rigortype 0.0.9 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b054649005dbeb85c95236ebfba7fe7540e52c10c60aff095fbce81d5b589d67
-  data.tar.gz: 9d879aa46bf37164f52f31786bade4d0ede52203d140cf0a2b1571f23160cd7d
+  metadata.gz: 257469533556c55164c5dbb9ea351c142ea600b17a90b6f9e632b5307bbbac08
+  data.tar.gz: be2141e8f53748716bd7f19e95632a1fab17fde8110dd824d981baaf2522371c
 SHA512:
-  metadata.gz: ae684fc0749faa78117d85c75550b19e6a8e83b53172feea275d9ae1d804cec4f77d187b7ea4ae66e3035ed722bca0636622785f8537a3c42c9eb4ed9dc10b90
-  data.tar.gz: 340b93e08cfcbf7050d6f908aa16e0508250df0cf0d727fb7f5a81f02b312248ee62e403d0046d2c8230cfb71821f4c64d63634bed3eeec276105ad4e663be17
+  metadata.gz: 221248b2968dcd5d11963197468407ffbc34f2c41b79aa45321a5171e8183817e1ed67fbac37c852c6f22c910b065fef7214cf5f5ef2f03ec6f3c2aef5cce213
+  data.tar.gz: d2b096836618fd21a44810aa7c87bad2b0fd28a90baf395dd206ece02844d65819f1ab0cc80ea7a956a4b590351a4f67572be959d8b4effc9d086ff120498e2e

data/README.md

@@ -1,7 +1,8 @@
 # Rigor
 
 [![Gem Version](https://badge.fury.io/rb/rigortype.svg?icon=si%3Arubygems)](https://badge.fury.io/rb/rigortype)
-![GitHub License](https://img.shields.io/github/license/rigortype/rigor)
+[![GitHub License](https://img.shields.io/github/license/rigortype/rigor)](https://github.com/rigortype/rigor/blob/master/LICENSE)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/rigortype/rigor)
 
 **Inference-first static analysis for Ruby.** Add Rigor to your
 Gemfile and run `rigor check` over your code — no annotations,
@@ -207,6 +208,12 @@ genuinely proved.
 
 ### Where the type model is documented
 
+- **End-user handbook** — chapter-by-chapter walkthrough of
+  the type model written for Ruby programmers without prior
+  static-typing background:
+  [`docs/handbook/`](docs/handbook/README.md). Start here if
+  you want a guided tour of how Rigor sees your code rather
+  than a spec deep-dive.
 - One-page mental model:
   [`docs/types.md`](docs/types.md).
 - Binding spec corpus:
@@ -366,6 +373,37 @@ The full per-release surface lives in
 analyzer guarantees live under
 [`docs/internal-spec/`](docs/internal-spec/).
 
+## Plugins (v0.1.0)
+
+`v0.1.0` adds an extension API so projects can teach Rigor about
+their own DSLs. Six worked examples ship under
+[`examples/`](examples/) — each is a fully-shaped plugin gem
+with a runnable demo and an end-to-end integration spec, and
+each spotlights a different facet of the plugin contract:
+
+- [`rigor-deprecations`](examples/rigor-deprecations/) —
+  smallest possible plugin (~80 lines); config-driven rules.
+- [`rigor-lisp-eval`](examples/rigor-lisp-eval/) — typing literal
+  AST arguments at a method call.
+- [`rigor-statesman`](examples/rigor-statesman/) — two-pass DSL
+  analysis (collect declarations, then validate references).
+- [`rigor-pattern`](examples/rigor-pattern/) — plugin →
+  analyzer collaboration via `Scope#type_of` and the
+  literal-string carrier.
+- [`rigor-units`](examples/rigor-units/) — local-variable flow
+  tracking through arithmetic.
+- [`rigor-routes`](examples/rigor-routes/) — `Plugin::IoBoundary`
+  reads under `TrustPolicy` plus cache producers (slice 2 +
+  slice 6) — the most architecturally complete example.
+
+[`examples/README.md`](examples/README.md) is the plugin
+authoring landing page — comparison table, recommended reading
+order, and the architectural map of which surface each example
+exercises. The binding contract for the plugin API lives in
+[`docs/adr/2-extension-api.md`](docs/adr/2-extension-api.md)
+and the slice-by-slice normative specs under
+[`docs/internal-spec/plugin*.md`](docs/internal-spec/).
+
 ## Configuration
 
 `rigor init` writes a starter `.rigor.yml`:
@@ -421,4 +459,4 @@ skill documentation contributors should know about.
 
