bd sync: 2026-01-12 17:46:34

- Comprehensive research on Go TUI libraries
- Architecture design with Bubble Tea stack
- 14-day implementation roadmap
- Package structure and component design
- User experience wireframes
- Security and performance considerations

.beads/issues.jsonl

@@ -1,12 +1,30 @@
 {"id":"wg-admin-0va","title":"Add configuration backup and rollback","description":"Create backup functions: backup_config() (creates timestamped backups), restore_config(), auto-backup before destructive operations (add, remove, install). Store backups in /etc/wg-admin/backups/ with retention policy (e.g., keep last 10).","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.161279119+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:44:03.357384383+01:00","closed_at":"2026-01-12T16:44:03.357384383+01:00","close_reason":"Implemented configuration backup and rollback functionality: added backup_config() function (creates timestamped backups in /etc/wg-admin/backups/), restore_config() function (interactive restore from backup), apply_retention_policy() (keeps last 10 backups), and auto-backup before destructive operations (install, add, remove commands)."}
 {"id":"wg-admin-0wc","title":"Remove hardcoded sensitive information","description":"Identify and remove all hardcoded sensitive values from wireguard.sh. Replace with config file reads. Remove: SERVER_DOMAIN (velkhana.calmcacil.dev), VPN_IP_RANGES, any other identifiable information. Document config file structure in README.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.158448895+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:43:08.224554317+01:00","closed_at":"2026-01-12T16:43:08.224554317+01:00","close_reason":"Removed all hardcoded sensitive information: SERVER_DOMAIN, VPN_IPV4_RANGE, VPN_IPV6_RANGE, DNS_SERVERS now configurable via /etc/wg-admin/config.conf. Added load_config() function. Created config.example template. Updated README with configuration documentation. All IP ranges in script now reference config variables."}
-{"id":"wg-admin-1b9","title":"Update documentation for refactored scripts","description":"Update README.md and all documentation to reflect new architecture. Document: wg-install.sh usage (interactive prompts, WGI_ env vars), wg-client-manager commands (add, remove, list, show, qr), environment variable reference, security hardening features, backup/restore procedures. Update examples with new patterns.","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:33:43.749727154+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:33:43.749727154+01:00","dependencies":[{"issue_id":"wg-admin-1b9","depends_on_id":"wg-admin-slj","type":"blocks","created_at":"2026-01-12T16:33:56.00899014+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-11o","title":"Implement backup operations","description":"Create backup functionality that saves WireGuard configs, client configs, and metadata to /etc/wg-admin/backups/ with timestamp. Set proper permissions (600 for sensitive files).","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.288606376+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:03:30.288606376+01:00","dependencies":[{"issue_id":"wg-admin-11o","depends_on_id":"wg-admin-wf1","type":"blocks","created_at":"2026-01-12T17:04:36.19397874+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-1b9","title":"Update documentation for refactored scripts","description":"Update README.md and all documentation to reflect new architecture. Document: wg-install.sh usage (interactive prompts, WGI_ env vars), wg-client-manager commands (add, remove, list, show, qr), environment variable reference, security hardening features, backup/restore procedures. Update examples with new patterns.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:33:43.749727154+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:13:12.828613341+01:00","closed_at":"2026-01-12T17:13:12.828613341+01:00","close_reason":"Documentation updated on main branch. README.md reflects new wg-install.sh and wg-client-manager scripts, WGI_ environment variables, and all usage patterns.","dependencies":[{"issue_id":"wg-admin-1b9","depends_on_id":"wg-admin-slj","type":"blocks","created_at":"2026-01-12T16:33:56.00899014+01:00","created_by":"Calmcacil"}]}
 {"id":"wg-admin-2pl","title":"Improve nftables firewall configuration","description":"Enhance firewall rules based on best practices: add TCP MSS clamping for MTU issues, add connection tracking bypass (notrack) for WireGuard traffic, implement proper rate limiting, ensure ICMPv6 neighbor discovery is allowed, validate rules before applying with nft check.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.15783619+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:37:11.050440729+01:00","closed_at":"2026-01-12T16:37:11.050440729+01:00","close_reason":"Improved nftables firewall configuration with TCP MSS clamping (1360), connection tracking bypass (notrack) for WireGuard UDP traffic, rate limiting for SSH (3/min) and WireGuard (10/s), ensured ICMPv6 neighbor discovery (including nd-router-* messages), and added nft check validation before applying rules."}
 {"id":"wg-admin-37o","title":"Add security hardening","description":"Implement: client name sanitization with regex, pre-shared key (PSK) support option, proper temporary key cleanup with trap handlers, atomic config file operations (write to temp then mv), chmod 0600 for all key files, verify no hardcoded secrets in generated files.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.148392501+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:44:11.582485544+01:00","closed_at":"2026-01-12T16:44:11.582485544+01:00","close_reason":"Implemented all security hardening features: client name sanitization with regex (validate_client_name function), pre-shared key (PSK) support with --psk option, proper temporary key cleanup with trap handlers (cleanup_handler), atomic config file operations (mktemp + mv), chmod 0600 for all key files, and verified no hardcoded secrets (keys generated dynamically or read from files)"}
