fix: has() on non-container types returns error instead of false

has() applied to a non-container, non-optional value (e.g., an integer
or string) previously returned false silently when
errorOnBadPresenceTest was not enabled. This caused !has(x.field) to
evaluate to true when x was an unexpected type, creating a fail-open
condition in policy expressions that use presence guards on dynamic
inputs.

This change narrows the default case in refQualify so that:

- has() on a non-container, non-optional type (presenceOnly=true):
  returns missingKey error, preventing silent false returns
- has() on an optional value (e.g. optional.none()): continues to
  return false, preserving correct optional semantics
- Optional field selection (x.?field, presenceOnly=false): continues
  to return not-present for optional.none() compatibility
- EnableErrorOnBadPresenceTest(true): errors for all cases (unchanged)

No test expectations changed. Full suite green.

Signed-off-by: Koda Reef <koda.reef5@gmail.com>

Author: kodareef5

interpreter/attributes.go

@@ -1419,7 +1419,14 @@ func refQualify(adapter types.Adapter, obj any, idx ref.Val, presenceTest, prese
 		return val, true, nil
 	default:
 		if presenceTest && !errorOnBadPresenceTest {
-			return nil, false, nil
+			if _, isOpt := celVal.(*types.Optional); isOpt || !presenceOnly {
+				// Optional values and optional field selection correctly
+				// report not-present for non-container types.
+				return nil, false, nil
+			}
+			// has() macro on a non-container, non-optional type (e.g.
+			// has(int_value.field)) errors to prevent silent fail-open
+			// in policy expressions using presence guards on dynamic inputs.
 		}
 		return nil, false, missingKey(idx)
 	}