@solongate/proxy 0.43.0 → 0.45.0

package/dist/init.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
 // src/init.ts
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
-import { resolve, join, dirname } from "path";
-import { fileURLToPath } from "url";
-import { execFileSync } from "child_process";
-import { createInterface } from "readline";
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2, mkdirSync as mkdirSync2 } from "fs";
+import { resolve as resolve2, join as join2, dirname as dirname2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { execFileSync as execFileSync2 } from "child_process";
+import { createInterface as createInterface2 } from "readline";
 
 // src/cli-utils.ts
 var c = {
@@ -37,13 +37,201 @@ var BANNER_FULL = [
 ];
 var BANNER_COLORS = [c.blue1, c.blue2, c.blue3, c.blue4, c.blue5, c.blue6];
 
+// src/global-install.ts
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { resolve, join, dirname } from "path";
+import { homedir } from "os";
+import { fileURLToPath } from "url";
+import { createInterface } from "readline";
+import { execFileSync } from "child_process";
+var __dirname = dirname(fileURLToPath(import.meta.url));
+var HOOKS_DIR = resolve(__dirname, "..", "hooks");
+function lockFile(file) {
+  if (!existsSync(file)) return;
+  try {
+    if (process.platform === "win32") {
+      try {
+        execFileSync("icacls", [file, "/deny", "*S-1-1-0:(WD,AD,DC,DE)"], { stdio: "ignore" });
+      } catch {
+      }
+      try {
+        execFileSync("attrib", ["+R", file], { stdio: "ignore" });
+      } catch {
+      }
+    } else if (process.platform === "darwin") {
+      try {
+        execFileSync("chflags", ["uchg", file], { stdio: "ignore" });
+      } catch {
+      }
+    } else {
+      try {
+        execFileSync("chattr", ["+i", file], { stdio: "ignore" });
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
+function unlockFile(file) {
+  if (!existsSync(file)) return;
+  try {
+    if (process.platform === "win32") {
+      try {
+        execFileSync("icacls", [file, "/remove:d", "*S-1-1-0"], { stdio: "ignore" });
+      } catch {
+      }
+      try {
+        execFileSync("icacls", [file, "/reset"], { stdio: "ignore" });
+      } catch {
+      }
+      try {
+        execFileSync("attrib", ["-R", file], { stdio: "ignore" });
+      } catch {
+      }
+    } else if (process.platform === "darwin") {
+      try {
+        execFileSync("chflags", ["nouchg", file], { stdio: "ignore" });
+      } catch {
+      }
+    } else {
+      try {
+        execFileSync("chattr", ["-i", file], { stdio: "ignore" });
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
+function protectedTargets() {
+  const p = globalPaths();
+  return [
+    join(p.hooksDir, "guard.mjs"),
+    join(p.hooksDir, "audit.mjs"),
+    join(p.hooksDir, "stop.mjs"),
+    p.configPath,
+    p.settingsPath
+  ];
+}
+function lockProtected() {
+  for (const f of protectedTargets()) lockFile(f);
+}
+function unlockProtected() {
+  for (const f of protectedTargets()) unlockFile(f);
+}
+function globalPaths() {
+  const home = homedir();
+  const sgDir = join(home, ".solongate");
+  const hooksDir = join(sgDir, "hooks");
+  const claudeDir = join(home, ".claude");
+  return {
+    home,
+    sgDir,
+    hooksDir,
+    claudeDir,
+    settingsPath: join(claudeDir, "settings.json"),
+    backupPath: join(claudeDir, "settings.solongate.bak"),
+    configPath: join(sgDir, "cloud-guard.json")
+  };
+}
+function readHook(filename) {
+  return readFileSync(join(HOOKS_DIR, filename), "utf-8");
+}
+function readGuard() {
+  const bundled = join(HOOKS_DIR, "guard.bundled.mjs");
+  return existsSync(bundled) ? readFileSync(bundled, "utf-8") : readHook("guard.mjs");
+}
+function ask(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  return new Promise((res) => rl.question(question, (a) => {