+{"id":"wg-admin-3d4","title":"Implement configuration loading system","description":"Implement configuration system to load /etc/wg-admin/config.conf using native Go or Viper library. Support environment variable overrides. Validate required config (SERVER_DOMAIN, WG_PORT, VPN_IPV4_RANGE, VPN_IPV6_RANGE, DNS_SERVERS). Provide clear error messages for missing config.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:02:57.198865993+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:21:51.863786437+01:00","closed_at":"2026-01-12T17:21:51.863786437+01:00","close_reason":"Configuration system implemented in internal/config/config.go. Loads from /etc/wg-admin/config.conf, supports environment variable overrides with WGI_ prefix, validates required fields (SERVER_DOMAIN, WG_PORT, CIDR formats). Provides helper methods for network extraction.","dependencies":[{"issue_id":"wg-admin-3d4","depends_on_id":"wg-admin-4ji","type":"blocks","created_at":"2026-01-12T17:04:44.279588181+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-4fb","title":"Set up basic TUI skeleton with Bubble Tea","description":"Create main TUI application entry point implementing Bubble Tea's Model-Update-View pattern. Set up root check and logging. Create empty screen types (list, add, detail, qr, help). Implement basic keyboard navigation (q=quit). Add status bar with version and help shortcut (?).","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:02:57.195332445+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:29:25.376578103+01:00","closed_at":"2026-01-12T17:29:25.376578103+01:00","close_reason":"TUI skeleton implemented with Model-Update-View pattern. Main entry point in cmd/wg-tui/main.go with root check, configuration loading integration, basic keyboard navigation (q quit), status bar with version and help. Creates clean separation between TUI model (internal/tui) and main program. Successfully builds.","dependencies":[{"issue_id":"wg-admin-4fb","depends_on_id":"wg-admin-4ji","type":"blocks","created_at":"2026-01-12T17:04:26.666043249+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-4fb","depends_on_id":"wg-admin-3d4","type":"blocks","created_at":"2026-01-12T17:04:26.672887205+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-4ji","title":"Initialize Go module and project structure","description":"Initialize Go project with go mod init. Create directory structure following plan: cmd/, internal/config, internal/wireguard, internal/tui (screens, components, theme), internal/validation, internal/backup. Add README with project setup instructions.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:02:57.197740013+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:20:34.471816058+01:00","closed_at":"2026-01-12T17:20:34.471816058+01:00","close_reason":"Go module initialized, directory structure created (cmd/, internal/ subdirectories), dependencies added (bubbletea, lipgloss, bubbles, huh, qrterminal), basic TUI skeleton with Model-Update-View pattern implemented. Root check added. Builds successfully.","dependencies":[{"issue_id":"wg-admin-4ji","depends_on_id":"wg-admin-gp4","type":"blocks","created_at":"2026-01-12T17:04:26.670875524+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-69b","title":"Implement WireGuard client parsing","description":"Parse WireGuard client configuration files from /etc/wireguard/conf.d/client-*.conf. Extract client name, IPv4, IPv6, public key, and PSK status. Create Client struct. Handle file read errors and malformed configs. Validate config syntax.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:02:57.199808074+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:39:44.913242962+01:00","closed_at":"2026-01-12T17:39:44.913242962+01:00","close_reason":"Client struct created in internal/wireguard/client.go with fields: Name, IPv4, IPv6, PublicKey, HasPSK, ConfigPath. ParseClientConfig() parses [Peer] sections from config files. ListClients() scans /etc/wireguard/conf.d/ for client-*.conf files. Handles errors gracefully.","dependencies":[{"issue_id":"wg-admin-69b","depends_on_id":"wg-admin-4fb","type":"blocks","created_at":"2026-01-12T17:04:44.265421971+01:00","created_by":"Calmcacil"}]}
 {"id":"wg-admin-abw","title":"Create wg-client-manager script","description":"Create new wg-client-manager script for client operations: add, remove, list, show, qr. Implement proper command parsing, use interactive 'read' with 'WGI_' environment variable overrides, call validation functions, use atomic config updates.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.150007325+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:48:38.86400169+01:00","closed_at":"2026-01-12T16:48:38.86400169+01:00","close_reason":"Created wg-client-manager script with all required commands (add, remove, list, show, qr). Implements interactive prompts with WGI_ environment variable overrides, uses validation functions, and performs atomic config updates.","dependencies":[{"issue_id":"wg-admin-abw","depends_on_id":"wg-admin-cwb","type":"blocks","created_at":"2026-01-12T16:28:20.280054863+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-abw","depends_on_id":"wg-admin-37o","type":"blocks","created_at":"2026-01-12T16:28:20.299310073+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-abw","depends_on_id":"wg-admin-lzl","type":"blocks","created_at":"2026-01-12T16:28:20.300924186+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-abw","depends_on_id":"wg-admin-wsk","type":"blocks","created_at":"2026-01-12T16:28:20.354270061+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-abw","depends_on_id":"wg-admin-0va","type":"blocks","created_at":"2026-01-12T16:28:21.926811217+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-bay","title":"Implement real-time status checking","description":"Implement real-time connection status using 'wg show wg0' command. Check if client public key appears in peers list. Update status in table: Connected (active peer) or Disconnected (not in peers list). Add auto-refresh every 30 seconds using tea.Tick. Manual refresh with 'r' key.