rigortype 0.1.1 → 0.1.3

data/lib/rigor/inference/statement_evaluator.rb

@@ -785,6 +785,7 @@ module Rigor
         evaluate_block_if_present(node)
         post_scope = record_closure_escape_if_any(node)
         post_scope = apply_rbs_extended_assertions(node, post_scope)
+        post_scope = apply_plugin_assertions(node, post_scope)
         post_scope = apply_rspec_matcher_narrowing(node, post_scope)
         [call_type, post_scope]
       end
@@ -978,6 +979,61 @@ module Rigor
         end
       end
 
+      # ADR-7 § "Slice 4-A" / T.bind priority slice 2 — applies
+      # the post-return facts plugin contributions produce. This
+      # is the sibling of {apply_rbs_extended_assertions}: the
+      # carrier (`Rigor::FlowContribution::Fact`) and the
+      # downstream narrowing path (`apply_post_return_fact` →
+      # `apply_self_post_return_fact`) are the same; only the
+      # *source* of the bundle changes (RBS::Extended vs the
+      # registered plugins' `flow_contribution_for`).
+      #
+      # `:self`-targeted facts narrow `scope.self_type` for the
+      # surrounding scope. In a block body, the surrounding
+      # scope is the block's own scope, so the narrowing applies
+      # to the rest of the block — exactly the contract Sorbet's
+      # `T.bind(self, T)` commits to.
+      #
+      # `:parameter`-targeted facts only land when the called
+      # method has an authoritative RBS sig (via
+      # `resolve_call_method`); plugins recognising their own
+      # synthetic call shapes (e.g. `T.assert_type!`) have no
+      # method_def and the parameter facts silently skip — the
+      # plugin's own diagnostics_for_file path covers those
+      # cases. The full plugin-side parameter-targeting story
+      # (PHPStan-style Type-Specifying Extensions on
+      # plugin-recognised calls) lives behind a follow-up slice
+      # that introduces `:local` / `:argument_at` target kinds.
+      def apply_plugin_assertions(call_node, current_scope)
+        registry = current_scope.environment&.plugin_registry
+        return current_scope if registry.nil? || registry.empty?
+
+        contributions = collect_plugin_contributions(registry, call_node, current_scope)
+        return current_scope if contributions.empty?
+
+        result = Rigor::FlowContribution::Merger.merge(contributions)
+        post_return = result.post_return_facts
+        return current_scope if post_return.empty?
+
+        method_def = resolve_call_method(call_node, current_scope)
+        post_return.reduce(current_scope) do |scope_acc, fact|
+          apply_post_return_fact(fact, call_node, scope_acc, method_def)
+        end
+      end
+
+      # Walks the registry and collects each plugin's
+      # `flow_contribution_for` result, swallowing per-plugin
+      # exceptions so a buggy plugin can't abort the assertion
+      # path. Mirrors `MethodDispatcher.collect_plugin_contributions`
+      # exactly — the two paths consume the same hook.
+      def collect_plugin_contributions(registry, call_node, current_scope)
+        registry.plugins.filter_map do |plugin|
+          plugin.flow_contribution_for(call_node: call_node, scope: current_scope)
+        rescue StandardError
+          nil
+        end
+      end
+
       def resolve_call_method(call_node, current_scope) # rubocop:disable Metrics/PerceivedComplexity
         receiver_node = call_node.receiver
         receiver_type =
@@ -1064,7 +1120,15 @@ module Rigor
         end
       end
 
-      def lookup_post_return_arg(call_node, method_def, target_name)
+      def lookup_post_return_arg(call_node, method_def, target_name) # rubocop:disable Metrics/CyclomaticComplexity
+        # Plugin-source contributions arrive without an
+        # authoritative method_def (the plugin recognised the
+        # call shape directly). Parameter-targeting falls back
+        # to "no narrow" in that case — the wider plugin-side
+        # parameter mapping (`:local` / `:argument_at`) is a
+        # follow-up slice.
+        return nil if method_def.nil?
+
         arguments = call_node.arguments&.arguments || []
         method_def.method_types.each do |mt|
           params = mt.type.required_positionals + mt.type.optional_positionals

