Script dedup key truncation may cause collisions #37
Description
Problem
In the widget renderer's iframe bridge (widget-renderer.tsx:369-370), executed scripts are tracked using a truncated base64 key:
```js
content.getAttribute('data-exec-' + btoa(key).slice(0, 16))
```
Truncating to 16 characters creates a collision risk for scripts with similar prefixes. Two different scripts could hash to the same 16-char prefix, causing the second script to be skipped.
Impact
Low probability with current usage (small widget scripts), but could cause bugs if:
- Widgets include multiple scripts with similar content prefixes
- Templates are applied with untrusted or user-influenced content
Suggested fix
Use the full btoa(key) value instead of truncating, or switch to a proper hash function. The data attribute name length is not meaningfully constrained.
Files
apps/app/src/components/generative-ui/widget-renderer.tsx
From PR #20 review