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:02:57.643693952+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:34:23.96887044+01:00","closed_at":"2026-01-12T17:34:23.96887044+01:00","close_reason":"Implemented real-time status checking functionality: Created status.go with GetClientStatus() and GetAllPeers() functions that parse 'wg show wg0' output to determine connection status. Added PeerStatus struct with PublicKey, Endpoint, AllowedIPs, LatestHandshake, TransferRx, TransferTx, and Status fields. Created tea_messages.go with Tick() command for auto-refresh and ManualRefresh() command for immediate refresh using tea.Tick and custom messages. Status is 'Connected' if handshake is within 3 minutes, otherwise 'Disconnected'.","dependencies":[{"issue_id":"wg-admin-bay","depends_on_id":"wg-admin-xum","type":"blocks","created_at":"2026-01-12T17:04:44.270454474+01:00","created_by":"Calmcacil"}]}
 {"id":"wg-admin-cwb","title":"Implement input validation functions","description":"Create robust validation functions: validate_client_name() (regex check for [a-zA-Z0-9_-]), validate_ip_availability(), validate_dns_servers(), validate_port_range(), validate_config_syntax(). Add validation before client creation and config changes.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.143579452+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:38:18.705584126+01:00","closed_at":"2026-01-12T16:38:18.705584126+01:00","close_reason":"Implemented all validation functions: validate_client_name(), validate_ip_availability(), validate_dns_servers(), validate_port_range(), validate_config_syntax(). Added validation calls in cmd_add and cmd_load_clients."}
+{"id":"wg-admin-dd2","title":"Implement client detail view","description":"Create detailed view for selected client showing name, IPs, public key, connection status, last handshake time, and transfer stats. Include copy to clipboard functionality and delete button with confirmation.","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.290544009+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:03:30.290544009+01:00","dependencies":[{"issue_id":"wg-admin-dd2","depends_on_id":"wg-admin-wf1","type":"blocks","created_at":"2026-01-12T17:04:52.968940596+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-ej7","title":"Implement color themes","description":"Add support for color themes using lipgloss. Create default theme with primary, success, warning, and error colors. Support theme switching through config file or environment variable.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.290145203+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:42:36.454922032+01:00","closed_at":"2026-01-12T17:42:36.454922032+01:00","close_reason":"Implemented color theme support using lipgloss. Created theme package (internal/tui/theme/theme.go) with ColorScheme and Theme structs, implemented default/dark/light themes, added theme registry and management functions (GetTheme, ApplyTheme, SetTheme, GetCurrentTheme), and integrated THEME config option into internal/config/config.go. Supports theme switching via config file or THEME environment variable.","dependencies":[{"issue_id":"wg-admin-ej7","depends_on_id":"wg-admin-xum","type":"blocks","created_at":"2026-01-12T17:04:53.269323117+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-gp4","title":"Create Go TUI epic","description":"Epic: Convert wg-client-manager bash script to a modern, responsive Go TUI application using Bubble Tea framework. Provides better UX with interactive forms, real-time status updates, and intuitive keyboard navigation.","status":"in_progress","priority":1,"issue_type":"feature","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.286393088+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:14:51.878635666+01:00"}
+{"id":"wg-admin-gw9","title":"Add search and filter clients","description":"Implement client search functionality with keyboard shortcut (/). Allow filtering by client name, IP address, or status. Highlight matching results in real-time as user types.","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.285733479+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:03:30.285733479+01:00","dependencies":[{"issue_id":"wg-admin-gw9","depends_on_id":"wg-admin-xum","type":"blocks","created_at":"2026-01-12T17:04:36.200521151+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-hd4","title":"Add keyboard shortcuts help","description":"Create help screen displaying all keyboard shortcuts. Show on '?' key press or in status bar. Include shortcuts for navigation (j/k, arrows), actions (a=add, d=delete, q=quit), and help (?).","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.283054325+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:46:20.995549065+01:00","closed_at":"2026-01-12T17:46:20.995549065+01:00","close_reason":"Implemented keyboard shortcuts help screen. Created internal/tui/screens/help.go with Screen interface implementation. Added '?' key handler in main.go to switch to help screen. Help displays organized shortcuts in two-column layout with lipgloss styling (Navigation: j/k, arrows, Enter, Esc; Actions: a, d, D, Q, r, l; Other: ?, /, q). Press q or Esc to return. Added help reference to status bar.","dependencies":[{"issue_id":"wg-admin-hd4","depends_on_id":"wg-admin-xum","type":"blocks","created_at":"2026-01-12T17:04:53.117669255+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-ka8","title":"Generate QR codes for clients","description":"Generate ANSI-colored QR codes from client configs using qrterminal library. Support both inline and fullscreen QR display modes. Handle terminal resize events for optimal QR rendering.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.273562645+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:46:26.810100876+01:00","closed_at":"2026-01-12T17:46:26.810100876+01:00","close_reason":"Implemented QR code generation for wg-admin-tui: Created qr.go screen with inline/fullscreen modes, added GetClientConfigContent to client.go, wired 'Q' key in list screen to show QR codes, updated main.go to handle QR screen navigation with back navigation support","dependencies":[{"issue_id":"wg-admin-ka8","depends_on_id":"wg-admin-wf1","type":"blocks","created_at":"2026-01-12T17:04:36.203581002+01:00","created_by":"Calmcacil"}]}
