From 764d3e67fc783c487f42d398d1b85a5a1f0d8ef0 Mon Sep 17 00:00:00 2001 From: James O'Doherty Date: Fri, 22 May 2026 10:05:38 -0400 Subject: feat: implement rootless network isolation bootstrap and C launcher --- internal/cli/cli.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'internal/cli/cli.go') diff --git a/internal/cli/cli.go b/internal/cli/cli.go index cb95202..6118ee5 100644 --- a/internal/cli/cli.go +++ b/internal/cli/cli.go @@ -5,6 +5,7 @@ import ( "fmt" "git.theodohertyfamily.com/tools/wg-wrap/internal/config" + "git.theodohertyfamily.com/tools/wg-wrap/internal/namespace" ) type App struct { @@ -17,10 +18,26 @@ func NewApp(args []string) *App { } func (a *App) Run() error { + // 1. Ensure we are in an isolated network namespace + if err := namespace.Bootstrap(); err != nil { + return fmt.Errorf("namespace bootstrap failed: %w", err) + } + + // Handle the internal diagnostic command first + if len(a.Args) > 1 && a.Args[1] == "test-ns" { + ok, msg := namespace.VerifyIsolation() + if !ok { + return fmt.Errorf("isolation check failed: %s", msg) + } + fmt.Println("Isolation Verified: OK") + return nil + } + // Handle subcommands first (profile list, import, configure, delete, stop) if len(a.Args) > 1 && a.Args[1] == "profile" { return a.handleProfileCmd() } + // ... cfg := &config.Config{} -- cgit v1.2.3
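Review bot: In the second hunk `namespace.VerifyIsolation()` is called only on the `test-ns` diagnostic path, so every other invocation of `Run` treats a nil return from `namespace.Bootstrap()` as the sole evidence that the process is actually isolated. Bootstrap's body is not part of this diff and may already verify this; if it does not, the check belongs on the normal path too, failing closed before anything is launched, e.g. `if ok, msg := namespace.VerifyIsolation(); !ok { return fmt.Errorf("isolation check failed: %s", msg) }` directly after the bootstrap call. Bootstrap also sits ahead of the `profile` dispatch, so profile management now fails whenever namespace setup fails (presumably on hosts where the rootless prerequisites are unavailable); consider moving it below the `profile` branch unless those subcommands need the namespace. `Run` continues past the end of the hunk, so the launch path itself is not visible here.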