feat(config): user-level (global) config with per-repo consent (#1559)

* feat(config): user-level (global) config with per-repo consent

Implements the global user config layer from spec docs/tasks/1448-user-level-config.md.

- Registry: userConfig.consent section with get/set/list/clear per-repo decisions
  (TTL-exempt, pruned by missing-path only)
- Config: resolveUserConfigPath (env var → XDG → APPDATA → ~/.codegraph fallback),
  sanitizeUserLayer (absolute dbPath guard), appliesTo glob matching,
  layered merge DEFAULTS → global → project → env → secrets,
  per-layer excludeTests shorthand hoisting
- Consent model: disabled > enabled > appliesTo glob > undecided (§4.1/4.2)
  Non-interactive contexts (CI, MCP, programmatic) never prompt
- loadConfigWithProvenance: per-key source map for --explain
- setUserConfigOverride: CLI preAction hook wires --user-config/--no-user-config
- computeConfigHash: stable hash of build-relevant config keys;
  stored as build_meta.config_hash; triggers full rebuild on change
  (closes pre-existing project-config incremental gap, see #1557)
- promptForConsentIfNeeded: async TTY-gated prompt fired before build
- CLI: codegraph config command (--explain, --enable-global, --disable-global,
  --list-global); global --user-config [path] / --no-user-config flags
- Build pipeline: threads userConfig, emits ℹ notice when global layer
  injects build-affecting keys, stores config_hash in finalize
- Lazy config in options.ts: defers loadConfig until first property access
  so CLI flags are parsed before config is evaluated
- Tests: 26 new unit tests for config-user, 18 new tests for registry consent
- Docs: configuration.md global config section; README pointer

Deferred (#1558): --init / --edit scaffolding helpers

* fix(builder): clear file_hashes on config-triggered full rebuild

When opts.exclude is introduced on a second build, the config hash
changes and promotes to forceFullRebuild. handleFullBuild deleted
nodes/edges but left file_hashes intact, so previously-indexed files
that are now excluded remained visible in file_hashes after the rebuild.

Adds DELETE FROM file_hashes to the full rebuild statement so stale
entries from excluded files are purged. insertNodes then re-inserts
fresh hashes only for the files that were actually collected.

* fix(config): address review feedback on user-level config

- XDG_CONFIG_HOME: honour on all platforms (including Windows) — the
  previous code checked XDG_CONFIG_HOME only on non-Windows, so the
  Windows CI test 'uses XDG_CONFIG_HOME when set' returned null.

- _lastAppliedGlobalPath stale on cache hit (P1): move the assignment
  before the early-return so programmatic callers making multiple
  buildGraph calls in the same process get the correct value for the
  build-time notice (Greptile P1, comment #3418566672).

- Eliminate TOCTOU double file read: add _lastAppliedGlobalConfig
  alongside _lastAppliedGlobalPath; loadConfig populates it once;
  pipeline.ts build notice and loadConfigWithProvenance both read from
  the cache rather than re-opening the file (Greptile P2 comments
  #3418566729, #3418566865).

- Remove void no-op suppressions in loadConfigWithProvenance — both
  variables are read in their respective loops and need no suppression
  (Greptile P2, outside-diff comment).

- Redundant --json branch in codegraph config default case: both
  branches emitted identical JSON; unified into one write; the
  discovery hint on stderr is now suppressed by --json (Greptile P2,
  outside-diff comment).

* fix(config): restore global config cache on loadConfig cache hit

Author: carlos-alm

README.md

@@ -797,6 +797,8 @@ Copy `.github/workflows/codegraph-impact.yml` to your repo, and every PR will ge
 
 Create a `.codegraphrc.json` in your project root to customize behavior. The snippets below cover the most-used keys — see **[docs/guides/configuration.md](docs/guides/configuration.md)** for the full reference (every group, every key, every default).
 
