rigortype 0.1.2 → 0.1.3

data/lib/rigor/cache/descriptor.rb

@@ -24,8 +24,10 @@ module Rigor
     class Descriptor # rubocop:disable Metrics/ClassLength
       # Bumped on incompatible schema changes. The storage layer
       # mixes this into the cache key, so a bump implicitly
-      # invalidates every cached value.
-      SCHEMA_VERSION = 1
+      # invalidates every cached value. v2 added the
+      # `dependencies` slot for ADR-10 per-gem-version cache slice
+      # invalidation.
+      SCHEMA_VERSION = 2
 
       # Per-slot entry value objects. Constructors validate enums /
       # required fields and freeze the resulting struct so no caller
@@ -134,6 +136,54 @@ module Rigor
         end
       end
 
+      # Per-(gem, version, mode) row carrying the cache slice
+      # boundary for ADR-10 dependency-source inference. A
+      # `bundle update` that bumps a listed gem's pinned version
+      # produces a different `gem_version` here and therefore a
+      # fresh cache key — invalidating exactly that gem's slice
+      # without disturbing other gems' slices or the project's
+      # own cache.
+      #
+      # `mode` mirrors the
+      # [Configuration::Dependencies::VALID_MODES](../configuration/dependencies.rb)
+      # enum (`:disabled` / `:when_missing` / `:full`); a mode
+      # change for the same gem also forces invalidation because
+      # the inferred shapes depend on whether RBS overrides the
+      # walk.
+      class DependencyEntry
+        VALID_MODES = %i[disabled when_missing full].freeze
+
+        attr_reader :gem_name, :gem_version, :mode
+
+        def initialize(gem_name:, gem_version:, mode:)
+          unless VALID_MODES.include?(mode)
+            raise ArgumentError,
+                  "DependencyEntry mode must be one of #{VALID_MODES.inspect}, got #{mode.inspect}"
+          end
+
+          @gem_name = gem_name.to_s.dup.freeze
+          @gem_version = gem_version.to_s.dup.freeze
+          @mode = mode
+          freeze
+        end
+
+        def to_h
+          { "gem_name" => gem_name, "gem_version" => gem_version, "mode" => mode.to_s }
+        end
+
+        def ==(other)
+          other.is_a?(DependencyEntry) &&
+            other.gem_name == gem_name &&
+            other.gem_version == gem_version &&
+            other.mode == mode
+        end
+        alias eql? ==
+
+        def hash
+          [self.class, gem_name, gem_version, mode].hash
+        end
+      end
+
       # Raised when {.compose} encounters incompatible entries
       # under the same key (file digest mismatch, gem-locked
       # disagreement, …). Callers handle the exception by
@@ -141,13 +191,14 @@ module Rigor
       # contribution silently.
       class Conflict < StandardError; end
 
-      attr_reader :files, :gems, :plugins, :configs
+      attr_reader :files, :gems, :plugins, :configs, :dependencies
 
-      def initialize(files: [], gems: [], plugins: [], configs: [])
+      def initialize(files: [], gems: [], plugins: [], configs: [], dependencies: [])
         @files = files.dup.freeze
         @gems = gems.dup.freeze
         @plugins = plugins.dup.freeze
         @configs = configs.dup.freeze
+        @dependencies = dependencies.dup.freeze
         freeze
       end
 
@@ -170,7 +221,8 @@ module Rigor
         gems = compose_by_key(descriptors.flat_map(&:gems), :name)
         plugins = compose_by_key(descriptors.flat_map(&:plugins), :id)
         configs = compose_by_key(descriptors.flat_map(&:configs), :key)
-        new(files: files, gems: gems, plugins: plugins, configs: configs)
+        dependencies = compose_by_key(descriptors.flat_map(&:dependencies), :gem_name)
+        new(files: files, gems: gems, plugins: plugins, configs: configs, dependencies: dependencies)
       end
 
