refactor: decouple namespace operations and improve test coverage

- Introduce `namespace.Ops` interface to decouple `Manager` from system-level namespace operations, enabling easier unit testing via mocks.
- Add unit tests for `internal/paths` to verify path resolution logic across different environment configurations.
- Implement `EnsureBinary` helper in E2E tests to gracefully skip tests when `WG_WRAP_BIN` is not set, allowing `go test ./...` to pass in non-build environments.
- Apply project-wide formatting and fix linting issues.

1 files changed, 6 insertions, 6 deletions

diff --git a/internal/wireguard/wireguard.go b/internal/wireguard/wireguard.go
index cea9590..5db588e 100644
--- a/internal/wireguard/wireguard.go
+++ b/internal/wireguard/wireguard.go
@@ -3,12 +3,12 @@
 // Package wireguard provides the userspace WireGuard implementation and TUN device binding.
 //
 // Data Flow:
-// 1. Egress: A process sends a packet. The Linux kernel routes it via tun0. The userspace
-//    WireGuard device reads this packet, encrypts it, and sends it as a UDP packet to the
-//    remote endpoint via the preserved host socket.
-// 2. Ingress: A UDP packet arrives via the host socket. The userspace WireGuard device
-//    decrypts it and writes the raw IP packet back into the TUN device, delivering it to
-//    the process.
+//  1. Egress: A process sends a packet. The Linux kernel routes it via tun0. The userspace
+//     WireGuard device reads this packet, encrypts it, and sends it as a UDP packet to the
+//     remote endpoint via the preserved host socket.
+//  2. Ingress: A UDP packet arrives via the host socket. The userspace WireGuard device
+//     decrypts it and writes the raw IP packet back into the TUN device, delivering it to
+//     the process.
 //
 // MTU Management:
 // WireGuard adds overhead. To prevent fragmentation and packet loss, the TUN device