fix(verify): require provable tree type at aggregate query terminal layer

Security finding (Codex): the `verify_aggregate_sum_query` and
`verify_aggregate_count_query` chain walkers only checked
`element.is_any_tree()` for path elements. At the terminal (leaf) layer
this is insufficient — if the honest tree at the queried path happens
to be an EMPTY Merk-backed tree of any type (NormalTree, SumTree,
BigSumTree, CountTree, CountSumTree, ProvableCountTree,
ProvableCountSumTree, ProvableSumTree), its stored
`value_hash = combine_hash(H(element_bytes), NULL_HASH)`. The merk
verifier accepts empty proof bytes as `(NULL_HASH, 0)`, so an attacker
can construct a forged proof with:

  - layer 0: honest single-key proof of the leaf path key in its parent
  - layer 1: empty bytes (forged)

and the chain check passes uniformly. The verifier returns `sum = 0`
(or `count = 0`) against the trusted root hash, even though the leaf
isn't a Provable{Sum,Count}Tree.

The numeric answer is correct (an empty tree has sum 0 / count 0), so
this isn't a value forgery — but it IS a type-confusion soundness gap:
a caller that infers "leaf is a ProvableSumTree" from "the aggregate
verifier accepted" is deceived. The prover-side gate in
`Merk::prove_aggregate_{sum,count}_on_range` already rejects
non-provable inputs, but the verifier didn't mirror that invariant.

THE FIX

In `enforce_lower_chain`, add an `is_terminal: bool` parameter. At
intermediate depths nothing changes (`is_any_tree()` still suffices —
the GroveDB grove can route through any tree type on the way down). At
the terminal depth — passed `is_terminal = true` when
`depth + 1 == path_keys.len()` — the verifier now requires:

  - aggregate-sum:   `matches!(element, Element::ProvableSumTree(..))`
  - aggregate-count: `matches!(element, Element::ProvableCountTree(..) |
                                        Element::ProvableCountSumTree(..))`

Wrapper variants (NonCounted, NotSummed) are stripped via the existing
`into_underlying()` so they continue to work transparently.

TESTS

Three new regression tests that surgically construct the forgery from a
real honest single-key envelope and confirm the verifier now rejects:

  - `empty_leaf_type_confusion_forgery_rejected` (sum side, empty
    NormalTree at leaf)
  - `empty_provable_count_tree_at_leaf_rejected_for_sum` (sum side,
    empty ProvableCountTree at leaf — confirms type-specificity)
  - `empty_leaf_type_confusion_forgery_rejected` (count side, empty
    NormalTree at leaf)

The path == 0 case is unaffected: the merk-level hash divergence
between `node_hash` and `node_hash_with_sum` / `node_hash_with_count`
makes it computationally infeasible to forge a proof that matches the
trusted root, so the path-elements check is unnecessary at the root.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: QuantumExplorer

grovedb/src/operations/proof/aggregate_count.rs

@@ -147,13 +147,19 @@ fn verify_v0_layer(
     )?;
 
     // Chain check: combine_hash(H(tree_value), lower_hash) must equal the
-    // value_hash recorded by the parent merk for this tree element.
+    // value_hash recorded by the parent merk for this tree element. When
+    // the next descent IS the leaf, also require that the element is
+    // specifically a ProvableCountTree / ProvableCountSumTree (parallel to
+    // the sum-side guard) — closes the empty-Merk-tree type-confusion
+    // bypass.
+    let is_terminal = depth + 1 == path_keys.len();
     enforce_lower_chain(
         path_query,
         &next_key,
         &proven_value_bytes,
         &lower_hash,
         &parent_proof_hash,
+        is_terminal,
         grove_version,
     )?;
 
@@ -211,12 +217,14 @@ fn verify_v1_layer(
         grove_version,
     )?;
 
+    let is_terminal = depth + 1 == path_keys.len();
     enforce_lower_chain(
         path_query,
         &next_key,
         &proven_value_bytes,
         &lower_hash,
         &parent_proof_hash,
+        is_terminal,
         grove_version,
     )?;
 
@@ -304,25 +312,27 @@ fn verify_single_key_layer_proof_v0(
     Ok((value_bytes, root_hash, proved.proof))
 }
 
