--- phase: 03-tier-3-9-providers plan: 08 subsystem: providers tags: [tests, guardrail, tier3, tier4, tier5, tier6, tier7, tier8, tier9] requirements: [PROV-03, PROV-04, PROV-05, PROV-06, PROV-07, PROV-08, PROV-09] dependency-graph: requires: - "03-01..03-07 (all 82 Tier 3-9 provider YAML files embedded and loading)" - "pkg/providers/tier12_test.go (pattern + inherited TestAllPatternsCompile / TestAllProvidersHaveKeywords)" provides: - "Regression net locking registry at 108 providers" - "Drift detection for any rename, removal, or miscount across Tier 3-9" affects: - "All future phases that modify pkg/providers/definitions/*.yaml" tech-stack: added: [] patterns: - "Table-driven guardrail tests (per-tier count + per-tier name slice)" - "Inherited cross-tier invariants via existing TestAllPatternsCompile / TestAllProvidersHaveKeywords" key-files: created: - pkg/providers/tier39_test.go modified: [] decisions: - "Single guardrail file for Tier 3-9 (mirrors tier12_test.go) — simpler than one file per tier" - "Reuse existing TestAllPatternsCompile and TestAllProvidersHaveKeywords rather than duplicating — they already iterate reg.List() and cover every loaded provider" - "Per-tier Count tests kept separate (not table-driven) to produce clear per-tier failure messages in CI" metrics: duration: "~2 min" completed: "2026-04-05" tasks: 1 files_created: 1 files_modified: 0 --- # Phase 03 Plan 08: Tier 3-9 Guardrail Tests Summary Added `pkg/providers/tier39_test.go` — a guardrail test file that locks the provider registry at exactly 108 entries (26 Tier 1-2 + 82 Tier 3-9), enforces per-tier counts, and pins every Tier 3-9 provider name so future edits cannot silently drop or rename providers without a CI failure. ## What Was Built `pkg/providers/tier39_test.go` mirrors the `tier12_test.go` pattern and contains 11 test functions: - `TestTier3Count` .. `TestTier9Count` — seven per-tier assertions against `reg.Stats().ByTier[N]` (T3=12, T4=16, T5=11, T6=15, T7=10, T8=10, T9=8) - `TestTotalProviderCount` — asserts `reg.Stats().Total == 108` - `TestTier39ProviderNames` — table-driven; for each of 82 names in `expectedTier3`..`expectedTier9`, calls `reg.Get(name)` and verifies the returned `Provider.Tier` matches the expected tier Regex compilation (RE2) and keyword presence (≥1 per provider, required for the Aho-Corasick pre-filter) are already exercised globally by the pre-existing `TestAllPatternsCompile` and `TestAllProvidersHaveKeywords` in `tier12_test.go`, which iterate `reg.List()` and therefore automatically cover every newly added Tier 3-9 provider. No duplication needed. ## Verification ``` go test ./pkg/providers/... -count=1 -v -run 'TestTier[3-9]|TestTotalProviderCount|TestTier39ProviderNames|TestAllPatternsCompile|TestAllProvidersHaveKeywords' ``` All 11 Tier 3-9 tests plus the two inherited invariant tests pass. Full repo regression: ``` go test ./... -count=1 ok github.com/salvacybersec/keyhunter/pkg/engine 0.248s ok github.com/salvacybersec/keyhunter/pkg/providers 0.934s ok github.com/salvacybersec/keyhunter/pkg/storage 0.117s ``` Phase 1/2 guardrails (`TestTier1Count`, `TestTier2Count`, `TestTier1ProviderNames`, `TestTier2ProviderNames`) still green — no regression. ## Deviations from Plan None — plan executed exactly as written. ## Requirements Satisfied - **PROV-03** Tier 3 Specialized providers (12) — locked - **PROV-04** Tier 4 Chinese/Regional providers (16) — locked - **PROV-05** Tier 5 Infrastructure/Gateway providers (11) — locked - **PROV-06** Tier 6 Emerging/Niche providers (15) — locked - **PROV-07** Tier 7 Code/Dev Tools providers (10) — locked - **PROV-08** Tier 8 Self-Hosted providers (10) — locked - **PROV-09** Tier 9 Enterprise providers (8) — locked ## Commits - `1aea496` test(03-08): add Tier 3-9 guardrail tests locking 108 total providers ## Known Stubs None. ## Self-Check: PASSED - `pkg/providers/tier39_test.go` — FOUND - Commit `1aea496` — FOUND in git log - `go test ./... -count=1` — all packages green - 11 test functions in tier39_test.go (≥9 required) — verified