test(v3): rename property-test tiers to catalog/fixture/e2e (CIP-3141)

Replace the abstract 'Tier A/B/C' labels with concrete names matching what
each suite does and where it lives:

- Tier C -> catalog (unit, pure Rust, no DB)
- Tier A -> fixture (integration, committed ciphertext)
- Tier B -> e2e    (integration, fresh ZeroKMS->Postgres each run)

Full-depth rename: live_oracle.rs -> e2e_oracle.rs, cargo feature
proptest-live -> proptest-e2e (Cargo.toml, mise.toml, #[cfg]),
run_live_property -> run_e2e_property, *_oracle_live -> *_oracle_e2e,
DB tables proptest_live_* -> proptest_e2e_*, plus all prose in comments,
README, CHANGELOG and the implementation plan.

Unrelated 'Tier 1/2' usages (benchmarks, pg_stat_statements, jsonb builders)
left untouched. Test-only; no behaviour change.

Author: tobyhede

CHANGELOG.md

@@ -33,7 +33,7 @@ Each entry that ships in a published release links to the PR that introduced it.
 - **`eql_v3.text` encrypted-domain family (`text`, `text_eq`, `text_match`, `text_ord`, `text_ord_ore`, `text_search`).** Adds equality (`=` / `<>` via HMAC), match (`@>` / `<@` via a new self-contained `eql_v3.bloom_filter` SEM index term), and ORE ordering (`<` `<=` `>` `>=`, `min` / `max`) for encrypted text, at parity with EQL v2 text — generated from the `text` row in `eql-scalars::CATALOG` by the same materializer as the `eql_v3.int4` reference. `text` is the first scalar to add a new index `Term` (`Bloom`) and the first non-integer, unbounded ordered kind (lexicographic pivots, hand-written `impl ScalarType`). The combined **`text_search`** domain carries all three capabilities in one type — `=` / `<>` via HMAC, `<` `<=` `>` `>=` / `min` / `max` via ORE, and `@>` / `<@` via bloom filter. Index via a functional index on the `eql_v3.eq_term` / `eql_v3.ord_term` / `eql_v3.match_term` extractors, not an operator class on the domain. Why: brings searchable encrypted text to the namespaced, `eql_v2`-free `eql_v3` surface. Match is exposed as bloom-filter containment on the `text_match` / `text_search` domains — deliberately *not* SQL `LIKE` (no wildcard/anchoring; probabilistic ngram containment) — and never backs equality. **Equality on the ordered text domains (`text_ord`, `text_ord_ore`) and on `text_search` always routes `=` / `<>` through `hm` (exact HMAC), never the ORE term — ORE is not exact-equality for text** (integer ordered domains keep exact ORE equality, which is lossless for them). ([#260](https://github.com/cipherstash/encrypt-query-language/pull/260))
 - **Self-contained `eql_v3` schema + standalone `release/cipherstash-encrypt-v3.sql` installer.** The `eql_v3` encrypted-domain surface no longer depends on `eql_v2` at runtime: it now owns its own copies of the searchable-encrypted-metadata (SEM) index-term types — `eql_v3.hmac_256` and `eql_v3.ore_block_256` (with its btree operator class) — so the `eql_v3.eq_term` / `eql_v3.ord_term` extractors return `eql_v3` types and no `eql_v2.<symbol>` appears anywhere in the v3 SQL. The whole v3 surface relocated under a single `src/v3/` tree (`src/v3/sem/` for the hand-written SEM types, `src/v3/scalars/` for the generated domain families). A new build variant ships the `eql_v3` schema on its own as `release/cipherstash-encrypt-v3.sql`, installable into a database with no `eql_v2` present; a CI gate greps that artifact and its dependency closure to keep it `eql_v2`-free. Why: a clean foundation for the per-scalar encrypted-domain model to stand alone, ahead of it replacing the `eql_v2_encrypted` composite column type. This is additive — a new schema and a new artifact — and leaves `eql_v2` byte-for-byte unchanged. ([#255](https://github.com/cipherstash/encrypt-query-language/pull/255))
 - **`eql_v3.text` encrypted-domain family (`text`, `text_eq`, `text_match`, `text_ord`, `text_ord_ore`).** Adds equality (`=` / `<>` via HMAC), match (`@>` / `<@` via a new self-contained `eql_v3.bloom_filter` SEM index term), and ORE ordering (`<` `<=` `>` `>=`, `min` / `max`) for encrypted text, at parity with EQL v2 text — generated from the `text` row in `eql-scalars::CATALOG` by the same materializer as the `eql_v3.int4` reference. `text` is the first scalar to add a new index `Term` (`Bloom`) and the first non-integer, unbounded ordered kind (lexicographic pivots, hand-written `impl ScalarType`). Index via a functional index on the `eql_v3.eq_term` / `eql_v3.ord_term` / `eql_v3.match_term` extractors, not an operator class on the domain. Why: brings searchable encrypted text to the namespaced, `eql_v2`-free `eql_v3` surface. Match is exposed as bloom-filter containment on the `text_match` domain — deliberately *not* SQL `LIKE` (no wildcard/anchoring; probabilistic ngram containment) — and never backs equality (which always routes through `Hm`). ([#260](https://github.com/cipherstash/encrypt-query-language/pull/260))
