fix(verify): reject empty-path aggregate-sum/count queries at validation

Codex follow-up + CodeRabbit: the previous fix added a terminal-type
gate in `enforce_lower_chain`, but `verify_v0_layer` and
`verify_v1_layer` short-circuit to the leaf verifier when
`depth == path_keys.len()`. With an empty path (`path == []`) that's
true at depth 0, so the type gate is never invoked.

In practice the empty-path case is already protected by hash divergence:
the GroveDB root merk is always a `NormalTree` (built with
`Element::empty_tree()` by API), so its root_hash uses `node_hash`. An
attacker's forged proof of `HashWithSum` / `HashWithCount` ops would
reconstruct via `node_hash_with_sum` / `node_hash_with_count` — distinct
hash functions, no collision. So the caller's root-hash compare catches
the forgery cryptographically.

But the defense-in-depth principle says: don't rely on the cryptographic
divergence implicitly. Reject up-front, before any proof handling.
PathQuery::validate_aggregate_{sum,count}_on_range now check
`self.path.is_empty()` and return a clear InvalidQuery error naming why
(root is always NormalTree, no valid Provable* target at root).

The check fires at the entry of `verify_aggregate_{sum,count}_query`
(which call `validate_*` first thing) and at `prove_query` (the
generator also validates the path query before dispatch).

TESTS

  - `empty_path_aggregate_sum_rejected_at_validation`
  - `empty_path_aggregate_count_rejected_at_validation`

Both pin the rejection at both the PathQuery validator and the verify
entrypoint. 2964 workspace tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: QuantumExplorer

grovedb/src/query/mod.rs

@@ -222,16 +222,48 @@ impl PathQuery {
     /// `AggregateCountOnRange` query. On success, returns a reference to the
     /// inner range item.
     ///
+    /// Rejects empty paths up-front. The GroveDB root merk is always a
+    /// `NormalTree` by API construction (and never a `ProvableCountTree`),
+    /// so a root-level aggregate-count query has no valid target —
+    /// `verify_v0_layer` and `verify_v1_layer` would otherwise hit the
+    /// `depth == path_keys.len()` short-circuit at depth 0, going
+    /// straight to the merk-level count verifier without ever invoking
+    /// the terminal-type gate in `enforce_lower_chain`. Although the
+    /// merk-level hash-divergence between `node_hash` and
+    /// `node_hash_with_count` makes a numeric forgery infeasible, an
+    /// up-front rejection gives a clear error and removes the gate
+    /// dependency on cryptographic hash analysis.
+    ///
     /// Forwards to [`SizedQuery::validate_aggregate_count_on_range`].
     pub fn validate_aggregate_count_on_range(&self) -> Result<&QueryItem, Error> {
+        if self.path.is_empty() {
+            return Err(Error::InvalidQuery(
+                "AggregateCountOnRange queries may not target the root merk: \
+                 the GroveDB root is always a NormalTree, never a \
+                 ProvableCountTree / ProvableCountSumTree, so a count \
+                 aggregate at the root layer has no valid target",
+            ));
+        }
         self.query.validate_aggregate_count_on_range()
     }
 
     /// Validates that this `PathQuery` is a well-formed
     /// `AggregateSumOnRange` query. On success, returns a reference to the
-    /// inner range item. Forwards to
-    /// [`SizedQuery::validate_aggregate_sum_on_range`].
+    /// inner range item.
+    ///
+    /// Rejects empty paths up-front for the same reason as
+    /// [`Self::validate_aggregate_count_on_range`] — the GroveDB root
+    /// merk is always a `NormalTree`, never a `ProvableSumTree`. Forwards
+    /// to [`SizedQuery::validate_aggregate_sum_on_range`].
     pub fn validate_aggregate_sum_on_range(&self) -> Result<&QueryItem, Error> {
+        if self.path.is_empty() {
+            return Err(Error::InvalidQuery(
+                "AggregateSumOnRange queries may not target the root merk: \
+                 the GroveDB root is always a NormalTree, never a \
+                 ProvableSumTree, so a sum aggregate at the root layer has \
+                 no valid target",
+            ));
+        }
         self.query.validate_aggregate_sum_on_range()
     }
 