 Mozilla Public License Version 2.0. See [`LICENSE`](LICENSE).
 </content>
-</invoke>
+</invoke>

data/lib/rigor/analysis/check_rules.rb

@@ -42,19 +42,25 @@ module Rigor
     # the first preview; later slices broaden it.
     # rubocop:disable Metrics/ModuleLength
     module CheckRules
-      # Stable identifiers for each rule. Used by the
-      # configuration `disable:` list and the in-source
-      # `# rigor:disable <rule>` suppression comment system
-      # to identify diagnostics by category. Rule identifiers
-      # are kebab-case strings; new rules MUST register here
-      # so user configuration can refer to them.
-      RULE_UNDEFINED_METHOD = "undefined-method"
-      RULE_WRONG_ARITY = "wrong-arity"
-      RULE_ARGUMENT_TYPE = "argument-type-mismatch"
-      RULE_NIL_RECEIVER = "possible-nil-receiver"
-      RULE_DUMP_TYPE = "dump-type"
-      RULE_ASSERT_TYPE = "assert-type"
-      RULE_ALWAYS_RAISES = "always-raises"
+      # Canonical identifiers for each rule. Per ADR-8 §
+      # "Diagnostic ID family hierarchy", rule names are
+      # `family.rule-name` two-segment strings; the families
+      # group diagnostics by where they originate
+      # (`call.*` for call-site rules, `flow.*` for flow-analysis
+      # proofs, `assert.*` for runtime-assertion rules,
+      # `dump.*` for debug helpers, `def.*` for method-definition
+      # rules). Used by the configuration `disable:` list and the
+      # in-source `# rigor:disable <rule>` suppression comment
+      # system; new rules MUST register here so user configuration
+      # can refer to them.
+      RULE_UNDEFINED_METHOD = "call.undefined-method"
+      RULE_WRONG_ARITY = "call.wrong-arity"
+      RULE_ARGUMENT_TYPE = "call.argument-type-mismatch"
+      RULE_NIL_RECEIVER = "call.possible-nil-receiver"
+      RULE_DUMP_TYPE = "dump.type"
+      RULE_ASSERT_TYPE = "assert.type-mismatch"
+      RULE_ALWAYS_RAISES = "flow.always-raises"
+      RULE_RETURN_TYPE = "def.return-type-mismatch"
 
       ALL_RULES = [
         RULE_UNDEFINED_METHOD,
@@ -63,9 +69,46 @@ module Rigor
         RULE_NIL_RECEIVER,
         RULE_DUMP_TYPE,
         RULE_ASSERT_TYPE,
-        RULE_ALWAYS_RAISES
+        RULE_ALWAYS_RAISES,
+        RULE_RETURN_TYPE
       ].freeze
 
+      # Backward-compat alias table (ADR-8 § "Backward
+      # compatibility"). Existing user code with
+      # `# rigor:disable undefined-method` /
+      # `disable: [undefined-method]` keeps working — the
+      # legacy unprefixed identifiers map to their canonical
+      # `family.rule-name` form here. Removing the aliases is
+      # a future ADR once user code has migrated; until then,
+      # both spellings resolve identically.
+      LEGACY_RULE_ALIASES = {
+        "undefined-method" => RULE_UNDEFINED_METHOD,
+        "wrong-arity" => RULE_WRONG_ARITY,
+        "argument-type-mismatch" => RULE_ARGUMENT_TYPE,
+        "possible-nil-receiver" => RULE_NIL_RECEIVER,
+        "dump-type" => RULE_DUMP_TYPE,
+        "assert-type" => RULE_ASSERT_TYPE,
+        "always-raises" => RULE_ALWAYS_RAISES
+      }.freeze
+
+      # Family wildcard — a `<family>` token in a suppression
+      # comment or `disable:` list disables every rule whose
+      # canonical id starts with `<family>.`. Per ADR-8 § "1".
+      RULE_FAMILIES = %w[call flow assert dump def].freeze
+
+      # Resolves a user-supplied rule token (`undefined-method`,
+      # `call.undefined-method`, or the family wildcard `call`)
+      # to the set of canonical rule identifiers it disables.
+      # Returns `nil` for `"all"` (the existing wildcard meaning
+      # "every rule"), or for unknown tokens.
+      def self.resolve_rule_token(token)
+        return nil if token == "all"
+        return [LEGACY_RULE_ALIASES.fetch(token)] if LEGACY_RULE_ALIASES.key?(token)
+        return ALL_RULES.select { |r| r.start_with?("#{token}.") } if RULE_FAMILIES.include?(token)
+
+        ALL_RULES.include?(token) ? [token] : []
+      end
+
       module_function
 
