Modernize internal hashes to xxh128

[binaryfire]

Summary

Modernizes Hypervel's opaque internal hash usage from legacy md5 / sha1 calls to xxh128 where the value is used only as an internal lookup key, namespace, fingerprint, mutex identifier, generated prefix, or grouping key.

This keeps protocol-required and security-sensitive hashes unchanged, including Redis EVALSHA, email verification, cookie HMAC prefixes, Gravatar, HIBP, WebSocket handshakes, Pusher body_md5, and SQS MD5 fixtures.

What changed

• Swapped internal auth guard, cache, scheduler, queue, routing, HTTP fingerprint, view, Vite, watcher, Horizon, Telescope, and Sentry hash paths to xxh128.
• Changed Filesystem::hash() to default to xxh128, while preserving the explicit algorithm parameter for callers that need protocol-specific hashes.
• Updated watcher scan hashing to use Filesystem::hash() instead of direct MD5 file-content hashing.
• Removed unused dynamic database connection hashing state that does not apply to Hypervel's database architecture.
• Simplified database config lookup so it works for both the full config repository and Capsule Fluent config objects.
• Fixed Redis cache Doctor all-mode namespaced key calculation so it derives the namespace through the real tagged-cache path instead of reimplementing it.
• Removed the now-unused Doctor-only tag ID wrapper and refreshed stale all-mode namespace comments from sha1 to xxh128.

Performance

xxh128 is faster than MD5/SHA1 for these internal non-cryptographic paths, while still providing a wide 128-bit output for low collision risk. The change avoids applying cryptographic hashes where Hypervel only needs stable opaque internal identifiers.

The remaining MD5/SHA1 sites were intentionally kept because they are dictated by external protocols, security primitives, or tests for those explicit algorithms.

Tests

• Added and updated coverage for changed hash contracts across cache, filesystem, watcher, auth, HTTP request fingerprints, routing throttles, scheduler mutexes, Vite keys, and Blade component path hashes.
• Added a Redis cache Doctor regression test proving Doctor namespaced keys match the real tagged-cache namespace path and preserve Laravel-compatible tag order behavior.
• Ran composer fix successfully:
  • php-cs-fixer green
  • phpstan green
  • parallel test suite green

Summary by CodeRabbit

• Refactor
  • Switched multiple hashing-based identifiers used for cache keys, authentication/session/token contexts, scheduled mutex/log names, HTTP request fingerprints, and related utilities to a faster xxh128 scheme (key formats may change, impacting existing cache entries).
  • Cache storage paths/namespaces and related tagged-key naming now follow the updated scheme.
  • File watching now detects changes via stored file-hash snapshots rather than MD5 checksums.
• Bug Fixes
  • Improved cache failover event dispatch to only notify when listeners are present.
• Documentation
  • Updated server deployment docs and Swoole worker/HTTP2 configuration variables.
• Tests
  • Updated/added coverage for the new hashing and failover behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: abb27f29-66fe-4fa4-8b3a-90a3cff3b660

📥 Commits

Reviewing files that changed from the base of the PR and between 2f172b6 and 8d4728a.

📒 Files selected for processing (6)

• src/cache/src/Redis/Console/DoctorCommand.php
• src/watcher/src/Driver/ScanFileDriver.php
• tests/Cache/Redis/Console/DoctorCommandTest.php
• tests/Integration/Cache/Redis/KeyNamingIntegrationTest.php
• tests/Integration/Redis/RedisConnectorTest.php
• tests/Watcher/Driver/ScanFileDriverTest.php

🚧 Files skipped from review as they are similar to previous changes (1)

• src/watcher/src/Driver/ScanFileDriver.php

---

📝 Walkthrough

Walkthrough

The PR switches many digest and key-generation paths to xxh128, updates watcher polling to hash files instead of MD5 checksums, rewires DatabaseManager to read config through an internal helper, and changes Swoole server settings and related docs.

