v0.1.3

Latest

@github-actions github-actions released this 20 Jun 06:40
· 3 commits to main since this release
d231ecd

The first release that pairs the published gem with the interactive viewer the README has been showcasing, plus the supply-chain hardening that justifies shipping a vendored third-party JS file inside the gem.

Added

  • Interactive view --output html viewer. Replaces the static Mermaid embed with a Cytoscape.js-based page that renders 5k+ nodes, filters live by kind / confidence, supports a name-substring search, and copies path:line to the clipboard on node click. The Cytoscape library is vendored into the gem at a sha256-pinned version (lib/rigor/module_graph/templates/vendor/cytoscape.min.js); no CDN, no npm, no Dependabot auto-bump. See docs/plan.md "2D interactive viewer" for the supply-chain rationale.
  • --path-mode {relative,absolute,none} flag on view — controls how node paths reach the viewer's click-through metadata. none strips paths from the HTML artefact, which is the right setting when sharing the file outside the project (PR comment, gist, …).
  • --open-with vscode flag on view — flips the node-click action from clipboard copy to vscode://file/<path>:<line> so the editor jumps straight to the source location.
  • bundle exec rake vendor:verify task — recomputes sha256 for every file in vendor/CHECKSUMS and fails on mismatch. Wired into pre-commit on any staged file under lib/**/templates/vendor/**.
  • .github/dependabot.yml — weekly Bundler + GitHub Actions bumps; vendor/** is explicitly excluded so vendored third-party JS never auto-updates.
  • bundle exec rake vendor:audit — 4-source cross-check (local sha256 / npm tarball dist.integrity / tarball-internal copy / GitHub raw / every CDN). Reads lib/rigor/module_graph/templates/vendor/MANIFEST.yml for the provenance metadata. Use on bump PRs; not part of the regular CI pipeline (network-using).
  • CI now runs rake vendor:verify independently of pre-commit so an unaudited bump can't land on main even if local hooks were skipped.
  • CI now regenerates examples/billing/ via script/check_billing_drift.rb and fails on drift between the freshly-built artefacts and the committed copies. Normalises the graphviz version banner so the runner's apt-shipped version doesn't trigger a false positive.
  • New docs/security.md consolidates the supply-chain story (Bundler / Dependabot cooldown, vendored-JS sha256 + 4-source audit, action SHA pinning, OIDC trusted publishing).
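
The kind of check the rake vendor:verify bullet above describes (recompute sha256 for every pinned file, fail on mismatch), as an added Ruby example that is not the project's own task. The CHECKSUMS line format, the extra checks for unlisted files and path escapes, and all names below are assumptions.

```ruby
# Added example, not the project's Rake task. The CHECKSUMS line format
# ("<sha256 hex>  <relative path>") and all names here are assumptions.
require "digest"
require "tmpdir"

# Returns a list of problems; an empty list means the vendored tree verifies.
def verify_vendor(vendor_dir, checksums_path)
  problems = []
  pinned = {}
  File.readlines(checksums_path, chomp: true).each_with_index do |line, i|
    next if line.strip.empty?
    m = line.match(/\A([0-9a-f]{64})\s+(\S.*)\z/)
    if m then pinned[m[2]] = m[1] else problems << "malformed line #{i + 1}" end
  end
  root = File.realpath(vendor_dir)
  pinned.each do |rel, expected|
    path = File.expand_path(rel, root)
    if !path.start_with?(root + File::SEPARATOR)
      problems << "outside vendor dir: #{rel}" # e.g. "../other.js"
    elsif !File.file?(path)
      problems << "missing: #{rel}"
    elsif Digest::SHA256.file(path).hexdigest != expected
      problems << "mismatch: #{rel}"
    end
  end
  # A shipped file that was never pinned is as suspect as a modified one.
  Dir.glob("**/*", base: root).sort.each do |rel|
    next unless File.file?(File.join(root, rel))
    problems << "unlisted: #{rel}" unless pinned.key?(rel)
  end
  problems
end

# Constructed sample: one pinned file, then tampering and an extra file.
def demo
  Dir.mktmpdir do |dir|
    vendor = File.join(dir, "vendor")
    Dir.mkdir(vendor)
    lib = File.join(vendor, "lib.min.js")
    File.write(lib, "/* constructed stand-in for a vendored library */\n")
    sums = File.join(dir, "CHECKSUMS")
    File.write(sums, "#{Digest::SHA256.file(lib).hexdigest}  lib.min.js\n")
    clean = verify_vendor(vendor, sums)
    File.write(lib, "/* tampered */\n", mode: "a")
    File.write(File.join(vendor, "extra.js"), "// not pinned\n")
    [clean, verify_vendor(vendor, sums)]
  end
end
p demo if $PROGRAM_NAME == __FILE__
```

A Rake task or CI step built on this would exit non-zero whenever the returned list is non-empty.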

Changed

  • view --output html semantics. The flag now produces the interactive viewer. The previous static Mermaid HTML moves behind --output mermaid-html (still loads Mermaid from a CDN, kept for back-compat).
  • CI workflows read Ruby from .ruby-version instead of pinning "4.0.0" inline, so future .ruby-version bumps no longer need a .github/workflows/ chase.
  • RDoc dependency bumped from ~> 6.0 to ~> 7.0 (resolves to 7.2.0). gemspec.rdoc_options corrected to --markup markdown to match .rdoc_options and the Rakefile, fixing the silent inconsistency left when the README rendering fix landed in [0.1.2]. No code change; rake rdoc emits no warnings under 7.x.
  • README hero leads with the Cytoscape viewer screenshot (the default output) and the Graphviz SVG follows. examples/billing/preview.png resized from 1280x860 to 720x483 so it fits the RDoc darkfish content pane on the GitHub Pages site without overflow.
  • README Documentation index re-ordered along the natural reading flow: how-it-works → security → limitation → development → plan.