 {"id":"wg-admin-kfs","title":"Create configuration file format for WireGuard settings","description":"Design and implement /etc/wg-admin/config file to replace hardcoded values. Include: SERVER_DOMAIN, WG_PORT, VPN_IPV4_RANGE, VPN_IPV6_RANGE, WG_INTERFACE, DNS_SERVERS, and other configurable parameters. Support both file-based and environment variable override.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.148859434+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:31:29.339557739+01:00","closed_at":"2026-01-12T16:31:29.339557739+01:00","close_reason":"Config file approach replaced with interactive prompts using 'read', with 'WGI_' prefixed environment variable overrides. No persistent config file needed."}
 {"id":"wg-admin-lzl","title":"Add improved error handling and traps","description":"Implement: EXIT trap for cleanup on script interruption, pre-install validation (disk space, port availability, root check), rollback mechanism for failed operations, better error messages with actionable guidance, log all operations with timestamps.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.154445252+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:44:11.575490008+01:00","closed_at":"2026-01-12T16:44:11.575490008+01:00","close_reason":"Implemented all error handling and trap features: EXIT trap for cleanup (cleanup_handler catches EXIT,INT,TERM,HUP), pre-install validation (pre_install_validation checks disk space, port availability, root), rollback mechanism (rollback_installation function with BACKUP_DIR), better error messages with actionable guidance (all errors include specific fix suggestions), and logging with timestamps (log_info, log_error, log_warn functions)"}
+{"id":"wg-admin-o4o","title":"Implement WireGuard key generation","description":"Implement WireGuard key generation using wg genkey and wg pubkey commands. Generate client private key, public key, and optional pre-shared key (PSK). Ensure atomic file writes and proper permissions (0600).","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.283256646+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:03:30.283256646+01:00","dependencies":[{"issue_id":"wg-admin-o4o","depends_on_id":"wg-admin-wod","type":"blocks","created_at":"2026-01-12T17:04:52.815358118+01:00","created_by":"Calmcacil"}]}
 {"id":"wg-admin-qpy","title":"Refactor installation into wg-install.sh","description":"Extract install logic from wireguard.sh into dedicated wg-install.sh script. Handle: dependency checks, package installation, firewall setup (nftables), server key generation, interface initialization, systemd service setup. Use interactive 'read' prompts for settings with 'WGI_' prefixed environment variable overrides.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.151817177+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:50:42.168393277+01:00","closed_at":"2026-01-12T16:50:42.168393277+01:00","close_reason":"Created wg-install.sh script with complete installation logic extracted from wireguard.sh. Script includes dependency checks, package installation, nftables firewall setup, server key generation, interface initialization, and systemd service setup. Uses interactive prompts with WGI_ prefixed environment variable overrides. All validation and error handling maintained with atomic operations and proper cleanup. Test suite (test-wg-install.sh) created with 35 tests all passing.","dependencies":[{"issue_id":"wg-admin-qpy","depends_on_id":"wg-admin-37o","type":"blocks","created_at":"2026-01-12T16:28:20.30398105+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-qpy","depends_on_id":"wg-admin-wsk","type":"blocks","created_at":"2026-01-12T16:28:20.305872992+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-qpy","depends_on_id":"wg-admin-0wc","type":"blocks","created_at":"2026-01-12T16:28:27.88358441+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-qpy","depends_on_id":"wg-admin-cwb","type":"blocks","created_at":"2026-01-12T16:28:27.890595849+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-qpy","depends_on_id":"wg-admin-2pl","type":"blocks","created_at":"2026-01-12T16:28:27.948214112+01:00","created_by":"Calmcacil"}]}
-{"id":"wg-admin-slj","title":"Refactor WireGuard scripts into modular architecture","description":"Refactor monolithic wireguard.sh into two separate scripts: wg-install.sh for initial setup, wg-client-manager for client operations. Use interactive 'read' prompts with 'WGI_' prefixed environment variable overrides. Add validation functions, security hardening, and remove all hardcoded sensitive information from repository.","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:18.232667092+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:31:55.321378801+01:00","dependencies":[{"issue_id":"wg-admin-slj","depends_on_id":"wg-admin-abw","type":"blocks","created_at":"2026-01-12T16:28:21.930404739+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-slj","depends_on_id":"wg-admin-qpy","type":"blocks","created_at":"2026-01-12T16:28:21.936380993+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-slj","depends_on_id":"wg-admin-0wc","type":"blocks","created_at":"2026-01-12T16:28:21.983754904+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-slj","title":"Refactor WireGuard scripts into modular architecture","description":"Refactor monolithic wireguard.sh into two separate scripts: wg-install.sh for initial setup, wg-client-manager for client operations. Use interactive 'read' prompts with 'WGI_' prefixed environment variable overrides. Add validation functions, security hardening, and remove all hardcoded sensitive information from repository.