       # Yields diagnostics for every unrecognised method call on
@@ -78,35 +121,31 @@ module Rigor
       # @param root [Prism::Node]
       # @param scope_index [Hash{Prism::Node => Rigor::Scope}]
       # @return [Array<Rigor::Analysis::Diagnostic>]
-      def diagnose(path:, root:, scope_index:, comments: [], disabled_rules: []) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+      def diagnose(path:, root:, scope_index:, comments: [], disabled_rules: [])
         diagnostics = []
         Source::NodeWalker.each(root) do |node|
-          next unless node.is_a?(Prism::CallNode)
-
-          diagnostic = undefined_method_diagnostic(path, node, scope_index)
-          diagnostics << diagnostic if diagnostic
-
-          arity_diagnostic = wrong_arity_diagnostic(path, node, scope_index)
-          diagnostics << arity_diagnostic if arity_diagnostic
-
-          arg_type_diagnostic = argument_type_diagnostic(path, node, scope_index)
-          diagnostics << arg_type_diagnostic if arg_type_diagnostic
-
-          nil_diagnostic = nil_receiver_diagnostic(path, node, scope_index)
-          diagnostics << nil_diagnostic if nil_diagnostic
-
-          dump_diagnostic = dump_type_diagnostic(path, node, scope_index)
-          diagnostics << dump_diagnostic if dump_diagnostic
-
-          assert_diagnostic = assert_type_diagnostic(path, node, scope_index)
-          diagnostics << assert_diagnostic if assert_diagnostic
-
-          raises_diagnostic = always_raises_diagnostic(path, node, scope_index)
-          diagnostics << raises_diagnostic if raises_diagnostic
+          if node.is_a?(Prism::CallNode)
+            diagnostics.concat(call_node_diagnostics(path, node, scope_index))
+          elsif node.is_a?(Prism::DefNode)
+            return_diagnostic = return_type_mismatch_diagnostic(path, node, scope_index)
+            diagnostics << return_diagnostic if return_diagnostic
+          end
         end
         filter_suppressed(diagnostics, comments: comments, disabled_rules: disabled_rules)
       end
 
+      def call_node_diagnostics(path, node, scope_index)
+        [
+          undefined_method_diagnostic(path, node, scope_index),
+          wrong_arity_diagnostic(path, node, scope_index),
+          argument_type_diagnostic(path, node, scope_index),
+          nil_receiver_diagnostic(path, node, scope_index),
+          dump_type_diagnostic(path, node, scope_index),
+          assert_type_diagnostic(path, node, scope_index),
+          always_raises_diagnostic(path, node, scope_index)
+        ].compact
+      end
+
       # v0.0.2 #6 — diagnostic suppression. Two kinds of
       # suppression compose:
       #
@@ -125,7 +164,7 @@ module Rigor
       # silence away.
       def filter_suppressed(diagnostics, comments:, disabled_rules:)
         suppressions = parse_suppression_comments(comments)
-        disabled = disabled_rules.to_set(&:to_s)
+        disabled = expand_rule_tokens(disabled_rules)
 
         diagnostics.reject do |diagnostic|
           rule = diagnostic.rule
@@ -137,7 +176,7 @@ module Rigor
         end
       end
 
-      SUPPRESSION_PATTERN = /#\s*rigor:disable\s+(?<rules>[\w,\s-]+)/
+      SUPPRESSION_PATTERN = /#\s*rigor:disable\s+(?<rules>[\w.,\s-]+)/
       private_constant :SUPPRESSION_PATTERN
 
       def parse_suppression_comments(comments)
@@ -148,11 +187,29 @@ module Rigor
           next if match.nil?
 