+    rl.close();
+    res(a.trim());
+  }));
+}
+function runGlobalRestore() {
+  const p = globalPaths();
+  unlockProtected();
+  if (existsSync(p.backupPath)) {
+    writeFileSync(p.settingsPath, readFileSync(p.backupPath, "utf-8"));
+    console.log(`  Restored ${p.settingsPath} from backup.`);
+  } else if (existsSync(p.settingsPath)) {
+    try {
+      const s = JSON.parse(readFileSync(p.settingsPath, "utf-8"));
+      delete s.hooks;
+      writeFileSync(p.settingsPath, JSON.stringify(s, null, 2) + "\n");
+      console.log(`  Removed SolonGate hooks from ${p.settingsPath}.`);
+    } catch {
+    }
+  } else {
+    console.log("  Nothing to restore \u2014 no global Claude Code settings found.");
+  }
+  console.log("  Global SolonGate enforcement uninstalled. Restart Claude Code.");
+}
+async function runGlobalInstall(opts = {}) {
+  const p = globalPaths();
+  let apiKey = opts.apiKey || process.env["SOLONGATE_API_KEY"] || "";
+  if (!apiKey || apiKey === "sg_live_your_key_here") {
+    try {
+      const cfg = JSON.parse(readFileSync(p.configPath, "utf-8"));
+      if (cfg && typeof cfg.apiKey === "string") apiKey = cfg.apiKey;
+    } catch {
+    }
+  }
+  if (!apiKey || apiKey === "sg_live_your_key_here") {
+    apiKey = await ask("  Enter your SolonGate API key (sg_live_\u2026 from https://dashboard.solongate.com): ");
+  }
+  if (!apiKey.startsWith("sg_live_") && !apiKey.startsWith("sg_test_")) {
+    console.log("  Invalid API key. Must start with sg_live_ or sg_test_");
+    process.exit(1);
+  }
+  const apiUrl = opts.apiUrl || process.env["SOLONGATE_API_URL"] || "https://api.solongate.com";
+  mkdirSync(p.hooksDir, { recursive: true });
+  mkdirSync(p.claudeDir, { recursive: true });
+  unlockProtected();
+  writeFileSync(join(p.hooksDir, "guard.mjs"), readGuard());
+  writeFileSync(join(p.hooksDir, "audit.mjs"), readHook("audit.mjs"));
+  writeFileSync(join(p.hooksDir, "stop.mjs"), readHook("stop.mjs"));
+  console.log(`  Installed hooks \u2192 ${p.hooksDir}`);
+  writeFileSync(p.configPath, JSON.stringify({ apiKey, apiUrl }, null, 2) + "\n");
+  console.log(`  Wrote ${p.configPath}`);
+  let existing = {};
+  if (existsSync(p.settingsPath)) {
+    const raw = readFileSync(p.settingsPath, "utf-8");
+    if (!existsSync(p.backupPath)) {
+      writeFileSync(p.backupPath, raw);
+      console.log(`  Backed up existing settings \u2192 ${p.backupPath}`);
+    }
+    try {
+      existing = JSON.parse(raw);
+    } catch {
+      existing = {};
+    }
+  }
+  const guardAbs = join(p.hooksDir, "guard.mjs").replace(/\\/g, "/");
+  const auditAbs = join(p.hooksDir, "audit.mjs").replace(/\\/g, "/");
+  const stopAbs = join(p.hooksDir, "stop.mjs").replace(/\\/g, "/");
+  const merged = {
+    ...existing,
+    hooks: {
+      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${guardAbs}" claude-code "Claude Code"` }] }],
+      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${auditAbs}" claude-code "Claude Code"` }] }],
+      Stop: [{ matcher: "", hooks: [{ type: "command", command: `node "${stopAbs}" claude-code "Claude Code"` }] }]
+    }
+  };
+  writeFileSync(p.settingsPath, JSON.stringify(merged, null, 2) + "\n");
+  console.log(`  Registered global hooks \u2192 ${p.settingsPath}`);
+  if (process.env["SOLONGATE_OS_LOCK"] === "1") {
+    lockProtected();
+    console.log("  Locked protection files (OS-level read-only/immutable).");
+  }
+}
+
 // src/init.ts
 var SEARCH_PATHS = [
   ".mcp.json",
   "mcp.json",
   ".claude/mcp.json"
 ];
-var CLAUDE_DESKTOP_PATHS = process.platform === "win32" ? [join(process.env["APPDATA"] ?? "", "Claude", "claude_desktop_config.json")] : process.platform === "darwin" ? [join(process.env["HOME"] ?? "", "Library", "Application Support", "Claude", "claude_desktop_config.json")] : [join(process.env["HOME"] ?? "", ".config", "claude", "claude_desktop_config.json")];