-/// Enforce the layer-chain hash equality: the parent merk's recorded
-/// value_hash for the tree element must equal `combine_hash(H(value),
-/// lower_layer_root_hash)`. This is what makes the count cryptographically
-/// bound to the GroveDB root hash — the leaf count proof's reconstructed
-/// `lower_hash` must agree with the parent's commitment, transitively up to
-/// the root.
+/// Enforce the layer-chain hash equality plus, at the terminal layer, the
+/// leaf-tree-type invariant.
 ///
-/// Intermediate path elements may be any tree type — the GroveDB grove can
-/// route through Normal/Sum/Count/etc. trees on the way down to the
-/// provable-count leaf. The leaf-level tree-type check is enforced by the
-/// merk prover (`Merk::prove_aggregate_count_on_range`); here we only
-/// require that each non-leaf element on the path *is* some non-empty tree,
-/// since only trees have a lower layer to chain into.
+/// At intermediate depths the only requirement is that the element be
+/// *some* tree (we have to descend further). At the terminal depth — the
+/// last path element, whose inner Merk is the actual count target — the
+/// element MUST deserialize to `ProvableCountTree` or `ProvableCountSumTree`
+/// (after wrapper unwrapping). Without this, an empty Merk-backed tree of
+/// any other type at the leaf accepts a forged empty leaf proof, because
+/// every empty Merk-backed tree has `inner_root = NULL_HASH` and so its
+/// stored `value_hash = combine_hash(H(bytes), NULL_HASH)` matches the
+/// recomputation uniformly. The honest prover-side gate in
+/// `Merk::prove_aggregate_count_on_range` already rejects non-provable-count
+/// inputs; this is the matching verifier-side gate.
 fn enforce_lower_chain(
     path_query: &PathQuery,
     target_key: &[u8],
     proven_value_bytes: &[u8],
     lower_hash: &CryptoHash,
     parent_proof_hash: &CryptoHash,
+    is_terminal: bool,
     grove_version: &GroveVersion,
 ) -> Result<(), Error> {
     let element = Element::deserialize(proven_value_bytes, grove_version)
@@ -337,14 +347,30 @@ fn enforce_lower_chain(
             )
         })?
         .into_underlying();
-    if !element.is_any_tree() {
+    if is_terminal {
+        if !matches!(
+            element,
+            Element::ProvableCountTree(..) | Element::ProvableCountSumTree(..)
+        ) {
+            return Err(Error::InvalidProof(
+                path_query.clone(),
+                format!(
+                    "aggregate-count proof's terminal path element at key {} must be a \
+                     ProvableCountTree or ProvableCountSumTree (got {}); a count aggregate \
+                     is only meaningful against a tree that binds its count into the node hash",
+                    hex::encode(target_key),
+                    element.type_str()
+                ),
+            ));
+        }
+    } else if !element.is_any_tree() {
         return Err(Error::InvalidProof(
             path_query.clone(),
             format!(
-                "aggregate-count proof's path element at key {} is not a tree element \
-                 (got {:?}); count queries can only descend through tree elements",
+                "aggregate-count proof's intermediate path element at key {} is not a tree \
+                 element (got {}); count queries can only descend through tree elements",
                 hex::encode(target_key),
-                std::mem::discriminant(&element)
+                element.type_str()
             ),
         ));
     }

grovedb/src/operations/proof/aggregate_sum.rs

@@ -151,12 +151,23 @@ fn verify_v0_layer(
         grove_version,
     )?;
 
+    // When the next descent IS the leaf, require that the element we're
+    // about to bottom out into is specifically a ProvableSumTree. Without
+    // this gate, an empty Merk-backed tree of any other type (Tree,
+    // SumTree, CountTree, …) at the leaf path would accept a forged empty
+    // leaf proof — its stored value_hash already equals
+    // `combine_hash(H(bytes), NULL_HASH)`, so the chain check passes — and
+    // the verifier would silently return sum=0 for a non-ProvableSumTree
+    // leaf (type-confusion, not value forgery, but a soundness gap all
+    // the same).
+    let is_terminal = depth + 1 == path_keys.len();
     enforce_lower_chain(
         path_query,
         &next_key,
         &proven_value_bytes,
         &lower_hash,
         &parent_proof_hash,
+        is_terminal,
         grove_version,
     )?;
 
