rigortype 0.2.0 → 0.2.1

data/lib/rigor/protection/mutation_scanner.rb

@@ -2,8 +2,8 @@
 
 require "prism"
 
-require_relative "../analysis/runner"
 require_relative "mutator"
+require_relative "diagnostic_oracle"
 
 module Rigor
   module Protection
@@ -15,17 +15,16 @@ module Rigor
     # Mechanism (the ADR-62 warm loop, narrowed to per-file measurement):
     # generate the type-visible mutations ({Mutator}), keep only those whose
     # receiver Rigor holds a concrete type for (the type-aware filter — the
-    # FP-safe meaning-maker; an unresolved receiver is kept), then for each:
-    # re-analyse the mutated SOURCE against a clean baseline and read whether a
-    # NEW diagnostic appears. A *killed* mutation is a caught breakage; a
-    # *survived* one is a breakage Rigor missed — an "add a type here" site.
+    # FP-safe meaning-maker; an unresolved receiver is kept), then for each ask
+    # the **kill oracle** whether the mutant is caught. The oracle is the ADR-69
+    # seam: {#scan_file} uses the {DiagnosticOracle} (a *new Rigor diagnostic* =
+    # a kill); {#scan_file_fused} additionally consults a {TestSuiteOracle} on the
+    # type-survivors (ADR-70 — the dynamic protection axis).
     #
     # The expensive builds (RBS environment + the whole-project pre-pass scan)
-    # are paid ONCE by the caller and threaded in via `environment:` /
-    # `project_scan:`; each mutant reuses them through
-    # `Runner.new(prebuilt:)#run_source` (in-memory overlay, no disk write).
-    # Passing `prebuilt:` disables the run-result cache (whose key digests the
-    # *disk* file), so a mutant is never served a stale clean hit.
+    # are paid ONCE by the caller and threaded into the {DiagnosticOracle}; each
+    # mutant reuses them through `Runner.new(prebuilt:)#run_source` (in-memory
+    # overlay, no disk write).
     class MutationScanner
       # A surviving mutation site — a breakage Rigor did not catch.
       SurvivingSite = Data.define(:line, :receiver, :method_name, :operator)
@@ -39,18 +38,46 @@ module Rigor
         def ratio = total.zero? ? 1.0 : killed.to_f / total
       end
 
+      # ADR-70 — one type-survivor classified by the dynamic (test) axis.
+      # `protection` is `:test` (a test caught it) or `:none` (unprotected — the
+      # "add a type OR a test here" sites).
+      FusedSite = Data.define(:line, :receiver, :method_name, :operator, :protection)
+
+      # ADR-70 — the per-file fused classification. The gradual short-circuit
+      # collapses the conceptual "doubly-protected" bucket into `type_killed`:
+      # a mutant the type checker already kills never reaches the suite, because
+      # the static net already suffices and re-running the suite to learn a test
+      # *would also* catch it is wasted work. So the observed buckets are three.
+      FusedFileResult = Data.define(:path, :type_killed, :test_killed, :sites) do
+        # The unprotected sites (neither a type nor a test caught the breakage).
+        def unprotected = sites.size
+        def total = type_killed + test_killed + unprotected
+
+        # Fused protected ratio — caught by *either* axis.
+        def ratio = total.zero? ? 1.0 : (type_killed + test_killed).to_f / total
+      end
+
       # @param configuration [Rigor::Configuration]
       # @param environment [Rigor::Environment] pre-built once by the caller
       # @param project_scan [Rigor::Analysis::ProjectScan] pre-built once
       # @param limit [Integer, nil] optional per-file mutation cap (sampled with
       #   `seed`); nil analyses every type-relevant mutation (deterministic).
       # @param seed [Integer] RNG seed for the optional sample.
-      def initialize(configuration:, environment:, project_scan:, limit: nil, seed: 1)
-        @configuration = configuration
+      # @param oracle [#baseline, #killed?, nil] the kill oracle (ADR-69 Seam 1);
+      #   defaults to the {DiagnosticOracle} (the ADR-62/63 behaviour).
+      # @param site_selector [:biteable, :all] which sites to mutate (ADR-69
+      #   Seam 2). `:biteable` (default) keeps only concrete-type sites Rigor can
+      #   bite; `:all` also mutates Dynamic-receiver dispatch sites — use only
+      #   with a {TestSuiteOracle} (the fused overlay), never the diagnostic path.
+      def initialize(configuration:, environment:, project_scan:, limit: nil, seed: 1, oracle: nil,
+                     site_selector: :biteable)
         @environment = environment
-        @project_scan = project_scan
         @limit = limit
         @seed = seed
+        @site_selector = site_selector
+        @oracle = oracle || DiagnosticOracle.new(
+          configuration: configuration, environment: environment, project_scan: project_scan
+        )
       end
 