data/lib/rigor/plugin/io_boundary.rb

@@ -27,20 +27,37 @@ module Rigor
     #   the file's contents, and adds a digest-keyed
     #   {Cache::Descriptor::FileEntry} to the boundary's
     #   accumulated descriptor.
-    # - `#open_url(url)` — always raises {AccessDeniedError} while
-    #   `network_policy` is `:disabled` (the only setting in slice
-    #   2). The hook exists so slices 3-6 can layer richer access
-    #   policy without re-defining the API.
+    # - `#open_url(url)` — fetches the URL when the policy
+    #   permits it (`network_policy: :allowlist` plus an
+    #   `allowed_url_hosts` match) and raises
+    #   {AccessDeniedError} otherwise. v0.1.2 ships the
+    #   allowlist surface; the default project policy still
+    #   has `network_policy: :disabled` so plugins that want
+    #   network access opt in explicitly through
+    #   `.rigor.yml`'s `plugins_io.network: allowlist` plus
+    #   `plugins_io.allowed_url_hosts: [...]`. The HTTP fetch
+    #   is GET-only over HTTPS, capped at {URL_TIMEOUT_SECONDS}
+    #   wall time and {URL_MAX_BYTES} body size; non-2xx
+    #   responses raise {AccessDeniedError} so plugin code
+    #   doesn't have to rescue mid-build.
     # - `#cache_descriptor` — flushes the accumulated entries into
     #   a fresh {Cache::Descriptor} for the contribution that
-    #   built it.
+    #   built it. URL fetches contribute `ConfigEntry` rows
+    #   keyed `"url:#{url}"` with the response body's SHA-256
+    #   so contributions invalidate when the remote document
+    #   changes.
     class IoBoundary
+      URL_TIMEOUT_SECONDS = 10
+      URL_MAX_BYTES = 10 * 1024 * 1024
+
       attr_reader :policy, :plugin_id
 
-      def initialize(policy:, plugin_id:)
+      def initialize(policy:, plugin_id:, http_client: DefaultHttpClient.new)
         @policy = policy
         @plugin_id = plugin_id.to_s.dup.freeze
         @file_entries = {}
+        @config_entries = {}
+        @http_client = http_client
         @mutex = Mutex.new
       end
 
@@ -64,30 +81,39 @@ module Rigor
         contents
       end
 
-      # Slice 2 stub: every URL access is denied while
-      # `network_policy` is `:disabled`. Slices that need to relax
-      # the rule (e.g. for opt-in offline-replay caches) will lift
-      # the policy gate; the API does not change.
+      # Fetches the URL when the policy permits it. Returns the
+      # response body. Raises {AccessDeniedError} when the policy
+      # is `:disabled`, the URL scheme is not `https`, the host is
+      # not on the allowlist, the response is non-2xx, the body
+      # exceeds {URL_MAX_BYTES}, or the request times out
+      # ({URL_TIMEOUT_SECONDS}). On success, records a
+      # `ConfigEntry` keyed `"url:#{url}"` with the body's
+      # SHA-256 so the cache descriptor invalidates if the remote
+      # document changes.
       def open_url(url)
-        unless @policy.network_allowed?
+        url_string = url.to_s
+        unless @policy.allow_url?(url_string)
           raise AccessDeniedError.new(
             "plugin #{@plugin_id.inspect} cannot open URL #{url.inspect}: " \
-            "network access is disabled during analysis",
+            "URL is not permitted by the active TrustPolicy " \
+            "(network_policy=#{@policy.network_policy} allowed_url_hosts=#{@policy.allowed_url_hosts.inspect})",
             reason: :network_disabled,
-            resource: url.to_s
+            resource: url_string
           )
         end
 
-        raise NotImplementedError, "URL fetch surface is reserved; slice 2 only ships the deny path"
+        body = @http_client.get(url_string, timeout: URL_TIMEOUT_SECONDS, max_bytes: URL_MAX_BYTES)
+        record_url_entry(url_string, body)
+        body
       end
 