grovedb/src/tests/aggregate_count_query_tests.rs

@@ -1231,6 +1231,42 @@ mod tests {
         }
     }
 
+    /// Security regression: empty-path aggregate-count queries are
+    /// rejected at validation time, before any proof handling.
+    ///
+    /// `verify_aggregate_count_query` calls
+    /// `path_query.validate_aggregate_count_on_range()` at its entry. If
+    /// the path is empty, validation must fail — otherwise both
+    /// `verify_v0_layer` and `verify_v1_layer` would hit the
+    /// `depth == path_keys.len()` short-circuit at depth 0 and go
+    /// straight to the merk-level leaf verifier, never invoking the
+    /// terminal-type gate in `enforce_lower_chain`. The GroveDB root
+    /// merk is always a `NormalTree` by API construction, so a root
+    /// aggregate-count query has no valid target.
+    #[test]
+    fn empty_path_aggregate_count_rejected_at_validation() {
+        let v = GroveVersion::latest();
+        let pq = PathQuery::new_aggregate_count_on_range(
+            Vec::new(),
+            QueryItem::RangeFrom(b"a".to_vec()..),
+        );
+        let err = pq
+            .validate_aggregate_count_on_range()
+            .expect_err("empty path must be rejected at validation");
+        let msg = format!("{err}");
+        assert!(
+            msg.contains("root")
+                && (msg.contains("ProvableCountTree") || msg.contains("ProvableCountSumTree")),
+            "expected message naming root + ProvableCountTree, got: {msg}"
+        );
+
+        let result = GroveDb::verify_aggregate_count_query(&[0u8; 4], &pq, v);
+        assert!(
+            result.is_err(),
+            "verify_aggregate_count_query must reject empty-path queries"
+        );
+    }
+
     /// Security regression: empty-leaf type-confusion forgery
     /// (parallel of `empty_leaf_type_confusion_forgery_rejected` on the
     /// sum side).

grovedb/src/tests/aggregate_sum_query_tests.rs

@@ -1050,6 +1050,45 @@ mod tests {
         }
     }
 
+    /// Security regression: empty-path aggregate-sum queries are
+    /// rejected at validation time, before any proof handling.
+    ///
+    /// `verify_aggregate_sum_query` calls
+    /// `path_query.validate_aggregate_sum_on_range()` at its entry. If
+    /// the path is empty, validation must fail — otherwise both
+    /// `verify_v0_layer` and `verify_v1_layer` would hit the
+    /// `depth == path_keys.len()` short-circuit at depth 0 and go
+    /// straight to the merk-level leaf verifier, never invoking the
+    /// terminal-type gate in `enforce_lower_chain`. The GroveDB root
+    /// merk is always a `NormalTree` by API construction, so a root
+    /// aggregate-sum query has no valid target.
+    #[test]
+    fn empty_path_aggregate_sum_rejected_at_validation() {
+        let v = GroveVersion::latest();
+        let pq = PathQuery::new_aggregate_sum_on_range(
+            Vec::new(), // empty path → must be rejected
+            QueryItem::RangeFrom(b"a".to_vec()..),
+        );
+        let err = pq
+            .validate_aggregate_sum_on_range()
+            .expect_err("empty path must be rejected at validation");
+        let msg = format!("{err}");
+        assert!(
+            msg.contains("root") && msg.contains("ProvableSumTree"),
+            "expected message naming root + ProvableSumTree, got: {msg}"
+        );
+
+        // Also confirm the verifier surface rejects with the same error
+        // (the validator is called first inside verify_aggregate_sum_query).
+        // We don't need a real proof — any bytes go in; validation runs
+        // before proof decode.
+        let result = GroveDb::verify_aggregate_sum_query(&[0u8; 4], &pq, v);
+        assert!(
+            result.is_err(),
+            "verify_aggregate_sum_query must reject empty-path queries"
+        );
+    }
+
     /// Same forgery shape, but the honest leaf is an empty
     /// `ProvableCountTree` (the wrong PROVABLE tree type for a sum
     /// query). Confirms the terminal-type gate enforces the precise