           rules = match[:rules].to_s.split(/[\s,]+/).reject(&:empty?)
-          rules.each { |rule| result[comment.location.start_line] << rule }
+          rules.each { |token| result[comment.location.start_line].merge(expand_token(token)) }
         end
         result
       end
 
+      # Expands a list of user-supplied rule tokens into the
+      # canonical-id set per ADR-8 § "Backward compatibility".
+      # `disabled_rules` accepts unprefixed legacy names
+      # (`undefined-method`), canonical names
+      # (`call.undefined-method`), and family wildcards (`call`).
+      def expand_rule_tokens(tokens)
+        Array(tokens).each_with_object(Set.new) do |token, set|
+          set.merge(expand_token(token.to_s))
+        end
+      end
+
+      def expand_token(token)
+        return ["all"] if token == "all"
+
+        resolved = resolve_rule_token(token)
+        resolved.nil? || resolved.empty? ? [token] : resolved
+      end
+
       # rubocop:disable Metrics/ClassLength
       class << self
         private
@@ -792,6 +849,137 @@ module Rigor
             severity: :error
           )
         end
+
+        # ADR-8 § "`def.return-type-mismatch` rule" — flags a
+        # `def m(...) ... end` whose body's last expression's
+        # type cannot satisfy the RBS-declared return type.
+        # Conservative envelope (v0.1.x first cut):
+        #
+        # - Skips methods without an RBS declaration. The rule
+        #   has no contract to compare against for source-only
+        #   methods.
+        # - Skips methods whose enclosing class isn't a
+        #   `Type::Singleton` self_type that we can name (top-
+        #   level / module-level methods land outside the rule).
+        # - Skips methods whose body's last expression is
+        #   absent or types as `Dynamic[top]` (the analyzer's
+        #   fail-soft fallback) — emitting on `Dynamic[top]`
+        #   would be noise.
+        # - Compares the inferred body type against the
+        #   declared return via `accepts?`:
+        #     :yes   → silent
+        #     :no    → emit at :error (severity_profile may
+        #              re-stamp; default `balanced` keeps the
+        #              authored severity).
+        #     :maybe → emit at :warning. Promoted to :error
+        #              under `severity_profile: strict` per
+        #              ADR-8 § "Severity profile".
+        def return_type_mismatch_diagnostic(path, def_node, scope_index) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+          return nil if def_node.body.nil?
+
+          last_expr = body_last_expression(def_node.body)
+          return nil if last_expr.nil?
+
+          inner_scope = scope_index[last_expr] || scope_index[def_node.body] || scope_index[def_node]
+          return nil if inner_scope.nil?
+
+          declared = declared_return_type(def_node, scope_index)
+          return nil if declared.nil?
+
+          inferred = inner_scope.type_of(last_expr)
+          return nil if dynamic_top?(inferred)
+
+          severity = compare_return(declared, inferred)
+          return nil if severity.nil?
+
+          build_return_type_mismatch_diagnostic(path, def_node, declared, inferred, severity)
+        end
+
+        # The body of a `def` is the last `Prism::StatementsNode`
+        # child (or a single expression for one-liner defs).
+        # Take the last statement; that's the implicit return.
+        def body_last_expression(body)
+          case body
+          when Prism::StatementsNode then body.body.last
+          when Prism::BeginNode then body_last_expression(body.statements)
+          else body
+          end
+        end
+
+        # Pulls the declared RBS return type for the def. The
+        # enclosing class name comes from the def's scope's
+        # `self_type`; the method name is on the def itself.
+        # `def self.foo` is a singleton method — dispatched
+        # through `Reflection.singleton_method_definition`;
+        # plain `def foo` uses `instance_method_definition`.
+        # Method overloads contribute their union of declared
+        # return types (any one of them satisfying the body
+        # silences the rule).
+        def declared_return_type(def_node, scope_index)
+          scope = scope_index[def_node]
+          return nil if scope.nil?
+
+          self_type = scope.self_type
+          return nil unless self_type.respond_to?(:class_name)
+
+          method_def =
+            if def_node.receiver.nil?
+              Reflection.instance_method_definition(self_type.class_name, def_node.name, scope: scope)
+            else
+              Reflection.singleton_method_definition(self_type.class_name, def_node.name, scope: scope)
+            end
+          return nil if method_def.nil?
+
+          declared_return_union(method_def, scope.environment)
+        end
+
+        def declared_return_union(method_def, _environment)
+          translated = method_def.method_types.filter_map do |mt|
+            Inference::RbsTypeTranslator.translate(
+              mt.type.return_type,
+              self_type: nil, instance_type: nil, type_vars: {}
+            )
+          rescue StandardError
+            nil
+          end
+          return nil if translated.empty?
+
+          translated.size == 1 ? translated.first : Type::Combinator.union(*translated)
+        end
+
+        def dynamic_top?(type)
+          type.is_a?(Type::Dynamic) || (type.respond_to?(:top?) && type.top?.yes?)
+        end
+
+        # Returns the severity to emit at, or nil to stay
+        # silent. The first-cut implementation only fires on
+        # proven (`:no`) mismatches; `:maybe` is treated as
+        # silent until the analyzer's narrowing becomes precise
+        # enough to avoid noise on common patterns (`{}` →
+        # declared `Hash[K, V]`, `Set.new` → declared
+        # `Set[Symbol]`, …). ADR-8's promise to emit on
+        # `:maybe` under `severity_profile: strict` is
+        # deferred to a follow-up that lands together with the
+        # narrowing precision improvements.
+        def compare_return(declared, inferred)
+          result = declared.accepts(inferred)
+          return :error if result.no?
+
+          nil
+        end
+
+        def build_return_type_mismatch_diagnostic(path, def_node, declared, inferred, severity)
+          location = def_node.name_loc || def_node.location
+          Diagnostic.new(
+            rule: RULE_RETURN_TYPE,
+            path: path,
+            line: location.start_line,
+            column: location.start_column + 1,
+            message: "return-type mismatch on `#{def_node.name}': " \
+                     "declared #{declared.describe(:short)}, inferred #{inferred.describe(:short)}",
+            severity: severity
+          )
+        end
       end
       # rubocop:enable Metrics/ClassLength
     end