       # @return [Rigor::Cache::Descriptor] frozen snapshot of every
-      #   file the boundary has read so far. Calling this multiple
-      #   times yields equal descriptors; subsequent reads expand
-      #   the underlying record table.
+      #   file / URL the boundary has read so far. Calling this
+      #   multiple times yields equal descriptors; subsequent
+      #   reads expand the underlying record tables.
       def cache_descriptor
-        entries = @mutex.synchronize { @file_entries.values.dup }
-        Cache::Descriptor.new(files: entries)
+        files, configs = @mutex.synchronize { [@file_entries.values.dup, @config_entries.values.dup] }
+        Cache::Descriptor.new(files: files, configs: configs)
       end
 
       private
@@ -97,6 +123,53 @@ module Rigor
         entry = Cache::Descriptor::FileEntry.new(path: path, comparator: :digest, value: digest)
         @mutex.synchronize { @file_entries[path] = entry }
       end
+
+      def record_url_entry(url, body)
+        digest = Digest::SHA256.hexdigest(body)
+        key = "url:#{url}"
+        entry = Cache::Descriptor::ConfigEntry.new(key: key, value_hash: digest)
+        @mutex.synchronize { @config_entries[key] = entry }
+      end
+    end
+
+    # Default HTTP client wrapping `Net::HTTP`. Wraps a single
+    # `GET` over HTTPS. Specs inject a fake client that conforms
+    # to the same `#get(url, timeout:, max_bytes:)` shape so the
+    # tests don't require network access.
+    class DefaultHttpClient
+      # rubocop:disable Metrics/MethodLength
+      def get(url, timeout:, max_bytes:)
+        require "net/http"
+        require "uri"
+
+        uri = URI.parse(url)
+        body = +""
+        Net::HTTP.start(uri.host, uri.port, use_ssl: true,
+                                            open_timeout: timeout,
+                                            read_timeout: timeout) do |http|
+          http.request_get(uri.request_uri) do |response|
+            unless response.is_a?(Net::HTTPSuccess)
+              raise Plugin::AccessDeniedError.new(
+                "URL #{url.inspect} returned non-success status #{response.code}",
+                reason: :url_fetch_failed,
+                resource: url
+              )
+            end
+            response.read_body do |chunk|
+              body << chunk
+              if body.bytesize > max_bytes
+                raise Plugin::AccessDeniedError.new(
+                  "URL #{url.inspect} body exceeds #{max_bytes} bytes",
+                  reason: :url_body_too_large,
+                  resource: url
+                )
+              end
+            end
+          end
+        end
+        body
+      end
+      # rubocop:enable Metrics/MethodLength
     end
   end
 end

data/lib/rigor/plugin/manifest.rb

@@ -37,26 +37,29 @@ module Rigor
         end
       end
 
-      attr_reader :id, :version, :description, :protocols, :config_schema, :produces, :consumes
+      attr_reader :id, :version, :description, :protocols, :config_schema, :produces, :consumes,
+                  :owns_receivers
 
       def initialize( # rubocop:disable Metrics/ParameterLists
         id:, version:,
         description: nil, protocols: [], config_schema: {},
-        produces: [], consumes: []
+        produces: [], consumes: [], owns_receivers: []
       )
         validate_id!(id)
         validate_version!(version)
         validate_protocols!(protocols)
         validate_config_schema!(config_schema)
         validate_produces!(produces)
+        validate_owns_receivers!(owns_receivers)
 
-        assign_fields(id, version, description, protocols, config_schema, produces, consumes)
+        assign_fields(id, version, description, protocols, config_schema, produces, consumes, owns_receivers)
         freeze
       end
 
       private
 
-      def assign_fields(id, version, description, protocols, config_schema, produces, consumes) # rubocop:disable Metrics/ParameterLists
+      # rubocop:disable Metrics/ParameterLists,Metrics/AbcSize
+      def assign_fields(id, version, description, protocols, config_schema, produces, consumes, owns_receivers)
         @id = id.dup.freeze
         @version = version.dup.freeze
         @description = description.nil? ? nil : description.to_s.dup.freeze
@@ -64,7 +67,9 @@ module Rigor
         @config_schema = config_schema.to_h { |k, v| [k.to_s.dup.freeze, v.to_sym] }.freeze
         @produces = produces.map(&:to_sym).freeze
         @consumes = coerce_consumes(consumes)
+        @owns_receivers = owns_receivers.map { |c| c.to_s.dup.freeze }.freeze
       end
+      # rubocop:enable Metrics/ParameterLists,Metrics/AbcSize
 
       public
 
@@ -99,7 +104,8 @@ module Rigor
           "protocols" => protocols.map(&:to_s),
           "config_schema" => config_schema.to_h { |k, v| [k, v.to_s] },
           "produces" => produces.map(&:to_s),
-          "consumes" => consumes.map { |c| consumption_hash(c) }
+          "consumes" => consumes.map { |c| consumption_hash(c) },
+          "owns_receivers" => owns_receivers
         }
       end
 
