Commit bfd08b7
test(matrix): Wave 6 — manner-matrix CI guard (auth×tier×flag×error) (#267)
Extends the route done-bar guard into a MANNER-matrix guard so "every user/API
interaction, in every manner" is a structural CI guarantee that can't silently
regress (CEO core fear). The route guard asserts every (method,path) has *a*
covering test; this asserts every applicable (auth×tier×flag×error) CELL of a
route is mapped to a named test or a justified exemption.
Design ref: docs/ci/01-CI-INTEGRATION-DESIGN.md §"Every scenario CI must cover"
+ the manner matrix in docs/ci/00-INTERACTION-PATHS.md Part B2. Mirrors the
existing route_donebar_guard_test.go pattern (same package, same live router,
same AST map-rot integrity check) — not a divergent style.
Manner dimensions (each applied only to the routes where it's relevant, derived
from the LIVE route tree + small reverse-drift-checked policy sets, so a new
route/tier/flag auto-expands the required cells — rule 18):
- auth-negative-401 (every authenticated route)
- tier-gate-402 (provisioning / deploy / stack / pause-resume / twin /
domains / vault / make-permanent / ttl / github)
- flag-off-and-on (DEPLOY_SCALE_TO_ZERO_ENABLED wake;
RESOURCE_COUNT_CAPS_ENABLED count-cap) — BOTH arms required + verified
- anon-gate-402-429 (anon-capable /new family: recycle 402 + cross-svc 429)
- backend-failure-503 (provisioning/deploy backend faults + teardown)
- idempotency-replay (+idem routes; proven once at the middleware layer)
The tier axis iterates plans.Default().All() (registry, not a hand-typed list);
TestMannerMatrix_TierDimensionIteratesRegistry binds "tiers in the registry" to
"routes that enforce them". TestMannerMatrix_MapPointsAtRealTests AST-parses
handlers/middleware/e2e and asserts every referenced test (incl. each comma-
separated flag arm) actually exists, closing the map-rot loophole.
Honest gap ledger (TestMannerMatrix_ReportExemptionBacklog) — 4 live-required
cells exempt-with-TODO, the real remaining backlog:
- backend-failure-503 | POST /deploy/new (needs live k8s Kaniko; W4)
- backend-failure-503 | POST /stacks/new (needs live k8s; W4)
- tier-gate-402 | POST /storage/new (per-tier real-backend 402; W3)
- auth-negative-401 | GET /integrations/github/callback (GitHub OAuth; W6)
Guard proven to RED on a missing cell: adding a new tier-gated route OR removing
a map row fails TestMannerMatrix_EveryApplicableCellCovered with an actionable
message naming the exact (route, dimension). Hermetic, -short-safe, no DB/net.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 4369a86 commit bfd08b7
1 file changed
Lines changed: 754 additions & 0 deletions
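The guard idea described in the commit message, reduced to a minimal sketch. This is an added example, not the commit's own code: `Route`, `dims`, `missingCells`, the `exempt:` value convention and the sample route are hypothetical, and only three of the six dimensions are modelled.

```go
package main
import (
	"fmt"
	"strings"
)

// Route is a constructed stand-in for one entry of the live route tree.
type Route struct {
	Method, Path, Flag string // Flag: gating feature flag, "" if none
	Authed, TierGated  bool
}

// dims: applicability comes from the route itself, so a new route adds cells.
var dims = []struct {
	Name    string
	Applies func(Route) bool
}{
	{"auth-negative-401", func(r Route) bool { return r.Authed }},
	{"tier-gate-402", func(r Route) bool { return r.TierGated }},
	{"flag-off-and-on", func(r Route) bool { return r.Flag != "" }},
}

// missingCells reports required cells that are unmapped, name a test that does not
// exist (map rot), or cover one flag arm only. Values: test names or "exempt: <why>".
func missingCells(routes []Route, matrix map[string]string, known map[string]bool) (out []string) {
	for _, r := range routes {
		for _, d := range dims {
			key := d.Name + " | " + r.Method + " " + r.Path
			switch v, ok := matrix[key]; {
			case !d.Applies(r) || strings.HasPrefix(v, "exempt:"): // not required, or justified
			case !ok:
				out = append(out, key+": no test or exemption")
			case d.Name == "flag-off-and-on" && strings.Count(v, ",") < 1:
				out = append(out, key+": both flag arms required")
			default:
				for _, t := range strings.Split(v, ",") {
					if !known[strings.TrimSpace(t)] {
						out = append(out, key+": missing test "+strings.TrimSpace(t))
					}
				}
			}
		}
	}
	return out
}

func main() { // constructed sample: every cell of this route is unmapped
	r := Route{Method: "POST", Path: "/storage/new", Authed: true, TierGated: true}
	fmt.Println(missingCells([]Route{r}, map[string]string{}, nil))
}
```

In a real guard the `known` set would come from AST-parsing the test packages, as the commit message describes, rather than being passed in by hand.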