feat(eql-types): add numeric + promote timestamptz to ordered domains

The eql-types crate landed on eql_v3 (PR #236) after this branch forked,
so merging the base in surfaced a catalog_parity failure: CATALOG now has
the numeric family and ordered timestamptz, but v3::all() didn't.

- numeric.rs: four ordered domains (storage/_eq/_ord/_ord_ore), mirroring
  date.rs; numeric is the first scalar with a >8-block ORE term (14)
- timestamptz.rs: add the two ordered domains; the eq-only/8-block-limit
  rationale is gone now that eql_v3.ore_block_256 derives N from term length
- mod.rs: register the six new domains in all(), in CATALOG order
- terms.rs: the ob term's SQL constructor is eql_v3.ore_block_256 (renamed
  this branch) and is width-agnostic (8/12/14 blocks)
- v3_conformance.rs: cover numeric + timestamptz ord wire shapes; drop the
  stale equality-only claim
- README: timestamptz no longer eq-only; add numeric

Author: tobyhede

crates/eql-types/README.md

@@ -21,7 +21,7 @@ hand-copying.
 
 The [`src/v3/`](src/v3/) module has one type per **SQL domain** in the
 `eql_v3` schema — `Int4` / `Int4Eq` / `Int4Ord` / `Int4OrdOre`, and likewise
-for `int2`, `int8`, `date`, `timestamptz` (eq-only), and `text` (which adds
+for `int2`, `int8`, `date`, `timestamptz`, `numeric`, and `text` (which adds
 `TextMatch`) — each carrying its index terms as **required** fields. The
 capability is the type identity; `Option` never appears. A payload missing
 its term key fails to deserialize: the Rust analogue of the SQL domain's

crates/eql-types/src/v3/mod.rs

@@ -50,6 +50,7 @@ pub mod date;
 pub mod int2;
 pub mod int4;
 pub mod int8;
+pub mod numeric;
 pub mod terms;
 pub mod text;
 pub mod timestamptz;
@@ -130,6 +131,12 @@ pub fn all() -> Vec<Box<dyn DomainType>> {
         Box::new(PhantomData::<date::DateOrd>),
         Box::new(PhantomData::<timestamptz::Timestamptz>),
         Box::new(PhantomData::<timestamptz::TimestamptzEq>),
+        Box::new(PhantomData::<timestamptz::TimestamptzOrdOre>),
+        Box::new(PhantomData::<timestamptz::TimestamptzOrd>),
+        Box::new(PhantomData::<numeric::Numeric>),
+        Box::new(PhantomData::<numeric::NumericEq>),
+        Box::new(PhantomData::<numeric::NumericOrdOre>),
+        Box::new(PhantomData::<numeric::NumericOrd>),
         Box::new(PhantomData::<text::Text>),
         Box::new(PhantomData::<text::TextEq>),
         Box::new(PhantomData::<text::TextMatch>),