+var CLAUDE_DESKTOP_PATHS = process.platform === "win32" ? [join2(process.env["APPDATA"] ?? "", "Claude", "claude_desktop_config.json")] : process.platform === "darwin" ? [join2(process.env["HOME"] ?? "", "Library", "Application Support", "Claude", "claude_desktop_config.json")] : [join2(process.env["HOME"] ?? "", ".config", "claude", "claude_desktop_config.json")];
 var sleep = (ms) => new Promise((r) => setTimeout(r, ms));
 var SPINNER_FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
 var spinnerInterval = null;
@@ -66,14 +254,14 @@ function stopSpinner(result) {
 }
 function findConfigFile(explicitPath, createIfMissing = false) {
   if (explicitPath) {
-    if (existsSync(explicitPath)) {
-      return { path: resolve(explicitPath), type: "mcp" };
+    if (existsSync2(explicitPath)) {
+      return { path: resolve2(explicitPath), type: "mcp" };
     }
     return null;
   }
   for (const searchPath of SEARCH_PATHS) {
-    const full = resolve(searchPath);
-    if (existsSync(full)) return { path: full, type: "mcp" };
+    const full = resolve2(searchPath);
+    if (existsSync2(full)) return { path: full, type: "mcp" };
   }
   if (createIfMissing) {
     const starterConfig = {
@@ -88,19 +276,19 @@ function findConfigFile(explicitPath, createIfMissing = false) {
         }
       }
     };
-    const starterPath = resolve(".mcp.json");
-    writeFileSync(starterPath, JSON.stringify(starterConfig, null, 2) + "\n");
+    const starterPath = resolve2(".mcp.json");
+    writeFileSync2(starterPath, JSON.stringify(starterConfig, null, 2) + "\n");
     console.log("  Created .mcp.json with starter servers (filesystem, playwright).");
     console.log("");
     return { path: starterPath, type: "mcp", created: true };
   }
   for (const desktopPath of CLAUDE_DESKTOP_PATHS) {
-    if (existsSync(desktopPath)) return { path: desktopPath, type: "claude-desktop" };
+    if (existsSync2(desktopPath)) return { path: desktopPath, type: "claude-desktop" };
   }
   return null;
 }
 function readConfig(filePath) {
-  const content = readFileSync(filePath, "utf-8");
+  const content = readFileSync2(filePath, "utf-8");
   const parsed = JSON.parse(content);
   if (parsed.mcpServers) return parsed;
   throw new Error(`Unrecognized config format in ${filePath}`);
@@ -135,7 +323,7 @@ function wrapServer(serverName, server, policy, agentName) {
   };
 }
 async function prompt(question) {
-  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  const rl = createInterface2({ input: process.stdin, output: process.stderr });
   return new Promise((res) => {
     rl.question(question, (answer) => {
       rl.close();
@@ -147,7 +335,9 @@ function parseInitArgs(argv) {
   const args = argv.slice(2);
   const options = {
     all: false,
-    tools: []
+    tools: [],
+    global: false,
+    restore: false
   };
   for (let i = 0; i < args.length; i++) {
     switch (args[i]) {
@@ -163,6 +353,14 @@ function parseInitArgs(argv) {
       case "--all":
         options.all = true;
         break;
+      case "--global":
+      case "-g":
+        options.global = true;
+        break;
+      case "--restore":
+      case "--uninstall":
+        options.restore = true;
+        break;
       case "--claude-code":
         options.tools.push("claude-code");
         break;
@@ -183,12 +381,17 @@ SolonGate Init \u2014 Protect your MCP servers in seconds
 
 USAGE
   npx @solongate/proxy init --all
+  npx @solongate/proxy init --global          # system-wide (every project)
 
 OPTIONS
   --config <path>     Path to MCP config file (default: auto-detect)
   --policy <file>     Custom policy JSON file (auto-detects policy.json)
   --api-key <key>     SolonGate API key (sg_live_... or sg_test_...)