       # @param producer_id [String]
@@ -196,6 +248,7 @@ module Rigor
       def to_canonical_hash
         {
           "configs" => sort_entries(configs, "key").map(&:to_h),
+          "dependencies" => sort_entries(dependencies, "gem_name").map(&:to_h),
           "files" => sort_entries(files, "path").map(&:to_h),
           "gems" => sort_entries(gems, "name").map(&:to_h),
           "plugins" => sort_entries(plugins, "id").map(&:to_h)

data/lib/rigor/configuration/dependencies.rb

@@ -0,0 +1,235 @@
+# frozen_string_literal: true
+
+module Rigor
+  class Configuration
+    # Parsed `dependencies:` section of `.rigor.yml`. Per
+    # [ADR-10](../../../docs/adr/10-dependency-source-inference.md),
+    # the only nested key today is `source_inference:`, listing
+    # gems whose Ruby implementation Rigor MAY walk during
+    # inference instead of degrading to `Dynamic[top]` at the
+    # dependency boundary.
+    #
+    # Slice 1 lands the parser only — `Configuration#dependencies`
+    # is read, but no analyzer machinery consumes it yet. Slice 2
+    # wires `Analysis::DependencySourceInference` against this
+    # value object.
+    class Dependencies # rubocop:disable Metrics/ClassLength
+      # Walking modes per
+      # [ADR-10 § "Decision"](../../../docs/adr/10-dependency-source-inference.md#decision).
+      VALID_MODES = %i[disabled when_missing full].freeze
+
+      # Default `roots:` for an entry that does not supply one.
+      # The hard-excluded directories (`spec/` / `test/` / `bin/`
+      # / C extensions) are enforced by the walker, not the
+      # parser — see ADR-10 § "Hard exclusions".
+      DEFAULT_ROOTS = %w[lib].freeze
+
+      # Default per-gem catalog cap. ADR-10 slice 4 picks
+      # 5000 method definitions: it covers Rack (~1500),
+      # Faraday (~500), Sidekiq (~800) and other realistic
+      # opt-in targets, while still surfacing a diagnostic for
+      # ActiveSupport-class libraries (~10 000+ methods) where
+      # the user should ship RBS or de-list the gem instead.
+      DEFAULT_BUDGET_PER_GEM = 5000
+
+      # Range bounds per ADR-10 § "Budget interaction"
+      # ("range 0.25× – 4×"). Configured against the default,
+      # this lands at 1250 – 20 000.
+      MIN_BUDGET_PER_GEM = (DEFAULT_BUDGET_PER_GEM * 0.25).to_i
+      MAX_BUDGET_PER_GEM = (DEFAULT_BUDGET_PER_GEM * 4).to_i
+
+      # ADR-10 5b — budget-overrun strategy enum.
+      #
+      # - `:walker_cap` (default): the (α) semantics. The
+      #   walker stops harvesting at the cap; methods past the
+      #   cap fall through to the existing user-class fallback
+      #   path. Existing v0.1.3 behaviour.
+      # - `:dependency_silence`: the (β) semantics. Same
+      #   walker behaviour, but the dispatcher additionally
+      #   consults `Index#class_to_gem` after a catalog miss.
+      #   When the receiver's class belongs to a budget-
+      #   exceeded gem, the call resolves to `Dynamic[top]`
+      #   rather than falling through to user-class fallback.
+      #   This silences `call.undefined-method` for unrecorded
+      #   methods at the cost of weaker static checking on
+      #   that gem's surface.
+      VALID_BUDGET_OVERRUN_STRATEGIES = %i[walker_cap dependency_silence].freeze
+      DEFAULT_BUDGET_OVERRUN_STRATEGY = :walker_cap
+
+      # Frozen value object describing a single per-gem opt-in.
+      # `gem:` is the gem name (matched against the bundle at
+      # walk time); `mode:` is one of {VALID_MODES}; `roots:` is
+      # the list of subdirectories within the gem's installation
+      # directory to walk (defaults to `["lib"]`).
+      Entry = Data.define(:gem, :mode, :roots) do
+        def disabled? = mode == :disabled
+        def when_missing? = mode == :when_missing
+        def full? = mode == :full
+      end
+
+      attr_reader :source_inference, :budget_per_gem, :budget_overrun_strategy, :warnings
+
+      # Parse the YAML-shaped `dependencies:` value into a
+      # frozen {Dependencies}. Accepts `nil` / `{}` / a Hash with
+      # `source_inference:` and / or `budget_per_gem:` /
+      # `budget_overrun_strategy:` present.
+      def self.from_h(data)
+        return new([]) if data.nil?
+        raise ArgumentError, "dependencies: must be a Hash, got #{data.inspect}" unless data.is_a?(Hash)
+
+        raw_entries = Array(data["source_inference"]).map { |raw| coerce_entry(raw) }
+        entries, warnings = dedupe_entries(raw_entries)
+        budget = coerce_budget_per_gem(data.fetch("budget_per_gem", DEFAULT_BUDGET_PER_GEM))
+        strategy = coerce_budget_overrun_strategy(
+          data.fetch("budget_overrun_strategy", DEFAULT_BUDGET_OVERRUN_STRATEGY)
+        )
+        new(entries, budget, warnings, strategy)
+      end
+
+      def initialize(source_inference, budget_per_gem = DEFAULT_BUDGET_PER_GEM,
+                     warnings = [], budget_overrun_strategy = DEFAULT_BUDGET_OVERRUN_STRATEGY)
+        @source_inference = source_inference.freeze
+        @budget_per_gem = budget_per_gem
+        @warnings = warnings.freeze
+        @budget_overrun_strategy = budget_overrun_strategy
+        freeze
+      end
+
+      def to_h