crates/eql-types/src/v3/numeric.rs

@@ -0,0 +1,112 @@
+//! The `numeric` encrypted-domain family — an ordered, non-integer scalar
+//! backed by `rust_decimal::Decimal`. Same four-domain ordered shape as
+//! [`crate::v3::int4`] (ORE compares ciphertext, so decimals order like
+//! integers); see that module for the capability table.
+//!
+//! `numeric` is the first scalar whose native ORE term is wider than 8 blocks
+//! (14 blocks): the wire shape is unchanged — the `ob` array simply carries
+//! more block strings — and the generalized `eql_v3.ore_block_256` comparator
+//! orders any block count, so no new type is needed here.
+
+use crate::v3::terms::{Ciphertext, Hmac256, OreBlockU64_8_256};
+use crate::v3::DomainType;
+use crate::{Identifier, SchemaVersion};
+use serde::{Deserialize, Serialize};
+
+/// `eql_v3.numeric` — storage only; every operator is blocked.
+#[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct Numeric {
+    /// Envelope version — always `2` (`EQL_SCHEMA_VERSION`); any other
+    /// value fails deserialization.
+    pub v: SchemaVersion,
+    /// Table/column identifier. Required by the domain CHECK.
+    pub i: Identifier,
+    /// mp_base85 source ciphertext. Required by the domain CHECK.
+    pub c: Ciphertext,
+}
+
+impl DomainType for Numeric {
+    fn sql_domain_static() -> &'static str {
+        "eql_v3.numeric"
+    }
+
+    fn sql_domain(&self) -> &'static str {
+        Self::sql_domain_static()
+    }
+}
+
+/// `eql_v3.numeric_eq` — HMAC equality (`=`, `<>`).
+#[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct NumericEq {
+    /// Envelope version — always `2` (`EQL_SCHEMA_VERSION`); any other
+    /// value fails deserialization.
+    pub v: SchemaVersion,
+    /// Table/column identifier. Required by the domain CHECK.
+    pub i: Identifier,
+    /// mp_base85 source ciphertext. Required by the domain CHECK.
+    pub c: Ciphertext,
+    /// HMAC-SHA-256 equality term.
+    pub hm: Hmac256,
+}
+
+impl DomainType for NumericEq {
+    fn sql_domain_static() -> &'static str {
+        "eql_v3.numeric_eq"
+    }
+
+    fn sql_domain(&self) -> &'static str {
+        Self::sql_domain_static()
+    }
+}
+
+/// `eql_v3.numeric_ord_ore` — full comparison, scheme-explicit name.
+#[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct NumericOrdOre {
+    /// Envelope version — always `2` (`EQL_SCHEMA_VERSION`); any other
+    /// value fails deserialization.
+    pub v: SchemaVersion,
+    /// Table/column identifier. Required by the domain CHECK.
+    pub i: Identifier,
+    /// mp_base85 source ciphertext. Required by the domain CHECK.
+    pub c: Ciphertext,
+    /// Block-ORE order term (14 blocks for numeric). Serves equality too.
+    pub ob: OreBlockU64_8_256,
+}
+
+impl DomainType for NumericOrdOre {
+    fn sql_domain_static() -> &'static str {
+        "eql_v3.numeric_ord_ore"
+    }
+
+    fn sql_domain(&self) -> &'static str {
+        Self::sql_domain_static()
+    }
+}
+
+/// `eql_v3.numeric_ord` — full comparison (`=` `<>` `<` `<=` `>` `>=`).
+#[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct NumericOrd {
+    /// Envelope version — always `2` (`EQL_SCHEMA_VERSION`); any other
+    /// value fails deserialization.
+    pub v: SchemaVersion,
+    /// Table/column identifier. Required by the domain CHECK.
+    pub i: Identifier,
+    /// mp_base85 source ciphertext. Required by the domain CHECK.
+    pub c: Ciphertext,
+    /// Block-ORE order term (14 blocks for numeric). Serves equality too.
+    pub ob: OreBlockU64_8_256,
+}
+
+impl DomainType for NumericOrd {
+    fn sql_domain_static() -> &'static str {
+        "eql_v3.numeric_ord"
+    }
+
+    fn sql_domain(&self) -> &'static str {
+        Self::sql_domain_static()
+    }
+}

crates/eql-types/src/v3/terms.rs

@@ -23,10 +23,12 @@ pub struct Ciphertext(pub String);
 #[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
 pub struct Hmac256(pub String);
 
-/// Block-ORE (u64, 8 blocks, 256) order term — the `ob` wire key. Backs the
-/// `_ord` / `_ord_ore` domains (`=` `<>` `<` `<=` `>` `>=`); ORE is lossless
-/// over the scalar's domain, so it serves equality too. SQL-side constructor:
-/// `eql_v3.ore_block_u64_8_256`.
+/// Block-ORE order term — the `ob` wire key. Backs the `_ord` / `_ord_ore`
+/// domains (`=` `<>` `<` `<=` `>` `>=`); ORE is lossless over the scalar's
+/// domain, so it serves equality too. The block count is width-agnostic on the
+/// wire (8 for the int scalars, 12 for timestamptz, 14 for numeric) — the
+/// array just carries more block strings. SQL-side constructor:
+/// `eql_v3.ore_block_256`.
 #[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
 pub struct OreBlockU64_8_256(pub Vec<String>);
 