   --all               Protect all servers without prompting
+  --global, -g        Install a SYSTEM-WIDE Claude Code hook (~/.claude) that
+                      guards EVERY session on the machine with your cloud
+                      policy (OPA WASM) \u2014 like the air-gapped product.
+  --restore           With --global: undo the system-wide install.
   -h, --help          Show this help message
 
 AI TOOL HOOKS (default: all)
@@ -199,59 +402,66 @@ EXAMPLES
   npx @solongate/proxy init --all                          # Protect everything, all tools
   npx @solongate/proxy init --all --claude-code            # Only Claude Code hooks
   npx @solongate/proxy init --all --policy policy.json     # With custom policy
+  npx @solongate/proxy init --global --api-key sg_live_\u2026   # System-wide enforcement
+  npx @solongate/proxy init --global --restore             # Undo system-wide install
 `;
   console.log(help);
 }
-var __dirname = dirname(fileURLToPath(import.meta.url));
-var HOOKS_DIR = resolve(__dirname, "..", "hooks");
+var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
+var HOOKS_DIR2 = resolve2(__dirname2, "..", "hooks");
 function readHookScript(filename) {
-  return readFileSync(join(HOOKS_DIR, filename), "utf-8");
+  return readFileSync2(join2(HOOKS_DIR2, filename), "utf-8");
+}
+function readGuardForGlobal() {
+  const bundled = join2(HOOKS_DIR2, "guard.bundled.mjs");
+  if (existsSync2(bundled)) return readFileSync2(bundled, "utf-8");
+  return readFileSync2(join2(HOOKS_DIR2, "guard.mjs"), "utf-8");
 }
 function unlockProtectedDirs() {
   const dirs = [".solongate", ".claude", ".gemini"];
   for (const dir of dirs) {
-    const fullDir = resolve(dir);
-    if (!existsSync(fullDir)) continue;
+    const fullDir = resolve2(dir);
+    if (!existsSync2(fullDir)) continue;
     try {
       if (process.platform === "win32") {
         try {
-          execFileSync("icacls", [fullDir, "/remove:d", "*S-1-1-0", "/T", "/Q"], { stdio: "ignore" });
+          execFileSync2("icacls", [fullDir, "/remove:d", "*S-1-1-0", "/T", "/Q"], { stdio: "ignore" });
         } catch {
         }
         try {
-          execFileSync("attrib", ["-R", "/S", "/D", fullDir], { stdio: "ignore" });
+          execFileSync2("attrib", ["-R", "/S", "/D", fullDir], { stdio: "ignore" });
         } catch {
         }
       } else {
         try {
-          execFileSync("chattr", ["-i", "-R", fullDir], { stdio: "ignore" });
+          execFileSync2("chattr", ["-i", "-R", fullDir], { stdio: "ignore" });
         } catch {
         }
-        execFileSync("chmod", ["-R", "u+w", fullDir], { stdio: "ignore" });
+        execFileSync2("chmod", ["-R", "u+w", fullDir], { stdio: "ignore" });
       }
     } catch {
     }
   }
   const protectedFiles = [".env", ".gitignore", ".mcp.json", "policy.json"];
   for (const file of protectedFiles) {
-    const fullPath = resolve(file);
-    if (!existsSync(fullPath)) continue;
+    const fullPath = resolve2(file);
+    if (!existsSync2(fullPath)) continue;
     try {
       if (process.platform === "win32") {
         try {
-          execFileSync("icacls", [fullPath, "/remove:d", "*S-1-1-0", "/Q"], { stdio: "ignore" });
+          execFileSync2("icacls", [fullPath, "/remove:d", "*S-1-1-0", "/Q"], { stdio: "ignore" });
         } catch {
         }
         try {
-          execFileSync("attrib", ["-R", fullPath], { stdio: "ignore" });
+          execFileSync2("attrib", ["-R", fullPath], { stdio: "ignore" });
         } catch {
         }
       } else {
         try {