       # @param path [String] the file to measure (used as the in-memory bind path)
@@ -58,21 +85,13 @@ module Rigor
       # @return [FileResult]
       def scan_file(path, source: nil)
         source ||= File.read(path, encoding: Encoding::UTF_8)
-        mutator = Mutator.new(source)
-        kept, = mutator.filter_by_type(mutator.mutations, environment: @environment, path: path)
-        kept = sample(kept)
+        kept = kept_mutations(source, path)
         return FileResult.new(path: path, killed: 0, survived: 0, sites: []) if kept.empty?
 
-        baseline = signatures(analyse(source, path))
-        measure(source, path, kept, baseline)
-      end
-
-      private
-
-      def measure(source, path, mutations, baseline)
+        baseline = @oracle.baseline(source: source, path: path)
         killed = 0
         sites = []
-        mutations.each do |mut|
+        kept.each do |mut|
           case classify(source, path, mut, baseline)
           when :killed then killed += 1
           when :survived then sites << surviving_site(mut)
@@ -82,39 +101,80 @@ module Rigor
         FileResult.new(path: path, killed: killed, survived: sites.size, sites: sites)
       end
 
+      # ADR-70 — the fused static∪dynamic measurement. Runs the type pass
+      # (the {DiagnosticOracle}); for every mutant the type checker did **not**
+      # kill, asks `test_oracle` whether the project's test suite catches it.
+      # The expensive suite run is paid only for type-survivors (the gradual
+      # short-circuit), so the cost is proportional to the protection hole.
+      # @param test_oracle [TestSuiteOracle]
+      # @return [FusedFileResult]
+      def scan_file_fused(path, test_oracle:, source: nil)
+        source ||= File.read(path, encoding: Encoding::UTF_8)
+        kept = kept_mutations(source, path)
+        return FusedFileResult.new(path: path, type_killed: 0, test_killed: 0, sites: []) if kept.empty?
+
+        baseline = @oracle.baseline(source: source, path: path)
+        type_killed = 0
+        test_killed = 0
+        sites = []
+        kept.each do |mut|
+          case classify(source, path, mut, baseline)
+          when :killed then type_killed += 1
+          when :survived
+            if test_oracle.killed?(path: path, original: source, mutant_source: mut.apply(source))
+              test_killed += 1
+            else
+              sites << fused_site(mut, :none)
+            end
+            # :invalid — a parse-broken mutant; not a measurement, skip it.
+          end
+        end
+        FusedFileResult.new(path: path, type_killed: type_killed, test_killed: test_killed, sites: sites)
+      end
+
+      private
+
+      # The mutations to measure: the biteable filter (concrete-type sites only;
+      # the FP-safe default — an unresolved receiver is kept) or, under the
+      # `:all` selector (ADR-69 Seam 2), every dispatch site including Dynamic
+      # receivers. Optionally sampled.
+      def kept_mutations(source, path)
+        mutator = Mutator.new(source)
+        muts = mutator.mutations
+        kept =
+          if @site_selector == :all
+            mutator.dispatch_site_mutations(muts, environment: @environment, path: path)
+          else
+            mutator.filter_by_type(muts, environment: @environment, path: path).first
+          end
+        sample(kept)
+      end
+
       def classify(source, path, mut, baseline)
         mutant_source = mut.apply(source)
         return :invalid unless Prism.parse(mutant_source).success?
 
-        new_diagnostics = analyse(mutant_source, path).reject { |d| baseline.include?(sig(d)) }
-        new_diagnostics.empty? ? :survived : :killed
+        @oracle.killed?(mutant_source: mutant_source, path: path, baseline: baseline) ? :killed : :survived
       rescue StandardError
         # A harness-level failure on one mutant must not abort the file.
         :invalid
       end
 