crates/eql-types/src/v3/timestamptz.rs

@@ -1,10 +1,15 @@
-//! The `timestamptz` encrypted-domain family — **equality-only** (storage +
-//! `_eq`). There is no ordered domain: cipherstash encrypts timestamps at
-//! native 12-block ORE width, but EQL's only ORE comparator is hardcoded to
-//! 8 blocks, so an ordered timestamptz domain would silently mis-order.
-//! Ordering arrives with a future wide-ORE term (see `eql-scalars`).
+//! The `timestamptz` encrypted-domain family — an ordered, non-integer scalar.
+//! Same four-domain ordered shape as [`crate::v3::int4`] (ORE compares
+//! ciphertext, so timestamps order like integers); see that module for the
+//! capability table.
+//!
+//! cipherstash encrypts timestamps at native 12-block ORE width. The family
+//! was equality-only while EQL's ORE comparator was hardcoded to 8 blocks;
+//! now that `eql_v3.ore_block_256` derives the block count from the term
+//! length, the 12-block `ob` term orders correctly and the ordered domains
+//! ship. The wire shape is unchanged — the `ob` array just carries 12 blocks.
 
-use crate::v3::terms::{Ciphertext, Hmac256};
+use crate::v3::terms::{Ciphertext, Hmac256, OreBlockU64_8_256};
 use crate::v3::DomainType;
 use crate::{Identifier, SchemaVersion};
 use serde::{Deserialize, Serialize};
@@ -56,3 +61,53 @@ impl DomainType for TimestamptzEq {
         Self::sql_domain_static()
     }
 }
+
+/// `eql_v3.timestamptz_ord_ore` — full comparison, scheme-explicit name.
+#[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct TimestamptzOrdOre {
+    /// Envelope version — always `2` (`EQL_SCHEMA_VERSION`); any other
+    /// value fails deserialization.
+    pub v: SchemaVersion,
+    /// Table/column identifier. Required by the domain CHECK.
+    pub i: Identifier,
+    /// mp_base85 source ciphertext. Required by the domain CHECK.
+    pub c: Ciphertext,
+    /// Block-ORE order term (12 blocks for timestamptz). Serves equality too.
+    pub ob: OreBlockU64_8_256,
+}
+
+impl DomainType for TimestamptzOrdOre {
+    fn sql_domain_static() -> &'static str {
+        "eql_v3.timestamptz_ord_ore"
+    }
+
+    fn sql_domain(&self) -> &'static str {
+        Self::sql_domain_static()
+    }
+}
+
+/// `eql_v3.timestamptz_ord` — full comparison (`=` `<>` `<` `<=` `>` `>=`).
+#[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct TimestamptzOrd {
+    /// Envelope version — always `2` (`EQL_SCHEMA_VERSION`); any other
+    /// value fails deserialization.
+    pub v: SchemaVersion,
+    /// Table/column identifier. Required by the domain CHECK.
+    pub i: Identifier,
+    /// mp_base85 source ciphertext. Required by the domain CHECK.
+    pub c: Ciphertext,
+    /// Block-ORE order term (12 blocks for timestamptz). Serves equality too.
+    pub ob: OreBlockU64_8_256,
+}
+
+impl DomainType for TimestamptzOrd {
+    fn sql_domain_static() -> &'static str {
+        "eql_v3.timestamptz_ord"
+    }
+
+    fn sql_domain(&self) -> &'static str {
+        Self::sql_domain_static()
+    }
+}

crates/eql-types/tests/v3_conformance.rs

@@ -168,7 +168,7 @@ fn non_int4_tokens_round_trip_every_domain() {
     // `catalog_parity.rs` checks domain *names* only, never the wire shape.
     // This sweep roundtrips every non-int4 domain and pins its catalog name,
     // failing the instant a token drifts from the shared envelope/term contract.
-    use eql_types::v3::{date::*, int2::*, int8::*, text::*};
+    use eql_types::v3::{date::*, int2::*, int8::*, numeric::*, text::*};
 
     // Wire builders for the three shapes the ordered tokens share.
     let storage = |t: &str| json!({ "v": 2, "i": { "t": t, "c": "x" }, "c": "ct" });
@@ -200,6 +200,13 @@ fn non_int4_tokens_round_trip_every_domain() {
     round_trip!(DateOrd, ord("a"), "eql_v3.date_ord");
     round_trip!(DateOrdOre, ord("a"), "eql_v3.date_ord_ore");
 
