feat(dlx): align cache key generation with npm/npx pattern

- Use SHA-512 truncated to 16 chars instead of full SHA-256 (64 chars)
- Construct spec from url:binaryName for unique cache identity
- Update all tests to match new hash algorithm and spec format
- Aligns with npm/npx ecosystem for Windows MAX_PATH compatibility

Reference: npm/cli v11.6.2 libnpmexec/lib/index.js#L233-L244

Author: jdalton

src/dlx-binary.ts

@@ -40,13 +40,31 @@ export interface DlxBinaryResult {
 }
 
 /**
- * Generate a cache directory name from URL and binary name.
- * Uses SHA256 hash to create content-addressed storage.
- * Includes binary name to prevent collisions when multiple binaries
- * are downloaded from the same URL with different names.
+ * Generate a cache directory name using npm/npx approach.
+ * Uses first 16 characters of SHA-512 hash (like npm/npx).
+ *
+ * Rationale for SHA-512 truncated (vs full SHA-256):
+ * - Matches npm/npx ecosystem behavior
+ * - Shorter paths for Windows MAX_PATH compatibility (260 chars)
+ * - 16 hex chars = 64 bits = acceptable collision risk for local cache
+ * - Collision probability ~1 in 18 quintillion with 1000 entries
+ *
+ * Input strategy (aligned with npx):
+ * - npx uses package spec strings (e.g., '@scope/pkg@1.0.0', 'prettier@3.0.0')
+ * - Caller provides complete spec string with version for accurate cache keying
+ * - For package installs: Use PURL-style spec with version
+ *   Examples: 'npm:prettier@3.0.0', 'pypi:requests@2.31.0', 'gem:rails@7.0.0'
+ *   Note: Socket uses shorthand format without 'pkg:' prefix
+ *   (handled by @socketregistry/packageurl-js)
+ * - For binary downloads: Use URL for uniqueness
+ *
+ * Reference: npm/cli v11.6.2 libnpmexec/lib/index.js#L233-L244
+ * https://github.com/npm/cli/blob/v11.6.2/workspaces/libnpmexec/lib/index.js#L233-L244
+ * Implementation: packages.map().sort().join('\n') → SHA-512 → slice(0,16)
+ * npx hashes the package spec (name@version), not just name
  */
-function generateCacheKey(url: string, name: string): string {
-  return createHash('sha256').update(`${url}:${name}`).digest('hex')
+function generateCacheKey(spec: string): string {
+  return createHash('sha512').update(spec).digest('hex').substring(0, 16)
 }
 
 /**
@@ -234,7 +252,9 @@ export async function dlxBinary(
   // Generate cache paths similar to pnpm/npx structure.
   const cacheDir = getDlxCachePath()
   const binaryName = name || `binary-${process.platform}-${os.arch()}`
-  const cacheKey = generateCacheKey(url, binaryName)
+  // Create spec from URL and binary name for unique cache identity.
+  const spec = `${url}:${binaryName}`
+  const cacheKey = generateCacheKey(spec)
   const cacheEntryDir = path.join(cacheDir, cacheKey)
   const binaryPath = normalizePath(path.join(cacheEntryDir, binaryName))
 

test/dlx-binary.test.ts

@@ -368,9 +368,11 @@ describe.sequential('dlx-binary', () => {
 
           // Corrupt metadata
           const name = 'invalid-meta-binary'
-          const cacheKey = createHash('sha256')
-            .update(`${url}:${name}`)
+          const spec = `${url}:${name}`
+          const cacheKey = createHash('sha512')
+            .update(spec)
             .digest('hex')
+            .substring(0, 16)
           const cachePath = getDlxCachePath()
           const metaPath = path.join(cachePath, cacheKey, '.dlx-metadata.json')
           await fs.writeFile(metaPath, 'invalid json', 'utf8')
@@ -405,9 +407,11 @@ describe.sequential('dlx-binary', () => {
 
           // Delete metadata
           const name = 'missing-meta-binary'
-          const cacheKey = createHash('sha256')
-            .update(`${url}:${name}`)
+          const spec = `${url}:${name}`
+          const cacheKey = createHash('sha512')
+            .update(spec)
             .digest('hex')
+            .substring(0, 16)
           const cachePath = getDlxCachePath()
           const metaPath = path.join(cachePath, cacheKey, '.dlx-metadata.json')
           await fs.unlink(metaPath)
@@ -442,9 +446,11 @@ describe.sequential('dlx-binary', () => {
 
           // Write array as metadata (invalid)
           const name = 'array-meta-binary'
-          const cacheKey = createHash('sha256')
-            .update(`${url}:${name}`)
+          const spec = `${url}:${name}`
+          const cacheKey = createHash('sha512')
+            .update(spec)
             .digest('hex')
+            .substring(0, 16)
           const cachePath = getDlxCachePath()
           const metaPath = path.join(cachePath, cacheKey, '.dlx-metadata.json')
           await fs.writeFile(metaPath, JSON.stringify([]), 'utf8')
@@ -479,9 +485,11 @@ describe.sequential('dlx-binary', () => {
 
           // Write metadata without checksum
           const name = 'no-checksum-meta-binary'
-          const cacheKey = createHash('sha256')
-            .update(`${url}:${name}`)
+          const spec = `${url}:${name}`
+          const cacheKey = createHash('sha512')
+            .update(spec)
             .digest('hex')
+            .substring(0, 16)
           const cachePath = getDlxCachePath()
           const metaPath = path.join(cachePath, cacheKey, '.dlx-metadata.json')
           await fs.writeFile(
@@ -1240,9 +1248,11 @@ describe.sequential('dlx-binary', () => {
 
           // Make metadata unreadable (change permissions)
           const name = 'read-error-binary'
-          const cacheKey = createHash('sha256')
-            .update(`${url}:${name}`)
+          const spec = `${url}:${name}`
+          const cacheKey = createHash('sha512')
+            .update(spec)
             .digest('hex')
+            .substring(0, 16)
           const cachePath = getDlxCachePath()
           const metaPath = path.join(cachePath, cacheKey, '.dlx-metadata.json')