-      # cache_store: nil + prebuilt: scan ⇒ the run cache is bypassed and the
-      # mutant is always re-analysed against the in-memory bytes.
-      def analyse(source, path)
-        Rigor::Analysis::Runner.new(
-          configuration: @configuration, environment: @environment, prebuilt: @project_scan,
-          cache_store: nil, collect_stats: false
-        ).run_source(source: source, path: path).diagnostics
-      end
-
       def sample(mutations)
         return mutations unless @limit
 
         mutations.sample(@limit, random: Random.new(@seed))
       end
 
-      def signatures(diagnostics) = diagnostics.to_set { |d| sig(d) }
-      def sig(diagnostic) = [diagnostic.rule, diagnostic.path, diagnostic.line, diagnostic.column, diagnostic.message]
-
       def surviving_site(mut)
         SurvivingSite.new(line: mut.line, receiver: mut.anchor_type,
                           method_name: mut.method_name, operator: mut.operator.to_s)
       end
+
+      def fused_site(mut, protection)
+        FusedSite.new(line: mut.line, receiver: mut.anchor_type, method_name: mut.method_name,
+                      operator: mut.operator.to_s, protection: protection)
+      end
     end
   end
 end

data/lib/rigor/protection/mutator.rb

@@ -98,6 +98,27 @@ module Rigor
         [kept, mutations.size - kept.size]
       end
 
+      # ADR-69 Seam 2 (AllSites) — keep every *dispatch-site* mutation (a method
+      # call or a call-argument literal), Dynamic receiver included, annotating
+      # the anchor type where Rigor holds one. Drops only non-dispatch literals
+      # (a literal outside any call — no receiver contract to violate). The
+      # biteable {#filter_by_type} hides exactly the Dynamic sites a test-suite
+      # consumer most wants to probe: where Rigor cannot bite, a test is the only
+      # protection. Use only with a {TestSuiteOracle} — at a Dynamic site the
+      # type pass can never kill, so without the test axis these are all noise.
+      def dispatch_site_mutations(mutations, environment:, path:)
+        base = Rigor::Scope.empty(environment: environment, source_path: path)
+        index = Rigor::Inference::ScopeIndexer.index(@parse.value, default_scope: base)
+        cache = {}
+        mutations.select do |mut|
+          next false if mut.method_name.nil?
+
+          _keep, type = anchor_decision(mut.anchor, index, cache)
+          mut.anchor_type = type
+          true
+        end
+      end
+
       private
 
       def walk(node, &blk)

data/lib/rigor/protection/test_suite_oracle.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module Rigor
+  module Protection
+    # ADR-70 — the **test-suite** kill oracle, the dynamic sibling of
+    # {DiagnosticOracle} on the ADR-69 seam. A mutant is killed iff applying its
+    # bytes to the file under test turns the project's test suite **red**. This is
+    # the dynamic half of the fused static∪dynamic protection map: a `Dynamic`
+    # site Rigor cannot bite (a type survivor) may still be fully guarded by a
+    # test.
+    #
+    # The suite command is the **runner hook** (`--test-command`, e.g.
+    # `bundle exec rake`). The runner is injectable so the decision logic is
+    # unit-testable without shelling out; the default shells out and reads the
+    # process exit status (0 = green / passed).
+    #
+    # I/O policy: {#killed?} writes the mutant to disk, runs the suite, and
+    # **always restores** the original bytes in an `ensure` — a normal exception
+    # never leaves a mutant on disk. (A hard interrupt mid-suite is the standard
+    # mutation-testing hazard the `ensure` cannot cover; callers running this in
+    # CI accept that, as `mutant` / Stryker do.)
+    class TestSuiteOracle
+      # @param command [Array<String>] the test command (the runner hook)
+      # @param runner [#call, nil] `runner.call(command) -> true iff the suite
+      #   passed`. Defaults to shelling out via `system`.
+      def initialize(command:, runner: nil)
+        @command = command
+        @runner = runner || method(:shell_run)
+      end
+
+      # The baseline: the suite must pass on clean code, else "a mutant survived"
+      # is meaningless (every mutant would look killed, or none would). Run once
+      # before measuring.
+      def green?
+        @runner.call(@command)
+      end
+
+      # Killed iff the mutant turns the suite red. Restores `original` afterward.
+      # @param path [String] the file to (temporarily) overwrite with the mutant
+      # @param original [String] the clean bytes to restore
+      # @param mutant_source [String] the mutated bytes to test against
+      def killed?(path:, original:, mutant_source:)
+        File.write(path, mutant_source)
+        !@runner.call(@command)
+      ensure
+        File.write(path, original)
+      end
+
+      private
+
+      # Run the suite with Bundler's environment stripped, so a `bundle exec`
+      # test command resolves the **target** project's Gemfile — not whatever
+      # bundle Rigor itself was launched under. Running Rigor via `bundle exec`
+      # leaks `RUBYOPT=-rbundler/setup` + `GEM_HOME` / `BUNDLE_*` into a plain
+      # `system` subprocess, which then resolves the target's Gemfile against
+      # Rigor's gems and fails — so a green suite looks red and the run aborts.
+      # `with_unbundled_env` restores the pre-bundler env (a bare `env -u
+      # BUNDLE_GEMFILE` is not enough — the `BUNDLER_ORIG_*` preservers defeat
+      # it). Found validating ADR-70 on real projects (2026-06-17).
+      def shell_run(command)
+        run = -> { system(*command, out: File::NULL, err: File::NULL) }
+        return run.call unless defined?(Bundler) && Bundler.respond_to?(:with_unbundled_env)
+
+        Bundler.with_unbundled_env(&run)
+      end
+    end
+  end
+end

