feat(v3): add eql_v3.ore_cllw SEM index-term type and operators

[tobyhede]

What

Adds the self-contained eql_v3.ore_cllw CLLW-ORE searchable-encrypted-metadata (SEM) index-term type under src/v3/sem/ore_cllw/: the type, extractors/comparators, comparison operators, and a btree operator class. No eql_v2 dependency.

It is a peer of the existing eql_v3.hmac_256 / eql_v3.ore_block_u64_8_256 SEM types and provides entry-level ordering for the encrypted-JSONB document surface.

Why split out

This is a foundational SEM primitive with a hard -- REQUIRE: boundary — src/v3/jsonb/{operators,aggregates}.sql require src/v3/sem/ore_cllw/operators.sql. Landing it as its own PR underneath the eql_v3.json document surface (#267) keeps that PR focused on the document type rather than mixing in a new index-term primitive.

Stack

eql-v3-codegen-hardening
  └─ eql-v3-ore-cllw            ← this PR
       └─ eql-v3-jsonb-domain   ← #267 (retargeted onto this branch)

Scope

src/v3/sem/ore_cllw/{types,functions,operators,operator_class}.sql — 4 new files, ~389 lines, purely additive.

Summary by CodeRabbit

• New Features

  • Added order-revealing encryption (ORE) support for encrypted range queries, enabling efficient comparison operations on encrypted data without decryption.
  • Introduced comparison operators for encrypted values, supporting equality and ordering (=, <>, <, <=, >, >=).
  • Added indexing capabilities for encrypted data with proper ordering semantics.

• Tests

  • Expanded validation to ensure encryption support functions remain optimizable across database schemas.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6ec1477f-f1c3-4838-a76e-15a52cc0244e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch eql-v3-ore-cllw

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/sqlx/tests/encrypted_domain/family/inlinability.rs (1)

118-129: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Add the ore_cllw 2-arg comparators to the eql_v3 SEM inline-critical check.

The upstream contract in tasks/pin_search_path.sql:270-273 explicitly lists ore_cllw_eq, ore_cllw_neq, ore_cllw_lt, ore_cllw_lte, ore_cllw_gt, ore_cllw_gte as inline-critical (mirroring the ore_block_u64_8_256_* comparators already in this query). This test should validate them to match the contract symmetrically.

🔍 Proposed fix to add ore_cllw comparators

   AND (
     (p.pronargs = 2 AND p.proname IN (
       'ore_block_u64_8_256_eq','ore_block_u64_8_256_neq',
       'ore_block_u64_8_256_lt','ore_block_u64_8_256_lte',
       'ore_block_u64_8_256_gt','ore_block_u64_8_256_gte'))
+    OR (p.pronargs = 2 AND p.proname IN (
+      'ore_cllw_eq','ore_cllw_neq',
+      'ore_cllw_lt','ore_cllw_lte',
+      'ore_cllw_gt','ore_cllw_gte'))
     OR (p.pronargs = 1 AND p.proname IN (

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/sqlx/tests/encrypted_domain/family/inlinability.rs` around lines 118 -
129, The test's eql_v3 SEM inline-critical check is missing the 2-argument
ore_cllw comparators; update the IN list used with p.pronargs = 2 and p.proname
IN (...) to include ore_cllw_eq, ore_cllw_neq, ore_cllw_lt, ore_cllw_lte,
ore_cllw_gt, ore_cllw_gte so they are validated alongside ore_block_u64_8_256_*;
locate the clause that checks (p.pronargs = 2 AND p.proname IN (...)) and add
those ore_cllw_* names to that list to match the upstream contract.

🧹 Nitpick comments (1)

tests/sqlx/tests/encrypted_domain/family/inlinability.rs (1)

92-97: 💤 Low value

Update the documentation to mention the ore_cllw comparators.

The comment mentions "the ore_cllw/has_ore_cllw extractors" (1-arg functions) but doesn't call out the ore_cllw comparison operators that take the composite type (2-arg). For consistency with how the ore_block comparators are described, consider updating the doc to clarify that both extractors and comparators are covered.