@@ -212,12 +223,14 @@ fn verify_v1_layer(
         grove_version,
     )?;
 
+    let is_terminal = depth + 1 == path_keys.len();
     enforce_lower_chain(
         path_query,
         &next_key,
         &proven_value_bytes,
         &lower_hash,
         &parent_proof_hash,
+        is_terminal,
         grove_version,
     )?;
 
@@ -300,15 +313,27 @@ fn verify_single_key_layer_proof_v0(
     Ok((value_bytes, root_hash, proved.proof))
 }
 
-/// Enforce the layer-chain hash equality. Identical contract to the count
-/// side: the parent merk's recorded value_hash for the tree element must
-/// equal `combine_hash(H(value), lower_layer_root_hash)`.
+/// Enforce the layer-chain hash equality plus, at the terminal layer,
+/// the leaf-tree-type invariant.
+///
+/// At intermediate depths the only requirement is that the element be
+/// *some* tree (we have to descend further). At the terminal depth — the
+/// last path element, whose inner Merk is the actual aggregate target —
+/// the element MUST deserialize to `Element::ProvableSumTree` (after
+/// wrapper unwrapping). Without this check, an empty Merk-backed tree of
+/// any other type at the leaf accepts a forged empty leaf proof, because
+/// every empty Merk-backed tree has `inner_root = NULL_HASH` and so its
+/// stored `value_hash = combine_hash(H(bytes), NULL_HASH)` — the chain
+/// check passes uniformly. The honest prover-side gate in
+/// `Merk::prove_aggregate_sum_on_range` already rejects non-ProvableSumTree
+/// inputs; this is the matching verifier-side gate.
 fn enforce_lower_chain(
     path_query: &PathQuery,
     target_key: &[u8],
     proven_value_bytes: &[u8],
     lower_hash: &CryptoHash,
     parent_proof_hash: &CryptoHash,
+    is_terminal: bool,
     grove_version: &GroveVersion,
 ) -> Result<(), Error> {
     let element = Element::deserialize(proven_value_bytes, grove_version)
@@ -323,14 +348,27 @@ fn enforce_lower_chain(
             )
         })?
         .into_underlying();
-    if !element.is_any_tree() {
+    if is_terminal {
+        if !matches!(element, Element::ProvableSumTree(..)) {
+            return Err(Error::InvalidProof(
+                path_query.clone(),
+                format!(
+                    "aggregate-sum proof's terminal path element at key {} must be a \
+                     ProvableSumTree (got {}); a sum aggregate is only meaningful against \
+                     a tree that binds its sum into the node hash",
+                    hex::encode(target_key),
+                    element.type_str()
+                ),
+            ));
+        }
+    } else if !element.is_any_tree() {
         return Err(Error::InvalidProof(
             path_query.clone(),
             format!(
-                "aggregate-sum proof's path element at key {} is not a tree element \
-                 (got {:?}); sum queries can only descend through tree elements",
+                "aggregate-sum proof's intermediate path element at key {} is not a tree \
+                 element (got {}); sum queries can only descend through tree elements",
                 hex::encode(target_key),
-                std::mem::discriminant(&element)
+                element.type_str()
             ),
         ));
     }

