authorJames O'Doherty <james@theodohertyfamily.com>2026-05-29 19:21:49 -0400
committerJames O'Doherty <james@theodohertyfamily.com>2026-05-29 19:21:49 -0400
commit70096b533d42b684ab13651aaae884047e01e43d (patch)
tree2646cf017a7b903c6e1f3c1be981b1d21fa4a51b /internal/wireguard
parent284ed362550e1fccc62ecd876dbd3f4c8fc721e2 (diff)
refactor: optimize file cleanups, propagate exit codes, and fix Makefile
- Unlink the temporary bootstrap launcher binary immediately after opening a read-only descriptor to it, then execute via `/proc/self/fd/<fd>` to ensure a zero-disk footprint on execution.
- Unlink temporary `/tmp/resolvconf*` files immediately after successfully bind-mounting them over `/etc/resolv.conf`.
- Prune parent ephemeral profile directories when unpinning a namespace, leaving zero directories behind once empty.
- Propagate the exact exit status of the wrapped command to the host process using `errors.As` and `*exec.ExitError` instead of defaulting to exit code 1.
- Add the E2E automated test `TestExitCodePropagation` to verify exit status delivery.
- Add the `$(BINARY)` target to `.PHONY` in the Makefile to delegate dependency tracking to Go's compiler cache, ensuring modified Go files are rebuilt during `make test`.
Diffstat (limited to 'internal/wireguard')
-rw-r--r--internal/wireguard/wireguard.go5
1 files changed, 5 insertions, 0 deletions
diff --git a/internal/wireguard/wireguard.go b/internal/wireguard/wireguard.go
index a45401c..5bbc518 100644
--- a/internal/wireguard/wireguard.go
+++ b/internal/wireguard/wireguard.go
@@ -244,9 +244,14 @@ func ConfigureResolvConf(dns string) error {
// 1. Bind-mount the temp file over /etc/resolv.conf
if err := unix.Mount(tmpFile.Name(), "/etc/resolv.conf", "", unix.MS_BIND, ""); err != nil {
+ _ = os.Remove(tmpFile.Name())
return fmt.Errorf("failed to bind-mount %s to /etc/resolv.conf: %w", tmpFile.Name(), err)
}
+ // Unlink the temporary source file. Since /etc/resolv.conf is a bind mount,
+ // the kernel will keep the inode alive, but the file is removed from /tmp.
+ _ = os.Remove(tmpFile.Name())
+
// 2. Make the mount private to ensure it doesn't propagate back to the host
// and to satisfy kernel requirements for mount transitions in some environments.
if err := unix.Mount("/etc/resolv.conf", "/etc/resolv.conf", "", unix.MS_REMOUNT|unix.MS_BIND|unix.MS_PRIVATE, ""); err != nil {