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:18.232667092+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:11:02.639140093+01:00","closed_at":"2026-01-12T17:11:02.639140093+01:00","close_reason":"Refactoring complete: wg-install.sh (921 lines) and wg-client-manager (545 lines) scripts have been created and are functional. wireguard.sh retained for backwards compatibility.","dependencies":[{"issue_id":"wg-admin-slj","depends_on_id":"wg-admin-abw","type":"blocks","created_at":"2026-01-12T16:28:21.930404739+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-slj","depends_on_id":"wg-admin-qpy","type":"blocks","created_at":"2026-01-12T16:28:21.936380993+01:00","created_by":"Calmcacil"},{"issue_id":"wg-admin-slj","depends_on_id":"wg-admin-0wc","type":"blocks","created_at":"2026-01-12T16:28:21.983754904+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-tv6","title":"Add client delete functionality","description":"Implement delete client workflow with confirmation modal. Remove client config from server, delete client files, auto-backup before deletion, and reload WireGuard configuration.","status":"in_progress","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.281557572+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:40:24.706261881+01:00","dependencies":[{"issue_id":"wg-admin-tv6","depends_on_id":"wg-admin-dd2","type":"blocks","created_at":"2026-01-12T17:04:36.207822184+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-wf1","title":"Create server and client config files","description":"Generate WireGuard configuration files for both server and client. Server config includes PublicKey and AllowedIPs. Client config includes PrivateKey, Address, DNS, Endpoint, and AllowedIPs. Use atomic writes (temp file + mv).","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.273615688+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:03:30.273615688+01:00","dependencies":[{"issue_id":"wg-admin-wf1","depends_on_id":"wg-admin-o4o","type":"blocks","created_at":"2026-01-12T17:04:44.268995878+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-wjj","title":"Implement restore functionality","description":"Add restore capability to load backups from /etc/wg-admin/backups/. Include backup list view, restore confirmation, and pre-restore safety backup. Handle missing backups gracefully.","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.29166861+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:03:30.29166861+01:00","dependencies":[{"issue_id":"wg-admin-wjj","depends_on_id":"wg-admin-11o","type":"blocks","created_at":"2026-01-12T17:04:36.234546234+01:00","created_by":"Calmcacil"}]}
+{"id":"wg-admin-wod","title":"Create add client form with huh","description":"Implement form for adding new WireGuard clients using the huh library. Include fields for client name, DNS servers, and PSK toggle. Add validation for client name format, IP availability, and DNS format.","status":"open","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:03:30.272758265+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:03:30.272758265+01:00","dependencies":[{"issue_id":"wg-admin-wod","depends_on_id":"wg-admin-xum","type":"blocks","created_at":"2026-01-12T17:04:26.667835195+01:00","created_by":"Calmcacil"}]}
 {"id":"wg-admin-wsk","title":"Add configuration validation and syntax checking","description":"Implement validate_config_syntax() to check WireGuard config format before applying: verify [Interface] and [Peer] sections, check key format (44 base64 characters), validate IP addresses and CIDR notation, validate DNS format, ensure no duplicate public keys.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T16:27:53.159692055+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T16:38:35.611667005+01:00","closed_at":"2026-01-12T16:38:35.611667005+01:00","close_reason":"validate_config_syntax() implemented in previous task with full WireGuard config format validation: [Interface]/[Peer] sections, key format (44 base64 chars), IP/CIDR notation, DNS format, duplicate public key detection. Integrated into cmd_load_clients."}
+{"id":"wg-admin-xum","title":"Create client list table with bubble-table","description":"Implement interactive client list table using bubble-table library. Columns: Name, IPv4, IPv6, Status (Connected/Disconnected). Add sorting by column (name or status). Support keyboard navigation (j/k, arrows, Enter to select). Highlight selected row.","status":"closed","priority":2,"issue_type":"task","owner":"Calmcacil@Raion","created_at":"2026-01-12T17:02:57.647838043+01:00","created_by":"Calmcacil","updated_at":"2026-01-12T17:41:34.482127827+01:00","closed_at":"2026-01-12T17:41:34.482127827+01:00","close_reason":"Implemented list screen integration with bubble-table. Created list.go with table display of clients (Name, IPv4, IPv6, Status). Integrated with wireguard.ListClients() and wireguard.GetClientStatus(). Updated main.go to add screen management with 'l' key to switch to list view. List screen handles StatusTickMsg and RefreshStatusMsg for automatic status updates. Keyboard navigation and selection highlighting supported.","dependencies":[{"issue_id":"wg-admin-xum","depends_on_id":"wg-admin-69b","type":"blocks","created_at":"2026-01-12T17:04:26.676478182+01:00","created_by":"Calmcacil"}]}

GO_TUI_PLAN.md

@@ -0,0 +1,543 @@
+# WireGuard Client Manager - Go TUI Implementation Plan
+
+## Executive Summary
+
+Converting the bash-based `wg-client-manager` to a modern, responsive Go TUI application using Bubble Tea and the Charm ecosystem. This will provide a better user experience with interactive forms, real-time status updates, and intuitive navigation.