Changes

Runtime identifier hashes

Layer / File(s)	Summary
Auth provider cache invalidation src/auth/src/EloquentUserProvider.php	The cache invalidation descriptor key now uses hash('xxh128', ...) instead of md5(...).
Guard and token keys src/auth/src/SessionGuard.php, src/auth/src/TokenGuard.php, src/jwt/src/JwtGuard.php, src/sanctum/src/SanctumGuard.php, tests/Auth/AuthGuardTest.php	Guard names and per-token cache keys now derive from xxh128 digests, and the auth test asserts the new exact names.
Request, telemetry, and scheduling hashes src/http/src/Request.php, src/telescope/src/IncomingExceptionEntry.php, src/telescope/src/Watchers/QueryWatcher.php, src/horizon/src/Notifications/LongWaitDetected.php, src/console/src/Scheduling/CallbackEvent.php, src/console/src/Scheduling/Event.php, src/sentry/src/Features/ConsoleSchedulingFeature.php, tests/Http/HttpRequestTest.php, tests/Console/Scheduling/*	Request fingerprints, telemetry family hashes, notification signatures, and scheduling/check-in names now use xxh128, with the HTTP and scheduling tests updated.
Rate-limit bucket keys src/queue/src/Middleware/RateLimited.php, src/routing/src/Middleware/ThrottleRequests.php, tests/Routing/ThrottleRequestsTest.php	Limiter keys and request signatures now use xxh128 in the queue and routing middleware, and the routing test matches the new digest.

Cache keying and tagged namespaces

Layer / File(s)	Summary
Failover dispatch and file cache paths src/cache/src/FailoverStore.php, src/cache/src/FileStore.php, tests/Cache/CacheFileStoreTest.php, tests/Cache/CacheSwooleStoreTest.php, tests/Integration/Cache/FailoverStoreTest.php	CacheFailedOver now requires listeners before dispatch, and file-backed cache path tests use xxh128-derived hashes.
Tagged Redis entry hashes src/cache/src/TaggedCache.php, src/cache/src/Redis/AllTaggedCache.php, tests/Cache/Redis/AllTaggedCacheTest.php	Tagged cache item keys and bulk tag writes now use xxh128 prefixes, with Redis cache tests updated to the new key strings.
Doctor and Redis client checks src/cache/src/Redis/Console/DoctorCommand.php, tests/Cache/Redis/Console/DoctorCommandTest.php, tests/Integration/Cache/Redis/KeyNamingIntegrationTest.php, tests/Integration/Redis/RedisConnectorTest.php	Doctor command execution now reuses the borrowed Redis connection, the Redis connector test resolves clients through a callback helper, and key-naming integration verifies the doctor context against tagged Redis keys.
Tagged namespace tooling and docs src/cache/src/Redis/Console/Doctor/DoctorContext.php, src/cache/src/Redis/Console/Benchmark/BenchmarkContext.php, src/cache/src/Redis/Console/Doctor/Checks/*, src/cache/src/Redis/Support/StoreContext.php, src/cache/src/Repository.php, tests/Integration/Cache/Redis/*	Doctor and benchmark helpers, namespace docs, and tagged-key integration comments now describe the xxh128 namespace format.

Utility hash defaults

Layer / File(s)	Summary
Filesystem, manifest, and Redis prefix hashes src/filesystem/src/Filesystem.php, src/foundation/src/Vite.php, src/foundation/src/Testing/Concerns/InteractsWithRedis.php, src/support/src/Facades/File.php, tests/Filesystem/FilesystemTest.php, tests/Foundation/FoundationViteTest.php	Filesystem hashing defaults, Vite manifest hashing, and the Redis prefix helper now default to xxh128, with matching doc and test expectations updated.
Blade anonymous namespace hashes src/view/src/Compilers/BladeCompiler.php, tests/View/Blade/BladeComponentTagCompilerTest.php	Anonymous component namespace prefixes now use xxh128, and the Blade compiler test asserts the new prefix hash.

Watcher file-hash polling

Layer / File(s)	Summary
Watch loop and hash collection src/watcher/src/Driver/ScanFileDriver.php	The polling loop stores file hashes, diffs hash maps, and computes watched file values through Filesystem::hash().
Watcher docs and tests src/watcher/README.md, src/watcher/config/watcher.php, tests/Watcher/Driver/ScanFileDriverTest.php, tests/Watcher/Fixtures/ScanFileDriverStub.php	Watcher documentation, the driver test, and the fixture now refer to file hashes and the renamed watch-hash hook.

DatabaseManager config access

Layer / File(s)	Summary
Internal config lookup and dynamic connection removal src/database/src/DatabaseManager.php	DatabaseManager now uses configValue(), resolves connections from database.connections, and drops the dynamic connection helper state and method.
Facade doc and SQLite test src/support/src/Facades/DB.php, tests/Integration/Database/Sqlite/InMemorySqliteSharedPdoTest.php	The DB facade docblock drops the removed helper, and the SQLite shared-PDO test hashes the per-database config key with xxh128.

