Wave 6: manner-matrix CI guard (auth×tier×flag×error) #267

Merged
mastermanas805 merged 1 commit into master from ci/wave6-manner-matrix-guard, Jun 6, 2026
@mastermanas805

What

Extends the registry-iterating route done-bar guard (route_donebar_guard_test.go) into a manner-matrix guard (internal/router/manner_matrix_guard_test.go). The route guard asserts every (method,path) has a covering test; this asserts every applicable (auth × tier × flag × error) CELL of a route is mapped to a named test or a justified exemption — making "every interaction in every manner" a structural CI guarantee that can't silently regress.

Design ref: docs/ci/01-CI-INTEGRATION-DESIGN.md §"Every scenario CI must cover" + the manner matrix in docs/ci/00-INTERACTION-PATHS.md Part B2. Mirrors the route guard's pattern (same package, same live router, same AST map-rot integrity check).

Manner dimensions (registry-iterating, rule 18)

Each dimension applies only to the routes where it's relevant, derived from the LIVE route tree + small reverse-drift-checked policy sets — so a new route / tier / flag auto-expands the required cells:

| Dimension | Applies to | Asserts |
| --- | --- | --- |
| auth-negative-401 | every authenticated route | invalid/expired bearer → 401 |
| tier-gate-402 | provisioning, deploy, stack, pause/resume, twin, domains, vault, make-permanent, ttl, github | over-limit / under-tier → 402 |
| flag-off-and-on | wake (DEPLOY_SCALE_TO_ZERO_ENABLED), count-cap (RESOURCE_COUNT_CAPS_ENABLED) | both OFF + ON arms (each verified to exist) |
| anon-gate-402-429 | anon-capable /new family | recycle 402 + cross-service over-cap 429 |
| backend-failure-503 | provisioning/deploy backend fault + teardown | 503 |
| idempotency-replay | +idem routes | replay returns cached (proven once at middleware layer) |

The tier axis iterates plans.Default().All() (the registry, not a hand-typed list). TestMannerMatrix_TierDimensionIteratesRegistry binds "tiers in the registry" to "routes that enforce them". TestMannerMatrix_MapPointsAtRealTests AST-parses handlers/middleware/e2e and asserts every referenced test (incl. each comma-separated flag arm) exists — closing the map-rot loophole.

Honest gap ledger (the real next backlog)

TestMannerMatrix_ReportExemptionBacklog prints the 4 live-required cells that are exempt-with-TODO (not fabricated coverage):

  • backend-failure-503 | POST /deploy/new — needs live k8s Kaniko backend (W4)
  • backend-failure-503 | POST /stacks/new — needs live k8s backend (W4)
  • tier-gate-402 | POST /storage/new — per-tier real-backend 402 wall (W3)
  • auth-negative-401 | GET /integrations/github/callback — real GitHub OAuth (W6)

Proof the guard reds on a missing cell

  • Adding a new tier-gated route (e.g. GET /api/v1/team to tierGatedRoutes) → TestMannerMatrix_EveryApplicableCellCovered/tier-gate-402|GET_/api/v1/team FAILS: "cell ... has NO mapped manner test and NO exemption. Add a covering test + a mannerCoverageMap row, OR ... an exemption with a reason + a TODO wave pointer."
  • Removing a map row (e.g. the deploy tier-gate) → same actionable red, naming the exact (route, dimension).

Verify

  • New file is hermetic (in-memory router, no DB/Redis/net), -short-safe, never flakes.
  • go build ./... + go vet clean; internal/router package green (both guards coexist).
  • The only make gate red locally is a pre-existing internal/models/deployment_ttl_test.go NULL-app_id scan drift on the local test DB — reproduces on clean master without this file; CI provides a freshly-migrated DB. This PR touches internal/router only.

Test-only change; no runtime/contract change.

🤖 Generated with Claude Code

Extends the route done-bar guard into a MANNER-matrix guard so "every user/API
interaction, in every manner" is a structural CI guarantee that can't silently
regress (CEO core fear). The route guard asserts every (method,path) has *a*
covering test; this asserts every applicable (auth×tier×flag×error) CELL of a
route is mapped to a named test or a justified exemption.

Design ref: docs/ci/01-CI-INTEGRATION-DESIGN.md §"Every scenario CI must cover"
+ the manner matrix in docs/ci/00-INTERACTION-PATHS.md Part B2. Mirrors the
existing route_donebar_guard_test.go pattern (same package, same live router,
same AST map-rot integrity check) — not a divergent style.

Manner dimensions (each applied only to the routes where it's relevant, derived
from the LIVE route tree + small reverse-drift-checked policy sets, so a new
route/tier/flag auto-expands the required cells — rule 18):
  - auth-negative-401   (every authenticated route)
  - tier-gate-402       (provisioning / deploy / stack / pause-resume / twin /
                         domains / vault / make-permanent / ttl / github)
  - flag-off-and-on     (DEPLOY_SCALE_TO_ZERO_ENABLED wake; RESOURCE_COUNT_CAPS
                         _ENABLED count-cap) — BOTH arms required + verified
  - anon-gate-402-429   (anon-capable /new family: recycle 402 + cross-svc 429)
  - backend-failure-503 (provisioning/deploy backend faults + teardown)
  - idempotency-replay  (+idem routes; proven once at the middleware layer)

The tier axis iterates plans.Default().All() (registry, not a hand-typed list);
TestMannerMatrix_TierDimensionIteratesRegistry binds "tiers in the registry" to
"routes that enforce them". TestMannerMatrix_MapPointsAtRealTests AST-parses
handlers/middleware/e2e and asserts every referenced test (incl. each comma-
separated flag arm) actually exists, closing the map-rot loophole.

Honest gap ledger (TestMannerMatrix_ReportExemptionBacklog) — 4 live-required
cells exempt-with-TODO, the real remaining backlog:
  - backend-failure-503 | POST /deploy/new   (needs live k8s Kaniko; W4)
  - backend-failure-503 | POST /stacks/new   (needs live k8s; W4)
  - tier-gate-402       | POST /storage/new  (per-tier real-backend 402; W3)
  - auth-negative-401   | GET /integrations/github/callback (GitHub OAuth; W6)

Guard proven to RED on a missing cell: adding a new tier-gated route OR removing
a map row fails TestMannerMatrix_EveryApplicableCellCovered with an actionable
message naming the exact (route, dimension). Hermetic, -short-safe, no DB/net.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mastermanas805 enabled auto-merge (squash) June 6, 2026 01:06
mastermanas805 merged commit bfd08b7 into master Jun 6, 2026
18 checks passed
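
The guard pattern described in this PR, as an added sketch that is not the project's `manner_matrix_guard_test.go` (the page does not show that file): cells are derived from route properties, each cell needs a mapped test or an exemption reason, and every mapped test name is checked against an AST parse of the test source. `Route`, `declaredTests`, `audit`, the two-dimension subset and the sample test names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Route is a hypothetical stand-in for one live route-tree entry (not the project's type).
type Route struct{ Name string; Authed, TierGated bool }

// declaredTests AST-parses Go source; unparseable source yields an empty set (fail closed).
func declaredTests(src string) map[string]bool {
	names := map[string]bool{}
	if f, err := parser.ParseFile(token.NewFileSet(), "x_test.go", src, 0); err == nil {
		for _, d := range f.Decls {
			if fn, ok := d.(*ast.FuncDecl); ok && strings.HasPrefix(fn.Name.Name, "Test") {
				names[fn.Name.Name] = true
			}
		}
	}
	return names
}

// audit returns applicable cells lacking both test and exemption, and rows naming absent tests.
func audit(routes []Route, cover, exempt map[string]string, tests map[string]bool) (missing, rotten []string) {
	for _, r := range routes {
		for _, c := range []struct{ dim string; on bool }{{"auth-negative-401", r.Authed}, {"tier-gate-402", r.TierGated}} {
			cell := c.dim + "|" + r.Name
			if c.on && cover[cell] == "" && exempt[cell] == "" {
				missing = append(missing, cell)
			}
			for _, n := range strings.Split(cover[cell], ",") {
				if n = strings.TrimSpace(n); n != "" && !tests[n] {
					rotten = append(rotten, cell+" -> "+n)
				}
			}
		}
	}
	return missing, rotten
}

func main() { // constructed sample: one mapped route, one newly added route with no rows
	routes := []Route{{"POST /deploy/new", true, true}, {"GET /api/v1/team", true, true}}
	cover := map[string]string{"auth-negative-401|POST /deploy/new": "TestDeploy401", "tier-gate-402|POST /deploy/new": "TestDeploy402,TestGone"}
	fmt.Println(audit(routes, cover, nil, declaredTests("package x\nfunc TestDeploy401() {}\nfunc TestDeploy402() {}")))
}
```

Because the cells come from the route list rather than from the map, the newly added route shows up as missing without anyone editing the guard, and the deleted `TestGone` arm is reported as a rotten row.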