-          execFileSync("chattr", ["-i", fullPath], { stdio: "ignore" });
+          execFileSync2("chattr", ["-i", fullPath], { stdio: "ignore" });
         } catch {
         }
-        execFileSync("chmod", ["u+w", fullPath], { stdio: "ignore" });
+        execFileSync2("chmod", ["u+w", fullPath], { stdio: "ignore" });
       }
     } catch {
     }
@@ -259,26 +469,26 @@ function unlockProtectedDirs() {
 }
 function installHooks(selectedTools = [], wrappedMcpConfig) {
   unlockProtectedDirs();
-  const hooksDir = resolve(".solongate", "hooks");
-  mkdirSync(hooksDir, { recursive: true });
+  const hooksDir = resolve2(".solongate", "hooks");
+  mkdirSync2(hooksDir, { recursive: true });
   const hookFiles = ["guard.mjs", "audit.mjs", "stop.mjs"];
   let hooksUpdated = 0;
   let hooksSkipped = 0;
   for (const filename of hookFiles) {
-    const hookPath = join(hooksDir, filename);
-    const latest = readHookScript(filename);
+    const hookPath = join2(hooksDir, filename);
+    const latest = filename === "guard.mjs" ? readGuardForGlobal() : readHookScript(filename);
     let needsWrite = true;
-    if (existsSync(hookPath)) {
-      const current = readFileSync(hookPath, "utf-8");
+    if (existsSync2(hookPath)) {
+      const current = readFileSync2(hookPath, "utf-8");
       if (current === latest) {
         needsWrite = false;
         hooksSkipped++;
       }
     }
     if (needsWrite) {
-      writeFileSync(hookPath, latest);
+      writeFileSync2(hookPath, latest);
       hooksUpdated++;
-      console.log(`  ${existsSync(hookPath) ? "Updated" : "Created"} ${hookPath}`);
+      console.log(`  ${existsSync2(hookPath) ? "Updated" : "Created"} ${hookPath}`);
     }
   }
   if (hooksSkipped > 0 && hooksUpdated === 0) {
@@ -292,8 +502,8 @@ function installHooks(selectedTools = [], wrappedMcpConfig) {
   const activatedNames = [];
   const skippedNames = [];
   for (const client of clients) {
-    const clientDir = resolve(client.dir);
-    mkdirSync(clientDir, { recursive: true });
+    const clientDir = resolve2(client.dir);
+    mkdirSync2(clientDir, { recursive: true });
     const guardCmd = `node .solongate/hooks/guard.mjs ${client.agentId} "${client.agentName}"`;
     const auditCmd = `node .solongate/hooks/audit.mjs ${client.agentId} "${client.agentName}"`;
     const stopCmd = `node .solongate/hooks/stop.mjs ${client.agentId} "${client.agentName}"`;
@@ -320,7 +530,7 @@ function installHooks(selectedTools = [], wrappedMcpConfig) {
   }
 }
 function installStandardHookConfig(clientDir, clientName, guardCmd, auditCmd, stopCmd) {
-  const settingsPath = join(clientDir, "settings.json");
+  const settingsPath = join2(clientDir, "settings.json");
   const hookSettings = {
     PreToolUse: [
       { matcher: "", hooks: [{ type: "command", command: guardCmd }] }
@@ -334,22 +544,22 @@ function installStandardHookConfig(clientDir, clientName, guardCmd, auditCmd, st
   };
   let existing = {};
   try {
-    existing = JSON.parse(readFileSync(settingsPath, "utf-8"));
+    existing = JSON.parse(readFileSync2(settingsPath, "utf-8"));
   } catch {
   }
   const merged = { ...existing, hooks: hookSettings };
   const mergedStr = JSON.stringify(merged, null, 2) + "\n";
-  const existingStr = existsSync(settingsPath) ? readFileSync(settingsPath, "utf-8") : "";
+  const existingStr = existsSync2(settingsPath) ? readFileSync2(settingsPath, "utf-8") : "";
   if (mergedStr === existingStr) return "skipped";
-  writeFileSync(settingsPath, mergedStr);
+  writeFileSync2(settingsPath, mergedStr);