Server settings and docs

Layer / File(s)	Summary
Swoole settings and deployment docs src/foundation/config/server.php, src/boost/docs/deployment.md, src/boost/docs/reverb.md	The server config now reads worker, HTTP/2, and max-request settings from env vars, and the deployment/reverb docs reflect the updated names and defaults.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 Hop, hop—new hashes shine so bright,
xxh128 twirls through day and night.
I nibbled keys and watched them flip,
then tucked the docs in tidy zip.
Thump-thump! The burrow hums just right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 49.62% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: replacing internal md5/sha1 hashes with xxh128 across the codebase.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/internal-xxh128-hashes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[greptile-apps]

Greptile Summary

This PR modernizes Hypervel's internal non-cryptographic hashing from md5/sha1 to xxh128 across auth, cache, console, HTTP, routing, queue, view, watcher, and third-party integrations (Horizon, Telescope, Sentry, Vite), while intentionally leaving protocol-mandated hashes (Redis EVALSHA, WebSocket handshake, Pusher body_md5, HIBP, Gravatar) unchanged. It also carries three ancillary improvements: a FailoverStore optimization that skips event construction when no listeners are registered, a DoctorCommand refactor that holds a single Redis connection for the entire diagnostic run, and a DoctorContext::namespacedKey() correction that delegates to the real tagged-cache namespace path instead of re-implementing it with sorted tags.

• Hash migration touches 20+ source files; all external-protocol hashes are deliberately preserved and the PR correctly identifies them in its description.
• DoctorContext::namespacedKey() was bug-fixed: the old implementation sorted tag IDs before hashing, diverging from the real cache path; the new implementation delegates to TagSet::getNamespace() and the integration test explicitly asserts tag-order sensitivity.
• ScanFileDriver now skips files that fail hashing (returns null) rather than storing false in the snapshot, and accepts an injected Filesystem for deterministic test coverage.

Confidence Score: 4/5

Safe to merge after fixing the Mockery call-count expectation in the new DoctorCommand test; all other changes are well-covered and logically consistent.

The new test testDoctorRunsChecksWhileRedisConnectionIsBorrowed asserts withConnection->twice(), but the refactored handle() consolidates everything into a single withConnection call. Mockery verifies exact call counts at teardown, so this test will fail in the suite despite all inline assertions passing during the test body.

tests/Cache/Redis/Console/DoctorCommandTest.php - the withConnection call-count expectation in the new connection-borrowing test

Important Files Changed

Filename	Overview
tests/Cache/Redis/Console/DoctorCommandTest.php	New test testDoctorRunsChecksWhileRedisConnectionIsBorrowed asserts withConnection->twice() but the refactored command only calls it once, causing Mockery verification to fail at teardown
src/cache/src/Redis/Console/DoctorCommand.php	Refactored to borrow a single Redis connection for the entire command run rather than acquiring two separate connections; passes the connection into environment checks instead of re-borrowing inside them
src/cache/src/Redis/Console/Doctor/DoctorContext.php	Removes unused tagId() wrapper; rewrites namespacedKey() to delegate to the real tagged-cache namespace path instead of reimplementing it with sorted tags; updates comments from sha1 to xxh128
src/cache/src/FailoverStore.php	Adds hasListeners guard before dispatching CacheFailedOver to avoid constructing and dispatching an event when no listeners are registered
src/database/src/DatabaseManager.php	Removes calculateDynamicConnectionName(), $dynamicConnectionConfigurations, and the dynamic-connection lookup path; adds configValue() helper to support both ConfigRepository and Capsule Fluent config objects
src/watcher/src/Driver/ScanFileDriver.php	Replaces md5(file_get_contents) with Filesystem::hash(); skips files that return null from hash (unreadable files) rather than storing false; accepts optional Filesystem injection for testability
src/filesystem/src/Filesystem.php	Changes default hash algorithm from md5 to xxh128; intentionally diverges from Laravel default
src/cache/src/FileStore.php	Switches file cache path derivation from SHA1 to xxh128; changes key hash length from 40 to 32 hex chars, orphaning existing cache entries on upgrade
src/auth/src/SessionGuard.php	Switches session/cookie name hash from SHA1 to xxh128; changes cookie names, invalidating all active sessions on upgrade
tests/Integration/Cache/Redis/KeyNamingIntegrationTest.php	Adds regression test proving DoctorContext.namespacedKey() matches the real tagged-cache namespace and verifies tag-order sensitivity

_{Reviews (2): Last reviewed commit: "fix(cache): address hash review feedback" | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

src/cache/src/FileStore.php (1)

400-405: 🗄️ Data Integrity & Integration | 🔵 Trivial | 💤 Low value

Path-derivation change orphans existing file-cache entries on upgrade.