grovedb/src/tests/aggregate_count_query_tests.rs

@@ -1230,4 +1230,122 @@ mod tests {
             other => panic!("expected InvalidProof, got {:?}", other),
         }
     }
+
+    /// Security regression: empty-leaf type-confusion forgery
+    /// (parallel of `empty_leaf_type_confusion_forgery_rejected` on the
+    /// sum side).
+    ///
+    /// The honest leaf is an empty NormalTree (root_key=None). Every
+    /// empty Merk-backed tree stores `inner_root = NULL_HASH`, so its
+    /// recorded value_hash equals `combine_hash(H(element_bytes),
+    /// NULL_HASH)`. The merk-level count verifier accepts empty proof
+    /// bytes as `(NULL_HASH, 0)`. Before the fix the verifier's loose
+    /// `is_any_tree()` check happily accepted NormalTree element bytes
+    /// and the chain hash matched by coincidence, letting an attacker
+    /// prove `count = 0` against a path that wasn't actually a
+    /// ProvableCountTree. The numeric answer (0) is correct for an
+    /// empty tree of any type, but the implicit claim "the leaf is a
+    /// ProvableCountTree" was a soundness gap.
+    #[test]
+    fn empty_leaf_type_confusion_forgery_rejected() {
+        use std::collections::BTreeMap;
+
+        use bincode::config;
+        use grovedb_version::version::v2::GROVE_V2;
+
+        use crate::operations::proof::{
+            GroveDBProof, GroveDBProofV0, MerkOnlyLayerProof, ProveOptions,
+        };
+
+        // Use V0 (GROVE_V2) envelope — its MerkOnlyLayerProof is simpler
+        // to surgically reconstruct than V1's LayerProof/ProofBytes.
+        let v: &GroveVersion = &GROVE_V2;
+        let db = make_test_grovedb(v);
+        db.insert(
+            [TEST_LEAF].as_ref(),
+            b"evil",
+            Element::empty_tree(),
+            None,
+            None,
+            v,
+        )
+        .unwrap()
+        .expect("insert empty normal tree at evil");
+
+        // Honest probe to harvest the layer-0 merk proof bytes that prove
+        // `evil` exists in the TEST_LEAF merk with its NormalTree element
+        // bytes.
+        let probe = PathQuery::new_single_key(vec![TEST_LEAF.to_vec()], b"evil".to_vec());
+        let probe_proof_bytes = db
+            .grove_db
+            .prove_query(&probe, None, v)
+            .unwrap()
+            .expect("honest probe should succeed");
+
+        let cfg = config::standard()
+            .with_big_endian()
+            .with_limit::<{ 256 * 1024 * 1024 }>();
+        let probe_decoded: GroveDBProof = bincode::decode_from_slice(&probe_proof_bytes, cfg)
+            .unwrap()
+            .0;
+
+        let (root_mp, test_leaf_mp) = match probe_decoded {
+            GroveDBProof::V0(GroveDBProofV0 { root_layer, .. }) => (
+                root_layer.merk_proof,
+                root_layer
+                    .lower_layers
+                    .get(TEST_LEAF)
+                    .expect("descent")
+                    .merk_proof
+                    .clone(),
+            ),
+            GroveDBProof::V1(_) => panic!("expected V0 envelope under GROVE_V2"),
+        };
+
+        let leaf = MerkOnlyLayerProof {
+            merk_proof: Vec::new(),
+            lower_layers: BTreeMap::new(),
+        };
+        let mut test_leaf_map = BTreeMap::new();
+        test_leaf_map.insert(b"evil".to_vec(), leaf);
+        let test_leaf_layer = MerkOnlyLayerProof {
+            merk_proof: test_leaf_mp,
+            lower_layers: test_leaf_map,
+        };
+        let mut root_lower = BTreeMap::new();
+        root_lower.insert(TEST_LEAF.to_vec(), test_leaf_layer);
+
+        let forged = GroveDBProof::V0(GroveDBProofV0 {
+            root_layer: MerkOnlyLayerProof {
+                merk_proof: root_mp,
+                lower_layers: root_lower,
+            },
+            prove_options: ProveOptions::default(),
+        });
+        let forged_bytes = bincode::encode_to_vec(&forged, cfg).expect("encode");
+
+        let attack_pq = PathQuery::new_aggregate_count_on_range(
+            vec![TEST_LEAF.to_vec(), b"evil".to_vec()],
+            QueryItem::RangeFrom(b"a".to_vec()..),
+        );
+
+        let result = GroveDb::verify_aggregate_count_query(&forged_bytes, &attack_pq, v);
+        match result {
+            Err(e) => {
+                let msg = format!("{e}");
+                assert!(
+                    msg.contains("must be a ProvableCountTree")
+                        || msg.contains("ProvableCountSumTree"),
+                    "verifier rejected as expected but with an unrelated message: {msg}"
+                );
+            }
+            Ok((root_hash, count)) => panic!(
+                "BUG: empty-leaf forgery accepted by aggregate-count verifier! \
+                 Returned (root_hash={}, count={}) — the leaf is a NormalTree, \
+                 not a ProvableCountTree.",
+                hex::encode(root_hash),
+                count
+            ),
+        }
+    }
 }