📝 Suggested doc clarification

-/// take a composite (ore_block_u64_8_256) or raw jsonb (hmac_256, bloom_filter,
-/// the ore_cllw/has_ore_cllw extractors, the two per-encrypted-value
-/// `jsonb_array_to_*` helpers) arg, so they are NOT caught by the structural
+/// take a composite (ore_block_u64_8_256 and its comparators, ore_cllw and its
+/// comparators) or raw jsonb (hmac_256, bloom_filter, the ore_cllw/has_ore_cllw
+/// extractors, the two per-encrypted-value `jsonb_array_to_*` helpers) arg, so
+/// they are NOT caught by the structural

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/sqlx/tests/encrypted_domain/family/inlinability.rs` around lines 92 -
97, The documentation comment currently mentions "the ore_cllw/has_ore_cllw
extractors" but omits the two-argument ore_cllw comparison operators; update the
comment to explicitly call out both the 1-arg extractors (ore_cllw,
has_ore_cllw) and the 2-arg ore_cllw comparators (the comparison operators that
accept the ore_cllw composite type), mirroring how ore_block_u64_8_256
comparators are described, so readers know both extractors and comparators must
be inline_critical allowlisted.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/v3/sem/ore_cllw/types.sql`:
- Around line 3-23: The SQL type eql_v3.ore_cllw documentation is missing the
required Doxygen-style `@param` and `@return` tags; update the comment block above
CREATE TYPE eql_v3.ore_cllw to include an `@param` entry describing the bytes
field (e.g., "bytes — full byte string including domain tag and ciphertext") and
an `@return` entry describing what the type represents/returns (e.g., "Transient
ORE CLLW term used for range comparisons during query execution"), leaving the
rest of the explanatory text intact so the type and its bytes field are fully
documented.

---

Outside diff comments:
In `@tests/sqlx/tests/encrypted_domain/family/inlinability.rs`:
- Around line 118-129: The test's eql_v3 SEM inline-critical check is missing
the 2-argument ore_cllw comparators; update the IN list used with p.pronargs = 2
and p.proname IN (...) to include ore_cllw_eq, ore_cllw_neq, ore_cllw_lt,
ore_cllw_lte, ore_cllw_gt, ore_cllw_gte so they are validated alongside
ore_block_u64_8_256_*; locate the clause that checks (p.pronargs = 2 AND
p.proname IN (...)) and add those ore_cllw_* names to that list to match the
upstream contract.

---

Nitpick comments:
In `@tests/sqlx/tests/encrypted_domain/family/inlinability.rs`:
- Around line 92-97: The documentation comment currently mentions "the
ore_cllw/has_ore_cllw extractors" but omits the two-argument ore_cllw comparison
operators; update the comment to explicitly call out both the 1-arg extractors
(ore_cllw, has_ore_cllw) and the 2-arg ore_cllw comparators (the comparison
operators that accept the ore_cllw composite type), mirroring how
ore_block_u64_8_256 comparators are described, so readers know both extractors
and comparators must be inline_critical allowlisted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9b0284e9-668a-4d17-9d89-46d09febecd8

📥 Commits

Reviewing files that changed from the base of the PR and between 82747e7 and e255acb.

📒 Files selected for processing (8)

• src/v3/sem/ore_cllw/functions.sql
• src/v3/sem/ore_cllw/operator_class.sql
• src/v3/sem/ore_cllw/operators.sql
• src/v3/sem/ore_cllw/types.sql
• tasks/pin_search_path.sql
• tasks/test/splinter.sh
• tests/sqlx/tests/encrypted_domain/family/inlinability.rs
• tests/sqlx/tests/ore_cllw_opclass_tests.rs

[yujiyokoo]

Looks good. Added 2 questions

[yujiyokoo]

Just out of curiosity, does this work differently from IF a::text IS NULL OR b::text IS NULL THEN just above?

[tobyhede]

I had to dig into this one - code is ported from v2

Composite types have row IS NULL semantics - true when every field is explicitly NULL.
Cast forces empty composite to NULL.

Then bytes check is on the inner type.