构建缓存完整性与污染防护治理（哈希-重用门禁）最佳实践

核心要点缓存条目必须包含 `SHA-256`；校验失败拒绝重用并清理。门禁策略：仅在输入一致与哈希匹配时允许重用。实现示例type CacheEntry = { key: string; sha256: string; inputs: string[] }

function hex64(h: string): boolean {

return /^[A-Fa-f0-9]{64}$/.test(h)

}

function inputsMatch(a: string[], b: string[]): boolean {

if (a.length !== b.length) return false

const sa = [...a].sort().join('|')

const sb = [...b].sort().join('|')

return sa === sb

}

function validEntry(e: CacheEntry): boolean {

return !!e.key && hex64(e.sha256) && e.inputs.length > 0

}

function allowReuse(candidate: CacheEntry, expected: CacheEntry): boolean {

if (!validEntry(candidate) || !validEntry(expected)) return false

if (candidate.key !== expected.key) return false

if (!inputsMatch(candidate.inputs, expected.inputs)) return false

return candidate.sha256.toLowerCase() === expected.sha256.toLowerCase()

}

审计与CI门禁审计记录包含键、哈希与输入摘要；污染检出阻断并清理缓存。回退到最近可信缓存或触发重新构建并输出证据。