   console.log(`  ${existingStr ? "Updated" : "Created"} ${settingsPath}`);
   return "installed";
 }
 function installGeminiConfig(clientDir, guardCmd, auditCmd, _stopCmd, wrappedMcpConfig) {
-  const settingsPath = join(clientDir, "settings.json");
+  const settingsPath = join2(clientDir, "settings.json");
   let existing = {};
   try {
-    existing = JSON.parse(readFileSync(settingsPath, "utf-8"));
+    existing = JSON.parse(readFileSync2(settingsPath, "utf-8"));
   } catch {
   }
   const merged = { ...existing };
@@ -377,17 +587,17 @@ function installGeminiConfig(clientDir, guardCmd, auditCmd, _stopCmd, wrappedMcp
     ]
   };
   const mergedStr = JSON.stringify(merged, null, 2) + "\n";
-  const existingStr = existsSync(settingsPath) ? readFileSync(settingsPath, "utf-8") : "";
+  const existingStr = existsSync2(settingsPath) ? readFileSync2(settingsPath, "utf-8") : "";
   if (mergedStr === existingStr) return "skipped";
-  writeFileSync(settingsPath, mergedStr);
+  writeFileSync2(settingsPath, mergedStr);
   console.log(`  ${existingStr ? "Updated" : "Created"} ${settingsPath}`);
   return "installed";
 }
 function ensureEnvFile() {
   let envChanged = false;
   let gitignoreChanged = false;
-  const envPath = resolve(".env");
-  if (!existsSync(envPath)) {
+  const envPath = resolve2(".env");
+  if (!existsSync2(envPath)) {
     const envContent = `# SolonGate Configuration
 # IMPORTANT: Never commit this file to git!
 
@@ -398,25 +608,25 @@ SOLONGATE_API_KEY=sg_live_your_key_here
 # Enable with: npx @solongate/proxy --ai-judge ...
 GROQ_API_KEY=gsk_your_groq_key_here
 `;
-    writeFileSync(envPath, envContent);
+    writeFileSync2(envPath, envContent);
     console.log(`  Created .env`);
     console.log(`  \u2192 Set your API key in .env (get one at https://dashboard.solongate.com)`);
     envChanged = true;
   } else {
-    const existingEnv = readFileSync(envPath, "utf-8");
+    const existingEnv = readFileSync2(envPath, "utf-8");
     if (!existingEnv.includes("SOLONGATE_API_KEY")) {
       const separator = existingEnv.endsWith("\n") ? "" : "\n";
       const appendContent = `${separator}
 # SolonGate API key \u2014 get one at https://dashboard.solongate.com
 SOLONGATE_API_KEY=sg_live_your_key_here
 `;
-      writeFileSync(envPath, existingEnv + appendContent);
+      writeFileSync2(envPath, existingEnv + appendContent);
       console.log(`  Updated .env (added SOLONGATE_API_KEY)`);
       console.log(`  \u2192 Set your API key in .env (get one at https://dashboard.solongate.com)`);
       envChanged = true;
     }
   }
-  const gitignorePath = resolve(".gitignore");
+  const gitignorePath = resolve2(".gitignore");
   const requiredLines = [
     ".env",
     ".env.local",
@@ -425,19 +635,19 @@ SOLONGATE_API_KEY=sg_live_your_key_here
     ".claude/**",
     ".gemini/**"
   ];
-  if (existsSync(gitignorePath)) {
-    let gitignore = readFileSync(gitignorePath, "utf-8");
+  if (existsSync2(gitignorePath)) {
+    let gitignore = readFileSync2(gitignorePath, "utf-8");
     const existingLines = new Set(gitignore.split("\n").map((l) => l.trim()));
     const missing = requiredLines.filter((line) => !existingLines.has(line));
     if (missing.length > 0) {
       gitignore = gitignore.trimEnd() + "\n\n# SolonGate\n" + missing.join("\n") + "\n";
-      writeFileSync(gitignorePath, gitignore);
+      writeFileSync2(gitignorePath, gitignore);
       console.log(`  Updated .gitignore (+${missing.length} entries)`);
       gitignoreChanged = true;
     }
   } else {