Switching the key digest from sha1 to xxh128 changes the derived directory/file path for every key, so entries written by a prior version become unreachable (cold cache) and the old files won't be cleaned by forget()/flush() until a full directory flush. This is acceptable for cache semantics, but call it out in upgrade notes so operators don't rely on a warm file cache across the deploy.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/cache/src/FileStore.php` around lines 400 - 405, The FileStore::path
digest switch from sha1 to xxh128 changes every derived cache location, so
existing on-disk entries from prior versions will be orphaned after upgrade.
Keep the new FileStore::path behavior as-is, but add an upgrade note/changelog
entry documenting that file-cache entries will not be reused across the deploy
and may need a warm-up or manual cleanup, and mention the impact on forget() and
flush() semantics for previously written keys.

src/auth/src/SessionGuard.php (1)

102-104: 🧹 Nitpick | 🔵 Trivial

Deploy impact: switching the class hash invalidates all active sessions and remember-me cookies.

$classHash feeds both hashedName (the session key) and hashedRecallerName (the recaller cookie name). Moving from sha1 to xxh128 changes both derived names, so on rollout every currently logged-in user's session lookup and "remember me" cookie will no longer resolve, effectively forcing a global logout. This is inherent to the rename and the test contract confirms the new values, but it should be called out in migration/release notes so it isn't mistaken for a regression.

The change itself is otherwise correct and consistent with the updated AuthGuardTest assertions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/auth/src/SessionGuard.php` around lines 102 - 104, Call out the
SessionGuard class-hash change in release/migration notes because $classHash in
SessionGuard::__construct now changes both hashedName and hashedRecallerName,
which invalidates existing sessions and remember-me cookies on deployment. Add a
brief upgrade note near the SessionGuard/AuthGuardTest change explaining that
switching from the old hash to xxh128 causes a one-time global logout so
operators are not surprised by the behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/watcher/src/Driver/ScanFileDriver.php`:
- Around line 32-33: Update ScanFileDriver::scanFile so the baseline check uses
an explicit null comparison instead of a truthy test on $this->lastFileHashes;
this ensures an empty array snapshot is treated as a valid prior state and
transitions from no files to newly created files are detected. Keep the change
localized to the current-file comparison logic around getWatchFileHashes and the
$this->lastFileHashes guard.

In `@tests/Cache/Redis/Console/DoctorCommandTest.php`:
- Around line 265-280: The regression test is using ArrayStore, so it is not
validating the Redis all-mode namespace behavior that
DoctorContext::namespacedKey() is meant to mirror. Update the test to use the
actual Redis tagged store path or assert directly against the Redis namespace
format, and keep the existing tagged-key comparisons anchored on
DoctorContext::namespacedKey() so ordering and Redis all-mode naming are
exercised correctly.

---

Nitpick comments:
In `@src/auth/src/SessionGuard.php`:
- Around line 102-104: Call out the SessionGuard class-hash change in
release/migration notes because $classHash in SessionGuard::__construct now
changes both hashedName and hashedRecallerName, which invalidates existing
sessions and remember-me cookies on deployment. Add a brief upgrade note near
the SessionGuard/AuthGuardTest change explaining that switching from the old
hash to xxh128 causes a one-time global logout so operators are not surprised by
the behavior.

In `@src/cache/src/FileStore.php`:
- Around line 400-405: The FileStore::path digest switch from sha1 to xxh128
changes every derived cache location, so existing on-disk entries from prior
versions will be orphaned after upgrade. Keep the new FileStore::path behavior
as-is, but add an upgrade note/changelog entry documenting that file-cache
entries will not be reused across the deploy and may need a warm-up or manual
cleanup, and mention the impact on forget() and flush() semantics for previously
written keys.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 71f2004e-3f67-4b40-b130-1cbef3a858c4

📥 Commits

Reviewing files that changed from the base of the PR and between f808b36 and 2f172b6.

