refactor(dlx): extract generateCacheKey to shared dlx.ts module

- Move generateCacheKey from dlx-binary.ts to dlx.ts for reuse
- Remove generatePackageCacheKey from dlx-package.ts
- Update both dlx-binary and dlx-package to use shared function
- Enables socket-cli to import and use generateCacheKey directly
- All tests passing (4573 passed)

Author: jdalton

src/dlx-binary.ts

@@ -7,6 +7,7 @@ import path from 'node:path'
 
 import { WIN32 } from '#constants/platform'
 
+import { generateCacheKey } from './dlx'
 import { downloadWithLock } from './download-lock'
 import { isDir, readJson, safeDelete } from './fs'
 import { isObjectObject } from './objects'
@@ -39,34 +40,6 @@ export interface DlxBinaryResult {
   spawnPromise: ReturnType<typeof spawn>
 }
 
-/**
- * Generate a cache directory name using npm/npx approach.
- * Uses first 16 characters of SHA-512 hash (like npm/npx).
- *
- * Rationale for SHA-512 truncated (vs full SHA-256):
- * - Matches npm/npx ecosystem behavior
- * - Shorter paths for Windows MAX_PATH compatibility (260 chars)
- * - 16 hex chars = 64 bits = acceptable collision risk for local cache
- * - Collision probability ~1 in 18 quintillion with 1000 entries
- *
- * Input strategy (aligned with npx):
- * - npx uses package spec strings (e.g., '@scope/pkg@1.0.0', 'prettier@3.0.0')
- * - Caller provides complete spec string with version for accurate cache keying
- * - For package installs: Use PURL-style spec with version
- *   Examples: 'npm:prettier@3.0.0', 'pypi:requests@2.31.0', 'gem:rails@7.0.0'
- *   Note: Socket uses shorthand format without 'pkg:' prefix
- *   (handled by @socketregistry/packageurl-js)
- * - For binary downloads: Use URL for uniqueness
- *
- * Reference: npm/cli v11.6.2 libnpmexec/lib/index.js#L233-L244
- * https://github.com/npm/cli/blob/v11.6.2/workspaces/libnpmexec/lib/index.js#L233-L244
- * Implementation: packages.map().sort().join('\n') → SHA-512 → slice(0,16)
- * npx hashes the package spec (name@version), not just name
- */
-function generateCacheKey(spec: string): string {
-  return createHash('sha512').update(spec).digest('hex').substring(0, 16)
-}
-
 /**
  * Get metadata file path for a cached binary.
  */

src/dlx-package.ts

@@ -30,13 +30,13 @@
  * - dlxPackage() combines both for convenience
  */
 
-import { createHash } from 'node:crypto'
 import { existsSync, promises as fs } from 'node:fs'
 import path from 'node:path'
 
-import pacote from './external/pacote'
 import { WIN32 } from './constants/platform'
 import { getPacoteCachePath } from './constants/packages'
+import { generateCacheKey } from './dlx'
+import pacote from './external/pacote'
 import { readJsonSync } from './fs'
 import { normalizePath } from './path'
 import { getSocketDlxDir } from './paths'
@@ -85,14 +85,6 @@ export interface DlxPackageResult {
   spawnPromise: ReturnType<typeof spawn>
 }
 
-/**
- * Generate a cache key from package spec, similar to npm's _npx.
- * Uses first 16 hex characters of SHA256 hash.
- */
-function generatePackageCacheKey(packageSpec: string): string {
-  return createHash('sha256').update(packageSpec).digest('hex').slice(0, 16)
-}
-
 /**
  * Parse package spec into name and version.
  * Examples:
@@ -142,7 +134,7 @@ async function ensurePackageInstalled(
   packageName: string,
   force: boolean,
 ): Promise<{ installed: boolean; packageDir: string }> {
-  const cacheKey = generatePackageCacheKey(packageSpec)
+  const cacheKey = generateCacheKey(packageSpec)
   const packageDir = normalizePath(path.join(getSocketDlxDir(), cacheKey))
   const installedDir = normalizePath(
     path.join(packageDir, 'node_modules', packageName),

src/dlx.ts

@@ -1,12 +1,41 @@
 /** @fileoverview DLX (execute package) utilities for Socket ecosystem shared installations. */
 
+import { createHash } from 'node:crypto'
 import { existsSync, promises as fs } from 'node:fs'
 
 import { readDirNamesSync, safeDelete } from './fs'
 import { normalizePath } from './path'
 import { getSocketDlxDir } from './paths'
 import { pEach } from './promises'
 
+/**
+ * Generate a cache directory name using npm/npx approach.
+ * Uses first 16 characters of SHA-512 hash (like npm/npx).
+ *
+ * Rationale for SHA-512 truncated (vs full SHA-256):
+ * - Matches npm/npx ecosystem behavior
+ * - Shorter paths for Windows MAX_PATH compatibility (260 chars)
+ * - 16 hex chars = 64 bits = acceptable collision risk for local cache
+ * - Collision probability ~1 in 18 quintillion with 1000 entries
+ *
+ * Input strategy (aligned with npx):
+ * - npx uses package spec strings (e.g., '@scope/pkg@1.0.0', 'prettier@3.0.0')
+ * - Caller provides complete spec string with version for accurate cache keying
+ * - For package installs: Use PURL-style spec with version
+ *   Examples: 'npm:prettier@3.0.0', 'pypi:requests@2.31.0', 'gem:rails@7.0.0'
+ *   Note: Socket uses shorthand format without 'pkg:' prefix
+ *   (handled by @socketregistry/packageurl-js)
+ * - For binary downloads: Use URL:name for uniqueness
+ *
+ * Reference: npm/cli v11.6.2 libnpmexec/lib/index.js#L233-L244
+ * https://github.com/npm/cli/blob/v11.6.2/workspaces/libnpmexec/lib/index.js#L233-L244
+ * Implementation: packages.map().sort().join('\n') → SHA-512 → slice(0,16)
+ * npx hashes the package spec (name@version), not just name
+ */
+export function generateCacheKey(spec: string): string {
+  return createHash('sha512').update(spec).digest('hex').substring(0, 16)
+}
+
 let _path: typeof import('path') | undefined
 /**
  * Lazily load the path module to avoid Webpack errors.