-- **Property-based tests for the `eql_v3` encrypted scalar domains.** A three-tier harness asserts SQL operator results agree with a plaintext oracle across a generated input space: a pure-Rust catalog-invariant tier (no database), a fixture-corpus tier that samples the live-encrypted fixtures and checks all ordered pairs in each sampled corpus, and a live-encryption tier (gated behind the `proptest-live` cargo feature) that batch-encrypts freshly generated plaintexts each run. Covers the equality (`=`/`<>`) and ordering (`<`/`<=`/`>`/`>=`, `ord_term` sort order) oracles plus NULL/blocker/CHECK edge cases. Why: the prior matrix exercised fixed pivots only; property tests catch operator/oracle disagreements across the whole value space. ([#275](https://github.com/cipherstash/encrypt-query-language/pull/275))
+- **Property-based tests for the `eql_v3` encrypted scalar domains.** A harness of three suites asserts SQL operator results agree with a plaintext oracle across a generated input space: a pure-Rust **catalog** suite (no database) over the term/scalar catalog, a **fixture** suite that samples the committed fixture corpus (real ciphertext) and checks all ordered pairs in each sampled corpus, and an **e2e** suite (gated behind the `proptest-e2e` cargo feature) that batch-encrypts freshly generated plaintexts end-to-end through ZeroKMS each run. Covers the equality (`=`/`<>`) and ordering (`<`/`<=`/`>`/`>=`, `ord_term` sort order) oracles plus NULL/blocker/CHECK edge cases. Why: the prior matrix exercised fixed pivots only; property tests catch operator/oracle disagreements across the whole value space. ([#275](https://github.com/cipherstash/encrypt-query-language/pull/275))
 - **Self-contained `eql_v3` schema + standalone `release/cipherstash-encrypt-v3.sql` installer.** The `eql_v3` encrypted-domain surface no longer depends on `eql_v2` at runtime: it now owns its own copies of the searchable-encrypted-metadata (SEM) index-term types — `eql_v3.hmac_256` and `eql_v3.ore_block_u64_8_256` (with its btree operator class) — so the `eql_v3.eq_term` / `eql_v3.ord_term` extractors return `eql_v3` types and no `eql_v2.<symbol>` appears anywhere in the v3 SQL. The whole v3 surface relocated under a single `src/v3/` tree (`src/v3/sem/` for the hand-written SEM types, `src/v3/scalars/` for the generated domain families). A new build variant ships the `eql_v3` schema on its own as `release/cipherstash-encrypt-v3.sql`, installable into a database with no `eql_v2` present; a CI gate greps that artifact and its dependency closure to keep it `eql_v2`-free. Why: a clean foundation for the per-scalar encrypted-domain model to stand alone, ahead of it replacing the `eql_v2_encrypted` composite column type. This is additive — a new schema and a new artifact — and leaves `eql_v2` byte-for-byte unchanged. ([#255](https://github.com/cipherstash/encrypt-query-language/pull/255))
 - **`eql_v3.min` / `eql_v3.max` aggregates over `eql_v3.ste_vec_entry`.** SteVec document entries extracted at a selector (`doc -> 'sel'`) can now be aggregated like ordered scalars: `eql_v3.min(doc -> 'sel')` / `eql_v3.max(...)` return the entry with the smallest / largest ordered leaf. Ordering routes through the entry's `oc` (CLLW ORE) term via `eql_v3.ore_cllw` — the same comparator the entry `<` / `<=` / `>` / `>=` operators use, not the scalar Block-ORE `ord_term`. Only `oc`-carrying entries are orderable: an entry without an `oc` term (`eql_v3.ore_cllw` returns NULL) is non-orderable and is ignored by the aggregate — the same way the `eql_v3.ore_cllw` btree NULL-filters such rows — so a mix of `oc`-carrying and `oc`-less entries yields the extremum of the orderable subset rather than a corrupted result. Declared `PARALLEL = SAFE` with a combine function (the state function itself), so partial / parallel aggregation is available on large `GROUP BY` workloads. Why: brings encrypted-JSONB entry ordering to parity with the scalar encrypted-domain families' `MIN` / `MAX`, and lets the shared scalar behaviour matrix cover entry aggregation. Additive — the document and entry comparison surface is otherwise unchanged. ([#267](https://github.com/cipherstash/encrypt-query-language/pull/267))
 