+        {
+          "source_inference" => @source_inference.map do |entry|
+            {
+              "gem" => entry.gem,
+              "mode" => entry.mode.to_s,
+              "roots" => entry.roots
+            }
+          end,
+          "budget_per_gem" => @budget_per_gem,
+          "budget_overrun_strategy" => @budget_overrun_strategy.to_s
+        }
+      end
+
+      def empty? = @source_inference.empty?
+
+      class << self
+        # ADR-10 § "config-conflict diagnostic" — merges a
+        # potentially-duplicated entry list (the `includes:`
+        # chain produces concatenated arrays via
+        # `Configuration.deep_merge`'s special-case for
+        # `dependencies.source_inference`) into a single
+        # canonical entry per gem name. The merge rules:
+        #
+        # - Same gem, same all fields → idempotent collapse
+        #   (no warning).
+        # - Same gem, different `mode:` → keep the LAST entry
+        #   (matches existing right-wins semantics elsewhere)
+        #   AND emit a `:warning` so the user knows their
+        #   `includes:` chain is ambiguous.
+        # - Same gem, different `roots:` → union the roots
+        #   silently (no warning). The walker is happy to
+        #   visit the union.
+        #
+        # Returns `[entries, warnings]` so the caller can
+        # plumb the warning list through to the Runner for
+        # diagnostic emission.
+        def dedupe_entries(entries)
+          warnings = []
+          by_gem = {}
+          entries.each do |entry|
+            existing = by_gem[entry.gem]
+            by_gem[entry.gem] = if existing.nil?
+                                  entry
+                                else
+                                  merge_entry_pair(existing, entry, warnings)
+                                end
+          end
+          [by_gem.values, warnings]
+        end
+
+        def merge_entry_pair(existing, incoming, warnings)
+          if existing.mode != incoming.mode
+            warnings << "dependencies.source_inference[].gem #{incoming.gem.inspect} declared with " \
+                        "conflicting modes (#{existing.mode.inspect} vs #{incoming.mode.inspect}); " \
+                        "the later (#{incoming.mode.inspect}) wins."
+          end
+          merged_roots = (existing.roots + incoming.roots).uniq.freeze
+          Entry.new(gem: incoming.gem, mode: incoming.mode, roots: merged_roots)
+        end
+
+        private
+
+        def coerce_entry(raw)
+          unless raw.is_a?(Hash)
+            raise ArgumentError,
+                  "dependencies.source_inference[] entry must be a Hash, got #{raw.inspect}"
+          end
+
+          Entry.new(
+            gem: coerce_gem(raw["gem"]),
+            mode: coerce_mode(raw["mode"]),
+            roots: coerce_roots(raw)
+          )
+        end
+
+        def coerce_gem(value)
+          unless value.is_a?(String) && !value.empty?
+            raise ArgumentError,
+                  "dependencies.source_inference[].gem must be a non-empty String, got #{value.inspect}"
+          end
+
+          value.dup.freeze
+        end
+
+        def coerce_mode(value)
+          mode = (value || "when_missing").to_sym
+          return mode if VALID_MODES.include?(mode)
+
+          raise ArgumentError,
+                "dependencies.source_inference[].mode must be one of " \
+                "#{VALID_MODES.inspect}, got #{value.inspect}"
+        end
+
+        def coerce_roots(raw)
+          roots = Array(raw.fetch("roots", DEFAULT_ROOTS)).map(&:to_s).freeze
+          return roots unless roots.empty?
+
+          raise ArgumentError,
+                "dependencies.source_inference[].roots must not be empty when supplied " \
+                "(omit the key to fall back to the default #{DEFAULT_ROOTS.inspect})"
+        end
+
+        def coerce_budget_overrun_strategy(value)
+          symbol = value.to_sym
+          return symbol if VALID_BUDGET_OVERRUN_STRATEGIES.include?(symbol)
+
+          raise ArgumentError,
+                "dependencies.budget_overrun_strategy must be one of " \
+                "#{VALID_BUDGET_OVERRUN_STRATEGIES.inspect}, got #{value.inspect}"
+        end
+
+        # ADR-10 slice 4. Per-gem catalog cap is mandatory
+        # (the parser supplies the default before this is
+        # called, so `nil` only reaches here on an explicit
+        # `budget_per_gem: ~`). Range bounds match
+        # MIN_BUDGET_PER_GEM .. MAX_BUDGET_PER_GEM
+        # (i.e. 0.25× – 4× of the default).
+        def coerce_budget_per_gem(value)
+          unless value.is_a?(Integer)
+            raise ArgumentError,
+                  "dependencies.budget_per_gem must be an Integer, " \
+                  "got #{value.inspect}"
+          end
+
+          unless value.between?(MIN_BUDGET_PER_GEM, MAX_BUDGET_PER_GEM)
+            raise ArgumentError,
+                  "dependencies.budget_per_gem must be in the range " \
+                  "#{MIN_BUDGET_PER_GEM}..#{MAX_BUDGET_PER_GEM}, " \
+                  "got #{value.inspect}"
+          end
+
+          value
+        end
+      end
+    end
+  end
+end

