test(05-04): guardrail tests for Tier 1 verify spec completeness

- TestTier1VerifySpecs_Complete asserts 11 Tier 1 providers have HTTPS
  verify URLs and non-empty effective success codes
- TestInflection_NoVerifyEndpoint documents the intentional empty URL
- Prevents future regressions when editing provider YAMLs

pkg/providers/registry_test.go

@@ -1,6 +1,7 @@
 package providers_test
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/salvacybersec/keyhunter/pkg/providers"
@@ -49,6 +50,46 @@ func TestAhoCorasickBuild(t *testing.T) {
 	assert.Empty(t, noMatches)
 }
 
+func TestTier1VerifySpecs_Complete(t *testing.T) {
+	reg, err := providers.NewRegistry()
+	require.NoError(t, err)
+
+	// Tier 1 providers that must have a usable verify endpoint.
+	// Note: inflection is Tier 1 but intentionally excluded — no public verify endpoint.
+	tier1 := []string{
+		"openai", "anthropic", "google-ai", "cohere", "mistral",
+		"groq", "xai", "ai21", "perplexity", "deepseek", "together",
+	}
+	for _, name := range tier1 {
+		p, ok := reg.Get(name)
+		if !ok {
+			t.Errorf("provider %q not in registry", name)
+			continue
+		}
+		if p.Verify.URL == "" {
+			t.Errorf("provider %q: verify.url must be set", name)
+			continue
+		}
+		if !strings.HasPrefix(p.Verify.URL, "https://") {
+			t.Errorf("provider %q: verify.url must be HTTPS, got %q", name, p.Verify.URL)
+		}
+		if len(p.Verify.EffectiveSuccessCodes()) == 0 {
+			t.Errorf("provider %q: no success codes configured", name)
+		}
+	}
+}
+
+func TestInflection_NoVerifyEndpoint(t *testing.T) {
+	reg, err := providers.NewRegistry()
+	require.NoError(t, err)
+
+	p, ok := reg.Get("inflection")
+	if !ok {
+		t.Skip("inflection provider not loaded")
+	}
+	assert.Equal(t, "", p.Verify.URL, "inflection should have empty verify.url (no public endpoint)")
+}
+
 func TestProviderSchemaValidation(t *testing.T) {
 	invalid := []byte("format_version: 0\nname: invalid\nlast_verified: \"\"\n")
 	var p providers.Provider