+**Global (user-level) config:** you can also define personal defaults once at `~/.config/codegraph/config.json` and opt individual repos into it with `codegraph config --enable-global`. The global layer merges below the project config so repos always win, and non-interactive contexts (CI, MCP) never apply it without explicit consent. See [docs/guides/configuration.md#user-level-global-configuration](docs/guides/configuration.md#user-level-global-configuration).
+
 ```json
 {
   "include": ["src/**", "lib/**"],

docs/guides/configuration.md

@@ -32,6 +32,97 @@ Leaves `build.dbPath`, `build.driftThreshold`, etc. at their defaults. Arrays ar
 
 ---
 
+## User-level (global) configuration
+
+You can define **personal config defaults once** and reuse them across repositories — without committing anything to any repo, and without ever silently changing a repo's behavior.
+
+**The defining property:** a global config file is inert until a specific repository explicitly consents to it. There is no blanket "apply everywhere" switch.
+
+### Global config file location
+
+Codegraph resolves the global config file in this order:
+
+1. `CODEGRAPH_USER_CONFIG=<path>` env var (location override only — does not force application)
+2. `$XDG_CONFIG_HOME/codegraph/config.json` (Unix/macOS), or `%APPDATA%\codegraph\config.json` (Windows), falling back to `~/.config/codegraph/config.json`
+3. `~/.codegraph/config.json` (legacy fallback, next to `registry.json`)
+
+### Format
+
+The global config file uses the same schema as `.codegraphrc.json`. Two shapes are accepted:
+
+```jsonc
+// Plain config — applies to any repo that has consented
+{ "query": { "defaultLimit": 50 }, "exclude": ["**/*.generated.*"] }
+```
+
+```jsonc
+// With appliesTo — auto-consent for matching repo paths (power-user)
+{
+  "appliesTo": ["~/work/**", "/Users/me/oss/*"],
+  "config": { "query": { "defaultLimit": 50 } }
+}
+```
+
+### Consent model
+
+A global config file has no effect until a repository consents to it. Consent is per-repo and per-machine (stored in `~/.codegraph/registry.json`, never committed):
+
+| Command | Effect |
+|---------|--------|
+| `codegraph config --enable-global` | Record `enabled` consent for the current repo |
+| `codegraph config --disable-global` | Record `disabled` consent for the current repo |
+| `codegraph config --list-global` | List every repo with a recorded decision |
+| `codegraph build` (interactive) | Prompts once if the repo is undecided and a global file exists |
+
+**Non-interactive contexts** (CI, MCP, programmatic use, hooks) never get prompted and default to *off*, keeping builds reproducible.
+
+**Per-run overrides** (do not record consent):
+- `--user-config [path]` — force-on for this run (optional custom path)
+- `--no-user-config` — force-off for this run
+
+### Precedence
+
+```
+DEFAULTS → global (if consented) → project (.codegraphrc.json) → env vars → secrets
+```
+
+- Objects are **deep-merged** (later layers win per key)
+- Arrays and scalars **replace** (project `ignoreDirs` fully replaces global `ignoreDirs`)
+- A project that omits a key inherits from the global layer
+
+### Safety guard
+
+If the global file sets `build.dbPath` to an **absolute path**, codegraph drops that key with a warning (it would make every repo share one database). Relative `dbPath` values are allowed through unchanged.
+
+### Transparency
+
+- `codegraph config` — print the effective config; shows a discovery hint when a global file exists but is not applied
+- `codegraph config --explain` — per-key provenance (`default` / `user` / `project` / `env`) plus consent state and applied file paths
+- Build notice — when the global layer contributes build-affecting keys, codegraph prints a one-line notice: `ℹ global config applied (<path>) — injecting: ...  · --no-user-config to ignore`
+
+### Programmatic API
+
+```typescript
+import { loadConfig, loadConfigWithProvenance } from '@optave/codegraph';
+
+// Normal: honour per-repo consent from registry
+loadConfig('/path/to/repo');
+
+// Force-on: apply the default global file
+loadConfig('/path/to/repo', { userConfig: true });
+
+// Force-on with explicit file
+loadConfig('/path/to/repo', { userConfig: '/path/to/global.json' });
+
+// Force-off
+loadConfig('/path/to/repo', { userConfig: false });
+
+// With provenance info (for tooling)
+const { config, provenance, appliedGlobalPath } = loadConfigWithProvenance('/path/to/repo');