     const content = "# SolonGate\n" + requiredLines.join("\n") + "\nnode_modules/\n";
-    writeFileSync(gitignorePath, content);
+    writeFileSync2(gitignorePath, content);
     console.log(`  Created .gitignore`);
     gitignoreChanged = true;
   }
@@ -448,6 +658,28 @@ SOLONGATE_API_KEY=sg_live_your_key_here
 }
 async function main() {
   const options = parseInitArgs(process.argv);
+  if (options.global) {
+    console.log("");
+    console.log(`  ${c.bold}SolonGate \u2014 Global Install${c.reset}`);
+    console.log("");
+    if (options.restore) {
+      runGlobalRestore();
+    } else {
+      await runGlobalInstall({ apiKey: options.apiKey });
+      console.log("");
+      console.log("  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510");
+      console.log("  \u2502  Global enforcement active.                     \u2502");
+      console.log("  \u2502  Every Claude Code session on this machine is   \u2502");
+      console.log("  \u2502  now guarded by your cloud policy (OPA WASM).   \u2502");
+      console.log("  \u2502                                                 \u2502");
+      console.log("  \u2502  Undo:  init --global --restore                 \u2502");
+      console.log("  \u2502  Logs:  https://dashboard.solongate.com         \u2502");
+      console.log("  \u2502  Restart Claude Code to apply.                  \u2502");
+      console.log("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
+    }
+    console.log("");
+    return;
+  }
   const fullBanner = BANNER_FULL;
   const mediumBanner = [
     " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557",
@@ -556,9 +788,9 @@ async function main() {
   console.log("");
   let apiKey = options.apiKey || process.env.SOLONGATE_API_KEY || "";
   if (!apiKey) {
-    const envPath = resolve(".env");
-    if (existsSync(envPath)) {
-      const envContent = readFileSync(envPath, "utf-8");
+    const envPath = resolve2(".env");
+    if (existsSync2(envPath)) {
+      const envContent = readFileSync2(envPath, "utf-8");
       const match = envContent.match(/^SOLONGATE_API_KEY=(sg_(?:live|test)_\w+)/m);
       if (match) apiKey = match[1];
     }
@@ -583,8 +815,8 @@ async function main() {
   }
   let policyValue;
   if (options.policy) {
-    const policyPath = resolve(options.policy);
-    if (existsSync(policyPath)) {
+    const policyPath = resolve2(options.policy);
+    if (existsSync2(policyPath)) {
       policyValue = `./${options.policy}`;
       console.log(`  Policy:  ${policyPath}`);
     } else {
@@ -592,8 +824,8 @@ async function main() {
       process.exit(1);
     }
   } else {
-    const defaultPolicy = resolve("policy.json");
-    if (existsSync(defaultPolicy)) {
+    const defaultPolicy = resolve2("policy.json");
+    if (existsSync2(defaultPolicy)) {
       policyValue = "./policy.json";
       console.log(`  Policy:  ${defaultPolicy} (auto-detected)`);
     } else {
@@ -612,7 +844,7 @@ async function main() {
       newConfig.mcpServers[name] = config.mcpServers[name];
     }
   }
-  const currentContent = readFileSync(configInfo.path, "utf-8");
+  const currentContent = readFileSync2(configInfo.path, "utf-8");
   let newContent;
   if (configInfo.type === "claude-desktop") {
     const original = JSON.parse(currentContent);
@@ -625,7 +857,7 @@ async function main() {
   if (newContent === currentContent) {
     stopSpinner("\u2713 Config already up to date");
   } else {
-    writeFileSync(configInfo.path, newContent);
+    writeFileSync2(configInfo.path, newContent);
     stopSpinner("\u2713 Config updated");
   }
   console.log("");