+
+## Technology Stack
+
+### Core Framework
+- **bubbletea** (v1.3.10) - Elm-architecture TUI framework
+- **lipgloss** - Expressive styling and theming
+
+### Component Libraries
+- **huh** - Terminal forms for client creation
+- **bubble-table** - Interactive table for client list
+- **bubbles** - Text input and other UI components
+- **qrterminal** - QR code generation for terminal display
+
+### Go Modules
+- WireGuard Go library (if available) or exec-based wrapper
+- Configuration management (Viper or native config)
+- File system operations (os, path/filepath)
+
+## Functional Requirements Analysis
+
+### Commands to Implement
+
+| Command | Current Behavior | TUI Implementation |
+|---------|-----------------|-------------------|
+| **add** | Interactive prompts or WGI_ env vars | Form modal with fields: name, DNS, PSK option |
+| **remove** | Command-line with confirmation | Select from list → Confirm modal → Delete |
+| **list** | Table view with status | Interactive table with sorting, filtering |
+| **show** | Display client config | Detail view with copyable sections |
+| **qr** | Display QR code | Inline QR code in modal |
+
+### Key Features
+
+#### 1. Client Management
+- **Add client**
+  - Name input (regex validation: `[a-zA-Z0-9_-]+`, max 64 chars)
+  - Optional DNS configuration
+  - PSK toggle (yes/no)
+  - Auto-assign IPv4/IPv6 addresses
+  - Generate client keys
+  - Create server and client configs
+  - Generate QR code
+
+- **Remove client**
+  - Select from list
+  - Confirmation dialog
+  - Remove config files
+  - Reload WireGuard
+
+- **List clients**
+  - Table view: Name, IPv4, IPv6, Status (Connected/Disconnected)
+  - Sorting by column
+  - Filtering/search
+  - Real-time status refresh
+
+- **Show client details**
+  - Full configuration display
+  - Copy to clipboard functionality
+  - Status information (last handshake, transfer stats)
+
+- **QR code display**
+  - ANSI-colored QR code in terminal
+  - Toggle fullscreen/inline mode
+
+#### 2. Configuration Loading
+- Read `/etc/wg-admin/config.conf`
+- Environment variable support
+- Validation of required settings (SERVER_DOMAIN, WG_PORT, etc.)
+
+#### 3. Validation
+- Client name format
+- IP availability checks
+- DNS server format validation
+- Pre-install checks (WireGuard installed, config exists)
+
+#### 4. Security
+- Run as root required
+- Proper file permissions (0600 for keys)
+- Atomic config writes
+- Temporary key cleanup
+
+#### 5. Backup & Recovery
+- Auto-backup before add/remove
+- Config backup/restore functionality
+
+## Architecture Design
+
+### Package Structure
+
+```
+wg-admin-tui/
+├── cmd/
+│   └── main.go              # Entry point
+├── internal/
+│   ├── config/
+│   │   ├── config.go        # Configuration loading
+│   │   └── defaults.go      # Default values
+│   ├── wireguard/
+│   │   ├── client.go        # Client management
+│   │   ├── keys.go          # Key generation
+│   │   ├── config.go        # WireGuard config parsing
+│   │   └── status.go        # Status monitoring
+│   ├── tui/
+│   │   ├── app.go           # Main TUI application
+│   │   ├── model.go         # Application state
+│   │   ├── update.go        # Message handlers
+│   │   ├── view.go          # Rendering
+│   │   ├── screens/
+│   │   │   ├── list.go      # Client list view
+│   │   │   ├── add.go       # Add client form
+│   │   │   ├── detail.go    # Client detail view
+│   │   │   └── qr.go        # QR code view
+│   │   ├── components/
+│   │   │   ├── table.go     # Client table
+│   │   │   ├── statusbar.go # Status bar
+│   │   │   └── modal.go     # Modal dialogs
+│   │   └── theme/
+│   │       ├── colors.go    # Color scheme
+│   │       └── style.go     # Styling utilities
+│   ├── validation/
+│   │   ├── client.go        # Client name validation
+│   │   ├── network.go       # IP/DNS validation
+│   │   └── config.go        # Config syntax validation
+│   └── backup/
+│       ├── backup.go        # Backup operations
+│       └── restore.go       # Restore operations
+├── pkg/
+│   └── util/
+│       ├── exec.go          # Command execution helpers
+│       └── file.go          # File operations
+└── go.mod
+```
+
+### Component Design
+
+#### 1. Main Application (app.go)
+```go
+type Application struct {
+    model     Model
+    programs  *tea.Program
+    config    *config.Config
+    wireguard *wireguard.Client
+}
+
+func NewApplication() (*Application, error)
+func (a *Application) Run() error
+```
+
+#### 2. Model (model.go)
+```go
+type Model struct {
+    screen      Screen          // Current active screen
+    clients     []Client        // Client data
+    selected    int             // Selected client
+    loading     bool            // Loading state
+    error       error           // Error message
+    table       table.Model     // Client table
+    form        *huh.Form       // Add client form
+    modal       *Modal          // Active modal
+    status      Status          // Status bar state
+}
+
+type Screen interface {
+    Init() tea.Cmd
+    Update(msg tea.Msg) (Screen, tea.Cmd)
