fix(v3): reject non-array ore 'ob' payloads at the extractor boundary

has_ore_block_256 used "val ->> 'ob' IS NOT NULL", which stringifies a
scalar/object 'ob' and reports it present. ore_block_256 then fed the
malformed payload into jsonb_array_to_ore_block_256, which returns NULL
instead of raising, silently degrading a structurally invalid ORE term
into a NULL comparison/index term.

Tighten the guard to require a JSON array
(jsonb_typeof(val->'ob') = 'array'); a present-but-non-array 'ob' now
RAISEs at the extractor boundary. '{}' (absent ob) and '{"ob": null}'
(JSON null) remain absent (false). Adds T5 characterization cases for
the scalar/object 'ob' presence checks and the extractor RAISE.

Addresses CodeRabbit review thread on PR #276.

Author: tobyhede

src/v3/sem/ore_block_256/functions.sql

@@ -22,9 +22,10 @@
 --!   This deliberately diverges from the v2 plpgsql equivalent (intentionally
 --!   left unchanged): the `CASE WHEN jsonb_typeof(val) = 'array'` guard only
 --!   evaluates the array path for an array, so a non-array JSON scalar returns
---!   NULL here instead of raising. The sole caller passes `val->'ob'`, always an
---!   array or JSON null, so the divergence is unreachable in practice; JSON null
---!   and empty array still return NULL exactly as before.
+--!   NULL here instead of raising. The sole caller (`ore_block_256`) only reaches
+--!   this when `has_ore_block_256(val)` is true, which now requires `val->'ob'`
+--!   to be a JSON array, so the non-array branch is unreachable in practice;
+--!   empty array still returns NULL exactly as before (pinned by T7).
 CREATE FUNCTION eql_v3.jsonb_array_to_ore_block_256(val jsonb)
 RETURNS eql_v3.ore_block_256
   IMMUTABLE
@@ -67,16 +68,24 @@ AS $$
 $$ LANGUAGE plpgsql;
 
 
---! @brief Check if JSONB payload contains ORE block index term
+--! @brief Check if JSONB payload contains an ORE block index term
 --! @param val jsonb containing encrypted EQL payload
---! @return boolean True if 'ob' field is present and non-null
+--! @return boolean True only if the 'ob' field is present and is a JSON array
+--! @note A well-formed ORE index term is always a JSON array of block terms, so
+--!   this guard treats a present-but-non-array `ob` (a scalar or object) as
+--!   absent. That makes the extractor `ore_block_256(val)` RAISE on a
+--!   structurally invalid `ob` payload at the boundary instead of silently
+--!   degrading it to a NULL index term in `jsonb_array_to_ore_block_256`. The
+--!   previous `val ->> 'ob' IS NOT NULL` form stringified scalars/objects and so
+--!   reported them as present. `{}` (absent `ob`) and `{"ob": null}` (JSON null)
+--!   both remain `false`.
 CREATE FUNCTION eql_v3.has_ore_block_256(val jsonb)
   RETURNS boolean
   IMMUTABLE STRICT PARALLEL SAFE
   SET search_path = pg_catalog, extensions, public
 AS $$
   BEGIN
-    RETURN val ->> 'ob' IS NOT NULL;
+    RETURN COALESCE(jsonb_typeof(val -> 'ob') = 'array', false);
   END;
 $$ LANGUAGE plpgsql;
 

tests/sqlx/tests/encrypted_domain/family/sem.rs

@@ -178,7 +178,8 @@ async fn ore_terms_array_null_and_empty_base_cases(pool: PgPool) -> Result<()> {
 }
 
 /// T5 — SEM presence checks (`has_ore_block_256`, `has_hmac_256`), the
-/// extractor's missing-`ob` RAISE, and its NULL-jsonb short-circuit.
+/// extractor's missing-`ob` and non-array-`ob` RAISEs, and its NULL-jsonb
+/// short-circuit.
 #[sqlx::test]
 async fn sem_presence_checks_and_missing_ob_behaviour(pool: PgPool) -> Result<()> {
     let bool_cases = [
@@ -187,11 +188,20 @@ async fn sem_presence_checks_and_missing_ob_behaviour(pool: PgPool) -> Result<()
             true,
         ),
         (r#"SELECT eql_v3.has_ore_block_256('{}'::jsonb)"#, false),
-        // json-null `ob` → `->>` yields NULL → absent.
+        // json-null `ob` is typed `'null'`, not `'array'` → absent.
         (
             r#"SELECT eql_v3.has_ore_block_256('{"ob":null}'::jsonb)"#,
             false,
         ),
+        // Present-but-non-array `ob` is rejected as absent: a well-formed ORE
+        // term is always a JSON array of block terms, so a scalar and an object
+        // both → false. This is the boundary that makes `ore_block_256` RAISE on
+        // a malformed `ob` instead of degrading it to a NULL index term.
+        (r#"SELECT eql_v3.has_ore_block_256('{"ob":5}'::jsonb)"#, false),
+        (
+            r#"SELECT eql_v3.has_ore_block_256('{"ob":{}}'::jsonb)"#,
+            false,
+        ),
         (r#"SELECT eql_v3.has_hmac_256('{"hm":"abc"}'::jsonb)"#, true),
         (r#"SELECT eql_v3.has_hmac_256('{}'::jsonb)"#, false),
     ];
@@ -209,6 +219,16 @@ async fn sem_presence_checks_and_missing_ob_behaviour(pool: PgPool) -> Result<()
     )
     .await?;
 
+    // Present-but-non-array `ob` → RAISE at the extractor boundary, NOT a silent
+    // NULL index term (`has_ore_block_256` reports it absent).
+    assert_raises(
+        &pool,
+        r#"SELECT eql_v3.ore_block_256('{"ob":5}'::jsonb)"#,
+        &[],
+        "Expected an ore index (ob) value",
+    )
+    .await?;
+
     // NULL jsonb → NULL composite (STRICT short-circuit), NOT a raise.
     let is_null: bool = sqlx::query_scalar("SELECT eql_v3.ore_block_256(NULL::jsonb) IS NULL")
         .fetch_one(&pool)