data/lib/rigor/configuration.rb

@@ -2,6 +2,7 @@
 
 require "yaml"
 
+require_relative "configuration/dependencies"
 require_relative "configuration/severity_profile"
 
 module Rigor
@@ -58,7 +59,11 @@ module Rigor
         "allowed_url_hosts" => []
       },
       "severity_profile" => "balanced",
-      "severity_overrides" => {}
+      "severity_overrides" => {},
+      "dependencies" => {
+        "source_inference" => [],
+        "budget_per_gem" => Configuration::Dependencies::DEFAULT_BUDGET_PER_GEM
+      }
     }.freeze
 
     # Top-level keys whose values are file/directory paths that
@@ -72,7 +77,8 @@ module Rigor
                 :libraries, :signature_paths, :fold_platform_specific_paths,
                 :plugins_io_network, :plugins_io_allowed_paths,
                 :plugins_io_allowed_url_hosts,
-                :severity_profile, :severity_overrides
+                :severity_profile, :severity_overrides,
+                :dependencies
 
     # Loads a configuration file.
     #
@@ -174,15 +180,39 @@ module Rigor
 
       merged = left.dup
       right.each do |key, value|
-        merged[key] = if merged.key?(key) && merged[key].is_a?(Hash) && value.is_a?(Hash)
-                        deep_merge(merged[key], value)
-                      else
-                        value
-                      end
+        merged[key] = merge_value(key, merged, value)
       end
       merged
     end
-    private_class_method :load_with_includes, :merge_includes, :resolve_paths_in, :deep_merge
+
+    # Most keys are right-wins (override) or recursively
+    # merged hashes. ADR-10 § "config-conflict diagnostic"
+    # carves out `dependencies.source_inference[]`: the
+    # per-gem merge across `includes:` chains needs union
+    # behaviour with mode-conflict detection. The Hash itself
+    # still merges deeply; only the inner array gets
+    # concatenated so {Dependencies.from_h} sees every
+    # contributor's entries and can dedupe them.
+    def self.merge_value(key, merged, value)
+      if key == "dependencies" && merged[key].is_a?(Hash) && value.is_a?(Hash)
+        merge_dependencies_hash(merged[key], value)
+      elsif merged.key?(key) && merged[key].is_a?(Hash) && value.is_a?(Hash)
+        deep_merge(merged[key], value)
+      else
+        value
+      end
+    end
+
+    def self.merge_dependencies_hash(left, right)
+      out = deep_merge(left, right)
+      left_si = Array(left["source_inference"])
+      right_si = Array(right["source_inference"])
+      both_empty = left_si.empty? && right_si.empty?
+      out["source_inference"] = left_si + right_si unless both_empty # rigor:disable flow.always-truthy-condition
+      out
+    end
+    private_class_method :load_with_includes, :merge_includes, :resolve_paths_in, :deep_merge,
+                         :merge_value, :merge_dependencies_hash
 
     # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
     def initialize(data = DEFAULTS)
@@ -213,6 +243,9 @@ module Rigor
       @severity_overrides = coerce_severity_overrides(
         data.fetch("severity_overrides", DEFAULTS.fetch("severity_overrides"))
       )
+      @dependencies = Dependencies.from_h(
+        data.fetch("dependencies", DEFAULTS.fetch("dependencies"))
+      )
     end
     # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
 
@@ -235,7 +268,8 @@ module Rigor
           "allowed_url_hosts" => plugins_io_allowed_url_hosts
         },
         "severity_profile" => severity_profile.to_s,
-        "severity_overrides" => severity_overrides.to_h { |k, v| [k, v.to_s] }
+        "severity_overrides" => severity_overrides.to_h { |k, v| [k, v.to_s] },
+        "dependencies" => dependencies.to_h
       }
     end
 

data/lib/rigor/environment.rb

@@ -41,7 +41,7 @@ module Rigor
       prism rbs
     ].freeze
 
-    attr_reader :class_registry, :rbs_loader, :plugin_registry
+    attr_reader :class_registry, :rbs_loader, :plugin_registry, :dependency_source_index
 
     # @param class_registry [Rigor::Environment::ClassRegistry]
     # @param rbs_loader [Rigor::Environment::RbsLoader, nil] when nil the
@@ -57,10 +57,17 @@ module Rigor
     #   default), no plugin-level return-type contribution
     #   participates — useful for tests, the `Environment.default`
     #   facade, and analyses that don't load plugins.
-    def initialize(class_registry: ClassRegistry.default, rbs_loader: nil, plugin_registry: nil)
+    # @param dependency_source_index [Rigor::Analysis::DependencySourceInference::Index, nil]
+    #   ADR-10 slice 2b-ii. The per-run index of opt-in gem
+    #   sources the dispatcher consults BELOW RBS dispatch.
+    #   When nil (the default), no dep-source contribution
+    #   participates and the dispatcher tier is a no-op.
+    def initialize(class_registry: ClassRegistry.default, rbs_loader: nil,
+                   plugin_registry: nil, dependency_source_index: nil)
       @class_registry = class_registry
       @rbs_loader = rbs_loader
       @plugin_registry = plugin_registry
+      @dependency_source_index = dependency_source_index
       freeze
     end
 
@@ -90,7 +97,8 @@ module Rigor
       #   reflection artefacts) consult the cache. Pass `nil` (the
       #   default) to skip caching for this environment.
       # @return [Rigor::Environment]
-      def for_project(root: Dir.pwd, libraries: [], signature_paths: nil, cache_store: nil, plugin_registry: nil)
+      def for_project(root: Dir.pwd, libraries: [], signature_paths: nil, cache_store: nil, # rubocop:disable Metrics/ParameterLists
+                      plugin_registry: nil, dependency_source_index: nil)
         resolved_paths = signature_paths || default_signature_paths(root)
         merged_libraries = (DEFAULT_LIBRARIES + libraries.map(&:to_s)).uniq
         loader = RbsLoader.new(
@@ -98,7 +106,11 @@ module Rigor
           signature_paths: resolved_paths,
           cache_store: cache_store
         )
-        new(rbs_loader: loader, plugin_registry: plugin_registry)
+        new(
+          rbs_loader: loader,
+          plugin_registry: plugin_registry,
+          dependency_source_index: dependency_source_index
+        )
       end
 
       private

data/lib/rigor/flow_contribution/merger.rb

@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
+require_relative "conflict"
+require_relative "fact"
+require_relative "merge_result"
+
 module Rigor
   class FlowContribution
     # Composes any number of {FlowContribution} bundles into a

data/lib/rigor/inference/method_dispatcher.rb

@@ -86,6 +86,18 @@ module Rigor
         )
         return rbs_result if rbs_result
 