+    View() string
+}
+```
+
+#### 3. Screens
+- **ListScreen**: Display client table
+- **AddScreen**: Form for adding client
+- **DetailScreen**: Show client configuration
+- **QRScreen**: Display QR code
+
+#### 4. WireGuard Integration
+```go
+type Client struct {
+    Name       string
+    IPv4       string
+    IPv6       string
+    PublicKey  string
+    HasPSK     bool
+    Status     ConnectionStatus
+    LastSeen   time.Time
+    Handshake  string
+    ConfigPath string
+}
+
+type Manager interface {
+    ListClients() ([]Client, error)
+    AddClient(name, dns string, usePSK bool) (*Client, error)
+    RemoveClient(name string) error
+    GetClient(name string) (*Client, error)
+    GetStatus() (Status, error)
+    ReloadConfig() error
+}
+```
+
+## Implementation Roadmap
+
+### Phase 1: Project Setup & Foundation (Days 1-2)
+
+**Goal**: Establish project structure and core framework
+
+**Tasks**:
+- [ ] Initialize Go module
+- [ ] Set up project structure
+- [ ] Add dependencies (bubbletea, lipgloss, huh, bubble-table, qrterminal)
+- [ ] Create configuration loading from `/etc/wg-admin/config.conf`
+- [ ] Implement root check
+- [ ] Create basic TUI skeleton with empty screens
+- [ ] Set up logging (both file and console)
+
+**Deliverables**:
+- Working TUI that launches and shows a placeholder screen
+- Configuration system in place
+
+### Phase 2: Client List View (Days 3-4)
+
+**Goal**: Display clients in interactive table
+
+**Tasks**:
+- [ ] Implement WireGuard client list parsing
+- [ ] Create `Client` struct
+- [ ] Set up bubble-table with columns: Name, IPv4, IPv6, Status
+- [ ] Parse client configs from `/etc/wireguard/conf.d/client-*.conf`
+- [ ] Check connection status using `wg show`
+- [ ] Implement keyboard navigation (j/k, arrows, Enter, q)
+- [ ] Add status bar with help text
+- [ ] Implement auto-refresh (every 30 seconds)
+
+**Deliverables**:
+- Functional client list with real-time status
+
+### Phase 3: Add Client Form (Days 5-6)
+
+**Goal**: Create interactive form for adding clients
+
+**Tasks**:
+- [ ] Create add screen with `huh` form
+- [ ] Implement fields:
+  - Client name (text input)
+  - DNS servers (text input with default)
+  - Use PSK (toggle/confirm)
+- [ ] Add validation:
+  - Client name regex
+  - IP availability check
+  - DNS format validation
+- [ ] Implement WireGuard key generation
+- [ ] Auto-assign IPv4/IPv6 addresses
+- [ ] Create server config file
+- [ ] Create client config file
+- [ ] Generate QR code
+- [ ] Implement atomic config writes
+- [ ] Auto-backup before add
+- [ ] Reload WireGuard config
+
+**Deliverables**:
+- Working add client form with all validations
+
+### Phase 4: Client Detail View (Days 7-8)
+
+**Goal**: Show full client configuration
+
+**Tasks**:
+- [ ] Create detail screen
+- [ ] Display:
+  - Client name
+  - IP addresses
+  - Public key
+  - Full configuration
+  - Connection status
+  - Last handshake
+  - Transfer stats (Rx/Tx)
+- [ ] Implement copy to clipboard
+- [ ] Add "Back" and "Delete" buttons
+- [ ] Delete confirmation modal
+- [ ] Remove client with config deletion
+- [ ] Auto-backup before remove
+- [ ] Reload WireGuard config
+
+**Deliverables**:
+- Functional detail view with delete capability
+
+### Phase 5: QR Code Display (Days 9-10)
+
+**Goal**: Display QR codes for mobile setup
+
+**Tasks**:
+- [ ] Create QR screen
+- [ ] Read client config
+- [ ] Generate QR code using `qrterminal`
+- [ ] Display QR code inline
+- [ ] Implement fullscreen QR mode
+- [ ] Add resize handling for QR codes
+- [ ] Test with various terminal sizes
+
+**Deliverables**:
+- Working QR code display
+
+### Phase 6: Polish & UX Improvements (Days 11-12)
+
+**Goal**: Improve user experience
+
+**Tasks**:
+- [ ] Add color themes
+- [ ] Implement modal dialogs for confirmations
+- [ ] Add toast notifications for success/error
+- [ ] Implement search/filter clients
+- [ ] Add sorting by columns
+- [ ] Improve error messages with actionable guidance
+- [ ] Add keyboard shortcuts help
+- [ ] Implement loading indicators
+
+**Deliverables**:
+- Polished, user-friendly interface
+
+### Phase 7: Backup & Recovery (Days 13-14)
+
+**Goal**: Add backup and restore functionality
+
+**Tasks**:
+- [ ] Implement backup operations
+- [ ] Create restore functionality
+- [ ] Add backup history view
+- [ ] Implement retention policy
+- [ ] Add backup/restore screens
+
+**Deliverables**:
+- Complete backup/restore system
+
+## User Experience Design
+
+### Screen Flow
+
+```
+┌─────────────────────────────────────┐
+│         Client List (Main)          │
+│  ┌─────┬─────┬──────────┬─────────┐│
+│  │Name │IPv4 │  IPv6    │ Status  ││
+│  ├─────┼─────┼──────────┼─────────┤│
+│  │laptop│ .2 │ ::2      │Connected││ ← Selected
+│  │phone │ .3 │ ::3      │  Disc   ││
+│  └─────┴─────┴──────────┴─────────┘│
+│                                     │
+│ [a] Add  [d] Detail  [?] Help  [q] Quit│
+└─────────────────────────────────────┘
+              ↓ Enter
+┌─────────────────────────────────────┐
+│       Client Detail: laptop          │
+│                                     │