@@ -166,6 +172,21 @@ module Rigor
         raise ArgumentError, "plugin manifest produces must be an Array of Symbol/String, got #{produces.inspect}"
       end
 
+      # ADR-10 5a — `owns_receivers:` declares the class names
+      # this plugin claims sole ownership of. The dispatcher's
+      # dependency-source-inference tier consults this list
+      # before consulting its own catalog: receivers owned by a
+      # registered plugin (directly or via subclass) decline,
+      # so plugin contributions stay authoritative for those
+      # types.
+      def validate_owns_receivers!(owns_receivers)
+        return if owns_receivers.is_a?(Array) && owns_receivers.all? { |c| c.is_a?(String) && !c.empty? }
+
+        raise ArgumentError,
+              "plugin manifest owns_receivers must be an Array of non-empty String, " \
+              "got #{owns_receivers.inspect}"
+      end
+
       def coerce_consumes(consumes)
         unless consumes.is_a?(Array)
           raise ArgumentError, "plugin manifest consumes must be an Array, got #{consumes.inspect}"

data/lib/rigor/plugin/trust_policy.rb

@@ -32,15 +32,18 @@ module Rigor
     #   `Gemfile.lock`, and each trusted gem's
     #   `Gem::Specification#full_gem_path`. The user extends this
     #   with `.rigor.yml`'s `plugins_io.allowed_paths:`.
-    # - `network_policy`: `:disabled` in slice 2; the only value
-    #   accepted today. Plugin {IoBoundary#open_url} always raises
-    #   while the policy is `:disabled`.
+    # - `network_policy`: one of {VALID_NETWORK_POLICIES}.
+    #   `:disabled` (default) makes {IoBoundary#open_url} always
+    #   raise. `:allowlist` (v0.1.2) consults `allowed_url_hosts`
+    #   on every fetch — the hostname must be on the list and
+    #   the URL scheme MUST be `https`. The list of allowed hosts
+    #   is exact-match (no wildcards in v0.1.2).
     class TrustPolicy
-      VALID_NETWORK_POLICIES = %i[disabled].freeze
+      VALID_NETWORK_POLICIES = %i[disabled allowlist].freeze
 
-      attr_reader :trusted_gems, :allowed_read_roots, :network_policy
+      attr_reader :trusted_gems, :allowed_read_roots, :network_policy, :allowed_url_hosts
 
-      def initialize(trusted_gems: [], allowed_read_roots: [], network_policy: :disabled)
+      def initialize(trusted_gems: [], allowed_read_roots: [], network_policy: :disabled, allowed_url_hosts: [])
         validate_network_policy!(network_policy)
 
         @trusted_gems = trusted_gems.map { |g| g.to_s.dup.freeze }.uniq.sort.freeze
@@ -50,6 +53,7 @@ module Rigor
                               .sort
                               .freeze
         @network_policy = network_policy
+        @allowed_url_hosts = allowed_url_hosts.map { |h| h.to_s.downcase.dup.freeze }.uniq.sort.freeze
         freeze
       end
 
@@ -67,6 +71,24 @@ module Rigor
         @network_policy != :disabled
       end
 
+      # @param url [String, URI]
+      # @return [Boolean] true when the URL scheme is `https` and
+      #   the parsed hostname is in `allowed_url_hosts`. Always
+      #   `false` while `network_policy` is `:disabled`.
+      def allow_url?(url)
+        return false if @network_policy == :disabled
+        return false if @allowed_url_hosts.empty?
+
+        require "uri"
+        uri = url.is_a?(URI::Generic) ? url : URI.parse(url.to_s)
+        return false unless uri.is_a?(URI::HTTPS)
+        return false if uri.host.nil?
+
+        @allowed_url_hosts.include?(uri.host.downcase)
+      rescue URI::InvalidURIError
+        false
+      end
+
       def gem_trusted?(name)
         @trusted_gems.include?(name.to_s)
       end
@@ -75,7 +97,8 @@ module Rigor
         {
           "trusted_gems" => trusted_gems,
           "allowed_read_roots" => allowed_read_roots,
-          "network_policy" => network_policy.to_s
+          "network_policy" => network_policy.to_s,
+          "allowed_url_hosts" => allowed_url_hosts
         }
       end
 

data/lib/rigor/scope.rb

@@ -20,7 +20,7 @@ module Rigor
                 :ivars, :cvars, :globals,
                 :class_ivars, :class_cvars, :program_globals,
                 :discovered_classes, :in_source_constants, :discovered_methods,
-                :discovered_def_nodes
+                :discovered_def_nodes, :discovered_method_visibilities
 
