@tsrx/core 0.0.9 → 0.0.10

package/package.json

@@ -3,7 +3,7 @@
   "description": "Core compiler infrastructure for TSRX syntax",
   "license": "MIT",
   "author": "Dominic Gannaway",
-  "version": "0.0.9",
+  "version": "0.0.10",
   "type": "module",
   "repository": {
     "type": "git",
@@ -32,14 +32,15 @@
   },
   "dependencies": {
     "@jridgewell/sourcemap-codec": "^1.5.5",
+    "@noble/hashes": "^2.2.0",
     "@sveltejs/acorn-typescript": "^1.0.9",
+    "@types/estree-jsx": "^1.0.5",
+    "@types/estree": "^1.0.8",
     "acorn": "^8.15.0",
     "esrap": "^2.1.0",
     "is-reference": "^3.0.3",
     "magic-string": "^0.30.18",
-    "zimmerframe": "^1.1.2",
-    "@types/estree": "^1.0.8",
-    "@types/estree-jsx": "^1.0.5"
+    "zimmerframe": "^1.1.2"
   },
   "devDependencies": {
     "@types/node": "^24.3.0",

package/src/index.js

@@ -68,7 +68,8 @@ export {
 
 // Generic utils
 export {
-	hash,
+	simple_hash as simpleHash,
+	strong_hash as strongHash,
 	is_void_element as isVoidElement,
 	is_reserved as isReserved,
 	is_boolean_attribute as isBooleanAttribute,

package/src/parse/style.js

@@ -1,6 +1,6 @@
 /** @import * as AST from 'estree' */
 
-import { hash } from '../utils/hashing.js';
+import { simple_hash } from '../utils/hashing.js';
 
 const REGEX_MATCHER = /^[~^$*|]?=/;
 const REGEX_ATTRIBUTE_FLAGS = /^[a-zA-Z]+/;
@@ -119,7 +119,7 @@ export function parse_style(content, options) {
 
 	return {
 		source: content,
-		hash: `tsrx-${hash(content)}`,
+		hash: `tsrx-${simple_hash(content)}`,
 		type: 'StyleSheet',
 		children: read_body(parser),
 		start: 0,

package/src/utils/hashing.js

@@ -1,11 +1,21 @@
+import { sha256 } from '@noble/hashes/sha2.js';
+import { bytesToHex, utf8ToBytes } from '@noble/hashes/utils.js';
+
 const regex_return_characters = /\r/g;
 
 /**
- * Hashes a string to a base36 value
+ * Fast non-cryptographic string hash (djb2, base36).
+ *
+ * Cheap and small, producing 4–7 chars — good for high-volume identifiers like
+ * CSS class-name prefixes where the output multiplies across every scoped rule
+ * and DOM reference in the shipped bundle. Trivially reversible for short
+ * inputs, so never use this for hashes derived from server-only data that
+ * ships to the client (absolute file paths, function ids, etc.) — use
+ * {@link strong_hash} for those.
  * @param {string} str
  * @returns {string}
  */
-export function hash(str) {
+export function simple_hash(str) {
 	str = str.replace(regex_return_characters, '');
 	let hash = 5381;
 	let i = str.length;
@@ -13,3 +23,21 @@ export function hash(str) {
 	while (i--) hash = ((hash << 5) - hash) ^ str.charCodeAt(i);
 	return (hash >>> 0).toString(36);
 }
+
+/**
+ * Cryptographic string hash — 8-char hex SHA-256 prefix.
+ *
+ * We use a pure-JS SHA-256 so this runs in browser workers (e.g. Monaco)
+ * without a `node:crypto` dependency.
+ *
+ * SHA-256 is pre-image-resistant, so a hash emitted into a client bundle (e.g.
+ * an RPC id derived from an absolute server-file path) can't be inverted to
+ * recover the original path. An attacker with a list of candidate paths could
+ * still confirm a guess by rehashing — the 8-char truncation keeps these ids
+ * short and is fine for identification, not for authentication.
+ * @param {string} str
+ * @returns {string}
+ */
+export function strong_hash(str) {
+	return bytesToHex(sha256(utf8ToBytes(str.replace(regex_return_characters, '')))).slice(0, 8);
+}

package/src/utils.js

@@ -3,7 +3,7 @@
  * Framework-specific utilities should be in the framework package.
  */
 
-export { hash } from './utils/hashing.js';
+export { simple_hash, strong_hash } from './utils/hashing.js';
 
 const VOID_ELEMENT_NAMES = [
 	'area',