+    // numeric is the first scalar whose native ORE term exceeds 8 blocks (14);
+    // the wire shape is identical, so the same `ord` builder applies.
+    round_trip!(Numeric, storage("a"), "eql_v3.numeric");
+    round_trip!(NumericEq, eq("a"), "eql_v3.numeric_eq");
+    round_trip!(NumericOrd, ord("a"), "eql_v3.numeric_ord");
+    round_trip!(NumericOrdOre, ord("a"), "eql_v3.numeric_ord_ore");
+
     // text_match is covered by `text_match_round_trips_signed_bloom_filter`.
     round_trip!(Text, storage("a"), "eql_v3.text");
     round_trip!(TextEq, eq("a"), "eql_v3.text_eq");
@@ -208,12 +215,16 @@ fn non_int4_tokens_round_trip_every_domain() {
 }
 
 #[test]
-fn timestamptz_round_trips_and_enforces_equality_term() {
-    // The one structurally-distinct token: equality-only, no `_ord`/`_ord_ore`
-    // (the 8-block-ORE limitation). The int4 template was copy-pasted to
-    // produce it, so an accidental extra `ob` field or a dropped `hm` would
-    // pass `catalog_parity` (domain names only) but is caught here.
-    use eql_types::v3::timestamptz::{Timestamptz, TimestamptzEq};
+fn timestamptz_round_trips_and_enforces_term_capabilities() {
+    // timestamptz is an ordered token (12-block ORE) — it carries the full
+    // storage/`_eq`/`_ord`/`_ord_ore` shape, the same as the int scalars. The
+    // int4 template was copy-pasted to produce it, so a dropped `hm`/`ob` or a
+    // field typo would pass `catalog_parity` (domain names only) but is caught
+    // here. (Was equality-only while the ORE comparator was hardcoded to 8
+    // blocks; promoted once `eql_v3.ore_block_256` generalized to any width.)
+    use eql_types::v3::timestamptz::{
+        Timestamptz, TimestamptzEq, TimestamptzOrd, TimestamptzOrdOre,
+    };
 
     // Storage-only: envelope, no term.
     let storage = json!({
@@ -236,16 +247,40 @@ fn timestamptz_round_trips_and_enforces_equality_term() {
     assert_eq!(serde_json::to_value(&parsed).unwrap(), with_hm);
     assert_eq!(TimestamptzEq::sql_domain_static(), "eql_v3.timestamptz_eq");
 
-    // `_eq` is the only searchable shape this token has, so its equality term
-    // cannot silently become optional.
+    // Ordered: envelope + ob (a 12-block array on the wire; shape is the same).
+    let with_ob = json!({
+        "v": 2,
+        "i": { "t": "events", "c": "occurred_at" },
+        "c": "mp_base85_ciphertext",
+        "ob": ["b0", "b1"]
+    });
+    let parsed: TimestamptzOrd = serde_json::from_value(with_ob.clone()).unwrap();
+    assert_eq!(serde_json::to_value(&parsed).unwrap(), with_ob);
+    assert_eq!(
+        TimestamptzOrd::sql_domain_static(),
+        "eql_v3.timestamptz_ord"
+    );
+    let parsed: TimestamptzOrdOre = serde_json::from_value(with_ob.clone()).unwrap();
+    assert_eq!(serde_json::to_value(&parsed).unwrap(), with_ob);
+    assert_eq!(
+        TimestamptzOrdOre::sql_domain_static(),
+        "eql_v3.timestamptz_ord_ore"
+    );
+
+    // The searchable domains cannot let their term silently become optional.
     let no_hm = json!({
         "v": 2,
         "i": { "t": "events", "c": "occurred_at" },
         "c": "mp_base85_ciphertext"
     });
-    let result: Result<TimestamptzEq, _> = serde_json::from_value(no_hm);
+    let result: Result<TimestamptzEq, _> = serde_json::from_value(no_hm.clone());
     assert!(
         result.is_err(),
         "TimestamptzEq must reject a payload with no hm"
     );
+    let result: Result<TimestamptzOrd, _> = serde_json::from_value(no_hm);
+    assert!(
+        result.is_err(),
+        "TimestamptzOrd must reject a payload with no ob"
+    );
 }