data/lib/rigor/analysis/diagnostic.rb

@@ -64,8 +64,22 @@ module Rigor
         }
       end
 
+      # Text rendering for `rigor check`. The qualified rule
+      # identifier (per ADR-2 § "Plugin Diagnostic Provenance" —
+      # `plugin.<id>.<rule>`, `rbs_extended.<rule>`,
+      # `generated.<provider>.<rule>`) is appended in brackets
+      # whenever the diagnostic carries a non-default `source_family`,
+      # so plugin / RBS::Extended / generated provenance is visible
+      # in the standard text output without changing the layout for
+      # built-in rules. Slice 5 (v0.1.0) wires this surface.
       def to_s
-        "#{path}:#{line}:#{column}: #{severity}: #{message}"
+        base = "#{path}:#{line}:#{column}: #{severity}: #{message}"
+        return base if source_family == DEFAULT_SOURCE_FAMILY
+
+        qualified = qualified_rule
+        return base if qualified.nil?
+
+        "#{base} [#{qualified}]"
       end
     end
   end

data/lib/rigor/analysis/runner.rb

@@ -5,6 +5,9 @@ require "prism"
 require_relative "../environment"
 require_relative "../scope"
 require_relative "../cache/store"
+require_relative "../plugin"
+require_relative "../reflection"
+require_relative "../type/combinator"
 require_relative "../inference/coverage_scanner"
 require_relative "../inference/scope_indexer"
 require_relative "../inference/method_dispatcher/file_folding"
@@ -18,7 +21,7 @@ module Rigor
       RUBY_GLOB = "**/*.rb"
       DEFAULT_CACHE_ROOT = ".rigor/cache"
 
-      attr_reader :cache_store
+      attr_reader :cache_store, :plugin_registry
 
       # @param configuration [Rigor::Configuration]
       # @param explain [Boolean] surface fail-soft fallback events
@@ -30,10 +33,13 @@ module Rigor
       #   v0.0.9 group A slice 1 introduces the surface; later
       #   slices route real producers through it.
       def initialize(configuration:, explain: false,
-                     cache_store: Cache::Store.new(root: DEFAULT_CACHE_ROOT))
+                     cache_store: Cache::Store.new(root: DEFAULT_CACHE_ROOT),
+                     plugin_requirer: nil)
         @configuration = configuration
         @explain = explain
         @cache_store = cache_store
+        @plugin_requirer = plugin_requirer
+        @plugin_registry = Plugin::Registry::EMPTY
       end
 