+```
+
+---
+
 ## File selection
 
 Controls which files codegraph parses.

src/cli/commands/build.ts

@@ -16,7 +16,10 @@ export const command: CommandDefinition = {
   ],
   async execute([dir], opts, ctx) {
     const root = path.resolve(dir || '.');
-    const engine = ctx.program.opts().engine;
+    const globalOpts = ctx.program.opts();
+    const engine = globalOpts.engine;
+    // Prompt for global-config consent on interactive TTY builds (§4.3).
+    const promptForConsent = !process.env.CI && !!process.stdin.isTTY && !!process.stdout.isTTY;
     await buildGraph(root, {
       incremental: opts.incremental as boolean,
       ast: opts.ast as boolean,
@@ -25,6 +28,8 @@ export const command: CommandDefinition = {
       dataflow: opts.dataflow as boolean,
       cfg: opts.cfg as boolean,
       dbPath: opts.db ? path.resolve(opts.db as string) : undefined,
+      userConfig: globalOpts.userConfig as string | boolean | undefined,
+      promptForConsent,
     });
   },
 };

src/cli/commands/config.ts

@@ -0,0 +1,151 @@
+import path from 'node:path';
+import {
+  clearConfigCache,
+  loadConfig,
+  loadConfigWithProvenance,
+  resolveUserConfigPath,
+} from '../../infrastructure/config.js';
+import {
+  getUserConfigConsent,
+  listUserConfigConsent,
+  REGISTRY_PATH,
+  setUserConfigConsent,
+} from '../../infrastructure/registry.js';
+import type { CommandDefinition } from '../types.js';
+
+export const command: CommandDefinition = {
+  name: 'config',
+  description: 'Show or manage codegraph configuration (project + user-level global config)',
+  options: [
+    ['-j, --json', 'Output as JSON'],
+    ['--explain', 'Show per-key provenance (default / user / project / env)'],
+    ['--enable-global', 'Record consent to apply the global config to this repo'],
+    ['--disable-global', 'Record consent to skip the global config for this repo'],
+    ['--list-global', 'List all repos with a recorded consent decision'],
+  ],
+  execute(_args, opts, ctx) {
+    const rootDir = path.resolve('.');
+
+    // ── Consent management ─────────────────────────────────────────────
+
+    if (opts.enableGlobal) {
+      setUserConfigConsent(rootDir, 'enabled');
+      clearConfigCache();
+      const globalPath = resolveUserConfigPath();
+      if (!globalPath) {
+        process.stderr.write(
+          `Consent recorded: "enabled" for ${rootDir}\n` +
+            `Note: no global config file found. Create one at ~/.config/codegraph/config.json\n`,
+        );
+      } else {
+        process.stderr.write(
+          `Consent recorded: "enabled" for ${rootDir}\n` + `Global config: ${globalPath}\n`,
+        );
+      }
+      return;
+    }
+
+    if (opts.disableGlobal) {
+      setUserConfigConsent(rootDir, 'disabled');
+      clearConfigCache();
+      process.stderr.write(`Consent recorded: "disabled" for ${rootDir}\n`);
+      return;
+    }
+
+    if (opts.listGlobal) {
+      const entries = listUserConfigConsent(REGISTRY_PATH);
+      if (opts.json) {
+        process.stdout.write(`${JSON.stringify(entries, null, 2)}\n`);
+        return;
+      }
+      if (entries.length === 0) {
+        process.stdout.write('No repos have a recorded global-config consent decision.\n');
+        return;
+      }
+      process.stdout.write('Global config consent decisions:\n\n');
+      for (const { path: p, decision } of entries) {
+        process.stdout.write(
+          `  ${decision === 'enabled' ? '✔' : '✘'} ${decision.padEnd(8)} ${p}\n`,
+        );
+      }
+      return;
+    }
+
+    // ── Explain mode ───────────────────────────────────────────────────
+
+    if (opts.explain) {
+      const { config, provenance, appliedGlobalPath, consentDecision } = loadConfigWithProvenance(
+        rootDir,
+        {
+          userConfig: ctx.program.opts().userConfig,
+        },
+      );
+      const globalPath = resolveUserConfigPath();
+      const consent = getUserConfigConsent(rootDir);
+
+      if (opts.json) {
+        process.stdout.write(
+          `${JSON.stringify(
+            {
+              config,
+              provenance,
+              appliedGlobalPath,
+              globalFilePath: globalPath,
+              consentDecision: consentDecision ?? consent ?? 'undecided',
+            },
+            null,
+            2,
+          )}\n`,
+        );
+        return;
+      }
+
+      // Human-readable explain output