crates/eql-scalars/Cargo.toml

@@ -15,7 +15,7 @@ workspace = true
 # Dev-only. proptest is NOT a runtime dependency: it never compiles on the SQL
 # build path (eql-codegen depends on eql-scalars' lib, not its tests), so the
 # "INTENTIONALLY no dependencies" rule above — which is about build-path deps —
-# is preserved. Used by src/proptest_invariants.rs (Tier C catalog property
-# tests, no DB, runs in the lean `mise run test:crates` / fork CI path).
+# is preserved. Used by src/proptest_invariants.rs (the catalog suite of
+# property tests, no DB, runs in the lean `mise run test:crates` / fork CI path).
 [dev-dependencies]
 proptest = "1"

crates/eql-scalars/src/proptest_invariants.rs

@@ -1,9 +1,9 @@
-//! Property-based invariants over the scalar/term catalog (CIP-3141, Tier C).
+//! Catalog suite (CIP-3141): property-based invariants over the scalar/term catalog.
 //!
 //! Pure Rust — no database, no encryption, no creds. These run in the lean
 //! `cargo test -p eql-scalars` path (fork CI). They assert the *catalog* is
-//! internally consistent for any generated input; the DB-backed oracle tiers
-//! (A/B) live in `tests/sqlx`.
+//! internally consistent for any generated input; the DB-backed oracle suites
+//! (fixture/e2e) live in `tests/sqlx`.
 
 use crate::{ScalarKind, Term, CATALOG};
 use proptest::prelude::*;

mise.toml

@@ -86,7 +86,7 @@ depends = ["test:sqlx:prep"]
 dir = "{{config_root}}/tests/sqlx"
 run = """
 echo "Running Rust tests..."
-cargo test --features proptest-live
+cargo test --features proptest-e2e
 """
 
 [tasks."test:sqlx:watch"]

tests/sqlx/Cargo.toml

@@ -45,14 +45,14 @@ bench = []
 # *usable*. Off by default to keep `mise run test` fast; CI runs with
 # `--features scale`.
 scale = []
-# Opt-in to the live-encryption property tests (Tier B, CIP-3141). They
-# generate fresh random plaintexts each run and encrypt them via
-# cipherstash-client, so they need the same CS_* creds as fixture generation.
+# Opt-in to the e2e property suite (CIP-3141). It generates fresh random
+# plaintexts each run and encrypts them end-to-end through ZeroKMS via
+# cipherstash-client, so it needs the same CS_* creds as fixture generation.
 # `mise run test:sqlx` enables this (CI has the secrets). A bare `cargo test`
-# without it compiles the live tier out, so credential-less quick runs and the
-# lean crate path are unaffected. Tier A (fixture-corpus) and Tier C (catalog)
-# are NOT gated — they need no fresh encryption.
-proptest-live = []
+# without it compiles the e2e suite out, so credential-less quick runs and the
+# lean crate path are unaffected. The fixture suite and the catalog suite are
+# NOT gated — they need no fresh encryption.
+proptest-e2e = []
 # Opt-in to compiling the fixture generators. Without this feature the
 # `#[cfg(feature = "fixture-gen")]` generator tests do not exist, so
 # `cargo test` and CI never see them. Generators need a live Postgres and,

tests/sqlx/README.md

@@ -276,8 +276,9 @@ Tests connect to PostgreSQL database configured by SQLx:
 