       # Walks every Ruby file under `paths`, parses it, builds a
@@ -53,16 +59,188 @@ module Rigor
           signature_paths: @configuration.signature_paths,
           cache_store: @cache_store
         )
+
+        @plugin_registry = load_plugins
         expansion = expand_paths(paths)
 
-        diagnostics = expansion.fetch(:errors)
+        diagnostics = plugin_load_diagnostics
+        diagnostics += expansion.fetch(:errors)
         diagnostics += expansion.fetch(:files).flat_map { |path| analyze_file(path, environment) }
 
-        Result.new(diagnostics: diagnostics)
+        Result.new(diagnostics: apply_severity_profile(diagnostics))
       end
 
       private
 
+      # Loads project-configured plugins through {Rigor::Plugin::Loader}
+      # and returns the resulting {Rigor::Plugin::Registry}. Loader
+      # failures are isolated: each surfaces as a `:plugin_loader`
+      # diagnostic on the run's `Result` rather than aborting the
+      # analysis. Plugins that load successfully but contribute no
+      # protocol hooks are inert in slice 1; later v0.1.0 slices
+      # wire the contribution merger through this registry.
+      def load_plugins
+        return Plugin::Registry::EMPTY if @configuration.plugins.empty?
+
+        services = Plugin::Services.new(
+          reflection: Reflection,
+          type: Type::Combinator,
+          configuration: @configuration,
+          cache_store: @cache_store,
+          trust_policy: build_trust_policy
+        )
+        if @plugin_requirer
+          Plugin::Loader.load(configuration: @configuration, services: services, requirer: @plugin_requirer)
+        else
+          Plugin::Loader.load(configuration: @configuration, services: services)
+        end
+      end
+
+      # Builds the {Rigor::Plugin::TrustPolicy} for this run. Trusted
+      # gems are the gem-name half of every entry in
+      # `Configuration#plugins`. Allowed read roots default to the
+      # project root (CWD), the project's signature_paths, and each
+      # trusted gem's `Gem::Specification#full_gem_path`, plus any
+      # extras the user listed under `plugins_io.allowed_paths`.
+      # Slice 2 keeps `network_policy` `:disabled` — the only value
+      # the configuration accepts today.
+      def build_trust_policy
+        trusted_gems = @configuration.plugins.map { |entry| trusted_gem_name(entry) }.uniq
+        roots = [Dir.pwd]
+        Array(@configuration.signature_paths).each { |sp| roots << File.expand_path(sp) }
+        trusted_gems.each do |gem_name|
+          path = trusted_gem_root(gem_name)
+          roots << path if path
+        end
+        @configuration.plugins_io_allowed_paths.each { |p| roots << File.expand_path(p) }
+
+        Plugin::TrustPolicy.new(
+          trusted_gems: trusted_gems,
+          allowed_read_roots: roots,
+          network_policy: @configuration.plugins_io_network
+        )
+      end
+
+      def trusted_gem_name(entry)
+        case entry
+        when String then entry
+        when Hash then entry["gem"] || entry["id"]
+        end
+      end
+
+      def trusted_gem_root(gem_name)
+        return nil if gem_name.nil? || gem_name.empty?
+
+        spec = Gem.loaded_specs[gem_name]
+        spec&.full_gem_path # rigor:disable undefined-method
+      rescue StandardError
+        nil
+      end
+
+      # ADR-8 § "Severity profile" — re-stamps each diagnostic's
+      # severity from the configured profile + per-rule
+      # overrides. Rules emit with their authored severity; the
+      # profile is the final filter. Diagnostics whose resolved
+      # severity is `:off` are dropped from the run result.
+      def apply_severity_profile(diagnostics)
+        diagnostics.filter_map { |diagnostic| stamp_severity(diagnostic) }
+      end
+
+      def stamp_severity(diagnostic)
+        return diagnostic if diagnostic.rule.nil?
+
+        resolved = Configuration::SeverityProfile.resolve(
+          rule: diagnostic.rule,
+          authored_severity: diagnostic.severity,
+          profile: @configuration.severity_profile,
