feat: implement rootless network isolation bootstrap and C launcher

author: James O'Doherty <james@theodohertyfamily.com> 2026-05-22 10:05:38 -0400
committer: James O'Doherty <james@theodohertyfamily.com> 2026-05-22 10:05:38 -0400
commit: 764d3e67fc783c487f42d398d1b85a5a1f0d8ef0 (patch)
tree: 5eed72f4e2371efe4d341fe61ce8bcf7717ac780 /internal/cli/cli.go
parent: a78401b6b5023c3c924c0884b222c329975b3ad6 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/internal/cli/cli.go b/internal/cli/cli.go
index cb95202..6118ee5 100644
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"git.theodohertyfamily.com/tools/wg-wrap/internal/config"
+	"git.theodohertyfamily.com/tools/wg-wrap/internal/namespace"
 )
 
 type App struct {
@@ -17,10 +18,26 @@ func NewApp(args []string) *App {
 }
 
 func (a *App) Run() error {
+	// 1. Ensure we are in an isolated network namespace
+	if err := namespace.Bootstrap(); err != nil {
+		return fmt.Errorf("namespace bootstrap failed: %w", err)
+	}
+
+	// Handle the internal diagnostic command first
+	if len(a.Args) > 1 && a.Args[1] == "test-ns" {
+		ok, msg := namespace.VerifyIsolation()
+		if !ok {
+			return fmt.Errorf("isolation check failed: %s", msg)
+		}
+		fmt.Println("Isolation Verified: OK")
+		return nil
+	}
+
 	// Handle subcommands first (profile list, import, configure, delete, stop)
 	if len(a.Args) > 1 && a.Args[1] == "profile" {
 		return a.handleProfileCmd()
 	}
+	// ...
 
 	cfg := &config.Config{}
author	James O'Doherty <james@theodohertyfamily.com>	2026-05-22 10:05:38 -0400
committer	James O'Doherty <james@theodohertyfamily.com>	2026-05-22 10:05:38 -0400
commit	764d3e67fc783c487f42d398d1b85a5a1f0d8ef0 (patch)
tree	5eed72f4e2371efe4d341fe61ce8bcf7717ac780 /internal/cli/cli.go
parent	a78401b6b5023c3c924c0884b222c329975b3ad6 (diff)