+│  Name: laptop                        │
+│  IPv4: 10.10.69.2                   │
+│  IPv6: fd69:dead:beef:69::2        │
+│  Status: Connected                   │
+│  Last Handshake: 2m ago             │
+│  Rx: 1.2 MB  Tx: 3.4 MB            │
+│                                     │
+│  [Interface]                        │
+│  PrivateKey = ...                    │
+│  Address = 10.10.69.2/24...         │
+│                                     │
+│  [ESC] Back  [x] Delete  [c] Copy  │
+└─────────────────────────────────────┘
+              ↓ 'a' from list
+┌─────────────────────────────────────┐
+│          Add New Client              │
+│                                     │
+│  Client Name: [_________]           │
+│  DNS Servers: [8.8.8.8, 8.8.4.4]   │
+│  Use PSK? [x] Yes                  │
+│                                     │
+│  [Enter] Submit  [ESC] Cancel       │
+└─────────────────────────────────────┘
+              ↓ 'q' from detail
+┌─────────────────────────────────────┐
+│         Delete Confirmation         │
+│                                     │
+│  Delete client 'laptop'?           │
+│                                     │
+│  [Enter] Yes  [ESC] No             │
+└─────────────────────────────────────┘
+```
+
+### Keyboard Shortcuts
+
+| Key | Action |
+|-----|--------|
+| `q` | Quit |
+| `a` | Add client |
+| `d` | Show details |
+| `x` | Delete |
+| `r` | Refresh |
+| `/` | Search/filter |
+| `↑/k` | Move up |
+| `↓/j` | Move down |
+| `Enter` | Select/Confirm |
+| `Esc` | Back/Cancel |
+| `?` | Help |
+| `c` | Copy to clipboard |
+
+### Color Scheme
+
+```go
+// Default theme
+const (
+    ColorPrimary   lipgloss.Color
+    ColorSecondary lipgloss.Color
+    ColorSuccess   lipgloss.Color
+    ColorWarning   lipgloss.Color
+    ColorError     lipgloss.Color
+    ColorMuted     lipgloss.Color
+)
+
+// Example
+ColorPrimary   = lipgloss.Color("#007AFF")   // Blue
+ColorSuccess   = lipgloss.Color("#34C759")   // Green
+ColorWarning   = lipgloss.Color("#FF9500")   // Orange
+ColorError     = lipgloss.Color("#FF3B30")   // Red
+ColorMuted     = lipgloss.Color("#8E8E93")   // Gray
+```
+
+## Error Handling Strategy
+
+### Validation Errors
+- Display inline validation messages
+- Show specific error with action guidance
+- Keep form state on error
+- Highlight invalid fields
+
+### System Errors
+- Show modal with error message
+- Log full error to file
+- Provide actionable guidance
+- Offer retry or cancel options
+
+### Examples
+```
+ERROR: Client 'laptop' already exists
+Action: Choose a different name or remove existing client first
+
+ERROR: No available IPv4 addresses
+Action: Remove unused clients or expand VPN range
+```
+
+## Performance Considerations
+
+1. **Lazy Loading**
+   - Load clients on screen init
+   - Cache client data between refreshes
+
+2. **Asynchronous Operations**
+   - Run WireGuard status checks in background
+   - Use tea.Cmd for async operations
+
+3. **Throttled Refresh**
+   - Auto-refresh every 30 seconds (configurable)
+   - Manual refresh with 'r' key
+
+4. **QR Code Optimization**
+   - Generate on demand, not cached
+   - Use appropriate error correction level
+
+## Security Considerations
+
+1. **Root Privileges**
+   - Check for root at startup
+   - Display clear error if not root
+
+2. **Key Storage**
+   - Write keys with 0600 permissions
+   - Clean up temporary key files
+
+3. **Atomic Operations**
+   - Write to temp file, then move
+   - Prevent config corruption
+
+4. **Input Validation**
+   - Strict regex for client names
+   - IP availability checks
+   - DNS format validation
+
+## Testing Strategy
+
+### Unit Tests
+- Validation functions
+- Configuration parsing
+- Client model methods
+
+### Integration Tests
+- WireGuard config generation
+- Key generation
+- Backup/restore
+
+### Manual Testing
+- End-to-end workflows
+- Terminal size handling
+- Error scenarios
+
+## Milestones
+
+| Milestone | Days | Goal |
+|-----------|------|------|
+| M1: Foundation | 2 | Project setup, basic TUI |
+| M2: List View | 4 | Client list with status |
+| M3: Add Client | 6 | Working add form |
+| M4: Detail & Delete | 8 | Full client management |
+| M5: QR Codes | 10 | QR code display |
+| M6: Polish | 12 | UX improvements |
+| M7: Complete | 14 | Fully functional TUI |
+
+## Success Criteria
+
+- ✅ All bash functionality replicated in TUI
+- ✅ Responsive and performant UI
+- ✅ Clear error messages with actionable guidance
+- ✅ Keyboard shortcuts for all actions
+- ✅ Real-time client status updates
+- ✅ Working QR code generation
+- ✅ Backup/restore functionality
+- ✅ Polished, intuitive user experience
+
+## Future Enhancements
+
+- Config import/export
+- Client statistics dashboard
+- Connection monitoring view
+- Multiple server support
+- Template-based client creation
+- Bulk operations
+- Dark/Light theme toggle
+
+---
+
+**Estimated Timeline**: 14 days for MVP
+**Primary Dependencies**: bubbletea, lipgloss, huh, bubble-table, qrterminal
+**Minimum Go Version**: 1.21+
+**Target Terminal**: ANSI-compatible terminals (Linux, macOS, Windows with WSL)