+        # ADR-10 slice 2b-ii — dependency-source inference tier.
+        # Sits BELOW RBS dispatch (RBS / RBS::Inline / generated
+        # stubs / plugin contracts always win) and ABOVE the
+        # user-class fallback so a method defined in an opt-in
+        # gem stops emitting `call.undefined-method` even when
+        # no signature contract resolves. Returns
+        # `Dynamic[top]` — slice 2b-ii deliberately stops at the
+        # dynamic-origin envelope; per-method return-type
+        # precision is queued for a later slice.
+        dep_source_result = try_dependency_source(receiver_type, method_name, environment)
+        return dep_source_result if dep_source_result
+
         # Slice 7 phase 10 — user-class ancestor fallback. When
         # the receiver is `Nominal[T]` or `Singleton[T]` for a
         # class not in the RBS environment (typically a
@@ -125,6 +137,81 @@ module Rigor
         FlowContribution::Merger.merge(contributions).return_type
       end
 
+      # ADR-10 slice 2b-ii. Consults the per-run
+      # `Analysis::DependencySourceInference::Index` carried by
+      # the environment for `(class_name, method_name)`
+      # observations harvested from opt-in gems' `roots:`. On a
+      # hit, returns `Combinator.untyped` so the call site
+      # carries the `Dynamic[top]` provenance (per ADR-10's
+      # "Inference contract": gem-source-inferred shapes never
+      # publish as ground-truth `T`). Returns `nil` when the
+      # environment carries no index, the index has no entry, or
+      # the receiver has no nominal class to look up.
+      def try_dependency_source(receiver_type, method_name, environment)
+        index = environment&.dependency_source_index
+        return nil if index.nil? || index.empty?
+
+        class_name = dep_source_class_name(receiver_type)
+        return nil if class_name.nil?
+
+        # ADR-10 5a — per-receiver plugin veto. When a
+        # registered plugin declares `manifest(owns_receivers:
+        # [<class>])` AND the call's receiver IS that class
+        # (or a subclass), decline and let plugins handle the
+        # call. Plugins that own a receiver are the
+        # authoritative source for that type; gem-source
+        # inference must not contribute behind their backs.
+        return nil if plugin_owns_receiver?(class_name, environment)
+
+        contribution_kind = index.contribution_for(class_name: class_name, method_name: method_name)
+        return Type::Combinator.untyped if contribution_kind
+
+        # ADR-10 5b — β budget semantics. On a catalog miss,
+        # if the receiver class belongs to a budget-exceeded
+        # gem AND the user opted into `:dependency_silence`,
+        # return `Dynamic[top]` rather than falling through to
+        # the user-class fallback. The user-class fallback
+        # would otherwise emit `call.undefined-method` for
+        # methods Rigor's catalog couldn't reach because the
+        # walker hit its cap.
+        budget_silence_result(class_name, index, environment)
+      end
+
+      def budget_silence_result(class_name, index, _environment)
+        return nil unless index.budget_overrun_strategy == :dependency_silence
+
+        owning_gem = index.gem_for(class_name)
+        return nil if owning_gem.nil?
+        return nil unless index.budget_exceeded.include?(owning_gem)
+
+        Type::Combinator.untyped
+      end
+
+      def plugin_owns_receiver?(class_name, environment)
+        registry = environment&.plugin_registry
+        return false if registry.nil? || registry.empty?
+
+        registry.plugins.any? do |plugin|
+          owns = plugin.manifest.owns_receivers # rigor:disable undefined-method
+          owns.any? { |owner| receiver_matches_owner?(class_name, owner, environment) }
+        end
+      end
+
+      def receiver_matches_owner?(class_name, owner, environment)
+        return true if class_name == owner
+
+        ordering = environment.class_ordering(class_name, owner)
+        %i[equal subclass].include?(ordering)
+      rescue StandardError
+        false
+      end
+
+      def dep_source_class_name(receiver_type)
+        case receiver_type
+        when Type::Nominal, Type::Singleton then receiver_type.class_name
+        end
+      end
+
       def collect_plugin_contributions(registry, call_node, scope)
         registry.plugins.filter_map do |plugin|
           contribution = plugin.flow_contribution_for(call_node: call_node, scope: scope)

