands instead of falling back to the default execution path. - Update `README.md` usage examples and all test suites to use the new subcommand structure. 2026-06-05T02:57:35Z James O'Doherty james@theodohertyfamily.com 2026-06-05T02:57:35Z urn:sha1:04dca5dada8c2d971ff3b54eeedc5ab6e53a29ac - Introduce `namespace.Ops` interface to decouple `Manager` from system-level namespace operations, enabling easier unit testing via mocks. - Add unit tests for `internal/paths` to verify path resolution logic across different environment configurations. - Implement `EnsureBinary` helper in E2E tests to gracefully skip tests when `WG_WRAP_BIN` is not set, allowing `go test ./...` to pass in non-build environments. - Apply project-wide formatting and fix linting issues. 2026-06-04T03:45:45Z James O'Doherty james@theodohertyfamily.com 2026-06-04T03:45:45Z urn:sha1:51a0845adba702ac02437405988b24b3b2c9fb45 - Fix DNS resolver leaks by creating temporary resolv.conf files within the profile's runtime directory and ensuring robust cleanup. - Fix isolation block directory leaks by explicitly removing the block directory during namespace unpinning. - Improve namespace lifecycle management: - Register processes before joining an active namespace to prevent race conditions in reference counting. - Update `IsLastProcess` and corresponding tests to reflect the unregister-then-check cleanup flow. - Improve test reliability and correctness: - Convert `TestAppRun_ProfileDirInjection` to use separate binary execution, preventing process replacement and ensuring `t.TempDir()` cleanup. - Replace hardcoded test configuration paths with `t.TempDir()` in `mount_leak_test.go`. - Implement `SetEnvOverrides` helper for cleaner environment variable management in E2E tests. - Improve E2E lifecycle tests with better environment handling and output redirection. 2026-05-30T03:35:21Z James O'Doherty james@theodohertyfamily.com 2026-05-30T03:35:21Z urn:sha1:da70b10fbd056f19d892acad542ce96c40c58389 - Update go.mod and all internal imports to reflect the new module path - Add LICENSE file with the Unlicense (public domain dedication) - Increase timeouts in e2e lifecycle tests to prevent flaky failures - Verify all tests, linting, and formatting pass with the new module name 2026-05-30T03:27:50Z James O'Doherty james@theodohertyfamily.com 2026-05-30T03:27:50Z urn:sha1:328a42144fd54ac99d1bf231e6114147e48b820f - Improve routing logic in CLI for better readability. - Resolve flakiness in `TestNamespaceLifecycleAutomation` by increasing polling timeouts and adjusting tick intervals. - Verify project state with `go fmt`, `go vet`, and `golangci-lint`. - Ensure all unit and E2E tests pass deterministically. 2026-05-30T01:24:42Z James O'Doherty james@theodohertyfamily.com 2026-05-30T01:24:42Z urn:sha1:b098e2845b68ce90f34e4e1e927b4914d0b00ef7 - fix(cli): resolve Flock self-deadlock in ExecuteCommand cleanup by reusing the existing lockFile handle if already held during premature exit. - fix(wireguard): configure explicit default route destination (0.0.0.0/0 for IPv4 and ::/0 for IPv6) to avoid netlink "either Dst.IP, Src.IP or Gw must be set" error. - fix(wireguard): initialize the Tunnel return parameter in StartTunnel to prevent a nil pointer dereference. - test(e2e): fix argument ordering in waitForLifecycle to pass "test-lifecycle" first, and increase sleep duration of dummy processes to 1.0s to ensure reliable process persistence under race detection. 2026-05-30T01:16:13Z James O'Doherty james@theodohertyfamily.com 2026-05-30T01:16:13Z urn:sha1:0f3806f77164af99466bfc8c0d7d5f85f9ec078f - Added `test-lifecycle` CLI command to verify active session state. - Replaced manual filesystem polling and `time.Sleep` in E2E tests with `waitForLifecycle` synchronization. - Optimized `TestConfigHotSwap` by reducing artificial sleep durations. - Fixed linting issue (ST1023) in `internal/cli/cli.go`. These changes reduce total test execution time to under 15 seconds and improve the determinism of lifecycle verification. 2026-05-29T23:14:11Z James O'Doherty james@theodohertyfamily.com 2026-05-29T23:14:11Z urn:sha1:284ed362550e1fccc62ecd876dbd3f4c8fc721e2 Completed the remaining roadmap and documentation requirements by implementing robust unprivileged DNS management, completing the profile configuration subcommand, and resolving data-plane transition socket crashes. Detailed changes: - **DNS Isolation**: Implemented `ConfigureResolvConf` in `internal/wireguard/wireguard.go` to override `/etc/resolv.conf` within the unprivileged network/mount namespace. Transitioned the mount namespace to private propagation (`MS_PRIVATE`) and safely bind-mounted a temporary resolv.conf file over `/etc/resolv.conf` without mutating the host's configuration. - **DNS Precedence Order**: Integrated CLI flag `--dns-server`, parsed `.conf` interface DNS parameters, and added a safe default fallback (`1.1.1.1`) to ensure absolute host DNS leak prevention inside wrapped sessions. - **Socket Duplication in FDBind**: Resolved a lifecycle panic in `FDBind` where `wireguard-go` called `Close` and `Open` during device state transitions, causing "use of closed network connection" errors. Implemented file descriptor duplication using `unix.Dup` during bind initialization to gracefully persist the host-socket context across interface transitions and allow clean exit synchronization. - **Profile Configuration**: Implemented `handleProfileConfigure` in `internal/cli/cli.go` to launch the default system `$EDITOR` (falling back to `vi`) on a profile, satisfying the documentation's requirements. - **Hermetic Testing Polish**: - Created `dns_helpers.go` providing a `MockDNSServer` packet probe. - Added E2E tests for unprivileged DNS resolution, data-plane UDP handshake transmission, and 3-way DNS precedence routing. - Refactored `TestNamespaceLifecycleAutomation`, `TestConfigPropagation`, and `TestMTUFragmentation` to use default profile fallbacks, fixing failing stats on missing profiles. - Resolved all `golangci-lint` and `go fmt` warnings to maintain a completely clean static analysis pipeline. 2026-05-22T20:17:55Z James O'Doherty james@theodohertyfamily.com 2026-05-22T20:17:55Z urn:sha1:135f6edbd9389bc4783f13c26aed0a74d3c8aca0 - Create internal/paths package for unified config and runtime directory resolution - Implement robust WireGuard config parsing in pkg/wgconf - Implement profile management subcommands: list, import, configure, delete, stop - Fix namespace pinning path collisions (separating .ns files from pids directories) - Implement and verify namespace unpinning logic - Fix linting errors and improve error handling across the project 2026-05-22T15:37:57Z James O'Doherty james@theodohertyfamily.com 2026-05-22T15:37:57Z urn:sha1:e5bbb969a15c569cf7d37634234a71783f628390