     EMPTY_DECLARED_TYPES = {}.compare_by_identity.freeze
     EMPTY_VAR_BINDINGS = {}.freeze
@@ -47,7 +47,8 @@ module Rigor
       discovered_classes: EMPTY_VAR_BINDINGS,
       in_source_constants: EMPTY_VAR_BINDINGS,
       discovered_methods: EMPTY_CLASS_BINDINGS,
-      discovered_def_nodes: EMPTY_CLASS_BINDINGS
+      discovered_def_nodes: EMPTY_CLASS_BINDINGS,
+      discovered_method_visibilities: EMPTY_CLASS_BINDINGS
     )
       @environment = environment
       @locals = locals
@@ -64,6 +65,7 @@ module Rigor
       @in_source_constants = in_source_constants
       @discovered_methods = discovered_methods
       @discovered_def_nodes = discovered_def_nodes
+      @discovered_method_visibilities = discovered_method_visibilities
       freeze
     end
 
@@ -268,6 +270,26 @@ module Rigor
       rebuild(discovered_def_nodes: table)
     end
 
+    # v0.1.2 — per-class table mapping `method_name (Symbol) →
+    # :public | :private | :protected`. Populated by
+    # `ScopeIndexer` for every `def` it sees inside a class
+    # body, with the visibility taken from the surrounding
+    # `private` / `protected` / `public` modifier state plus
+    # any post-hoc `private :name, ...` named-argument calls.
+    # Consumed by the `def.method-visibility-mismatch` rule
+    # so explicit-non-self calls to a private method surface
+    # a diagnostic.
+    def discovered_method_visibility(class_name, method_name)
+      table = @discovered_method_visibilities[class_name.to_s]
+      return nil unless table
+
+      table[method_name.to_sym]
+    end
+
+    def with_discovered_method_visibilities(table)
+      rebuild(discovered_method_visibilities: table)
+    end
+
     def facts_for(target: nil, bucket: nil)
       fact_store.facts_for(target: target, bucket: bucket)
     end
@@ -334,7 +356,8 @@ module Rigor
       declared_types: @declared_types, ivars: @ivars, cvars: @cvars, globals: @globals,
       class_ivars: @class_ivars, class_cvars: @class_cvars, program_globals: @program_globals,
       discovered_classes: @discovered_classes, in_source_constants: @in_source_constants,
-      discovered_methods: @discovered_methods, discovered_def_nodes: @discovered_def_nodes
+      discovered_methods: @discovered_methods, discovered_def_nodes: @discovered_def_nodes,
+      discovered_method_visibilities: @discovered_method_visibilities
     )
       self.class.new(
         environment: environment, locals: locals,
@@ -346,7 +369,8 @@ module Rigor
         discovered_classes: discovered_classes,
         in_source_constants: in_source_constants,
         discovered_methods: discovered_methods,
-        discovered_def_nodes: discovered_def_nodes
+        discovered_def_nodes: discovered_def_nodes,
+        discovered_method_visibilities: discovered_method_visibilities
       )
     end
 
@@ -371,7 +395,8 @@ module Rigor
         discovered_classes: discovered_classes,
         in_source_constants: in_source_constants,
         discovered_methods: discovered_methods,
-        discovered_def_nodes: discovered_def_nodes
+        discovered_def_nodes: discovered_def_nodes,
+        discovered_method_visibilities: discovered_method_visibilities
       )
     end
   end

data/lib/rigor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Rigor
-  VERSION = "0.1.1"
+  VERSION = "0.1.3"
 end

data/sig/rigor/environment.rbs

@@ -7,11 +7,12 @@ module Rigor
     attr_reader class_registry: ClassRegistry
     attr_reader rbs_loader: RbsLoader?
     attr_reader plugin_registry: untyped?
+    attr_reader dependency_source_index: untyped?
 