📒 Files selected for processing (55)

• src/auth/src/EloquentUserProvider.php
• src/auth/src/SessionGuard.php
• src/auth/src/TokenGuard.php
• src/boost/docs/deployment.md
• src/boost/docs/reverb.md
• src/cache/src/FailoverStore.php
• src/cache/src/FileStore.php
• src/cache/src/Redis/AllTaggedCache.php
• src/cache/src/Redis/Console/Benchmark/BenchmarkContext.php
• src/cache/src/Redis/Console/Doctor/Checks/ForeverStorageCheck.php
• src/cache/src/Redis/Console/Doctor/Checks/TaggedOperationsCheck.php
• src/cache/src/Redis/Console/Doctor/DoctorContext.php
• src/cache/src/Redis/Support/StoreContext.php
• src/cache/src/Repository.php
• src/cache/src/TaggedCache.php
• src/console/src/Scheduling/CallbackEvent.php
• src/console/src/Scheduling/Event.php
• src/database/src/DatabaseManager.php
• src/filesystem/src/Filesystem.php
• src/foundation/config/server.php
• src/foundation/src/Testing/Concerns/InteractsWithRedis.php
• src/foundation/src/Vite.php
• src/horizon/src/Notifications/LongWaitDetected.php
• src/http/src/Request.php
• src/jwt/src/JwtGuard.php
• src/queue/src/Middleware/RateLimited.php
• src/routing/src/Middleware/ThrottleRequests.php
• src/sanctum/src/SanctumGuard.php
• src/sentry/src/Features/ConsoleSchedulingFeature.php
• src/support/src/Facades/DB.php
• src/support/src/Facades/File.php
• src/telescope/src/IncomingExceptionEntry.php
• src/telescope/src/Watchers/QueryWatcher.php
• src/view/src/Compilers/BladeCompiler.php
• src/watcher/README.md
• src/watcher/config/watcher.php
• src/watcher/src/Driver/ScanFileDriver.php
• tests/Auth/AuthGuardTest.php
• tests/Cache/CacheFileStoreTest.php
• tests/Cache/CacheSwooleStoreTest.php
• tests/Cache/Redis/AllTaggedCacheTest.php
• tests/Cache/Redis/Console/DoctorCommandTest.php
• tests/Console/Scheduling/CallbackEventTest.php
• tests/Console/Scheduling/EventTest.php
• tests/Filesystem/FilesystemTest.php
• tests/Foundation/FoundationViteTest.php
• tests/Http/HttpRequestTest.php
• tests/Integration/Cache/FailoverStoreTest.php
• tests/Integration/Cache/Redis/KeyNamingIntegrationTest.php
• tests/Integration/Cache/Redis/TaggedOperationsIntegrationTest.php
• tests/Integration/Database/Sqlite/InMemorySqliteSharedPdoTest.php
• tests/Routing/ThrottleRequestsTest.php
• tests/View/Blade/BladeComponentTagCompilerTest.php
• tests/Watcher/Driver/ScanFileDriverTest.php
• tests/Watcher/Fixtures/ScanFileDriverStub.php

💤 Files with no reviewable changes (1)

• src/support/src/Facades/DB.php

[binaryfire]

CodeRabbit:

The SessionGuard class-hash point is accurate: switching the internal digest changes the derived session and remember-me cookie names. That is intentional for Hypervel 0.4 and does not need a compatibility shim. Hypervel 0.4 is a full framework rewrite, so preserving old runtime-derived cookie names is not a goal for this PR.

The FileStore path point is also accurate: changing the internal digest changes the derived file-cache paths, so old file-cache entries may become unreachable. That is acceptable cache behavior for this rewrite and does not need code changes. Operators can clear/warm caches as usual; the framework should not carry old hash-path compatibility code.

The docstring coverage warning is not being acted on. It is not part of this repository’s review criteria for this PR, and adding docstrings just to satisfy that generated threshold would add noise rather than improve the code.

[binaryfire]

Greptile:

Filesystem::hash() defaulting to xxh128 is intentional. Hypervel 0.4 is a full framework rewrite, and we are choosing the faster internal default for non-cryptographic hashing. Callers that need a specific digest can still pass the algorithm explicitly.

The ScanFileDriver unreadable-file hash issue was valid and has been fixed. The driver now normalizes failed hash reads instead of storing raw false, and regression coverage was added.

Removing DatabaseManager::calculateDynamicConnectionName() is intentional. Hypervel uses pooled Swoole database connections, and Laravel-style dynamic connection names do not fit that architecture cleanly. Since 0.4 is not preserving backwards compatibility with the old framework shape, there will be no deprecation shim for this removed path.

The session-cookie, file-cache, tagged-cache, and scheduler-key invalidation points are accurate as upgrade impacts, but they do not require code changes. These are runtime-derived internal keys, and Hypervel 0.4 is not carrying compatibility layers for previous hash formats.