 - ✅ ~~Convert remaining SQL tests~~ **COMPLETE!**
 - Property-based tests: implemented in `tests/encrypted_domain/property/` and
-  `crates/eql-scalars/src/proptest_invariants.rs` (CIP-3141). Three tiers:
-  catalog invariants (no DB), fixture-corpus oracle, and live-encryption oracle
-  (`--features proptest-live`).
+  `crates/eql-scalars/src/proptest_invariants.rs` (CIP-3141). One unit-level
+  **catalog** suite (no DB) plus two integration suites — **fixture** (oracle
+  over the committed fixture corpus) and **e2e** (oracle over fresh end-to-end
+  encryption, `--features proptest-e2e`).
 - Performance benchmarks: Measure query performance with encrypted data
 - Integration tests: Test with CipherStash Proxy

tests/sqlx/src/property.rs

@@ -2,9 +2,10 @@
 //!
 //! `assert_eq_oracle` / `assert_ord_oracle` take a corpus of
 //! `(plaintext, payload_json)` rows and check SQL operator results against the
-//! plaintext oracle over every ordered pair. Tier A feeds them rows read from
-//! the live-encrypted fixture; Tier B feeds them rows it batch-encrypts from
-//! freshly generated plaintexts. The engine is identical for both.
+//! plaintext oracle over every ordered pair. The fixture suite feeds them rows
+//! read from the committed fixture corpus (real ciphertext); the e2e suite feeds
+//! them rows it batch-encrypts from freshly generated plaintexts. The engine is
+//! identical for both.
 //!
 //! Operator evaluation is read-only (`SELECT <a> op <b>`), so these helpers take
 //! a `&PgPool` and need no per-test schema isolation.
@@ -21,11 +22,11 @@ use tokio::sync::Mutex;
 /// `fixtures.eql_v2_<T>` table exactly once.
 static FIXTURE_LOADED: OnceLock<Mutex<HashSet<&'static str>>> = OnceLock::new();
 
-/// Materialise the live-encrypted fixture corpus for `T` into the connected DB.
+/// Materialise the committed fixture corpus (real ciphertext) for `T` into the connected DB.
 ///
 /// The fixture `.sql` files (`tests/sqlx/fixtures/eql_v2_<T>.sql`) are normally
 /// loaded only into `#[sqlx::test]`'s ephemeral per-test databases. The property
-/// tiers connect to the shared test DB directly (they cannot use
+/// suites connect to the shared test DB directly (they cannot use
 /// `#[sqlx::test]`'s injected pool from a sync `proptest!` body), so the corpus
 /// is not present there. This loads it on demand: the script is self-contained
 /// and idempotent (`CREATE SCHEMA IF NOT EXISTS` / `DROP TABLE IF EXISTS` /
@@ -174,7 +175,7 @@ fn redact_url(url: &str) -> String {
 
 /// Connect to the shared SQLx test database. Reads `DATABASE_URL`, falling back
 /// to the documented local default (`localhost:7432`, cipherstash/password).
-/// Used by the proptest tiers, which cannot use `#[sqlx::test]`'s injected pool
+/// Used by the proptest suites, which cannot use `#[sqlx::test]`'s injected pool
 /// from a (sync) `proptest!` body.
 pub async fn connect_pool() -> Result<PgPool> {
     let url = std::env::var("DATABASE_URL").unwrap_or_else(|_| {

tests/sqlx/tests/encrypted_domain.rs

@@ -34,8 +34,8 @@ mod signed;
 #[path = "encrypted_domain/jsonb_entry.rs"]
 mod jsonb_entry;
 
-// Property-based + edge-case tests (CIP-3141). Three tiers under `property::`,
-// kept outside `scalars::` so the matrix-inventory gate does not mis-read them
-// as scalar types. See `encrypted_domain/property/mod.rs`.
+// Property-based + edge-case tests (CIP-3141). Three suites under `property::`
+// (catalog, fixture, e2e), kept outside `scalars::` so the matrix-inventory gate
+// does not mis-read them as scalar types. See `encrypted_domain/property/mod.rs`.
 #[path = "encrypted_domain/property/mod.rs"]
 mod property;