     def self.default: () -> Environment
-    def self.for_project: (?root: String, ?libraries: Array[String], ?signature_paths: Array[String | _ToPath]?, ?cache_store: untyped?, ?plugin_registry: untyped?) -> Environment
+    def self.for_project: (?root: String, ?libraries: Array[String], ?signature_paths: Array[String | _ToPath]?, ?cache_store: untyped?, ?plugin_registry: untyped?, ?dependency_source_index: untyped?) -> Environment
 
-    def initialize: (?class_registry: ClassRegistry, ?rbs_loader: RbsLoader?, ?plugin_registry: untyped?) -> void
+    def initialize: (?class_registry: ClassRegistry, ?rbs_loader: RbsLoader?, ?plugin_registry: untyped?, ?dependency_source_index: untyped?) -> void
     def nominal_for_name: (String | Symbol name) -> Type::Nominal?
     def singleton_for_name: (String | Symbol name) -> Type::Singleton?
     def constant_for_name: (String | Symbol name) -> Type::t?

data/sig/rigor/scope.rbs

@@ -15,6 +15,7 @@ module Rigor
     attr_reader in_source_constants: Hash[String, Type::t]
     attr_reader discovered_methods: Hash[String, Hash[Symbol, Symbol]]
     attr_reader discovered_def_nodes: Hash[String, Hash[Symbol, untyped]]
+    attr_reader discovered_method_visibilities: Hash[String, Hash[Symbol, Symbol]]
 
     def self.empty: (?environment: Environment) -> Scope
 
@@ -39,6 +40,8 @@ module Rigor
     def with_discovered_def_nodes: (Hash[String, Hash[Symbol, untyped]] table) -> Scope
     def user_def_for: (String | Symbol class_name, String | Symbol method_name) -> untyped?
     def top_level_def_for: (String | Symbol method_name) -> untyped?
+    def with_discovered_method_visibilities: (Hash[String, Hash[Symbol, Symbol]] table) -> Scope
+    def discovered_method_visibility: (String | Symbol class_name, String | Symbol method_name) -> Symbol?
     def with_fact: (Analysis::FactStore::Fact fact) -> Scope
     def with_self_type: (Type::t? type) -> Scope
     def with_declared_types: (Hash[untyped, Type::t] table) -> Scope

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rigortype
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.3
 platform: ruby
 authors:
 - Rigor contributors
@@ -184,9 +184,18 @@ files:
 - exe/rigor
 - lib/rigor.rb
 - lib/rigor/analysis/check_rules.rb
+- lib/rigor/analysis/check_rules/always_truthy_condition_collector.rb
+- lib/rigor/analysis/check_rules/dead_assignment_collector.rb
+- lib/rigor/analysis/check_rules/ivar_write_collector.rb
+- lib/rigor/analysis/dependency_source_inference.rb
+- lib/rigor/analysis/dependency_source_inference/builder.rb
+- lib/rigor/analysis/dependency_source_inference/gem_resolver.rb
+- lib/rigor/analysis/dependency_source_inference/index.rb
+- lib/rigor/analysis/dependency_source_inference/walker.rb
 - lib/rigor/analysis/diagnostic.rb
 - lib/rigor/analysis/fact_store.rb
 - lib/rigor/analysis/result.rb
+- lib/rigor/analysis/rule_catalog.rb
 - lib/rigor/analysis/runner.rb
 - lib/rigor/ast.rb
 - lib/rigor/ast/type_node.rb
@@ -203,12 +212,15 @@ files:
 - lib/rigor/cache/rbs_known_class_names.rb
 - lib/rigor/cache/store.rb
 - lib/rigor/cli.rb
+- lib/rigor/cli/diff_command.rb
+- lib/rigor/cli/explain_command.rb
 - lib/rigor/cli/type_of_command.rb
 - lib/rigor/cli/type_of_renderer.rb
 - lib/rigor/cli/type_scan_command.rb
 - lib/rigor/cli/type_scan_renderer.rb
 - lib/rigor/cli/type_scan_report.rb
 - lib/rigor/configuration.rb
+- lib/rigor/configuration/dependencies.rb
 - lib/rigor/configuration/severity_profile.rb
 - lib/rigor/environment.rb
 - lib/rigor/environment/class_registry.rb