data/lib/rigor/signature_path_audit.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module Rigor
+  # Classifies each configured `signature_paths:` entry by what it
+  # actually contributes to the RBS environment, so a caller can warn
+  # when a configured path resolves to nothing.
+  #
+  # The failure this guards against is silent. {Environment::RbsLoader}
+  # `add`s a `signature_paths:` entry only when `path.directory?`, and
+  # only the `.rbs` files under it carry signatures — so a typo'd or
+  # moved path (or a directory holding no `.rbs`) loads zero signatures
+  # with no trace on stderr or in the run summary. The downstream symptom
+  # is the most authoritative diagnostics: every call into the extensions
+  # the missing RBS was meant to describe fires `call.undefined-method` at
+  # `evidence_tier: high`. A one-character path typo can manufacture
+  # hundreds of plausible-looking false positives; surfacing the empty
+  # entry makes the real cause visible.
+  #
+  # The audit deliberately mirrors the loader's own acceptance test
+  # (`path.directory?` + a recursive `**/*.rbs` glob) so a `:ok` verdict
+  # means the loader did load from it and a warning means it did not.
+  module SignaturePathAudit
+    # One configured `signature_paths:` entry's resolution status.
+    #
+    # `status` is one of:
+    # - `:ok`            — a directory containing at least one `.rbs`.
+    # - `:missing`       — the path does not exist.
+    # - `:not_directory` — the path exists but is not a directory (the
+    #   loader only `add`s directories, so a `.rbs` file passed directly
+    #   is silently ignored).
+    # - `:empty`         — a directory with no `.rbs` file (recursive).
+    Entry = Data.define(:path, :status, :rbs_file_count) do
+      def ok?
+        status == :ok
+      end
+
+      def warning?
+        !ok?
+      end
+
+      # One-line, human-facing reason. The wording matches the loader's
+      # actual behaviour ("loaded nothing from it") rather than the
+      # filesystem error, so the message points at the consequence.
+      def message
+        case status
+        when :missing
+          "signature_paths: #{path.inspect} does not exist (no signatures loaded from it)"
+        when :not_directory
+          "signature_paths: #{path.inspect} is not a directory (no signatures loaded from it)"
+        when :empty
+          "signature_paths: #{path.inspect} matched 0 signature files"
+        else
+          "signature_paths: #{path.inspect} loaded #{rbs_file_count} signature file(s)"
+        end
+      end
+
+      def to_h
+        { "path" => path, "status" => status.to_s, "rbs_file_count" => rbs_file_count, "message" => message }
+      end
+    end
+
+    # Audits each configured entry. `signature_paths` is the
+    # {Configuration#signature_paths} array (absolute paths, already
+    # resolved against the config file's directory). Pass `nil` — the
+    # unset default, where Rigor auto-detects `<root>/sig` — to get an
+    # empty result: an absent auto-detected `sig/` is a normal setup, not
+    # a misconfiguration, so it is never audited.
+    #
+    # @param signature_paths [Array<String, Pathname>, nil]
+    # @return [Array<Entry>]
+    def self.audit(signature_paths)
+      Array(signature_paths).map { |path| classify(path.to_s) }
+    end
+
+    # The subset of {audit} that resolved to nothing — the entries worth
+    # warning about.
+    #
+    # @param signature_paths [Array<String, Pathname>, nil]
+    # @return [Array<Entry>]
+    def self.warnings(signature_paths)
+      audit(signature_paths).select(&:warning?)
+    end
+
+    def self.classify(path)
+      return Entry.new(path: path, status: :missing, rbs_file_count: 0) unless File.exist?(path)
+      return Entry.new(path: path, status: :not_directory, rbs_file_count: 0) unless File.directory?(path)
+
+      count = Dir.glob(File.join(path, "**", "*.rbs")).size
+      Entry.new(path: path, status: count.zero? ? :empty : :ok, rbs_file_count: count)
+    end
+  end
+end