+          overrides: @configuration.severity_overrides
+        )
+        return nil if resolved == :off
+        return diagnostic if resolved == diagnostic.severity
+
+        Diagnostic.new(
+          path: diagnostic.path,
+          line: diagnostic.line,
+          column: diagnostic.column,
+          message: diagnostic.message,
+          severity: resolved,
+          rule: diagnostic.rule,
+          source_family: diagnostic.source_family
+        )
+      end
+
+      def plugin_load_diagnostics
+        @plugin_registry.load_errors.map do |error|
+          Diagnostic.new(
+            path: ".rigor.yml",
+            line: 1,
+            column: 1,
+            message: error.message,
+            severity: :error,
+            rule: "load-error",
+            source_family: :plugin_loader
+          )
+        end
+      end
+
+      # ADR-7 § "Slice 5-A/5-B" — invokes every loaded plugin's
+      # per-file diagnostic emission hook
+      # (`Plugin::Base#diagnostics_for_file`) and re-stamps the
+      # returned diagnostics with
+      # `source_family: "plugin.<manifest.id>"` so plugin
+      # authors cannot accidentally publish under another
+      # plugin's identifier or under `:builtin`. Plugin
+      # exceptions are isolated per ADR-2 § "Plugin Trust and
+      # I/O Policy" — a raise from one plugin becomes a
+      # `:plugin_loader` `runtime-error` diagnostic without
+      # affecting other plugins or the rest of the run.
+      def plugin_emitted_diagnostics(path, root, scope)
+        return [] if @plugin_registry.empty?
+
+        @plugin_registry.plugins.flat_map do |plugin|
+          collect_plugin_diagnostics(plugin, path, root, scope)
+        end
+      end
+
+      def collect_plugin_diagnostics(plugin, path, root, scope)
+        raw = plugin.diagnostics_for_file(path: path, scope: scope, root: root)
+        Array(raw).map { |diagnostic| stamp_plugin_diagnostic(diagnostic, plugin.manifest.id) }
+      rescue StandardError => e
+        [plugin_runtime_error_diagnostic(path, plugin, e)]
+      end
+
+      def stamp_plugin_diagnostic(diagnostic, plugin_id)
+        Diagnostic.new(
+          path: diagnostic.path,
+          line: diagnostic.line,
+          column: diagnostic.column,
+          message: diagnostic.message,
+          severity: diagnostic.severity,
+          rule: diagnostic.rule,
+          source_family: "plugin.#{plugin_id}"
+        )
+      end
+
+      def plugin_runtime_error_diagnostic(path, plugin, error)
+        plugin_id = safe_plugin_id(plugin)
+        Diagnostic.new(
+          path: path,
+          line: 1,
+          column: 1,
+          message: "plugin #{plugin_id.inspect} raised during diagnostics_for_file: " \
+                   "#{error.class}: #{error.message}",
+          severity: :error,
+          rule: "runtime-error",
+          source_family: :plugin_loader
+        )
+      end
+
+      def safe_plugin_id(plugin)
+        plugin.manifest.id
+      rescue StandardError
+        plugin.class.to_s
+      end
+
       # Resolves the user-supplied path list into:
       # - `:files`  — the concrete `.rb` files to analyze.
       # - `:errors` — `Diagnostic` entries for each path that
@@ -111,6 +289,7 @@ module Rigor
           comments: parse_result.comments,
           disabled_rules: @configuration.disabled_rules
         )
+        diagnostics += plugin_emitted_diagnostics(path, parse_result.value, scope)
         diagnostics + explain_diagnostics(path, parse_result.value, scope)
       rescue Errno::ENOENT => e
         [

data/lib/rigor/cache/rbs_class_ancestor_table.rb

@@ -53,7 +53,7 @@ module Rigor
                   .map { |ancestor| ancestor.name.to_s.delete_prefix("::") }
                   .uniq
                   .freeze
-      rescue StandardError
+      rescue ::RBS::BaseError
         nil
       end
 

data/lib/rigor/cache/rbs_class_type_param_names.rb

@@ -50,7 +50,7 @@ module Rigor
         return nil if definition.nil?
 
         definition.type_params.dup.freeze
-      rescue StandardError
+      rescue ::RBS::BaseError
         nil
       end