data/lib/rigor/inference/statement_evaluator.rb

@@ -785,6 +785,7 @@ module Rigor
         evaluate_block_if_present(node)
         post_scope = record_closure_escape_if_any(node)
         post_scope = apply_rbs_extended_assertions(node, post_scope)
+        post_scope = apply_plugin_assertions(node, post_scope)
         post_scope = apply_rspec_matcher_narrowing(node, post_scope)
         [call_type, post_scope]
       end
@@ -978,6 +979,61 @@ module Rigor
         end
       end
 
+      # ADR-7 § "Slice 4-A" / T.bind priority slice 2 — applies
+      # the post-return facts plugin contributions produce. This
+      # is the sibling of {apply_rbs_extended_assertions}: the
+      # carrier (`Rigor::FlowContribution::Fact`) and the
+      # downstream narrowing path (`apply_post_return_fact` →
+      # `apply_self_post_return_fact`) are the same; only the
+      # *source* of the bundle changes (RBS::Extended vs the
+      # registered plugins' `flow_contribution_for`).
+      #
+      # `:self`-targeted facts narrow `scope.self_type` for the
+      # surrounding scope. In a block body, the surrounding
+      # scope is the block's own scope, so the narrowing applies
+      # to the rest of the block — exactly the contract Sorbet's
+      # `T.bind(self, T)` commits to.
+      #
+      # `:parameter`-targeted facts only land when the called
+      # method has an authoritative RBS sig (via
+      # `resolve_call_method`); plugins recognising their own
+      # synthetic call shapes (e.g. `T.assert_type!`) have no
+      # method_def and the parameter facts silently skip — the
+      # plugin's own diagnostics_for_file path covers those
+      # cases. The full plugin-side parameter-targeting story
+      # (PHPStan-style Type-Specifying Extensions on
+      # plugin-recognised calls) lives behind a follow-up slice
+      # that introduces `:local` / `:argument_at` target kinds.
+      def apply_plugin_assertions(call_node, current_scope)
+        registry = current_scope.environment&.plugin_registry
+        return current_scope if registry.nil? || registry.empty?
+
+        contributions = collect_plugin_contributions(registry, call_node, current_scope)
+        return current_scope if contributions.empty?
+
+        result = Rigor::FlowContribution::Merger.merge(contributions)
+        post_return = result.post_return_facts
+        return current_scope if post_return.empty?
+
+        method_def = resolve_call_method(call_node, current_scope)
+        post_return.reduce(current_scope) do |scope_acc, fact|
+          apply_post_return_fact(fact, call_node, scope_acc, method_def)
+        end
+      end
+
+      # Walks the registry and collects each plugin's
+      # `flow_contribution_for` result, swallowing per-plugin
+      # exceptions so a buggy plugin can't abort the assertion
+      # path. Mirrors `MethodDispatcher.collect_plugin_contributions`
+      # exactly — the two paths consume the same hook.
+      def collect_plugin_contributions(registry, call_node, current_scope)
+        registry.plugins.filter_map do |plugin|
+          plugin.flow_contribution_for(call_node: call_node, scope: current_scope)
+        rescue StandardError
+          nil
+        end
+      end
+
       def resolve_call_method(call_node, current_scope) # rubocop:disable Metrics/PerceivedComplexity
         receiver_node = call_node.receiver
         receiver_type =
@@ -1064,7 +1120,15 @@ module Rigor
         end
       end
 
-      def lookup_post_return_arg(call_node, method_def, target_name)
+      def lookup_post_return_arg(call_node, method_def, target_name) # rubocop:disable Metrics/CyclomaticComplexity
+        # Plugin-source contributions arrive without an
+        # authoritative method_def (the plugin recognised the
+        # call shape directly). Parameter-targeting falls back
+        # to "no narrow" in that case — the wider plugin-side
+        # parameter mapping (`:local` / `:argument_at`) is a
+        # follow-up slice.
+        return nil if method_def.nil?
+
         arguments = call_node.arguments&.arguments || []
         method_def.method_types.each do |mt|
           params = mt.type.required_positionals + mt.type.optional_positionals