…encrypted_domain/property/live_oracle.rs …/encrypted_domain/property/e2e_oracle.rstests/sqlx/tests/encrypted_domain/property/live_oracle.rs renamed to tests/sqlx/tests/encrypted_domain/property/e2e_oracle.rs tests/sqlx/tests/encrypted_domain/property/live_oracle.rs renamed to tests/sqlx/tests/encrypted_domain/property/e2e_oracle.rs

@@ -1,6 +1,7 @@
-//! Tier B (CIP-3141): property tests over freshly generated, live-encrypted
-//! values. Gated behind `proptest-live` (declared in property/mod.rs) — needs
-//! CS_* creds, which `mise run test:sqlx` enables for CI/local full SQLx runs.
+//! e2e suite (CIP-3141): property tests over freshly generated values encrypted
+//! end-to-end through ZeroKMS each run. Gated behind `proptest-e2e` (declared in
+//! property/mod.rs) — needs CS_* creds, which `mise run test:sqlx` enables for
+//! CI/local full SQLx runs.
 //! Each proptest case generates one corpus of random integers — seeded with
 //! type-specific extremes, zero, and deliberate duplicates so the equality-true
 //! branch fires across distinct ciphertexts of the same plaintext — encrypts it
@@ -47,7 +48,7 @@ where
 
 /// Drive proptest: each case is a corpus of integers. Generation is in-process;
 /// encryption + oracle is async on a current-thread runtime.
-fn run_live_property<T>(
+fn run_e2e_property<T>(
     table: &str,
     cast: Cast,
     cases: u32,
@@ -64,9 +65,9 @@ where
         .build()?;
     let pool: PgPool = rt.block_on(connect_pool())?;
 
-    // Shrinking is disabled for the live tier: every failed shrink attempt would
+    // Shrinking is disabled for the e2e suite: every failed shrink attempt would
     // trigger another ZeroKMS batch, and ciphertext cannot be meaningfully
-    // shrunk anyway. Tier C keeps normal shrinking.
+    // shrunk anyway. The catalog suite keeps normal shrinking.
     let mut runner = TestRunner::new(Config {
         cases,
         max_shrink_iters: 0,
@@ -102,14 +103,14 @@ where
             .map_err(|e| TestCaseError::fail(format!("oracle: {e}")))?;
             Ok(())
         })
-        .map_err(|e| anyhow::anyhow!("live property failed: {e}"))
+        .map_err(|e| anyhow::anyhow!("e2e property failed: {e}"))
 }
 
 #[test]
-fn prop_int4_eq_and_ord_oracle_live() -> Result<()> {
+fn prop_int4_eq_and_ord_oracle_e2e() -> Result<()> {
     // Low case count: each case is a ZeroKMS round trip. 8 keeps CI bounded.
-    run_live_property::<i32>(
-        "proptest_live_int4",
+    run_e2e_property::<i32>(
+        "proptest_e2e_int4",
         Cast::INT,
         8,
         true,
@@ -118,9 +119,9 @@ fn prop_int4_eq_and_ord_oracle_live() -> Result<()> {
 }
 
 #[test]
-fn prop_int2_eq_and_ord_oracle_live() -> Result<()> {
-    run_live_property::<i16>(
-        "proptest_live_int2",
+fn prop_int2_eq_and_ord_oracle_e2e() -> Result<()> {
+    run_e2e_property::<i16>(
+        "proptest_e2e_int2",
         Cast::SMALL_INT,
         8,
         true,
@@ -129,9 +130,9 @@ fn prop_int2_eq_and_ord_oracle_live() -> Result<()> {
 }
 
 #[test]
-fn prop_int8_eq_and_ord_oracle_live() -> Result<()> {
-    run_live_property::<i64>(
-        "proptest_live_int8",
+fn prop_int8_eq_and_ord_oracle_e2e() -> Result<()> {
+    run_e2e_property::<i64>(
+        "proptest_e2e_int8",
         Cast::BIG_INT,
         8,
         true,

tests/sqlx/tests/encrypted_domain/property/fixture_oracle.rs

@@ -1,4 +1,4 @@
-//! Tier A (CIP-3141): property tests over the real, committed fixture corpus.
+//! fixture suite (CIP-3141): property tests over the real, committed fixture corpus.
 //!
 //! The fixture table `fixtures.eql_v2_<T>` carries `(plaintext, payload)` rows
 //! encrypted by cipherstash-client during `test:sqlx:prep`. proptest selects a