data/lib/rigor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Rigor
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rigortype
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Rigor contributors
@@ -281,6 +281,29 @@ files:
 - data/builtins/ruby_core/string.yml
 - data/builtins/ruby_core/struct.yml
 - data/builtins/ruby_core/time.yml
+- data/core_overlay/numeric.rbs
+- data/core_overlay/pathname.rbs
+- data/core_overlay/string_scanner.rbs
+- data/gem_overlay/activesupport/core_ext.rbs
+- data/vendored_gem_sigs/ast/ast.rbs
+- data/vendored_gem_sigs/bcrypt/bcrypt.rbs
+- data/vendored_gem_sigs/bundler/bundler.rbs
+- data/vendored_gem_sigs/cgi/cgi_extras.rbs
+- data/vendored_gem_sigs/did_you_mean/did_you_mean_extras.rbs
+- data/vendored_gem_sigs/idn-ruby/idn.rbs
+- data/vendored_gem_sigs/mysql2/client.rbs
+- data/vendored_gem_sigs/mysql2/error.rbs
+- data/vendored_gem_sigs/mysql2/result.rbs
+- data/vendored_gem_sigs/mysql2/statement.rbs
+- data/vendored_gem_sigs/nokogiri/nokogiri.rbs
+- data/vendored_gem_sigs/nokogiri/nokogiri_html5.rbs
+- data/vendored_gem_sigs/pg/pg.rbs
+- data/vendored_gem_sigs/prism/prism_supplement.rbs
+- data/vendored_gem_sigs/redis/errors.rbs
+- data/vendored_gem_sigs/redis/future.rbs
+- data/vendored_gem_sigs/redis/redis.rbs
+- data/vendored_gem_sigs/redis/redis_extras.rbs
+- data/vendored_gem_sigs/rubygems/rubygems_extras.rbs
 - exe/rigor
 - lib/rigor.rb
 - lib/rigor/analysis/baseline.rb
@@ -343,12 +366,15 @@ files:
 - lib/rigor/cli/ci_detector.rb
 - lib/rigor/cli/command.rb
 - lib/rigor/cli/coverage_command.rb
+- lib/rigor/cli/coverage_mutation.rb
 - lib/rigor/cli/coverage_renderer.rb
 - lib/rigor/cli/coverage_report.rb
 - lib/rigor/cli/coverage_scan.rb
 - lib/rigor/cli/diagnostic_formats.rb
 - lib/rigor/cli/diff_command.rb
 - lib/rigor/cli/explain_command.rb
+- lib/rigor/cli/fused_protection_renderer.rb
+- lib/rigor/cli/fused_protection_report.rb
 - lib/rigor/cli/lsp_command.rb
 - lib/rigor/cli/mcp_command.rb
 - lib/rigor/cli/mutation_protection_renderer.rb
@@ -373,6 +399,7 @@ files:
 - lib/rigor/cli/type_scan_command.rb
 - lib/rigor/cli/type_scan_renderer.rb
 - lib/rigor/cli/type_scan_report.rb
+- lib/rigor/config_audit.rb
 - lib/rigor/configuration.rb
 - lib/rigor/configuration/dependencies.rb
 - lib/rigor/configuration/severity_profile.rb
@@ -519,8 +546,10 @@ files:
 - lib/rigor/plugin/source_rbs_synthesis_reporter.rb
 - lib/rigor/plugin/trust_policy.rb
 - lib/rigor/plugin/type_node_resolver.rb
+- lib/rigor/protection/diagnostic_oracle.rb
 - lib/rigor/protection/mutation_scanner.rb
 - lib/rigor/protection/mutator.rb
+- lib/rigor/protection/test_suite_oracle.rb
 - lib/rigor/rbs_extended.rb
 - lib/rigor/rbs_extended/conformance_checker.rb
 - lib/rigor/rbs_extended/hkt_directives.rb
@@ -540,6 +569,7 @@ files:
 - lib/rigor/sig_gen/type_elaborator.rb
 - lib/rigor/sig_gen/write_result.rb
 - lib/rigor/sig_gen/writer.rb
+- lib/rigor/signature_path_audit.rb
 - lib/rigor/source.rb
 - lib/rigor/source/constant_path.rb
 - lib/rigor/source/literals.rb