+      process.stdout.write('=== Codegraph config provenance ===\n\n');
+
+      const consentStr = consentDecision ?? consent ?? 'undecided';
+      process.stdout.write(`Global config file : ${globalPath ?? '(none found)'}\n`);
+      process.stdout.write(`Applied this run   : ${appliedGlobalPath ? 'yes' : 'no'}\n`);
+      process.stdout.write(`Consent for repo   : ${consentStr}\n`);
+      process.stdout.write(
+        `  (change with \`codegraph config --enable-global\` or \`--disable-global\`)\n`,
+      );
+
+      if (!globalPath) {
+        process.stdout.write(
+          `\nDiscovery hint: create a global config at ~/.config/codegraph/config.json\n` +
+            `then run \`codegraph config --enable-global\` in repos where you want it applied.\n`,
+        );
+      } else if (!appliedGlobalPath) {
+        process.stdout.write(
+          `\nDiscovery hint: global config exists but is not applied to this repo.\n` +
+            `Run \`codegraph config --enable-global\` to enable it here.\n`,
+        );
+      }
+
+      process.stdout.write('\n--- Per-key provenance ---\n\n');
+      const provenanceEntries = Object.entries(provenance).sort(([a], [b]) => a.localeCompare(b));
+      for (const [key, source] of provenanceEntries) {
+        process.stdout.write(`  ${source.padEnd(8)} ${key}\n`);
+      }
+      return;
+    }
+
+    // ── Default: print effective config ────────────────────────────────
+
+    const globalPath = resolveUserConfigPath();
+    const consent = getUserConfigConsent(rootDir);
+    const config = loadConfig(rootDir, { userConfig: ctx.program.opts().userConfig });
+
+    // Print effective config — always JSON; discovery hint only in non-JSON mode
+    process.stdout.write(`${JSON.stringify(config, null, 2)}\n`);
+
+    if (!opts.json && globalPath && !consent) {
+      process.stderr.write(
+        `\nℹ Global config found at ${globalPath} — not applied to this repo.\n` +
+          `  Run \`codegraph config --enable-global\` to opt in, or\n` +
+          `  \`codegraph config --disable-global\` to dismiss this notice.\n`,
+      );
+    }
+  },
+};

src/cli/index.ts

@@ -2,6 +2,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath, pathToFileURL } from 'node:url';
 import { Command } from 'commander';
+import { setUserConfigOverride } from '../infrastructure/config.js';
 import { setVerbose } from '../infrastructure/logger.js';
 import { checkForUpdates, printUpdateNotification } from '../infrastructure/update-check.js';
 import { ConfigError } from '../shared/errors.js';
@@ -25,9 +26,16 @@ program
   .version(pkg.version)
   .option('-v, --verbose', 'Enable verbose/debug output')
   .option('--engine <engine>', 'Parser engine: native, wasm, or auto (default: auto)', 'auto')
+  .option('--user-config [path]', 'Apply global user config for this run (optional custom path)')
+  .option('--no-user-config', 'Skip global user config for this run')
   .hook('preAction', (thisCommand) => {
     const opts = thisCommand.opts();
     if (opts.verbose) setVerbose(true);
+    // Wire user-config flags into the config loader before any command runs.
+    // Commander sets opts.userConfig = true (bare flag), a string (path), or undefined.
+    // opts.userConfig is false when --no-user-config is passed (Commander negation).
+    const uc = opts.userConfig as string | boolean | undefined;
+    setUserConfigOverride(uc);
   })
   .hook('postAction', async (_thisCommand, actionCommand) => {
     const name = actionCommand.name();

src/cli/shared/options.ts

@@ -1,8 +1,18 @@
 import type { Command } from 'commander';
 import { loadConfig } from '../../infrastructure/config.js';
+import type { CodegraphConfig } from '../../types.js';
 import type { CommandOpts } from '../types.js';
 
-const config = loadConfig(process.cwd());
+// Deferred so global --user-config / --no-user-config flags are parsed
+// before config is first accessed (Commander parses flags before any command
+// action runs, but module-level code executes at import time).
+let _config: CodegraphConfig | undefined;
+const config: CodegraphConfig = new Proxy({} as CodegraphConfig, {
+  get(_t, prop: string) {
+    if (_config === undefined) _config = loadConfig(process.cwd());
+    return _config[prop as keyof CodegraphConfig];
+  },
+}) as CodegraphConfig;
 
 /**
  * Attach the common query options shared by most analysis commands.